[go: up one dir, main page]

CN101777102B - Security audit method and system for kernel - Google Patents

Security audit method and system for kernel Download PDF

Info

Publication number
CN101777102B
CN101777102B CN2010101049375A CN201010104937A CN101777102B CN 101777102 B CN101777102 B CN 101777102B CN 2010101049375 A CN2010101049375 A CN 2010101049375A CN 201010104937 A CN201010104937 A CN 201010104937A CN 101777102 B CN101777102 B CN 101777102B
Authority
CN
China
Prior art keywords
kernel
module
hooking
information group
hook
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN2010101049375A
Other languages
Chinese (zh)
Other versions
CN101777102A (en
Inventor
柯宗贵
柯宗庆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Bluedon Information Security Technologies Co Ltd
Original Assignee
Bluedon Information Security Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Bluedon Information Security Technologies Co Ltd filed Critical Bluedon Information Security Technologies Co Ltd
Priority to CN2010101049375A priority Critical patent/CN101777102B/en
Publication of CN101777102A publication Critical patent/CN101777102A/en
Application granted granted Critical
Publication of CN101777102B publication Critical patent/CN101777102B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a method and a system for safety audit of a kernel, which mainly comprise the following steps: by integrating the kernel anti-hooking technology into the host security system and organically combining the host security audit technology with the kernel anti-hooking technology, each kernel module in the equipment is scanned, a kernel hook installed in each kernel module is determined, the kernel module with illegal software installed is determined, and the determined kernel module is uninstalled, so that the security and the reliability of the kernel system are improved.

Description

一种对内核的安全审计方法和系统A security audit method and system for the kernel

技术领域 technical field

本发明涉及计算机领域,尤其涉及一种利用安全审计技术对计算机内核进行安全审计的方法和系统。The invention relates to the field of computers, in particular to a method and a system for performing security audits on computer kernels using security audit technologies.

背景技术 Background technique

目前的计算机安全审计技术有多种,如主机安全审计技术等。主机安全审计技术的目的是提高系统主机的安全性,通过对计算机外设的控制和审计达到对计算机主机保护的目的。对计算机外设的控制和审计包括对计算机接口进行控制和对计算机设备类进行控制。具体地,主机安全审计技术包括以下技术内容:There are many kinds of computer security auditing techniques, such as host computer security auditing techniques. The purpose of host security audit technology is to improve the security of the system host, and to achieve the purpose of protecting the computer host through the control and audit of computer peripherals. Control and audit of computer peripherals includes control of computer interfaces and control of computer equipment classes. Specifically, the host security audit technology includes the following technical content:

拨号行为控制:允许/禁止内网用户通过MODEM或ADSL拨入外网;Dial-up behavior control: allow/prohibit internal network users to dial into the external network through MODEM or ADSL;

网络通信控制:允许/记录/禁止内网主机之间相互通信;Network communication control: allow/record/prohibit communication between intranet hosts;

主机特性控制:记录主机软件、硬件特征,能够实现计算机资产管理;Host characteristic control: record the host software and hardware characteristics, and realize computer asset management;

主机文件控制:允许/记录/禁止对主机指定文件的操作;Host file control: allow/record/prohibit operations on specified files on the host;

主机设备控制:允许/记录/禁止使用主机本地设备,如:U盘、软光驱、并口、串口、打印机等;Host device control: allow/record/prohibit the use of host local devices, such as: U disk, floppy drive, parallel port, serial port, printer, etc.;

操作行为控制:记录/查看主机操作者行为,包括:当前屏幕、键盘输入。Operation behavior control: record/view host operator behavior, including: current screen, keyboard input.

对内核的安全管理是指对运行于内核中的软件的安全管理,也就是对内核钩子的管理。钩子是WINDOWS中消息处理机制的一个要点,通过在计算机中安装各种钩子,应用程序能够设置相应的子例程来监视系统里的消息传递以及在这些消息到达目标窗口程序之前处理它们。钩子的种类很多,每种钩子可以截获并处理相应的消息类。如:键盘钩子可以截获键盘消息,鼠标钩子可以截获鼠标消息,外壳钩子可以截获启动和关闭应用程序的消息,日志钩子可以监视和记录输入事件等。The security management of the kernel refers to the security management of software running in the kernel, that is, the management of kernel hooks. Hooks are a key point of the message processing mechanism in WINDOWS. By installing various hooks in the computer, the application program can set up corresponding subroutines to monitor the message delivery in the system and process them before these messages reach the target window program. There are many types of hooks, each of which can intercept and process corresponding message classes. For example: keyboard hooks can intercept keyboard messages, mouse hooks can intercept mouse messages, shell hooks can intercept messages for starting and closing applications, log hooks can monitor and record input events, etc.

