[go: up one dir, main page]

WO2025189909A1 - Application processing method and apparatus, and attack defense system - Google Patents

Application processing method and apparatus, and attack defense system

Info

Publication number
WO2025189909A1
WO2025189909A1 PCT/CN2024/143017 CN2024143017W WO2025189909A1 WO 2025189909 A1 WO2025189909 A1 WO 2025189909A1 CN 2024143017 W CN2024143017 W CN 2024143017W WO 2025189909 A1 WO2025189909 A1 WO 2025189909A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
computer device
sample program
dynamic link
link library
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
PCT/CN2024/143017
Other languages
French (fr)
Chinese (zh)
Inventor
易蜀锋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Publication of WO2025189909A1 publication Critical patent/WO2025189909A1/en
Pending legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols

Definitions

  • the present application relates to the field of computer security, and in particular to an application processing method and device, and an attack defense system.
  • Shellcode is a piece of machine code executed to exploit software vulnerabilities. It's used to perform specific tasks within a computer system, such as providing remote access or escalating privileges. Therefore, shellcode is often used to launch malicious attacks against computer systems. In other words, shellcode is a form of malicious code. Because shellcode is simply a piece of machine code, it can easily evade detection through methods such as distortion or encryption. Furthermore, shellcode is often used to decrypt malicious files and execute them in memory. Since shellcode itself doesn't perform any actual malicious functions, it can easily evade static anti-virus (AV) detection.
  • AV static anti-virus
  • related technologies provide a solution for identifying malicious programs running on the computer device by performing memory scanning on the computer device to detect whether malicious files are loaded into the computer device's memory.
  • the malicious program can only be identified after the shellcode has loaded the malicious file into the computer device's memory.
  • the shellcode may have already run the malicious file, indicating that actual malicious behavior has already occurred, resulting in the computer device being remotely attacked, such as the computer device being remotely controlled by the attacker or the data in the computer device being stolen by the attacker.
  • the present application provides an application processing method and device, and an attack defense system.
  • a method for processing an application includes: a computer device monitors whether a sample program running on the computer device loads a network dynamic link library.
  • the network dynamic link library is used to support network communication of the application.
  • the network dynamic link library includes one or more network connection functions.
  • the computer device determines whether a target memory block meets the shellcode running condition, where the target memory block is the memory block where the running code for loading the network dynamic link library is located in the sample program. If the target memory block meets the shellcode running condition, the computer device executes a malicious program processing flow for the sample program.
  • the malicious program processing flow includes: terminating the execution of the sample program before the sample program successfully calls the network connection function in the network dynamic link library.
  • the target memory block meets the shellcode running condition, that is, the running code in the target memory block is shellcode.
  • the sample program when a computer device determines that shellcode is running in a sample program, the sample program is treated as a malicious program, so that the sample program is terminated before the network connection function in the network dynamic link library is successfully called, so as to prevent the application from connecting to the remote server, thereby preventing the computer device from being controlled by an attacker through the remote server, or the internal data of the computer device from being stolen by an attacker through the remote server, thereby achieving protection for the computer device.
  • the target memory block is determined to meet the shellcode execution condition when the target memory block meets any one of the following conditions.
  • the conditions include: the size of the target memory block is equal to the memory page size in the operating system of the computer device; the target memory block has private permission, writable permission, and executable permission; and the target memory block contains a format header of a portable executable (PE) file (or the target memory block contains a complete PE file).
  • PE portable executable
  • an implementation method for a computer device to monitor whether a sample program running on the computer device loads a network dynamic link library includes: the computer device hooks a dynamic library loading function in the operating system of the computer device through a first hook function to monitor whether the sample program loads the network dynamic link library, and the dynamic library loading function is used to load the network dynamic link library.
  • the computer device uses hook technology to monitor whether the running sample program loads the network dynamic link library.
  • the first hook function is a user-mode hook function in the sample program, and the first hook function is injected into the sample program after the sample program is started.
  • the first hook function is a kernel-mode hook function in the kernel of the computer device.
  • the computer device uses user-mode hook technology to monitor whether the running sample program loads the network dynamic link library, or uses kernel-mode hook technology to monitor whether the running sample program loads the network dynamic link library.
  • the computer device executes a malicious program processing process on the sample program, including: obtaining network connection parameters provided by the sample program when the sample program attempts to call a network connection function in a network dynamic link library, and terminating execution of the sample program before the sample program successfully calls the network connection function in the network dynamic link library.
  • the network connection parameters include network address information of a remote server that the sample program attempts to connect to.
  • This application helps to provide security protection against network attacks carried out by the attacker through the control facility by obtaining the network address information of the attacker's control facility before the malicious program in the computer device commits any actual malicious behavior.
  • one implementation of a computer device obtaining network connection parameters provided by a sample program when attempting to call a network connection function in a network dynamic link library includes: the computer device suspending execution of the sample program and, during the suspension period, hooking the network connection function in the network dynamic link library using a second hook function. After the computer device completes hooking the network connection function in the network dynamic link library using the second hook function, it resumes execution of the sample program. In response to the sample program calling the network connection function in the network dynamic link library, the computer device obtains, through the second hook function, the network connection parameters provided by the sample program when calling the network connection function.
  • the computer device uses hook technology to obtain the network connection parameters provided by the sample program without querying the configuration file of the sample program.
  • the network address information of the attacker's control facility can also be obtained for fileless attack scenarios. It is highly feasible and can cover more attack scenarios.
  • the second hook function is a user-mode hook function in the sample program, and the second hook function is injected into the sample program after the sample program is started.
  • the second hook function is a kernel-mode hook function in the kernel of the computer device.
  • the computer device also sends the network address information of the remote server to a protection device deployed between the computer device and the remote server, and the network address information of the remote server is used by the protection device to intercept traffic from and/or traffic to the remote server.
  • the computer device provides the protection device with the network address information of the remote server identified as the attacker's control facility.
  • the protection device can prevent the data in the computer devices within the protected network from being stolen by intercepting the traffic sent from the protected network to the remote server.
  • the protection device can prevent the computer devices within the protected network from being remotely controlled by intercepting the traffic sent from the remote server to the protected network.
  • the network address information of the remote server includes one or more of the Internet Protocol (IP) address of the remote server, the domain name address of the remote server, or the port number of the remote server.
  • IP Internet Protocol
  • the above method is executed by security software running in a computer device.
  • a device for processing malicious programs is provided.
  • the device is applied to a computer device.
  • the device includes multiple functional modules that interact with each other to implement the method of the first aspect and its respective embodiments.
  • the multiple functional modules can be implemented based on software, hardware, or a combination of software and hardware, and the multiple functional modules can be arbitrarily combined or divided based on the specific implementation.
  • a computer device comprising: a memory, a network interface, and at least one processor.
  • the memory is configured to store program instructions, and the at least one processor reads the program instructions stored in the memory, thereby causing the computer device to execute the method of the first aspect and its respective embodiments.
  • an attack defense system comprising: a computer device and a protection device, wherein the computer device is located within a protected network protected by the protection device, wherein the computer device is configured to execute the method of the first aspect and its respective embodiments.
  • a computer device is configured to monitor whether a sample program running on the computer device loads a network dynamic link library (DLL), which is used to support network communication for applications and includes one or more network connection functions.
  • the computer device is further configured to, in response to monitoring the sample program loading the DLL, determine whether a target memory block meets a shellcode execution condition, where the target memory block is the memory block containing the execution code in the sample program used to load the DLL. If the target memory block meets the shellcode execution condition, execute a malicious program processing flow on the sample program.
  • the malicious program processing flow includes obtaining network connection parameters provided by the sample program when attempting to call a network connection function in the DLL, and terminating execution of the sample program before the sample program successfully calls the network connection function in the DLL.
  • the network connection parameters include network address information of a remote server that the sample program attempts to connect to.
  • the computer device is further configured to transmit the remote server's network address information to a protection device.
  • the protection device is configured to intercept traffic from and/or to the remote server based on the remote server's network address information.
  • the attack defense system further includes a cloud security server.
  • the computer device and/or the protection device is further configured to send the network address information of the remote server to the cloud security server.
  • the cloud security server is configured to aggregate the network address information of remote servers (malicious servers) collected from various sources.
  • the cloud security server is further configured to provide the subscriber with an attacker profile based on subscription requirements.
  • the attacker profile includes, but is not limited to, the malicious server's network address information and/or attack behavior characteristics.
  • an attack defense system comprising: a computer device and a cloud security server, wherein the computer device is configured to execute the method of the first aspect and its respective embodiments.
  • a computer device is used to monitor whether a sample program running on the computer device loads a network dynamic link library, which is used to support network communication for applications and includes one or more network connection functions.
  • the computer device is also used to, in response to monitoring the sample program loading the network dynamic link library, determine whether a target memory block meets the shellcode execution condition, where the target memory block is the memory block where the execution code used to load the network dynamic link library in the sample program is located; and if the target memory block meets the shellcode execution condition, execute a malicious program processing flow on the sample program, wherein the malicious program processing flow includes: obtaining network connection parameters provided when the sample program attempts to call a network connection function in the network dynamic link library, and terminating execution of the sample program before the sample program successfully calls the network connection function in the network dynamic link library, wherein the network connection parameters include network address information of a remote server that the sample program attempts to connect to.
  • the computer device is also used to send the network address information of the remote server to a cloud security server.
  • the cloud security server is used to aggregate the network address information of remote servers (i.e., malicious servers) collected from various sources.
  • the cloud security server is also used to provide the subscriber with an attack organization portrait according to subscription requirements.
  • the attack organization portrait includes but is not limited to the network address information and/or attack behavior characteristics of the malicious server.
  • the attack defense system further includes a protection device, wherein the computer device is located within a protected network protected by the protection device.
  • the computer device and/or the cloud security server is further configured to send the network address information of the remote server to the protection device.
  • the protection device is configured to intercept traffic from and/or traffic destined for the remote server based on the network address information of the remote server.
  • a computer-readable storage medium on which instructions are stored.
  • the instructions are executed by a processor, the method in the above-mentioned first aspect and its various embodiments is implemented.
  • a computer program product comprising a computer program, which, when executed by a processor, implements the method in the above-mentioned first aspect and its various embodiments.
  • a chip which includes a programmable logic circuit and/or program instructions. When the chip is running, it implements the method in the above-mentioned first aspect and its various embodiments.
  • FIG1 is a schematic diagram of an implementation scenario provided by an embodiment of the present application.
  • FIG2 is a schematic diagram of the hardware structure of a computer device provided in an embodiment of the present application.
  • FIG3 is a schematic diagram of the hardware structure of a protective device provided in an embodiment of the present application.
  • FIG4 is a flow chart of an application processing method provided in an embodiment of the present application.
  • FIG5 is a schematic structural diagram of an application processing device provided in an embodiment of the present application.
  • Shellcode a piece of machine code executed to exploit software vulnerabilities, is often used to launch malicious attacks against computer systems.
  • attackers implementing advanced threat or fileless attacks do not directly provide a malicious program with actual malicious functionality. Instead, they inject shellcode into a computer device as a malicious program.
  • the attacker retrieves a fully functional encrypted dynamic link library (DLL) from the network and decrypts the encrypted DLL.
  • the decrypted DLL is then loaded into the computer device's memory and the functions within it are executed, thereby attacking the computer device.
  • the attacker stores the fully functional encrypted DLL in the malicious program's local directory or its own resource segment.
  • the attacker then injects the shellcode into the computer device along with the file containing the fully functional encrypted DLL.
  • the attacker decrypts the injected encrypted DLL, then loads the decrypted DLL into the computer device's memory and executes the functions within the DLL, thereby attacking the computer device.
  • the decrypted dynamic link library is the real attack payload.
  • the shellcode may have already run the attack payload, causing the computer device to be remotely attacked, such as the computer device has been remotely controlled by the attacker, or the data in the computer device has been stolen by the attacker.
  • the present application provides a technical solution, which monitors and analyzes the application running on the computer device in real time to determine whether the application is a malicious program containing shellcode, or whether it is injected with shellcode (i.e., infected by a malicious program), and terminates the execution of the malicious program before the malicious program performs any substantial malicious behavior, thereby ensuring the security of the computer system.
  • the technical solution of the present application is as follows: the computer device monitors whether the application running on the computer device loads a network dynamic link library, which is used to support the application to perform network communication. In response to monitoring that the application loads the network dynamic link library, the computer device determines whether the memory block where the running code for loading the network dynamic link library in the application meets the shellcode running conditions.
  • the computer device executes the malicious program processing flow for the application to terminate the execution of the application before the application successfully calls the network connection function in the network dynamic link library.
  • the present application determines whether the running code in the memory block used to load the network dynamic link library in the application is shellcode by judging whether the memory block where the running code is located meets the shellcode running conditions. If the running code is shellcode, it means that the application is very likely to be a malicious program, or the application is very likely to have been infected by a malicious program. Then, if the application continues to run, it is likely to cause the computer device to be attacked by the malicious program, and the security of the computer device will be threatened.
  • the present application determines that there is shellcode running in the memory space of the application, the application is treated as a malicious program, so that the application is terminated before the network connection function in the network dynamic link library is successfully called, so as to avoid the application from connecting to the remote server, thereby preventing the computer device from being controlled by the attacker through the remote server, or the internal data of the computer device from being stolen by the attacker through the remote server.
  • the solution of the present application it is possible to prevent shellcode from connecting to the remote server, thereby preventing shellcode from downloading a fully functional encrypted dynamic link library from the network.
  • the second attack scenario mentioned above by implementing the solution of the present application, it is possible to prevent shellcode from connecting to the remote server, thereby preventing shellcode from loading the attack payload into the memory and then connecting to the attacker's server after execution.
  • the shellcode running conditions are determined based on the characteristics of the memory block in which the shellcode is running. Before the shellcode is run in a computer device, it is necessary to apply for a memory block in the computer device's memory for running the shellcode. Since the characteristics of the memory block used to run the shellcode are somewhat different from the characteristics of the memory block used to run a normal application, the characteristics of the memory block include but are not limited to the memory block size, memory block permissions or memory block content. Therefore, the present application summarizes the characteristics of the memory block used to run the shellcode, and realizes the judgment based on the memory block size, memory block permissions or memory block content whether the memory block where the running code is located meets the shellcode running conditions, that is, judges whether the running code is shellcode.
  • the specific judgment method is as follows: when the size of the memory block where the running code is located is equal to the memory page size in the operating system of the computer device, or the memory block where the running code is located has private permissions, writable permissions and executable permissions, or the memory block where the running code is located contains the format header of the PE file, it is determined that the memory block where the running code is located meets the shellcode running conditions.
  • the judgment principle based on the above three conditions is explained below.
  • Judgment condition 1 When the size of the memory block where the running code is located is equal to the memory page size in the operating system of the computer device, it is determined that the memory block meets the shellcode running condition.
  • the memory page size in the operating system is the smallest memory allocation unit in the operating system.
  • the memory page size in the Windows operating system generally defaults to 4 kilobytes (KB).
  • the above judgment condition 1 is: when the size of the memory block where the running code is located is equal to 4KB, it is determined that the memory block meets the shellcode running condition. Since the code segment of a normal application usually contains compiler code when running in memory, the memory occupied by the code segment of a normal application is generally much larger than the memory page size in the operating system (such as 4KB).
  • Shellcode as a machine code, requires very little memory to run, usually less than the memory page size in the operating system (such as 4KB). Therefore, if the memory block size where the running code is located is equal to the memory page size in the operating system of the computer device, then the running code is very likely to be shellcode. It is worth noting that the memory page size in the operating system can be configured and modified. For example, the memory page size in the Windows operating system can be set to other values such as 8KB or 32KB.
  • Judgment condition 2 When the memory block where the running code is located has private permissions, writable permissions, and executable permissions, it is determined that the memory block meets the shellcode running conditions. Since the memory block where the code segment of a normal application is located usually only has read permissions and executable permissions, the memory block where the shellcode is located must have private permissions, writable permissions, and executable permissions to support the normal operation of the shellcode. Therefore, if the memory block where the running code is located has private permissions, writable permissions, and executable permissions, then the running code is very likely to be shellcode.
  • Judgment condition 3 When the memory block where the running code is located contains the format header of the PE file, it is determined that the memory block meets the shellcode running condition. Since the format header of the PE file of a normal application is read-only, and the code segment of the PE file of a normal application is readable and executable, and the permissions of the same memory block are the same, when a normal application is running in the memory, the format header and code segment of the PE file will be loaded into different memory blocks, so that the format header and code segment of the PE file have different read and write permissions. When the shellcode is running in the memory of the computer device, the PE file of the shellcode will be loaded completely into the same memory block.
  • the memory block where the running code is located also contains the format header of the PE file, then the running code is very likely to be shellcode. Since the memory block where the running code is located must include the code segment of the PE file, if the memory block also contains the format header of the PE file, it means that the memory block contains a complete PE file. Accordingly, in the above judgment condition 3, "the memory block contains the format header of the PE file" can also be replaced with: the memory block contains the complete PE file, or the memory block contains the format header and code segment of the PE file.
  • a computer device when a computer device processes an application as a malicious program, it obtains the network connection parameters provided by the application when it attempts to call a network connection function in a network dynamic link library, and terminates the execution of the application before the application successfully calls the network connection function in the network dynamic link library.
  • the network connection parameters include the network address information of the remote server that the application attempts to connect to.
  • the network address information of the remote server includes one or more of the IP address of the remote server, the domain name address of the remote server, or the port number of the remote server.
  • the application Since the application provides network connection parameters including the network address information of the remote server when calling the network connection function in the network dynamic link library to try to connect to the remote server, for a malicious program, the remote server that the malicious program attempts to connect to is usually the attacker's control facility.
  • This application helps to provide security protection against network attacks carried out by the attacker through the control facility by obtaining the network address information of the attacker's control facility before the malicious program in the computer device commits any substantial malicious behavior.
  • the computer device is located in a protected network protected by a protective device, that is, a protective device is deployed between the computer device and the remote server.
  • a protective device is deployed between the computer device and the remote server.
  • the computer device After obtaining the network address information of the remote server, the computer device sends the network address information of the remote server to the protective device deployed between the computer device and the remote server.
  • the protective device intercepts the traffic from the remote server and/or the traffic sent to the remote server based on the network address information of the remote server. By intercepting the traffic sent from the protected network to the remote server, the protective device can prevent the data in the computer device in the protected network from being stolen. By intercepting the traffic sent from the remote server to the protected network, the protective device can prevent the computer device in the protected network from being remotely controlled.
  • the present application realizes a global ban on the attacker's control facilities by linking the computer device with the protective device, thereby protecting the computer devices in the protected network from remote attacks by the attacker.
  • the computer device can also output the network address information of the remote server, and the security operation and maintenance personnel can input the network address information of the remote server into the protective device through manual configuration, so that the protective device can intercept the sending traffic and/or receiving traffic (collectively referred to as attack traffic) of the remote server.
  • attack traffic collectively referred to as attack traffic
  • the computer device is a terminal device installed with a Windows operating system, including but not limited to a server, host, personal computer, mobile phone, or workstation.
  • Windows operating systems include but are not limited to Windows XP, Windows Server 2003, Windows 7, Windows 8, or Windows 10.
  • Embodiments of the present application can handle various shellcode-based remote attack scenarios, such as commercial remote control systems that use shellcode, including but not limited to CobaltStrike, MeterPreter, Gh0stRat, Silver, and Brute Ratel C4.
  • shellcode including but not limited to CobaltStrike, MeterPreter, Gh0stRat, Silver, and Brute Ratel C4.
  • fileless Trojan attacks that use shellcode, including but not limited to Icedid, Emotet, and Ursnif.
  • Figure 1 is a schematic diagram of an implementation scenario provided by an embodiment of the present application. As shown in Figure 1, this implementation scenario primarily involves three types of devices: a protective device, a computer device, and a remote server. The following provides examples of each of these three types of devices.
  • Protection devices are deployed between external networks (such as the Internet) and protected networks.
  • protection devices are typically deployed at the boundaries of protected networks to protect computer devices within the protected network from attacks from external networks.
  • Protection devices can securely filter traffic entering and leaving the protected network, blocking attack traffic to ensure the security of computer devices within the protected network, while allowing normal traffic to ensure that computer devices within the protected network can communicate normally with the external network.
  • Protection devices include, but are not limited to, firewalls, security gateways (such as routers or switches), intrusion detection systems (IDS) devices, intrusion prevention systems (IPS) devices, unified threat management (UTM) devices, AV devices, anti-distributed denial of service (anti-DDoS) devices, and next-generation firewalls (NGFWs), integrated with one or more of these.
  • the computer device is a protected device located in a protected network. From the perspective of the computer device, the protected network in which the computer device is located is an internal network, and the Internet is an external network.
  • the computer device is a protected server that provides services to normal clients (not shown in the figure) in the protected network and the Internet.
  • computer devices include but are not limited to application servers or web servers.
  • application servers include but are not limited to game servers, video application servers, file servers, search engine servers, instant messaging servers, etc.
  • Web servers are also called World Wide Web (web) servers or website servers.
  • a remote server is a control facility used by attackers to launch remote attacks.
  • the remote server is located on an external network (such as the internet), allowing attackers to launch remote attacks from the external network to computers within the protected network.
  • Remote servers for example, are command and control (CC) servers, which support cyberattacks, hacker activities, or other illegal activities.
  • CC servers are characterized by high controllability and configurability, and can communicate with malicious programs to remotely control and operate infected computers.
  • This implementation scenario also involves a cloud security server.
  • the cloud security server is communicatively connected to a computer device to receive the network address information of a malicious server sent by the computer device; and/or, the cloud security server is communicatively connected to a protective device to receive the network address information of a malicious server sent by the protective device (Figure 1 takes the communication connection between the cloud security server and the computer device as an example).
  • the cloud security server is used to collect and aggregate the network address information of malicious servers collected from various sources, and is further used to provide attack organization portraits to subscribers according to subscription requirements. Attack organization portraits include but are not limited to network address information of malicious servers and/or attack behavior characteristics.
  • Figure 2 is a schematic diagram of the hardware structure of a computer device provided in an embodiment of the present application.
  • computer device 200 includes a processor 201 and a memory 202, and processor 201 and memory 202 are connected via a bus 203.
  • Figure 2 illustrates processor 201 and memory 202 as independent of each other.
  • processor 201 and memory 202 are integrated together.
  • computer device 200 shown in Figure 2 is any computer device in the implementation scenario shown in Figure 1.
  • Memory 202 is used to store computer programs, including an operating system and program code.
  • the operating system is a Windows operating system.
  • Memory 202 is a storage medium of various types, such as read-only memory (ROM), random access memory (RAM), electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM), flash memory, optical memory, register, optical disk storage, optical disc storage, magnetic disk, or other magnetic storage device.
  • the processor 201 is a general-purpose processor or a dedicated processor.
  • the processor 201 may be a single-core processor or a multi-core processor.
  • the processor 201 includes at least one circuit to execute the application processing method provided in the embodiment of the present application.
  • the computer device 200 further includes a network interface 204, which is connected to the processor 201 and the memory 202 via the bus 203.
  • the network interface 204 enables the computer device 200 to communicate with other devices.
  • computer device 200 further includes an input/output (I/O) interface 205, which is connected to processor 201 and memory 202 via bus 203.
  • I/O interface 205 is used to connect computer device 200 to input devices, such as a keyboard and a mouse.
  • the network interface 204 and I/O interface 205 are collectively referred to as a communication interface.
  • the computer device 200 further includes a display 206, which is connected to the processor 201 and the memory 202 via the bus 203.
  • the display 206 can be used to display intermediate results and/or final results generated by the processor 201 executing the application processing method provided in the embodiments of the present application, such as network address information of a remote server.
  • the display 206 is a touch screen display to provide a human-computer interaction interface.
  • the bus 203 is any type of communication bus for interconnecting the internal components of the computer device 200, such as a system bus.
  • the embodiments of the present application illustrate the example of interconnecting the aforementioned components within the computer device 200 via the bus 203.
  • the aforementioned components within the computer device 200 may be communicatively connected to each other using other connection methods besides the bus 203, such as interconnecting the aforementioned components within the computer device 200 via a logical interface within the computer device 200.
  • the above-mentioned devices can be provided on separate chips, or at least partially or entirely on the same chip. Whether to provide each device independently on different chips or to integrate them on one or more chips often depends on the product design requirements. The embodiments of this application do not limit the specific implementation of the above-mentioned devices.
  • the computer device 200 shown in FIG2 is merely exemplary. During implementation, the computer device 200 includes other components, which are not listed here.
  • the computer device 200 shown in FIG2 can process malicious programs by executing all or part of the steps of the data backup method provided in the embodiment of the present application.
  • FIG 3 is a schematic diagram of the hardware structure of a protection device provided in an embodiment of the present application.
