CN118797636A - Memory horse detection method, device and electronic equipment - Google Patents

Abstract

The invention discloses a memory horse detection method and device and electronic equipment. Relates to the technical field of network security. Wherein the method comprises the following steps: determining a target process in an operation state in target equipment; traversing class objects loaded by a target process, and determining whether to take the class objects as the class objects to be detected in the detection according to a target mapping cache aiming at each traversed class object, wherein the target mapping cache records: mapping relation between process information of the process and detected class object information of the process; under the condition that the traversed class object is used as the class object to be detected in the detection, detecting a constant pool of the class object to be detected to obtain a detection result; and determining whether the target process is injected into the memory horse according to the detection result. The invention solves the technical problems of low detection efficiency of detecting the memory horses by injecting the detection program into the process to be detected or detecting the memory horses by downloading the byte code files for decompilation.

Description

Memory horse detection method, device and electronic equipment

Technical Field

The present invention relates to the field of network security technology, and in particular to a memory horse detection method, device and electronic equipment.

Background Art

With the continuous updating and iteration of attack and defense technologies, memory Trojans have gradually developed into a popular attack method. Attackers use vulnerabilities or exploit chains of web middleware (software components or libraries located between web servers and web applications, used to implement additional functions, process requests, and provide services to applications) to inject malicious backdoors or Trojans into the memory of the target server and execute them, thereby remotely controlling the target server. In related technologies, the following two methods are mainly used to detect memory Trojans.

Method 1: Inject a program for detecting Java (a programming language) memory malware into the process to be detected, and obtain the Class byte streams of all Java classes loaded in the process to be detected by rewriting related functions to perform memory malware detection and analysis. However, this method requires parsing all byte stream contents according to the format of Class files, and then performing memory malware detection based on the parsing results. The detection efficiency is low, and is affected by the version differences of JDK (Java Development Kit) or JRE (Java Runtime Environment). This method has compatibility issues and requires writing corresponding agents (agent detection programs) for different versions. In addition, the detection program is injected into the target process, which is invasive. In addition, the detection engine runs in the target JVM (Java virtual machine), which increases the memory overhead of the process to be detected, further reducing the detection efficiency of memory malware.

Method 2: traverse all the underlying classes of the target JVM, download the entire bytecode of the class, decompile it, and then detect whether the process to be detected contains memory horses. The performance is low and the detection efficiency is poor.

To address the above-mentioned problems, no effective solution has been proposed yet.

Summary of the invention

The embodiments of the present invention provide a memory horse detection method, device and electronic device to at least solve the technical problem of low detection efficiency in the related art of injecting a detection program into a process to be detected to detect a memory horse, or downloading a bytecode file for decompilation to detect a memory horse.

According to one aspect of an embodiment of the present invention, a memory horse detection method is provided, comprising: determining a target process in a running state in a target device; traversing the class objects loaded by the target process, and for each traversed class object, determining whether to use the class object as a class object to be detected in this detection according to a target mapping cache, wherein the target mapping cache records: a mapping relationship between process information of a process and information on detected class objects of the process; in the case of using the traversed class object as a class object to be detected in this detection, detecting a constant pool of the class object to be detected to obtain a detection result; and determining whether a memory horse is injected into the target process according to the detection result.

Furthermore, the constant pool of the object of the class to be detected is detected to obtain a detection result, including: determining the constant pool of the object of the class to be detected; parsing the constant pool based on the storage format of the constant pool of the object of the class to be detected in the memory of the target process to obtain a parsing result; using a target detection tool to load a preset detection rule to detect the parsing result to obtain a detection result corresponding to the object of the class to be detected.

Furthermore, the storage format of the constant pool includes at least: a first array and a second array, wherein the first array is used to store the type of the constant pool, and the second array is used to store data of the constant pool; parsing the constant pool based on the storage format of the constant pool of the class object to be detected in the memory of the target process to obtain the parsing result includes: parsing the constant pool of the class object to be detected based on the first array and the second array to obtain the parsing result.

Further, based on the first array and the second array, parsing the constant pool of the class object to be detected to obtain the parsing result includes: parsing the first array to obtain the type of the constant pool of the class object to be detected, and parsing the second array to obtain data of the constant pool of the class object to be detected; based on the type of the constant pool, replacing symbolic references in the data of the constant pool to obtain the parsing result, wherein the symbolic reference indicates that the data content is described by using symbols.

Furthermore, the memory horse detection method also includes: when there is a target class object whose attribute information has changed in the detected class objects, updating the target mapping cache according to the changed attribute information of the target class object; and/or, after obtaining the detection result corresponding to the constant pool of the class object to be detected, updating the target mapping cache according to the attribute information of the class object to be detected and the process information of the target process.

Further, based on the target mapping cache, determining whether to use the class object as the class object to be detected in this detection includes: determining whether the attribute information of the class object is stored in the target mapping cache; determining to use the class object as the class object to be detected in this detection when the attribute information of the class object is not stored in the target mapping cache or the attribute information of the class object has changed after the last detection; determining not to use the class object as the class object to be detected in this detection when the attribute information of the class object is stored in the target mapping cache and the attribute information of the class object has not changed after the last detection.

Furthermore, the memory horse detection method also includes: when it is determined that the first type of object currently traversed is not to be used as the object of the class to be detected in this detection, according to the target mapping cache, obtaining the historical detection result obtained by detecting the constant pool of the first type of object; according to the detection result, determining whether the target process is injected with a memory horse, including: determining whether the target process is injected with a memory horse according to the historical detection result of the first type of object and the detection result of the second type of object, wherein the second type of object is used as the object of the class to be detected in this detection.

According to another aspect of an embodiment of the present invention, a memory horse detection device is also provided, including: a first determination unit, used to determine a target process in a running state in a target device; a processing unit, used to traverse the class objects loaded by the target process, and for each traversed class object, determine whether to use the class object as a class object to be detected for this detection according to a target mapping cache, wherein the target mapping cache records: a mapping relationship between process information of a process and information on detected class objects of the process; a detection unit, used to detect a constant pool of the class object to be detected when the traversed class object is used as the class object to be detected for this detection, and obtain a detection result; a second determination unit, used to determine whether a memory horse is injected into the target process according to the detection result.

Furthermore, the detection unit includes: a first determination subunit, used to determine the constant pool of the object of the class to be detected; a parsing subunit, used to parse the constant pool based on the storage format of the constant pool of the object of the class to be detected in the memory of the target process, and obtain a parsing result; a detection subunit, used to use a target detection tool to load preset detection rules to detect the parsing result, and obtain a detection result corresponding to the object of the class to be detected.

Furthermore, the storage format of the constant pool includes at least: a first array and a second array, wherein the first array is used to store the type of the constant pool, and the second array is used to store the data of the constant pool; the parsing subunit includes: a parsing module, which is used to parse the constant pool of the class object to be detected based on the first array and the second array to obtain the parsing result.