内核钩子就是在Windows的内核层实现类似钩子的行为,从而达到控制系统底层某些功能的目的。内核钩子的种类也较多,如:系统服务描述符表(systemservices descriptor table,SSDT)内核钩子、与图形界面相关的系统服务描述符表(Shadow SSDT)内核钩子、文件系统驱动(File system driver,FSD)内核钩子、中断描述符表(Interrupt Descriptor Table,IDT)内核钩子、内核内嵌钩子(Inline Hook)、I/O请求包(I/O Request package,IRP)过滤钩子、过滤驱动钩子和系统回调例程(CallBack)钩子等。Kernel hooking is to implement hook-like behavior at the kernel layer of Windows, so as to achieve the purpose of controlling some functions at the bottom of the system. There are also many types of kernel hooks, such as: system service descriptor table (systemservices descriptor table, SSDT) kernel hook, system service descriptor table (Shadow SSDT) kernel hook related to the graphical interface, file system driver (File system driver, FSD) kernel hook, interrupt descriptor table (Interrupt Descriptor Table, IDT) kernel hook, kernel embedded hook (Inline Hook), I/O request package (I/O Request package, IRP) filter hook, filter driver hook and system Callback routine (CallBack) hook, etc.

当前对反钩子技术主要应用在一些小型的专业安全检测工具中,对系统的内核钩子进行检测;而在现有的主机安全审计中,主要专注于桌面级的审计,只能通过对计算机外设的控制和审计达到实现计算机主机保护的目的,而无法审计计算机内核状态下的软件行为。现有的反钩子技术无法对内核状态下的软件行为合法性做出正确评估,同时,检测出的内核状态信息复杂,普通技术人员很难获知当前内核状态;进一步地,现有的反内核钩子技术没有数据库的支持,也就无法对内核状态下的软件行为进行记录分析。Currently, anti-hook technology is mainly used in some small professional security detection tools to detect system kernel hooks; while in the existing host security audits, it mainly focuses on desktop-level audits, which can only be performed by computer peripherals. The control and auditing of the computer can achieve the purpose of protecting the computer host, but the software behavior in the computer kernel state cannot be audited. The existing anti-hook technology cannot correctly evaluate the legality of software behavior in the kernel state. At the same time, the detected kernel state information is complex, and it is difficult for ordinary technicians to know the current kernel state; further, the existing anti-kernel hook Without the support of the database, the technology cannot record and analyze the software behavior in the kernel state.

发明内容 Contents of the invention

本发明实施例提供一种对内核的安全审计方法和系统,以解决现有的主机安全审计中无法对设备的内核进行安全审计的问题。Embodiments of the present invention provide a method and system for security auditing of the kernel, so as to solve the problem that the security audit of the kernel of the device cannot be performed in the existing host security audit.

一种对内核的安全审计方法,所述方法包括:内核扫描步骤:对设备内的每个内核模块进行扫描,确定每个内核模块中安装的内核钩子;比较步骤:利用预先设定的多个行为信息组,对每个内核模块中安装的内核钩子进行比较,其中,每个行为信息组中包含至少一个内核钩子标识;匹配步骤:比较步骤得出的比较结果为安装的内核钩子覆盖任一行为信息组中内核钩子标识,则判定相互匹配,进一步确定该内核钩子所属的内核模块;卸载步骤:卸载匹配步骤中确定的内核模块。。A method for security auditing of the kernel, said method comprising: a kernel scanning step: scanning each kernel module in the device to determine the kernel hooks installed in each kernel module; a comparison step: using a plurality of preset The behavior information group compares the kernel hooks installed in each kernel module, wherein each behavior information group contains at least one kernel hook identifier; matching step: the comparison result obtained in the comparison step is that the installed kernel hook covers any The kernel hook identifier in the behavior information group is determined to match each other, and the kernel module to which the kernel hook belongs is further determined; unloading step: unloading the kernel module determined in the matching step. .

一种对内核的安全审计系统,所述系统包括:内核扫描模块,用于对设备内的每个内核模块进行扫描,确定每个内核模块中安装的内核钩子;内核审计模块,用于利用预先设定的多个行为信息组,对每个内核模块中的内核钩子进行比较,比较结果为安装的内核钩子覆盖任一行为信息组中内核钩子标识,则判定相互匹配,进一步确定该内核钩子所属的内核模块,其中,每个行为信息组包含至少一个内核钩子标识;审计执行模块,用于卸载所述内核审计模块确定的内核模块。A security audit system for the kernel, said system comprising: a kernel scanning module, used to scan each kernel module in the device, to determine the kernel hooks installed in each kernel module; a kernel audit module, used to utilize pre-installed Multiple behavior information groups are set, and the kernel hooks in each kernel module are compared. If the comparison result shows that the installed kernel hook covers the kernel hook identifier in any behavior information group, it is determined that they match each other, and the kernel hook is further determined. The kernel module, wherein each behavior information group includes at least one kernel hook identifier; the audit execution module is used to unload the kernel module determined by the kernel audit module.