  • protection device 300 includes a central processing unit (CPU) 301, a dedicated hardware chip 302, and at least one network interface 303.
  • CPU 301 and dedicated hardware chip 302 may be collectively referred to as a processor.
  • protection device 300 shown in Figure 3 is the protection device in the implementation scenario shown in Figure 1.
  • CPU 301 is a general-purpose central processing unit (CPU) with high scalability and flexibility.
  • CPU 301 may be, for example, a single-core processor (single-CPU) or a multi-core processor (multi-CPU).
  • the dedicated hardware chip 302 is a high-performance processing hardware module.
  • the dedicated hardware chip 302 includes at least one of an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a network processor (NP).
  • ASIC application-specific integrated circuit
  • FPGA field-programmable gate array
  • NP network processor
  • At least one network interface 303 includes, for example, network interface 1, network interface 2, network interface 3...network interface n in Figure 3.
  • the network interface 303 uses any transceiver-like device to communicate with other devices.
  • the network interface 1 in Figure 3 communicates with a computer device, and the network interface 2 in Figure 3 communicates with a remote server.
  • the network interface 303 includes at least one of a wired network interface or a wireless network interface.
  • the wired network interface is, for example, an Ethernet interface.
  • the Ethernet interface is, for example, an optical interface, an electrical interface, or a combination thereof.
  • the wireless network interface is, for example, a wireless local area network (WLAN) interface, a cellular network interface, or a combination thereof.
  • WLAN wireless local area network
  • At least one network interface 303 is connected to the dedicated hardware chip 302, and the dedicated hardware chip 302 is connected to the CPU 301 via an internal connection 304.
  • the internal connection 304 includes a path for transmitting data between the network interface 303, the dedicated hardware chip 302, and the CPU 301.
  • the internal connection 304 is a single board or a bus.
  • the internal connection 304 is Ethernet, Fibre Channel, PCI-E (Peripheral Component Interconnect Express, PCI Express, a high-speed serial computer bus), RapidIO (a high-performance, low-pin-count, packet-switched interconnect architecture), InfiniBand, or a XAUI bus (an interface extender that connects the Ethernet Media Access Control (MAC) layer to the physical layer).
  • PCI-E Peripheral Component Interconnect Express
  • RapidIO a high-performance, low-pin-count, packet-switched interconnect architecture
  • InfiniBand or a XAUI bus (an interface extender that connects the Ethernet Media Access
  • protection device 300 further includes a content addressable memory (CAM) 305.
  • CAM 305 is, for example, a ternary content addressable memory (TCAM).
  • TCAM ternary content addressable memory
  • CAM 305 is used to store, for example, the network address information of a remote server (the attacker's control facility).
  • CAM 305 exists independently and is connected to dedicated hardware chip 302 via the aforementioned internal connection 304.
  • CAM 305 and dedicated hardware chip 302 are integrated, such that CAM 305 functions as internal memory within dedicated hardware chip 302.
  • the protection device 300 further includes a memory 306.
  • the memory 306 may be, for example, a ROM or other type of static storage device capable of storing static information and instructions, a RAM or other type of dynamic storage device capable of storing information and instructions, an EEPROM, a CD-ROM or other optical disk storage, an optical disk storage (including a compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium capable of carrying or storing the desired program code 308 in the form of instructions or data structures and accessible by a computer, but is not limited thereto.
  • the memory 306 may be, for example, independent and connected to the CPU 301 via the internal connection 304. Alternatively, the memory 306 and the CPU 301 may be integrated.
  • Memory 306 stores an operating system 307 and program code 308.
  • CPU 301 reads operating system 307 from memory 306 and executes it.
  • CPU 301 also reads program code 308 from memory 306 and implements the method provided in the embodiments of the present application by executing program code 308 on operating system 307.
  • Protection device 300 intercepts traffic from and/or to a remote server based on the network address information of the remote server.
  • the above-mentioned devices are respectively provided on independent chips, or at least partially or entirely provided on the same chip. Whether each device is provided independently on different chips or integrated on one or more chips often depends on the needs of product design.
  • the embodiments of the present application do not limit the specific implementation of the above-mentioned devices.
  • FIG4 is a flow chart of an application processing method 400 provided in an embodiment of the present application.
  • the method 400 includes but is not limited to the following steps 401 to 403.
  • the method 400 is applied to a computer device.
  • the method 400 is executed by security software running on the computer device, and the security software is, for example, endpoint detection and response (EDR) software.
  • EDR endpoint detection and response
  • the computer device in the method 400 is any computer device in FIG1 .
  • the computer device in the method 400 has the hardware structure shown in FIG2 .
  • Step 401 The computer device monitors whether the sample program running on the computer device has loaded a network dynamic link library.
  • the network dynamic link library is used to support the application program to perform network communication, and the network dynamic link library includes one or more network connection functions.
  • the network dynamic link library is a library file (DLL file) that comes with the operating system of the computer device.
  • DLL file library file
  • the embodiment of the present application does not exclude the possibility of the application program carrying the network dynamic link library.
  • the file type of the network dynamic link library includes but is not limited to ws2_32.dll, dnsapi.dll, Winhttp.dll or urlmon.dll.
  • the network connection functions in the network dynamic link library include, but are not limited to, one or more of the following: InternetConnectA function, InternetConnectW function, UrlDownloadToFile function, connect function, WinHttpConnect function, or DnsQuery function.
  • An application on a computer device can achieve network connection by loading the network dynamic link library and further calling the network connection functions in the network dynamic link library.
  • sample program is used to refer to any application program running on a computer device.
  • a sample program may be, for example, a browser, office software, or game software.
  • the computer device uses hook technology to monitor whether the running sample program loads the network dynamic link library.
  • the implementation method of the above-mentioned step 401 is that the computer device hooks the dynamic library loading function in the operating system of the computer device through the first hook function to monitor whether the sample program loads the network dynamic link library.
  • the first hook function hooks the dynamic library loading function in the operating system of the computer device, that is, the first hook function hooks the application programming interface (API) that calls the dynamic library loading function.
  • API application programming interface
  • the dynamic library loading function is a function in a dynamic link library (different from a network dynamic link library) that comes with the operating system of the computer device.
  • the dynamic link library function is used to load a dynamic link library, for example, to load a network dynamic link library.
  • the dynamic library loading function includes a LoadLibrary function or an LdrLoadDll function.
  • the computer device uses user-state hook technology to monitor whether the running sample program loads the network dynamic link library.
  • User-state hook technology is a technology for intercepting and modifying function calls made in an application.
  • the first hook function is a user-state hook function in the sample program, and the first hook function is injected into the sample program after the sample program is started.
  • the user-state hook function used to hook the dynamic library loading function in the operating system of the computer device is referred to as the first user-state hook function.
  • the computer device detects that the sample program is started, it injects the first user-state hook function into the sample program through security software.
  • the computer device injects the first user-state hook function into the sample program by injecting a DLL.
  • a user-mode hook function refers to a hook function that runs in user mode.
  • User mode refers to the non-privileged mode in which applications run, with limited access to restricted resources and no direct hardware manipulation or privileged instruction execution.
  • Applications enter kernel mode through the system call interface and request privileged operations from the operating system.
  • User-mode hooking techniques may include, but are not limited to, inline hooking or import address table (IAT) hooking.
  • the computer device uses kernel-state hook technology to monitor whether the running sample program loads the network dynamic link library.
  • Kernel-state hook technology is a technology for intercepting and modifying function calls performed in the kernel of the operating system.
  • the first hook function is a kernel-state hook function in the kernel of the computer device.
  • the kernel-state hook function used to hook the dynamic library loading function in the operating system of the computer device is referred to as the first kernel-state hook function.
  • the first kernel-state hook function is injected into the kernel of the computer device.
  • injecting the kernel-state hook function into the kernel of the computer device can be understood as implementing the function of the hook function in the kernel-state driver of the operating system.
  • kernel-state hook function refers to a hook function that runs in kernel state.
  • Kernel state refers to the kernel running in privileged mode, with access to all resources and the ability to execute privileged instructions.
  • the operating system executes system calls and handles interrupts in kernel state.
  • kernel-state hooks are implemented based on a hypervisor.
  • kernel-state hook technologies include, but are not limited to, model-specific register hooks (MSR hooks) or extended page table hooks (EPT hooks).
  • Step 402 In response to monitoring that the sample program loads the network dynamic link library, the computer device determines whether a target memory block meets the shellcode execution condition, where the target memory block is a memory block where the execution code for loading the network dynamic link library in the sample program is located.
  • the target memory block meets any one of the following conditions, it is determined that the target memory block meets the shellcode running condition.
  • the multiple conditions include: the size of the target memory block is equal to the memory page size in the operating system of the computer device; the target memory block has private permissions, writable permissions, and executable permissions; the target memory block contains the format header of the PE file. That is, when the size of the target memory block is equal to the memory page size in the operating system of the computer device, it is determined that the target memory block meets the shellcode running condition. Alternatively, when the target memory block has private permissions, writable permissions, and executable permissions, it is determined that the target memory block meets the shellcode running condition. Alternatively, when the target memory block contains the format header of the PE file, it is determined that the target memory block meets the shellcode running condition.
  • the computer device sequentially determines whether the size, permissions, and content of the target memory block meet the shellcode execution conditions. Once it is determined that the target memory block meets the shellcode execution conditions, the computer device stops executing the judgment process.
  • the embodiment of the present application does not limit the order of judging these three judgment conditions.
  • the target memory block does not meet the shellcode execution conditions, it indicates that the code running in the target memory block for loading the network dynamic link library is normal code, and the computer device does not interfere with the network behavior after the code is executed. If the target memory block meets the shellcode execution conditions, it indicates that the code running in the target memory block for loading the network dynamic link library is shellcode, and the computer device needs to block the network behavior after the shellcode.
  • the specific implementation method is shown in step 403 below.
  • Step 403 If the target memory block meets the shellcode running condition, the computer device executes a malicious program processing flow for the sample program, wherein the malicious program processing flow includes: terminating the execution of the sample program before the sample program successfully calls a network connection function in a network dynamic link library.
  • the computer device terminates execution of the sample program, including closing the sample program and releasing the memory space occupied by the sample program.
  • the sample program when a computer device determines that shellcode is running in a sample program, the sample program is treated as a malicious program, so that the sample program is terminated before the network connection function in the network dynamic link library is successfully called, so as to prevent the application from connecting to the remote server, thereby preventing the computer device from being controlled by an attacker through the remote server, or preventing the internal data of the computer device from being stolen by an attacker through the remote server, thereby protecting the computer device.
  • the computer device before terminating the execution of the sample program, the computer device also obtains the network address information of the remote server that the sample program attempts to connect to. Accordingly, the computer device executes a malicious program processing process on the sample program, including: the computer device obtains the network connection parameters provided when the sample program attempts to call the network connection function in the network dynamic link library, and terminates the execution of the sample program before the sample program successfully calls the network connection function in the network dynamic link library.
  • the network connection parameters include the network address information of the remote server that the sample program attempts to connect to.
  • the network address information of the remote server includes but is not limited to one or more of the IP address of the remote server, the domain name address of the remote server, or the port number of the remote server.
  • the network connection parameters also include information such as a user name and a login password. Based on the network connection parameters provided by the sample program, the computer device can connect to the remote server.
  • the computer device uses hook technology to obtain the network connection parameters provided by the sample program. Accordingly, the computer device obtains the network connection parameters provided when the sample program attempts to call the network connection function in the network dynamic link library in the following implementation method, including the following steps S1 to S3.
  • step S1 the computer device suspends the execution of the sample program and, during the suspension, hooks the network connection function in the network dynamic link library through the second hook function.
  • the second hook function hooks the network connection function in the network dynamic link library, that is, the second hook function hooks the API that calls the network connection function in the network dynamic link library, so that the second hook function can monitor the behavior of the sample program calling the network connection function to connect to the remote server.
  • the second hook function is a user-mode hook function in the sample program, which is injected into the sample program after the sample program is launched.
  • the user-mode hook function used to hook the network connection function in the network dynamic link library is referred to as the second user-mode hook function.
  • the computer device upon detecting the launch of the sample program, injects the second user-mode hook function into the sample program via security software.
  • the computer device injects the second user-mode hook function into the sample program by injecting a DLL.
  • the computer device when the computer device detects that the sample program is started, it injects the first user-state hook function and the second user-state hook function into the sample program at the same time, and hooks the dynamic library loading function in the operating system of the computer device through the first user-state hook function. Thereafter, when it is necessary to obtain the network connection parameters of the remote server to which the sample program attempts to connect, it hooks the network connection function in the network dynamic link library through the second user-state hook function.
  • the computer device detects that the sample program is started, it injects the first user-state hook function into the sample program, and hooks the dynamic library loading function in the operating system of the computer device through the first user-state hook function.
  • the sample program injects the second user-state hook function into the sample program, and hooks the network connection function in the network dynamic link library through the second user-state hook function. That is, the first user-state hook function and the second user-state hook function can be injected into the sample program at one time, or can be injected into the sample program separately.
  • the second hook function is a kernel-mode hook function in the kernel of the computer device.
  • the kernel-mode hook function used to hook the network connection function in the network dynamic link library is referred to as the second kernel-mode hook function.
  • the second kernel-mode hook function is injected into the kernel of the computer device.
  • the first kernel-state hook function and the second kernel-state hook function are simultaneously injected into the kernel of the computer device, and the first kernel-state hook function is used to hook the dynamic library loading function in the operating system of the computer device.
  • the second kernel-state hook function is used to hook the network connection function in the network dynamic link library.
  • the first kernel-state hook function is injected into the kernel of the computer device, and the first kernel-state hook function is used to hook the dynamic library loading function in the operating system of the computer device.
  • the second kernel-state hook function is injected into the kernel of the computer device, and the second kernel-state hook function is used to hook the network connection function in the network dynamic link library.
  • the first kernel-state hook function and the second kernel-state hook function can be injected into the kernel of the computer device at once, or can be injected into the kernel of the computer device separately.
  • step S2 after the computer device completes hooking the network connection function in the network dynamic link library through the second hook function, it resumes executing the sample program.
  • the computer device After the computer device completes hooking all network connection functions in the network dynamic link library through the second hook function, it resumes executing the sample program.
  • the second hook function can monitor it, thereby achieving comprehensive monitoring of the network connection behavior of the sample program.
  • step S3 in response to the sample program calling the network connection function in the network dynamic link library, the computer device obtains the network connection parameters provided by the sample program when calling the network connection function through the second hook function.
  • the computer device terminates execution of the sample program.
  • the second hook function hooks the network connection function in the network dynamic link library
  • the second hook function can monitor the sample program's call to the network connection function in the network dynamic link library, thereby obtaining the network connection parameters provided by the sample program when calling the network connection function.
  • the remote server the shellcode attempts to connect to is typically the attacker's control facility.
  • the embodiments of the present application help provide security protection against network attacks carried out by the attacker through the control facility.
  • the computer device is located within a protected network protected by the protection device, and the computer device further transmits the network address information of the remote server to the protection device deployed between the computer device and the remote server.
  • the network address information of the remote server is used by the protection device to intercept traffic from and/or traffic to the remote server.
  • a computer device provides the protection device with the network address information of a remote server identified as the attacker's control facility.
  • the protection device can prevent data from being stolen from computer devices within the protected network by intercepting traffic sent from the protected network to the remote server.
  • the protection device can prevent computer devices within the protected network from being remotely controlled by intercepting traffic sent from the remote server to the protected network.
  • the present application achieves a global blockade of the attacker's control facility by linking computer devices with the protection device, thereby protecting all computer devices within the protected network from remote attacks by the attacker.
  • the computer device also reports the network address information of the remote server identified as the attacker's control facility to the cloud.
  • the cloud analyzes the attacker's attack behavior characteristics, such as the attacker's target, the industry, and whether the attack is targeting a specific local area network or type of computer device or an indiscriminate attack. This creates a profile of the attacking organization to help businesses and individuals prevent and respond to cyberattacks. This profile includes, but is not limited to, the network address information of the malicious server and/or attack behavior characteristics.
  • Figure 5 is a schematic diagram of the structure of an application processing device provided in an embodiment of the present application.
  • the application processing device having the structure shown in Figure 5 is used to implement the method 400 described in the above embodiment.
  • the application processing device shown in Figure 5 is the computer device shown in Figure 1 or Figure 2, or the application processing device shown in Figure 5 is the security software in the computer device shown in Figure 1 or Figure 2.
  • the application processing device 500 includes a monitoring module 501 and a processing module 502.
  • the application processing device 500 also includes a transceiver module 503.
  • the monitoring module 501 is configured to monitor whether the sample program running on the computer device has loaded a network dynamic link library (DLL), which is used to support network communication for the application program and includes one or more network connection functions.
  • the processing module 502 is configured to, in response to monitoring that the sample program has loaded the DLL, determine whether a target memory block satisfies a shellcode execution condition.
  • the target memory block is the memory block containing the execution code in the sample program used to load the DLL; and if the target memory block satisfies the shellcode execution condition, execute a malicious program processing flow on the sample program.
  • the malicious program processing flow includes: terminating the sample program before the sample program successfully calls a network connection function in the DLL.
  • the target memory block meets any one of the following conditions, it is determined that the target memory block meets the shellcode execution condition, and the multiple conditions include: the size of the target memory block is equal to the memory page size in the operating system of the computer device; the target memory block has private permission, writable permission and executable permission; the target memory block contains the format header of the PE file.
  • the monitoring module 501 is specifically configured to hook a dynamic library loading function in the operating system of the computer device through a first hook function to monitor whether the sample program loads a network dynamic link library, where the dynamic library loading function is used to load the network dynamic link library.
  • the first hook function is a user-mode hook function in the sample program, and the first hook function is injected into the sample program after the sample program is started.
  • the first hook function is a kernel-mode hook function in the kernel of the computer device.
  • the processing module 502 is specifically configured to obtain network connection parameters provided when the sample program attempts to call a network connection function in a network dynamic link library if the target memory block meets the shellcode running conditions, and terminate the execution of the sample program before the sample program successfully calls the network connection function in the network dynamic link library, where the network connection parameters include network address information of a remote server that the sample program attempts to connect to.
  • the processing module 502 is specifically used to: if the target memory block meets the shellcode running conditions, suspend the execution of the sample program, and hook the network connection function in the network dynamic link library through the second hook function during the suspension period; after the hooking of the network connection function in the network dynamic link library is completed through the second hook function, resume the execution of the sample program; in response to the sample program calling the network connection function in the network dynamic link library, obtain the network connection parameters provided by the sample program when calling the network connection function through the second hook function; and terminate the execution of the sample program before the sample program successfully calls the network connection function in the network dynamic link library.
  • the second hook function is a user-mode hook function in the sample program, and the second hook function is injected into the sample program after the sample program is started.
  • the second hook function is a kernel-mode hook function in the kernel of the computer device.
  • the transceiver module 503 is used to send the network address information of the remote server to the protection device deployed between the computer device and the remote server.
  • the network address information of the remote server is used by the protection device to intercept traffic from the remote server and/or traffic sent to the remote server.
  • the network address information of the remote server includes one or more of an IP address of the remote server, a domain name address of the remote server, or a port number of the remote server.
  • the device embodiment described in FIG5 is merely schematic.
  • the division of the modules is merely a logical functional division.
  • multiple modules or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the functional modules in the various embodiments of the present application may be integrated into a processing module, or each module may exist physically separately, or two or more modules may be integrated into one module.
  • the above-mentioned modules in FIG5 may be implemented in the form of hardware or in the form of software functional units.
  • the above-mentioned monitoring module 501 and processing module 502 may be implemented as software functional modules generated by the processor 201 in FIG2 after reading the program code stored in the memory 202.
  • the modules described above in FIG5 may also be implemented separately by different hardware components of the computer device.
  • the monitoring module 501 and processing module 502 may be implemented by a portion of the processing resources of the processor 201 in FIG2 (e.g., one core in a multi-core processor), while the transceiver module 503 may be implemented by the network interface 204 in FIG2 and the remaining processing resources of the processor 201 (e.g., other cores in a multi-core processor).
  • the functional modules described above may also be implemented using a combination of software and hardware.
  • the transceiver module 503 may be implemented by a hardware programmable device, while the monitoring module 501 and processing module 502 may be software functional modules generated by the processor after reading program instructions stored in the memory.
  • an embodiment of the present application provides an attack defense system, comprising: a computer device and a protection device.
  • the computer device is located within a protected network protected by the protection device.
  • the computer device is configured to execute the above-described method 400.
  • the structure of the attack defense system is, for example, as shown in FIG1 .
  • a computer device is configured to monitor whether a sample program running on the computer device loads a network dynamic link library (DLL), which is used to support network communication for applications and includes one or more network connection functions.
  • the computer device is further configured to, in response to monitoring the sample program loading the DLL, determine whether a target memory block meets a shellcode execution condition, where the target memory block is the memory block containing the execution code in the sample program used to load the DLL. If the target memory block meets the shellcode execution condition, execute a malicious program processing flow on the sample program.
  • the malicious program processing flow includes obtaining network connection parameters provided by the sample program when attempting to call a network connection function in the DLL, and terminating execution of the sample program before the sample program successfully calls the network connection function in the DLL.
  • the network connection parameters include network address information of a remote server that the sample program attempts to connect to.
  • the computer device is further configured to transmit the remote server's network address information to a protection device.
  • the protection device is configured to intercept traffic from and/or to the remote server based on the remote server's network address information.
  • the attack defense system further includes a cloud security server.
  • the computer device and/or the protection device is further configured to send the network address information of the remote server to the cloud security server.
  • the cloud security server is configured to aggregate the network address information of the remote server (malicious server) collected from various sources.
  • the cloud security server is also used to provide the subscriber with an attacker profile according to subscription requirements.
  • the attacker profile includes but is not limited to the network address information of the malicious server and/or attack behavior characteristics.
  • an embodiment of the present application provides another attack defense system, including: a computer device and a cloud security server.
  • a computer device is used to monitor whether a sample program running on the computer device loads a network dynamic link library, which is used to support network communication for applications and includes one or more network connection functions.
  • the computer device is also used to, in response to monitoring the sample program loading the network dynamic link library, determine whether a target memory block meets the shellcode execution conditions, where the target memory block is the memory block where the execution code used to load the network dynamic link library in the sample program is located; and if the target memory block meets the shellcode execution conditions, execute a malicious program processing flow on the sample program, wherein the malicious program processing flow includes: obtaining network connection parameters provided by the sample program when attempting to call a network connection function in the network dynamic link library, and terminating execution of the sample program before the sample program successfully calls the network connection function in the network dynamic link library, wherein the network connection parameters include network address information of a remote server that the sample program attempts to connect to.
  • the computer device is also used to send the network address information of the remote server to a cloud security server.
  • the cloud security server is used
  • the cloud security server is also used to provide the subscriber with an attack organization portrait according to subscription requirements.
  • the attack organization portrait includes but is not limited to the network address information and/or attack behavior characteristics of the malicious server.
  • the attack defense system further includes a protection device, wherein the computer device is located within a protected network protected by the protection device.
  • the computer device and/or the cloud security server is further configured to send the network address information of the remote server to the protection device.
  • the protection device is configured to intercept traffic from and/or traffic destined for the remote server based on the network address information of the remote server.
  • An embodiment of the present application further provides a computer device comprising: a memory, a network interface, and at least one processor.
  • the memory is configured to store program instructions, and the at least one processor reads the program instructions stored in the memory, causing the computer device to execute the above-described method 400.
  • the hardware structure of the computer device is shown in FIG2 .
  • An embodiment of the present application further provides a computer-readable storage medium having instructions stored thereon.
  • the instructions are executed by a processor of a computer device, the steps executed by the computer device in the above method embodiment are implemented; or, when the instructions are executed by a processor of a management device, the steps executed by the management device in the above method embodiment are implemented.
  • An embodiment of the present application also provides a computer program product, including a computer program, which, when executed by a processor of a computer device, implements the steps performed by the computer device in the above method embodiment; or, when executed by a processor of a management device, implements the steps performed by the management device in the above method embodiment.
  • traffic is also referred to as network traffic or data traffic.
  • Traffic refers to the data transmitted over a network at a given point in time.
  • the traffic received by a device at time T refers to all packets received by the device at that point in time.
  • A refers to B, which means that A is the same as B or A is a simple variant of B.
  • all or part of the embodiments are implemented by software, hardware, firmware or any combination thereof.
  • all or part of the embodiments are implemented in the form of a computer program product.
  • the computer program product includes one or more computer instructions.
  • the computer is a general-purpose computer, a special-purpose computer, a computer network, or other programmable device.
  • the computer instructions are stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • the computer instructions can be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means.
  • the computer-readable storage medium is any available medium that can be accessed by a computer or a data storage device such as a server or data center that includes one or more available media integrated therein.
  • the available medium is a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a digital video disk (DVD)), or a semiconductor medium (e.g., a solid state disk (SSD)).
  • a magnetic medium e.g., a floppy disk, a hard disk, a magnetic tape
  • an optical medium e.g., a digital video disk (DVD)
  • DVD digital video disk
  • SSD solid state disk