Furthermore, the parsing module includes: a parsing submodule, used to parse the first array to obtain the type of the constant pool of the class object to be detected, and to parse the second array to obtain the data of the constant pool of the class object to be detected; a replacement submodule, used to replace the symbolic reference in the data of the constant pool based on the type of the constant pool to obtain the parsing result, wherein the symbolic reference indicates that the data content is described using symbols.

Furthermore, the memory horse detection device also includes: a first update unit, which is used to update the target mapping cache according to the changed attribute information of the target class object when there is a target class object whose attribute information has changed in the detected class objects; and/or, a second update unit, which is used to update the target mapping cache according to the attribute information of the class object to be detected and the process information of the target process after obtaining the detection result corresponding to the constant pool of the class object to be detected.

Further, the processing unit includes: a second determination subunit, used to determine whether the attribute information of the class object is stored in the target mapping cache; a third determination subunit, used to determine that the class object is used as the class object to be detected in this detection when the attribute information of the class object is not stored in the target mapping cache or the attribute information of the class object has changed after the last detection; and a fourth determination subunit, used to determine that the class object is not used as the class object to be detected in this detection when the attribute information of the class object is stored in the target mapping cache and the attribute information of the class object has not changed since the last detection.

Furthermore, the memory horse detection device also includes: an acquisition unit, which is used to obtain historical detection results obtained by detecting the constant pool of the first type of object according to the target mapping cache when it is determined that the first type of object currently traversed is not to be used as the object of the class to be detected in this detection; the second determination unit includes: a processing subunit, which is used to determine whether the target process is injected with a memory horse based on the historical detection results of the first type of object and the detection results of the second type of object, wherein the second type of object is used as the object of the class to be detected in this detection.

According to another aspect of an embodiment of the present invention, there is also provided an electronic device, comprising: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to execute the memory horse detection method in the embodiment of the present application by executing the executable instructions.

According to another aspect of an embodiment of the present invention, a computer-readable storage medium is provided, which stores a computer program, wherein when the computer program is running, the device where the computer-readable storage medium is located is controlled to execute the memory horse detection method in the embodiment of the present application.

In the present invention, the target process in the target device that is in the running state is determined; the class objects loaded by the target process are traversed, and for each traversed class object, it is determined according to the target mapping cache whether the class object is used as the class object to be detected in this detection, wherein the target mapping cache records: the mapping relationship between the process information of the process and the class object information of the process that has been detected; in the case of using the traversed class object as the class object to be detected in this detection, the constant pool of the class object to be detected is detected to obtain the detection result; according to the detection result, it is determined whether the target process is injected with a memory horse. This solves the technical problem of low detection efficiency in the related art of injecting a detection program into the process to be detected to detect a memory horse, or downloading a bytecode file for decompilation to detect a memory horse.

In the present invention, by traversing the class objects loaded in the target process and searching the constant pool, it is determined whether the process to be detected is injected with a memory horse by parsing the constant pool of the class object, and the cache of the detected class objects (i.e., the target mapping cache) is used to avoid repeated detection of the same class, so that the purpose of performing memory horse detection on the process to be detected is achieved without injecting a detection program into the process to be detected, obtaining the Class byte stream, and downloading the bytecode file for decompilation, thereby achieving the technical effect of improving the detection efficiency of memory horses.

BRIEF DESCRIPTION OF THE DRAWINGS

The drawings described herein are used to provide a further understanding of the present invention and constitute a part of this application. The exemplary embodiments of the present invention and their descriptions are used to explain the present invention and do not constitute an improper limitation of the present invention. In the drawings:

FIG1 is a flow chart of a memory horse detection method according to an embodiment of the present invention;

FIG2 is a schematic diagram of a relationship between variables constants and a constant pool according to an embodiment of the present invention;

FIG3 is a Klass search route map of an array+linked list according to an embodiment of the present invention;

FIG4 is a Klass search route map in a linked list form according to an embodiment of the present invention;

5 is a schematic diagram of a layout of a constant pool ConstantPool in memory according to an embodiment of the present invention;

FIG6 is a schematic diagram of a parsing result of a constant pool according to an embodiment of the present invention;

7 is a schematic diagram of a Java memory horse detection process with class object cache according to an embodiment of the present invention;

FIG8 is a schematic diagram of a memory horse detection system according to an embodiment of the present invention;

FIG9 is a schematic diagram of a memory horse detection device according to an embodiment of the present invention;

FIG. 10 is a schematic diagram of an electronic device according to an embodiment of the present invention.

DETAILED DESCRIPTION

In order to enable those skilled in the art to better understand the scheme of the present invention, the technical scheme in the embodiments of the present invention will be clearly and completely described below in conjunction with the drawings in the embodiments of the present invention. Obviously, the described embodiments are only part of the embodiments of the present invention, not all of the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by ordinary technicians in this field without creative work should fall within the scope of protection of the present invention.

It should be noted that the terms "first", "second", etc. in the specification and claims of the present invention and the above-mentioned drawings are used to distinguish similar objects, and are not necessarily used to describe a specific order or sequence. It should be understood that the data used in this way can be interchanged where appropriate, so that the embodiments of the present invention described herein can be implemented in an order other than those illustrated or described herein. In addition, the terms "including" and "having" and any variations thereof are intended to cover non-exclusive inclusions, for example, a process, method, system, product or device that includes a series of steps or units is not necessarily limited to those steps or units that are clearly listed, but may include other steps or units that are not clearly listed or inherent to these processes, methods, products or devices.

It should be noted that the embodiments or examples of the present invention are not exhaustive, but are only illustrative of some embodiments or examples, and are not intended to be specific limitations on the scope of protection of the present invention. In the absence of contradiction, each step in a certain embodiment or example can be implemented as an independent example, and the steps can be arbitrarily combined. For example, the scheme after removing some steps in a certain embodiment or example can also be implemented as an independent example, and the order of the steps in a certain embodiment or example can be arbitrarily exchanged. In addition, the optional methods or optional examples in a certain embodiment or example can be arbitrarily combined; in addition, the various embodiments or examples can be arbitrarily combined. For example, some or all steps of different embodiments or examples can be arbitrarily combined, and a certain embodiment or example can be arbitrarily combined with the optional methods or optional examples of other embodiments or examples.

For the convenience of description, some terms or nouns involved in the embodiments of the present invention are explained below.

Memory Trojans, also known as fileless Trojans, are a type of attack method that does not drop files onto disk. Compared with conventional attack methods, memory Trojans are more hidden and difficult to detect because they do not drop files onto disk and only exist in memory. Due to the popularity of the Java language in the web field (Internet field), Java memory Trojans have become a major disaster area for hacker memory Trojan attacks, seriously threatening the security of corporate network assets.