本发明实施例的有益效果:The beneficial effect of the embodiment of the present invention:

由于本发明实施例通过将内核反钩子技术集成于主机安全系统中,将主机安全审计技术与内核反钩子技术有机结合来,对设备内的每个内核模块进行扫描并确定每个内核模块中安装的内核钩子,确定出安装了非法软件的内核模块,并卸载确定的内核模块,以提高内核系统的安全性和可靠性。Since the embodiment of the present invention integrates the kernel anti-hook technology into the host security system, organically combines the host security audit technology and the kernel anti-hook technology, scans each kernel module in the device and determines the Kernel hooks to determine the kernel modules with illegal software installed, and uninstall the determined kernel modules, so as to improve the security and reliability of the kernel system.

附图说明 Description of drawings

图1为本发明实施例一中对内核的安全审计方法的示意图;FIG. 1 is a schematic diagram of a security audit method for a kernel in Embodiment 1 of the present invention;

图2为本发明实施例二中对内核的安全审系统的结构示意图;FIG. 2 is a schematic structural diagram of a security audit system for the kernel in Embodiment 2 of the present invention;

图3为本发明实施例二中对内核的安全审系统应用于场景示意图。FIG. 3 is a schematic diagram of a scenario in which the security audit system for the kernel is applied in Embodiment 2 of the present invention.

具体实施方式 Detailed ways

为了对计算机内核状态下的软件行为进行安全审核,本发明实施例将内核反钩子技术集成于主机安全系统中,将主机安全审计技术与内核反钩子技术有机结合来,以达到监控计算机从内核态到用户态所有软件的动作行为,以提高计算机的安全性和可靠性。In order to conduct a security audit of software behavior in the computer kernel state, the embodiment of the present invention integrates the kernel anti-hook technology into the host security system, and organically combines the host security audit technology and the kernel anti-hook technology to achieve monitoring of the computer from the kernel state. The action behavior of all software from user mode to improve the security and reliability of the computer.

下面结合说明书附图对本发明实施例进行详细描述。Embodiments of the present invention will be described in detail below in conjunction with the accompanying drawings.

实施例一:Embodiment one:

本发明实施例一将内核反钧子技术应用于主机安全审计技术中,提出一种新的对内核的安全审计方法,如图1所示,所述方法包括以下步骤:Embodiment 1 of the present invention applies the kernel anti-junzi technology to the host security audit technology, and proposes a new kernel security audit method, as shown in Figure 1, the method includes the following steps:

步骤101:对设备内的每个内核模块进行扫描,确定每个内核模块中安装的内核钩子。Step 101: Scan each kernel module in the device, and determine the kernel hooks installed in each kernel module.

本步骤中涉及的设备可以是诸如计算机等终端设备,也可以是其他需要对设备的内核状态进行安全审计的其他终端。The devices involved in this step may be terminal devices such as computers, or other terminals that need to perform a security audit on the kernel state of the device.

待处理的设备中具有内核系统,该内核系统中安装了至少一个软件,每个软件可以对应一个内核模块,这里的内核模块是指驱动程序文件(相当于应用层一个exe文件),在每个内核模块中又可能安装了内核钩子。The device to be processed has a kernel system, and at least one software is installed in the kernel system, and each software can correspond to a kernel module, where the kernel module refers to a driver file (equivalent to an exe file in the application layer), in each Kernel hooks may in turn be installed in kernel modules.

为了对设备的内核态的软件行为进行安全审计,需要对设备内的内核模块进行扫描,其扫描方式可以是实时扫描,或是周期性地进行扫描,扫描周期可以根据经验值或是对安全性的要求确定,如果对设备内核的安全性要求较高,可以设置较短的扫描周期,以便于在内核的软件态出现异常时可以快速发现;如果对设备内核的安全性要求较低,可以设置较短的扫描周期,以便于节约设备资源。In order to conduct a security audit of the software behavior of the kernel state of the device, it is necessary to scan the kernel module in the device. The scanning method can be real-time scanning or periodic scanning. The scanning cycle can be based on experience values or security If the security requirements for the device kernel are high, you can set a shorter scan cycle so that you can quickly find out when the kernel software state is abnormal; if you have low security requirements for the device kernel, you can set Short scan cycle to save device resources.