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present application relates to the field of computer security, and provides an application processing method and apparatus, and an attack defense system. A computer device monitors whether an application running on the computer device loads a network dynamic link library. If it is detected that the application loads the network dynamic link library, and a memory block where the running code used for loading the network dynamic link library in the application is located meets a shellcode running condition, the execution of the application is terminated before the application successfully calls a network connection function in the network dynamic link library. In this way, an application running shellcode can be prevented from being connected to a remote server, thereby preventing the computer device from being controlled by an attacker by means of the remote server or preventing internal data of the computer device from being stolen by the attacker by means of the remote server.

Description

应用程序处理方法及装置、攻击防御系统Application processing method and device, attack defense system

本申请要求于2024年03月11日提交的申请号为202410272421.3、发明名称为“应用程序处理方法及装置、攻击防御系统”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims priority to Chinese patent application number 202410272421.3, filed on March 11, 2024, entitled “Application Processing Method and Device, Attack Defense System,” the entire contents of which are incorporated herein by reference.

技术领域Technical Field

本申请涉及计算机安全领域,特别涉及一种应用程序处理方法及装置、攻击防御系统。The present application relates to the field of computer security, and in particular to an application processing method and device, and an attack defense system.

背景技术Background Art

壳代码(shellcode)是一段用于利用软件漏洞而执行的机器代码,用于在计算机系统中执行特定任务,如提供远程访问、或权限提升等。因此shellcode常被用作对计算机系统进行恶意攻击,换句话说,shellcode是恶意代码的一种实现形式。由于shellcode只是一段简单的机器代码,容易通过变形或加密等手段逃避检测。另外shellcode经常用于解密恶意文件,并在内存中执行解密后的恶意文件。shellcode本身并不执行真正的恶意功能,因此shellcode很容易避开反病毒(anti-virus,AV)静态检测。Shellcode is a piece of machine code executed to exploit software vulnerabilities. It's used to perform specific tasks within a computer system, such as providing remote access or escalating privileges. Therefore, shellcode is often used to launch malicious attacks against computer systems. In other words, shellcode is a form of malicious code. Because shellcode is simply a piece of machine code, it can easily evade detection through methods such as distortion or encryption. Furthermore, shellcode is often used to decrypt malicious files and execute them in memory. Since shellcode itself doesn't perform any actual malicious functions, it can easily evade static anti-virus (AV) detection.

相关技术针对将shellcode作为恶意程序对计算机设备实施攻击的场景,提供了通过对计算机设备进行内存扫描,以检测计算机设备的内存中是否加载有恶意文件,从而识别出计算机设备中运行的恶意程序的方案。但是,采用相关技术提供的内存扫描技术时,只有在shellcode已经将恶意文件加载到计算机设备的内存中后才能识别出恶意程序,在识别出恶意程序之前,shellcode很有可能已经运行了恶意文件,即已经发生了实质的恶意行为,导致计算机设备已经受到远程攻击,比如计算机设备已经被攻击者远程控制,或者计算机设备中的数据已经被攻击者窃取。In scenarios where shellcode is used as a malicious program to attack a computer device, related technologies provide a solution for identifying malicious programs running on the computer device by performing memory scanning on the computer device to detect whether malicious files are loaded into the computer device's memory. However, when using the memory scanning technology provided by related technologies, the malicious program can only be identified after the shellcode has loaded the malicious file into the computer device's memory. Before the malicious program is identified, the shellcode may have already run the malicious file, indicating that actual malicious behavior has already occurred, resulting in the computer device being remotely attacked, such as the computer device being remotely controlled by the attacker or the data in the computer device being stolen by the attacker.

发明内容Summary of the Invention

本申请提供了一种应用程序处理方法及装置、攻击防御系统。The present application provides an application processing method and device, and an attack defense system.

第一方面,提供了一种应用程序处理方法。该方法包括:计算机设备监控该计算机设备上运行的样本程序是否加载网络动态链接库。该网络动态链接库用于支持应用程序进行网络通信。该网络动态链接库中包括一个或多个网络连接函数。响应于监控到该样本程序加载该网络动态链接库,计算机设备判断目标内存块是否满足shellcode运行条件,目标内存块是该样本程序中用于加载该网络动态链接库的运行代码所在的内存块。如果目标内存块满足shellcode运行条件,计算机设备对该样本程序执行恶意程序处理流程。其中,恶意程序处理流程包括:在该样本程序调用成功该网络动态链接库中的网络连接函数之前终止执行该样本程序。目标内存块满足shellcode运行条件,也即是,目标内存块中的运行代码为shellcode。In a first aspect, a method for processing an application is provided. The method includes: a computer device monitors whether a sample program running on the computer device loads a network dynamic link library. The network dynamic link library is used to support network communication of the application. The network dynamic link library includes one or more network connection functions. In response to monitoring that the sample program loads the network dynamic link library, the computer device determines whether a target memory block meets the shellcode running condition, where the target memory block is the memory block where the running code for loading the network dynamic link library is located in the sample program. If the target memory block meets the shellcode running condition, the computer device executes a malicious program processing flow for the sample program. The malicious program processing flow includes: terminating the execution of the sample program before the sample program successfully calls the network connection function in the network dynamic link library. The target memory block meets the shellcode running condition, that is, the running code in the target memory block is shellcode.

本申请中,计算机设备在确定样本程序中存在shellcode正在运行的情况下,将该样本程序作为恶意程序进行处理,使得该样本程序在调用成功网络动态链接库中的网络连接函数之前被终止执行,以避免该应用程序连接上远程服务器,从而能够避免计算机设备被攻击者通过远程服务器控制,或者计算机设备的内部数据被攻击者通过远程服务器窃取,实现对计算机设备的保护。In the present application, when a computer device determines that shellcode is running in a sample program, the sample program is treated as a malicious program, so that the sample program is terminated before the network connection function in the network dynamic link library is successfully called, so as to prevent the application from connecting to the remote server, thereby preventing the computer device from being controlled by an attacker through the remote server, or the internal data of the computer device from being stolen by an attacker through the remote server, thereby achieving protection for the computer device.

可选地,当目标内存块满足以下多个条件中的任一条件时,确定目标内存块满足shellcode运行条件。该多个条件包括:目标内存块的大小等于计算机设备的操作系统中的内存页大小;目标内存块具有私有权限、可写权限和可执行权限;目标内存块中包含可移动可执行(portable executable,PE)文件的格式头(或者,目标内存块中包含完整的PE文件)。Optionally, the target memory block is determined to meet the shellcode execution condition when the target memory block meets any one of the following conditions. The conditions include: the size of the target memory block is equal to the memory page size in the operating system of the computer device; the target memory block has private permission, writable permission, and executable permission; and the target memory block contains a format header of a portable executable (PE) file (or the target memory block contains a complete PE file).

可选地,计算机设备监控计算机设备上运行的样本程序是否加载网络动态链接库的一种实现方式,包括:计算机设备通过第一钩子函数挂钩计算机设备的操作系统中的动态库加载函数,以监控样本程序是否加载网络动态链接库,动态库加载函数用于加载网络动态链接库。Optionally, an implementation method for a computer device to monitor whether a sample program running on the computer device loads a network dynamic link library includes: the computer device hooks a dynamic library loading function in the operating system of the computer device through a first hook function to monitor whether the sample program loads the network dynamic link library, and the dynamic library loading function is used to load the network dynamic link library.

本申请中,计算机设备采用挂钩(hook)技术来监控运行的样本程序是否加载网络动态链接库。In this application, the computer device uses hook technology to monitor whether the running sample program loads the network dynamic link library.

可选地,第一钩子函数为样本程序中的用户态钩子函数,第一钩子函数是在样本程序启动后注入至样本程序中的。或者,第一钩子函数为计算机设备的内核中的内核态钩子函数。Optionally, the first hook function is a user-mode hook function in the sample program, and the first hook function is injected into the sample program after the sample program is started. Alternatively, the first hook function is a kernel-mode hook function in the kernel of the computer device.

本申请中,计算机设备采用用户态hook技术来监控运行的样本程序是否加载网络动态链接库,或者采用内核态hook技术来监控运行的样本程序是否加载网络动态链接库。In this application, the computer device uses user-mode hook technology to monitor whether the running sample program loads the network dynamic link library, or uses kernel-mode hook technology to monitor whether the running sample program loads the network dynamic link library.

可选地,计算机设备对样本程序执行恶意程序处理流程,包括:计算机设备获取该样本程序尝试调用网络动态链接库中的网络连接函数时提供的网络连接参数,并在该样本程序调用成功网络动态链接库中的网络连接函数之前终止执行样本程序。该网络连接参数包括样本程序尝试连接的远程服务器的网络地址信息。Optionally, the computer device executes a malicious program processing process on the sample program, including: obtaining network connection parameters provided by the sample program when the sample program attempts to call a network connection function in a network dynamic link library, and terminating execution of the sample program before the sample program successfully calls the network connection function in the network dynamic link library. The network connection parameters include network address information of a remote server that the sample program attempts to connect to.

本申请通过在计算机设备中的恶意程序未发生实质的恶意行为之前获取攻击者的控制设施的网络地址信息,有助于针对攻击者通过该控制设施实施的网络攻击进行安全防护。This application helps to provide security protection against network attacks carried out by the attacker through the control facility by obtaining the network address information of the attacker's control facility before the malicious program in the computer device commits any actual malicious behavior.

可选地,计算机设备获取样本程序尝试调用网络动态链接库中的网络连接函数时提供的网络连接参数的一种实现方式,包括:计算机设备暂停执行该样本程序,并在暂停期间通过第二钩子函数挂钩网络动态链接库中的网络连接函数。计算机设备在通过第二钩子函数对网络动态链接库中的网络连接函数挂钩完成之后,恢复执行该样本程序。响应于样本程序调用网络动态链接库中的网络连接函数,计算机设备通过第二钩子函数获取样本程序调用网络连接函数时提供的网络连接参数。Optionally, one implementation of a computer device obtaining network connection parameters provided by a sample program when attempting to call a network connection function in a network dynamic link library includes: the computer device suspending execution of the sample program and, during the suspension period, hooking the network connection function in the network dynamic link library using a second hook function. After the computer device completes hooking the network connection function in the network dynamic link library using the second hook function, it resumes execution of the sample program. In response to the sample program calling the network connection function in the network dynamic link library, the computer device obtains, through the second hook function, the network connection parameters provided by the sample program when calling the network connection function.

本申请中,计算机设备采用hook技术来获取该样本程序提供的网络连接参数,无需查询该样本程序的配置文件,针对无文件攻击场景也能获取攻击者的控制设施的网络地址信息,可实现性高同时能够覆盖更多的攻击场景。In this application, the computer device uses hook technology to obtain the network connection parameters provided by the sample program without querying the configuration file of the sample program. The network address information of the attacker's control facility can also be obtained for fileless attack scenarios. It is highly feasible and can cover more attack scenarios.

可选地,第二钩子函数为样本程序中的用户态钩子函数,第二钩子函数是在样本程序启动后注入至样本程序中的。或者,第二钩子函数为计算机设备的内核中的内核态钩子函数。Optionally, the second hook function is a user-mode hook function in the sample program, and the second hook function is injected into the sample program after the sample program is started. Alternatively, the second hook function is a kernel-mode hook function in the kernel of the computer device.

可选地,计算机设备还向部署于计算机设备与远程服务器之间的防护设备发送该远程服务器的网络地址信息,该远程服务器的网络地址信息用于防护设备拦截来自该远程服务器的流量和/或发往该远程服务器的流量。Optionally, the computer device also sends the network address information of the remote server to a protection device deployed between the computer device and the remote server, and the network address information of the remote server is used by the protection device to intercept traffic from and/or traffic to the remote server.

本申请中,计算机设备向防护设备提供被确定为攻击者的控制设施的远程服务器的网络地址信息,防护设备通过拦截受保护网络向该远程服务器发送的流量,能够避免受保护网络内的计算机设备中的数据被窃取。防护设备通过拦截该远程服务器向受保护网络发送的流量,能够避免受保护网络内的计算机设备被远程控制。本申请通过计算机设备联动防护设备,实现了对攻击者的控制设施的全局封禁,从而保护受保护网络内的所有计算机设备免受攻击者的远程攻击。In this application, the computer device provides the protection device with the network address information of the remote server identified as the attacker's control facility. The protection device can prevent the data in the computer devices within the protected network from being stolen by intercepting the traffic sent from the protected network to the remote server. The protection device can prevent the computer devices within the protected network from being remotely controlled by intercepting the traffic sent from the remote server to the protected network. This application realizes the global ban of the attacker's control facility by linking the computer device with the protection device, thereby protecting all computer devices within the protected network from remote attacks by the attacker.

可选地,远程服务器的网络地址信息包括远程服务器的互联网协议(Internet Protocol,IP)地址、远程服务器的域名地址或远程服务器的端口号中的一个或多个。Optionally, the network address information of the remote server includes one or more of the Internet Protocol (IP) address of the remote server, the domain name address of the remote server, or the port number of the remote server.

可选地,上述方法由运行于计算机设备中的安全软件执行。Optionally, the above method is executed by security software running in a computer device.

第二方面,提供了一种恶意程序的处理装置。所述装置应用于计算机设备。所述装置包括多个功能模块,所述多个功能模块相互作用,实现上述第一方面及其各实施方式中的方法。所述多个功能模块可以基于软件、硬件或软件和硬件的结合实现,且所述多个功能模块可以基于具体实现进行任意组合或分割。In a second aspect, a device for processing malicious programs is provided. The device is applied to a computer device. The device includes multiple functional modules that interact with each other to implement the method of the first aspect and its respective embodiments. The multiple functional modules can be implemented based on software, hardware, or a combination of software and hardware, and the multiple functional modules can be arbitrarily combined or divided based on the specific implementation.

第三方面,提供了一种计算机设备,包括:存储器、网络接口和至少一个处理器。所述存储器用于存储程序指令,所述至少一个处理器读取所述存储器中保存的程序指令后,使得所述计算机设备执行上述第一方面及其各实施方式中的方法。In a third aspect, a computer device is provided, comprising: a memory, a network interface, and at least one processor. The memory is configured to store program instructions, and the at least one processor reads the program instructions stored in the memory, thereby causing the computer device to execute the method of the first aspect and its respective embodiments.

第四方面,提供了一种攻击防御系统,包括:计算机设备和防护设备,所述计算机设备位于所述防护设备所保护的受保护网络内。其中,计算机设备用于执行上述第一方面及其各实施方式中的方法。In a fourth aspect, an attack defense system is provided, comprising: a computer device and a protection device, wherein the computer device is located within a protected network protected by the protection device, wherein the computer device is configured to execute the method of the first aspect and its respective embodiments.

举例来说,计算机设备用于监控该计算机设备上运行的样本程序是否加载网络动态链接库,该网络动态链接库用于支持应用程序进行网络通信,该网络动态链接库中包括一个或多个网络连接函数。计算机设备还用于响应于监控到该样本程序加载该网络动态链接库,判断目标内存块是否满足shellcode运行条件,目标内存块是该样本程序中用于加载该网络动态链接库的运行代码所在的内存块;以及,如果目标内存块满足该shellcode运行条件,对该样本程序执行恶意程序处理流程,其中,恶意程序处理流程包括:获取该样本程序尝试调用该网络动态链接库中的网络连接函数时提供的网络连接参数,并在该样本程序调用成功该网络动态链接库中的网络连接函数之前终止执行该样本程序,网络连接参数包括该样本程序尝试连接的远程服务器的网络地址信息。计算机设备还用于向防护设备发送该远程服务器的网络地址信息。防护设备用于根据该远程服务器的网络地址信息拦截来自该远程服务器的流量和/或发往该远程服务器的流量。For example, a computer device is configured to monitor whether a sample program running on the computer device loads a network dynamic link library (DLL), which is used to support network communication for applications and includes one or more network connection functions. The computer device is further configured to, in response to monitoring the sample program loading the DLL, determine whether a target memory block meets a shellcode execution condition, where the target memory block is the memory block containing the execution code in the sample program used to load the DLL. If the target memory block meets the shellcode execution condition, execute a malicious program processing flow on the sample program. The malicious program processing flow includes obtaining network connection parameters provided by the sample program when attempting to call a network connection function in the DLL, and terminating execution of the sample program before the sample program successfully calls the network connection function in the DLL. The network connection parameters include network address information of a remote server that the sample program attempts to connect to. The computer device is further configured to transmit the remote server's network address information to a protection device. The protection device is configured to intercept traffic from and/or to the remote server based on the remote server's network address information.

可选地,该攻击防御系统还包括云安全服务器。计算机设备和/或防护设备还用于向云安全服务器发送该远程服务器的网络地址信息。云安全服务器用于汇总从各个来源收集到的远程服务器(恶意服务器)的网络地址信息。可选地,云安全服务器还用于按照订阅需求,向订阅方提供攻击者画像,攻击者画像包括但不限于恶意服务器的网络地址信息和/或攻击行为特征。Optionally, the attack defense system further includes a cloud security server. The computer device and/or the protection device is further configured to send the network address information of the remote server to the cloud security server. The cloud security server is configured to aggregate the network address information of remote servers (malicious servers) collected from various sources. Optionally, the cloud security server is further configured to provide the subscriber with an attacker profile based on subscription requirements. The attacker profile includes, but is not limited to, the malicious server's network address information and/or attack behavior characteristics.