Embodiment 1

According to an embodiment of the present invention, a method embodiment of a memory horse detection method is provided. It should be noted that the steps shown in the flowchart of the accompanying drawings can be executed in a computer system such as a set of computer executable instructions, and although a logical order is shown in the flowchart, in some cases, the steps shown or described can be executed in an order different from that shown here.

FIG. 1 is a flow chart of a memory horse detection method according to an embodiment of the present invention. As shown in FIG. 1 , the method includes the following steps:

Step S101, determining a target process in a running state in a target device;

The above-mentioned target device may include but is not limited to a virtual machine, a host or a container, etc., and the above-mentioned target process type may include but is not limited to a Java process. In the Java language, after a Class class file is loaded by the JVM, a class object can be generated to represent the class. When the class is to be used later, the class object generates an instance object for use, that is, the class object can represent a Java class or class file loaded by the JVM.

Step S102, traverse the class objects loaded by the target process, and for each traversed class object, determine whether to use the class object as the class object to be detected in this detection according to the target mapping cache, wherein the target mapping cache records: the mapping relationship between the process information of the process and the detected class object information of the process.

In order to avoid the situation in the related art where the same class needs to be repeatedly detected each time the process to be detected is detected, resulting in low detection efficiency, in the present embodiment, the class objects loaded by the target process can be traversed, and for all the traversed class objects, the changed class objects at the same memory address can be used as the class objects to be detected based on the target mapping cache, while the unchanged class objects at the same memory address do not need to be used as the class objects to be detected this time, and the unchanged class objects at the same memory address can directly use the last detection result corresponding to the unchanged class object in the target mapping cache, i.e., avoiding repeated detection of the same class object.

The above-mentioned target mapping cache can record the process information of the process that has been detected whether it has been injected into the memory horse, the attribute information of the class object loaded by the process, and the mapping relationship between the process information and the detected class object information of the process, so as to determine whether each traversed class object has been detected before and whether the class object has changed.

In this embodiment, the process information of the process may include: process identification; the class object information may include: attribute information of the class object, and the attribute information of the class object includes at least one of the address of the class object in the memory, the class name, the inherited class and interface name, etc.

Step S103, when the traversed class object is used as the class object to be detected in this detection, the constant pool of the class object to be detected is detected to obtain the detection result.

The above-mentioned detection results can be used to indicate whether the class object to be detected contains memory horse. In order to avoid the situation in which the detection program is injected into the process to be detected in the related technology, the Class byte stream of all Java classes is obtained, and the memory horse detection based on the parsing result of the Class byte stream is inefficient and invasive. In this embodiment, if a certain class object is used as the class object to be detected this time, the constant pool of the class object can be searched, and the specific data in the constant pool can be obtained by parsing the constant pool of the class object. The specific data of the constant pool can be detected according to the preset detection rules, so as to determine whether the class object contains memory horse and obtain the detection result of the class object.

When searching for the constant pool of the class object, the class containing the attribute information of the constant pool associated with the class object can be searched, and then the memory address storing the constant pool can be found according to the attribute information of the constant pool in the class, thereby achieving the purpose of not having to obtain the Class byte stream and download the entire bytecode during the memory horse detection process.

Step S104: Determine whether the target process is injected into the memory based on the detection result.

In this embodiment, whether the target process is injected with a memory horse can be determined based on whether the class object to be detected contains a memory horse and whether other class objects except the class object to be detected among all class objects loaded by the target process contain a memory horse. For example, if at least one class object in the target process contains a memory horse, it can be determined that the target process is injected with a memory horse.

Through the above steps, in this embodiment, by traversing the class objects loaded in the target device, searching the constant pool, parsing the constant pool of the class object, determining whether the process to be detected is injected with a memory horse, and using the cache of the detected class object (i.e., the target mapping cache) to avoid repeated detection of the same class, the purpose of performing memory horse detection on the process to be detected without injecting the detection program into the process to be detected, obtaining the Class byte stream, and downloading the bytecode file for decompilation is achieved, thereby achieving the technical effect of improving the detection efficiency of the memory horse. Further, the technical problem of low detection efficiency in the related art of injecting the detection program into the process to be detected to detect the memory horse, or downloading the bytecode file for decompilation to detect the memory horse is solved.

Optionally, the constant pool of the object to be detected is detected to obtain a detection result, including: determining the constant pool of the object to be detected; parsing the constant pool based on the storage format of the constant pool of the object to be detected in the memory of the target process to obtain a parsing result; using a target detection tool to load a preset detection rule to detect the parsing result, and obtain a detection result corresponding to the object to be detected.

Here, the memory of the target process may be a memory block or a memory page allocated to the target process in the target device.

Determining a constant pool of an object of a class to be detected may include: determining a storage structure of the object of the class to be detected in a memory of a target process to obtain a storage structure type; searching for a target class based on the storage structure type, and determining a constant pool based on the found target class, wherein the target class records properties of the constant pool.

For example, in order to avoid the low efficiency of injecting the detection program into the process to be detected and then rewriting the related functions to obtain the loaded Java Class byte stream and parse the Class byte stream to obtain the constant pool in the related technology, in this embodiment, the Java class loaded by the JVM will be saved in the memory in a specific structure, and based on the Java version associated with the class object (for example, the JDK version), the storage structure of the class object to be detected in the memory of the target process can be determined to obtain the storage structure type of the class object to be detected. For example, the storage structure type in JDK8 and JDK9 versions can be an array + linked list form (that is, a combination type of an array and a linked list), and the storage structure type in JDK10 and above versions can be a linked list form (or a linked list type).

After obtaining the storage structure type of the class object to be detected in the memory of the target process, the target class can be found according to the storage structure type. According to the attribute information of the constant pool recorded in the target class, the address of the constant pool in the memory can be determined, and then the above-mentioned constant pool can be found. For example, Figure 2 is a schematic diagram of an optional relationship between a variable constants and a constant pool according to an embodiment of the present invention. As shown in Figure 2, there is a variable "_constants" in InstanceKlass (class object), which represents the constant pool of the corresponding Java class.

According to the storage structure of the class object to be detected in the memory, the target class is found, and then the constant pool associated with the class object to be detected (i.e., the constant pool) is found, so that the purpose of determining the constant pool can be achieved without invading the target process and obtaining the Class byte stream, thereby achieving the technical effect of improving the efficiency of obtaining the constant pool.

The above-mentioned storage structure type includes one of the following: a combination type of an array and a linked list, and a linked list type. Based on the storage structure type, the target class is searched, including: when the storage structure type is a combination type, based on the memory address of the specified variable, traversing the linked list in the hash table array to search for the target class, wherein the hash table array is used to record the address of the target class; or, when the storage structure type is a linked list type, finding the class loader, and searching for the target class based on the class loader, wherein the class loader is stored in the memory of the target process in the form of a linked list.