在本步骤中确定出内核模块中安装的内核钩子后,可以记录每个内核模块对应的内核钩子标识。After the kernel hooks installed in the kernel module are determined in this step, the kernel hook identifier corresponding to each kernel module can be recorded.

步骤102:利用预先设定的多个行为信息组,对每个内核模块中的内核钩子进行比较。Step 102: Using multiple preset behavior information groups, compare the kernel hooks in each kernel module.

其中,每个行为信息组包含至少一个内核钩子标识,进一步地,每个行为信息组中包含的内核钩子标识之和表示内核钩子标识对应的内核钩子的集合为非法。Wherein, each behavior information group contains at least one kernel hook identifier, and further, the sum of the kernel hook identifiers contained in each behavior information group indicates that the set of kernel hooks corresponding to the kernel hook identifier is illegal.

在本步骤中,可以根据管理员的实际经验设定行为信息组,并将设定的行为信息组存储在数据库中,这里的数据库可以是设备应用层的存储部件,也可以是能够与设备进行通信的其他数据库设备。In this step, the behavior information group can be set according to the actual experience of the administrator, and the set behavior information group can be stored in the database. The database here can be a storage component of the application layer of the device, or can be a other database devices for communication.

步骤103:确定安装的内核钩子与所述至少一个行为信息组中内核钩子标识匹配的内核模块,并卸载确定的内核模块。Step 103: Determine the kernel module whose installed kernel hook matches the kernel hook identifier in the at least one behavior information group, and uninstall the determined kernel module.

利用行为信息组与内核模块中的内核钩子进行比较的具体方法是:The specific method of using the behavior information group to compare with the kernel hook in the kernel module is:

根据确定的内核模块中的内核钩子确定该内核模块对应的内核钩子标识,然后将该内核模块对应的内核钩子标识分别与每个行为信息组中的内核钩子标识进行比较,如果内核模块对应的内核钩子标识全部包含在某一行为信息组中的内核钩子标识中(包括内核模块对应的内核钩子标识与行为信息组中的内核钩子标识完全相同,或是内核模块对应的内核钩子标识包含行为信息组中的内核钩子标识),则表示该内核模块是与行为信息组中内核钩子标识匹配的内核模块,确定该内核模块中安装了非法软件(如:恶意软件或间谍软件);否则,则确定该内核模块中没有安装非法软件。Determine the kernel hook identifier corresponding to the kernel module according to the kernel hook in the determined kernel module, and then compare the kernel hook identifier corresponding to the kernel module with the kernel hook identifier in each behavior information group, if the kernel module corresponds to The hook identifiers are all contained in the kernel hook identifiers in a certain behavior information group (including the kernel hook identifier corresponding to the kernel module is exactly the same as the kernel hook identifier in the behavior information group, or the kernel hook identifier corresponding to the kernel module contains the behavior information group If the kernel hook identifier in the behavior information group matches the kernel hook identifier), it means that the kernel module is a kernel module that matches the kernel hook identifier in the behavior information group, and it is determined that illegal software (such as malware or spyware) is installed in the kernel module; otherwise, it is determined that the No illegal software is installed in the kernel module.

为了确保设备内核的安全性,本步骤确定出安装了非法软件的内核后可以先恢复内核模块中安装的非法内核钩子,即恢复从确定的内核模块中查找出的与匹配的行为信息组中内核钩子标识对应的内核钩子,然后再卸载确定的内核模块。In order to ensure the security of the device kernel, after the kernel with illegal software is determined to be installed in this step, the illegal kernel hook installed in the kernel module can be restored first, that is, the kernel in the matching behavior information group found from the determined kernel module can be restored The hook identifies the corresponding kernel hook, and then unloads the determined kernel module.

下面举例说明恢复内核模块中安装的非法内核钩子:若某一内核模块中运行A、B、C、D四种内核钩子,某一行为信息组中包含了A、B、C三种内核钩子标识,表示A、B、C三种内核钩子安装在一起是间谍软件行为,则恢复该内核模块中运行的A、B、C三种内核钩子。The following example illustrates the restoration of illegal kernel hooks installed in a kernel module: If four kernel hooks A, B, C, and D are running in a kernel module, a certain behavior information group contains three kernel hook identifiers of A, B, and C , indicating that the three kernel hooks A, B, and C are installed together as a spyware behavior, and then restore the three kernel hooks A, B, and C running in the kernel module.