第五方面,提供了一种攻击防御系统,包括:计算机设备和云安全服务器。其中,计算机设备用于执行上述第一方面及其各实施方式中的方法。In a fifth aspect, an attack defense system is provided, comprising: a computer device and a cloud security server, wherein the computer device is configured to execute the method of the first aspect and its respective embodiments.

举例来说,计算机设备用于监控该计算机设备上运行的样本程序是否加载网络动态链接库,该网络动态链接库用于支持应用程序进行网络通信,该网络动态链接库中包括一个或多个网络连接函数。计算机设备还用于响应于监控到该样本程序加载该网络动态链接库,判断目标内存块是否满足shellcode运行条件,目标内存块是该样本程序中用于加载该网络动态链接库的运行代码所在的内存块;以及,如果目标内存块满足该shellcode运行条件,对该样本程序执行恶意程序处理流程,其中,恶意程序处理流程包括:获取该样本程序尝试调用该网络动态链接库中的网络连接函数时提供的网络连接参数,并在该样本程序调用成功该网络动态链接库中的网络连接函数之前终止执行该样本程序,网络连接参数包括该样本程序尝试连接的远程服务器的网络地址信息。计算机设备还用于向云安全服务器发送该远程服务器的网络地址信息。云安全服务器用于汇总从各个来源收集到的远程服务器(即恶意服务器)的网络地址信息。可选地,云安全服务器还用于按照订阅需求,向订阅方提供攻击组织画像,攻击组织画像包括但不限于恶意服务器的网络地址信息和/或攻击行为特征。For example, a computer device is used to monitor whether a sample program running on the computer device loads a network dynamic link library, which is used to support network communication for applications and includes one or more network connection functions. The computer device is also used to, in response to monitoring the sample program loading the network dynamic link library, determine whether a target memory block meets the shellcode execution condition, where the target memory block is the memory block where the execution code used to load the network dynamic link library in the sample program is located; and if the target memory block meets the shellcode execution condition, execute a malicious program processing flow on the sample program, wherein the malicious program processing flow includes: obtaining network connection parameters provided when the sample program attempts to call a network connection function in the network dynamic link library, and terminating execution of the sample program before the sample program successfully calls the network connection function in the network dynamic link library, wherein the network connection parameters include network address information of a remote server that the sample program attempts to connect to. The computer device is also used to send the network address information of the remote server to a cloud security server. The cloud security server is used to aggregate the network address information of remote servers (i.e., malicious servers) collected from various sources. Optionally, the cloud security server is also used to provide the subscriber with an attack organization portrait according to subscription requirements. The attack organization portrait includes but is not limited to the network address information and/or attack behavior characteristics of the malicious server.

可选地,该攻击防御系统还包括防护设备,计算机设备位于该防护设备所保护的受保护网络内。计算机设备和/或云安全服务器还用于向该防护设备发送该远程服务器的网络地址信息。防护设备用于根据该远程服务器的网络地址信息拦截来自该远程服务器的流量和/或发往该远程服务器的流量。Optionally, the attack defense system further includes a protection device, wherein the computer device is located within a protected network protected by the protection device. The computer device and/or the cloud security server is further configured to send the network address information of the remote server to the protection device. The protection device is configured to intercept traffic from and/or traffic destined for the remote server based on the network address information of the remote server.

第六方面,提供了一种计算机可读存储介质,所述计算机可读存储介质上存储有指令,当所述指令被处理器执行时,实现上述第一方面及其各实施方式中的方法。In a sixth aspect, a computer-readable storage medium is provided, on which instructions are stored. When the instructions are executed by a processor, the method in the above-mentioned first aspect and its various embodiments is implemented.

第七方面,提供了一种计算机程序产品,包括计算机程序,所述计算机程序被处理器执行时,实现上述第一方面及其各实施方式中的方法。In a seventh aspect, a computer program product is provided, comprising a computer program, which, when executed by a processor, implements the method in the above-mentioned first aspect and its various embodiments.

第八方面,提供了一种芯片,芯片包括可编程逻辑电路和/或程序指令,当芯片运行时,实现上述第一方面及其各实施方式中的方法。In an eighth aspect, a chip is provided, which includes a programmable logic circuit and/or program instructions. When the chip is running, it implements the method in the above-mentioned first aspect and its various embodiments.

附图说明BRIEF DESCRIPTION OF THE DRAWINGS

图1是本申请实施例提供的一种实施场景示意图;FIG1 is a schematic diagram of an implementation scenario provided by an embodiment of the present application;

图2是本申请实施例提供的一种计算机设备的硬件结构示意图;FIG2 is a schematic diagram of the hardware structure of a computer device provided in an embodiment of the present application;

图3是本申请实施例提供的一种防护设备的硬件结构示意图;FIG3 is a schematic diagram of the hardware structure of a protective device provided in an embodiment of the present application;

图4是本申请实施例提供的一种应用程序处理方法的流程示意图;FIG4 is a flow chart of an application processing method provided in an embodiment of the present application;

图5是本申请实施例提供的一种应用程序处理装置的结构示意图。FIG5 is a schematic structural diagram of an application processing device provided in an embodiment of the present application.

具体实施方式DETAILED DESCRIPTION

为使本申请的目的、技术方案和优点更加清楚,下面将结合附图对本申请实施方式作进一步地详细描述。In order to make the objectives, technical solutions and advantages of this application clearer, the implementation methods of this application will be further described in detail below with reference to the accompanying drawings.

Shellcode作为一段用于利用软件漏洞而执行的机器代码,常被用作对计算机系统进行恶意攻击。比如在第一种攻击场景中,攻击者实施高级威胁或无文件攻击,不会直接提供放置有真正的恶意功能的恶意程序,而是将shellcode作为恶意程序注入到计算机设备中,通过在计算机设备上运行shellcode,从网络上拉取全功能的加密形式的动态链接库(dynamic link library,DLL)到计算机设备中,并在计算机设备中对加密形式的动态链接库进行解密,然后将解密后的动态链接库加载到计算机设备的内存中并执行动态链接库中的函数,以实现对计算机设备的攻击。又比如在第二种攻击场景中,攻击者将全功能的加密形式的动态链接库存放在恶意程序的本地目录或自身的资源段中,然后将shellcode作为恶意程序连同存放有全功能的加密形式的动态链接库的文件一起注入到计算机设备中,通过在计算机设备上运行shellcode,对注入到计算机设备中的加密形式的动态链接库进行解密,然后将解密后的动态链接库加载到计算机设备的内存中并执行动态链接库中的函数,以实现对计算机设备的攻击。其中,解密后的动态链接库为真正的攻击载荷(payload)。Shellcode, a piece of machine code executed to exploit software vulnerabilities, is often used to launch malicious attacks against computer systems. For example, in the first attack scenario, attackers implementing advanced threat or fileless attacks do not directly provide a malicious program with actual malicious functionality. Instead, they inject shellcode into a computer device as a malicious program. By running the shellcode on the computer device, the attacker retrieves a fully functional encrypted dynamic link library (DLL) from the network and decrypts the encrypted DLL. The decrypted DLL is then loaded into the computer device's memory and the functions within it are executed, thereby attacking the computer device. For another example, in the second attack scenario, the attacker stores the fully functional encrypted DLL in the malicious program's local directory or its own resource segment. The attacker then injects the shellcode into the computer device along with the file containing the fully functional encrypted DLL. By running the shellcode on the computer device, the attacker decrypts the injected encrypted DLL, then loads the decrypted DLL into the computer device's memory and executes the functions within the DLL, thereby attacking the computer device. Among them, the decrypted dynamic link library is the real attack payload.

由于采用相关技术提供的内存扫描技术时,只有在shellcode已经将攻击载荷加载到计算机设备的内存中后才能识别到计算机设备中存在恶意程序正在运行,然而在识别出恶意程序之前,shellcode很有可能已经运行了攻击载荷,导致计算机设备已经受到远程攻击,比如计算机设备已经被攻击者远程控制,或者计算机设备中的数据已经被攻击者窃取。When using the memory scanning technology provided by the related technology, it can be identified that a malicious program is running in the computer device only after the shellcode has loaded the attack payload into the memory of the computer device. However, before the malicious program is identified, the shellcode may have already run the attack payload, causing the computer device to be remotely attacked, such as the computer device has been remotely controlled by the attacker, or the data in the computer device has been stolen by the attacker.

基于此,本申请提供了一种技术方案,通过对计算机设备上运行的应用程序进行实时监控和分析处理,以判定该应用程序是否为包含shellcode的恶意程序,或者是否被注入shellcode(即被恶意程序感染),并在恶意程序发生实质的恶意行为之前终止执行该恶意程序,从而保证计算机系统的安全。本申请技术方案具体如下,由计算机设备监控该计算机设备上运行的应用程序是否加载网络动态链接库,该网络动态链接库用于支持应用程序进行网络通信。响应于监控到该应用程序加载网络动态链接库,计算机设备判断该应用程序中用于加载该网络动态链接库的运行代码所在的内存块是否满足shellcode运行条件。如果该内存块满足该shellcode运行条件,则计算机设备对该应用程序执行恶意程序处理流程,以在该应用程序调用成功网络动态链接库中的网络连接函数之前终止执行该应用程序。本申请通过判断应用程序中用于加载网络动态链接库的运行代码所在的内存块是否满足shellcode运行条件,来判断该内存块中的运行代码是否为shellcode,如果该运行代码为shellcode,则说明该应用程序极有可能为恶意程序,或者该应用程序极有可能已经被恶意程序感染,那么,如果该应用程序继续运行,则大概率会导致计算机设备受到恶意程序的攻击,计算机设备的安全就会受到威胁。因此,本申请在判定应用程序的内存空间中存在shellcode正在运行的情况下,将该应用程序作为恶意程序进行处理,使得该应用程序在调用成功网络动态链接库中的网络连接函数之前被终止执行,以避免该应用程序连接上远程服务器,从而能够避免计算机设备被攻击者通过远程服务器控制,或者计算机设备的内部数据被攻击者通过远程服务器窃取。Based on this, the present application provides a technical solution, which monitors and analyzes the application running on the computer device in real time to determine whether the application is a malicious program containing shellcode, or whether it is injected with shellcode (i.e., infected by a malicious program), and terminates the execution of the malicious program before the malicious program performs any substantial malicious behavior, thereby ensuring the security of the computer system. The technical solution of the present application is as follows: the computer device monitors whether the application running on the computer device loads a network dynamic link library, which is used to support the application to perform network communication. In response to monitoring that the application loads the network dynamic link library, the computer device determines whether the memory block where the running code for loading the network dynamic link library in the application meets the shellcode running conditions. If the memory block meets the shellcode running conditions, the computer device executes the malicious program processing flow for the application to terminate the execution of the application before the application successfully calls the network connection function in the network dynamic link library. The present application determines whether the running code in the memory block used to load the network dynamic link library in the application is shellcode by judging whether the memory block where the running code is located meets the shellcode running conditions. If the running code is shellcode, it means that the application is very likely to be a malicious program, or the application is very likely to have been infected by a malicious program. Then, if the application continues to run, it is likely to cause the computer device to be attacked by the malicious program, and the security of the computer device will be threatened. Therefore, when the present application determines that there is shellcode running in the memory space of the application, the application is treated as a malicious program, so that the application is terminated before the network connection function in the network dynamic link library is successfully called, so as to avoid the application from connecting to the remote server, thereby preventing the computer device from being controlled by the attacker through the remote server, or the internal data of the computer device from being stolen by the attacker through the remote server.

举例来说,针对上述第一种攻击场景,通过实施本申请方案,能够阻止shellcode连接远程服务器,从而能够避免shellcode从网络上下载全功能的加密形式的动态链接库。针对上述第二种攻击场景,通过实施本申请方案,能够阻止shellcode连接远程服务器,从而能够避免shellcode将攻击载荷加载到内存中执行后连接攻击者服务器。简单来说,通过实施本申请方案,能够识别出计算机设备上是否运行了shellcode,在识别出计算机设备上运行了shellcode之后,进一步阻止shellcode连接远程服务器,这样能够避免计算机设备受到远程服务器的攻击和控制,从而实现对计算机设备的保护。For example, for the first attack scenario mentioned above, by implementing the solution of the present application, it is possible to prevent shellcode from connecting to the remote server, thereby preventing shellcode from downloading a fully functional encrypted dynamic link library from the network. For the second attack scenario mentioned above, by implementing the solution of the present application, it is possible to prevent shellcode from connecting to the remote server, thereby preventing shellcode from loading the attack payload into the memory and then connecting to the attacker's server after execution. In short, by implementing the solution of the present application, it is possible to identify whether shellcode is running on a computer device. After identifying that shellcode is running on the computer device, it is further possible to prevent shellcode from connecting to the remote server, thereby preventing the computer device from being attacked and controlled by the remote server, thereby achieving protection for the computer device.

可选地,shellcode运行条件根据运行shellcode的内存块的特征确定。Shellcode在计算机设备中运行前,需要在计算机设备的内存中申请用于运行shellcode的内存块。由于用于运行shellcode的内存块的特征与用于运行正常的应用程序的内存块的特征存在一定的差别,内存块的特征包括但不限于内存块大小、内存块权限或内存块内容,因此本申请通过对用于运行shellcode的内存块的特征进行归纳总结,实现基于内存块大小、内存块权限或内存块内容来判断运行代码所在的内存块是否满足shellcode运行条件,即判断该运行代码是否为shellcode。具体判断方式如下,当运行代码所在的内存块的大小等于计算机设备的操作系统中的内存页大小,或者,运行代码所在的内存块具有私有权限、可写权限和可执行权限,又或者,运行代码所在的内存块中包含PE文件的格式头时,确定该运行代码所在的内存块满足shellcode运行条件。下面对基于上述三个条件的判断原理进行说明。Optionally, the shellcode running conditions are determined based on the characteristics of the memory block in which the shellcode is running. Before the shellcode is run in a computer device, it is necessary to apply for a memory block in the computer device's memory for running the shellcode. Since the characteristics of the memory block used to run the shellcode are somewhat different from the characteristics of the memory block used to run a normal application, the characteristics of the memory block include but are not limited to the memory block size, memory block permissions or memory block content. Therefore, the present application summarizes the characteristics of the memory block used to run the shellcode, and realizes the judgment based on the memory block size, memory block permissions or memory block content whether the memory block where the running code is located meets the shellcode running conditions, that is, judges whether the running code is shellcode. The specific judgment method is as follows: when the size of the memory block where the running code is located is equal to the memory page size in the operating system of the computer device, or the memory block where the running code is located has private permissions, writable permissions and executable permissions, or the memory block where the running code is located contains the format header of the PE file, it is determined that the memory block where the running code is located meets the shellcode running conditions. The judgment principle based on the above three conditions is explained below.

(1)判断条件1:当运行代码所在的内存块的大小等于计算机设备的操作系统中的内存页大小时,确定该内存块满足shellcode运行条件。操作系统中的内存页大小即操作系统中的最小内存分配单位,例如Windows操作系统中的内存页大小一般默认为4千字节(kilobyte,KB),这种情况下,上述判断条件1也即是:当运行代码所在的内存块的大小等于4KB时,确定该内存块满足shellcode运行条件。由于正常的应用程序的代码段在内存中运行时通常都会包含编译器代码,因此正常的应用程序的代码段占用的内存一般远大于操作系统中的内存页大小(如4KB),而shellcode作为一种机器代码,运行所需的内存很小,通常小于操作系统中的内存页大小(如4KB)。因此,如果运行代码所在的内存块大小等于计算机设备的操作系统中的内存页大小,那么该运行代码极有可能就是shellcode。值得说明的是,操作系统中的内存页大小可配置修改,例如Windows操作系统中的内存页大小可设置成8KB或32KB等其它数值。(1) Judgment condition 1: When the size of the memory block where the running code is located is equal to the memory page size in the operating system of the computer device, it is determined that the memory block meets the shellcode running condition. The memory page size in the operating system is the smallest memory allocation unit in the operating system. For example, the memory page size in the Windows operating system generally defaults to 4 kilobytes (KB). In this case, the above judgment condition 1 is: when the size of the memory block where the running code is located is equal to 4KB, it is determined that the memory block meets the shellcode running condition. Since the code segment of a normal application usually contains compiler code when running in memory, the memory occupied by the code segment of a normal application is generally much larger than the memory page size in the operating system (such as 4KB). Shellcode, as a machine code, requires very little memory to run, usually less than the memory page size in the operating system (such as 4KB). Therefore, if the memory block size where the running code is located is equal to the memory page size in the operating system of the computer device, then the running code is very likely to be shellcode. It is worth noting that the memory page size in the operating system can be configured and modified. For example, the memory page size in the Windows operating system can be set to other values such as 8KB or 32KB.

(2)判断条件2:当运行代码所在的内存块具有私有权限、可写权限和可执行权限时,确定该内存块满足shellcode运行条件。由于正常的应用程序的代码段所在的内存块通常只具有可读权限和可执行权限,而shellcode所在的内存块需要具有私有权限、可写权限和可执行权限,才能支持shellcode的正常运行。因此,如果运行代码所在的内存块具有私有权限、可写权限和可执行权限,那么该运行代码极有可能就是shellcode。(2) Judgment condition 2: When the memory block where the running code is located has private permissions, writable permissions, and executable permissions, it is determined that the memory block meets the shellcode running conditions. Since the memory block where the code segment of a normal application is located usually only has read permissions and executable permissions, the memory block where the shellcode is located must have private permissions, writable permissions, and executable permissions to support the normal operation of the shellcode. Therefore, if the memory block where the running code is located has private permissions, writable permissions, and executable permissions, then the running code is very likely to be shellcode.

(3)判断条件3:当运行代码所在的内存块中包含PE文件的格式头时,确定该内存块满足shellcode运行条件。由于正常的应用程序的PE文件的格式头是只读的,正常的应用程序的PE文件的代码段是可读可执行的,而同一内存块的权限是相同的,因此正常的应用程序在内存中运行时,PE文件的格式头和代码段会被加载在不同内存块中,使得PE文件的格式头和代码段具有不同的读写权限。而shellcode在计算机设备的内存中运行时,shellcode的PE文件会被完整地加载在同一内存块中,因此,如果运行代码所在的内存块中还包含PE文件的格式头,那么该运行代码极有可能就是shellcode。由于运行代码所在的内存块中必然包括PE文件的代码段,因此如果该内存块中还包含PE文件的格式头,就说明该内存块中包含完整的PE文件。相应地,上述判断条件3中“内存块中包含PE文件的格式头”,也可替换描述为:内存块中包含完整的PE文件,或者,内存块中包含PE文件的格式头和代码段。(3) Judgment condition 3: When the memory block where the running code is located contains the format header of the PE file, it is determined that the memory block meets the shellcode running condition. Since the format header of the PE file of a normal application is read-only, and the code segment of the PE file of a normal application is readable and executable, and the permissions of the same memory block are the same, when a normal application is running in the memory, the format header and code segment of the PE file will be loaded into different memory blocks, so that the format header and code segment of the PE file have different read and write permissions. When the shellcode is running in the memory of the computer device, the PE file of the shellcode will be loaded completely into the same memory block. Therefore, if the memory block where the running code is located also contains the format header of the PE file, then the running code is very likely to be shellcode. Since the memory block where the running code is located must include the code segment of the PE file, if the memory block also contains the format header of the PE file, it means that the memory block contains a complete PE file. Accordingly, in the above judgment condition 3, "the memory block contains the format header of the PE file" can also be replaced with: the memory block contains the complete PE file, or the memory block contains the format header and code segment of the PE file.

在一些实施例中,计算机设备将应用程序作为恶意程序进行处理的过程中,获取该应用程序尝试调用网络动态链接库中的网络连接函数时提供的网络连接参数,并在该应用程序调用成功网络动态链接库中的网络连接函数之前终止执行该应用程序。其中,网络连接参数包括该应用程序尝试连接的远程服务器的网络地址信息。可选地,远程服务器的网络地址信息包括该远程服务器的IP地址、该远程服务器的域名地址或该远程服务器的端口号中的一个或多个。由于应用程序在调用网络动态链接库中的网络连接函数时,会提供包含远程服务器的网络地址信息在内的网络连接参数以尝试连接该远程服务器,对于恶意程序来说,恶意程序尝试连接的远程服务器通常为攻击者的控制设施,本申请通过在计算机设备中的恶意程序未发生实质的恶意行为之前获取攻击者的控制设施的网络地址信息,有助于针对攻击者通过该控制设施实施的网络攻击进行安全防护。In some embodiments, when a computer device processes an application as a malicious program, it obtains the network connection parameters provided by the application when it attempts to call a network connection function in a network dynamic link library, and terminates the execution of the application before the application successfully calls the network connection function in the network dynamic link library. The network connection parameters include the network address information of the remote server that the application attempts to connect to. Optionally, the network address information of the remote server includes one or more of the IP address of the remote server, the domain name address of the remote server, or the port number of the remote server. Since the application provides network connection parameters including the network address information of the remote server when calling the network connection function in the network dynamic link library to try to connect to the remote server, for a malicious program, the remote server that the malicious program attempts to connect to is usually the attacker's control facility. This application helps to provide security protection against network attacks carried out by the attacker through the control facility by obtaining the network address information of the attacker's control facility before the malicious program in the computer device commits any substantial malicious behavior.

在一些实施例中,计算机设备位于防护设备所保护的受保护网络内,即计算机设备与远程服务器之间部署有防护设备。计算机设备在获取远程服务器的网络地址信息之后,向部署于该计算机设备与该远程服务器之间的防护设备发送该远程服务器的网络地址信息。防护设备根据该远程服务器的网络地址信息拦截来自该远程服务器的流量和/或发往该远程服务器的流量。防护设备通过拦截受保护网络向远程服务器发送的流量,能够避免受保护网络内的计算机设备中的数据被窃取。防护设备通过拦截远程服务器向受保护网络发送的流量,能够避免受保护网络内的计算机设备被远程控制。本申请通过计算机设备联动防护设备,实现了对攻击者的控制设施的全局封禁,从而保护受保护网络内的计算机设备免受攻击者的远程攻击。或者,计算机设备在获取远程服务器的网络地址信息之后,也可以输出该远程服务器的网络地址信息,由安全运维人员通过手动配置的方式向防护设备输入该远程服务器的网络地址信息,以供防护设备对该远程服务器的发送流量和/或接收流量(统称为攻击流量)进行拦截。本申请对防护设备获取计算机设备采集到的远程服务器的网络地址信息的方式不做限定。In some embodiments, the computer device is located in a protected network protected by a protective device, that is, a protective device is deployed between the computer device and the remote server. After obtaining the network address information of the remote server, the computer device sends the network address information of the remote server to the protective device deployed between the computer device and the remote server. The protective device intercepts the traffic from the remote server and/or the traffic sent to the remote server based on the network address information of the remote server. By intercepting the traffic sent from the protected network to the remote server, the protective device can prevent the data in the computer device in the protected network from being stolen. By intercepting the traffic sent from the remote server to the protected network, the protective device can prevent the computer device in the protected network from being remotely controlled. The present application realizes a global ban on the attacker's control facilities by linking the computer device with the protective device, thereby protecting the computer devices in the protected network from remote attacks by the attacker. Alternatively, after obtaining the network address information of the remote server, the computer device can also output the network address information of the remote server, and the security operation and maintenance personnel can input the network address information of the remote server into the protective device through manual configuration, so that the protective device can intercept the sending traffic and/or receiving traffic (collectively referred to as attack traffic) of the remote server. This application does not limit the manner in which the protection device obtains the network address information of the remote server collected by the computer device.