The above-mentioned target class may record the attribute information of the constant pool. When the storage structure type is a composite type, the linked list in the hash table array may be traversed based on the memory address of the specified variable to find the target class.

Figure 3 is a Klass search route map of an array + linked list according to an embodiment of the present invention. As shown in Figure 3, it includes: SystemDictionary (SystemDictionary.hpp), Dictionary (dictionary.hpp), TwoQopHashtable<Klass*, mtClass>, Hashtable<Klass*, mtClass>, BasicHashtable<mtClass>, HashTableBucket<mtClass>, BasicHashTableEntry<mtClass>, HashtableEntry<Klass*, mtClass>, Klass, InstanceKlass.

Among them, SystemDictionary (SystemDictionary.hpp) can refer to the symbol table exposed in libjvm.so (a dynamic library loaded by the Java virtual machine), which is used to store variables in Java classes;

Dictionary (dictionary.hpp) can represent a hash table, which can be organized in the form of array + linked list. It is a subclass of TwoQopHashtable<Klass*, mtClass>;

TwoQopHashtable<Klass*, mtClass> is a template class that accepts two parameters and is used to implement a hash table (Klass* represents the type of the key; mtClass represents the type of the value); it is a subclass of Hashtable<Klass*, mtClass>;

Hashtable<Klass*, mtClass> is also an implementation of a hash table and a subclass of BasicHashtable<mtClass>;

BasicHashtable<mtClass> represents a basic hash table data structure. Its member variable _table_size represents the number of buckets (the length of the hash table array), and _buckets represents the hash table array.

HashTableBucket<mtClass> is the implementation of a bucket in a hash table. It is a data structure used to store elements in a hash table. Each bucket can store one or more elements.

BasicHashTableEntry<mtClass> is a general data structure used to represent the data stored in a hash table bucket. Its _next member variable can be used to find the next data in the same bucket.

HashtableEntry<Klass*, mtClass> is a subclass of BasicHashTableEntry<mtClass>, which stores the address of Klass;

InstanceKlass is a subclass of Klass and represents a class object.

The following is an example of the process of finding Klass (corresponding to the above target class) in conjunction with Figure 3:

(1) Parse the memory addresses of key member variables such as SystemDictionary, BasicHashTable, BasicHashTableEntry, and HashTableEntry in gHotSpotVMStructs (corresponding to the specified variables mentioned above);

(2) SystemDictionary::_dictionary is a static variable, so the address of _dictionary in memory can be directly read. It is a pointer that can point to Dictionary (Dictionary can be regarded as a hash table, which is a subclass of BasicHashTable. The organization form of the hash table can be array + linked list).

(3) BasicHashTable<mtClass>::_table_size represents the length of the hash table array, BasicHashTable<mtClass>::_buckets represents the hash table array, each element in it is a list (linked list), and each node in the list is a BasicHashTableEntry. Combined with BasicHashTableEntry::_next (the next entry in the linked list), this linked list can be traversed to obtain all HashTableEntry nodes in the hash table.

(4) HashTableEntry::_literal points to Klass, from which a Java class loaded by the JVM can be found.

When the storage structure type is a linked list type, the class loader may be searched first, the class loader may be found, and then the loaded target class may be found using the class loader, and then the constant pool of the class object to be detected may be found.

Figure 4 is a Klass search route map in the form of a linked list according to an embodiment of the present invention. As shown in Figure 4, it includes: ClassLoaderDataGraph (classLoaderData.hpp), ClassLoaderData (classLoaderData.hpp), Klass (corresponding to the target class) and InstanceKlass, wherein ClassLoaderDataGraph (classLoaderData.hpp) organizes the class loaders in the form of a linked list, ClassLoaderData (classLoaderData.hpp) represents a specific class loader, Klass corresponds to the above-mentioned target class, and InstanceKlass represents a class object.

The following is an example of the process of finding Klass with reference to Figure 4:

Parse the memory addresses of the ClassLoaderDataGraph, ClassLoaderData, and Klass key member variables in gHotSpotVMStructs (symbol table);

ClassLoaderDataGraph::_head (the head node of the class loader's linked list, the nodes in the linked list represent all the class loaders in the current target process) is a static variable, so the address of _head in memory can be read directly.

Starting from the _head pointer, you can traverse all ClassLoaderData objects (class loaders) by reading ClassLoaderData::_next;

Starting from ClassLoaderData::_klasses, you can traverse all Klass (i.e. target class) loaded by the current ClassLoaderData by reading Klass::_next_link (a pointer representing the address of the next class object loaded by the same class loader).

According to the storage structure of the Java class loaded by the JVM in the memory, the target class containing the attribute information (or variables) of the constant pool is searched, avoiding the low efficiency of downloading the Class byte stream to determine the constant pool by injecting a detection program in the related technology, and achieving the technical effect of improving the search efficiency of the constant pool.

In this embodiment, the constant pool may also be parsed based on the storage format of the constant pool in the memory of the target process to obtain a parsing result.

The storage format of the above-mentioned constant pool in the memory of the target process may refer to the layout or storage method of the constant pool in the memory. Different types of constant pools have different storage methods in the memory. In this embodiment, the constant pool may be parsed according to the format in which the JVM saves the constant pool to obtain specific data of the constant pool, that is, the above-mentioned parsing result.

By using the target detection tool to load the preset detection rules to detect the parsing results, it can be determined whether the object of the class to be detected contains memory horses.

The above-mentioned target detection tool can detect the specific data of the constant pool according to the preset detection rules to determine whether the class object to be detected contains a memory horse. The above-mentioned target detection tool may include but is not limited to: Yara (a malicious code detection tool, a tool for malware analysis and detection). The target detection tool can be used to load pre-defined rules containing Java memory horse features (i.e., preset detection rules), and then the pre-defined rules can be used to detect whether the parsing results in the constant pool contain these features, thereby determining whether the corresponding Java class in the process to be detected (i.e., the class object to be detected) contains a memory horse, and obtaining the detection result of the class object to be detected.

By parsing the parsing result of the constant pool of the class object to be detected, it is determined whether the class object to be detected contains a memory horse, avoiding downloading the bytecode of the class object, and there is no need to decompile the bytecode, thereby achieving the purpose of improving the detection performance. In this embodiment, a cache of the detected class objects (corresponding to the target mapping cache) can also be established. For the class objects that have not changed and have been detected, it is not necessary to repeat the detection, and the result of the last time can be used directly, thereby achieving the purpose of improving the detection efficiency.

Optionally, the storage format of the constant pool includes at least: a first array and a second array, wherein the first array is used to store the type of the constant pool, and the second array is used to store data in the constant pool; based on the storage format of the constant pool of the class object to be detected in the memory of the target process, parsing the constant pool to obtain the parsing result includes: parsing the constant pool of the class object to be detected based on the first array and the second array to obtain the parsing result.