恢复内核钩子的执行手段可以为:以来自磁盘文件的正常代码来覆盖钩子代码。例如:若恶意软件安装了IDT键盘钩子来读取用户通过键盘输入的密码,则通过钩子恢复之后,由于键盘钩子代码不存在,因此也就无法再读取用户通过键盘输入的密码。The execution means of resuming the kernel hook may be: overwrite the hook code with the normal code from the disk file. For example: if the malware installs an IDT keyboard hook to read the password entered by the user through the keyboard, after recovery through the hook, since the keyboard hook code does not exist, it will no longer be able to read the password entered by the user through the keyboard.

通过上述步骤101~步骤103的方案,使用主机安全审计技术对设备的内核模块进行安全审计,并利用预先设定的不安全策略查找出内核系统中哪些内核模块中安装了非法软件,以增加对恶意内核模块判定的准确性,使非专业技术人员也能够通过本发明实施例提供的方案对设备的内核态进行安全审计。Through the scheme of steps 101 to 103 above, use the host security audit technology to conduct a security audit on the kernel module of the device, and use the preset insecure strategy to find out which kernel modules in the kernel system have illegal software installed, so as to increase security The accuracy of the determination of the malicious kernel module enables non-professional technicians to conduct security audits on the kernel state of the device through the solution provided by the embodiment of the present invention.

在本发明实施例一进一步通过白名单的方式对安全审计方法进行优化,具体做法为:In Embodiment 1 of the present invention, the security audit method is further optimized by means of a white list, and the specific method is as follows:

在步骤101与步骤102之间还包括以下步骤:The following steps are also included between step 101 and step 102:

步骤A:根据预先设定的内核白名单信息,从多个内核模块中确定合法的内核模块。Step A: Determine a legal kernel module from multiple kernel modules according to preset kernel whitelist information.

本步骤中的内核白名单信息也可以与行为信息组存储在同一数据库中,也可以分别存储在不同的数据库中。The kernel whitelist information in this step can also be stored in the same database as the behavior information group, or can be stored in different databases respectively.

由于在步骤A中已经筛选出了合法的内核模块,因此,在步骤102中需要进行是否安装了非法内核钩子判定的内核模块是:内核系统中除了合法的内核模块之外的其他内核模块,而属于内核白名单信息中的内核模块,可以在判定是否安装了非法内核钩子时将其忽略。Since the legal kernel module has been screened out in step A, therefore, in step 102, the kernel module that needs to determine whether an illegal kernel hook is installed is: other kernel modules except the legal kernel module in the kernel system, and Kernel modules belonging to the kernel whitelist information can be ignored when determining whether an illegal kernel hook is installed.

实施例二:Embodiment two:

本发明实施例还提供一种与实施例一属于同一发明构思下对内核的安全审计系统,如图2所示,所述系统包括以下部件:内核扫描模块11、内核审计模块12和审计执行模块13,其中:内核扫描模块11用于对设备内的每个内核模块进行扫描,确定每个内核模块中安装的内核钩子;内核审计模块12用于利用预先设定的多个行为信息组,对每个内核模块中的内核钩子进行比较,并确定安装的内核钩子与所述至少一个行为信息组中内核钩子标识匹配的内核模块,其中,每个行为信息组包含至少一个内核钩子标识;审计执行模块13用于卸载所述内核审计模块确定的内核模块。The embodiment of the present invention also provides a security audit system for the kernel under the same inventive concept as Embodiment 1, as shown in Figure 2, the system includes the following components: a kernel scanning module 11, a kernel audit module 12 and an audit execution module 13, wherein: the kernel scanning module 11 is used to scan each kernel module in the device to determine the kernel hooks installed in each kernel module; the kernel audit module 12 is used to use a plurality of preset behavior information groups to Compare the kernel hooks in each kernel module, and determine the kernel module that the installed kernel hook matches the kernel hook identifier in the at least one behavior information group, wherein each behavior information group contains at least one kernel hook identifier; audit execution Module 13 is used to unload the kernel module determined by the kernel audit module.

在本实施例中的内核安全审计系统可以安装在设备中,进一步地,可以应用于设备的应用层。如图3所示,内核安全审计系统安装在用户计算机系统中,与内核系统交互通信完成对内核系统中的各内核模块进行安全审计。具体地,主机审计系统服务器进程和审计系统管理服务Web接口从数据库中读取预先设定的不安全策略(包括行为信息组和内核白名单信息),然后通过TCP/IP协议由LAN网络发送至对内核的安全审计系统。The kernel security audit system in this embodiment can be installed in the device, and further, can be applied to the application layer of the device. As shown in Figure 3, the kernel security audit system is installed in the user computer system, and communicates with the kernel system to complete the security audit of each kernel module in the kernel system. Specifically, the host audit system server process and the audit system management service web interface read the preset insecure policies (including behavior information group and kernel whitelist information) from the database, and then send them from the LAN network to A security audit system for the kernel.