下面从实施场景、硬件装置、方法流程、软件装置、系统等多个角度,对本申请技术方案进行详细介绍。The following is a detailed introduction to the technical solution of this application from multiple perspectives, including implementation scenarios, hardware devices, method flows, software devices, and systems.

下面对本申请实施例的实施场景举例说明。The following is an example of an implementation scenario of the embodiment of the present application.

本申请实施例提供的应用程序处理方法能够应用于可能受到基于shellcode实施的远程攻击的各种计算机设备。计算机设备例如为安装有Windows操作系统的终端设备,计算机设备包括但不限于服务器、主机、个人计算机、手机或者工作站。Windows操作系统包括但不限于WindowsXP、WindowsServer2003、Windows7、Windows8或Windows10。The application processing methods provided in the embodiments of the present application can be applied to various computer devices that may be vulnerable to remote attacks based on shellcode. For example, the computer device is a terminal device installed with a Windows operating system, including but not limited to a server, host, personal computer, mobile phone, or workstation. Windows operating systems include but are not limited to Windows XP, Windows Server 2003, Windows 7, Windows 8, or Windows 10.

本申请实施例能够应对基于shellcode实施的多种远程攻击场景,比如能够应对使用shellcode的商业远程控制,商业远程控制家族包括但不限于CobaltStrike,MeterPreter,Gh0stRat,Silver,Brute Ratel C4。又比如能够应对使用shellcode的无文件木马攻击,无文件木马家族包括但不限于Icedid,Emotet,Ursnif。Embodiments of the present application can handle various shellcode-based remote attack scenarios, such as commercial remote control systems that use shellcode, including but not limited to CobaltStrike, MeterPreter, Gh0stRat, Silver, and Brute Ratel C4. Another example is fileless Trojan attacks that use shellcode, including but not limited to Icedid, Emotet, and Ursnif.

可选地,本申请实施例中的计算机设备位于防护设备所保护的受保护网络内,即计算机设备为受保护设备。例如,图1是本申请实施例提供的一种实施场景示意图。如图1所示,该实施场景主要涉及三类设备,这三类设备分别是防护设备、计算机设备和远程服务器。下面对这三类设备分别举例说明。Optionally, the computer device in the embodiments of the present application is located within a protected network protected by a protective device, i.e., the computer device is a protected device. For example, Figure 1 is a schematic diagram of an implementation scenario provided by an embodiment of the present application. As shown in Figure 1, this implementation scenario primarily involves three types of devices: a protective device, a computer device, and a remote server. The following provides examples of each of these three types of devices.

(1)防护设备(1) Protective equipment

防护设备部署于外部网络(如互联网)与受保护网络之间,例如防护设备通常部署在受保护网络的边界,用于保护受保护网络中的计算机设备免受外部网络的攻击。防护设备能够对出入受保护网络的流量进行安全过滤,阻断攻击流量从而保证受保护网络内的计算机设备的安全性,同时放行正常流量从而保证受保护网络内的计算机设备能够与外部网络正常通信。防护设备包括但不限于防火墙、安全网关(如路由器或交换机)、入侵检测系统(intrusion detection system,IDS)类设备、入侵防御系统(intrusion prevention system,IPS)类设备、统一威胁管理(unified threat management,UTM)设备、AV设备、抗分布式拒绝服务攻击(anti-DDoS)设备、下一代防火墙(next generation firewall,NGFW)中一项或多项的集成。Protection devices are deployed between external networks (such as the Internet) and protected networks. For example, protection devices are typically deployed at the boundaries of protected networks to protect computer devices within the protected network from attacks from external networks. Protection devices can securely filter traffic entering and leaving the protected network, blocking attack traffic to ensure the security of computer devices within the protected network, while allowing normal traffic to ensure that computer devices within the protected network can communicate normally with the external network. Protection devices include, but are not limited to, firewalls, security gateways (such as routers or switches), intrusion detection systems (IDS) devices, intrusion prevention systems (IPS) devices, unified threat management (UTM) devices, AV devices, anti-distributed denial of service (anti-DDoS) devices, and next-generation firewalls (NGFWs), integrated with one or more of these.

(2)计算机设备(2) Computer equipment

计算机设备为位于受保护网络中的受保护设备。从计算机设备的角度来看,计算机设备所在的受保护网络为内部网络,互联网为外部网络。可选地,计算机设备为受保护的服务器,用于向受保护网络和互联网中的正常客户端(图中未示出)提供服务。比如计算机设备包括但不限于应用服务器或网页服务器。其中,应用服务器包括但不限于游戏服务器、视频应用服务器、文件服务器、搜索引擎服务器、即时通信服务器等等。网页服务器也称万维网(world wide web,web)服务器或者网站服务器。The computer device is a protected device located in a protected network. From the perspective of the computer device, the protected network in which the computer device is located is an internal network, and the Internet is an external network. Optionally, the computer device is a protected server that provides services to normal clients (not shown in the figure) in the protected network and the Internet. For example, computer devices include but are not limited to application servers or web servers. Among them, application servers include but are not limited to game servers, video application servers, file servers, search engine servers, instant messaging servers, etc. Web servers are also called World Wide Web (web) servers or website servers.

(3)远程服务器(3) Remote Server

远程服务器是攻击者实施远程攻击的控制设施。可选地,远程服务器位于外部网络(如互联网)中,即攻击者通过远程服务器从外部网络向受保护网络中的计算机设备发起远程攻击。远程服务器例如为指挥与控制(command and control,CC)服务器,它的作用是为网络攻击、黑客活动或其他违法行为提供支持。CC服务器的特点是高可控性和可配置性,能够与恶意程序通信,从而对被感染的计算机设备进行远程控制和操作。A remote server is a control facility used by attackers to launch remote attacks. Optionally, the remote server is located on an external network (such as the internet), allowing attackers to launch remote attacks from the external network to computers within the protected network. Remote servers, for example, are command and control (CC) servers, which support cyberattacks, hacker activities, or other illegal activities. CC servers are characterized by high controllability and configurability, and can communicate with malicious programs to remotely control and operate infected computers.

可选地,请继续参见图1,该实施场景还涉及云安全服务器。云安全服务器与计算机设备通信连接,以接收计算机设备发送的恶意服务器的网络地址信息;和/或,云安全服务器与防护设备通信连接,以接收防护设备发送的恶意服务器的网络地址信息(图1中以云安全服务器与计算机设备通信连接为例)。可选地,云安全服务器用于收集和汇总从各个来源收集到的恶意服务器的网络地址信息,进一步还用于按照订阅需求,向订阅方提供攻击组织画像。攻击组织画像包括但不限于恶意服务器的网络地址信息和/或攻击行为特征。Optionally, please continue to refer to Figure 1. This implementation scenario also involves a cloud security server. The cloud security server is communicatively connected to a computer device to receive the network address information of a malicious server sent by the computer device; and/or, the cloud security server is communicatively connected to a protective device to receive the network address information of a malicious server sent by the protective device (Figure 1 takes the communication connection between the cloud security server and the computer device as an example). Optionally, the cloud security server is used to collect and aggregate the network address information of malicious servers collected from various sources, and is further used to provide attack organization portraits to subscribers according to subscription requirements. Attack organization portraits include but are not limited to network address information of malicious servers and/or attack behavior characteristics.

下面对本申请实施例涉及的基本硬件结构举例说明。The following is an example of the basic hardware structure involved in the embodiments of the present application.

例如,图2是本申请实施例提供的一种计算机设备的硬件结构示意图。如图2所示,计算机设备200包括处理器201和存储器202,处理器201与存储器202通过总线203连接。图2以处理器201和存储器202相互独立说明。可选地,处理器201和存储器202集成在一起。可选地,结合图1来看,图2示出的计算机设备200是图1示出的实施场景中的任一计算机设备。For example, Figure 2 is a schematic diagram of the hardware structure of a computer device provided in an embodiment of the present application. As shown in Figure 2, computer device 200 includes a processor 201 and a memory 202, and processor 201 and memory 202 are connected via a bus 203. Figure 2 illustrates processor 201 and memory 202 as independent of each other. Optionally, processor 201 and memory 202 are integrated together. Optionally, in conjunction with Figure 1, computer device 200 shown in Figure 2 is any computer device in the implementation scenario shown in Figure 1.

其中,存储器202用于存储计算机程序,计算机程序包括操作系统和程序代码。可选地,该操作系统为Windows操作系统。存储器202是各种类型的存储介质,例如只读存储器(read-only memory,ROM)、随机存取存储器(random access memory,RAM)、电可擦可编程只读存储器(electrically erasable programmable read-only Memory,EEPROM)、只读光盘(compact disc read-only memory,CD-ROM)、闪存、光存储器、寄存器、光盘存储、光碟存储、磁盘或者其它磁存储设备。Memory 202 is used to store computer programs, including an operating system and program code. Optionally, the operating system is a Windows operating system. Memory 202 is a storage medium of various types, such as read-only memory (ROM), random access memory (RAM), electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM), flash memory, optical memory, register, optical disk storage, optical disc storage, magnetic disk, or other magnetic storage device.

其中,处理器201是通用处理器或专用处理器。处理器201可能是单核处理器或多核处理器。处理器201包括至少一个电路,以执行本申请实施例提供的应用程序处理方法。The processor 201 is a general-purpose processor or a dedicated processor. The processor 201 may be a single-core processor or a multi-core processor. The processor 201 includes at least one circuit to execute the application processing method provided in the embodiment of the present application.

可选地,计算机设备200还包括网络接口204,网络接口204通过总线203与处理器201和存储器202连接。网络接口204能够实现计算机设备200与其它设备通信。Optionally, the computer device 200 further includes a network interface 204, which is connected to the processor 201 and the memory 202 via the bus 203. The network interface 204 enables the computer device 200 to communicate with other devices.

可选地,计算机设备200还包括输入/输出(input/output,I/O)接口205,I/O接口205通过总线203与处理器201和存储器202连接。处理器201能够通过I/O接口205接收输入的命令或数据等。I/O接口205用于计算机设备200连接输入设备,这些输入设备例如是键盘、鼠标等。可选地,在一些可能的场景中,上述网络接口204和I/O接口205被统称为通信接口。Optionally, computer device 200 further includes an input/output (I/O) interface 205, which is connected to processor 201 and memory 202 via bus 203. Processor 201 can receive input commands or data through I/O interface 205. I/O interface 205 is used to connect computer device 200 to input devices, such as a keyboard and a mouse. Optionally, in some possible scenarios, the network interface 204 and I/O interface 205 are collectively referred to as a communication interface.

可选地,计算机设备200还包括显示器206,显示器206通过总线203与处理器201和存储器202连接。显示器206能够用于显示处理器201执行本申请实施例提供的应用程序处理方法所产生的中间结果和/或最终结果等,比如远程服务器的网络地址信息等。在一种可能的实现方式中,显示器206是触控显示屏,以提供人机交互接口。Optionally, the computer device 200 further includes a display 206, which is connected to the processor 201 and the memory 202 via the bus 203. The display 206 can be used to display intermediate results and/or final results generated by the processor 201 executing the application processing method provided in the embodiments of the present application, such as network address information of a remote server. In one possible implementation, the display 206 is a touch screen display to provide a human-computer interaction interface.

其中,总线203是任何类型的,用于实现计算机设备200的内部器件互连的通信总线。例如系统总线。本申请实施例以计算机设备200内部的上述器件通过总线203互连为例说明,可选地,计算机设备200内部的上述器件采用除了总线203之外的其他连接方式彼此通信连接,例如计算机设备200内部的上述器件通过计算机设备200内部的逻辑接口互连。The bus 203 is any type of communication bus for interconnecting the internal components of the computer device 200, such as a system bus. The embodiments of the present application illustrate the example of interconnecting the aforementioned components within the computer device 200 via the bus 203. Alternatively, the aforementioned components within the computer device 200 may be communicatively connected to each other using other connection methods besides the bus 203, such as interconnecting the aforementioned components within the computer device 200 via a logical interface within the computer device 200.

上述器件可以分别设置在彼此独立的芯片上,也可以至少部分的或者全部的设置在同一块芯片上。将各个器件独立设置在不同的芯片上,还是整合设置在一个或者多个芯片上,往往取决于产品设计的需要。本申请实施例对上述器件的具体实现形式不做限定。The above-mentioned devices can be provided on separate chips, or at least partially or entirely on the same chip. Whether to provide each device independently on different chips or to integrate them on one or more chips often depends on the product design requirements. The embodiments of this application do not limit the specific implementation of the above-mentioned devices.

图2所示的计算机设备200仅仅是示例性的,在实现过程中,计算机设备200包括其他组件,本文不再一一列举。图2所示的计算机设备200可以通过执行本申请实施例提供的数据备份方法的全部或部分步骤来实现对恶意程序的处理。The computer device 200 shown in FIG2 is merely exemplary. During implementation, the computer device 200 includes other components, which are not listed here. The computer device 200 shown in FIG2 can process malicious programs by executing all or part of the steps of the data backup method provided in the embodiment of the present application.

例如,图3是本申请实施例提供的一种防护设备的硬件结构示意图。如图3所示,防护设备300包括中央处理器(central processing unit,CPU)301、专用硬件芯片302和至少一个网络接口303。其中,CPU 301和专用硬件芯片302可统称为处理器。可选地,结合图1来看,图3示出的防护设备300是图1示出的实施场景中的防护设备。For example, Figure 3 is a schematic diagram of the hardware structure of a protection device provided in an embodiment of the present application. As shown in Figure 3, protection device 300 includes a central processing unit (CPU) 301, a dedicated hardware chip 302, and at least one network interface 303. CPU 301 and dedicated hardware chip 302 may be collectively referred to as a processor. Optionally, in conjunction with Figure 1, protection device 300 shown in Figure 3 is the protection device in the implementation scenario shown in Figure 1.

CPU 301是指通用的中央处理器,其扩展性和灵活性较高。CPU 301例如是一个单核处理器(single-CPU),又如是一个多核处理器(multi-CPU)。CPU 301 is a general-purpose central processing unit (CPU) with high scalability and flexibility. CPU 301 may be, for example, a single-core processor (single-CPU) or a multi-core processor (multi-CPU).

专用硬件芯片302是一个高性能处理的硬件模块。专用硬件芯片302包括专用集成电路(application-specific integrated circuit,ASIC)、现场可编程逻辑门阵列(field-programmable gate array,FPGA)或者网络处理器(network processer,NP)中的至少一项。The dedicated hardware chip 302 is a high-performance processing hardware module. The dedicated hardware chip 302 includes at least one of an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a network processor (NP).

至少一个网络接口303例如包括图3中的网络接口1、网络接口2、网络接口3……网络接口n。网络接口303使用任何收发器一类的装置,用于与其它设备通信。例如,图3中的网络接口1与计算机设备通信,图3中的网络接口2与远程服务器通信。可选地,网络接口303包括有线网络接口或者无线网络接口中的至少一项。其中,有线网络接口例如为以太网接口。以太网接口例如是光接口,电接口或其组合。无线网络接口例如为无线受保护网络(wireless local area networks,WLAN)接口,蜂窝网络接口或其组合等。At least one network interface 303 includes, for example, network interface 1, network interface 2, network interface 3...network interface n in Figure 3. The network interface 303 uses any transceiver-like device to communicate with other devices. For example, the network interface 1 in Figure 3 communicates with a computer device, and the network interface 2 in Figure 3 communicates with a remote server. Optionally, the network interface 303 includes at least one of a wired network interface or a wireless network interface. The wired network interface is, for example, an Ethernet interface. The Ethernet interface is, for example, an optical interface, an electrical interface, or a combination thereof. The wireless network interface is, for example, a wireless local area network (WLAN) interface, a cellular network interface, or a combination thereof.

至少一个网络接口303与专用硬件芯片302之间,以及专用硬件芯片302与CPU 301之间通过内部连接304相连。内部连接304包括一通路,在网络接口303、专用硬件芯片302与CPU 301之间传输数据。可选的,内部连接304是单板或总线。例如,内部连接304为以太网、光纤信道(fibre channel)、PCI-E(peripheral component interconnect express,PCI Express,一种高速串行计算机总线)、RapidIO(一种高性能、低引脚数、基于数据包交换的互连体系结构)、无限带宽(InfiniBand)或XAUI总线(一个接口扩展器,特点是把以太网媒体访问控制(Media Access Control,MAC)层与物理层相连)。At least one network interface 303 is connected to the dedicated hardware chip 302, and the dedicated hardware chip 302 is connected to the CPU 301 via an internal connection 304. The internal connection 304 includes a path for transmitting data between the network interface 303, the dedicated hardware chip 302, and the CPU 301. Optionally, the internal connection 304 is a single board or a bus. For example, the internal connection 304 is Ethernet, Fibre Channel, PCI-E (Peripheral Component Interconnect Express, PCI Express, a high-speed serial computer bus), RapidIO (a high-performance, low-pin-count, packet-switched interconnect architecture), InfiniBand, or a XAUI bus (an interface extender that connects the Ethernet Media Access Control (MAC) layer to the physical layer).

可选地,防护设备300还包括内容可寻址存储器(content addressable memory,CAM)305。CAM 305例如是三态内容寻址存储器(ternary content addressable memory,TCAM)等。CAM 305例如用于存储远程服务器(攻击者的控制设施)的网络地址信息。可选地,CAM 305独立存在,并通过上述内部连接304与专用硬件芯片302相连接。或者,CAM 305和专用硬件芯片302集成在一起,即CAM 305作为专用硬件芯片302内部的存储器。Optionally, protection device 300 further includes a content addressable memory (CAM) 305. CAM 305 is, for example, a ternary content addressable memory (TCAM). CAM 305 is used to store, for example, the network address information of a remote server (the attacker's control facility). Optionally, CAM 305 exists independently and is connected to dedicated hardware chip 302 via the aforementioned internal connection 304. Alternatively, CAM 305 and dedicated hardware chip 302 are integrated, such that CAM 305 functions as internal memory within dedicated hardware chip 302.

可选地,防护设备300还包括存储器306。存储器306例如是ROM或可存储静态信息和指令的其它类型的静态存储设备,又如是RAM或者可存储信息和指令的其它类型的动态存储设备,又如是EEPROM、只读光盘CD-ROM或其它光盘存储、光碟存储(包括压缩光碟、激光碟、光碟、数字通用光碟、蓝光光碟等)、磁盘存储介质或者其它磁存储设备,或者是能够用于携带或存储具有指令或数据结构形式的期望的程序代码308并能够由计算机存取的任何其它介质,但不限于此。存储器306例如是独立存在,并通过内部连接304与CPU 301相连接。或者存储器306和CPU 301集成在一起。Optionally, the protection device 300 further includes a memory 306. The memory 306 may be, for example, a ROM or other type of static storage device capable of storing static information and instructions, a RAM or other type of dynamic storage device capable of storing information and instructions, an EEPROM, a CD-ROM or other optical disk storage, an optical disk storage (including a compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium capable of carrying or storing the desired program code 308 in the form of instructions or data structures and accessible by a computer, but is not limited thereto. The memory 306 may be, for example, independent and connected to the CPU 301 via the internal connection 304. Alternatively, the memory 306 and the CPU 301 may be integrated.

存储器306中存储有操作系统307和程序代码308。可选地,CPU 301从存储器306中读取操作系统307并运行该操作系统307,CPU 301还从存储器306读取程序代码308,通过在该操作系统307上运行该程序代码308实现本申请实施例提供的方法。例如,防护设备300是图1示出的实施场景中的防护设备,CPU 301在运行程序代码308的过程中,执行以下过程:防护设备300根据远程服务器的网络地址信息拦截来自该远程服务器的流量和/或发往该远程服务器的流量。Memory 306 stores an operating system 307 and program code 308. Optionally, CPU 301 reads operating system 307 from memory 306 and executes it. CPU 301 also reads program code 308 from memory 306 and implements the method provided in the embodiments of the present application by executing program code 308 on operating system 307. For example, if protection device 300 is the protection device in the implementation scenario shown in FIG. 1 , while executing program code 308, CPU 301 performs the following process: Protection device 300 intercepts traffic from and/or to a remote server based on the network address information of the remote server.

可选地,上述器件分别设置在彼此独立的芯片上,或者至少部分的或者全部的设置在同一块芯片上。将各个器件独立设置在不同的芯片上,还是整合设置在一个或者多个芯片上,往往取决于产品设计的需要。本申请实施例对上述器件的具体实现形式不做限定。Optionally, the above-mentioned devices are respectively provided on independent chips, or at least partially or entirely provided on the same chip. Whether each device is provided independently on different chips or integrated on one or more chips often depends on the needs of product design. The embodiments of the present application do not limit the specific implementation of the above-mentioned devices.

下面对本申请实施例的方法流程举例说明。The following is an example of the method flow of the embodiment of the present application.

例如,图4是本申请实施例提供的一种应用程序处理方法400的流程示意图。如图4所示,方法400包括但不限于以下步骤401至步骤403。该方法400应用于计算机设备。可选地,该方法400由运行于计算机设备上的安全软件执行,安全软件例如是终端检测响应(endpoint detection and response,EDR)软件。可选地,结合图1示出的实施场景,该方法400中的计算机设备为图1中的任一计算机设备。可选地,该方法400中的计算机设备具有图2所示的硬件结构。For example, FIG4 is a flow chart of an application processing method 400 provided in an embodiment of the present application. As shown in FIG4 , the method 400 includes but is not limited to the following steps 401 to 403. The method 400 is applied to a computer device. Optionally, the method 400 is executed by security software running on the computer device, and the security software is, for example, endpoint detection and response (EDR) software. Optionally, in combination with the implementation scenario shown in FIG1 , the computer device in the method 400 is any computer device in FIG1 . Optionally, the computer device in the method 400 has the hardware structure shown in FIG2 .

