Detailed description of the embodiments
Exemplary embodiments of the disclosure are described more fully below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood thoroughly and so that its scope can be conveyed completely to those skilled in the art.
Fig. 1 shows a flow chart of a virtual-machine-based kernel vulnerability detection method according to an embodiment of the invention. The method runs inside a server-side virtual machine sandbox isolation environment and performs dynamic kernel vulnerability exploitation detection on a specified sample file. As shown in Fig. 1, the method comprises the following steps:
Step S101, a communication agent process is started; the communication agent process listens on a designated port, waits for and receives the detection package and the sample file transmitted by the host outside the virtual machine (the external host), and stores the detection package and the sample file under a detection directory and a temporary directory respectively.
The communication agent process is responsible for data interaction and file transfer with the external host. When the operating system of the server-side virtual machine boots, the communication agent process starts automatically with it. The communication agent process listens on the designated port and waits for and receives the detection package and the sample file sent by the associated process on the external host. It decompresses the detection package and stores the extracted files under the detection directory; in addition, it stores the sample file under the temporary directory. The communication agent process then starts the scheduling control process contained in the detection package.
Step S102, the scheduling control process in the detection package is started; the scheduling control process obtains the storage path of the sample file, identifies the sample file type, selects a detection mode and the individual detection function points from the configuration options of a general detection configuration file, and creates a target detection configuration file for the sample file.
After the scheduling control process has started, it obtains the storage path of the sample file and identifies the sample file type. It then reads the general detection configuration file associated with itself, selects the detection mode and the individual detection function points according to the sample file type, initializes its own functions, and creates the target detection configuration file for the sample file. The scheduling control process then starts the auxiliary detection process and passes the storage path of the sample file (which may be a URL) to the auxiliary detection process as a parameter.
Step S103, the auxiliary detection process is started; the auxiliary detection process uses the target detection configuration file to control the switch of each detection function point.
After the auxiliary detection process has started, it initializes itself according to the target detection configuration file, loads the driver of the core detection process, and uses the target detection configuration file to control the switch of each detection function point.
Step S104, the core detection process is started; the core detection process receives the information about the sample file and the switch information for each detection function point sent by the auxiliary detection process, performs vulnerability detection, generates a log file from the detection results, and stores the log file under a log directory.
After the auxiliary detection process has loaded the driver of the core detection process, the core detection process starts. The core detection process receives the sample file information and the switch information for each detection function point sent by the auxiliary detection process and performs initialization. It then detects the sample file according to the sample file information and the switch information for each detection function point, generates a log file from the detection results, and stores the log file under the log directory.
The virtual-machine-based kernel vulnerability detection method provided by this embodiment runs inside a virtual machine sandbox isolation environment. Data interaction and file transfer with the external host are handled by the communication agent process, and the scheduling control process and the auxiliary detection process assist the core detection process in detecting the sample file. The method isolates kernel vulnerability detection from the outside and provides a closed detection environment for suspicious samples: even if a suspicious sample really does exploit a vulnerability, it cannot damage the server side. This provides a safe and efficient kernel vulnerability detection mechanism.
Fig. 2 shows a flow chart of a virtual-machine-based kernel vulnerability detection method according to another embodiment of the invention. This method describes the overall scheme of virtual-machine-based kernel vulnerability detection; it runs inside the server-side virtual machine sandbox isolation environment and performs dynamic kernel vulnerability exploitation detection on the specified sample file. As shown in Fig. 2, the method comprises the following steps:
Step S201, when the operating system of the server-side virtual machine boots, the communication agent process starts automatically.
The communication agent process is responsible for data interaction and file transfer with the external host. When the operating system of the server-side virtual machine boots, the communication agent process starts automatically with it.
Step S202, the communication agent process listens on the designated port and waits for data.
The server-side virtual machine exposes the designated port for access by the external host. Once the communication agent process has started, it listens on that port and waits for data sent by the external host.
Step S203, the communication agent process receives the detection package and the sample file transmitted by the external host and stores the detection package and the sample file under the detection directory and the temporary directory respectively.
After the communication agent process has received, through the designated port, the detection package and the sample file transmitted by the external host, it decompresses the detection package and stores the extracted files under the detection directory, which may be a randomly generated directory; in addition, it stores the sample file under the temporary directory.
Step S204, the communication agent process starts the scheduling control process.
The communication agent process issues a start command to start the scheduling control process.
Step S205, the communication agent process creates a message communication thread and establishes a communication connection with the scheduling control process.
After the scheduling control process has started, the communication agent process creates a message communication thread and, optionally, establishes the communication connection with the scheduling control process via RPC (Remote Procedure Call). Here the RPC mechanism is that of the xmlrpclib library: XML-RPC is a remote procedure call mechanism that uses HTTP as its transport protocol and transmits commands and data as XML text. Over this connection, message packets subsequently received from the scheduling control process can be forwarded to the external host in real time.
Step S206, the scheduling control process initializes its own functions.
After the scheduling control process has started, it obtains the storage path of the sample file and identifies the sample file type. It then reads the general detection configuration file associated with itself, selects the detection mode and the individual detection function points according to the sample file type, and initializes its own functions. In addition, the scheduling control process selects a timeout restriction condition from the configuration options of the general detection configuration file; the timeout restriction condition limits how long the core detection process may spend on detection. Configuring a timeout restriction prevents the subsequent detection of a given sample file from running for an excessively long time and improves detection efficiency.
Step S207, the scheduling control process creates a screen capture thread and/or a mouse simulation click thread.
Optionally, the scheduling control process creates a screen capture thread and/or a mouse simulation click thread. The screen capture thread takes screenshots of the screen of the server on which the virtual machine runs; the captured screen images can be sent to the external host by the communication agent process. The mouse simulation click thread simulates mouse clicks at random screen coordinates and simulates mouse clicks on particular controls.
Step S208, the scheduling control process creates the target detection configuration file for the sample file, starts the auxiliary detection process, and passes the storage path of the sample file to the auxiliary detection process as a parameter.
The scheduling control process reads the general detection configuration file, selects and sets the configuration options in it, and obtains the target detection configuration file for the sample file. Different types of sample file require different detection modes and different configured detection function points, so the scheduling control process can create a customized target detection configuration file for each type of sample file. It then starts the auxiliary detection process and passes the storage path of the sample file to the auxiliary detection process as a command-line parameter.
Step S209, the screen capture thread captures a screen image at predetermined intervals and sends each captured screen image to the communication agent process in real time.
Step S210, the mouse simulation click thread simulates mouse clicks at random screen coordinates and simulates mouse clicks on particular controls.
Step S211, the auxiliary detection process initializes itself according to the target detection configuration file and uses the target detection configuration file to control the switch of each detection function point.
The auxiliary detection process initializes its own functions by parsing its command-line parameters and the target detection configuration file. Specifically, it parses out basic information such as the sample file storage path, the detection mode, the individual detection function points and other detection function configuration options, computes the MD5 of the sample file, and controls the switch of each detection function point. Through the computed MD5 of the sample file, the sample data produced during subsequent detection can be associated with task data; one sample file may correspond to multiple detection tasks. The MD5 can also be used to associate the sample data with trojan information, VT results and the engine that first detected the sample. In addition, uniformly stored URL, trojan and APT class samples can be classified and displayed by MD5.
Step S212, the auxiliary detection process loads the driver of the core detection process, thereby starting the core detection process.
Step S213, the auxiliary detection process sends the sample file information and the switch information for each detection function point by means of IO control codes.
The auxiliary detection process sends the sample file information and the switch information for each detection function point to the core detection process by means of IO control codes, in order to turn on monitoring of kernel-layer vulnerability exploitation behaviour.
Step S214, the auxiliary detection process starts a sample process, and the sample process runs the sample file.
Step S215, the core detection process performs initialization.
When the driver of the core detection process is loaded, it initializes the data structure objects and variables the driver needs; these data structure objects and variables are closely associated with the individual function detection points.
Step S216, the core detection process creates a log recording thread.
To record the detection process conveniently, a log recording thread is created to record the logs produced during detection.
Step S217, the core detection process receives the sample file information and the switch information for each detection function point sent by the auxiliary detection process by means of IO control codes.
The core detection process receives the various IO control codes sent by the auxiliary detection process and parses them to obtain the sample file information and the switch information for each detection function point. According to the switch information for each detection function point, it turns on monitoring of the corresponding detection function point.
Step S218, the core detection process performs vulnerability detection.
The vulnerabilities detectable by the core detection process cover malicious web page URLs and the related vulnerabilities, viruses, trojans and attacked sample objects. Sample objects also include 0Day, NDay and exposed-period 0Day vulnerabilities, web trojan-hosting (drive-by download) information and its follow-up, important websites, and so on. Here a 0Day is a vulnerability that has been discovered (possibly without being disclosed) and for which the vendor has not yet released a patch. Such vulnerabilities are exploited maliciously as soon as they are found; for example, a 0Day can be used to edit the registry, download files and run files. A sample object may take the form of a file, an executable program, etc.; the invention is not limited in this respect.
Step S219, the log recording thread generates a log file from the detection results and stores the log file under the log directory.
A subsequent identification engine can read the log file, extract the log information the engine needs (static and dynamic), analyze and screen the detection results, and apply basic rule judgements; the back end holds up to several hundred rules. Analysis here means combining the static and dynamic log data and, using rules and correlation analysis, identifying the hazard level of the sample (black, white or grey). Screening mainly filters out the samples whose behaviour features hit the detection rules and the samples with highly suspicious behaviour features, and distributes the data according to the needs of different groups.
Step S220, during the above detection process, whether the timeout restriction condition is met is judged in real time; if so, the detection process is terminated, the results are packaged into a detection result packet and sent to the communication agent process, and the communication agent process sends the packet to the external host.
The virtual-machine-based kernel vulnerability detection method provided by this embodiment runs inside a virtual machine sandbox isolation environment. Data interaction and file transfer with the external host are handled by the communication agent process, and the scheduling control process and the auxiliary detection process assist the core detection process in detecting the sample file. The method isolates kernel vulnerability detection from the outside and provides a closed detection environment for suspicious samples: even if a suspicious sample really does exploit a vulnerability, it cannot damage the server side. This provides a safe and efficient kernel vulnerability detection mechanism. In this method, the scheduling control process selects a timeout restriction condition from the configuration options of the general detection configuration file; configuring the timeout restriction prevents the subsequent detection of a given sample file from running for an excessively long time and improves detection efficiency. The scheduling control process also creates a screen capture thread and/or a mouse simulation click thread, so that the image presented on the server screen can be passed to the external host and the user of the external host can follow the progress and details of the detection process, which gives good visualization.
Fig. 3 shows a flow chart of a virtual-machine-based kernel vulnerability detection method according to another embodiment of the invention. This embodiment mainly describes in detail the working process of the core detection process described above, that is, how the core detection process performs vulnerability detection. It should be recognized, however, that the method of this embodiment is only one way of realizing vulnerability detection and can be realized without relying on the environment described in the previous embodiments. The method of this embodiment runs inside a virtual machine sandbox isolation environment. As shown in Fig. 3, the method comprises the following steps:
Step S301, the driver is loaded.
When the driver of the core detection process is loaded, it initializes the data structure objects and variables the driver needs. It records the process ID of at least one system process, and records at least one key function pointer value stored in the HAL dispatch table (HalDispatchTable), such as the pointer value of HalQuerySystemInformation.
Step S302, the sample file information and the switch information for each detection function point sent by a user-layer process are received.
In this embodiment, the user-layer process may be the auxiliary detection process described in the above embodiments. The core detection process receives the various IO control codes sent by the auxiliary detection process and parses them to obtain the sample file information and the switch information for each detection function point.
Step S303, the kernel-layer behaviour monitoring master switch is turned on according to the switch information for each detection function point.
Step S304, when the system creates a new process, the new process is added to a process creation record list.
When the system starts the sample process to run the sample file, the sample process is identified as a newly created process and is added to the process creation record list.
Step S305, each kernel-layer operation behaviour of the new process is detected.
This embodiment detects each kernel-layer operation behaviour of the new process by hooking. Specifically, after the core detection process has received the IO control codes sent by the auxiliary detection process, it parses them and identifies the "kernel exploitation monitoring" flag, then selects the corresponding dispatch handler routine according to the data in the incoming buffer. According to the sample file information and the switch information for each detection function point, it hooks, in the SSDT (System Service Descriptor Table), the APIs specified for each function detection point together with NtQueryIntervalProfile.
Using these hooks, a custom function is executed before the system calls a specified API or NtQueryIntervalProfile, which realizes the detection of each kernel-layer operation behaviour.
Step S306, a log file is generated from the detection results and stored under the log directory.
The virtual-machine-based kernel vulnerability detection method provided by this embodiment runs inside a virtual machine sandbox isolation environment. It turns on the kernel-layer behaviour monitoring master switch according to the sample file information and the switch information for each detection function point sent by the user-layer process, monitors the new processes created by the system, and detects each kernel-layer operation behaviour of the new process. The method isolates kernel vulnerability detection from the outside and provides a closed detection environment for suspicious samples: even if a suspicious sample really does exploit a vulnerability, it cannot damage the server side. This provides a safe and efficient kernel vulnerability detection mechanism.
Fig. 4 shows a flow chart of a virtual-machine-based kernel vulnerability detection method according to another embodiment of the invention. This embodiment further elaborates the working process of the core detection process on the basis of the method shown in Fig. 3. As shown in Fig. 4, the method comprises the following steps:
Step S401, the driver is loaded.
When the driver of the core detection process is loaded, it initializes the data structure objects and variables the driver needs. It records the process ID of at least one system process, and records at least one key function pointer value stored in the HAL dispatch table (HalDispatchTable), such as the pointer value of HalQuerySystemInformation.
Step S402, a log recording thread is created.
To record the detection process conveniently, a log recording thread is created to record the logs produced during detection.
Step S403, the sample file information and the switch information for each detection function point, sent by the user-layer process by means of IO control codes, are received.
In this embodiment, the user-layer process may be the auxiliary detection process described in the above embodiments. The core detection process receives the various IO control codes sent by the auxiliary detection process and parses them to obtain the sample file information and the switch information for each detection function point.
Specifically, the core detection process parses the IO control codes, identifies the "kernel exploitation monitoring" flag, and then selects the corresponding dispatch handler routine according to the data in the incoming buffer.
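The IO-control-code exchange of Steps S213/S217 and S403 (and, for the process filter list, Step S501) can be made concrete with the following portable C model. This is an added example and not code from the patent: the control codes, the request layout, the switch bitmask, the `kdet_` names and the `KDET_MAGIC` flag value are assumptions, while the `CTL_CODE` bit layout and the `FILE_DEVICE_UNKNOWN`/`METHOD_BUFFERED`/`FILE_ANY_ACCESS` constants are the real Windows definitions. The point a practitioner should take from it is that the dispatch routine validates the caller-supplied length, the flag, the switch bits and the string termination before it touches any state, because a detection driver's IOCTL handler is itself kernel attack surface inside the sandbox VM.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Real Windows CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method. */
#define CTL_CODE(dev, fn, method, access) \
    ((uint32_t)(((dev) << 16) | ((access) << 14) | ((fn) << 2) | (method)))
#define FILE_DEVICE_UNKNOWN 0x22
#define METHOD_BUFFERED     0
#define FILE_ANY_ACCESS     0

/* Hypothetical control codes of the core detection driver (function numbers >= 0x800 are the vendor range). */
#define IOCTL_KDET_SET_MONITOR CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_KDET_ADD_FILTER  CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define KDET_MAGIC 0x4B44454DU   /* assumed value of the "kernel exploitation monitoring" flag */

/* One bit per detection function point: the switch information sent by the auxiliary process. */
enum { KDET_SW_HALDISPATCH = 1u << 0, KDET_SW_TOKEN_SWAP = 1u << 1, KDET_SW_TOKEN_ATTR = 1u << 2,
       KDET_SW_TOKEN_ACL = 1u << 3, KDET_SW_KROP = 1u << 4, KDET_SW_BITMAP = 1u << 5 };
#define KDET_SW_ALL 0x3Fu

struct kdet_monitor_request {       /* assumed input buffer layout, 288 bytes, no padding */
    uint32_t magic;
    uint32_t switches;
    uint32_t timeout_seconds;       /* the timeout restriction from the configuration */
    uint8_t  sample_md5[16];
    char     sample_path[260];      /* must be NUL-terminated inside the buffer */
};

#define KDET_MAX_FILTER 8
struct kdet_state {                 /* the driver's device extension, modelled as a plain struct */
    int      master_on;
    uint32_t switches, timeout_seconds;
    uint8_t  sample_md5[16];
    char     sample_path[260];
    uint32_t filter_pids[KDET_MAX_FILTER];
    size_t   filter_count;
};
static struct kdet_state g_state;

enum kdet_status { KDET_OK = 0, KDET_BAD_LENGTH, KDET_BAD_MAGIC, KDET_BAD_SWITCH, KDET_FULL, KDET_UNKNOWN_IOCTL };

/* Dispatch handler: every field is checked before the state is touched. */
int kdet_dispatch(struct kdet_state *st, uint32_t code, const void *in, size_t in_len)
{
    switch (code) {
    case IOCTL_KDET_SET_MONITOR: {
        struct kdet_monitor_request req;
        if (in_len < sizeof req) return KDET_BAD_LENGTH;          /* never trust the caller's length */
        memcpy(&req, in, sizeof req);
        if (req.magic != KDET_MAGIC) return KDET_BAD_MAGIC;
        if (req.switches & ~KDET_SW_ALL) return KDET_BAD_SWITCH;  /* reject unknown function points */
        if (memchr(req.sample_path, '\0', sizeof req.sample_path) == NULL) return KDET_BAD_LENGTH;
        st->switches = req.switches;
        st->timeout_seconds = req.timeout_seconds;
        memcpy(st->sample_md5, req.sample_md5, sizeof st->sample_md5);
        memcpy(st->sample_path, req.sample_path, sizeof st->sample_path);
        st->master_on = req.switches != 0;                        /* master switch of steps S303/S405 */
        return KDET_OK;
    }
    case IOCTL_KDET_ADD_FILTER: {                                /* protected detection subprocess PID, step S501 */
        uint32_t pid;
        if (in_len < sizeof pid) return KDET_BAD_LENGTH;
        memcpy(&pid, in, sizeof pid);
        if (st->filter_count >= KDET_MAX_FILTER) return KDET_FULL;
        st->filter_pids[st->filter_count++] = pid;
        return KDET_OK;
    }
    default:
        return KDET_UNKNOWN_IOCTL;
    }
}

/* Hook prologues consult this to decide whether a detection function point is active. */
int kdet_switch_on(const struct kdet_state *st, uint32_t sw)
{
    return st->master_on && (st->switches & sw) != 0;
}

/* User-layer side: build the request the auxiliary detection process would send. */
int kdet_send_monitor(struct kdet_state *st, uint32_t switches, uint32_t timeout, const char *path)
{
    struct kdet_monitor_request req;
    memset(&req, 0, sizeof req);
    req.magic = KDET_MAGIC;
    req.switches = switches;
    req.timeout_seconds = timeout;
    snprintf(req.sample_path, sizeof req.sample_path, "%s", path);
    return kdet_dispatch(st, IOCTL_KDET_SET_MONITOR, &req, sizeof req);
}

int kdet_add_filter(struct kdet_state *st, uint32_t pid)
{
    return kdet_dispatch(st, IOCTL_KDET_ADD_FILTER, &pid, sizeof pid);
}

int main(void)
{
    int rc = kdet_send_monitor(&g_state, KDET_SW_HALDISPATCH | KDET_SW_TOKEN_SWAP, 120, "C:\\tmp\\sample.exe");
    printf("set monitor -> %d, code 0x%06X, HalDispatchTable check on: %d, bitmap check on: %d\n",
           rc, IOCTL_KDET_SET_MONITOR, kdet_switch_on(&g_state, KDET_SW_HALDISPATCH),
           kdet_switch_on(&g_state, KDET_SW_BITMAP));
    return 0;
}
```

In a real driver the request would be read from the IRP's system buffer after checking the input buffer length supplied in the I/O stack location, and `g_state` would live in the device extension; the validation order is what carries over.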
Step S404, according to the sample file information and the switch information for each detection function point, the APIs specified for each function detection point and NtQueryIntervalProfile are hooked in the SSDT.
This embodiment detects each kernel-layer operation behaviour of the new process by hooking. According to the sample file information and the switch information for each detection function point, it hooks, in the SSDT, the APIs specified for each function detection point and NtQueryIntervalProfile. The hooked APIs are specifically the key NTAPI functions for memory, privilege, registry, process/thread and file operations. A process creation notification routine is also registered; whenever the system creates a new process, the process creation notification routine is entered and performs the associated operations.
Step S405, the kernel-layer behaviour monitoring master switch is turned on according to the switch information for each detection function point.
Step S406, when the system creates a new process, the new process is added to the process creation record list.
When the system creates a new process, the process creation notification routine is entered first; in this routine the attribute values of the newly created process are recorded, for example Privileges, UserSID and OwnerSID. The new process is then added to the process creation record list.
Step S407, each kernel-layer operation behaviour of the new process is detected.
When a new process calls NtQueryIntervalProfile, it is first checked whether the new process is in the process creation record list; if not, it is added to the list. Likewise, when a new process calls one of the aforementioned specified APIs, it is checked whether the new process is in the process creation record list and, if not, it is added.
Once it is ensured that the new process has been added to the process creation record list, hooking is used to detect each kernel-layer operation behaviour of the new process, specifically in the following embodiments:
(1) HalDispatchTable detection
Using the hook, before NtQueryIntervalProfile is invoked, the at least one key function pointer value stored in HalDispatchTable is read and compared with the at least one key function pointer value recorded from HalDispatchTable when the driver was loaded; if any of the key function pointer values differs, privilege escalation behaviour by the new process is detected.
(2) Token replacement detection
Using the hook, before the corresponding specified API is invoked, the EPROCESS structure address of at least one system process is obtained from the process ID of that system process recorded when the driver was loaded, and the EPROCESS structure address of the new process is obtained as well. The pointer value of the Token field in the EPROCESS structure of the new process is compared with the pointer value of the Token field in the EPROCESS structure of each of the system processes; if it matches the Token pointer value of any one of the system processes, privilege escalation behaviour by the new process is detected.
Here the specified APIs may be: process creation (NtCreateUserProcess); creating and reading or writing memory in other processes (NtAllocateVirtualMemory, NtProtectVirtualMemory, NtReadVirtualMemory, NtWriteVirtualMemory); opening other processes or threads (NtOpenThread, NtOpenProcess, NtSetContextThread); registry read/write; file read/write; and so on.
(3) Token attribute value detection
Using the hook, before the corresponding specified API is invoked, the attribute values of the new process are obtained and compared with the attribute values of the new process recorded in the process creation notification routine; if they differ, privilege escalation behaviour by the new process is detected.
Specifically, the Privileges, TokenUser and/or TokenOwner of the new process obtained at this point are compared with the Privileges, TokenUser and/or TokenOwner of the new process recorded in the process creation notification routine; if any one of these comparisons differs, privilege escalation behaviour by the new process is detected.
Here the specified APIs are the Token-related functions.
(4) Token attribute null detection
Using the hook, before the corresponding specified API is invoked, it is queried whether the ACL of the Token in the EPROCESS structure of the new process has been set to null; if so, privilege escalation behaviour by the new process is detected.
(5) Kernel ROP (Return Oriented Programming, an attack based on code reuse) detection
Kernel ROP is currently commonly used to disable SMEP (Supervisor Mode Execution Protection) or otherwise modify the CR4 register. This method uses the hook to check, before the CR4 register is operated on in the call stack, whether the call stack is one that is permitted to execute CR4-modifying instructions, or to detect whether the call stack executes an instruction that disables SMEP; if so, privilege escalation behaviour by the new process is detected.
(6) Bitmap exploitation detection
Behaviour that uses a Bitmap object to convert a restricted kernel address write into an arbitrary kernel address read/write is detected; if such behaviour is present, privilege escalation behaviour by the new process is detected.
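The comparisons behind detection methods (1) to (4) can be written down as plain functions. The following C program is an added example, not code from the patent: the TOKEN and EPROCESS layouts, the `scenario` helper, the SIDs and the kernel addresses in it are constructed stand-ins, since the real layouts vary by Windows version and the real checks run inside an SSDT hook prologue. Two facts it adds to the description above: NtQueryIntervalProfile is the natural trigger for check (1) because that system call dispatches through HalDispatchTable (the HalQuerySystemInformation slot), which is exactly why exploits overwrite that slot and then invoke it; and the Token field of EPROCESS is an EX_FAST_REF, so its low reference-count bits must be masked before two Token pointers are compared, otherwise check (2) misses a replaced token whose count happens to differ.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint64_t KPTR;                 /* a kernel function pointer value as it appears in the log */

/* Modelled TOKEN and EPROCESS (assumption: real layouts are OS-version specific). */
struct token {
    uint64_t    privileges;            /* Privileges mask */
    uint32_t    user_rid;              /* stand-in for the TokenUser SID */
    uint32_t    owner_rid;             /* stand-in for the TokenOwner SID */
    const void *default_dacl;          /* NULL models a cleared ACL */
};
struct eprocess {
    uint32_t  pid;
    uintptr_t token_ref;               /* EX_FAST_REF: Token pointer with a ref count in the low bits */
};
/* EX_FAST_REF keeps 4 count bits on x64 and 3 on x86; strip them before comparing pointers. */
#define EX_FAST_REF_MASK ((uintptr_t)(sizeof(void *) == 8 ? 0xF : 0x7))
static struct token *token_of(const struct eprocess *p) {
    return (struct token *)(p->token_ref & ~EX_FAST_REF_MASK);
}

#define HAL_KEY_ENTRIES 2
struct snapshot {                      /* recorded when the driver loads (step S401) */
    KPTR      hal_entries[HAL_KEY_ENTRIES];   /* e.g. the HalQuerySystemInformation slot */
    uintptr_t system_tokens[4];               /* stripped Token pointers of the recorded system processes */
    size_t    n_system;
};
struct create_record {                 /* recorded in the process creation notify routine (step S406) */
    uint32_t pid; uint64_t privileges; uint32_t user_rid, owner_rid;
};
enum verdict { V_CLEAN = 0, V_HAL_TAMPERED, V_TOKEN_SWAPPED, V_TOKEN_ATTR_CHANGED, V_TOKEN_ACL_NULL };

/* (1) Before NtQueryIntervalProfile: compare the live table slots with the load-time snapshot. */
enum verdict check_hal_dispatch(const struct snapshot *s, const KPTR *live) {
    for (size_t i = 0; i < HAL_KEY_ENTRIES; i++)
        if (live[i] != s->hal_entries[i]) return V_HAL_TAMPERED;
    return V_CLEAN;
}
/* (2) Token replacement: the new process now points at a system process's token. */
enum verdict check_token_swap(const struct snapshot *s, const struct eprocess *p) {
    uintptr_t t = p->token_ref & ~EX_FAST_REF_MASK;
    for (size_t i = 0; i < s->n_system; i++)
        if (t == s->system_tokens[i]) return V_TOKEN_SWAPPED;
    return V_CLEAN;
}
/* (3) Token attributes changed in place since process creation. */
enum verdict check_token_attrs(const struct create_record *r, const struct eprocess *p) {
    const struct token *t = token_of(p);
    return (t->privileges != r->privileges || t->user_rid != r->user_rid ||
            t->owner_rid != r->owner_rid) ? V_TOKEN_ATTR_CHANGED : V_CLEAN;
}
/* (4) Token ACL nulled. */
enum verdict check_token_acl(const struct eprocess *p) {
    return token_of(p)->default_dacl == NULL ? V_TOKEN_ACL_NULL : V_CLEAN;
}
/* Hook prologue: run the checks that apply to the intercepted call; the first hit wins. */
enum verdict pre_call_checks(const struct snapshot *s, const KPTR *live_hal,
                             const struct create_record *r, const struct eprocess *p,
                             int is_query_interval_profile) {
    enum verdict v;
    if (is_query_interval_profile && (v = check_hal_dispatch(s, live_hal)) != V_CLEAN) return v;
    if ((v = check_token_swap(s, p)) != V_CLEAN) return v;
    if ((v = check_token_attrs(r, p)) != V_CLEAN) return v;
    return check_token_acl(p);
}

/* Constructed scenario: SYSTEM (pid 4) and a sample process (pid 1000); attack selects the tampering. */
enum verdict scenario(int attack) {
    struct token sys_tok = { ~0ULL, 18, 18, "dacl" };
    struct token smp_tok = { 0x800ULL, 1001, 1001, "dacl" };
    struct eprocess sys_proc = { 4, (uintptr_t)&sys_tok | 1 };      /* low bits: EX_FAST_REF count */
    struct eprocess smp_proc = { 1000, (uintptr_t)&smp_tok | 3 };
    KPTR live_hal[HAL_KEY_ENTRIES] = { 0xFFFFF80001000100ULL, 0xFFFFF80001000200ULL }; /* hypothetical */
    struct snapshot snap = { { live_hal[0], live_hal[1] }, { (uintptr_t)&sys_tok }, 1 };
    struct create_record rec = { 1000, smp_tok.privileges, 1001, 1001 };
    switch (attack) {
    case 1: live_hal[1] = 0x401000ULL; break;               /* slot redirected to user-mode shellcode */
    case 2: smp_proc.token_ref = sys_proc.token_ref; break;  /* token stealing */
    case 3: smp_tok.privileges = ~0ULL; break;              /* privileges enabled in place */
    case 4: smp_tok.default_dacl = NULL; break;             /* ACL cleared */
    default: break;
    }
    return pre_call_checks(&snap, live_hal, &rec, &smp_proc, attack == 1);
}

int main(void) {
    static const char *names[] = { "clean", "HalDispatchTable tampered", "Token replaced",
                                   "Token attributes changed", "Token ACL null" };
    for (int a = 0; a <= 4; a++) printf("attack %d -> %s\n", a, names[scenario(a)]);
    return 0;
}
```

The verdict order in `pre_call_checks` matters: a stolen token would also fail the attribute comparison, so the swap check runs first to attribute the hit to the right detection function point in the log.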
Step S408, a log file is generated from the detection results and stored under the log directory.
Log records are generated in a preset format and inserted into a log buffer list. The log recording thread continuously checks whether a new log record has been inserted into the log buffer list; if so, it appends the new record to the log file at the path specified in the configuration options and releases the node of that record in the log buffer list.
This scheme generates the detection log by buffering records: the detected log records are held temporarily in the log buffer list, and the log recording thread polls the list and processes each log node in turn in FIFO (first in, first out) order, appending the log content to the log file. After detection completes, an external scheduling module obtains and processes the log file.
The log records of this scheme contain environment and file basic information, detection function point trigger data, and so on. Environment and file basic information is output in the form of a sequential (flow) log, while detection function point trigger data is output in the form of a behaviour log. The environment and file basic information includes the sample process file MD5, the sample file path, and the names and file versions of the major system modules. For HalDispatchTable detection, the detection function point trigger data includes: process ID, thread ID, the name of the tampered function, the pointer value after tampering, and the hooked API (NtQueryIntervalProfile) at which the detection occurred. For Token replacement detection, the trigger data includes: process ID, thread ID, Token address, the name of the matched system process, and the hooked API at which the detection occurred. For Token attribute value detection, the trigger data includes: process ID, thread ID, the Privileges mask description sequence, UserSID, OwnerSID, and the hooked API at which the detection occurred. The detection function point trigger data of the other detection methods is similar and is not repeated here.
The virtual-machine-based kernel vulnerability detection method provided by this embodiment runs inside a virtual machine sandbox isolation environment. It turns on the kernel-layer behaviour monitoring master switch according to the sample file information and the switch information for each detection function point sent by the user-layer process, monitors the new processes created by the system, and detects each kernel-layer operation behaviour of the new process. The method isolates kernel vulnerability detection from the outside and provides a closed detection environment for suspicious samples: even if a suspicious sample really does exploit a vulnerability, it cannot damage the server side. This provides a safe and efficient kernel vulnerability detection mechanism. The method installs hook functions, by hooking, for the APIs corresponding to each detection function point supplied by the user-layer process, and performs the detection operations before the API is executed, so that problems such as privilege escalation and exploitation can be found promptly and effectively, which improves the efficiency of kernel vulnerability detection.
Fig. 5 shows a flow chart of a virtual-machine-based kernel vulnerability detection process protection method according to an embodiment of the invention. The method provided by this embodiment is mainly used to protect the address space of the detection processes running in the virtual machine sandbox isolation environment, preventing a malicious sample process that has escaped the sandbox from accessing, releasing or leaking it, so as to avoid the theft of confidential information. As shown in Fig. 5, the method includes the following steps:
Step S501, obtaining the relevant information of each detection subprocess, and writing the relevant information of each detection subprocess into a process filter list.
After the auxiliary detection process loads the driver of the core detection process, it reads the relevant field of the target detection configuration file, parses it to obtain the process names of one or more detection subprocesses, obtains the process ID of each detection subprocess from its process name, and sends the process ID of each detection subprocess to the core detection process by means of an IO control code.
The core detection process receives the process ID of each detection subprocess sent by the auxiliary detection process (the user-layer process) via the IO control code. Specifically, upon receiving the IO control code labeled "process ID filtering", the core detection process obtains the process ID transmitted this time from the input buffer and obtains the relevant information of the detection subprocess from the process ID. In this method, the relevant information may specifically be the EPROCESS structure address. After obtaining the EPROCESS structure address of each detection subprocess, the core detection process writes the EPROCESS structure address of each detection subprocess into the process filter list.
Step S502, using hooking, before a specified API is called, obtaining the relevant information of the current context process and the relevant information of the operation target process.
This method hooks the specified APIs that operate on processes, threads and memory address spaces; after a specified API is hooked, steps S502 to S504 are implemented in the hook function. In step S502, the EPROCESS structure address of the current context process and the EPROCESS structure address of the operation target process are obtained.
Step S503, judging whether the relevant information of the operation target process is recorded in the process filter list and the relevant information of the current context process is not recorded in the process filter list; if so, performing step S504; if not, performing step S505.
Alternatively, it is judged whether the EPROCESS structure address of the operation target process is recorded in the process filter list and the EPROCESS structure address of the current context process is not recorded in the process filter list.
Step S504, terminating the call to the specified API.
If it is judged that the EPROCESS structure address of the operation target process is recorded in the process filter list while the EPROCESS structure address of the current context process is not, this indicates that another process is attempting to access a detection subprocess, which must be prevented. For example, an access-denied status code is returned and the call to the specified API is terminated.
Step S505, continuing to call the specified API and returning the return value of the specified API to the caller.
If it is judged that the EPROCESS structure address of the operation target process is not recorded in the process filter list, or that the EPROCESS structure address of the current context process is recorded in the process filter list, the specified API continues to be called and its return value is returned to the caller.
According to the virtual-machine-based kernel vulnerability detection process protection method provided by this embodiment, the relevant information of each detection subprocess is written into a process filter list; before a specified API is called, a hook obtains the relevant information of the current context process and of the operation target process and matches both against the process filter list to determine whether to terminate the call to the specified API. With this method, the address space of the detection processes running in the virtual machine sandbox isolation environment can be protected against access by a malicious sample process that has escaped the sandbox, the theft of confidential information is avoided, and the security of kernel vulnerability detection in the virtual machine sandbox isolation environment is improved.
Fig. 6 shows a flow chart of a virtual-machine-based kernel vulnerability detection file protection method according to an embodiment of the invention. The method provided by this embodiment is mainly used to protect the detection files produced during detection, such as log files, against access, tampering, encryption or destruction by a malicious sample process that has escaped the sandbox, so as to avoid detection failure or abnormal results caused thereby and to maintain the stability and performance of the sandbox system. As shown in Fig. 6, the method includes the following steps:
Step S601, obtaining the relevant information of each detection subprocess, and writing the relevant information of each detection subprocess into a process filter list.
After the auxiliary detection process loads the driver of the core detection process, it reads the relevant field of the target detection configuration file, parses it to obtain the process names of one or more detection subprocesses, obtains the process ID of each detection subprocess from its process name, and sends the process ID of each detection subprocess to the core detection process by means of an IO control code.
The core detection process receives the process ID of each detection subprocess sent by the auxiliary detection process (the user-layer process) via the IO control code. Specifically, upon receiving the IO control code labeled "process ID filtering", the core detection process obtains the process ID transmitted this time from the input buffer and obtains the relevant information of the detection subprocess from the process ID. In this method, the relevant information may specifically be the EPROCESS structure address. After obtaining the EPROCESS structure address of each detection subprocess, the core detection process writes the EPROCESS structure address of each detection subprocess into the process filter list.
Step S602, obtaining the storage path information of the detection files, and writing the storage path information of the detection files into a private directory list.
After the auxiliary detection process loads the driver of the core detection process, it reads the relevant field of the target detection configuration file, parses it to obtain the storage paths of one or more detection files, and sends the storage path of each detection file to the core detection process by means of an IO control code.
The core detection process receives the storage path of each detection file sent by the auxiliary detection process (the user-layer process) via the IO control code. Specifically, upon receiving the IO control code labeled "private directory", the core detection process obtains the storage path of the detection file transmitted this time from the input buffer, constructs a string from that storage path as the storage path information of the detection file, and writes the storage path information of the detection file into the private directory list.
Step S603, when a file access operation occurs, judging whether the storage path information of the file access object is recorded in the private directory list.
In this embodiment, protection of the detection files is mainly implemented in the bodies of the IRP dispatch functions. For example, in the bodies of the dispatch functions for READ, WRITE, CREATE, SET_INFORMATION, DIRECTORY_CONTROL and the like, it is judged whether the storage path information of the file access object is recorded in the private directory list; if so, step S604 is performed; if not, step S606 is performed.
Step S604, judging whether the relevant information of the current context process is recorded in the process filter list.
If the storage path information of the file access object is recorded in the private directory list, it is further judged whether the relevant information of the current context process is recorded in the process filter list; specifically, whether the EPROCESS structure address of the current context process is recorded in the process filter list. If so, step S606 is performed; if not, step S605 is performed.
Step S605, if it is judged that the relevant information of the current context process is not recorded in the process filter list, refusing the file access operation.
If the storage path information of the file access object is recorded in the private directory list and the relevant information of the current context process is not recorded in the process filter list, this indicates that another process is attempting to access a detection file; the IRP is not dispatched further down, and the file access operation is refused.
Step S606, if it is judged that the storage path information of the file access object is not recorded in the private directory list, or that the relevant information of the current context process is recorded in the process filter list, continuing to respond to the file access operation.
If the storage path information of the file access object is not recorded in the private directory list, the object being accessed is not a detection file requiring protection; the IRP continues to be dispatched downwards and the file access operation is responded to. If the storage path information of the file access object is recorded in the private directory list and the relevant information of the current context process is recorded in the process filter list, this indicates that a detection subprocess is accessing a detection file; the IRP continues to be dispatched downwards and the file access operation is responded to.
According to the virtual-machine-based kernel vulnerability detection file protection method provided by this embodiment, the relevant information of each detection subprocess is written into a process filter list and the storage path information of the detection files is written into a private directory list; when a file access operation occurs, the storage path information of the file access object and the relevant information of the current context process are matched against the private directory list and the process filter list respectively to determine whether to refuse the file access operation. With this method, the detection files produced in the virtual machine sandbox isolation environment can be protected against access, tampering, encryption or destruction by a malicious sample process that has escaped the sandbox, detection failure or abnormal results caused thereby are avoided, and the stability and performance of the sandbox system are maintained.
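The two mediation decisions of Fig. 5 (steps S503 to S505) and Fig. 6 (steps S603 to S606) in one user-mode C model, added here as an illustration and not code from the patent. It assumes an EPROCESS address can be treated as an opaque integer and a detection-file path as a case-insensitive string prefix; the addresses, directory and file names are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the patent's code): a user-mode model of the process
 * filter list and private directory list checks. An EPROCESS address is an
 * opaque uintptr_t and an NT file path a C string; all values are constructed. */

#define MAX_FILTER_ENTRIES 16
#define MAX_PRIVATE_DIRS    8

/* Process filter list (S501/S601): EPROCESS addresses of detection subprocesses. */
static uintptr_t g_filter[MAX_FILTER_ENTRIES];
static size_t    g_filter_count;

/* Private directory list (S602): directory prefixes of protected detection files. */
static const char *g_private_dirs[MAX_PRIVATE_DIRS];
static size_t      g_private_count;

typedef enum { ACTION_ALLOW, ACTION_DENY } action_t;

void lists_reset(void) { g_filter_count = 0; g_private_count = 0; }

/* Records one detection subprocess; returns false when the list is full. */
bool filter_list_add(uintptr_t eprocess) {
    if (g_filter_count >= MAX_FILTER_ENTRIES) return false;
    g_filter[g_filter_count++] = eprocess;
    return true;
}

/* Records one protected directory; the prefix is expected to end in '\\'. */
bool private_dir_add(const char *dir) {
    if (g_private_count >= MAX_PRIVATE_DIRS) return false;
    g_private_dirs[g_private_count++] = dir;
    return true;
}

bool in_filter_list(uintptr_t eprocess) {
    for (size_t i = 0; i < g_filter_count; i++)
        if (g_filter[i] == eprocess) return true;
    return false;
}

/* Case-insensitive prefix match, because NT paths are compared case-insensitively. */
bool in_private_dir(const char *path) {
    for (size_t i = 0; i < g_private_count; i++) {
        const char *dir = g_private_dirs[i];
        size_t n = strlen(dir), j;
        for (j = 0; j < n; j++) {
            if (path[j] == '\0' ||
                tolower((unsigned char)path[j]) != tolower((unsigned char)dir[j]))
                break;
        }
        if (j == n) return true;
    }
    return false;
}

/* Fig. 5, S503-S505: run in the hook before a process/thread/memory API executes.
 * Deny only when a process outside the filter list targets one inside it. */
action_t process_access_decision(uintptr_t current, uintptr_t target) {
    if (in_filter_list(target) && !in_filter_list(current))
        return ACTION_DENY;   /* S504: return an access-denied status, skip the API */
    return ACTION_ALLOW;      /* S505: pass the call through */
}

/* Fig. 6, S603-S606: run in the IRP dispatch function (READ, WRITE, CREATE, ...).
 * Deny only when a protected path is touched by a process outside the filter list. */
action_t file_access_decision(uintptr_t current, const char *path) {
    if (!in_private_dir(path)) return ACTION_ALLOW;   /* S606: not a detection file */
    if (in_filter_list(current)) return ACTION_ALLOW; /* S606: a detection subprocess itself */
    return ACTION_DENY;                               /* S605: do not pass the IRP down */
}

int main(void) {
    /* Constructed scenario: two detection subprocesses, one private log directory. */
    const uintptr_t detect_a = 0x1000, detect_b = 0x2000, sample = 0x3000;
    lists_reset();
    filter_list_add(detect_a);
    filter_list_add(detect_b);
    private_dir_add("C:\\Detect\\Log\\");
    printf("sample -> detect_a     : %s\n",
           process_access_decision(sample, detect_a) == ACTION_DENY ? "deny" : "allow");
    printf("detect_a -> detect_b   : %s\n",
           process_access_decision(detect_a, detect_b) == ACTION_DENY ? "deny" : "allow");
    printf("sample reads run.log   : %s\n",
           file_access_decision(sample, "c:\\detect\\log\\run.log") == ACTION_DENY ? "deny" : "allow");
    printf("detect_a reads run.log : %s\n",
           file_access_decision(detect_a, "C:\\Detect\\Log\\run.log") == ACTION_DENY ? "deny" : "allow");
    return 0;
}
```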
Fig. 7 shows a functional block diagram of a virtual-machine-based kernel vulnerability detection device according to an embodiment of the invention. The device runs in a server-side virtual machine sandbox isolation environment and performs dynamic kernel vulnerability exploit detection on a specified sample file. As shown in Fig. 7, the device includes: a communication agent module 701, a scheduling management and control module 702, an auxiliary detection module 703 and a core detection module 704.
The communication agent module 701 is adapted to start a communication agent process, which listens on a designated port, waits for and receives the detection package and sample file transmitted by the host outside the virtual machine, and stores the detection package and the sample file under the detection directory and the temporary directory respectively. The communication agent process is responsible for data interaction and file transfer with the process on the host outside the virtual machine. When the server-side virtual machine operating system boots, the communication agent process starts with it. The communication agent process listens on the designated port and waits for and receives the detection package and sample file transmitted by the associated process on the host outside the virtual machine. The communication agent process decompresses the detection package and stores the decompressed files under the detection directory; in addition, it stores the sample file under the temporary directory. Then the communication agent process starts the scheduling management and control process contained in the detection package.
The scheduling management and control module 702 is adapted to start the scheduling management and control process contained in the detection package, which obtains the storage path of the sample file, identifies the sample file type, selects the detection mode and each detection function point according to the configuration options in the general detection configuration file, and creates the target detection configuration file for the sample file. After the scheduling management and control process starts, it obtains the storage path of the sample file and identifies the sample file type. Then it reads the general detection configuration file associated with it, selects the detection mode and each detection function point according to the sample file type, initializes its own functions, and creates the target detection configuration file for the sample file. Then the scheduling management and control process starts the auxiliary detection process and passes the storage path of the sample file (which may be a URL) to the auxiliary detection process as a parameter.
The auxiliary detection module 703 is adapted to start the auxiliary detection process, which controls the switch of each detection function point using the target detection configuration file. After the auxiliary detection process starts, it initializes according to the target detection configuration file, loads the driver of the core detection process, and controls the switch of each detection function point using the target detection configuration file.
The core detection module 704 is adapted to start the core detection process, which receives the relevant information of the sample file and the switch information of each detection function point sent by the auxiliary detection process, performs vulnerability detection, generates a log file according to the detection result, and stores the log file under the log directory. After the auxiliary detection process loads the driver of the core detection process, the core detection process starts. It receives the relevant information of the sample file and the switch information of each detection function point sent by the auxiliary detection process and performs initialization. Then it detects the sample file according to the relevant information of the sample file and the switch information of each detection function point, generates a log file according to the detection result, and stores the log file under the log directory.
The communication agent module 701 is further adapted to make the communication agent process create a message communication thread and establish a communication connection with the scheduling management and control process. After the scheduling management and control process starts, the communication agent process creates the message communication thread and, optionally, establishes the communication connection with the scheduling management and control process via RPC. Over this connection, message packets subsequently received from the scheduling management and control process can be forwarded in real time to the host outside the virtual machine.
The scheduling management and control module 702 is further adapted to make the scheduling management and control process create a screen capture thread that captures a screen image at predetermined time intervals, and to send the captured screen images in real time to the communication agent process over the communication connection established between the scheduling management and control process and the communication agent process.
The communication agent module 701 is further adapted to make the communication agent process send the captured screen images to the host outside the virtual machine.
The scheduling management and control module 702 is further adapted to make the scheduling management and control process create a simulated mouse click thread that simulates mouse click operations at random screen coordinates and on particular controls.
The scheduling management and control module 702 is further adapted to make the scheduling management and control process select a timeout restriction condition according to the configuration options in the general detection configuration file; during the detection of the sample file, it judges whether the timeout restriction condition is met, and if so, ends the detection, packages the detection result into a data packet and sends it to the communication agent process, so that the communication agent process sends the data packet to the host outside the virtual machine.
The core detection module 704 is further adapted to make the core detection process receive, by way of IO control codes, the relevant information of the sample file and the switch information of each detection function point sent by the auxiliary detection process.
The virtual-machine-based kernel vulnerability detection device provided by this embodiment runs in a virtual machine sandbox isolation environment; data interaction and file transfer with the host outside the virtual machine are realized by the communication agent process, and the scheduling management and control process and the auxiliary detection process assist the core detection process in detecting the sample file. The device isolates kernel vulnerability detection from the outside and provides a closed detection environment for a suspicious sample: even if the suspicious sample genuinely involves a vulnerability, no damage is caused to the server side, so a safe and efficient kernel vulnerability detection mechanism is provided. In this device, the scheduling management and control process selects a timeout restriction condition according to the configuration options in the general detection configuration file; configuring the timeout restriction condition prevents the detection of a given sample file from taking too long and improves detection efficiency. The scheduling management and control process creates a screen capture thread and/or a simulated mouse click thread, so that the image presented on the server screen can be passed to the host outside the virtual machine, where the user can view the progress and details of the detection process, giving a good visualization effect.
Fig. 8 shows a functional block diagram of a virtual-machine-based kernel vulnerability detection device according to another embodiment of the invention. The device runs in a virtual machine sandbox isolation environment. As shown in Fig. 8, the device includes: a loading module 801, a receiving module 802, a starting module 803, an adding module 804, a detection module 805 and a log storage module 806.
The loading module 801 is adapted to load the driver. When loading the driver, the loading module 801 initializes the data structure objects and variables needed by the driver, records the process ID of at least one system process, and records at least one key function pointer value stored in the HAL routine address table (HalDispatchTable), for example the HalQuerySystemInformation function pointer value.
The receiving module 802 is adapted to receive the relevant information of the sample file and the switch information of each detection function point sent by the user-layer process. In this embodiment, the user-layer process refers to the auxiliary detection process described in the above embodiments. The receiving module 802 receives the various IO control codes sent by the auxiliary detection process and parses them to obtain the relevant information of the sample file and the switch information of each detection function point. Specifically, by parsing the IO control code, the "kernel exploit monitoring" marker is identified, and according to the data in the input buffer (Buffer) the corresponding dispatch routine is selected.
The starting module 803 is adapted to turn on the kernel-layer behavior monitoring master switch according to the switch information of each detection function point.
The adding module 804 is adapted to add a new process to the process creation record list when the system creates the new process.
The detection module 805 is adapted to detect each kernel-layer operation behavior of the new process.
The log storage module 806 is adapted to generate a log file according to the detection result and store the log file under the log directory.
Further, the device also includes a hook configuration module 807, adapted to hook, in the SSDT, the specified API of each detection function point and NtQueryIntervalProfile according to the relevant information of the sample file and the switch information of each detection function point. The device detects each kernel-layer operation behavior of the new process by hooking. According to the relevant information of the sample file and the switch information of each detection function point, the specified API of each detection function point and NtQueryIntervalProfile are hooked in the SSDT. The hooked APIs are specifically the key NTAPIs for operations on memory, privileges, the registry, processes/threads, files and the like.
Further, the device also includes a routine setting module 808, adapted to set a process creation notification routine and to record, in the process creation notification routine, the attribute values of the created new process. When the system creates a new process, the routine setting module 808 records the attribute values of the created new process in the process creation notification routine, for example Privileges, UserSID and OwnerSID.
The detection module 805 is further adapted to: using hooking, before NtQueryIntervalProfile is called, obtain at least one key function pointer value stored in the HAL routine address table; compare the obtained key function pointer value(s) with the key function pointer value(s) of the HAL routine address table that were recorded during driver loading; and if the comparison is inconsistent, detect that the new process exhibits privilege escalation behavior.
The detection module 805 is further adapted to: using hooking, before the corresponding specified API is called, obtain the EPROCESS structure address of the at least one system process from the process ID of the at least one system process recorded during driver loading, and at the same time obtain the EPROCESS structure address of the new process; compare the pointer value of the Token field in the EPROCESS structure of the new process with the pointer value of the Token field in the EPROCESS structure of the at least one system process; and if the pointer value of the Token field in the EPROCESS structure of the new process is identical to the pointer value of the Token field in the EPROCESS structure of one of the system processes, detect that the new process exhibits privilege escalation behavior.
The detection module 805 is further adapted to: using hooking, before the corresponding specified API is called, obtain the attribute values of the new process; compare the obtained attribute values of the new process with the attribute values of the new process recorded in the process creation notification routine; and if the comparison is inconsistent, detect that the new process exhibits privilege escalation behavior.
The detection module 805 is further adapted to compare the obtained Privileges, TokenUser and/or TokenOwner of the new process with the Privileges, UserSID and/or OwnerSID of the new process recorded in the process creation notification routine.
The detection module 805 is further adapted to: using hooking, before the corresponding specified API is called, query whether the ACL in the Token field of the EPROCESS structure of the new process is set to null; if so, detect that the new process exhibits privilege escalation behavior.
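The HAL table, Token swap, Token attribute and Token ACL checks described above, as an added user-mode C model that is not the patent's code. The EPROCESS and Token layouts, the load-time baseline, the creation-time snapshot and every pointer value and SID are constructed stand-ins for what the driver would read from the kernel.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not the patent's code): a user-mode model of four of the
 * checks above, run when a hooked API is entered. EPROCESS and Token are
 * simplified structs, the HAL table is an array of pointer values, and
 * every value is constructed; nothing here reflects a real kernel layout. */

#define HAL_ENTRIES      4
#define MAX_SYSTEM_PROCS 4

typedef struct {
    uintptr_t user_sid;    /* stands in for the TokenUser SID (UserSID) */
    uintptr_t owner_sid;   /* stands in for the TokenOwner SID (OwnerSID) */
    uint64_t  privileges;  /* stands in for the Privileges mask */
    bool      has_acl;     /* false models a Token whose ACL was set to null */
} token_t;

typedef struct {
    uint32_t       pid;
    const token_t *token;  /* stands in for the Token field of EPROCESS */
} eprocess_t;

/* Baseline taken when the driver loads: HAL table pointers and the Token
 * pointers of the system processes whose process IDs were recorded. */
typedef struct {
    uintptr_t      hal_table[HAL_ENTRIES];
    const token_t *system_tokens[MAX_SYSTEM_PROCS];
    size_t         system_count;
} baseline_t;

enum { DETECT_NONE = 0, DETECT_HAL_TAMPER = 1, DETECT_TOKEN_SWAP = 2,
       DETECT_TOKEN_ATTRS = 4, DETECT_TOKEN_ACL = 8 };

void baseline_record(baseline_t *b, const uintptr_t hal_now[HAL_ENTRIES],
                     const eprocess_t *const *system_procs, size_t n) {
    for (size_t i = 0; i < HAL_ENTRIES; i++) b->hal_table[i] = hal_now[i];
    b->system_count = n < MAX_SYSTEM_PROCS ? n : MAX_SYSTEM_PROCS;
    for (size_t i = 0; i < b->system_count; i++)
        b->system_tokens[i] = system_procs[i]->token;
}

/* Process-creation notify routine: snapshot the new process's token attributes. */
token_t creation_snapshot(const eprocess_t *p) { return *p->token; }

/* HalDispatchTable check: index of the first entry that differs from the
 * baseline (a tampered function pointer), or -1 when all entries still match. */
int check_hal_table(const baseline_t *b, const uintptr_t hal_now[HAL_ENTRIES]) {
    for (size_t i = 0; i < HAL_ENTRIES; i++)
        if (b->hal_table[i] != hal_now[i]) return (int)i;
    return -1;
}

/* Token swap check: the new process's Token pointer equals a system process's. */
bool check_token_swap(const baseline_t *b, const eprocess_t *p) {
    for (size_t i = 0; i < b->system_count; i++)
        if (b->system_tokens[i] == p->token) return true;
    return false;
}

/* Token attribute check: Privileges/UserSID/OwnerSID differ from the creation snapshot. */
bool check_token_attrs(const token_t *snap, const eprocess_t *p) {
    return p->token->privileges != snap->privileges ||
           p->token->user_sid   != snap->user_sid   ||
           p->token->owner_sid  != snap->owner_sid;
}

/* Token ACL check: the ACL in the Token has been set to null. */
bool check_token_acl_null(const eprocess_t *p) { return !p->token->has_acl; }

/* Runs all four checks at the hook point; returns the DETECT_* flags that fired. */
unsigned detect_privilege_escalation(const baseline_t *b, const uintptr_t hal_now[HAL_ENTRIES],
                                     const token_t *snap, const eprocess_t *p) {
    unsigned flags = DETECT_NONE;
    if (check_hal_table(b, hal_now) >= 0) flags |= DETECT_HAL_TAMPER;
    if (check_token_swap(b, p))           flags |= DETECT_TOKEN_SWAP;
    if (check_token_attrs(snap, p))       flags |= DETECT_TOKEN_ATTRS;
    if (check_token_acl_null(p))          flags |= DETECT_TOKEN_ACL;
    return flags;
}

int main(void) {
    /* Constructed scenario: PID 4 is the recorded system process, PID 1234 the sample. */
    const token_t sys_tok = { 0x5100, 0x5100, 0xFFFFFFFFull, true };
    const token_t sample_tok = { 0x1000, 0x1000, 0x800000000ull, true };
    const eprocess_t sys_proc = { 4, &sys_tok };
    eprocess_t sample = { 1234, &sample_tok };
    const eprocess_t *sys_list[1] = { &sys_proc };
    uintptr_t hal[HAL_ENTRIES] = { 0x7f001000, 0x7f001100, 0x7f001200, 0x7f001300 };
    baseline_t base;
    baseline_record(&base, hal, sys_list, 1);
    token_t snap = creation_snapshot(&sample);
    printf("clean   : flags=0x%x\n", detect_privilege_escalation(&base, hal, &snap, &sample));
    sample.token = &sys_tok;   /* simulate a Token swap onto the system token */
    printf("swapped : flags=0x%x\n", detect_privilege_escalation(&base, hal, &snap, &sample));
    return 0;
}
```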
The detection module 805 is further adapted to: using hooking, before an operation on the CR4 register is performed in the call stack, check whether the call stack is one that is permitted to invoke CR4 register modification instructions, or detect whether the call stack invokes an instruction that disables SMEP; if so, detect that the new process exhibits privilege escalation behavior.
The detection module 805 is further adapted to detect whether there is behavior that converts a conditional kernel address write operation into an arbitrary kernel address read/write operation; if so, detect that the new process exhibits privilege escalation behavior.
The virtual-machine-based kernel vulnerability detection device provided by this embodiment runs in a virtual machine sandbox isolation environment. According to the relevant information of the sample file and the switch information of each detection function point sent by the user-layer process, it turns on the kernel-layer behavior monitoring master switch, monitors the new processes created by the system, and detects each kernel-layer operation behavior of a new process. The device isolates kernel vulnerability detection from the outside and provides a closed detection environment for a suspicious sample: even if the suspicious sample genuinely involves a vulnerability, no damage is caused to the server side, so a safe and efficient kernel vulnerability detection mechanism is provided. By hooking, the device sets a hook function on the API corresponding to each detection function point supplied by the user-layer process and performs the detection operation before the API is called, so that problems such as privilege escalation exploits can be found promptly and effectively, and the efficiency of kernel vulnerability detection is improved.
Fig. 9 shows a functional block diagram of a virtual-machine-based kernel vulnerability detection process protection device according to an embodiment of the invention. The device provided by this embodiment is mainly used to protect the address space of the detection processes running in the virtual machine sandbox isolation environment, preventing a malicious sample process that has escaped the sandbox from accessing, releasing or leaking it, so as to avoid the theft of confidential information. As shown in Fig. 9, the device includes: a writing module 901, a hook processing module 902, a judging module 903 and a terminating module 904. Optionally, it also includes a receiving module 905 and a calling module 906.
The receiving module 905 is adapted to receive the process ID of each detection subprocess sent by the user-layer process.
After the auxiliary detection process loads the driver of the core detection process, it reads the relevant field of the target detection configuration file, parses it to obtain the process names of one or more detection subprocesses, obtains the process ID of each detection subprocess from its process name, and sends the process ID of each detection subprocess to the core detection process by means of an IO control code.
The receiving module 905 inside the core detection process receives the process ID of each detection subprocess sent by the auxiliary detection process (the user-layer process) via the IO control code. Specifically, upon receiving the IO control code labeled "process ID filtering", the receiving module 905 obtains the process ID transmitted this time from the input buffer.
The writing module 901 is adapted to obtain the relevant information of each detection subprocess and write the relevant information of each detection subprocess into the process filter list.
The writing module 901 obtains the relevant information of a detection subprocess from its process ID. The relevant information may specifically be the EPROCESS structure address. After obtaining the EPROCESS structure address of each detection subprocess, the writing module 901 writes the EPROCESS structure address of each detection subprocess into the process filter list.
The hook processing module 902 is adapted to use hooking to obtain, before a specified API is called, the relevant information of the current context process and the relevant information of the operation target process.
The hook processing module 902 hooks the specified APIs that operate on processes, threads and memory address spaces; after a specified API is hooked, the functions of the judging module 903 and the terminating module 904 are implemented in the hook function. The hook processing module 902 first obtains the EPROCESS structure address of the current context process and the EPROCESS structure address of the operation target process.
The judging module 903 is adapted to judge whether the relevant information of the operation target process is recorded in the process filter list and the relevant information of the current context process is not recorded in the process filter list. Specifically, the judging module 903 judges whether the EPROCESS structure address of the operation target process is recorded in the process filter list and the EPROCESS structure address of the current context process is not recorded in the process filter list.
Terminate module 904 is adapted to terminate the call to the specified API if judge module 903 judges that the relevant information of the operation target process is recorded in the process filter list and that the relevant information of the current context process is not recorded in the process filter list.
Calling module 906 is adapted to continue calling the specified API and return the return value of the specified API to the caller if judge module 903 judges that the relevant information of the operation target process is not recorded in the process filter list, or that the relevant information of the current context process is recorded in the process filter list.
According to the kernel vulnerability detection process protection device based on a virtual machine provided by this embodiment, the relevant information of each detection subprocess is written into the process filter list; before a specified API is called, a hook obtains the relevant information of the current context process and of the operation target process, and both are matched against the process filter list to decide whether the call to the specified API is terminated. With this device, the address space of the detection processes running in the virtual machine sandbox isolation environment is protected from access by a malicious sample process that has escaped the sandbox, preventing confidential information from being stolen and raising the security of kernel vulnerability detection in the virtual machine sandbox isolation environment.
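The following is an added example, not code from the patent, that models in portable C the decision made by hook processing module 902, judge module 903, terminate module 904 and calling module 906, together with the "process ID filtering" IOCTL handled by receiver module 905 and writing module 901. It assumes that EPROCESS addresses can be represented as plain uintptr_t values, that the PID-to-EPROCESS lookup a driver would perform with PsLookupProcessByProcessId can be replaced by a constructed table, and that the hooked API can be a stub; the process table, addresses and NTSTATUS values it uses are constructed for the example.

```c
/*
 * Added example (not the patent's code): process-protection decision of the
 * device in Figure 9, written so it runs outside a Windows kernel.
 * Assumptions: EPROCESS addresses are uintptr_t values; the PID lookup that
 * a driver does with PsLookupProcessByProcessId is a constructed table.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_FILTERED 64
#define STATUS_SUCCESS           0L
#define STATUS_ACCESS_DENIED     ((long)0xC0000022L)  /* Windows NTSTATUS value */
#define STATUS_INVALID_PARAMETER ((long)0xC000000DL)  /* Windows NTSTATUS value */

/* Process filter list filled by writing module 901. */
static uintptr_t g_filter[MAX_FILTERED];
static size_t    g_filter_count;

void filter_list_clear(void) { g_filter_count = 0; }

static bool filter_list_contains(uintptr_t eprocess)
{
    for (size_t i = 0; i < g_filter_count; i++)
        if (g_filter[i] == eprocess)
            return true;
    return false;
}

/* Writing module 901: record a detection subprocess. A null address, a
 * duplicate, or a full list is reported instead of being dropped silently. */
bool filter_list_add(uintptr_t eprocess)
{
    if (eprocess == 0 || filter_list_contains(eprocess))
        return false;
    if (g_filter_count >= MAX_FILTERED)
        return false;
    g_filter[g_filter_count++] = eprocess;
    return true;
}

/* Constructed stand-in for PsLookupProcessByProcessId: PID -> EPROCESS. */
struct pid_map { uint32_t pid; uintptr_t eprocess; };
static const struct pid_map k_fake_processes[] = {
    { 1200, (uintptr_t)0xFFFF8A0012340000ULL },  /* detection subprocess A */
    { 1300, (uintptr_t)0xFFFF8A0012350000ULL },  /* detection subprocess B */
    { 4444, (uintptr_t)0xFFFF8A0099990000ULL },  /* escaped malicious sample */
};

uintptr_t lookup_eprocess(uint32_t pid)
{
    for (size_t i = 0; i < sizeof k_fake_processes / sizeof k_fake_processes[0]; i++)
        if (k_fake_processes[i].pid == pid)
            return k_fake_processes[i].eprocess;
    return 0;
}

/* Receiver module 905: handler for the "process ID filtering" IOCTL. The
 * input buffer comes from user mode, so its length is checked before the
 * PID is read, and a PID that resolves to no process is rejected. */
long ioctl_process_id_filter(const void *in_buf, size_t in_len)
{
    uint32_t pid;
    if (in_buf == NULL || in_len < sizeof pid)
        return STATUS_INVALID_PARAMETER;
    memcpy(&pid, in_buf, sizeof pid);
    uintptr_t ep = lookup_eprocess(pid);
    if (ep == 0 || !filter_list_add(ep))
        return STATUS_INVALID_PARAMETER;
    return STATUS_SUCCESS;
}

/* Judge module 903: the call is terminated only when the target is a
 * protected detection subprocess and the caller is not one. */
bool should_terminate_call(uintptr_t current_eprocess, uintptr_t target_eprocess)
{
    return filter_list_contains(target_eprocess) &&
           !filter_list_contains(current_eprocess);
}

/* Stand-in for the original (pre-hook) API that operates on a process. */
static long original_api(uintptr_t target_eprocess)
{
    (void)target_eprocess;
    return STATUS_SUCCESS;
}

/* Hook routine installed by module 902: terminate module 904 returns an
 * error without calling the API; calling module 906 passes the call through
 * and hands the original return value back to the caller. */
long hooked_api(uintptr_t current_eprocess, uintptr_t target_eprocess)
{
    if (should_terminate_call(current_eprocess, target_eprocess))
        return STATUS_ACCESS_DENIED;
    return original_api(target_eprocess);
}
```

Two practitioner caveats follow from the design. PsLookupProcessByProcessId returns a referenced EPROCESS pointer; a driver that stores the address must either keep that reference or remove the entry when the subprocess exits, because a freed EPROCESS address can be reused by an unrelated process and would then inherit the protected status. Also, the IOCTL handler must validate the buffer length it receives from user mode before reading the PID, as the stub above does, since the auxiliary process is itself running inside the sandbox.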
Figure 10 shows a functional block diagram of the kernel vulnerability detection file protection device based on a virtual machine according to an embodiment of the invention. The device provided by this embodiment is mainly used to protect the detection files produced during detection, such as log files, against access, tampering, encryption or destruction by a malicious sample process that has escaped the sandbox, thereby avoiding detection failures or abnormal results and safeguarding the stability and performance of the sandbox system. As shown in Figure 10, the device includes: first writing module 1001, second writing module 1002, first judge module 1003, second judge module 1004 and refusal module 1005; optionally, the device further includes receiver module 1006 and response module 1007.
Receiver module 1006 is adapted to receive the storage paths of the detection files sent by the user-mode process.
After the auxiliary detection process loads the driver of the core detection process, it reads the relevant fields of the target detection configuration file and parses out the process name of one or more detection subprocesses and the storage path of one or more detection files. It obtains the process ID of each detection subprocess from its process name and sends the process ID of each detection subprocess and the storage path of each detection file to the core detection process through IO control codes.
Receiver module 1006, inside the core detection process, receives the process ID of each detection subprocess and the storage path of each detection file sent by the auxiliary detection process (a user-mode process) through IO control codes. Specifically, after receiving the IO control code labeled "process ID filtering", the core detection process reads the process ID sent in that request from the input buffer; after receiving the IO control code labeled "private directory", it reads the detection file storage path sent in that request from the input buffer.
First writing module 1001 is adapted to obtain the relevant information of each detection subprocess and write the relevant information of each detection subprocess into the process filter list.
First writing module 1001 obtains the relevant information of a detection subprocess from its process ID. In this method the relevant information may specifically be the EPROCESS structure address. After obtaining the EPROCESS structure address of each detection subprocess, first writing module 1001 writes the EPROCESS structure address of each detection subprocess into the process filter list.
Second writing module 1002 is adapted to obtain the storage path information of the detection files and write the storage path information of the detection files into the private directory list.
Second writing module 1002 constructs a string from the storage path of each detection file as that file's storage path information and writes the storage path information of the detection file into the private directory list.
First judge module 1003 is adapted to judge, when a file access operation occurs, whether the storage path information of the file access object is recorded in the private directory list.
In this embodiment the protection of detection files is mainly implemented in the bodies of the IRP dispatch functions. For example, in the dispatch function bodies for READ, WRITE, CREATE, SET_INFORMATION, DIRECTORY_CONTROL and similar requests, it is judged whether the storage path information of the file access object is recorded in the private directory list.
Second judge module 1004 is adapted to judge, if first judge module 1003 judges that the storage path information of the file access object is recorded in the private directory list, whether the relevant information of the current context process is recorded in the process filter list.
If the storage path information of the file access object is recorded in the private directory list, second judge module 1004 further judges whether the relevant information of the current context process is recorded in the process filter list; specifically, it judges whether the EPROCESS structure address of the current context process is recorded in the process filter list.
Refusal module 1005 is adapted to refuse the file access operation if second judge module 1004 judges that the relevant information of the current context process is not recorded in the process filter list.
If the storage path information of the file access object is recorded in the private directory list and the relevant information of the current context process is not recorded in the process filter list, some other process is attempting to access a detection file; the IRP is not dispatched further down the stack and the file access operation is refused.
Response module 1007 is adapted to continue responding to the file access operation if first judge module 1003 judges that the storage path information of the file access object is not recorded in the private directory list, or if second judge module 1004 judges that the relevant information of the current context process is recorded in the process filter list.
If the storage path information of the file access object is not recorded in the private directory list, the object being accessed is not a detection file that needs protection; the IRP continues to be dispatched downward and the file access operation is served. If the storage path information of the file access object is recorded in the private directory list and the relevant information of the current context process is recorded in the process filter list, a detection subprocess is accessing a detection file; the IRP likewise continues to be dispatched downward and the file access operation is served.
According to the kernel vulnerability detection file protection device based on a virtual machine provided by this embodiment, the relevant information of each detection subprocess is written into the process filter list and the storage path information of the detection files is written into the private directory list; when a file access operation occurs, the storage path information of the file access object and the relevant information of the current context process are matched against the private directory list and the process filter list respectively to decide whether the file access operation is refused. With this device, the detection files produced in the virtual machine sandbox isolation environment are protected from being accessed, tampered with, encrypted or destroyed by a malicious sample process that has escaped the sandbox, avoiding the resulting detection failures or abnormal results and safeguarding the stability and performance of the sandbox system.
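The following is an added example, not code from the patent, that models in portable C the decision the IRP dispatch functions for CREATE, READ, WRITE, SET_INFORMATION and DIRECTORY_CONTROL make in the device of Figure 10: the private directory list of second writing module 1002, the path check of first judge module 1003, the process check of second judge module 1004, and the refuse-or-pass-down outcome of modules 1005 and 1007. It assumes that the storage path information is a textual NT device path such as "\Device\HarddiskVolume2\detect\result.log" (the paths, EPROCESS addresses and list sizes below are constructed for the example), and that EPROCESS addresses can be represented as uintptr_t values.

```c
/*
 * Added example (not the patent's code): file-protection decision of the
 * device in Figure 10, written so it runs outside a Windows kernel.
 * Assumptions: paths are NT device paths given as C strings (constructed);
 * EPROCESS addresses are uintptr_t values; both lists are fixed-size arrays.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_PATH_LEN     260
#define MAX_PRIVATE_DIRS 16
#define MAX_FILTERED     64

static char      g_private[MAX_PRIVATE_DIRS][MAX_PATH_LEN];  /* private directory list */
static size_t    g_private_count;
static uintptr_t g_filter[MAX_FILTERED];                     /* process filter list */
static size_t    g_filter_count;

/* IRP major function codes the device intercepts; IRP_MJ_OTHER stands for
 * any major it leaves alone. */
enum irp_major { IRP_MJ_CREATE, IRP_MJ_READ, IRP_MJ_WRITE,
                 IRP_MJ_SET_INFORMATION, IRP_MJ_DIRECTORY_CONTROL, IRP_MJ_OTHER };

/* PASS_DOWN: dispatch the IRP to the next driver. DENY: complete it with an
 * access-denied status without dispatching it further. */
enum verdict { PASS_DOWN, DENY };

void protection_reset(void) { g_private_count = 0; g_filter_count = 0; }

/* First writing module 1001. */
bool protected_process_add(uintptr_t eprocess)
{
    if (eprocess == 0 || g_filter_count >= MAX_FILTERED) return false;
    g_filter[g_filter_count++] = eprocess;
    return true;
}

static bool protected_process_contains(uintptr_t eprocess)
{
    for (size_t i = 0; i < g_filter_count; i++)
        if (g_filter[i] == eprocess) return true;
    return false;
}

/* Second writing module 1002: store the directory without a trailing
 * backslash so the boundary test in under_dir() is uniform. */
bool private_dir_add(const char *dir)
{
    size_t n = strlen(dir);
    if (n == 0 || n >= MAX_PATH_LEN || g_private_count >= MAX_PRIVATE_DIRS)
        return false;
    while (n > 1 && dir[n - 1] == '\\') n--;
    memcpy(g_private[g_private_count], dir, n);
    g_private[g_private_count][n] = '\0';
    g_private_count++;
    return true;
}

/* Case-insensitive prefix match (NTFS paths are case-insensitive) that also
 * requires a separator boundary, so "...\detect" covers "...\detect\a.log"
 * and "...\detect" itself but not "...\detect2\a.log". Stops at the end of
 * the shorter string, so it never reads past a short path. */
static bool under_dir(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)path[i]) != tolower((unsigned char)dir[i]))
            return false;
    return path[n] == '\0' || path[n] == '\\';
}

/* First judge module 1003. */
bool path_is_private(const char *path)
{
    for (size_t i = 0; i < g_private_count; i++)
        if (under_dir(path, g_private[i])) return true;
    return false;
}

/* Body shared by the intercepted dispatch functions: second judge module
 * 1004 decides between refusal module 1005 and response module 1007. */
enum verdict dispatch_decision(enum irp_major major, const char *path,
                               uintptr_t current_eprocess)
{
    switch (major) {
    case IRP_MJ_CREATE: case IRP_MJ_READ: case IRP_MJ_WRITE:
    case IRP_MJ_SET_INFORMATION: case IRP_MJ_DIRECTORY_CONTROL:
        break;
    default:
        return PASS_DOWN;                 /* not a filtered request */
    }
    if (!path_is_private(path))
        return PASS_DOWN;                 /* not a detection file */
    if (protected_process_contains(current_eprocess))
        return PASS_DOWN;                 /* a detection subprocess */
    return DENY;                          /* another process: refuse */
}
```

Two points matter when this logic is placed in a real dispatch routine. The textual path is only available from the file object at CREATE time; for READ, WRITE and SET_INFORMATION on an already-open file, the decision should use a path resolved and cached at CREATE rather than re-parsed from the request. And a purely textual prefix match is bypassed by any alias of the protected directory, such as an 8.3 short name, a hard link or a mount point, so a production implementation resolves the canonical path before comparing it, and the boundary check in under_dir() is the minimum needed to keep a sibling directory with a shared prefix from being treated as protected.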
The present invention can be applied to network security, terminal security, cloud security, application security, security management, security services and other fields. Products include high-, mid- and low-end next-generation firewalls, intrusion prevention systems, DDoS attack defense systems, virtual integrated service gateways, sandboxes, big-data security analysis systems and similar products, together with the corresponding solutions for conventional and unknown threats.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It will be understood that various programming languages may be used to implement the content of the invention described herein, and the above description of a specific language is given to disclose the best mode of the invention.
In the specification provided herein, numerous specific details are set forth. It will be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that in the above description of exemplary embodiments of the invention, in order to simplify the disclosure and aid the understanding of one or more of the various inventive aspects, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all features of a single embodiment disclosed above. Thus the claims following this detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may in addition be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include some features included in other embodiments but not others, combinations of the features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the kernel vulnerability detection device based on a virtual machine according to embodiments of the invention. The invention may also be implemented as apparatus or device programs (for example, computer programs and computer program products) for performing some or all of the methods described herein. Such programs implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments describe rather than limit the invention, and those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names.