Figure 5 is a schematic diagram of the layout of a constant pool ConstantPool in memory according to an embodiment of the present invention. As shown in Figure 5, it includes a virtual table pointer inherited from a parent class, member variables of the ConstantPool (constant pool) class itself, and constant pool data of _length pointer width.

_tags in FIG. 5 (corresponding to the first array) may refer to an array, each element in the array may represent the type of a constant pool, and the total number of items in the constant pool (or the length of the array) may be saved by _length. When loading a Java class, the JVM may store the type of the constant pool in the _tags array in the ConstantPool class, and the specific constant pool data may be stored in a space of length pointer widths opened up after the ConstantPool class, which may also be referred to as a pointer array of length length (corresponding to the second array mentioned above), and the subscripts of the two arrays correspond one to one. (That is, the _tags array may only store the type of the constant pool, and the corresponding subscript element in the pointer array stores the specific information or specific data of the constant pool). In this embodiment, the constant pool may be parsed based on both the _tags array and the pointer data to obtain the above-mentioned parsing result.

In one example, in the JVM's memory, the possible values of the constant pool type are as follows:

The following are examples of constant pool storage formats:

(1) Regarding JVM_CONSTANT_Utf8/JVM_CONSTANT_String, the constant pool of character type, the pointer array (i.e., the second array) may store a pointer pointing to a Symbol object (a symbol object is a special object used to represent a string constant). The Symbol structure is shown in Table 1.

Table 1

Among them, "length" indicates the length of the stored characters, "_body[1]" indicates the starting address of the stored characters, and the length bytes from this address onwards are the specific constant pool data.

(2) Regarding JVM_CONSTANT_Long/JVM_CONSTANT_Double, the long and double numeric type constant pools can occupy eight bytes in the pointer array to store the corresponding data values, with the upper 4 bytes storing high_bytes and the lower 4 bytes storing low_bytes.

(3) Regarding JVM_CONSTANT_Class/JVM_CONSTANT_UnresolvedClass, the Class item is quite special. Its corresponding constant pool type may be JVM_CONSTANT_Class or JVM_CONSTANT_UnresolvedClass. If it is JVM_CONSTANT_Class, the pointer array can store a pointer to Klass* (secondary pointer), through which the called class name can be resolved. If it is JVM_CONSTANT_UnresolvedClass, the pointer width of _length in Figure 5 (i.e., the pointer array) can store a CPSlot(Symbol*s) object (a Symbol pointer with the lowest bit set to 1).

In this embodiment, the first array and the second array are used together to parse the constant pool to obtain specific data of the constant pool, which can improve the accuracy of the detection result of the subsequent memory horse detection.

Optionally, based on the first array and the second array, parsing the constant pool of the class object to be detected to obtain a parsing result includes: parsing the first array to obtain the type of the constant pool of the class object to be detected, and parsing the second array to obtain the data of the constant pool of the class object to be detected; based on the type of the constant pool, replacing the symbolic reference in the data of the constant pool to obtain the parsing result, wherein the symbolic reference indicates that the data content is described using symbols.

FIG. 6 is a schematic diagram of a parsing result of a constant pool according to an embodiment of the present invention. The parsing result of the constant pool is described in conjunction with FIG. 6 .

The leftmost box in Figure 6 shows (1) the parsed _tags array content, which stores the type of the constant pool; the middle box in Figure 6 shows (2) the constant pool data stored in _length pointer widths, which is the content stored in the second array after parsing, i.e., the specific data of the constant pool (with symbolic references); the rightmost box in Figure 6 shows (3) the product after inverse parsing: the symbolic reference will be further parsed to obtain its text description, i.e., the constant pool data obtained after replacing the symbolic reference (parsing result), which can be used for memory horse detection.

In Figure 6, the constant pool data of the row where #1 is located is "#4.#22", and "#4.#22" is a symbol reference. At this time, #4.#22 can be replaced as follows:

Replace #4: The constant pool data corresponding to the row where #4 is located in the _tags array is #26. At this time, #26 is also a symbolic reference, so #26 can be replaced. The constant pool data corresponding to #26 in the _tags array is java/Lang/Object, not a symbolic reference. Therefore, after replacing the symbolic reference, #4 can be java/Lang/Object.

Replace #22: The constant pool data corresponding to the row where #22 is located in the _tags array is #12:#13, which is still a symbolic reference. The constant pool data corresponding to the row where #12 is located in the _tags array is <init>, and the constant pool data corresponding to the row where #13 is located in the _tags array is ()v. That is, after replacing the symbolic reference in #22, it can be "<init>":()v.

Therefore, after replacing the symbolic reference in the constant pool data #4.#22 in the line where #1 is located, it can be java/Lang/Object."<init>":()v.

By using the _tags array and pointer data together to parse the constant pool and obtain the specific data of the constant pool, it is convenient to improve the accuracy of the subsequent memory horse detection results.

Optionally, the memory horse detection method also includes: when there is a target class object whose attribute information has changed in the detected class objects, updating the target mapping cache according to the changed attribute information of the target class object; and/or, after completing the detection of whether the target process is injected with a memory horse based on the constant pool of the class object to be detected, updating the target mapping cache according to the attribute information of the class object to be detected and the process information of the target process.

Since during the entire life cycle of the JVM, if this class has not changed, it will not be reloaded, that is, the class object will not be updated. Therefore, in order to avoid repeated detection of the same class object in the related art and the low efficiency of memory horse detection, in this embodiment, a target mapping cache can be set. In the case of the first response to the detection request (that is, the first detection of whether the process to be detected is injected with a memory horse), a target mapping cache can be created to save some basic attributes of the class object related to the detected process (for example: the address in the memory, the class name, the inherited class or interface name, etc.) (corresponding to the attribute information). When these basic attributes have not changed, it means that the class object has not changed, and there is no need to detect it again. The last detection result can be used directly. After completing the detection of whether the target process is injected with a memory horse based on the constant pool of the class object to be detected, the target mapping cache can also be updated according to the detection result of this time. For example, the attribute information of the changed target class object can be updated in the target mapping cache, and the detection result of whether the target class object contains a memory horse can be updated according to the current detection result of the target class object.

In one example, ParsedClassInfo (a data structure used to store and represent information about parsed class objects) can be used to save the basic properties of a detected Java class. When these properties of the class object have not changed, it is considered that the Java class has not changed. ParedClassesCache.ClassesCacheMap (ParedClassesCache is a class used to manage detected class objects; ClassesCacheMap is its member variable, which stores information about specific class objects, namely: ParsedClassInfo) is used to save the identifier of the Java process and the basic properties of all detected Java classes in the process. The saved information can be updated in real time with each detection and is persistently saved on disk, achieving the purpose of ensuring the real-time information of the class objects in the target mapping cache.