步骤401、计算机设备监控该计算机设备上运行的样本程序是否加载网络动态链接库。Step 401: The computer device monitors whether the sample program running on the computer device has loaded a network dynamic link library.

其中,网络动态链接库用于支持应用程序进行网络通信,该网络动态链接库中包括一个或多个网络连接函数。The network dynamic link library is used to support the application program to perform network communication, and the network dynamic link library includes one or more network connection functions.

可选地,网络动态链接库是计算机设备的操作系统自带的一种库文件(DLL文件)。当然,本申请实施例也不排除应用程序中自带网络动态链接库的可能性。可选地,网络动态链接库的文件类型包括但不限于ws2_32.dll、dnsapi.dll、Winhttp.dll或urlmon.dll。Optionally, the network dynamic link library is a library file (DLL file) that comes with the operating system of the computer device. Of course, the embodiment of the present application does not exclude the possibility of the application program carrying the network dynamic link library. Optionally, the file type of the network dynamic link library includes but is not limited to ws2_32.dll, dnsapi.dll, Winhttp.dll or urlmon.dll.

可选地,网络动态链接库中的网络连接函数包括但不限于InternetConnectA函数、InternetConnectW函数、UrlDownloadToFile函数、connect函数、WinHttpConnect函数或DnsQuery函数中的一个或多个。计算机设备上的应用程序通过加载网络动态链接库,进一步调用网络动态链接库中的网络连接函数,能够实现网络连接。Optionally, the network connection functions in the network dynamic link library include, but are not limited to, one or more of the following: InternetConnectA function, InternetConnectW function, UrlDownloadToFile function, connect function, WinHttpConnect function, or DnsQuery function. An application on a computer device can achieve network connection by loading the network dynamic link library and further calling the network connection functions in the network dynamic link library.

本申请实施例中,样本程序用于指代计算机设备上运行的任一应用程序。样本程序例如为浏览器、办公软件或游戏软件等。In the embodiments of the present application, a sample program is used to refer to any application program running on a computer device. A sample program may be, for example, a browser, office software, or game software.

可选地,计算机设备采用hook技术来监控运行的样本程序是否加载网络动态链接库。相应地,上述步骤401的实现方式为,计算机设备通过第一钩子函数挂钩计算机设备的操作系统中的动态库加载函数,以监控该样本程序是否加载该网络动态链接库。第一钩子函数挂钩计算机设备的操作系统中的动态库加载函数,也即是,第一钩子函数挂钩调用动态库加载函数的应用程序编程接口(application programming interface,API),这样,第一钩子函数就能够监测到样本程序调用该动态库加载函数来加载网络动态链接库的行为。Optionally, the computer device uses hook technology to monitor whether the running sample program loads the network dynamic link library. Accordingly, the implementation method of the above-mentioned step 401 is that the computer device hooks the dynamic library loading function in the operating system of the computer device through the first hook function to monitor whether the sample program loads the network dynamic link library. The first hook function hooks the dynamic library loading function in the operating system of the computer device, that is, the first hook function hooks the application programming interface (API) that calls the dynamic library loading function. In this way, the first hook function can monitor the behavior of the sample program calling the dynamic library loading function to load the network dynamic link library.

其中,动态库加载函数是计算机设备的操作系统中自带的一个动态链接库(不同于网络动态链接库)中的函数。动态链接库函数用于加载动态链接库,例如用于加载网络动态链接库。可选地,动态库加载函数包括LoadLibrary函数或LdrLoadDll函数。The dynamic library loading function is a function in a dynamic link library (different from a network dynamic link library) that comes with the operating system of the computer device. The dynamic link library function is used to load a dynamic link library, for example, to load a network dynamic link library. Optionally, the dynamic library loading function includes a LoadLibrary function or an LdrLoadDll function.

可选地,计算机设备采用用户态hook技术来监控运行的样本程序是否加载网络动态链接库。用户态hook技术是一种在应用程序中进行的函数调用拦截和修改的技术。这种实现方式下,第一钩子函数为样本程序中的用户态钩子函数,第一钩子函数是在样本程序启动后注入至样本程序中的。为了便于区分,本申请实施例中将用于挂钩计算机设备的操作系统中的动态库加载函数的用户态钩子函数称为第一用户态钩子函数。例如,计算机设备在检测到样本程序启动的情况下,通过安全软件向该样本程序中注入第一用户态钩子函数。可选地,计算机设备通过注入DLL的方式将第一用户态钩子函数注入至样本程序中。Optionally, the computer device uses user-state hook technology to monitor whether the running sample program loads the network dynamic link library. User-state hook technology is a technology for intercepting and modifying function calls made in an application. In this implementation, the first hook function is a user-state hook function in the sample program, and the first hook function is injected into the sample program after the sample program is started. For ease of distinction, in the embodiment of the present application, the user-state hook function used to hook the dynamic library loading function in the operating system of the computer device is referred to as the first user-state hook function. For example, when the computer device detects that the sample program is started, it injects the first user-state hook function into the sample program through security software. Optionally, the computer device injects the first user-state hook function into the sample program by injecting a DLL.

其中,用户态钩子函数是指运行在用户态的钩子函数。用户态是指应用程序运行在非特权模式下,只能访问受限资源,不能直接操作硬件和执行特权指令。应用程序通过系统调用接口进入内核态,向操作系统请求执行特权操作。可选地,用户态hook技术包括但不限于内联挂钩(inline hook)技术或导入地址表(import address table,IAT)挂钩(IAT hook)技术。A user-mode hook function refers to a hook function that runs in user mode. User mode refers to the non-privileged mode in which applications run, with limited access to restricted resources and no direct hardware manipulation or privileged instruction execution. Applications enter kernel mode through the system call interface and request privileged operations from the operating system. User-mode hooking techniques may include, but are not limited to, inline hooking or import address table (IAT) hooking.

或者,计算机设备采用内核态hook技术来监控运行的样本程序是否加载网络动态链接库。内核态hook技术是一种在操作系统内核中进行的函数调用拦截和修改的技术。这种实现方式下,第一钩子函数为计算机设备的内核中的内核态钩子函数。为了便于区分,本申请实施例中将用于挂钩计算机设备的操作系统中的动态库加载函数的内核态钩子函数称为第一内核态钩子函数。例如,计算机设备上的安全软件启动后,向计算机设备的内核中注入第一内核态钩子函数。其中,向计算机设备的内核中注入内核态钩子函数,可理解为在操作系统的内核态驱动程序中实现钩子函数的功能。Alternatively, the computer device uses kernel-state hook technology to monitor whether the running sample program loads the network dynamic link library. Kernel-state hook technology is a technology for intercepting and modifying function calls performed in the kernel of the operating system. In this implementation, the first hook function is a kernel-state hook function in the kernel of the computer device. For ease of distinction, in the embodiment of the present application, the kernel-state hook function used to hook the dynamic library loading function in the operating system of the computer device is referred to as the first kernel-state hook function. For example, after the security software on the computer device is started, the first kernel-state hook function is injected into the kernel of the computer device. Among them, injecting the kernel-state hook function into the kernel of the computer device can be understood as implementing the function of the hook function in the kernel-state driver of the operating system.

其中,内核态钩子函数是指运行在内核态的钩子函数。内核态是指内核运行在特权模式下,拥有访问所有资源和执行特权指令的权限。操作系统在内核态下执行系统调用和处理中断。可选地,内核态hook基于虚拟机管理程序(hypervisor)实现,例如内核态hook技术包括但不限于模型特定寄存器挂钩(model specific register hook,MSR hook)技术或扩展页表挂钩(extend page table hook,EPT hook)技术。A kernel-state hook function refers to a hook function that runs in kernel state. Kernel state refers to the kernel running in privileged mode, with access to all resources and the ability to execute privileged instructions. The operating system executes system calls and handles interrupts in kernel state. Optionally, kernel-state hooks are implemented based on a hypervisor. For example, kernel-state hook technologies include, but are not limited to, model-specific register hooks (MSR hooks) or extended page table hooks (EPT hooks).

步骤402、响应于监控到该样本程序加载该网络动态链接库,计算机设备判断目标内存块是否满足shellcode运行条件,目标内存块是该样本程序中用于加载该网络动态链接库的运行代码所在的内存块。Step 402: In response to monitoring that the sample program loads the network dynamic link library, the computer device determines whether a target memory block meets the shellcode execution condition, where the target memory block is a memory block where the execution code for loading the network dynamic link library in the sample program is located.

可选地,当目标内存块满足以下多个条件中的任一条件时,确定目标内存块满足shellcode运行条件。该多个条件包括:目标内存块的大小等于计算机设备的操作系统中的内存页大小;目标内存块具有私有权限、可写权限和可执行权限;目标内存块中包含PE文件的格式头。也就是说,当目标内存块的大小等于计算机设备的操作系统中的内存页大小时,确定目标内存块满足shellcode运行条件。或者,当目标内存块具有私有权限、可写权限和可执行权限时,确定目标内存块满足shellcode运行条件。又或者,当目标内存块中包含PE文件的格式头时,确定目标内存块满足shellcode运行条件。Optionally, when the target memory block meets any one of the following conditions, it is determined that the target memory block meets the shellcode running condition. The multiple conditions include: the size of the target memory block is equal to the memory page size in the operating system of the computer device; the target memory block has private permissions, writable permissions, and executable permissions; the target memory block contains the format header of the PE file. That is, when the size of the target memory block is equal to the memory page size in the operating system of the computer device, it is determined that the target memory block meets the shellcode running condition. Alternatively, when the target memory block has private permissions, writable permissions, and executable permissions, it is determined that the target memory block meets the shellcode running condition. Alternatively, when the target memory block contains the format header of the PE file, it is determined that the target memory block meets the shellcode running condition.

可选地,计算机设备依次判断目标内存块的大小、权限和内容是否满足shellcode运行条件,一旦确定了目标内存块满足shellcode运行条件,则停止执行该判断流程。本申请实施例对这三个判断条件的判断先后顺序不做限定。Optionally, the computer device sequentially determines whether the size, permissions, and content of the target memory block meet the shellcode execution conditions. Once it is determined that the target memory block meets the shellcode execution conditions, the computer device stops executing the judgment process. The embodiment of the present application does not limit the order of judging these three judgment conditions.

如果目标内存块不满足shellcode运行条件,说明目标内存块中用于加载网络动态链接库的运行代码为正常代码,则计算机设备不干预该运行代码之后的网络行为。如果目标内存块满足shellcode运行条件,说明目标内存块中用于加载网络动态链接库的运行代码为shellcode,则计算机设备需要阻止该shellcode之后的网络行为,具体实现方式参见以下步骤403。If the target memory block does not meet the shellcode execution conditions, it indicates that the code running in the target memory block for loading the network dynamic link library is normal code, and the computer device does not interfere with the network behavior after the code is executed. If the target memory block meets the shellcode execution conditions, it indicates that the code running in the target memory block for loading the network dynamic link library is shellcode, and the computer device needs to block the network behavior after the shellcode. The specific implementation method is shown in step 403 below.

步骤403、如果目标内存块满足该shellcode运行条件,计算机设备对该样本程序执行恶意程序处理流程,其中,该恶意程序处理流程包括:在该样本程序调用成功网络动态链接库中的网络连接函数之前终止执行该样本程序。Step 403: If the target memory block meets the shellcode running condition, the computer device executes a malicious program processing flow for the sample program, wherein the malicious program processing flow includes: terminating the execution of the sample program before the sample program successfully calls a network connection function in a network dynamic link library.

计算机设备终止执行该样本程序,包括关闭该样本程序并释放该样本程序占用的内存空间。The computer device terminates execution of the sample program, including closing the sample program and releasing the memory space occupied by the sample program.

本申请实施例中,计算机设备在确定样本程序中存在shellcode正在运行的情况下,将该样本程序作为恶意程序进行处理,使得该样本程序在调用成功网络动态链接库中的网络连接函数之前被终止执行,以避免该应用程序连接上远程服务器,从而能够避免计算机设备被攻击者通过远程服务器控制,或者计算机设备的内部数据被攻击者通过远程服务器窃取,实现对计算机设备的保护。In an embodiment of the present application, when a computer device determines that shellcode is running in a sample program, the sample program is treated as a malicious program, so that the sample program is terminated before the network connection function in the network dynamic link library is successfully called, so as to prevent the application from connecting to the remote server, thereby preventing the computer device from being controlled by an attacker through the remote server, or preventing the internal data of the computer device from being stolen by an attacker through the remote server, thereby protecting the computer device.

可选地,计算机设备在终止执行该样本程序之前,还获取该样本程序尝试连接的远程服务器的网络地址信息。相应地,计算机设备对样本程序执行恶意程序处理流程,包括:计算机设备获取该样本程序尝试调用网络动态链接库中的网络连接函数时提供的网络连接参数,并在该样本程序调用成功该网络动态链接库中的网络连接函数之前终止执行该样本程序。其中,网络连接参数包括样本程序尝试连接的远程服务器的网络地址信息。该远程服务器的网络地址信息包括但不限于该远程服务器的IP地址、该远程服务器的域名地址或该远程服务器的端口号中的一种或多种。可选地,网络连接参数还包括用户名和登录密码等信息。计算机设备基于该样本程序提供的网络连接参数,能够连接上远程服务器。Optionally, before terminating the execution of the sample program, the computer device also obtains the network address information of the remote server that the sample program attempts to connect to. Accordingly, the computer device executes a malicious program processing process on the sample program, including: the computer device obtains the network connection parameters provided when the sample program attempts to call the network connection function in the network dynamic link library, and terminates the execution of the sample program before the sample program successfully calls the network connection function in the network dynamic link library. Among them, the network connection parameters include the network address information of the remote server that the sample program attempts to connect to. The network address information of the remote server includes but is not limited to one or more of the IP address of the remote server, the domain name address of the remote server, or the port number of the remote server. Optionally, the network connection parameters also include information such as a user name and a login password. Based on the network connection parameters provided by the sample program, the computer device can connect to the remote server.

可选地,计算机设备采用hook技术来获取该样本程序提供的网络连接参数。相应地,计算机设备获取样本程序尝试调用网络动态链接库中的网络连接函数时提供的网络连接参数的实现方式如下,包括以下步骤S1至步骤S3。Optionally, the computer device uses hook technology to obtain the network connection parameters provided by the sample program. Accordingly, the computer device obtains the network connection parameters provided when the sample program attempts to call the network connection function in the network dynamic link library in the following implementation method, including the following steps S1 to S3.

在步骤S1中,计算机设备暂停执行样本程序,并在暂停期间通过第二钩子函数挂钩网络动态链接库中的网络连接函数。In step S1, the computer device suspends the execution of the sample program and, during the suspension, hooks the network connection function in the network dynamic link library through the second hook function.

其中,第二钩子函数挂钩网络动态链接库中的网络连接函数,也即是,第二钩子函数挂钩调用网络动态链接库中的网络连接函数的API,这样,第二钩子函数就能够监测到样本程序调用该网络连接函数来连接远程服务器的行为。Among them, the second hook function hooks the network connection function in the network dynamic link library, that is, the second hook function hooks the API that calls the network connection function in the network dynamic link library, so that the second hook function can monitor the behavior of the sample program calling the network connection function to connect to the remote server.

可选地,第二钩子函数为样本程序中的用户态钩子函数,第二钩子函数是在样本程序启动后注入至样本程序中的。为了便于区分,本申请实施例中将用于挂钩网络动态链接库中的网络连接函数的用户态钩子函数称为第二用户态钩子函数。例如,计算机设备在检测到样本程序启动的情况下,通过安全软件向该样本程序中注入第二用户态钩子函数。可选地,计算机设备通过注入DLL的方式将第二用户态钩子函数注入至样本程序中。Optionally, the second hook function is a user-mode hook function in the sample program, which is injected into the sample program after the sample program is launched. For ease of distinction, in the embodiments of the present application, the user-mode hook function used to hook the network connection function in the network dynamic link library is referred to as the second user-mode hook function. For example, upon detecting the launch of the sample program, the computer device injects the second user-mode hook function into the sample program via security software. Optionally, the computer device injects the second user-mode hook function into the sample program by injecting a DLL.

可选地,计算机设备在检测到样本程序启动的情况下,将第一用户态钩子函数和第二用户态钩子函数同时注入样本程序中,并通过第一用户态钩子函数挂钩计算机设备的操作系统中的动态库加载函数,之后,在需要获取样本程序尝试连接的远程服务器的网络连接参数时,再通过第二用户态钩子函数挂钩网络动态链接库中的网络连接函数。或者,计算机设备在检测到样本程序启动的情况下,将第一用户态钩子函数注入样本程序中,并通过第一用户态钩子函数挂钩计算机设备的操作系统中的动态库加载函数,之后,在需要获取样本程序尝试连接的远程服务器的网络连接参数时,再将第二用户态钩子函数注入样本程序中,并通过第二用户态钩子函数挂钩网络动态链接库中的网络连接函数。也就是说,第一用户态钩子函数和第二用户态钩子函数可以是一次性注入样本程序中的,或者也可以是分别注入样本程序中的。Optionally, when the computer device detects that the sample program is started, it injects the first user-state hook function and the second user-state hook function into the sample program at the same time, and hooks the dynamic library loading function in the operating system of the computer device through the first user-state hook function. Thereafter, when it is necessary to obtain the network connection parameters of the remote server to which the sample program attempts to connect, it hooks the network connection function in the network dynamic link library through the second user-state hook function. Alternatively, when the computer device detects that the sample program is started, it injects the first user-state hook function into the sample program, and hooks the dynamic library loading function in the operating system of the computer device through the first user-state hook function. Thereafter, when it is necessary to obtain the network connection parameters of the remote server to which the sample program attempts to connect, it injects the second user-state hook function into the sample program, and hooks the network connection function in the network dynamic link library through the second user-state hook function. That is, the first user-state hook function and the second user-state hook function can be injected into the sample program at one time, or can be injected into the sample program separately.

或者,第二钩子函数为计算机设备的内核中的内核态钩子函数。为了便于区分,本申请实施例中将用于挂钩网络动态链接库中的网络连接函数的内核态钩子函数称为第二内核态钩子函数。例如,计算机设备上的安全软件启动后,向计算机设备的内核中注入第二内核态钩子函数。Alternatively, the second hook function is a kernel-mode hook function in the kernel of the computer device. For ease of distinction, in the embodiments of the present application, the kernel-mode hook function used to hook the network connection function in the network dynamic link library is referred to as the second kernel-mode hook function. For example, after the security software on the computer device is started, the second kernel-mode hook function is injected into the kernel of the computer device.

可选地,计算机设备上的安全软件启动后,将第一内核态钩子函数和第二内核态钩子函数同时注入计算机设备的内核中,并通过第一内核态钩子函数挂钩计算机设备的操作系统中的动态库加载函数,之后,在需要获取样本程序尝试连接的远程服务器的网络连接参数时,再通过第二内核态钩子函数挂钩网络动态链接库中的网络连接函数。或者,计算机设备上的安全软件启动后,将第一内核态钩子函数注入计算机设备的内核中,并通过第一内核态钩子函数挂钩计算机设备的操作系统中的动态库加载函数,之后,在需要获取样本程序尝试连接的远程服务器的网络连接参数时,再将第二内核态钩子函数注入计算机设备的内核中,并通过第二内核态钩子函数挂钩网络动态链接库中的网络连接函数。也就是说,第一内核态钩子函数和第二内核态钩子函数可以是一次性注入计算机设备的内核中的,或者也可以是分别注入计算机设备的内核中的。Optionally, after the security software on the computer device is started, the first kernel-state hook function and the second kernel-state hook function are simultaneously injected into the kernel of the computer device, and the first kernel-state hook function is used to hook the dynamic library loading function in the operating system of the computer device. Thereafter, when it is necessary to obtain the network connection parameters of the remote server to which the sample program attempts to connect, the second kernel-state hook function is used to hook the network connection function in the network dynamic link library. Alternatively, after the security software on the computer device is started, the first kernel-state hook function is injected into the kernel of the computer device, and the first kernel-state hook function is used to hook the dynamic library loading function in the operating system of the computer device. Thereafter, when it is necessary to obtain the network connection parameters of the remote server to which the sample program attempts to connect, the second kernel-state hook function is injected into the kernel of the computer device, and the second kernel-state hook function is used to hook the network connection function in the network dynamic link library. In other words, the first kernel-state hook function and the second kernel-state hook function can be injected into the kernel of the computer device at once, or can be injected into the kernel of the computer device separately.

在步骤S2中,计算机设备在通过第二钩子函数对网络动态链接库中的网络连接函数挂钩完成之后,恢复执行该样本程序。In step S2, after the computer device completes hooking the network connection function in the network dynamic link library through the second hook function, it resumes executing the sample program.

可选地,计算机设备在通过第二钩子函数对网络动态链接库中的所有网络连接函数挂钩完成之后,恢复执行该样本程序,这样,样本程序无论调用网络动态链接库中的哪个网络连接函数,第二钩子函数都能监测到,实现对样本程序的网络连接行为的全面监测。Optionally, after the computer device completes hooking all network connection functions in the network dynamic link library through the second hook function, it resumes executing the sample program. In this way, no matter which network connection function in the network dynamic link library is called by the sample program, the second hook function can monitor it, thereby achieving comprehensive monitoring of the network connection behavior of the sample program.

在步骤S3中,响应于该样本程序调用网络动态链接库中的网络连接函数,计算机设备通过第二钩子函数获取该样本程序调用网络连接函数时提供的网络连接参数。In step S3, in response to the sample program calling the network connection function in the network dynamic link library, the computer device obtains the network connection parameters provided by the sample program when calling the network connection function through the second hook function.

之后,计算机设备终止执行该样本程序。Afterwards, the computer device terminates execution of the sample program.