内核扫描模块11需要对内核模块中安装的多种钩子进行扫描,其扫描内容可以为图2所示的内核驱动、过滤驱动、FSD钩子、SSDT钩子、Shadow SSDT钩子、IDT钩子、CallBack钩子和内核代码内嵌钩子。The kernel scanning module 11 needs to scan the various hooks installed in the kernel module, and its scanning content can be the kernel driver shown in Figure 2, filter driver, FSD hook, SSDT hook, Shadow SSDT hook, IDT hook, CallBack hook and kernel Code inline hooks.

如果当前审计的是非内核的常规行为,则直接按照目前的主机安全审计技术进行审核,如果当前审计的是内核是否安装软件非法软件的行为,则内核扫描模块11将扫描结果发送内核审计模块12。内核审计模块12根据来自服务器系统的不安全策略对各内核模块进行审计,最后由审计执行模块13恢复安装了非法软件的内核模块中的部分或全部内核钩子,并卸载所述内核审计模块12确定的内核模块。If what current audit is non-kernel routine behavior, then directly check according to present host computer security auditing technology, if what current audit is the behavior of whether kernel installs software illegal software, then kernel scanning module 11 sends the kernel auditing module 12 with scanning result. Kernel audit module 12 audits each kernel module according to the unsafe policy from server system, finally restores some or all kernel hooks in the kernel module that illegal software has been installed by audit execution module 13, and unloads described kernel audit module 12 to determine The kernel module.

所述内核审计模块12还用于从确定的所述内核模块中查找出与匹配的行为信息组中内核钩子标识对应的内核钩子;则所述审计执行模块13还用于恢复查找出的所述内核钩子。The kernel audit module 12 is also used to find the kernel hook corresponding to the kernel hook identifier in the matching behavior information group from the determined kernel module; then the audit execution module 13 is also used to restore the found Kernel hooks.

所述系统还包括合法确定模块14用于根据预先设定的内核白名单信息,从多个内核模块中确定合法的内核模块;所述内核审计模块12具体用于从多个内核模块中确定除合法的内核模块之外的其他内核模块,并利用行为信息组对所述其他内核模块中的内核钩子进行比较。The system also includes a legal determination module 14 for determining a legitimate kernel module from a plurality of kernel modules according to preset kernel whitelist information; Other kernel modules other than legitimate kernel modules, and compare the kernel hooks in the other kernel modules by using the behavior information group.

实施例三:Embodiment three:

下面通过一个具体的实例对本发明实施例一和实施例二的方案进行详细描述。The schemes of Embodiment 1 and Embodiment 2 of the present invention will be described in detail below through a specific example.

假设本实施例三中预先设定了两个行为信息组,其中:行为信息组1中包含的内核钩子标识为IDT键盘钩子标识+TDI网络通信钩子标识;行为信息组2中包含的内核钩子标识为IDT键盘钩子标识+NDIS网络通信钩子标识。Assume that two behavior information groups are preset in the third embodiment, wherein: the kernel hook identifier contained in behavior information group 1 is IDT keyboard hook identifier+TDI network communication hook identifier; the kernel hook identifier contained in behavior information group 2 IDT keyboard hook identifier + NDIS network communication hook identifier.

内核扫描模块11对计算机的各内核模块进行扫描,分别得到3个内核模块中安装钩子的行为,并将这3个内核模块的标识发送给合法确定模块14;合法确定模块14根据预先设定的内核白名单信息,确定内核模块3是合法的内核模块;合法确定模块14将内核模块1和内核模块2的扫描结果发送给内核审计模块12,其中:内核模块1中安装的钩子为:IDT键盘钩子+TDI网络通信钩子+FSD钩子;内核模块2中安装的钩子为:IDT键盘钩子+CallBack钩子。内核审计模块12确定内核模块1中安装的钩子对应的标识包含行为信息组1中包含的内核钩子标识,则内核模块1中安装了非法软件。审计执行模块13对内核模块1中的IDT键盘钩子标识和TDI网络通信钩子标识对应的内核钩子进行恢复,然后卸载内核模块1。Kernel scanning module 11 scans each kernel module of computer, obtains the behavior of installing hooks in 3 kernel modules respectively, and sends the identification of these 3 kernel modules to legal determination module 14; Legal determination module 14 according to preset Kernel whitelist information, determine that kernel module 3 is a legal kernel module; Legal determination module 14 sends the scan result of kernel module 1 and kernel module 2 to kernel audit module 12, wherein: the hook installed in kernel module 1 is: IDT keyboard Hook + TDI network communication hook + FSD hook; the hook installed in kernel module 2 is: IDT keyboard hook + CallBack hook. If the kernel audit module 12 determines that the identifier corresponding to the hook installed in the kernel module 1 includes the kernel hook identifier included in the behavior information group 1, then illegal software is installed in the kernel module 1 . The audit execution module 13 recovers the kernel hook corresponding to the IDT keyboard hook identifier and the TDI network communication hook identifier in the kernel module 1, and then uninstalls the kernel module 1.

