CN104008336A - ShellCode detecting method and device - Google Patents
- Publication number: CN104008336A (application CN201410191246.1A)
- Authority: CN (China)
- Prior art keywords: shellcode, file, analysis, module, instruction sequence
- Legal status: Granted
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/565—Static detection by checking file integrity
Abstract
The invention provides a ShellCode detection method and device. The method comprises: building a ShellCode instruction-sequence feature library that contains ShellCode feature sequences; loading a file to be detected and parsing it to form a parsed file; performing simulated execution and analysis of the instructions in the parsed file, recording suspicious instruction sequences and comparing them with the ShellCode feature sequences in the feature library to determine whether the parsed file contains ShellCode; and outputting the detection result. The invention can detect ShellCode before it executes, which prevents its effect on the system and blocks its opportunity for malicious tampering in time.
Description
Technical Field
The invention relates to the field of network security, and in particular to a ShellCode detection method and device.
Background
At present, buffer overflows are a main springboard for many system attacks and for gaining control of a system. Carrying out a buffer-overflow attack in practice requires ShellCode, so the attack data necessarily contains the corresponding ShellCode. Strengthening the detection of attacks such as buffer overflows is therefore an important research topic in information security. At the same time, widely used document-processing software such as Office and Adobe Reader has become a springboard for many ShellCode attacks: many attackers hide ShellCode in commonly used documents such as DOC and PDF files.
Current ShellCode detection is mainly divided into static detection and dynamic detection. Static ShellCode detection generally uses pattern matching and static disassembly: the data is scanned and analysed, and possible ShellCode is identified from the signatures in a ShellCode knowledge base. It is fast, but it is not well targeted and cannot detect unknown ShellCode. Moreover, static binary analysis does not actually execute instructions, so it cannot automatically capture control transfers and relies entirely on manual analysis of the program's control-flow graph.
Dynamic ShellCode detection treats the data stream as executable code and simulates its execution. Because the program is actually run, control transfers between instructions are captured automatically, the program's accesses to runtime data can be monitored and analysed, and code-obfuscation techniques have no effect. However, existing ShellCode detection based on memory search only runs after the ShellCode has already been loaded into memory, so the changes made by the ShellCode are hard to prevent, and with large data volumes the memory cannot be searched accurately and efficiently. ShellCode detection based on virtual execution requires virtual-machine support, large data volumes require deploying many virtual machines, and much current ShellCode includes anti-virtual-machine functionality.
In addition, most technologies implemented so far target the analysis of network data streams; support for detecting ShellCode that attacks local programs is insufficient, and the damage the ShellCode has already done to the system cannot be avoided.
Summary of the Invention
(1) Technical problem to be solved
The invention provides a ShellCode detection method and device to solve two problems of the prior art: detection is possible only after the ShellCode has run, so damage already done to the system cannot be avoided; and obfuscation techniques make ShellCode difficult to detect statically.
(2) Technical solution
To solve the above technical problems, the invention provides a ShellCode detection method, comprising:
building a ShellCode instruction-sequence feature library containing ShellCode feature sequences;
loading a file to be detected and parsing it to form a parsed file;
performing simulated execution and analysis of the instructions in the parsed file, recording suspicious instruction sequences and comparing them with the ShellCode feature sequences in the feature library, to determine whether the parsed file contains ShellCode;
outputting the detection result.
Further, parsing the file to be detected to form a parsed file comprises:
parsing according to the type of the file to be detected and converting it into a parsed file in a unified format.
Further, the document types include:
one or more of DOC, DOCX, XLS, XLSX, PPT, PPTX and PDF.
Further, performing simulated execution and analysis of the instructions in the parsed file, recording suspicious instruction sequences, comparing them with the ShellCode feature sequences in the feature library and determining whether the parsed file contains ShellCode comprises:
Step S1: initialise the suspicious-instruction-sequence step count;
Step S2: treat the parsed file as a binary string and perform simulated execution and analysis of its instructions; when a suspicious instruction is detected, go to step S3, otherwise go to step S6;
Step S3: add 1 to the suspicious-instruction-sequence step count;
Step S4: compare the step count with the threshold of the ShellCode feature sequence in the feature library; if the threshold is reached, go to step S5, otherwise go to step S6;
Step S5: determine that the parsed file data contains ShellCode and record alarm information;
Step S6: determine whether all data in the parsed file has been checked; if so, determine that the parsed file does not contain ShellCode, otherwise return to step S2.
Further, the method also comprises:
updating the ShellCode feature sequences in the feature library using the ShellCode detection results.
In another aspect, the invention also provides a ShellCode detection device, comprising a feature library module, a scheduling module, a file parsing module, a simulation analysis module and a result output module. The scheduling module is connected to the file parsing module, and the simulation analysis module is connected to the feature library module, the file parsing module and the result output module, wherein:
the feature library module is used to build a ShellCode instruction-sequence feature library containing ShellCode feature sequences;
the scheduling module is used to load the file to be detected;
the file parsing module is used to parse the file to be detected to form a parsed file;
the simulation analysis module is used to perform simulated execution and analysis of the instructions in the parsed file, record suspicious instruction sequences, compare them with the ShellCode feature sequences in the feature library and determine whether the parsed file contains ShellCode;
the result output module is used to output the detection result.
Further, the file parsing module is also used to:
parse according to the type of the file to be detected and convert it into a parsed file in a unified format.
Further, the simulation analysis module is also used to perform the following steps:
Step S1: initialise the suspicious-instruction-sequence step count;
Step S2: treat the parsed file as a binary string and perform simulated execution and analysis of its instructions; when a suspicious instruction is detected, go to step S3, otherwise go to step S6;
Step S3: add 1 to the suspicious-instruction-sequence step count;
Step S4: compare the step count with the threshold of the ShellCode feature sequence in the feature library; if so, go to step S5, otherwise go to step S6;
Step S5: determine that the parsed file data contains ShellCode and record alarm information;
Step S6: determine whether all data in the parsed file has been checked; if so, determine that the parsed file does not contain ShellCode, otherwise return to step S2.
Further, the simulation analysis module is:
an instruction simulator that can execute a specified number of steps and can simulate the registers and/or the key components required to execute FPU instructions.
Further, the device also comprises:
an update module, connected to the feature library module and the result output module, used to update the ShellCode feature sequences in the feature library using the ShellCode detection results.
(3) Beneficial effects
It can be seen that the ShellCode detection method and device provided by the embodiments of the invention use document analysis and instruction simulation: the file to be detected is parsed, simulated instructions are used to determine whether a suspicious instruction sequence exists, and that sequence is compared with the pre-built instruction-sequence feature library to decide whether ShellCode is present. The method detects ShellCode before it executes, which prevents its effect on the system and blocks its opportunity for malicious tampering in time. Furthermore, the embodiments analyse instruction sequences without deploying a complete virtual machine, which lowers deployment requirements and cost.
Brief Description of the Drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for their description are briefly introduced below. Obviously, the drawings described below show some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of the basic ShellCode detection method of an embodiment of the invention;
Fig. 2 is a schematic flowchart of a preferred ShellCode detection method of an embodiment of the invention;
Fig. 3 is a schematic diagram of the ShellCode judging process of an embodiment of the invention;
Fig. 4 is a schematic diagram of the basic structure of a ShellCode detection device of an embodiment of the invention;
Fig. 5 is a schematic diagram of a preferred structure of a ShellCode detection device of an embodiment of the invention.
Detailed Description
To make the purpose, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
ShellCode is the execution payload of a vulnerability attack: a complete attack needs an exploitation technique and ShellCode working together to achieve its intended effect. To address this, an embodiment of the invention first provides a ShellCode detection method, shown in Fig. 1, comprising:
Step 101: build a ShellCode instruction-sequence feature library containing ShellCode feature sequences.
Step 102: load the file to be detected and parse it to form a parsed file.
Step 103: perform simulated execution and analysis of the instructions in the parsed file, record suspicious instruction sequences and compare them with the ShellCode feature sequences in the feature library, to determine whether the parsed file contains ShellCode.
Step 104: output the detection result.
It can be seen that the ShellCode detection method provided by the embodiment of the invention uses document analysis and instruction simulation: the file to be detected is parsed, simulated instructions are used to determine whether a suspicious instruction sequence exists, and that sequence is compared with the pre-built instruction-sequence feature library to decide whether ShellCode is present. The method detects ShellCode before it executes, which prevents its effect on the system and blocks its opportunity for malicious tampering in time. Furthermore, the embodiment analyses instruction sequences without deploying a complete virtual machine, which lowers deployment requirements and cost.
Embodiments of the invention can recognise various file types. Preferably, parsing the file to be detected to form a parsed file may comprise: parsing according to the type of the file to be detected and converting it into a parsed file in a unified format.
Preferably, the document types may include one or more of DOC, DOCX, XLS, XLSX, PPT, PPTX and PDF.
Preferably, performing simulated execution and analysis of the instructions in the parsed file, recording suspicious instruction sequences, comparing them with the ShellCode feature sequences in the feature library and determining whether the parsed file contains ShellCode may specifically comprise the following steps:
Step S1: initialise the suspicious-instruction-sequence step count;
Step S2: treat the parsed file as a binary string and perform simulated execution and analysis of its instructions; when a suspicious instruction is detected, go to step S3, otherwise go to step S6;
Step S3: add 1 to the suspicious-instruction-sequence step count;
Step S4: compare the step count with the threshold of the ShellCode feature sequence in the feature library; if the threshold is reached, go to step S5, otherwise go to step S6;
Step S5: determine that the parsed file data contains ShellCode and record alarm information;
Step S6: determine whether all data in the parsed file has been checked; if so, determine that the parsed file does not contain ShellCode, otherwise return to step S2.
The method of the embodiments can also update the ShellCode instruction-sequence feature library promptly and continuously adjust and correct it to avoid future misjudgements. Preferably, the method may also comprise: updating the ShellCode feature sequences in the feature library using the ShellCode detection results.
The specific implementation of the embodiment is described in detail below using a concrete ShellCode detection process as an example, shown in Fig. 2:
Step 201: build a ShellCode instruction-sequence feature library containing ShellCode feature sequences.
In this step, a ShellCode instruction-sequence feature library containing the known ShellCode feature sequences is built first.
Step 202: load the file to be detected and parse it to form a parsed file.
In this step, the file to be detected is loaded first, its file type is identified, and it is parsed according to the identified type to form a parsed file in a unified format.
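As an added illustration of this step (example code written for this page, not the patent's or any product's implementation), the following Python identifies a document's container type from its leading bytes and flattens an OOXML archive into one unified byte buffer of the kind the simulation step would scan. The magic numbers are public file-format facts; the type names, the OOXML flattening rule (decompress every ZIP member and concatenate) and the sample document are the example's own constructions, and OLE2 and PDF files are passed through as raw bytes here rather than parsed.

```python
"""Added example, not the patent's code: identify a document's container
type from its header and flatten it into one unified byte buffer."""
import io
import zipfile

# Well-known container magic numbers (public file-format facts).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy DOC/XLS/PPT (OLE2)
ZIP_MAGIC = b"PK\x03\x04"                         # DOCX/XLSX/PPTX (OOXML = ZIP)
PDF_MAGIC = b"%PDF"


def identify_type(data: bytes) -> str:
    """Return a coarse container type from the file header, or 'unknown'.
    The type names are this example's own labels."""
    if data.startswith(OLE_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def to_unified_format(data: bytes) -> bytes:
    """Produce the single binary string a later scan step would walk.

    OOXML is a ZIP archive whose members are usually deflate-compressed,
    so a linear scan of the raw file would miss anything embedded in
    them; decompress every member and concatenate the results.
    OLE2 and PDF are returned as-is in this illustration (a real parser
    would also inflate PDF FlateDecode streams and walk OLE2 sectors).
    """
    if identify_type(data) == "ooxml":
        parts = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                parts.append(zf.read(info))
        return b"".join(parts)
    return data


def build_sample_docx(payload: bytes) -> bytes:
    """Constructed sample: a minimal ZIP laid out like an OOXML document,
    with one deflate-compressed member carrying an arbitrary blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/embeddings/blob.bin", payload)
    return buf.getvalue()


if __name__ == "__main__":
    payload = b"\x90" * 16 + b"\xCC"          # constructed marker bytes
    sample = build_sample_docx(payload)
    print(identify_type(sample))               # ooxml
    print(payload in to_unified_format(sample))  # True
```

The point of the unified format is visible in the sample: the marker bytes are only recoverable after the ZIP members are inflated, which is why the patent parses by file type before handing the data to the instruction simulator.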
Step 203: perform simulated instruction execution and analysis on the parsed file and determine whether it contains ShellCode.
In this step, an instruction simulator similar to LibEmu is invoked. By simulating the execution of assembly instructions, suspicious instruction sequences are recorded and compared with the feature sequences in the ShellCode instruction-sequence feature library to analyse whether the file contains ShellCode.
The specific steps are shown in Fig. 3. When the state machine is initialised, the recorded suspicious-instruction-sequence step count is set to 0. When judging whether an instruction is suspicious, the parsed document data is treated as a binary string and the instruction simulator simulates the registers, FPU and other components to execute the instructions and analyse them, looking for suspicious ShellCode. When a suspicious instruction is detected, the state of the state machine is updated and its suspicious-instruction step count is increased by 1.
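The state machine of steps S1 to S6 and Fig. 3, as an added Python example (not the patent's code and not LibEmu): a toy decoder stands in for the instruction simulator, the feature library entries carry a step threshold, the S1..S6 loop records a suspicious run and alarms when the threshold is reached, and the step-204 feedback adjusts a threshold after a reviewed false positive. The decoder's opcode subset, the feature names and thresholds, the sample buffers, and the decision to reset the step count when a non-suspicious instruction is met are all this example's assumptions, not statements from the patent.

```python
"""Added example, not the patent's code: the S1..S6 detection loop run
over a parsed file treated as one binary string, with a toy decoder in
place of a real instruction simulator such as LibEmu."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Toy "instruction simulator": decodes a handful of one-byte x86 opcodes
# (publicly documented encodings). Enough to drive the state machine;
# real detection needs a full decoder plus register/FPU emulation.
ONE_BYTE_OPCODES = {0x90: "nop", 0xC3: "ret", 0xCC: "int3"}
for _reg in range(8):
    ONE_BYTE_OPCODES[0x50 + _reg] = "push"   # push r32
    ONE_BYTE_OPCODES[0x58 + _reg] = "pop"    # pop r32


def decode(buf: bytes, pos: int) -> Tuple[str, int]:
    """Return (mnemonic, length). Anything else is treated as data ('db')."""
    return ONE_BYTE_OPCODES.get(buf[pos], "db"), 1


@dataclass
class Feature:
    """One feature-library entry (constructed format): the mnemonics that
    count as suspicious and the step threshold that triggers an alarm."""
    name: str
    suspicious: frozenset
    threshold: int


@dataclass
class Alert:
    feature: str
    offset: int            # where the suspicious run began in the buffer
    sequence: List[str]    # the recorded suspicious instruction sequence


@dataclass
class FeatureLibrary:
    features: List[Feature] = field(default_factory=list)

    def update_from_result(self, alert: Alert, confirmed: bool) -> None:
        """Step-204 feedback: adjust the library from a reviewed result.
        A confirmed false positive raises that feature's threshold past the
        run length that tripped it; a confirmed hit leaves it unchanged."""
        if confirmed:
            return
        for feat in self.features:
            if feat.name == alert.feature:
                feat.threshold = max(feat.threshold, len(alert.sequence) + 1)


def scan(parsed: bytes, library: FeatureLibrary) -> Optional[Alert]:
    """Run steps S1..S6 once per feature; return the first alarm or None."""
    for feat in library.features:
        step = 0                      # S1: initialise the step count
        run_start = 0
        recorded: List[str] = []
        pos = 0
        while pos < len(parsed):      # S6: stop once all data is checked
            mnem, length = decode(parsed, pos)   # S2: simulate one instruction
            if mnem in feat.suspicious:
                if step == 0:
                    run_start = pos
                step += 1                          # S3
                recorded.append(mnem)
                if step >= feat.threshold:         # S4: threshold reached?
                    return Alert(feat.name, run_start, recorded)  # S5
            else:
                # Assumption the patent does not spell out: a non-suspicious
                # instruction ends the run, so stray hits scattered through
                # the file do not accumulate into a false alarm.
                step, recorded = 0, []
            pos += length
    return None                        # S6: everything checked, no ShellCode


def build_sample_library() -> FeatureLibrary:
    """Constructed library: two generic run-length features."""
    return FeatureLibrary([
        Feature("nop-sled", frozenset({"nop"}), threshold=8),
        Feature("push-pop-run", frozenset({"push", "pop"}), threshold=6),
    ])


# Constructed inputs: benign text, a NOP run after some PDF-looking text,
# and an ASCII run whose bytes happen to decode as push/pop.
SAMPLE_BENIGN = b"Hello, world. Nothing to see here."
SAMPLE_PREFIX = b"%PDF-1.4 stream\n"
SAMPLE_SLED = SAMPLE_PREFIX + b"\x90" * 12 + b"\xC3"
SAMPLE_TEXT = b"TUVWXY"

if __name__ == "__main__":
    lib = build_sample_library()
    print(scan(SAMPLE_BENIGN, lib))     # None
    print(scan(SAMPLE_SLED, lib))       # Alert(feature='nop-sled', offset=16, ...)
    fp = scan(SAMPLE_TEXT, lib)         # Alert(feature='push-pop-run', ...)
    lib.update_from_result(fp, confirmed=False)
    print(scan(SAMPLE_TEXT, lib))       # None once the threshold is raised
```

The third sample shows why the patent pairs detection with library updates: uppercase ASCII bytes 0x50 to 0x5F decode as push and pop, so ordinary text can look like a short instruction run to any byte-level heuristic, and the threshold has to be tuned from reviewed results rather than fixed once.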
Step 204: output the detection result and update the ShellCode instruction-sequence feature library.
In this step, the final detection result is output, and the ShellCode instruction-sequence feature library is updated and adjusted according to the result to avoid future misjudgements.
This completes the whole process of the ShellCode detection method of the embodiment of the invention.
An embodiment of the invention also provides a ShellCode detection device, shown in Fig. 4, comprising a feature library module 401, a scheduling module 402, a file parsing module 403, a simulation analysis module 404 and a result output module 405, wherein:
the feature library module 401 is used to build a ShellCode instruction-sequence feature library containing ShellCode feature sequences;
the scheduling module 402 is used to load the file to be detected;
the file parsing module 403 is used to parse the file to be detected to form a parsed file;
the simulation analysis module 404 is used to perform simulated execution and analysis of the instructions in the parsed file, record suspicious instruction sequences, compare them with the ShellCode feature sequences in the feature library and determine whether the parsed file contains ShellCode;
the result output module 405 is used to output the detection result.
Preferably, the file parsing module 403 may also be used to parse according to the type of the file to be detected and convert it into a parsed file in a unified format.
Preferably, the simulation analysis module 404 is also used to perform the following steps:
Step S1: initialise the suspicious-instruction-sequence step count;
Step S2: treat the parsed file as a binary string and perform simulated execution and analysis of its instructions; when a suspicious instruction is detected, go to step S3, otherwise go to step S6;
Step S3: add 1 to the suspicious-instruction-sequence step count;
Step S4: compare the step count with the threshold of the ShellCode feature sequence in the feature library; if so, go to step S5, otherwise go to step S6;
Step S5: determine that the parsed file data contains ShellCode and record alarm information;
Step S6: determine whether all data in the parsed file has been checked; if so, determine that the parsed file does not contain ShellCode, otherwise return to step S2.
Preferably, the simulation analysis module 303 may be an instruction simulator that can simulate components such as the registers and the FPU and can simulate execution for a specified number of steps.
Preferably, the device may also comprise an update module 501, shown in Fig. 5, connected to the feature library module 401 and the result output module 405 respectively, used to update the ShellCode feature sequences in the feature library using the ShellCode detection results.
It can be seen that the embodiments of the invention have the following beneficial effects:
The ShellCode detection method and device provided by the embodiments of the invention use document analysis and instruction simulation: the file to be detected is parsed, simulated instructions are used to determine whether a suspicious instruction sequence exists, and that sequence is compared with the pre-built instruction-sequence feature library to decide whether ShellCode is present. The method detects ShellCode before it executes, which prevents its effect on the system and blocks its opportunity for malicious tampering in time. Furthermore, the embodiments analyse instruction sequences without deploying a complete virtual machine, which lowers deployment requirements and cost.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the embodiments can still be modified, or some of their technical features replaced by equivalents, without these modifications or replacements departing in essence from the spirit and scope of the technical solutions of the embodiments of the invention.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410191246.1A CN104008336B (en) | 2014-05-07 | 2014-05-07 | ShellCode detecting method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104008336A true CN104008336A (en) | 2014-08-27 |
| CN104008336B CN104008336B (en) | 2017-04-12 |
Family ID: 51368986
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410191246.1A Active CN104008336B (en) | 2014-05-07 | 2014-05-07 | ShellCode detecting method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104008336B (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105868630A (en) * | 2016-03-24 | 2016-08-17 | 中国科学院信息工程研究所 | Malicious PDF document detection method |
| CN106372507A (en) * | 2016-08-30 | 2017-02-01 | 北京奇虎科技有限公司 | Method and device for detecting malicious document |
| CN106874758A (en) * | 2016-08-22 | 2017-06-20 | 阿里巴巴集团控股有限公司 | A kind of method and apparatus for recognizing document code |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2011102605A2 (en) * | 2010-02-19 | 2011-08-25 | Park Hee Jung | Service system that diagnoses the vulnerability of a web service in real time mode and provides the result information thereof |
| CN102243699A (en) * | 2011-06-09 | 2011-11-16 | 深圳市安之天信息技术有限公司 | Malicious code detection method and system |
| CN102609649A (en) * | 2012-02-06 | 2012-07-25 | 北京百度网讯科技有限公司 | Method and device for collecting malicious software automatically |
| CN102622543A (en) * | 2012-02-06 | 2012-08-01 | 北京百度网讯科技有限公司 | Method and device for dynamically detecting malicious webpage scripts |
| US20120216046A1 (en) * | 2011-02-22 | 2012-08-23 | Raytheon Company | System and Method for Decrypting Files |
| CN102955913A (en) * | 2011-08-25 | 2013-03-06 | 腾讯科技(深圳)有限公司 | Method and system for detecting hung Trojans of web page |
- 2014-05-07 CN CN201410191246.1A patent/CN104008336B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2011102605A2 (en) * | 2010-02-19 | 2011-08-25 | Park Hee Jung | Service system that diagnoses the vulnerability of a web service in real time mode and provides the result information thereof |
| US20120216046A1 (en) * | 2011-02-22 | 2012-08-23 | Raytheon Company | System and Method for Decrypting Files |
| CN102243699A (en) * | 2011-06-09 | 2011-11-16 | 深圳市安之天信息技术有限公司 | Malicious code detection method and system |
| CN102955913A (en) * | 2011-08-25 | 2013-03-06 | 腾讯科技(深圳)有限公司 | Method and system for detecting hung Trojans of web page |
| CN102609649A (en) * | 2012-02-06 | 2012-07-25 | 北京百度网讯科技有限公司 | Method and device for collecting malicious software automatically |
| CN102622543A (en) * | 2012-02-06 | 2012-08-01 | 北京百度网讯科技有限公司 | Method and device for dynamically detecting malicious webpage scripts |
Non-Patent Citations (1)
| Title |
|---|
| 武雪峰 (Wu Xuefeng): "Analysis of Malicious PDF Documents", China Master's Theses Full-text Database (Information Science and Technology series) * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104008336B (en) | 2017-04-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Carmony et al. | Extract Me If You Can: Abusing PDF Parsers in Malware Detectors. | |
| Rathnayaka et al. | An efficient approach for advanced malware analysis using memory forensic technique | |
| CN103221960B (en) | Malicious code detection method and device | |
| EP2955658B1 (en) | System and methods for detecting harmful files of different formats | |
| KR102317833B1 (en) | method for machine LEARNING of MALWARE DETECTING MODEL AND METHOD FOR detecting Malware USING THE SAME | |
| US10867038B2 (en) | System and method of detecting malicious files with the use of elements of static analysis | |
| CN113935033B (en) | Feature fusion malicious code family classification method, device and storage medium | |
| JP7517585B2 (en) | Analytical function providing device, analytical function providing program, and analytical function providing method | |
| CN104115117B (en) | Method, system and the storage medium of safety analysis are implemented to computer program | |
| Lu et al. | De-obfuscation and detection of malicious PDF files with high accuracy | |
| US20210157909A1 (en) | Sample data generation apparatus, sample data generation method, and computer readable medium | |
| KR102151318B1 (en) | Method and apparatus for malicious detection based on heterogeneous information network | |
| KR101858620B1 (en) | Device and method for analyzing javascript using machine learning | |
| CN102567661A (en) | Method and device for program recognition based on machine learning | |
| CN111639337A (en) | Unknown malicious code detection method and system for massive Windows software | |
| CN106355092B (en) | System and method for optimizing anti-virus measurement | |
| CN106326737A (en) | System and method for detecting harmful files executable on a virtual stack machine | |
| US12505215B2 (en) | Using artificial intelligence to generate test data to test malware scanner(s) | |
| WO2017177003A1 (en) | Extraction and comparison of hybrid program binary features | |
| CN109558207A (en) | The system and method for carrying out the log of the anti-virus scan of file are formed in virtual machine | |
| CN119397533A (en) | Malicious script detection method, device, equipment and storage medium | |
| WO2023072002A1 (en) | Security detection method and apparatus for open source component package | |
| CN106778278A (en) | A kind of malice document detection method and device | |
| CN105468970B (en) | A kind of Android application programs based on protection net are anti-to usurp method and system | |
| CN104008336B (en) | ShellCode detecting method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | GR01 | Patent grant | |