Optionally, based on the target mapping cache, determining whether to use the class object as the class object to be detected in this detection includes: determining whether attribute information of the class object is stored in the target mapping cache; determining to use the class object as the class object to be detected in this detection if attribute information of the class object is not stored in the target mapping cache, or if the attribute information of the class object has changed after the last detection; determining not to use the class object as the class object to be detected in this detection if attribute information of the class object is stored in the target mapping cache and the attribute information of the class object has not changed after the last detection.

In the case of the first response to the detection request, all class objects loaded by the process to be detected can be used as the process to be detected. That is, when the process to be detected is detected for the first time, the constant pool of all class objects loaded by the process to be detected can be parsed, and based on the parsing results of the constant pool of all class objects, it is determined whether the process to be detected is injected into the memory horse.

In order to avoid the situation in related technologies where each detection requires detecting all underlying classes of the target JVM, which results in low detection efficiency, in the case of not the first response to a detection request, it is possible to determine whether each class object loaded by the process to be detected has changed based on the information recorded in the target mapping cache. There is no need to repeat the detection for class objects that have not changed. In this case, only the class objects that have changed can be used as class objects to be detected.

For example, in this embodiment, it can be determined whether the class object with the same memory address as the class object in the target mapping cache has changed (for example, whether the basic attributes of the class object have changed). In the case that the class object with the same memory address as the class object in the target mapping cache has not changed, the class object can directly use the last detection result without re-detecting the class object, that is, the class object that has not changed does not need to be used as the above-mentioned class object to be detected. In the case that the class object with the same memory address as the class object in the target mapping cache has changed, the class object can be used as the class object to be detected, that is, the constant pool of the class object can be re-parsed, and the class object can be detected based on the parsing result to determine whether it contains a memory horse, and the corresponding cache information in the target mapping cache can also be updated according to the detection result, so as to achieve the purpose of not needing to re-detect the object class that has not changed for the Java class at the same memory address, and realize the technical effect of improving the detection efficiency of memory horses.

FIG. 7 is a schematic diagram of a Java memory horse detection process with class object cache according to an embodiment of the present invention. The memory horse detection process is illustrated below with reference to FIG. 7 :

When the detection engine is started, the ClassesCacheMap information (class object cache information) can be read into the memory. When a Java process to be detected is detected for the first time (corresponding to the process to be detected), since there is no class object cache information, a cache (i.e., a target mapping cache) can be established; when the process is detected again, for the Java class at the same memory address, it can be determined whether it has changed based on the ParsedClassInfo information (i.e., the basic properties of the Java class). If not, there is no need to repeatedly parse and detect the Java class, and the last detection result can be used directly (i.e., the same Klass at the same memory address of the same process does not need to be detected repeatedly). If it is inconsistent with the information in ParsedClassInfo, further analysis and detection are required, and the detection results are reported to update the corresponding cache information.

Based on the target mapping cache, the Java classes that have not changed are prevented from being repeatedly detected, which leads to low efficiency in memory horse detection, thereby achieving the technical effect of improving the efficiency of memory horse detection.

Optionally, the memory horse detection method also includes: when it is determined that the first-class object currently traversed is not to be used as the class of object to be detected in this detection, according to the target mapping cache, obtaining the historical detection results obtained by detecting the constant pool of the first-class object; according to the detection results, determining whether the target process is injected with a memory horse, including: determining whether the target process is injected with a memory horse according to the historical detection results of the first-class object and the detection results of the second-class object, wherein the second-class object is used as the class of object to be detected in this detection.

The above-mentioned first category objects may refer to class objects that have not changed after the last memory horse detection among all the traversed class objects (that is, class objects other than the class objects to be detected among all the traversed target process). For the first category objects, there is no need to parse the constant pool, and the detection result of the last detection of the first category objects can be used directly, that is, the constant pool of the first category objects is read from the target mapping cache to perform the last detection result of the memory horse detection (that is, the historical detection result).

The above-mentioned second category of objects may refer to the objects to be detected in this detection. Based on the historical detection results of the first category of objects (i.e., whether the first category of objects contain memory horses) and the detection results of the second category of objects (i.e., whether the second category of objects contain memory horses), it can be determined whether the target process is injected with memory horses, thereby avoiding the situation where the same category of objects that have not changed are repeatedly detected, and achieving the technical effect of improving the detection efficiency of memory horses.

In one example, the final detection result (i.e., whether the target process is injected with a memory horse) can also be reported to the security protection center to respond to the memory horse attack in a timely manner and improve network security.

It should be noted that the memory horse detection method provided in this embodiment can also be applied to Java memory horse detection in hybrid cloud scenarios with JDK/JRE version 8 and above, regardless of whether the target process is running on the host or in a container. In one example, in an environment with both hosts and containers, Java business processes with different functions are running. Some processes exist on the host and some exist on the container. Due to historical reasons, the versions of JDK\JRE running Java processes are not the same, ranging from the older 1.8 version to the latest 21. Through this embodiment, memory horse detection of all Java business processes can be efficiently completed.

A memory horse detection system can be used to execute the memory horse detection method provided in this embodiment. FIG8 is a schematic diagram of a memory horse detection system according to an embodiment of the present invention. As shown in FIG8, it includes three modules: jvm memory parsing, yara and result. Among them, the jvm memory parsing module of the jvm memory parsing part can be responsible for parsing the constant pool of the Java class from the memory, and providing the constant pool to the yara module for scanning and detection. The yara part can identify whether the constant pool contains a memory horse according to a predetermined rule, and scan the constant pool. The result module can send the detection result to the control end.

The following is a detailed description of each part in Figure 8.

1. Java version detection module and memory operation module: The Java version detection module can be used to determine the version information of the target Java program to facilitate the subsequent selection of a specific Klass search route. The memory operation module can obtain the file descriptor (FD) for accessing the memory of the target process and read the content of a specified length from the memory according to the given address.

2. Klass search module: Java classes loaded by the JVM are stored in memory in a specific structure. Depending on the Java version, there are two main structures: (1) array + linked list format for JDK8 and 9 versions, and (2) linked list format for JDK10 and above versions. Klass of variables in the constant pool can be searched based on different structures.

3. Klass constant pool analysis: According to the layout of the constant pool ConstantPool in memory, the constant pool is analyzed.

4. Detected class object cache: In the Java language, after the class file is loaded by the JVM, a class object will be generated to represent the class. When the class is to be used later, the class object will generate an instance object for use. During the entire life cycle of the JVM, if the class has not changed, it will not be reloaded, that is, the class object will not be updated. Therefore, a mapping cache of class objects can be established to save some basic properties of the detected class objects (such as the address in memory, class name, inherited class or interface name, etc.). When these basic properties have not changed, it means that the class has not changed, and there is no need to re-detect it. The last detection result can be used directly to improve detection efficiency.