通过本发明实施例一至实施例三的方案,将内核反钩子技术应用到主机安全审计系统中,形成具有反内核间谍软件功能的新一代主机安全审计系统;使用主机安全审计技术对设备的内核模块进行安全审计,并利用预先设定的不安全策略查找出内核系统中哪些内核模块中安装了非法软件,以增加对恶意内核模块判定的准确性,使非专业技术人员也能够通过本发明实施例提供的方案对设备的内核态进行安全审计。Through the schemes of Embodiment 1 to Embodiment 3 of the present invention, the kernel anti-hook technology is applied to the host security audit system to form a new generation of host security audit system with anti-kernel spyware functions; use the host security audit technology to check the kernel module of the device Carry out safety audit, and utilize pre-set unsafe policy to find out which kernel modules in the kernel system have installed illegal software, to increase the accuracy of judging malicious kernel modules, so that non-professional technicians can also pass through the embodiment of the present invention The provided solution performs security audit on the kernel state of the device.

显然,本领域的技术人员可以对本发明进行各种改动和变型而不脱离本发明的精神和范围。这样,倘若本发明的这些修改和变型属于本发明权利要求及其等同技术的范围之内,则本发明也意图包含这些改动和变型在内。Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention also intends to include these modifications and variations.

Claims (9)

1. the method for auditing safely to kernel is characterized in that, said method comprises:
The kernel scanning step: each kernel module in the equipment scans, and confirms the kernel hooking of installing in each kernel module;
Comparison step: utilize predefined a plurality of behavioural information group, the kernel hooking of installing in each kernel module is compared, wherein, comprise at least one kernel hooking sign in each behavioural information group;
The coupling step: kernel hooking identifies the comparative result that comparison step draws in arbitrary behavioural information group for the kernel hooking of installing covers, and then judges coupling each other, further confirms the kernel module that this kernel hooking is affiliated;
Unloading step: the kernel module of confirming in the unloading coupling step.
2. the method for claim 1 is characterized in that, the set that the kernel hooking sign sum that comprises in each behavioural information group is represented the kernel hooking that the kernel hooking sign is corresponding is for illegal.
3. the method for claim 1 is characterized in that, after the coupling step, before the unloading step, said method also comprises:
From the said kernel module of confirming, find out with the behavioural information group of mating in kernel hooking identify corresponding kernel hooking;
The said kernel hooking that recovery finds out.
4. the method for claim 1 is characterized in that, after the kernel scanning step, before the coupling step, said method also comprises:
According to predefined kernel white list information, from a plurality of kernel modules, confirm legal kernel module;
Utilize the behavioural information group that the kernel hooking in each kernel module is compared, comprising:
From a plurality of kernel modules, confirm other kernel modules except that legal kernel module, and utilize the behavioural information group that the kernel hooking in said other kernel modules is compared.
5. the safety auditing system to kernel is characterized in that, said system comprises:
The kernel scan module is used for each kernel module in the equipment is scanned, and confirms the kernel hooking of installing in each kernel module;
Kernel audit module; Be used to utilize predefined a plurality of behavioural information group, the kernel hooking in each kernel module is compared, comparative result covers kernel hooking sign in arbitrary behavioural information group for the kernel hooking of installing; Then judge coupling each other; Further confirm the kernel module that this kernel hooking is affiliated, wherein, each behavioural information group comprises at least one kernel hooking sign;
The audit execution module is used to unload the kernel module that said kernel audit module is confirmed.
6. system as claimed in claim 5 is characterized in that, the set that the kernel hooking sign sum that comprises in each behavioural information group is represented the kernel hooking that the kernel hooking sign is corresponding is for illegal.
7. system as claimed in claim 5 is characterized in that,
Said kernel audit module, also be used for from the said kernel module of confirming find out with the behavioural information group of mating kernel an ancient unit of weight identify corresponding kernel hooking;
Said audit execution module also is used to the said kernel hooking of recovering to find out.
8. system as claimed in claim 5 is characterized in that, said system also comprises:
Legal determination module is used for according to predefined kernel white list information, from a plurality of kernel modules, confirms legal kernel module;
Said kernel audit module specifically is used for confirming other kernel modules except that legal kernel module from a plurality of kernel modules, and utilizes the behavioural information group that the kernel hooking in said other kernel modules is compared.
9. like the arbitrary described system of claim 5~8, it is characterized in that said safety auditing system to kernel is applied to the application layer of equipment.
CN2010101049375A 2010-01-29 2010-01-29 Security audit method and system for kernel Active CN101777102B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010101049375A CN101777102B (en) 2010-01-29 2010-01-29 Security audit method and system for kernel