由于第二钩子函数挂钩了网络动态链接库中的网络连接函数,因此第二钩子函数能够监测到样本程序调用网络动态链接库中的网络连接函数的行为,从而能够获取该样本程序调用网络连接函数时提供的网络连接参数。对于应用程序中运行的shellcode来说,shellcode尝试连接的远程服务器通常为攻击者的控制设施,本申请实施例通过在计算机设备中的恶意程序未发生实质的恶意行为之前获取攻击者的控制设施的网络地址信息,有助于针对攻击者通过该控制设施实施的网络攻击进行安全防护。Because the second hook function hooks the network connection function in the network dynamic link library, the second hook function can monitor the sample program's call to the network connection function in the network dynamic link library, thereby obtaining the network connection parameters provided by the sample program when calling the network connection function. For shellcode running in an application, the remote server the shellcode attempts to connect to is typically the attacker's control facility. By obtaining the network address information of the attacker's control facility before the malicious program in the computer device actually performs any malicious behavior, the embodiments of the present application help provide security protection against network attacks carried out by the attacker through the control facility.

可选地,计算机设备位于防护设备所保护的受保护网络内,计算机设备还向部署于该计算机设备与远程服务器之间的防护设备发送该远程服务器的网络地址信息。该远程服务器的网络地址信息用于防护设备拦截来自该远程服务器的流量和/或发往该远程服务器的流量。Optionally, the computer device is located within a protected network protected by the protection device, and the computer device further transmits the network address information of the remote server to the protection device deployed between the computer device and the remote server. The network address information of the remote server is used by the protection device to intercept traffic from and/or traffic to the remote server.

本申请实施例中,计算机设备向防护设备提供被确定为攻击者的控制设施的远程服务器的网络地址信息,防护设备通过拦截受保护网络向该远程服务器发送的流量,能够避免受保护网络内的计算机设备中的数据被窃取。防护设备通过拦截该远程服务器向受保护网络发送的流量,能够避免受保护网络内的计算机设备被远程控制。本申请通过计算机设备联动防护设备,实现了对攻击者的控制设施的全局封禁,从而保护受保护网络内的所有计算机设备免受攻击者的远程攻击。In an embodiment of the present application, a computer device provides the protection device with the network address information of a remote server identified as the attacker's control facility. The protection device can prevent data from being stolen from computer devices within the protected network by intercepting traffic sent from the protected network to the remote server. The protection device can prevent computer devices within the protected network from being remotely controlled by intercepting traffic sent from the remote server to the protected network. The present application achieves a global blockade of the attacker's control facility by linking computer devices with the protection device, thereby protecting all computer devices within the protected network from remote attacks by the attacker.

可选地,计算机设备还向云端上报被确定为攻击者的控制设施的远程服务器的网络地址信息。云端通过收集不同计算机设备上报的信息,分析攻击者的攻击行为特征,比如分析攻击者的攻击对象,攻击行业,是针对某个局域网或某个类型的计算机设备发起的网络攻击还是无差别攻击,从而构建攻击组织画像,以帮助企业和个人预防和应对网络攻击。其中,攻击组织画像包括但不限于恶意服务器的网络地址信息和/或攻击行为特征。Optionally, the computer device also reports the network address information of the remote server identified as the attacker's control facility to the cloud. By collecting information reported by different computer devices, the cloud analyzes the attacker's attack behavior characteristics, such as the attacker's target, the industry, and whether the attack is targeting a specific local area network or type of computer device or an indiscriminate attack. This creates a profile of the attacking organization to help businesses and individuals prevent and respond to cyberattacks. This profile includes, but is not limited to, the network address information of the malicious server and/or attack behavior characteristics.

本申请实施例提供的应用程序处理方法的步骤的先后顺序能够进行适当调整,步骤也能够根据情况进行相应增减。任何熟悉本技术领域的技术人员在本申请揭露的技术范围内,可轻易想到变化的方法,都应涵盖在本申请的保护范围之内。The order of the steps of the application processing method provided in the embodiments of the present application can be adjusted appropriately, and the steps can be increased or decreased accordingly. Any method that can be easily conceived by a person skilled in the art within the technical scope disclosed in this application should be included in the scope of protection of this application.

下面对本申请实施例的虚拟装置举例说明。The following describes the virtual device in the embodiment of the present application by way of example.

图5是本申请实施例提供的一种应用程序处理装置的结构示意图。具有图5所示结构的应用程序处理装置用于实现上述实施例描述的方法400。可选地,图5所示的应用程序处理装置是图1或图2所示的计算机设备,或者,图5所示的应用程序处理装置是图1或图2所示的计算机设备中的安全软件。如图5所示,应用程序处理装置500包括监控模块501和处理模块502。可选地,请继续参见图5,应用程序处理装置500还包括收发模块503。Figure 5 is a schematic diagram of the structure of an application processing device provided in an embodiment of the present application. The application processing device having the structure shown in Figure 5 is used to implement the method 400 described in the above embodiment. Optionally, the application processing device shown in Figure 5 is the computer device shown in Figure 1 or Figure 2, or the application processing device shown in Figure 5 is the security software in the computer device shown in Figure 1 or Figure 2. As shown in Figure 5, the application processing device 500 includes a monitoring module 501 and a processing module 502. Optionally, please continue to refer to Figure 5, the application processing device 500 also includes a transceiver module 503.

其中,监控模块501,用于监控计算机设备上运行的样本程序是否加载网络动态链接库,网络动态链接库用于支持应用程序进行网络通信,网络动态链接库中包括一个或多个网络连接函数。处理模块502,用于响应于监控到样本程序加载网络动态链接库,判断目标内存块是否满足shellcode运行条件,目标内存块是样本程序中用于加载网络动态链接库的运行代码所在的内存块;以及,如果目标内存块满足shellcode运行条件,对样本程序执行恶意程序处理流程,其中,恶意程序处理流程包括:在样本程序调用成功网络动态链接库中的网络连接函数之前终止执行样本程序。The monitoring module 501 is configured to monitor whether the sample program running on the computer device has loaded a network dynamic link library (DLL), which is used to support network communication for the application program and includes one or more network connection functions. The processing module 502 is configured to, in response to monitoring that the sample program has loaded the DLL, determine whether a target memory block satisfies a shellcode execution condition. The target memory block is the memory block containing the execution code in the sample program used to load the DLL; and if the target memory block satisfies the shellcode execution condition, execute a malicious program processing flow on the sample program. The malicious program processing flow includes: terminating the sample program before the sample program successfully calls a network connection function in the DLL.

可选地,当目标内存块满足以下多个条件中的任一条件时,确定目标内存块满足shellcode运行条件,多个条件包括:目标内存块的大小等于计算机设备的操作系统中的内存页大小;目标内存块具有私有权限、可写权限和可执行权限;目标内存块中包含PE文件的格式头。Optionally, when the target memory block meets any one of the following conditions, it is determined that the target memory block meets the shellcode execution condition, and the multiple conditions include: the size of the target memory block is equal to the memory page size in the operating system of the computer device; the target memory block has private permission, writable permission and executable permission; the target memory block contains the format header of the PE file.

可选地,监控模块501,具体用于通过第一钩子函数挂钩计算机设备的操作系统中的动态库加载函数,以监控样本程序是否加载网络动态链接库,动态库加载函数用于加载网络动态链接库。Optionally, the monitoring module 501 is specifically configured to hook a dynamic library loading function in the operating system of the computer device through a first hook function to monitor whether the sample program loads a network dynamic link library, where the dynamic library loading function is used to load the network dynamic link library.

可选地,第一钩子函数为样本程序中的用户态钩子函数,第一钩子函数是在样本程序启动后注入至样本程序中的。或者,第一钩子函数为计算机设备的内核中的内核态钩子函数。Optionally, the first hook function is a user-mode hook function in the sample program, and the first hook function is injected into the sample program after the sample program is started. Alternatively, the first hook function is a kernel-mode hook function in the kernel of the computer device.

可选地,处理模块502,具体用于如果目标内存块满足shellcode运行条件,获取样本程序尝试调用网络动态链接库中的网络连接函数时提供的网络连接参数,并在样本程序调用成功网络动态链接库中的网络连接函数之前终止执行样本程序,网络连接参数包括样本程序尝试连接的远程服务器的网络地址信息。Optionally, the processing module 502 is specifically configured to obtain network connection parameters provided when the sample program attempts to call a network connection function in a network dynamic link library if the target memory block meets the shellcode running conditions, and terminate the execution of the sample program before the sample program successfully calls the network connection function in the network dynamic link library, where the network connection parameters include network address information of a remote server that the sample program attempts to connect to.

可选地,处理模块502,具体用于:如果目标内存块满足shellcode运行条件,暂停执行样本程序,并在暂停期间通过第二钩子函数挂钩网络动态链接库中的网络连接函数;在通过第二钩子函数对网络动态链接库中的网络连接函数挂钩完成之后,恢复执行样本程序;响应于样本程序调用网络动态链接库中的网络连接函数,通过第二钩子函数获取样本程序调用网络连接函数时提供的网络连接参数;在样本程序调用成功网络动态链接库中的网络连接函数之前终止执行样本程序。Optionally, the processing module 502 is specifically used to: if the target memory block meets the shellcode running conditions, suspend the execution of the sample program, and hook the network connection function in the network dynamic link library through the second hook function during the suspension period; after the hooking of the network connection function in the network dynamic link library is completed through the second hook function, resume the execution of the sample program; in response to the sample program calling the network connection function in the network dynamic link library, obtain the network connection parameters provided by the sample program when calling the network connection function through the second hook function; and terminate the execution of the sample program before the sample program successfully calls the network connection function in the network dynamic link library.

可选地,第二钩子函数为样本程序中的用户态钩子函数,第二钩子函数是在样本程序启动后注入至样本程序中的。或者,第二钩子函数为计算机设备的内核中的内核态钩子函数。Optionally, the second hook function is a user-mode hook function in the sample program, and the second hook function is injected into the sample program after the sample program is started. Alternatively, the second hook function is a kernel-mode hook function in the kernel of the computer device.

可选地,收发模块503,用于向部署于计算机设备与远程服务器之间的防护设备发送远程服务器的网络地址信息,远程服务器的网络地址信息用于防护设备拦截来自远程服务器的流量和/或发往远程服务器的流量。Optionally, the transceiver module 503 is used to send the network address information of the remote server to the protection device deployed between the computer device and the remote server. The network address information of the remote server is used by the protection device to intercept traffic from the remote server and/or traffic sent to the remote server.

可选地,远程服务器的网络地址信息包括远程服务器的IP地址、远程服务器的域名地址或远程服务器的端口号中的一个或多个。Optionally, the network address information of the remote server includes one or more of an IP address of the remote server, a domain name address of the remote server, or a port number of the remote server.

附图5所描述的装置实施例仅仅是示意性的,例如,所述模块的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个模块或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。在本申请各个实施例中的各功能模块可以集成在一个处理模块中,也可以是各个模块单独物理存在,也可以两个或两个以上模块集成在一个模块中。附图5中上述各个模块既可以采用硬件的形式实现,也可以采用软件功能单元的形式实现。例如,采用软件实现时,上述监控模块501和处理模块502可以是由附图2中的处理器201读取存储器202中存储的程序代码后,生成的软件功能模块来实现。图5中上述各个模块也可以由计算机设备的不同硬件分别实现,例如上述监控模块501和处理模块502由附图2中处理器201中的一部分处理资源(例如多核处理器中的一个核)实现,而收发模块503由附图2的网络接口204和处理器201中的其余部分处理资源(例如多核处理器中的其他核)完成。显然上述功能模块也可以采用软件硬件相结合的方式来实现,例如收发模块503由硬件可编程器件实现,而上述监控模块501和处理模块502是由处理器读取存储器中存储的程序指令后,生成的软件功能模块。The device embodiment described in FIG5 is merely schematic. For example, the division of the modules is merely a logical functional division. In actual implementation, there may be other division methods. For example, multiple modules or components may be combined or integrated into another system, or some features may be ignored or not executed. The functional modules in the various embodiments of the present application may be integrated into a processing module, or each module may exist physically separately, or two or more modules may be integrated into one module. The above-mentioned modules in FIG5 may be implemented in the form of hardware or in the form of software functional units. For example, when implemented in software, the above-mentioned monitoring module 501 and processing module 502 may be implemented as software functional modules generated by the processor 201 in FIG2 after reading the program code stored in the memory 202. The modules described above in FIG5 may also be implemented separately by different hardware components of the computer device. For example, the monitoring module 501 and processing module 502 may be implemented by a portion of the processing resources of the processor 201 in FIG2 (e.g., one core in a multi-core processor), while the transceiver module 503 may be implemented by the network interface 204 in FIG2 and the remaining processing resources of the processor 201 (e.g., other cores in a multi-core processor). Obviously, the functional modules described above may also be implemented using a combination of software and hardware. For example, the transceiver module 503 may be implemented by a hardware programmable device, while the monitoring module 501 and processing module 502 may be software functional modules generated by the processor after reading program instructions stored in the memory.

下面对本申请实施例的系统举例说明。The following is an example of the system in the embodiment of the present application.

例如,本申请实施例提供了一种攻击防御系统,包括:计算机设备和防护设备。计算机设备位于该防护设备所保护的受保护网络内。其中,计算机设备用于执行上述方法400。可选地,该攻击防御系统的结构例如参考图1。For example, an embodiment of the present application provides an attack defense system, comprising: a computer device and a protection device. The computer device is located within a protected network protected by the protection device. The computer device is configured to execute the above-described method 400. Optionally, the structure of the attack defense system is, for example, as shown in FIG1 .

举例来说,计算机设备用于监控该计算机设备上运行的样本程序是否加载网络动态链接库,该网络动态链接库用于支持应用程序进行网络通信,该网络动态链接库中包括一个或多个网络连接函数。计算机设备还用于响应于监控到该样本程序加载该网络动态链接库,判断目标内存块是否满足shellcode运行条件,目标内存块是该样本程序中用于加载该网络动态链接库的运行代码所在的内存块;以及,如果目标内存块满足该shellcode运行条件,对该样本程序执行恶意程序处理流程,其中,恶意程序处理流程包括:获取该样本程序尝试调用该网络动态链接库中的网络连接函数时提供的网络连接参数,并在该样本程序调用成功该网络动态链接库中的网络连接函数之前终止执行该样本程序,网络连接参数包括该样本程序尝试连接的远程服务器的网络地址信息。计算机设备还用于向防护设备发送该远程服务器的网络地址信息。防护设备用于根据该远程服务器的网络地址信息拦截来自该远程服务器的流量和/或发往该远程服务器的流量。For example, a computer device is configured to monitor whether a sample program running on the computer device loads a network dynamic link library (DLL), which is used to support network communication for applications and includes one or more network connection functions. The computer device is further configured to, in response to monitoring the sample program loading the DLL, determine whether a target memory block meets a shellcode execution condition, where the target memory block is the memory block containing the execution code in the sample program used to load the DLL. If the target memory block meets the shellcode execution condition, execute a malicious program processing flow on the sample program. The malicious program processing flow includes obtaining network connection parameters provided by the sample program when attempting to call a network connection function in the DLL, and terminating execution of the sample program before the sample program successfully calls the network connection function in the DLL. The network connection parameters include network address information of a remote server that the sample program attempts to connect to. The computer device is further configured to transmit the remote server's network address information to a protection device. The protection device is configured to intercept traffic from and/or to the remote server based on the remote server's network address information.

可选地,该攻击防御系统还包括云安全服务器。计算机设备和/或防护设备还用于向云安全服务器发送该远程服务器的网络地址信息。云安全服务器用于汇总从各个来源收集到的远程服务器(恶意服务器)的网络地址信息。Optionally, the attack defense system further includes a cloud security server. The computer device and/or the protection device is further configured to send the network address information of the remote server to the cloud security server. The cloud security server is configured to aggregate the network address information of the remote server (malicious server) collected from various sources.

可选地,云安全服务器还用于按照订阅需求,向订阅方提供攻击者画像,攻击者画像包括但不限于恶意服务器的网络地址信息和/或攻击行为特征。Optionally, the cloud security server is also used to provide the subscriber with an attacker profile according to subscription requirements. The attacker profile includes but is not limited to the network address information of the malicious server and/or attack behavior characteristics.

又例如,本申请实施例提供了另一种攻击防御系统,包括:计算机设备和云安全服务器。其中,计算机设备用于执行上述方法400。For another example, an embodiment of the present application provides another attack defense system, including: a computer device and a cloud security server.

举例来说,计算机设备用于监控该计算机设备上运行的样本程序是否加载网络动态链接库,该网络动态链接库用于支持应用程序进行网络通信,该网络动态链接库中包括一个或多个网络连接函数。计算机设备还用于响应于监控到该样本程序加载该网络动态链接库,判断目标内存块是否满足shellcode运行条件,目标内存块是该样本程序中用于加载该网络动态链接库的运行代码所在的内存块;以及,如果目标内存块满足该shellcode运行条件,对该样本程序执行恶意程序处理流程,其中,恶意程序处理流程包括:获取该样本程序尝试调用该网络动态链接库中的网络连接函数时提供的网络连接参数,并在该样本程序调用成功该网络动态链接库中的网络连接函数之前终止执行该样本程序,网络连接参数包括该样本程序尝试连接的远程服务器的网络地址信息。计算机设备还用于向云安全服务器发送该远程服务器的网络地址信息。云安全服务器用于汇总从各个来源收集到的远程服务器(恶意服务器)的网络地址信息。For example, a computer device is used to monitor whether a sample program running on the computer device loads a network dynamic link library, which is used to support network communication for applications and includes one or more network connection functions. The computer device is also used to, in response to monitoring the sample program loading the network dynamic link library, determine whether a target memory block meets the shellcode execution conditions, where the target memory block is the memory block where the execution code used to load the network dynamic link library in the sample program is located; and if the target memory block meets the shellcode execution conditions, execute a malicious program processing flow on the sample program, wherein the malicious program processing flow includes: obtaining network connection parameters provided by the sample program when attempting to call a network connection function in the network dynamic link library, and terminating execution of the sample program before the sample program successfully calls the network connection function in the network dynamic link library, wherein the network connection parameters include network address information of a remote server that the sample program attempts to connect to. The computer device is also used to send the network address information of the remote server to a cloud security server. The cloud security server is used to aggregate the network address information of remote servers (malicious servers) collected from various sources.

可选地,云安全服务器还用于按照订阅需求,向订阅方提供攻击组织画像,攻击组织画像包括但不限于恶意服务器的网络地址信息和/或攻击行为特征。Optionally, the cloud security server is also used to provide the subscriber with an attack organization portrait according to subscription requirements. The attack organization portrait includes but is not limited to the network address information and/or attack behavior characteristics of the malicious server.

可选地,该攻击防御系统还包括防护设备,计算机设备位于该防护设备所保护的受保护网络内。计算机设备和/或云安全服务器还用于向该防护设备发送该远程服务器的网络地址信息。防护设备用于根据该远程服务器的网络地址信息拦截来自该远程服务器的流量和/或发往该远程服务器的流量。Optionally, the attack defense system further includes a protection device, wherein the computer device is located within a protected network protected by the protection device. The computer device and/or the cloud security server is further configured to send the network address information of the remote server to the protection device. The protection device is configured to intercept traffic from and/or traffic destined for the remote server based on the network address information of the remote server.

本申请实施例还提供了一种计算机设备,包括:存储器、网络接口和至少一个处理器。所述存储器用于存储程序指令,所述至少一个处理器读取所述存储器中保存的程序指令后,使得所述计算机设备执行上述方法400。可选地,该计算机设备的硬件结构如图2所示。An embodiment of the present application further provides a computer device comprising: a memory, a network interface, and at least one processor. The memory is configured to store program instructions, and the at least one processor reads the program instructions stored in the memory, causing the computer device to execute the above-described method 400. Optionally, the hardware structure of the computer device is shown in FIG2 .

本申请实施例还提供了一种计算机可读存储介质,所述计算机可读存储介质上存储有指令,当所述指令被计算机设备的处理器执行时,实现上述方法实施例中计算机设备执行的步骤;或者,当所述指令被管理设备的处理器执行时,实现上述方法实施例中管理设备执行的步骤。An embodiment of the present application further provides a computer-readable storage medium having instructions stored thereon. When the instructions are executed by a processor of a computer device, the steps executed by the computer device in the above method embodiment are implemented; or, when the instructions are executed by a processor of a management device, the steps executed by the management device in the above method embodiment are implemented.

本申请实施例还提供了一种计算机程序产品,包括计算机程序,所述计算机程序被计算机设备的处理器执行时,实现上述方法实施例中计算机设备执行的步骤;或者,所述计算机程序被管理设备的处理器执行时,实现上述方法实施例中管理设备执行的步骤。An embodiment of the present application also provides a computer program product, including a computer program, which, when executed by a processor of a computer device, implements the steps performed by the computer device in the above method embodiment; or, when executed by a processor of a management device, implements the steps performed by the management device in the above method embodiment.

本申请实施例中术语流量(traffic)也称网络流量(network traffic)或数据流量(data traffic)。流量是指在一个给定时间点通过网络传输的数据。例如,设备在时间点T接收的流量是指设备在时间点T接收的所有报文。In the embodiments of this application, the term "traffic" is also referred to as network traffic or data traffic. Traffic refers to the data transmitted over a network at a given point in time. For example, the traffic received by a device at time T refers to all packets received by the device at that point in time.

本说明书中的各个实施例均采用递进的方式描述,各个实施例之间相同相似的部分可互相参考,每个实施例重点说明的都是与其他实施例的不同之处。The various embodiments in this specification are described in a progressive manner. The same or similar parts between the various embodiments can be referenced to each other, and each embodiment focuses on the differences from other embodiments.

本申请实施例的说明书和权利要求书中的术语“第一”和“第二”等是用于区别不同的对象,而不是用于描述对象的特定顺序,也不能理解为指示或暗示相对重要性。The terms "first" and "second" and the like in the description and claims of the embodiments of this application are used to distinguish different objects, rather than to describe a specific order of objects, and cannot be understood as indicating or implying relative importance.

在本申请实施例的描述中,除非另有说明,“至少一个”的含义是指一个或多个。“多个”的含义是指两个或两个以上。In the description of the embodiments of the present application, unless otherwise specified, "at least one" means one or more, and "a plurality of" means two or more.

A参考B,指的是A与B相同或者A为B的简单变形。A refers to B, which means that A is the same as B or A is a simple variant of B.

本申请中术语“和/或”,仅仅是一种描述关联对象的关联关系,表示存在三种关系,例如,A和/或B,表示:单独存在A,同时存在A和B,单独存在B这三种情况。另外,本文中字符“/”,一般表示前后关联对象是一种“或”的关系。In this application, the term "and/or" simply describes a relationship between related objects, indicating the existence of three relationships. For example, A and/or B means: A exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" in this document generally indicates that the related objects are in an "or" relationship.

