CN104200161B - Method for achieving intelligent sandbox file detection and intelligent sandbox detection system based on method - Google Patents
- Publication number: CN104200161B (application CN201410381591.1A)
- Authority: CN (China)
- Legal status: Active
Classifications
- G—PHYSICS
  - G06—COMPUTING OR CALCULATING; COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/55—Detecting local intrusion or implementing counter-measures
            - G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
              - G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
          - G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
            - G06F21/53—... by executing in a restricted environment, e.g. sandbox or secure virtual machine
Abstract
The invention relates to the field of malicious code detection and aims to provide a method for intelligent sandbox detection of files and a sandbox intelligent detection system based on it. In this method, when the sandbox performs file behaviour detection, the file under test is submitted to the sandbox for execution; the detection module invokes the file, monitors the program's runtime behaviour through the API HOOK module, and at the same time uses the detection module's intelligent simulation module to reproduce as fully as possible how the file would run in a real environment. The invention simulates manual operation with a dedicated program, which solves the problem that current dynamic behaviour analysis cannot fully reproduce a program's execution path and therefore misses malicious behaviour; through API HOOK hijacking it solves the problem of the file under test detecting virtualization during file detection.
Description
Technical field
The invention concerns the field of malicious code detection, and in particular a method for intelligent sandbox detection of files and a sandbox intelligent detection system based on it.
Background
Today's malware uses tricks such as inserting junk code, swapping the positions of code blocks, reassigning registers and substituting equivalent code to evade traditional signature-based anti-malware detection. To address this, many vendors use a sandbox to strengthen their ability to detect the attack behaviour of malicious code.
When a sandbox is used for malicious code detection, malicious behaviour is judged almost entirely by feature matching. For example, Chinese patent application CN201410032004.8, "A method and apparatus for automatic processing of malicious code samples", proposes extracting static features for matching, supplemented by dynamic feature matching. Although many sandboxes also use dynamic analysis, dynamic analysis suffers from the problem that the sandbox environment cannot faithfully reproduce the execution path of the file under test.
When a sandbox is used for file analysis, each vendor also has its own criterion for deciding that analysis of the current file is finished. The common practice is to set a maximum running time for the program; when the program reaches that limit, detection is judged complete and the current detection task is ended. The problem with this approach is that a single file can take too long: even when the file performs no further operations, the system still has to wait for the run to time out, so the detection process contains useless work and detection efficiency is reduced.
Summary of the invention
The main purpose of the invention is to overcome the shortcomings of the prior art by providing a method for intelligent sandbox detection of files and a system for it. To solve the above technical problem, the solution of the invention is as follows.
A method for intelligent sandbox detection of files is provided, used to detect the execution behaviour of a file, and specifically comprising the following steps:
Step 1: The sandbox module receives the file to be tested, generates a detection task according to the rules, writes the detection task into the database, and marks the task status as pending;
The detection task comprises an auto-incremented task ID; the saved path and file type of the file to be tested (the file type is obtained by the Magic method combined with the file suffix: if the Magic method can determine the file type, that type is used as the file type of the current file; if Magic cannot determine the program's file type, the file name suffix is used as the file type of the executable); the checksum of the file (obtained with a hash algorithm); and the detection time specified for this run of the file;
Step 1 is executed repeatedly, in a loop on a separate thread;
Step 2: The sandbox module connects to the database and queries whether any detection task has the status pending; if there is none, the sandbox module waits a specified time and queries again;
If the sandbox module finds a task whose status is pending, it calls the virtual host's public interface function (for example VBoxManage showvminfo, to obtain the virtual host's current running state) to check whether a virtual host is currently available to run the detection task (a virtual host that is powered off or saved can be used). If no virtual host can currently run the task, the sandbox module waits a specified time and re-reads the virtual host states; if a virtual host is available, it calls the virtual host's public interface (for example VBoxManage startvm) to start it;
After the virtual host has started, the detection module, which starts together with the virtual host, begins listening on a specified port (the port number can be specified in the detection module program). The sandbox module connects to the virtual host's listening port and submits the pending task over the network to the detection module in the virtual host used for this detection; it marks the submitted task's status as submitted and keeps the connection open, waiting for data to be returned by the detection module;
On receiving the detection task, the detection module reads the file type from the task and checks whether the current system has a corresponding execution program that can run the file to be tested; if so it returns initialization success, otherwise initialization failure;
Step 3: The sandbox module receives the initialization information returned by the detection module in step 2 and uses it to decide whether the virtual host can run the current detection task. If initialization succeeded, the current file can be tested and processing continues with step 4; if initialization failed, the current detection task cannot be executed and the task ends, and the sandbox module marks the task's status in the database as undetectable;
Step 4: The sandbox module uploads the file to be tested to the detection module over the network. When the transfer is complete, the sandbox module keeps its connection to the virtual host in order to receive the detection result information, and marks the current task status as in detection;
Step 5: The detection module in the virtual host receives the file to be tested, computes its checksum and compares it with the checksum in the detection task to confirm that the file is complete (matching checksums mean the transfer is complete). If the transfer is incomplete, the detection module communicates with the sandbox module and asks it to retransmit the file. If the transfer is complete, the detection module starts the file, suspends the file's process using the suspend parameter, and at the same time starts a timer to record how long the file has been executing. Once the process is suspended, the detection module injects the API HOOK module into the running space of the file under test. (A typical application of API hooking is Microsoft's Process Monitor; the invention performs its API HOOK operations on the same principle. The API HOOK module of the invention runs on the virtual host and is mainly used to hook the system functions on the virtual host, including but not limited to the process creation, file read/write, file deletion, network connection and registry access functions, and to output the recorded runtime information of the file under test to the detection module. The API HOOK functions also implement access hijacking for some file accesses: when the file under test tries to access a particular system resource, for example the virtual host's VBoxService file, the API HOOK module hijacks the access request and directly returns file access failure, thereby preventing the file under test from determining whether the current environment is a virtual machine by accessing virtual machine feature files. A typical application of API hijacking is the file firewall used by some anti-virus software; this embodiment is implemented on the same principle.) After the API HOOK module has been injected successfully, the detection module resumes execution of the file under test; the API HOOK module records the file's behaviour information and returns the detection results to the detection module. If, within a specified time, the API HOOK module does not observe the file under test calling any of the system functions hooked by the API HOOK module, it returns "no operation for the specified time" to the detection module, which treats this as a sign that detection of the file is complete and jumps to step 7. The detection module transmits the file behaviour information it receives from the API HOOK module to the sandbox module over the network. If the file under test fails to start or the API HOOK module fails to inject, detection ends and a detection-exception instruction is returned to the sandbox module; on receiving the detection-failure information, the sandbox module marks the current task's status in the database as detection failed and jumps to step 7;
Step 6: The detection module starts the intelligent simulation module. The intelligent simulation module identifies, programmatically, the running window of the file under test (for files of exe type), retrieves the buttons in the window and their titles, and compares the retrieved titles with the titles preset in the program (the preset titles are the titles of buttons that the intelligent simulation module is configured to operate, including but not limited to "yes", "ok", "install", "agree", "run", "continue", "finish", "accept", "extract", "接受" (accept), "同意" (agree), "下一步" (next) and "完成" (finish)); this decides whether simulated manual intervention must be applied to the file under test in order to reproduce its real running environment. It attempts to obtain the running window, child windows and window buttons of the file under test (a typical application for obtaining a program's windows, child windows and buttons is Microsoft's Spy++ tool; the invention obtains this information on the same principle);
If the intelligent simulation module succeeds in obtaining the running window, child windows and window buttons of the file under test, it matches the retrieved button titles against the preset titles. If a match is found, the intelligent simulation module moves the mouse onto the matching button, performs a left-click, and then repeats step 6. If no match is found, the detection time set in the current task is used to judge whether the file under test has finished running: if the program exits normally within the detection time, step 8 is executed; if the file's running time reaches the detection time set in the task and the file is still running, step 7 is executed;
Step 7: The detection module calls the Processkill function to terminate the file under test;
Step 8: The detection module returns a detection-complete instruction to the sandbox module;
Step 9: If the sandbox module receives a detection-exception instruction from the detection module, it marks the current detection task as detection exception;
If the sandbox module has not received a detection-exception instruction before receiving the detection-complete instruction, it marks the current task as detection complete, saves the file's detection result to a file, and attaches the path of the result file to the current task for use by other programs;
After receiving the detection-complete instruction, the sandbox module calls the virtual host's public interface function (for example VBoxManage controlvm) to shut down the virtual host that ran the current task;
After the virtual host has shut down, the sandbox module calls the image restore function (for example VBoxManage snapshot) to restore the virtual host image; the current detection task is then complete, and step 2 is repeated.
A sandbox intelligent detection system based on the above method is provided, comprising a sandbox module and a virtual host; together they form the body of the sandbox. The database is contained in the sandbox module; the detection module and its subordinate intelligent simulation module and API HOOK module run in the virtual host;
The sandbox module is the main module of the sandbox intelligent detection system; it receives files to be tested and generates detection tasks, manages the tasks, initiates file detection, schedules and manages virtual hosts, and receives and stores detection results;
The database may be of any type; it stores the detection tasks that the sandbox module generates and manages;
The detection module is the detection executable running on the virtual host. It communicates with the sandbox module, obtains detection tasks and the files to be tested, performs file detection while monitoring the execution through the API HOOK module, and returns the runtime behaviour data of the file under test to the sandbox module over the network. The detection module is built into the virtual host and starts with the virtual host's operating system. Here, "file to be tested" refers to a file in a detection task that has not yet been submitted for detection; once it has been submitted to the virtual host for detection it is called the "file under test";
The virtual host is a virtualization program running in the sandbox environment together with the operating system running under it (for example a Windows operating system running in the VirtualBox virtualization software); the virtual host saves its state after start-up as a restore point.
Working principle of the invention: when the sandbox performs file behaviour detection, after the file under test has been submitted to the sandbox for execution, the detection module invokes it, monitors the program's runtime behaviour through the API HOOK module, and at the same time uses the detection module's intelligent simulation module to reproduce as fully as possible how the file would run in a real environment.
Compared with the prior art, the beneficial effects of the invention are:
A dedicated program simulates manual operation, solving the problem that current dynamic behaviour analysis cannot fully reproduce a program's execution path and therefore misses malicious behaviour; API HOOK hijacking solves the problem of the file under test detecting virtualization during file detection.
Description of drawings
Fig. 1 is the main flow chart of file detection in the invention.
Fig. 2 is the flow chart of intelligent detection in the invention.
Fig. 3 is the table mapping file types to execution programs.
Detailed description
It should first be noted that the invention concerns malicious code detection technology, an application of computer technology in the field of information security. Implementing the invention involves several software function modules. The applicant holds that, after carefully reading the application documents and correctly understanding the implementation principle and purpose of the invention, a person skilled in the art can fully implement the invention with ordinary software programming skills in combination with known technology. These software function modules include but are not limited to the sandbox module, detection module, API HOOK module and intelligent simulation module; everything mentioned in the application documents belongs to this category and the applicant does not list them individually.
The invention is described in further detail below with reference to the drawings and a specific embodiment:
A method for intelligent sandbox detection of files, used to detect a file to be tested, specifically comprises the following steps:
Step 1: The sandbox module receives files to be tested in a loop and generates a pending task according to the rules (the file type is obtained by the Magic method combined with the file suffix: if the Magic method can determine the file type, that type is used as the file type of the current file, and if Magic cannot determine the program's file type, the file name suffix is used as the file type of the executable; a hash algorithm computes the checksum of the file to be tested; the detection time of the pending task is specified), marks the task status as pending, and writes the task into the task table of a MySQL database.
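The task-generation rule of step 1 (stated in the summary and again in this embodiment), as an added example that is not the patent's code: the file type comes from leading magic bytes first and from the file-name suffix only when no magic matches, the checksum is a hash of the file contents, and the task gets an auto-incremented ID and the status pending. The magic table, SHA-256 as the hash, the 120-second default detection time and the dictionary standing in for the MySQL task table are all assumptions.

```python
"""Sandbox-module task generation (added example, not the patent's code)."""
import hashlib
import itertools
import os
import tempfile
from dataclasses import dataclass, asdict

# Constructed magic table: the patent only says Magic is tried before the
# suffix, it does not list signatures; these are common ones (assumption).
MAGIC_SIGNATURES = [
    (b"MZ", "exe"),                 # PE executable
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0", "doc"),   # OLE compound file (doc/xls/ppt)
    (b"\x7fELF", "elf"),
]

_task_ids = itertools.count(1)      # auto-increment task ID


@dataclass
class DetectionTask:
    task_id: int
    path: str
    file_type: str
    checksum: str
    detect_seconds: int             # detection time for this run
    status: str = "pending"         # pending -> submitted -> detecting -> complete/failed/...


def detect_file_type(path: str) -> str:
    """Magic first; fall back to the file-name suffix when nothing matches."""
    with open(path, "rb") as f:
        head = f.read(8)
    for signature, file_type in MAGIC_SIGNATURES:
        if head.startswith(signature):
            return file_type
    suffix = os.path.splitext(path)[1].lstrip(".").lower()
    return suffix or "unknown"


def sha256_of(path: str) -> str:
    """Checksum of the file contents (SHA-256 chosen here; the patent says 'hash algorithm')."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_task(path: str, detect_seconds: int = 120) -> DetectionTask:
    return DetectionTask(next(_task_ids), path, detect_file_type(path),
                         sha256_of(path), detect_seconds)


def write_task(task_table: dict, task: DetectionTask) -> None:
    """Stand-in for INSERT INTO task (...) on the MySQL task table."""
    task_table[task.task_id] = asdict(task)


def demo() -> dict:
    """Run three constructed sample files through make_task and return the tasks."""
    task_table = {}
    out = {}
    with tempfile.TemporaryDirectory() as d:
        samples = {
            # PE bytes behind a misleading .pdf name: magic must win over the suffix
            "magic_wins": ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60),
            # no known magic: the suffix decides
            "suffix_fallback": ("setup.scr", b"no recognised magic here"),
            # content with a well-known SHA-256
            "known_hash": ("abc.txt", b"abc"),
        }
        for key, (name, content) in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(content)
            task = make_task(p)
            write_task(task_table, task)
            out[key] = task
    out["table_size"] = len(task_table)
    return out
```

Trying magic before the suffix is the security-relevant ordering: a PE renamed to `.pdf` is recorded as `exe`, so the detection module's file-type-to-executor table (Fig. 3) runs it as a program rather than handing it to a document viewer where its behaviour would never be observed.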
Step 2: The sandbox module connects to the MySQL database, queries the task table and tries to fetch a task whose status is pending. If one exists, the sandbox module calls the VBoxManage showvminfo function to check whether a powered-off or suspended virtual host is available for the current task. If all virtual hosts are running, the sandbox module re-reads the virtual host states every 1 second; if a virtual host is available for detection, it calls the VBoxManage startvm function to start it. The sandbox module then tries to connect to port 8000 of the virtual host (port 8000 is the port on which the detection module listens for communication after it starts). Once the connection succeeds, the sandbox uploads the detection task as a file to the detection module over HTTP; when the upload is complete, the sandbox module changes the task's status in the MySQL database to submitted and waits for the initialization result returned by the detection module;
The detection module starts with the virtual host and listens on port 8000. After receiving the detection task file uploaded by the sandbox module, it reads the task file and, using the file type in the task file together with the execution method for that file type defined inside the program, judges whether the file can be run normally. If so, the detection module returns initialization success to the sandbox main program and processing continues with step 3; if initialization fails, the detection module returns an initialization-failure message to the sandbox module, which changes the task's status in the MySQL database to undetectable and executes step 6;
Step 3: After the sandbox module receives the initialization-success message, it uploads the file to be tested to the detection module over HTTP. When the detection module has received the file, it computes the file's checksum and compares it with the checksum recorded in the task file. If the checksums differ, the upload is abnormal: the detection module reports a file exception to the sandbox module and asks it to retransmit the file. If the checksums match, the upload succeeded: the detection module executes the file to be tested with the suspend parameter and calls the timer function to record the file's running time. After the file has been executed and suspended, the detection module calls the API HOOK module to inject into the running space of the file under test. If injection succeeds, the detection module resumes execution of the file under test, receives the file behaviour information returned by the API HOOK module, and passes this behaviour back to the sandbox module over HTTP. If API HOOK injection fails, the detection module sends an injection-failure message to the sandbox module, which changes the current task status in the MySQL database to detection failed; then step 4 is executed;
While the detection module is executing the file under test, if the API HOOK module does not observe the file under test calling any of the system functions hooked by the API HOOK module within a specified time, the API HOOK module returns "no operation for the specified time" to the detection module; on receiving this, the detection module executes step 4;
While the detection module is executing the file under test, if the API HOOK module observes the file under test requesting a virtual-host feature file, it hijacks the file request using Windows API hooking and returns to the file under test a result indicating that the requested file does not exist;
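The run-control rules of step 3 (checksum check on receipt, the hook's "no operation for the specified time" idle signal, the task's detection time as a hard limit, and the "file not found" reply for virtual-host feature files), as an added example that is not the patent's code. The real hook runs inside the Windows process; here a constructed timeline of hooked calls is replayed so the decision logic can be exercised offline. The hooked API names, the list of artifact names beyond VBoxService, and SHA-256 as the checksum are assumptions.

```python
"""Detection-module run control over a replayed hook timeline (added example)."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# System functions the hook records: the patent names the categories
# (process creation, file read/write/delete, network, registry); the
# exact API names are assumed.
HOOKED_APIS = {"CreateProcess", "CreateFile", "ReadFile", "WriteFile",
               "DeleteFile", "connect", "RegOpenKey"}

# Virtual-host feature names whose lookup is answered with "not found".
# The patent names VBoxService; the other entries are assumed.
VM_ARTIFACTS = ("vboxservice", "vboxtray", "vboxguest", "vboxmouse")


@dataclass
class HookEvent:
    t: float            # seconds since the process was resumed
    api: str
    arg: str = ""


@dataclass
class RunReport:
    outcome: str        # idle_complete | timeout_killed | exited
    ended_at: float
    behaviour: List[Tuple[float, str, str]] = field(default_factory=list)
    denied: List[str] = field(default_factory=list)


def verify_transfer(data: bytes, expected_sha256: str) -> str:
    """Check on receipt: 'ok' if the checksum matches the task, else 'retransmit'."""
    return "ok" if hashlib.sha256(data).hexdigest() == expected_sha256 else "retransmit"


def hook_reply(ev: HookEvent) -> Optional[str]:
    """A request for a virtual-host feature file is answered as if it did not exist."""
    if ev.api == "CreateFile" and any(a in ev.arg.lower() for a in VM_ARTIFACTS):
        return "ERROR_FILE_NOT_FOUND"
    return None


def _stop_before(t_next, last_activity, idle_limit, max_time, exit_at):
    """Earliest reason to stop strictly before time t_next, or None to keep running."""
    candidates = [("idle_complete", last_activity + idle_limit),
                  ("timeout_killed", max_time)]
    if exit_at is not None:
        candidates.append(("exited", exit_at))
    outcome, when = min(candidates, key=lambda c: c[1])
    return (outcome, when) if when < t_next else None


def run_detection(events, idle_limit, max_time, exit_at=None) -> RunReport:
    """Replay the file's API calls and decide when detection ends.

    idle_limit: the hook's "no operation for the specified time" window;
    max_time:   the task's detection time (process killed when reached);
    exit_at:    when the process exits on its own, None if it never does.
    Calls to APIs that are not hooked do not count as activity."""
    report = RunReport("", 0.0)
    last_activity = 0.0
    for ev in sorted(events, key=lambda e: e.t):
        stop = _stop_before(ev.t, last_activity, idle_limit, max_time, exit_at)
        if stop:
            report.outcome, report.ended_at = stop
            return report
        if ev.api not in HOOKED_APIS:
            continue
        if hook_reply(ev):
            report.denied.append(ev.arg)       # hijacked, still recorded as behaviour
        report.behaviour.append((ev.t, ev.api, ev.arg))
        last_activity = ev.t
    report.outcome, report.ended_at = _stop_before(
        float("inf"), last_activity, idle_limit, max_time, exit_at)
    return report
```

The idle rule is what recovers the efficiency lost in the background section's fixed-timeout approach: a sample that makes its last hooked call at 3 s is finished at 3 s plus the idle window, not at the full detection time, while a sample that keeps calling hooked functions is still cut off at the task's detection time. Only hooked calls reset the idle clock, so a process that merely sleeps is treated as idle.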
The specific procedure by which the detection module performs behaviour detection on the detected file is as follows:
A. The detection module starts the detected file in suspended mode;
B. The sandbox module creates a timer to record the program's running time;
C. After the detected file has been suspended, the detection module calls the API HOOK module to perform process injection; once injection succeeds, the API HOOK module begins filtering and recording file behaviour information and reports it back to the detection module;
D. After injection, the detection module calls the intelligent simulation module, whose work consists of:
a. obtaining information about the program's windows via EnumWindows and its EnumWindowsProc callback;
b. selecting the visible windows via IsWindowVisible;
c. obtaining the child windows via EnumChildWindows;
d. using GetClassName to find the child windows whose class is Button;
e. obtaining each Button's caption via GetWindowText;
f. obtaining, via GetWindowRect, the Button's coordinate range on screen relative to the upper-left corner;
g. checking whether the obtained button caption is in the text list preset in the detection module (the list is {yes, ok, install, agree, run, continue, finish, accept, extract, 接受 (accept), 同意 (agree), 下一步 (next), 完成 (finish)}). If the caption is in the list, call SetForegroundWindow to bring the window to the front, SetCursorPos to move the mouse into the Button's coordinate range, and mouse_event to perform a left click; if it is not in the list, go on to the next Button;
h. repeat step D;
E. If the detected file exits while step D is running, go to step 6;
F. If the API HOOK module observes no file-operation behaviour from the detected file within the set time, it returns "no operation within the set time" to the detection module; on receiving this, the detection module proceeds to step 4;
G. If step D finds no caption that is in the text list, or the detected file has not finished detection and exited within the time set for the detection task, go to step 4;
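The decision made in sub-steps D.d to D.g is a small matching problem, so here it is as a pure function. This is an added example for this page, not the patent's code: the Win32 enumeration (EnumWindows, IsWindowVisible, EnumChildWindows, GetClassName, GetWindowText, GetWindowRect) and the click itself (SetForegroundWindow, SetCursorPos, mouse_event) are replaced by constructed `Button` records and a returned click point, so only the caption matching and coordinate step runs. The caption normalization (dropping the `&` mnemonic marker and a `(N)`-style mnemonic) is my own assumption about how installer captions look; the text list is the patent's.

```python
"""Button-dismissal decision of the intelligent simulation module (sub-steps
D.d to D.g) as a pure function. Added example, not the patent's code."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# The preset text list exactly as the patent gives it (sub-step g).
ACCEPT_TEXTS = {"yes", "ok", "install", "agree", "run", "continue", "finish",
                "accept", "extract", "接受", "同意", "下一步", "完成"}

MNEMONIC = re.compile(r"\([A-Za-z]\)")   # "(N)" style mnemonic common in Chinese installers


@dataclass(frozen=True)
class Button:
    """A child window of class 'Button' (constructed stand-in for the window handle)."""
    text: str                          # caption as GetWindowText would return it
    rect: Tuple[int, int, int, int]    # left, top, right, bottom in screen coordinates
    visible: bool = True               # what IsWindowVisible reports for the parent window


def normalize(caption: str) -> str:
    """Reduce a caption to the bare word that is compared against the list:
    drop the '&' mnemonic marker ('&Next >'), a '(N)' mnemonic, and trailing
    '>' or '...' decorations; compare case-insensitively."""
    text = MNEMONIC.sub("", caption.replace("&", ""))
    return text.strip().rstrip(">.").strip().lower()


def click_point(rect: Tuple[int, int, int, int]) -> Tuple[int, int]:
    """Centre of the rectangle GetWindowRect reported: where the cursor is moved."""
    left, top, right, bottom = rect
    return ((left + right) // 2, (top + bottom) // 2)


def choose_button(buttons: Iterable[Button]) -> Optional[Tuple[Button, Tuple[int, int]]]:
    """Sub-step g: the first visible Button whose normalized caption is in the
    list, with the point to click. None means no caption matched (sub-step G)."""
    for button in buttons:
        if button.visible and normalize(button.text) in ACCEPT_TEXTS:
            return button, click_point(button.rect)
    return None
```

Because the comparison is made on the lower-cased caption, `OK` and `&OK` both match; an English `Next >` is not in the patent's list and is left alone, whereas `下一步(N) >` is clicked. A practitioner extending the list should keep it this narrow: every caption added is a button the sandbox will press blindly.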
Step 4: The detection module calls ExitProcess to end the process of the currently detected file;
Step 5: The detection module returns a detection-complete instruction to the sandbox module;
Step 6: If the sandbox module receives a detection-error instruction from the detection module, it marks the current detection task as erroneous; if no detection-error instruction arrived before the detection-complete instruction, the sandbox module marks the task as complete, saves the detection results to a file, and attaches the result file's path to the current task for other programs to use;
After receiving the detection-complete instruction, the sandbox module calls the virtual host's public interface function VBoxManage controlvm to shut down the virtual host that ran the current task;
Once the virtual host has shut down, the sandbox module calls the image-restore function VBoxManage snapshot to restore the virtual host image; the current detection task is complete, and step 2 is repeated.
The invention also provides a sandbox intelligent detection system based on the method above, comprising a sandbox, a sandbox module, a detection module and a virtual host. They are related as follows: the sandbox module and the virtual host form the body of the sandbox; the detection module runs on the virtual host and is used mainly to communicate with the sandbox, obtain detection tasks and the files to be detected, run the detection task on the file, and return the detection results to the sandbox module. The detection module is configured to start at boot of the virtual host and comes up together with it.
The invention covers only the file-behaviour analysis process in the intelligent sandbox system; analysis of malicious code based on the recorded file behaviour is outside its scope.
The sandbox module is the main module of the sandbox intelligent detection system: it receives files to be detected and generates detection tasks, manages tasks, initiates file detection, schedules and manages virtual hosts, and receives and stores detection results.
The database may be of any type; it stores detection tasks and is used by the sandbox module to create and manage them.
The detection module is the detection executable running on the virtual host. It communicates with the sandbox module, obtains detection tasks and the detected file, runs the file, monitors its execution through the API HOOK module, and returns the detected file's runtime behaviour data to the sandbox module over the network. It is built into the virtual host and starts with the virtual host's operating system.
The virtual host is the virtualization program running in the sandbox environment together with the operating system running inside it (for example a Windows system running under the VirtualBox virtualization software); the virtual host's post-boot state is saved as a restore point.
The file to be detected is a file in a detection task that has not yet been submitted for detection; once it has been submitted to the virtual host for detection it is referred to as the detected file.
The following embodiment allows those skilled in the art to understand the invention more fully, but does not limit it in any way.
A sandbox intelligent detection system implementing the following functions:
Step 1: Obtain the file to be detected and generate a detection task;
Step 1 is called the task-generation step; it runs in a loop on its own thread.
Four kinds of files are accepted for detection: Windows PE files (exe and dll); documents (Word, Excel, PowerPoint and PDF); scripts (bat, cmd and vbs); and files that need an interpreter (py and jar). Files come from two sources: files of the specified types extracted from network traffic by traffic monitoring and similar means and submitted for detection, and files submitted manually to the sandbox system by technical staff.
The sub-steps of the task-generation step are:
Step 101: the sandbox reads the file to be detected and obtains its full storage path.
Step 102: the sandbox module determines the file type with a Magic probe; if the type cannot be determined, the file-name suffix is used as the file type;
Step 103: the sandbox module computes the file's checksum with a hash algorithm such as MD5 or CRC;
Step 104: the sandbox module obtains the execution time for this task; if no execution time was specified when the task was created, the sandbox module defaults to 5 minutes;
Step 105: the sandbox takes the current time as the task submission time;
Step 106: the sandbox reads the last task ID present in the task database and uses that value plus 1 as the new task's ID;
Step 107: the sandbox module writes the information gathered above into the detection task table of the MySQL database with an SQL statement, creating the current detection task and marking its status as pending.
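Steps 101 to 107 build one task record, and the checksum written in step 103 is what the detection module re-computes in step 3 (sub-step 4 below) to decide between accepting the upload and asking for retransmission. The following is an added example for this page, not the patent's code. It assumes a small constructed signature table in place of the Magic probe, an in-memory list in place of the MySQL task table, and the bytes that arrive over HTTP passed in directly.

```python
"""Task generation (steps 101-107) and the receiver-side upload check
(step 3 / sub-step 4). Added example, not the patent's code."""
import hashlib
import os
import time
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the Magic probe: leading bytes -> type label.
MAGIC_SIGNATURES = [
    (b"MZ", "pe"),             # exe / dll
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),    # docx/xlsx/pptx/jar are ZIP containers
]
DEFAULT_RUN_SECONDS = 5 * 60   # step 104: 5 minutes when none is given
PENDING = "pending"            # step 107: the "to be detected" state (label assumed)


def file_type(path: str, head: bytes) -> str:
    """Step 102: type from the leading bytes, else the file-name suffix."""
    for signature, label in MAGIC_SIGNATURES:
        if head.startswith(signature):
            return label
    suffix = os.path.splitext(path)[1].lstrip(".").lower()
    return suffix or "unknown"


def checksum(data: bytes) -> str:
    """Step 103: MD5 of the file. It only has to catch a corrupted or truncated
    upload; it is not a collision-resistant identity for the sample."""
    return hashlib.md5(data).hexdigest()


@dataclass
class Task:
    task_id: int          # step 106
    path: str             # step 101: full storage path
    file_type: str        # step 102
    checksum: str         # step 103
    run_seconds: int      # step 104
    submitted_at: float   # step 105
    state: str = PENDING  # step 107


class TaskTable:
    """In-memory stand-in for the MySQL detection-task table."""

    def __init__(self) -> None:
        self.rows: List[Task] = []

    def next_id(self) -> int:
        """Step 106: last existing task ID plus one (1 for an empty table)."""
        return self.rows[-1].task_id + 1 if self.rows else 1

    def create(self, path: str, data: bytes,
               run_seconds: Optional[int] = None,
               now: Optional[float] = None) -> Task:
        """Steps 101-107 for one file; returns the stored row."""
        task = Task(
            task_id=self.next_id(),
            path=os.path.abspath(path),
            file_type=file_type(path, data[:8]),
            checksum=checksum(data),
            run_seconds=run_seconds or DEFAULT_RUN_SECONDS,
            submitted_at=time.time() if now is None else now,
        )
        self.rows.append(task)
        return task


def verify_upload(task: Task, received: bytes) -> str:
    """Detection-module side of step 3 / sub-step 4: 'ok' when the received
    bytes hash to the checksum recorded in the task, otherwise 'retransmit'
    (the partial copy is discarded and the sandbox module is asked to resend)."""
    return "ok" if checksum(received) == task.checksum else "retransmit"
```

The suffix fallback in `file_type` is the weak point the patent accepts: a sample whose leading bytes match nothing is typed by a name the submitter controls, so the executor chosen in the virtual host (step 203, sub-step 3) follows the suffix rather than the content.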
Step 2: The sandbox module submits the pending task to a virtual host for detection and retrieves the detection result;
Step 2 is called the task-execution step and may comprise the following sub-steps.
Step 201: the sandbox module checks the states of the virtual hosts to decide whether an idle virtual host is available for a new detection task.
If any virtual host is in the powered-off or saved state, a virtual host is available for a new task; go to step 202.
If all virtual hosts are running, the sandbox module waits 1 second and queries the states again, until a virtual host in the powered-off or saved state exists; then go to step 202.
Step 202: the sandbox module queries the detection task table in the MySQL database for tasks whose status is pending;
If the detection task table currently holds no pending task, the sandbox module waits 1 second and repeats the search for pending tasks;
If exactly one pending task is found, the sandbox module proceeds to step 203 to submit it;
If several pending tasks are found, the sandbox module takes them in order of submission time, proceeds to step 203 to submit each, and marks the current task as submitted; the number of tasks the sandbox module may have under detection at the same time is at most the number of virtual hosts configured in the sandbox;
Step 203: the sandbox module submits the task to the virtual host and retrieves the file detection record. Specifically:
The sandbox module performs the following operations:
1) the sandbox module calls VBoxManage startvm to start the virtual host;
2) the sandbox module tries to connect to port 8000 on the virtual host; a successful connection means the virtual host has finished starting;
3) the sandbox module transmits the task list to the virtual host over HTTP and waits for the detection module's initialization result; if the detection module reports success, go to step 4; if it reports failure, go to step 204, and the sandbox module marks the current detection task as undetectable;
On receiving the virtual host's report that system initialization succeeded, the sandbox module reads the file to be detected and transmits it to the detection module over HTTP;
After the virtual host starts, the operations are as follows:
1) once the virtual host is up, the detection module built into it starts together with it;
2) the detection module opens port 8000 and listens on it;
3) the detection module receives the task configuration uploaded by the sandbox module, reads the configuration file, obtains the type of the file to be detected, and looks up the file-type/executor correspondence table (Figure 3) to see whether a program capable of executing that file is present;
If an executor for the file exists, the detection module returns initialization success to the sandbox module over port 8000, meaning it can receive the file;
If no executor exists, the detection module returns initialization failure over port 8000, meaning the current system cannot detect this type of file, and the detection module proceeds to step 206;
4) once the file has been received, the detection module computes its checksum with the hash algorithm and compares it with the checksum in the configuration file; if they match the program is complete, go to 5); if they differ, delete the received copy and ask the sandbox module to retransmit the file until it is complete, then go to 5);
5) the detection module executes the file with the suspend parameter; once the file is suspended, the detection module calls the API HOOK module to perform the API HOOK injection; if execution of the file fails, or the injection fails, go directly to step 206;
6) if the file runs and the API HOOK injection succeeds, the detection module calls the intelligent simulation module to perform the simulated interaction; its steps are those of step D in the behaviour-detection procedure given in the summary of the invention and are not repeated here;
7) during detection, if the API HOOK module does not observe the detected file calling any of the system functions hooked by the API HOOK module within 10 seconds, it returns "no operation within the set time" to the detection module, which goes to step 204;
8) during detection, if the detected file exits normally, go to step 206;
9) during detection, if the detected file keeps running and the API HOOK module has not returned "no operation within the set time", but the detection time reaches the time set in the detection task (5 minutes by default), go to step 204;
Step 204: the detection module calls ExitProcess to close the detected file's process;
Step 205: the detection module returns detection success;
Step 206: the sandbox module calls VBoxManage controlvm to shut down the virtual host that ran the current detection task; it sets the task's status in the MySQL detection task table to "detection complete"; it saves the received file behaviour information to a directory on disk and adds that file's path to the task's result field in the detection task table;
Step 207: the sandbox module restores the virtual host image with VBoxManage snapshot;
This completes the detection task for one file.
Finally, it should be noted that the above are only preferred embodiments of the invention and do not limit it; all variations that a person of ordinary skill in the art can derive directly from, or be led to by, the disclosed content fall within the scope of protection of the invention.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410381591.1A CN104200161B (en) | 2014-08-05 | 2014-08-05 | Method for achieving intelligent sandbox file detection and intelligent sandbox detection system based on method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104200161A CN104200161A (en) | 2014-12-10 |
| CN104200161B true CN104200161B (en) | 2017-01-25 |
Family
ID=52085452
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104200161B (en) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | CP03 | Change of name, title or address | Address after: 15th floor, Zhejiang Zhongcai Building, No. 68, Binjiang District, Hangzhou City, Zhejiang Province, 310051. Patentee after: Dbappsecurity Co.,Ltd. Address before: 15th floor, Zhejiang Zhongcai Building, Binjiang District, Hangzhou City, Zhejiang Province, 310051. Patentee before: Dbappsecurity Co.,ltd. |
| | EE01 | Entry into force of recordation of patent licensing contract | Application publication date: 20141210. Assignee: Hangzhou Anheng Information Security Technology Co.,Ltd. Assignor: Dbappsecurity Co.,Ltd. Contract record no.: X2024980043370. Denomination of invention: A method for implementing sandbox intelligent file detection and its sandbox intelligent detection system. Granted publication date: 20170125. License type: Common License. Record date: 20241231 |