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010101049375A CN101777102B (en) 2010-01-29 2010-01-29 Security audit method and system for kernel

Publications (2)

Publication Number Publication Date
CN101777102A CN101777102A (en) 2010-07-14
CN101777102B true CN101777102B (en) 2012-05-09

Family

ID=42513563

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010101049375A Active CN101777102B (en) 2010-01-29 2010-01-29 Security audit method and system for kernel

Country Status (1)

Country Link
CN (1) CN101777102B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106446678A (en) * 2016-09-22 2017-02-22 武汉斗鱼网络科技有限公司 Method and system for protecting network account based on handle function
CN116193001B (en) * 2023-02-16 2023-11-03 中国人民解放军61660部队 Method for realizing NDIS6-Hooking

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060282827A1 (en) * 2005-06-10 2006-12-14 Yuen-Pin Yeap Operating system loader modification
WO2006101549A3 (en) * 2004-12-03 2006-12-28 Whitecell Software Inc Secure system for allowing the execution of authorized computer program code
CN101620660A (en) * 2009-07-31 2010-01-06 北京大学 Method for defending hooks in Windows operating system

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006101549A3 (en) * 2004-12-03 2006-12-28 Whitecell Software Inc Secure system for allowing the execution of authorized computer program code
US20060282827A1 (en) * 2005-06-10 2006-12-14 Yuen-Pin Yeap Operating system loader modification
CN101620660A (en) * 2009-07-31 2010-01-06 北京大学 Method for defending hooks in Windows operating system

Also Published As

Publication number Publication date
CN101777102A (en) 2010-07-14

Similar Documents

Publication Publication Date Title
US11687653B2 (en) Methods and apparatus for identifying and removing malicious applications
CN109831420B (en) Method and device for determining kernel process authority
RU2530210C2 (en) System and method for detecting malware preventing standard user interaction with operating system interface
US7669059B2 (en) Method and apparatus for detection of hostile software
US9547765B2 (en) Validating a type of a peripheral device
US8898775B2 (en) Method and apparatus for detecting the malicious behavior of computer program
CN103262087B (en) Signature-independent system behavior-based malware detection
US8839432B1 (en) Method and apparatus for performing a reputation based analysis on a malicious infection to secure a computer
US8667593B1 (en) Methods and apparatuses for protecting against malicious software
US9455994B1 (en) Techniques for intelligently executing a digital signature
EP3113059B1 (en) System and method of preventing installation and execution of undesirable programs
CN101098226A (en) A virus online real-time processing system and method thereof
US11281772B2 (en) Systems and methods to detect key loggers
CN107480528A (en) A kind of method of operating system anti-virus
CN102208002A (en) Novel computer virus scanning and killing device
CN109815701B (en) Software security detection method, client, system and storage medium
WO2015070376A1 (en) Method and system for realizing virtualization security
KR20110087826A (en) Malicious software detection method using virtual machine
CN101777102B (en) Security audit method and system for kernel
CN114861160A (en) Method and device, device, and storage medium for enhancing authority of non-administrator account
CN114386047A (en) Application vulnerability detection method, device, electronic device and storage medium
US20240119155A1 (en) Generating alerts for unexpected kernel modules
US8201253B1 (en) Performing security functions when a process is created
CN114595436A (en) Tool application authorization method, device, electronic device and storage medium
Huang et al. Identifying HID-based attacks through process event graph using guilt-by-association analysis

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
DD01 Delivery of document by public notice

Addressee: Wu Bingtang

Document name: Notification of Passing Preliminary Examination of the Application for Invention

C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
DD01 Delivery of document by public notice

Addressee: Wu Bingtang

Document name: Notification of Publication and of Entering the Substantive Examination Stage of the Application for Invention

DD01 Delivery of document by public notice

Addressee: Wu Bingtang

Document name: Notification of Passing Examination on Formalities

C14 Grant of patent or utility model
GR01 Patent grant
PP01 Preservation of patent right
PP01 Preservation of patent right

Effective date of registration: 20220422

Granted publication date: 20120509

PD01 Discharge of preservation of patent
PD01 Discharge of preservation of patent

Date of cancellation: 20250422

Granted publication date: 20120509

PP01 Preservation of patent right
PP01 Preservation of patent right

Effective date of registration: 20250422

Granted publication date: 20120509