可选地,在上述实施例中,全部或部分地通过软件、硬件、固件或者其任意组合来实现。可选地,当使用软件实现时,全部或部分地以计算机程序产品的形式实现。计算机程序产品包括一个或多个计算机指令。在计算机上加载和执行计算机程序指令时,全部或部分地产生按照本申请实施例描述的流程或功能。可选地,计算机是通用计算机、专用计算机、计算机网络、或者其他可编程装置。可选地,计算机指令存储在计算机可读存储介质中,或者从一个计算机可读存储介质向另一个计算机可读存储介质传输,例如,计算机指令能够从一个网站站点、计算机、服务器或数据中心通过有线(例如同轴电缆、光纤、数字用户线(digital subscriber line,DSL))或无线(例如红外、无线、微波等)方式向另一个网站站点、计算机、服务器或数据中心进行传输。可选地,计算机可读存储介质是计算机能够存取的任何可用介质或者是包含一个或多个可用介质集成的服务器、数据中心等数据存储设备。可选地,可用介质是磁性介质,(例如,软盘、硬盘、磁带)、光介质(例如数字视盘(digital video disk,DVD))、或者半导体介质(例如固态硬盘(solid state disk,SSD))等。Optionally, in the above embodiments, all or part of the embodiments are implemented by software, hardware, firmware or any combination thereof. Optionally, when implemented using software, all or part of the embodiments are implemented in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, all or part of the processes or functions described in the embodiments of the present application are generated. Optionally, the computer is a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. Optionally, the computer instructions are stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium. For example, the computer instructions can be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. Optionally, the computer-readable storage medium is any available medium that can be accessed by a computer or a data storage device such as a server or data center that includes one or more available media integrated therein. Optionally, the available medium is a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a digital video disk (DVD)), or a semiconductor medium (e.g., a solid state disk (SSD)).

以上所述,以上实施例仅用以说明本申请的技术方案,而非对其限制;尽管参照前述实施例对本申请进行了详细的说明,本领域的普通技术人员应当理解:其依然能够对前述各实施例所记载的技术方案进行修改,或者对其中部分技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本申请各实施例技术方案的范围。As described above, the above embodiments are only used to illustrate the technical solutions of the present application, rather than to limit them. Although the present application has been described in detail with reference to the above embodiments, ordinary technicians in this field should understand that they can still modify the technical solutions recorded in the above embodiments, or make equivalent replacements for some of the technical features therein. These modifications or replacements do not cause the essence of the corresponding technical solutions to deviate from the scope of the technical solutions of the embodiments of the present application.

Claims (22)

一种应用程序处理方法,其特征在于,所述方法包括:A method for processing an application, characterized in that the method comprises: 监控计算机设备上运行的样本程序是否加载网络动态链接库,所述网络动态链接库用于支持应用程序进行网络通信,所述网络动态链接库中包括一个或多个网络连接函数;Monitoring whether a sample program running on a computer device has loaded a network dynamic link library, wherein the network dynamic link library is used to support network communication of an application program, and the network dynamic link library includes one or more network connection functions; 响应于监控到所述样本程序加载所述网络动态链接库,判断目标内存块是否满足壳代码shellcode运行条件,所述目标内存块是所述样本程序中用于加载所述网络动态链接库的运行代码所在的内存块;In response to monitoring that the sample program loads the network dynamic link library, determining whether a target memory block meets a shellcode execution condition, the target memory block being a memory block where an execution code for loading the network dynamic link library in the sample program is located; 如果所述目标内存块满足所述shellcode运行条件,对所述样本程序执行恶意程序处理流程,其中,所述恶意程序处理流程包括:在所述样本程序调用成功所述网络动态链接库中的网络连接函数之前终止执行所述样本程序。If the target memory block meets the shellcode running condition, a malicious program processing flow is executed on the sample program, wherein the malicious program processing flow includes: terminating the execution of the sample program before the sample program successfully calls the network connection function in the network dynamic link library. 根据权利要求1所述的方法,其特征在于,当所述目标内存块满足以下多个条件中的任一条件时,确定所述目标内存块满足所述shellcode运行条件,所述多个条件包括:The method according to claim 1, wherein the target memory block is determined to meet the shellcode execution condition when the target memory block meets any one of the following conditions, the conditions comprising: 所述目标内存块的大小等于所述计算机设备的操作系统中的内存页大小;The size of the target memory block is equal to the memory page size in the operating system of the computer device; 所述目标内存块具有私有权限、可写权限和可执行权限;The target memory block has private permission, writable permission and executable permission; 所述目标内存块中包含可移动可执行PE文件的格式头。The target memory block includes a format header of a movable executable PE file. 根据权利要求1或2所述的方法,其特征在于,所述监控计算机设备上运行的样本程序是否加载网络动态链接库,包括:The method according to claim 1 or 2, wherein monitoring whether the sample program running on the computer device loads the network dynamic link library comprises: 通过第一钩子函数挂钩所述计算机设备的操作系统中的动态库加载函数,以监控所述样本程序是否加载所述网络动态链接库,所述动态库加载函数用于加载所述网络动态链接库。The dynamic library loading function in the operating system of the computer device is hooked by a first hook function to monitor whether the sample program loads the network dynamic link library, and the dynamic library loading function is used to load the network dynamic link library. 根据权利要求3所述的方法,其特征在于,所述第一钩子函数为所述样本程序中的用户态钩子函数,所述第一钩子函数是在所述样本程序启动后注入至所述样本程序中的;或者,所述第一钩子函数为所述计算机设备的内核中的内核态钩子函数。The method according to claim 3 is characterized in that the first hook function is a user-mode hook function in the sample program, and the first hook function is injected into the sample program after the sample program is started; or, the first hook function is a kernel-mode hook function in the kernel of the computer device. 根据权利要求1至4任一所述的方法,其特征在于,所述对所述样本程序执行恶意程序处理流程,包括:The method according to any one of claims 1 to 4, wherein executing a malicious program processing process on the sample program comprises: 获取所述样本程序尝试调用所述网络动态链接库中的网络连接函数时提供的网络连接参数,并在所述样本程序调用成功所述网络动态链接库中的网络连接函数之前终止执行所述样本程序,所述网络连接参数包括所述样本程序尝试连接的远程服务器的网络地址信息。Obtain network connection parameters provided by the sample program when attempting to call a network connection function in the network dynamic link library, and terminate execution of the sample program before the sample program successfully calls the network connection function in the network dynamic link library, wherein the network connection parameters include network address information of a remote server that the sample program attempts to connect to. 根据权利要求5所述的方法,其特征在于,所述获取所述样本程序尝试调用所述网络动态链接库中的网络连接函数时提供的网络连接参数,包括:The method according to claim 5, wherein obtaining the network connection parameters provided by the sample program when attempting to call the network connection function in the network dynamic link library comprises: 暂停执行所述样本程序,并在暂停期间通过第二钩子函数挂钩所述网络动态链接库中的网络连接函数;Pausing the execution of the sample program, and hooking the network connection function in the network dynamic link library through a second hook function during the suspension period; 在通过所述第二钩子函数对所述网络动态链接库中的网络连接函数挂钩完成之后,恢复执行所述样本程序;After the network connection function in the network dynamic link library is hooked by the second hook function, resuming execution of the sample program; 响应于所述样本程序调用所述网络动态链接库中的网络连接函数,通过所述第二钩子函数获取所述样本程序调用所述网络连接函数时提供的所述网络连接参数。In response to the sample program calling the network connection function in the network dynamic link library, the network connection parameters provided by the sample program when calling the network connection function are obtained through the second hook function. 根据权利要求6所述的方法,其特征在于,所述第二钩子函数为所述样本程序中的用户态钩子函数,所述第二钩子函数是在所述样本程序启动后注入至所述样本程序中的;或者,所述第二钩子函数为所述计算机设备的内核中的内核态钩子函数。The method according to claim 6 is characterized in that the second hook function is a user-mode hook function in the sample program, and the second hook function is injected into the sample program after the sample program is started; or, the second hook function is a kernel-mode hook function in the kernel of the computer device. 根据权利要求5至7任一所述的方法,其特征在于,所述方法还包括:The method according to any one of claims 5 to 7, characterized in that the method further comprises: 向部署于所述计算机设备与所述远程服务器之间的防护设备发送所述远程服务器的网络地址信息,所述远程服务器的网络地址信息用于所述防护设备拦截来自所述远程服务器的流量和/或发往所述远程服务器的流量。The network address information of the remote server is sent to a protection device deployed between the computer device and the remote server, and the network address information of the remote server is used by the protection device to intercept traffic from and/or traffic to the remote server. 根据权利要求5至8任一所述的方法,其特征在于,所述远程服务器的网络地址信息包括所述远程服务器的互联网协议IP地址、所述远程服务器的域名地址或所述远程服务器的端口号中的一个或多个。The method according to any one of claims 5 to 8 is characterized in that the network address information of the remote server includes one or more of the Internet Protocol IP address of the remote server, the domain name address of the remote server, or the port number of the remote server. 根据权利要求1至9任一所述的方法,其特征在于,所述方法由运行于所述计算机设备中的安全软件执行。The method according to any one of claims 1 to 9, characterized in that the method is performed by security software running on the computer device. 一种计算机设备,其特征在于,包括:存储器、网络接口和至少一个处理器,A computer device, comprising: a memory, a network interface, and at least one processor, 所述存储器用于存储程序指令,The memory is used to store program instructions, 所述至少一个处理器读取所述存储器中保存的程序指令后,使得所述计算机设备执行以下操作:After the at least one processor reads the program instructions stored in the memory, the computer device is caused to perform the following operations: 监控所述计算机设备上运行的样本程序是否加载网络动态链接库,所述网络动态链接库用于支持应用程序进行网络通信,所述网络动态链接库中包括一个或多个网络连接函数;monitoring whether a sample program running on the computer device has loaded a network dynamic link library, wherein the network dynamic link library is used to support network communication of the application program, and the network dynamic link library includes one or more network connection functions; 响应于监控到所述样本程序加载所述网络动态链接库,判断目标内存块是否满足壳代码shellcode运行条件,所述目标内存块是所述样本程序中用于加载所述网络动态链接库的运行代码所在的内存块;In response to monitoring that the sample program loads the network dynamic link library, determining whether a target memory block meets a shellcode execution condition, the target memory block being a memory block where an execution code for loading the network dynamic link library in the sample program is located; 如果所述目标内存块满足所述shellcode运行条件,对所述样本程序执行恶意程序处理流程,其中,所述恶意程序处理流程包括:在所述样本程序调用成功所述网络动态链接库中的网络连接函数之前终止执行所述样本程序。If the target memory block meets the shellcode running condition, a malicious program processing flow is executed on the sample program, wherein the malicious program processing flow includes: terminating the execution of the sample program before the sample program successfully calls the network connection function in the network dynamic link library. 根据权利要求11所述的计算机设备,其特征在于,当所述目标内存块满足以下多个条件中的任一条件时,确定所述目标内存块满足所述shellcode运行条件,所述多个条件包括:The computer device according to claim 11, wherein the target memory block is determined to meet the shellcode execution condition when the target memory block meets any one of the following conditions, the conditions comprising: 所述目标内存块的大小等于所述计算机设备的操作系统中的内存页大小;The size of the target memory block is equal to the memory page size in the operating system of the computer device; 所述目标内存块具有私有权限、可写权限和可执行权限;The target memory block has private permission, writable permission and executable permission; 所述目标内存块中包含可移动可执行PE文件的格式头。The target memory block includes a format header of a movable executable PE file. 根据权利要求11或12所述的计算机设备,其特征在于,所述程序指令被所述至少一个处理器读取后,使得所述计算机设备执行以下操作:The computer device according to claim 11 or 12, wherein after the program instructions are read by the at least one processor, the computer device performs the following operations: 通过第一钩子函数挂钩所述计算机设备的操作系统中的动态库加载函数,以监控所述样本程序是否加载所述网络动态链接库,所述动态库加载函数用于加载所述网络动态链接库。The dynamic library loading function in the operating system of the computer device is hooked through a first hook function to monitor whether the sample program loads the network dynamic link library, and the dynamic library loading function is used to load the network dynamic link library. 根据权利要求13所述的计算机设备,其特征在于,所述第一钩子函数为所述样本程序中的用户态钩子函数,所述第一钩子函数是在所述样本程序启动后注入至所述样本程序中的;或者,所述第一钩子函数为所述计算机设备的内核中的内核态钩子函数。The computer device according to claim 13 is characterized in that the first hook function is a user-mode hook function in the sample program, and the first hook function is injected into the sample program after the sample program is started; or, the first hook function is a kernel-mode hook function in the kernel of the computer device. 根据权利要求11至14任一所述的计算机设备,其特征在于,所述程序指令被所述至少一个处理器读取后,使得所述计算机设备执行以下操作:The computer device according to any one of claims 11 to 14, wherein after the program instructions are read by the at least one processor, the computer device performs the following operations: 如果所述目标内存块满足所述shellcode运行条件,获取所述样本程序尝试调用所述网络动态链接库中的网络连接函数时提供的网络连接参数,并在所述样本程序调用成功所述网络动态链接库中的网络连接函数之前终止执行所述样本程序,所述网络连接参数包括所述样本程序尝试连接的远程服务器的网络地址信息。If the target memory block meets the shellcode execution condition, network connection parameters provided by the sample program when attempting to call a network connection function in the network dynamic link library are obtained, and execution of the sample program is terminated before the sample program successfully calls the network connection function in the network dynamic link library, wherein the network connection parameters include network address information of a remote server that the sample program attempts to connect to. 根据权利要求15所述的计算机设备,其特征在于,所述程序指令被所述至少一个处理器读取后,使得所述计算机设备执行以下操作:The computer device according to claim 15, wherein after the program instructions are read by the at least one processor, the computer device performs the following operations: 如果所述目标内存块满足所述shellcode运行条件,暂停执行所述样本程序,并在暂停期间通过第二钩子函数挂钩所述网络动态链接库中的网络连接函数;If the target memory block meets the shellcode running condition, suspending the execution of the sample program, and hooking the network connection function in the network dynamic link library through the second hook function during the suspension; 在通过所述第二钩子函数对所述网络动态链接库中的网络连接函数挂钩完成之后,恢复执行所述样本程序;After the network connection function in the network dynamic link library is hooked by the second hook function, resuming execution of the sample program; 响应于所述样本程序调用所述网络动态链接库中的网络连接函数,通过所述第二钩子函数获取所述样本程序调用所述网络连接函数时提供的所述网络连接参数;In response to the sample program calling a network connection function in the network dynamic link library, obtaining, through the second hook function, the network connection parameters provided by the sample program when calling the network connection function; 在所述样本程序调用成功所述网络动态链接库中的网络连接函数之前终止执行所述样本程序。The execution of the sample program is terminated before the sample program successfully calls the network connection function in the network dynamic link library. 根据权利要求16所述的计算机设备,其特征在于,所述第二钩子函数为所述样本程序中的用户态钩子函数,所述第二钩子函数是在所述样本程序启动后注入至所述样本程序中的;或者,所述第二钩子函数为所述计算机设备的内核中的内核态钩子函数。The computer device according to claim 16 is characterized in that the second hook function is a user-mode hook function in the sample program, and the second hook function is injected into the sample program after the sample program is started; or, the second hook function is a kernel-mode hook function in the kernel of the computer device. 根据权利要求15至17任一所述的计算机设备,其特征在于,所述程序指令被所述至少一个处理器读取后,使得所述计算机设备还执行以下操作:The computer device according to any one of claims 15 to 17, wherein after the program instructions are read by the at least one processor, the computer device further performs the following operations: 向部署于所述计算机设备与所述远程服务器之间的防护设备发送所述远程服务器的网络地址信息,所述远程服务器的网络地址信息用于所述防护设备拦截来自所述远程服务器的流量和/或发往所述远程服务器的流量。The network address information of the remote server is sent to a protection device deployed between the computer device and the remote server, and the network address information of the remote server is used by the protection device to intercept traffic from and/or traffic to the remote server. 根据权利要求15至18任一所述的计算机设备,其特征在于,所述远程服务器的网络地址信息包括所述远程服务器的互联网协议IP地址、所述远程服务器的域名地址或所述远程服务器的端口号中的一个或多个。The computer device according to any one of claims 15 to 18 is characterized in that the network address information of the remote server includes one or more of an Internet Protocol (IP) address of the remote server, a domain name address of the remote server, or a port number of the remote server. 一种攻击防御系统,其特征在于,包括:计算机设备和防护设备,所述计算机设备位于所述防护设备所保护的受保护网络内;An attack defense system, characterized by comprising: a computer device and a protection device, wherein the computer device is located in a protected network protected by the protection device; 所述计算机设备用于监控所述计算机设备上运行的样本程序是否加载网络动态链接库,所述网络动态链接库用于支持应用程序进行网络通信,所述网络动态链接库中包括一个或多个网络连接函数;The computer device is used to monitor whether the sample program running on the computer device has loaded a network dynamic link library, wherein the network dynamic link library is used to support the application program to perform network communication, and the network dynamic link library includes one or more network connection functions; 所述计算机设备还用于响应于监控到所述样本程序加载所述网络动态链接库,判断目标内存块是否满足壳代码shellcode运行条件,所述目标内存块是所述样本程序中用于加载所述网络动态链接库的运行代码所在的内存块;以及,如果所述目标内存块满足所述shellcode运行条件,对所述样本程序执行恶意程序处理流程,其中,所述恶意程序处理流程包括:获取所述样本程序尝试调用所述网络动态链接库中的网络连接函数时提供的网络连接参数,并在所述样本程序调用成功所述网络动态链接库中的网络连接函数之前终止执行所述样本程序,所述网络连接参数包括所述样本程序尝试连接的远程服务器的网络地址信息;The computer device is further configured to, in response to monitoring that the sample program loads the network dynamic link library, determine whether a target memory block satisfies a shellcode running condition, the target memory block being a memory block in the sample program where the running code for loading the network dynamic link library is located; and, if the target memory block satisfies the shellcode running condition, execute a malicious program processing flow for the sample program, wherein the malicious program processing flow comprises: obtaining network connection parameters provided when the sample program attempts to call a network connection function in the network dynamic link library, and terminating execution of the sample program before the sample program successfully calls the network connection function in the network dynamic link library, the network connection parameters comprising network address information of a remote server to which the sample program attempts to connect; 所述计算机设备还用于向所述防护设备发送所述远程服务器的网络地址信息;The computer device is further configured to send the network address information of the remote server to the protection device; 所述防护设备用于根据所述远程服务器的网络地址信息拦截来自所述远程服务器的流量和/或发往所述远程服务器的流量。The protection device is used to intercept traffic from the remote server and/or traffic destined for the remote server according to the network address information of the remote server. 一种计算机可读存储介质,其特征在于,所述计算机可读存储介质上存储有指令,当所述指令被处理器执行时,实现如权利要求1至10任一所述的方法。A computer-readable storage medium, characterized in that instructions are stored on the computer-readable storage medium, and when the instructions are executed by a processor, the method according to any one of claims 1 to 10 is implemented. 一种计算机程序产品,其特征在于,包括计算机程序,所述计算机程序被处理器执行时,实现如权利要求1至10任一所述的方法。A computer program product, characterized in that it comprises a computer program, and when the computer program is executed by a processor, it implements the method according to any one of claims 1 to 10.
PCT/CN2024/143017 2024-03-11 2024-12-27 Application processing method and apparatus, and attack defense system Pending WO2025189909A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202410272421.3A CN120632867A (en) 2024-03-11 2024-03-11 Application processing method and device, attack defense system
CN202410272421.3 2024-03-11

Publications (1)

Publication Number Publication Date
WO2025189909A1 true WO2025189909A1 (en) 2025-09-18

Family

ID=96950759

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2024/143017 Pending WO2025189909A1 (en) 2024-03-11 2024-12-27 Application processing method and apparatus, and attack defense system

Country Status (2)

Country Link
CN (1) CN120632867A (en)
WO (1) WO2025189909A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106991324A (en) * 2017-03-30 2017-07-28 兴华永恒(北京)科技有限责任公司 It is a kind of that the malicious code Tracking Recognition method that type is monitored is protected based on internal memory
US10210329B1 (en) * 2015-09-30 2019-02-19 Fireeye, Inc. Method to detect application execution hijacking using memory protection
CN112395610A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 Detection method and device for kernel layer shellcode
CN112395609A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 Detection method and device for application layer shellcode
CN115600204A (en) * 2022-10-26 2023-01-13 安芯网盾(北京)科技有限公司(Cn) Method and system for detecting shellcode malicious code and computer equipment

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10210329B1 (en) * 2015-09-30 2019-02-19 Fireeye, Inc. Method to detect application execution hijacking using memory protection
CN106991324A (en) * 2017-03-30 2017-07-28 兴华永恒(北京)科技有限责任公司 It is a kind of that the malicious code Tracking Recognition method that type is monitored is protected based on internal memory
CN112395610A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 Detection method and device for kernel layer shellcode
CN112395609A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 Detection method and device for application layer shellcode
CN115600204A (en) * 2022-10-26 2023-01-13 安芯网盾(北京)科技有限公司(Cn) Method and system for detecting shellcode malicious code and computer equipment

Also Published As

Publication number Publication date
CN120632867A (en) 2025-09-12

Similar Documents

Publication Publication Date Title
US12192170B2 (en) System and method for implementing content and network security inside a chip
US11036836B2 (en) Systems and methods for providing real time security and access monitoring of a removable media device
CA3006003C (en) Dual memory introspection for securing multiple network endpoints
US10599841B2 (en) System and method for reverse command shell detection
RU2738021C2 (en) System and methods for decrypting network traffic in a virtualized environment
US9912681B1 (en) Injection of content processing delay in an endpoint
ES2869400T3 (en) Systems and methods for using a reputation indicator to facilitate malware scanning
US7644271B1 (en) Enforcement of security policies for kernel module loading
JP6243479B2 (en) Inoculators and antibodies for computer security
WO2025189909A1 (en) Application processing method and apparatus, and attack defense system
US20250392567A1 (en) System and method for implementing content and network security inside a chip
CN120671126A (en) Method, device, equipment, storage medium and program product for processing malicious program
Ammeson et al. Enhancing ACLs with Host-Context
Kilpeläinen Privacy and Security of Smartphone Platforms
Zhong et al. Design and Implement of Host Security Monitoring System
HK1254985B (en) Dual memory introspection for securing multiple network endpoints

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 24929352

Country of ref document: EP

Kind code of ref document: A1