5. Yara and result output module: Yara (corresponding to the target detection tool) loads the pre-defined Yara rules (corresponding to the preset detection rules) containing Java memory horse features, and then uses these rules to detect whether these features are contained in the constant pool, thereby determining whether the corresponding Java class contains memory horses; finally, the result output module sends the detection results to the control terminal.

In this embodiment, according to the structure of JVM storing Java classes, Java classes are decrypted to avoid downloading the bytecode of class objects. There is no need to decompile the bytecode, so that the detection of memory horses can be completed, the detection performance can be improved, and a mapping cache of detected class objects is established to avoid repeated detection of the same class objects, thereby improving the detection efficiency. The memory horse detection method provided in this embodiment can be applied to Java memory horse detection of JDK/JRE version 8 and above. Memory horses are detected based on analyzing the memory of the target Java process. There is no need to attach (inject detection program), which is non-invasive to the target Java process. The scan is performed externally and does not need to be attached to the target Java process, so there is no need to increase the memory overhead of the target Java process.

Embodiment 2

Embodiment 2 of the present invention provides a memory horse detection device, and each implementation unit in the memory horse detection device corresponds to each implementation step in embodiment 1.

FIG9 is a schematic diagram of a memory horse detection device according to an embodiment of the present invention. As shown in FIG9 , the memory horse detection device includes: a first determination unit 91 , a processing unit 92 , a detection unit 93 , and a second determination unit 94 .

The first determining unit 91 is used to determine a target process in a running state in a target device;

The processing unit 92 is used to traverse the class objects loaded by the target process, and for each traversed class object, determine whether to use the class object as the class object to be detected in this detection according to the target mapping cache, wherein the target mapping cache records: the mapping relationship between the process information of the process and the detected class object information of the process;

The detection unit 93 is used to detect the constant pool of the class object to be detected when the traversed class object is used as the class object to be detected in this detection, and obtain the detection result;

The second determining unit 94 is used to determine whether the target process is injected into the memory horse according to the detection result.

In the memory horse detection device provided in the second embodiment of the present invention, the first determination unit 91 can be used to determine the target process in the running state in the target device, and the processing unit 92 can traverse the class objects loaded by the target process, and for each traversed class object, according to the target mapping cache, determine whether to use the class object as the class object to be detected in this detection, wherein the target mapping cache records: the mapping relationship between the process information of the process and the class object information of the process that has been detected, and the detection unit 93 uses the traversed class object as the class object to be detected in this detection. The constant pool of the class object to be detected is detected to obtain the detection result, and the second determination unit 94 determines whether the target process is injected with a memory horse according to the detection result. This solves the technical problem of low detection efficiency in the related art of injecting the detection program into the process to be detected to detect the memory horse, or downloading the bytecode file for decompilation to detect the memory horse.

In this embodiment, by traversing the class objects loaded in the target device and searching the constant pool, it is determined whether the process to be detected is injected with a memory horse by parsing the constant pool of the class object, and the cache of the detected class objects (i.e., the target mapping cache) is used to avoid repeated detection of the same class. The purpose of performing memory horse detection on the process to be detected is achieved without injecting a detection program into the process to be detected, obtaining the Class byte stream, and downloading the bytecode file for decompilation, thereby achieving the technical effect of improving the detection efficiency of memory horses.

Optionally, in the memory horse detection device provided in Example 2 of the present invention, the detection unit includes: a first determination subunit, used to determine the constant pool of the class object to be detected; a parsing subunit, used to parse the constant pool based on the storage format of the constant pool of the class object to be detected in the memory of the target process, and obtain the parsing result; the detection subunit, used to use the target detection tool to load the preset detection rules to detect the parsing result, and obtain the detection result corresponding to the class object to be detected.

Optionally, in the memory horse detection device provided in Embodiment 2 of the present invention, the storage format of the constant pool includes at least: a first array and a second array, wherein the first array is used to store the type of the constant pool, and the second array is used to store the data of the constant pool; the parsing subunit includes: a parsing module, which is used to parse the constant pool of the class object to be detected based on the first array and the second array to obtain a parsing result.

Optionally, in the memory horse detection device provided in the second embodiment of the present invention, the parsing module includes: a parsing submodule, used to parse the first array to obtain the type of the constant pool of the class object to be detected, and to parse the second array to obtain the data of the constant pool of the class object to be detected; a replacement submodule, used to replace the symbolic reference in the data of the constant pool based on the type of the constant pool to obtain the parsing result, wherein the symbolic reference indicates the use of symbols to describe the data content.

Optionally, in the memory horse detection device provided in Embodiment 2 of the present invention, the memory horse detection device also includes: a first update unit, used to update the target mapping cache according to the changed attribute information of the target class object when there is a target class object whose attribute information has changed in the detected class objects; and/or, a second update unit, used to update the target mapping cache according to the attribute information of the class object to be detected and the process information of the target process after completing the detection of whether the target process is injected with a memory horse according to the constant pool of the class object to be detected.

Optionally, in the memory horse detection device provided in Embodiment 2 of the present invention, the processing unit includes: a second determination subunit, used to determine whether attribute information of a class object is stored in a target mapping cache; a third determination subunit, used to determine that the class object is used as the class object to be detected for this detection when the attribute information of the class object is not stored in the target mapping cache or the attribute information of the class object has changed after the last detection; and a fourth determination subunit, used to determine that the class object is not used as the class object to be detected for this detection when the attribute information of the class object is stored in the target mapping cache and the attribute information of the class object has not changed since the last detection.

Optionally, in the memory horse detection device provided in the second embodiment of the present invention, the memory horse detection device also includes: an acquisition unit, which is used to obtain historical detection results obtained by detecting the constant pool of the first category of objects according to the target mapping cache when it is determined that the first category of objects currently traversed are not used as the category of objects to be detected for this detection; the second determination unit includes: a processing subunit, which is used to determine whether the target process is injected with a memory horse based on the historical detection results of the first category of objects and the detection results of the second category of objects, wherein the second category of objects are used as the category of objects to be detected for this detection.

The above-mentioned memory horse detection device can also include a processor and a memory. The above-mentioned first determination unit 91, processing unit 92, detection unit 93 and second determination unit 94 are all stored in the memory as program units, and the processor executes the above-mentioned program units stored in the memory to realize corresponding functions.

The above processor includes a kernel, which retrieves the corresponding program unit from the memory. One or more kernels can be set, and the kernel parameters are adjusted to traverse the class objects loaded in the target device, find the constant pool, and parse the constant pool of the class object to determine whether the process to be detected is injected with a memory horse, and use the cache of the detected class objects (i.e., the target mapping cache) to avoid repeated detection of the same class, so that the purpose of performing memory horse detection on the process to be detected is achieved without injecting the detection program into the process to be detected, obtaining the Class byte stream, and downloading the bytecode file for decompilation, thereby achieving the technical effect of improving the detection efficiency of memory horses.

The above-mentioned memory may include non-permanent memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash RAM, and the memory includes at least one storage chip.

According to another aspect of an embodiment of the present invention, an electronic device is also provided, including: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to execute the memory horse detection method provided by any one of the above embodiments by executing the executable instructions.

According to another aspect of an embodiment of the present invention, a computer-readable storage medium is provided, which stores a computer program, wherein when the computer program is running, the device where the computer-readable storage medium is located is controlled to execute the memory horse detection method provided by any one of the above embodiments.

Figure 10 is a schematic diagram of an electronic device according to an embodiment of the present invention. As shown in Figure 10, an embodiment of the present invention provides an electronic device, which includes a processor, a memory, and a program stored in the memory and executable on the processor. When the processor executes the program, the memory horse detection method provided in any one of the above embodiments is implemented.

The serial numbers of the above embodiments of the present invention are only for description and do not represent the advantages or disadvantages of the embodiments.

In the above embodiments of the present invention, the description of each embodiment has its own emphasis. For parts that are not described in detail in a certain embodiment, reference can be made to the relevant descriptions of other embodiments.

In the several embodiments provided in this application, it should be understood that the disclosed technical content can be implemented in other ways. Among them, the device embodiments described above are only schematic. For example, the division of the units can be a logical function division. There may be other division methods in actual implementation. For example, multiple units or components can be combined or integrated into another system, or some features can be ignored or not executed. Another point is that the mutual coupling or direct coupling or communication connection shown or discussed can be through some interfaces, indirect coupling or communication connection of units or modules, which can be electrical or other forms.

The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed on multiple units. Some or all of the units may be selected according to actual needs to achieve the purpose of the present embodiment.

In addition, each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit. The above-mentioned integrated unit may be implemented in the form of hardware or in the form of software functional units.

If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part that contributes to the prior art, or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium, including a number of instructions for a computer device (which can be a personal computer, a server or a network device, etc.) to perform all or part of the steps of the method described in each embodiment of the present invention. The aforementioned storage medium includes: U disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), mobile hard disk, magnetic disk or optical disk and other media that can store program codes.

The above is only a preferred embodiment of the present invention. It should be pointed out that for ordinary technicians in this technical field, several improvements and modifications can be made without departing from the principle of the present invention. These improvements and modifications should also be regarded as the scope of protection of the present invention.

Claims (10)

1. A memory horse detection method, characterized by comprising: Determine the target process in the target device that is running; Traversing the class objects loaded by the target process, and for each traversed class object, determining whether to use the class object as the class object to be detected for this detection according to the target mapping cache, wherein the target mapping cache records: a mapping relationship between process information of a process and information of the detected class objects of the process; When the traversed class object is used as the class object to be detected in this detection, the constant pool of the class object to be detected is detected to obtain the detection result; According to the detection result, it is determined whether the target process is injected into the memory horse. 2. The memory horse detection method according to claim 1 is characterized in that the constant pool of the object of the class to be detected is detected to obtain the detection result, including: Determine a constant pool of the class object to be detected; Based on the storage format of the constant pool of the class object to be detected in the memory of the target process, parse the constant pool to obtain a parsing result; The object detection tool is used to load the preset detection rules to detect the analysis results and obtain the detection results corresponding to the objects of the class to be detected. 3. The memory horse detection method according to claim 2, characterized in that the storage format of the constant pool at least includes: a first array and a second array, wherein the first array is used to store the type of the constant pool, and the second array is used to store the data of the constant pool; Based on the storage format of the constant pool of the class object to be detected in the memory of the target process, the constant pool is parsed to obtain a parsing result, including: Based on the first array and the second array, the constant pool of the object of the class to be detected is parsed to obtain the parsing result. 4. The memory horse detection method according to claim 3, characterized in that, based on the first array and the second array, parsing the constant pool of the class object to be detected to obtain the parsing result comprises: Parsing the first array to obtain the type of the constant pool of the class object to be detected, and parsing the second array to obtain the data of the constant pool of the class object to be detected; Based on the type of the constant pool, symbol references in the data of the constant pool are replaced to obtain the parsing result, wherein the symbol reference indicates that the data content is described by using symbols. 5. The memory horse detection method according to claim 1, characterized in that the method further comprises: When there is a target class object whose attribute information has changed among the detected class objects, updating the target mapping cache according to the changed attribute information of the target class object; and/or, After obtaining the detection result corresponding to the constant pool of the object of the class to be detected, the target mapping cache is updated according to the attribute information of the object of the class to be detected and the process information of the target process. 6. The memory horse detection method according to claim 1 is characterized in that, according to the target mapping cache, determining whether to use the class object as the class object to be detected in this detection comprises: Determine whether the target mapping cache stores attribute information of the class object; In the case that the attribute information of the class object is not stored in the target mapping cache, or the attribute information of the class object has changed after the last detection, determining to use the class object as the class object to be detected in this detection; If the attribute information of the class object is stored in the target mapping cache and the attribute information of the class object has not changed since the last detection, it is determined not to use the class object as the class object to be detected in this detection. 7. The memory horse detection method according to any one of claims 1 to 6, characterized in that the method further comprises: In the case where it is determined that the first class object currently traversed is not to be used as the class object to be detected in this detection, obtaining, according to the target mapping cache, a historical detection result obtained by detecting the constant pool of the first class object; Determining whether the target process is injected into a memory horse according to the detection result includes: According to the historical detection results of the first category objects and the detection results of the second category objects, it is determined whether the target process is injected into the memory horse, wherein the second category objects are used as the objects of the to-be-detected category for this detection. 8. A memory horse detection device, characterized by comprising: A first determining unit, used to determine a target process in a running state in a target device; A processing unit, configured to traverse the class objects loaded by the target process, and for each traversed class object, determine, according to a target mapping cache, whether to use the class object as a class object to be detected in this detection, wherein the target mapping cache records: a mapping relationship between process information of a process and information of the detected class objects of the process; The detection unit is used to detect the constant pool of the class object to be detected when the traversed class object is used as the class object to be detected in this detection, so as to obtain the detection result; The second determining unit is used to determine whether the target process is injected into the memory horse according to the detection result. 9. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, wherein when the computer program is running, the device where the computer-readable storage medium is located is controlled to execute the memory horse detection method described in any one of claims 1 to 7. 10. An electronic device, characterized in that it comprises one or more processors and a memory, wherein the memory is used to store one or more programs, wherein when the one or more programs are executed by the one or more processors, the one or more processors implement the memory horse detection method described in any one of claims 1 to 7.