CN114356366B - A method, device, equipment and medium for updating a sandbox engine of a virtual machine - Google Patents
- Publication number: CN114356366B (application CN202111559043.XA)
- Authority: CN (China)
- Prior art keywords: code, update, updating, bit value, virtual machine
- Prior art date
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention discloses a method, device, equipment and medium for updating the sandbox engine of a virtual machine. After the virtual machine has been restored to the state recorded in a snapshot file, the sandbox engine is updated by replacing a global data pointer and a detection function, so the snapshot file and the sandbox environment do not need to be rebuilt; the update package that has to be produced when the sandbox engine is updated is therefore smaller and updating is more efficient.
Description
Technical Field
The present invention relates to the field of computer security technologies, and in particular, to a method, an apparatus, a device, and a medium for updating a sandbox engine of a virtual machine.
Background
In recent years, new malicious software has appeared without end. To detect it, the prior art uses sandbox detection: the software is run inside a virtual machine and judged malicious or benign from its observed behaviour. Specifically, the sandbox engine uses hooking (Hook) technology, implemented by a driver running in the virtual machine kernel, to hook sensitive system functions so that the behaviour of malicious software is captured while it runs.
When existing sandboxes that run software inside a virtual machine detect malicious software, pre-customised sandbox environments of various kinds are restored by restoring snapshot files, and different samples are placed into different sandbox environments for execution, so that malicious software can be detected quickly.
However, if the sandbox engine has a defect, the prior art updates it by recompiling the sandbox engine and then rebuilding the sandbox environment and the snapshot file, so the update package is large and updating is slow.
Disclosure of Invention
The invention provides a method, device, equipment and medium for updating the sandbox engine of a virtual machine, to solve the problems of the large update package and low update efficiency in the prior art.
The invention provides a method for updating the sandbox engine of a virtual machine, comprising the following steps:
restoring the virtual machine to the state corresponding to a pre-stored snapshot file, and polling a predetermined update code area from an update thread of the first driver code in the virtual machine;
receiving an update package for the sandbox engine, and writing the precompiled second driver code carried in the update package into the update code area in the virtual machine, wherein the second driver code comprises an export table, a second global data pointer, a second detection function and corresponding identification information, and the export table comprises an update function;
if the second driver code in the update code area is detected to be valid, parsing the export table of the second driver code to obtain the exported update function, calling the update function to determine the first global data pointer in the first driver code and replace the second global data pointer in the second driver code with it, determining, from the first global data pointer and the identification information, the first detection function identified by the identification information in the detection function table pointed to by the first global data pointer, and replacing the first detection function with the second detection function.
Further, writing the precompiled second driver code carried in the update package into the update code area in the virtual machine comprises:
determining the physical address in host memory that corresponds to the pre-stored guest virtual address of the update code area;
and writing the precompiled second driver code carried in the update package into the update code area at that physical address.
Further, after the precompiled second driver code carried in the update package has been written into the update code area in the virtual machine, and before the second driver code in the update code area is detected to be valid, the method further comprises:
importing the application programming interfaces (APIs) of other modules into the written second driver code according to an import table in the second driver code;
and relocating the written second driver code according to a relocation table in the second driver code.
Further, polling the predetermined update code area from the update thread of the first driver code in the virtual machine comprises:
from the update thread of the first driver code in the virtual machine, reading the first flag bit value of the update code area in the current time period and judging whether it equals a pre-stored target flag bit value, wherein the first flag bit value indicates whether the preset operations have been carried out on the update code area, the preset operations comprising code writing, API import and relocation;
if not, reading the first flag bit value of the update code area in the next time period and repeating the comparison with the pre-stored target flag bit value;
if so, determining that the second driver code in the update code area is valid.
Further, calling the update function to determine the first global data pointer in the first driver code comprises:
calling the update function of the second driver code from the update thread of the first driver code, with the first global data pointer of the first driver code passed as a parameter.
Accordingly, the invention provides a device for updating the sandbox engine of a virtual machine, the device comprising:
a detection module, configured to restore the virtual machine to the state corresponding to a pre-stored snapshot file and to poll a predetermined update code area from an update thread of the first driver code in the virtual machine;
a processing module, configured to receive an update package for the sandbox engine and write the precompiled second driver code carried in the update package into the update code area in the virtual machine, wherein the second driver code comprises an export table, a second global data pointer, a second detection function and corresponding identification information, and the export table comprises the update function;
and an update module, configured, if the second driver code in the update code area is detected to be valid, to parse the export table of the second driver code to obtain the exported update function, call the update function to determine the first global data pointer in the first driver code and replace the second global data pointer in the second driver code with it, determine, from the first global data pointer and the identification information, the first detection function identified by the identification information in the detection function table pointed to by the first global data pointer, and replace the first detection function with the second detection function.
Further, the processing module is specifically configured to determine the physical address in host memory that corresponds to the pre-stored guest virtual address of the update code area, and to write the precompiled second driver code carried in the update package into the update code area at that physical address.
Further, the processing module is further configured, after writing the precompiled second driver code carried in the update package into the update code area in the virtual machine, to import the application programming interfaces (APIs) of other modules into the written second driver code according to an import table in the second driver code, and to relocate the written second driver code according to a relocation table in the second driver code.
The detection module is specifically configured to read, from the update thread of the first driver code in the virtual machine, the first flag bit value of the update code area in the current time period and judge whether it equals a pre-stored target flag bit value, wherein the first flag bit value indicates whether the preset operations have been carried out on the update code area, the preset operations comprising code writing, API import and relocation; if the first flag bit value differs from the pre-stored target flag bit value, to read the first flag bit value of the update code area in the next time period and repeat the comparison with the pre-stored target flag bit value; and if the first flag bit value equals the pre-stored target flag bit value, to determine that the second driver code in the update code area is valid.
Further, the update module is specifically configured to call the update function of the second driver code from the update thread of the first driver code, with the first global data pointer of the first driver code passed as a parameter.
Correspondingly, the invention provides electronic equipment comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another over the communication bus; the memory stores a computer program which, when executed by the processor, causes the processor to carry out the steps of any of the above methods for updating the sandbox engine of a virtual machine.
Accordingly, the invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of any of the above methods for updating the sandbox engine of a virtual machine.
The invention provides a method, device, equipment and medium for updating the sandbox engine of a virtual machine. The virtual machine is restored to the state corresponding to a pre-stored snapshot file, and a predetermined update code area is polled from an update thread of the first driver code in the virtual machine. An update package for the sandbox engine is received, and the precompiled second driver code carried in it is written into the update code area in the virtual machine; the second driver code comprises an export table, a second global data pointer, a second detection function and corresponding identification information, and the export table comprises the update function. If the second driver code in the update code area is detected to be valid, the export table of the second driver code is parsed to obtain the exported update function, the update function is called to determine the first global data pointer in the first driver code and replace the second global data pointer in the second driver code with it, the first detection function identified by the identification information is located in the detection function table pointed to by the first global data pointer, and the first detection function is replaced with the second detection function. Because the sandbox engine can be updated after the virtual machine is restored to the snapshot state simply by updating the global data pointer and the detection function, the snapshot file and the sandbox environment do not need to be rebuilt, the update package that has to be produced is small, and updating is efficient.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed in the description of the embodiments are briefly introduced below. It is evident that the drawings described below are only some embodiments of the invention, and that a person skilled in the art could derive other drawings from them without inventive effort.
Fig. 1 is a schematic process diagram of a method for updating the sandbox engine of a virtual machine according to an embodiment of the invention;
Fig. 2 is a schematic diagram of an embodiment of the invention;
Fig. 3 is a schematic structural diagram of a device for updating the sandbox engine of a virtual machine according to an embodiment of the invention;
Fig. 4 is a schematic structural diagram of electronic equipment according to an embodiment of the invention.
Detailed Description
To make the objects, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the accompanying drawings. It is evident that the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that a person skilled in the art could derive from the embodiments of the invention without inventive effort fall within the scope of the invention.
To improve the update efficiency of the sandbox engine of a virtual machine, embodiments of the invention provide a method, device, equipment and medium for updating the sandbox engine of a virtual machine.
Example 1:
Fig. 1 is a schematic process diagram of a method for updating the sandbox engine of a virtual machine according to an embodiment of the invention. The process comprises the following steps:
S101: restore the virtual machine to the state corresponding to a pre-stored snapshot file, and poll a predetermined update code area from an update thread of the first driver code in the virtual machine.
The method is applied to electronic equipment, which may be a PC, a tablet computer, a smart terminal, a server or the like; the server may be a local server or a cloud server.
To improve the update efficiency of the sandbox engine, in the embodiment of the invention the electronic equipment stores a snapshot file in advance, and the virtual machine (Guest side) in the electronic equipment can be restored to the state corresponding to that snapshot file. Restoring a virtual machine from a snapshot file belongs to the prior art and is not repeated here.
Polling the predetermined update code area from the update thread of the first driver code in the virtual machine means checking the update code area at a fixed period to detect whether code is present in the update code area and whether that code is valid. The update code area is a fixed-size region, large enough for any expected patch, that the driver allocates during its initialisation; it is used to hold the second driver code written by the Host.
S102: receive an update package for the sandbox engine, and write the precompiled second driver code carried in the update package into the update code area in the virtual machine, wherein the second driver code comprises an export table, a second global data pointer, a second detection function and corresponding identification information, and the export table comprises the update function.
To improve the update efficiency of the sandbox engine of the virtual machine, in the embodiment of the invention the electronic equipment receives a prebuilt update package for the sandbox engine and begins updating the sandbox engine once the package has been received.
Specifically, the Host side of the electronic equipment receives the update package and extracts the second driver code from it.
To update the sandbox engine of the virtual machine, the update package carries precompiled second driver code, which is the code of a new driver for the sandbox engine; the defective functions of the sandbox engine can be corrected on the basis of this second driver code.
The second driver code comprises an export table, a second global data pointer, a second detection function and corresponding identification information. The export table comprises an update function; its purpose is to export the update function so that the electronic equipment can call it.
The second global data pointer is used to access all global data. The region holding the global data is allocated dynamically during driver initialisation according to the total size of that data, and the global data includes the global function table in which the detection functions reside.
The second detection function is used to detect malicious behaviour while malicious software runs. The identification information corresponding to the second detection function may be its sequence number in the global function table: detection functions are stored in the global function table, the detection function corresponding to each sequence number is fixed, and the hooked head of each sensitive function jumps directly to the detection function at the corresponding position in the global function table.
After the virtual machine has been restored to the state corresponding to the snapshot file, the Host side of the electronic equipment writes the obtained second driver code into the predetermined update code area on the Guest side.
S103: if the second driver code in the update code area is detected to be valid, parse the export table of the second driver code to obtain the exported update function, call the update function to determine the first global data pointer in the first driver code and replace the second global data pointer in the second driver code with it, determine, from the first global data pointer and the identification information, the first detection function identified by the identification information in the detection function table pointed to by the first global data pointer, and replace the first detection function with the second detection function.
Because only some functions of the old driver in the sandbox engine are defective while the others work correctly, the first driver code of the old driver does not need to be removed. Once the second driver code in the update code area has been detected to be valid, running that second driver code replaces just the defective function of the old driver.
To replace the defective function of the old driver on the basis of the second driver code, in the embodiment of the invention the export table in the second driver code is parsed to obtain the exported update function, and the update function is called to determine the first global data pointer in the first driver code.
After the first global data pointer has been obtained, it replaces the second global data pointer in the second driver code, so that when the second driver code runs it locates the detection function table in the global data through the first global data pointer.
The detection function table on the Guest side is determined from the first global data pointer, and the first detection function identified by the identification information is located in that table using the identification information that accompanies the second detection function in the second driver code. This first detection function is the cause of the defect in the old driver, so the electronic equipment replaces it with the second detection function carrying the same identification information.
In the embodiment of the invention, after the virtual machine has been restored to the state corresponding to the snapshot file, the sandbox engine can be updated by updating the global data pointer and the detection function, so the snapshot file and the sandbox environment do not need to be rebuilt, the update package that has to be produced when the sandbox engine is updated is smaller, and updating is more efficient.
Example 2:
To write the second driver code into the update code area, in the embodiment of the invention writing the precompiled second driver code carried in the update package into the update code area in the virtual machine comprises:
determining the physical address in host memory that corresponds to the pre-stored guest virtual address of the update code area;
and writing the precompiled second driver code carried in the update package into the update code area at that physical address.
To write the second driver code into the update code area, in the embodiment of the invention the electronic equipment first determines the physical address of the update code area.
The electronic equipment pre-stores the guest virtual address of the update code area, that is, the address of the update code area within the memory space of the virtual machine.
From this pre-stored virtual address it determines the corresponding physical address in host memory, which is an address in real physical memory, and writes the second driver code into the update code area at that physical address. In practice this translation has two stages: the guest virtual address is resolved to a guest physical address through the guest's page tables, and the guest physical address to a host physical address through the hypervisor's memory mapping. Because the address is stored once and reused after every snapshot restore, the update code area must remain resident at a fixed physical location (non-paged memory) for the stored mapping to stay valid.
Specifically, the Guest side of the electronic equipment stores the virtual address of the update code area and sends it to the Host side over the virtual machine's guest-host communication channel; the Host side determines the physical address from the virtual address and writes the second driver code into the update code area at that physical address.
Example 3:
To allow the second driver code to run afterwards, in the embodiment of the invention, after the precompiled second driver code carried in the update package has been written into the update code area in the virtual machine, and before the second driver code in the update code area is detected to be valid, the method further comprises:
importing the application programming interfaces (APIs) of other modules into the written second driver code according to an import table in the second driver code;
and relocating the written second driver code according to a relocation table in the second driver code.
To allow the second driver code to run afterwards, in the embodiment of the invention, after the second driver code has been written into the update code area of the virtual machine, application programming interface (API) import and relocation are also performed on it.
Specifically, the second driver code further comprises an import table listing the identification information of the APIs of other modules that it needs; the written second driver code is linked to those APIs according to the identification information in the import table, so that each import slot holds the address of the corresponding API in the running guest kernel.
The second driver code also comprises a relocation table, which lists the locations of the memory addresses inside the code that must be corrected when the code is loaded at an address different from the one it was linked for.
Relocation adjusts each address listed in the relocation table by the difference between the load address and the link address, so that the code runs correctly at the address of the update code area.
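As an added illustration of the import and relocation steps of Example 3 (example code written for this page, not code from the patent, which does not disclose its image format), the following C program defines a constructed minimal module layout with one import slot and one absolute pointer, writes it into a buffer standing in for the update code area, fills the import slot from a stand-in resolver (the API name SampleApi and the resolver are assumptions), and rebases the pointer by the difference between the actual and preferred base. Every offset is bounds-checked against the image length, and an unresolved import makes the load fail, because code with a dangling import slot must never be marked valid.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed module layout (an assumption for this example; the patent specifies none):
 *   OFF_BASE      uintptr_t  address the module was linked for
 *   OFF_MSG_PTR   uintptr_t  absolute pointer to msg, needs relocation
 *   OFF_API_SLOT  uintptr_t  import slot, filled by the host
 *   OFF_MSG       char[]     data the relocated pointer must land on
 * Pointers are stored as uintptr_t so the same code works on 32- and 64-bit hosts. */
enum { OFF_BASE = 0, OFF_MSG_PTR = sizeof(uintptr_t),
       OFF_API_SLOT = 2 * sizeof(uintptr_t), OFF_MSG = 3 * sizeof(uintptr_t) };

struct reloc_entry  { size_t offset; };                 /* where an absolute address lives */
struct import_entry { const char *name; size_t slot; };  /* API name -> slot to fill */

typedef uintptr_t (*resolver_fn)(const char *name);      /* host-side lookup of guest kernel exports */

static uintptr_t rd(const uint8_t *p, size_t off) { uintptr_t v; memcpy(&v, p + off, sizeof v); return v; }
static void wr(uint8_t *p, size_t off, uintptr_t v) { memcpy(p + off, &v, sizeof v); }

/* Write the image into the update area, resolve imports, then relocate.
 * Returns 0 on success, negative on any bounds or resolution failure. */
int load_into_update_area(uint8_t *area, size_t area_len,
                          const uint8_t *image, size_t image_len,
                          const struct import_entry *imports, size_t n_imp,
                          const struct reloc_entry *relocs, size_t n_rel,
                          resolver_fn resolve)
{
    if (image_len > area_len || image_len < OFF_MSG) return -1;   /* area is fixed-size */
    memcpy(area, image, image_len);                                 /* step 1: code writing */

    for (size_t i = 0; i < n_imp; i++) {                            /* step 2: API import */
        if (imports[i].slot + sizeof(uintptr_t) > image_len) return -2;
        uintptr_t addr = resolve(imports[i].name);
        if (addr == 0) return -3;                                   /* unresolved: refuse to run */
        wr(area, imports[i].slot, addr);
    }

    uintptr_t delta = (uintptr_t)area - rd(area, OFF_BASE);         /* step 3: relocation */
    for (size_t i = 0; i < n_rel; i++) {
        if (relocs[i].offset + sizeof(uintptr_t) > image_len) return -4;
        wr(area, relocs[i].offset, rd(area, relocs[i].offset) + delta);
    }
    wr(area, OFF_BASE, (uintptr_t)area);                            /* record the actual base */
    return 0;
}

/* ---- constructed sample: a module linked for base 0x10000 ---- */
#define PREFERRED_BASE ((uintptr_t)0x10000)
static const char SAMPLE_MSG[] = "patched";

size_t build_sample_image(uint8_t *buf, size_t cap) {
    size_t len = OFF_MSG + sizeof SAMPLE_MSG;
    if (cap < len) return 0;
    memset(buf, 0, len);
    wr(buf, OFF_BASE, PREFERRED_BASE);
    wr(buf, OFF_MSG_PTR, PREFERRED_BASE + OFF_MSG);   /* absolute, valid only at the preferred base */
    wr(buf, OFF_API_SLOT, 0);                          /* import slot, empty until loaded */
    memcpy(buf + OFF_MSG, SAMPLE_MSG, sizeof SAMPLE_MSG);
    return len;
}

/* Hypothetical "other module" API the patch imports; the resolver stands in for the
 * host's knowledge of the guest kernel's export list. */
static int sample_api(void) { return 42; }

uintptr_t sample_resolver(const char *name) {
    return strcmp(name, "SampleApi") == 0 ? (uintptr_t)sample_api : 0;
}

static const struct import_entry SAMPLE_IMPORTS[] = { { "SampleApi", OFF_API_SLOT } };
static const struct reloc_entry  SAMPLE_RELOCS[]  = { { OFF_MSG_PTR } };

int main(void) {
    static uint8_t area[256];   /* stands in for the update code area */
    uint8_t image[128];
    size_t len = build_sample_image(image, sizeof image);
    int rc = load_into_update_area(area, sizeof area, image, len,
                                   SAMPLE_IMPORTS, 1, SAMPLE_RELOCS, 1, sample_resolver);
    const char *msg = (const char *)rd(area, OFF_MSG_PTR);          /* now points into area */
    int (*api)(void) = (int (*)(void))rd(area, OFF_API_SLOT);
    printf("rc=%d msg=%s api()=%d\n", rc, msg, api());
    return rc;
}
```

The order matters: imports are written into the copy before relocation, and the relocation delta is computed from the base recorded in the copy, so the same code handles an image loaded at any address. A real PE or ELF loader walks the format's own import and base-relocation directories, but the arithmetic per entry is the same as here.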
Example 4:
To determine promptly whether the written second driver code is valid, in the embodiment of the invention polling the predetermined update code area from the update thread of the first driver code in the virtual machine comprises:
from the update thread of the first driver code in the virtual machine, reading the first flag bit value of the update code area in the current time period and judging whether it equals a pre-stored target flag bit value, wherein the first flag bit value indicates whether the preset operations have been carried out on the update code area, the preset operations comprising code writing, API import and relocation;
if not, reading the first flag bit value of the update code area in the next time period and repeating the comparison with the pre-stored target flag bit value;
if so, determining that the second driver code in the update code area is valid.
To determine promptly whether the written second driver code is valid, in the embodiment of the invention the update thread of the first driver code in the virtual machine polls the second driver code in the update code area. Each polling period is the same fixed, preset length of time: a shorter period detects a valid second driver code sooner, while a longer period reduces resource consumption.
The first flag bit value of the update code area is read in the current time period. The first flag bit value indicates whether the preset operations (code writing, API import and relocation) have been carried out on the update code area: if they have, the second driver code in the update code area is valid; if not, it is invalid.
To judge whether the second driver code is valid, the electronic equipment pre-stores a target flag bit value, which is the value the flag takes once the preset operations have been carried out on the update code area. After the first flag bit value of the current time period has been read, it is compared with the target flag bit value.
If the first flag bit value differs from the target flag bit value, the preset operations on the update code area have not yet completed, so the first flag bit value of the update code area is read again in the next time period and compared with the target flag bit value, until the value read equals the target flag bit value. If the first flag bit value equals the target flag bit value, the preset operations on the update code area have completed and the second driver code in the update code area is valid.
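To make the flag-bit polling of Example 4 concrete, here is an added single-threaded C simulation (not code from the patent; the three flag bits, their order and the 4096-byte area size are assumptions). The simulated host completes one preset operation per polling period and sets the corresponding bit; the guest update thread reads the flag once per period and treats the code as valid only when the value equals the pre-stored target exactly, so a half-prepared area never passes. A second host that stalls after the import step shows the path where the code is never accepted.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag bits the host sets in the update code area as each preset operation completes
 * (bit assignment is an assumption for this example). */
enum {
    FLAG_CODE_WRITTEN = 1u << 0,
    FLAG_API_IMPORTED = 1u << 1,
    FLAG_RELOCATED    = 1u << 2,
};
/* Pre-stored target flag bit value: all three preset operations done. */
#define TARGET_FLAG_VALUE (FLAG_CODE_WRITTEN | FLAG_API_IMPORTED | FLAG_RELOCATED)

struct update_area {
    volatile uint32_t flag;   /* written by the host, read by the guest update thread */
    uint8_t code[4096];       /* fixed-size area reserved at driver initialisation */
};

/* Simulated host, called once per polling period so the demo runs single-threaded.
 * In the real system the host writes asynchronously and the guest only reads. */
typedef void (*host_step_fn)(struct update_area *area, int period);

/* Guest update thread. One read per period; the code is valid only when the flag
 * equals the target exactly, so a partially prepared area compares unequal.
 * Returns the period in which the code became valid, or -1 after max_periods. */
int poll_update_area(struct update_area *area, int max_periods, host_step_fn host_step)
{
    for (int period = 0; period < max_periods; period++) {
        if (host_step) host_step(area, period);
        uint32_t first_flag = area->flag;           /* the first flag bit value */
        if (first_flag == TARGET_FLAG_VALUE) return period;
        /* otherwise: sleep for the fixed interval and re-read in the next period */
    }
    return -1;
}

/* Host that finishes one preset operation per period, in order. */
void host_three_steps(struct update_area *area, int period)
{
    switch (period) {
    case 0: area->code[0] = 0x90; area->flag |= FLAG_CODE_WRITTEN; break;
    case 1: area->flag |= FLAG_API_IMPORTED; break;
    case 2: area->flag |= FLAG_RELOCATED; break;
    default: break;
    }
}

/* Host that stalls after the import step: the guest must never run this code. */
void host_stalls_after_import(struct update_area *area, int period)
{
    if (period == 0) area->flag |= FLAG_CODE_WRITTEN;
    if (period == 1) area->flag |= FLAG_API_IMPORTED;
}

int main(void)
{
    static struct update_area a, b;
    printf("complete host: valid in period %d, flag=0x%x\n",
           poll_update_area(&a, 10, host_three_steps), (unsigned)a.flag);
    printf("stalled host: result %d, flag=0x%x\n",
           poll_update_area(&b, 10, host_stalls_after_import), (unsigned)b.flag);
    return 0;
}
```

In a real driver the host must set each flag bit only after the corresponding bytes (code, import slots, relocated addresses) have actually landed in guest memory, and the guest must re-read the flag on every period (hence the volatile qualifier), because the guest will jump into the area as soon as it sees the target value; the exact-equality comparison in the patent is what rules out acting on a partially set flag.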
Example 5:
To let the second driver code determine the first global data pointer of the first driver code, in the embodiment of the invention calling the update function to determine the first global data pointer in the first driver code comprises:
calling the update function of the second driver code from the update thread of the first driver code, with the first global data pointer of the first driver code passed as a parameter.
To let the second driver code determine the first global data pointer of the first driver code, in the embodiment of the invention the first driver code of the original virtual machine in the electronic equipment comprises the update thread and the first global data pointer.
The electronic equipment calls the update function of the second driver code from the update thread of the first driver code. At the time of the call, the first global data pointer of the first driver code is obtained and passed to the update function as a parameter, which is how the update function determines the first global data pointer.
Example 6:
The following describes a sandbox engine updating method of a virtual machine according to an embodiment of the present invention; fig. 2 is a schematic diagram provided by the embodiment of the present invention, as shown in fig. 2:
A Host end and a Guest end exist in the electronic device. The Host end writes the second driver code into the Guest end, and the Guest end contains a global data pointer, a detection function table and an update code area.
The Guest end of the electronic device first initializes, which includes initializing the global data pointer, initializing the detection function table and allocating the update code area.
The Host end of the electronic device restores the Guest end to the state corresponding to a pre-stored snapshot file, and the Guest end performs polling detection on the predetermined update code area based on the update thread of the first driver code.
An update package of the sandbox engine for the Guest end is received, the precompiled second driver code carried in the update package is obtained, the physical address on the Host end is determined from the virtual address of the update code area sent by the Guest end, the second driver code is written according to that physical address, and the Host end of the electronic device performs API import and relocation on the second driver code in the update code area according to the kernel information of the running Guest end.
The Guest end of the electronic device obtains the first flag bit value of the update code area in the current time period and judges whether it is identical to the pre-stored target flag bit value. The first flag bit value indicates whether the preset operation has been performed in the update code area, the preset operation comprising code writing, API import and relocation. If not, the step of judging whether the first flag bit value is identical to the pre-stored target flag bit value is performed again in the next time period; if so, the second driver code in the update code area is determined to be valid, its export table is parsed and the exported update function is obtained.
The Guest end of the electronic device calls the update function, determines the first global data pointer of the first driver code that is passed as a parameter, replaces the second global data pointer in the second driver code with it, determines the detection function table according to the first global data pointer, determines, according to the identification information in the second driver code, the first detection function identified by that identification information in the detection function table, and replaces the first detection function with the second detection function. The second driver code is the code of the patch driver and is used to correct the part of the sandbox engine whose function is faulty. The first driver code is the code of the detection driver and is used to detect malicious software behaviour.
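The Host/Guest flow of this example, modelled end to end as an added C example that is not the patent's own code: the flag bits, table layout, identifiers, marker strings and function names are all constructed. The host raises the flag to the target value only after the last preset operation, so the guest's polling thread never treats a half-written or unrelocated image as valid, and an interrupted update leaves the original detection function in place.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Flag bits of the update code area (constructed values). The host sets one bit
 * per preset operation; the guest treats the area as valid only when the whole
 * value equals TARGET_FLAG, the pre-stored target flag bit value. */
#define FLAG_WRITTEN   0x1u   /* code writing done */
#define FLAG_IMPORTED  0x2u   /* API import done   */
#define FLAG_RELOCATED 0x4u   /* relocation done   */
#define TARGET_FLAG    (FLAG_WRITTEN | FLAG_IMPORTED | FLAG_RELOCATED)

typedef int (*detect_fn)(const char *sample);

/* Detection function table reached through the first driver's global data pointer. */
struct detect_table {
    uint32_t  ids[4];   /* identification information of each entry */
    detect_fn fns[4];
    size_t    count;
};
struct global_data { struct detect_table *table; };

struct second_driver;
typedef int (*update_fn)(struct second_driver *self, struct global_data *first_gdp);

/* The patch (second) driver as written into the update code area. */
struct second_driver {
    update_fn           exported_update; /* the export table's single entry */
    struct global_data *gdp;             /* second global data pointer, NULL until updated */
    uint32_t            target_id;       /* identifies the detection function to replace */
    detect_fn           replacement;     /* second detection function */
};

/* Update code area in guest memory: flag word followed by the driver image. */
struct update_code_area {
    volatile uint32_t    flag;
    struct second_driver driver;
};

/* Constructed detectors: v1 knows one marker string, the patched v2 knows both. */
static int detect_v1(const char *s) { return strstr(s, "EVIL-MARKER-A") != NULL; }
static int detect_v2(const char *s) {
    return strstr(s, "EVIL-MARKER-A") != NULL || strstr(s, "EVIL-MARKER-B") != NULL;
}

/* Exported update function of the second driver: takes over the first driver's
 * global data pointer, then swaps the table entry whose id matches target_id. */
static int patch_update(struct second_driver *self, struct global_data *first_gdp) {
    self->gdp = first_gdp;                  /* replace the second global data pointer */
    struct detect_table *t = self->gdp->table;
    for (size_t i = 0; i < t->count; i++) {
        if (t->ids[i] == self->target_id) {
            t->fns[i] = self->replacement;  /* replace the first detection function */
            return 0;
        }
    }
    return -1;                              /* id not in table: nothing replaced */
}

/* Host side: write the precompiled driver, then import and relocate. The flag
 * reaches TARGET_FLAG only after the last step, so the guest never treats a
 * half-processed image as valid. complete == 0 models an interrupted update. */
static void host_write_update(struct update_code_area *area,
                              const struct second_driver *pkg, int complete) {
    area->flag = 0;
    area->driver = *pkg;
    area->flag |= FLAG_WRITTEN;
    if (!complete) return;
    area->flag |= FLAG_IMPORTED;    /* import table processed (bit only, in this model) */
    area->flag |= FLAG_RELOCATED;   /* relocation table applied (bit only, in this model) */
}

/* Guest side, on the first driver's update thread: read the flag once per
 * period; 1 once it equals the target, 0 when the polling budget runs out. */
static int guest_poll(struct update_code_area *area, unsigned max_periods) {
    for (unsigned p = 0; p < max_periods; p++)
        if (area->flag == TARGET_FLAG) return 1;
    return 0;
}

/* Parse the export table and call the update function with the first global
 * data pointer passed as parameter. 0 on success, negative on failure. */
static int guest_apply_update(struct update_code_area *area,
                              struct global_data *first_gdp, unsigned max_periods) {
    if (!guest_poll(area, max_periods)) return -2;   /* never became valid */
    update_fn fn = area->driver.exported_update;
    if (fn == NULL) return -3;                       /* export table lacks the entry */
    return fn(&area->driver, first_gdp);
}

/* Whole flow for one constructed sample. Stores guest_apply_update's status in
 * *status and returns the verdict of detector id 7 after the update attempt. */
static int run_update_scenario(const char *sample, int complete, int *status) {
    struct detect_table table = { {3, 7}, {detect_v1, detect_v1}, 2 };
    struct global_data first_gdp = { &table };   /* first global data pointer */
    struct second_driver pkg = { patch_update, NULL, 7, detect_v2 };
    struct update_code_area area;
    host_write_update(&area, &pkg, complete);
    *status = guest_apply_update(&area, &first_gdp, 16);
    return table.fns[1](sample);                 /* entry with id 7 */
}
```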
Example 7:
Fig. 3 is a schematic structural diagram of a sandbox engine updating device for a virtual machine according to an embodiment of the present invention. On the basis of the foregoing embodiments, the sandbox engine updating device for a virtual machine according to an embodiment of the present invention further includes:
a detection module 301, configured to restore the virtual machine to a state corresponding to a pre-saved snapshot file according to the snapshot file, and to perform polling detection on a predetermined update code area based on an update thread of a first driver code in the virtual machine;
a processing module 302, configured to receive an update package of the sandbox engine and write a precompiled second driver code carried in the update package into the update code area in the virtual machine, where the second driver code includes an export table, a second global data pointer, a second detection function and corresponding identification information, and the export table includes an update function;
and an updating module 303, configured to, if the second driver code in the update code area is detected to be valid, parse the export table of the second driver code to obtain the exported update function, call the update function to determine a first global data pointer in the first driver code and replace the second global data pointer in the second driver code with it, determine, according to the first global data pointer and the identification information, a first detection function identified by the identification information in a detection function table pointed to by the first global data pointer, and replace the first detection function with the second detection function.
Further, the processing module is specifically configured to determine a physical address of the host memory space corresponding to a pre-saved virtual address of the guest memory space of the update code area, and to write the precompiled second driver code carried in the update package into the update code area according to that physical address.
Further, the processing module is further configured to, after writing the precompiled second driver code carried in the update package into the update code area in the virtual machine, perform application programming interface (API) import of other modules on the written second driver code according to an import table in the second driver code, and relocate the written second driver code according to a relocation table in the second driver code.
The detection module is specifically configured to obtain a first flag bit value of the update code area in a current time period based on the update thread of the first driver code in the virtual machine, and to determine whether the first flag bit value is the same as a pre-stored target flag bit value, where the first flag bit value indicates whether a preset operation has been performed in the update code area, the preset operation including code writing, API import and relocation; to obtain the first flag bit value of the update code area in the next time period if the first flag bit value differs from the pre-stored target flag bit value, and trigger the determination module to continue performing the step of determining whether the first flag bit value is the same as the pre-stored target flag bit value; and to determine that the second driver code in the update code area is valid if the first flag bit value is the same as the pre-stored target flag bit value.
Further, the updating module is specifically configured to call the update function of the second driver code based on the update thread of the first driver code, and to determine the first global data pointer of the first driver code that is passed as a parameter.
Example 8:
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. On the basis of the foregoing embodiments, the embodiment of the present invention further provides an electronic device, which includes a processor 401, a communication interface 402, a memory 403 and a communication bus 404, where the processor 401, the communication interface 402 and the memory 403 communicate with each other through the communication bus 404;
the memory 403 stores a computer program which, when executed by the processor 401, causes the processor 401 to perform the following steps:
restoring the virtual machine to a state corresponding to a pre-stored snapshot file according to the snapshot file, and performing polling detection on a predetermined update code area based on an update thread of a first driver code in the virtual machine;
receiving an update package of the sandbox engine, and writing a precompiled second driver code carried in the update package into the update code area in the virtual machine, wherein the second driver code comprises an export table, a second global data pointer, a second detection function and corresponding identification information, and the export table comprises an update function;
if the second driver code in the update code area is detected to be valid, parsing the export table of the second driver code to obtain the exported update function, calling the update function to determine a first global data pointer in the first driver code and replace the second global data pointer in the second driver code with it, determining, according to the first global data pointer and the identification information, a first detection function identified by the identification information in a detection function table pointed to by the first global data pointer, and replacing the first detection function with the second detection function.
Further, the writing, by the processor 401, of the precompiled second driver code carried in the update package into the update code area in the virtual machine includes:
determining a physical address of the host memory space corresponding to a pre-stored virtual address of the guest memory space of the update code area;
and writing the precompiled second driver code carried in the update package into the update code area according to that physical address.
Further, the processor 401 is further configured so that, after the precompiled second driver code carried in the update package has been written into the update code area in the virtual machine and before the second driver code in the update code area is detected to be valid, the steps further include:
performing application programming interface (API) import of other modules on the written second driver code according to an import table in the second driver code;
and relocating the written second driver code according to a relocation table in the second driver code.
Further, the processor 401 is specifically configured to perform the polling detection on the predetermined update code area based on the update thread of the first driver code in the virtual machine, where the polling detection includes:
based on the update thread of the first driver code in the virtual machine, obtaining a first flag bit value of the update code area in a current time period, and judging whether the first flag bit value is the same as a pre-stored target flag bit value, wherein the first flag bit value indicates whether a preset operation has been performed in the update code area, the preset operation comprising code writing, API import and relocation;
if not, obtaining the first flag bit value of the update code area in the next time period, and continuing to perform the step of judging whether the first flag bit value is the same as the pre-stored target flag bit value;
if so, determining that the second driver code in the update code area is detected to be valid.
Further, the processor 401 being specifically configured to determine the first global data pointer in the first driver code by calling the update function includes:
calling the update function of the second driver code based on the update thread of the first driver code, and determining the first global data pointer of the first driver code that is passed as a parameter.
The communication bus of the electronic device mentioned above may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. The communication bus may be divided into an address bus, a data bus, a control bus and the like. For ease of illustration, only one bold line is drawn in the figure, but this does not mean that there is only one bus or only one type of bus.
The communication interface 402 is used for communication between the electronic device described above and other devices.
The memory may include random access memory (RAM) or non-volatile memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like, or may be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component and the like.
Example 9:
On the basis of the above embodiments, the embodiments of the present invention also provide a computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the following steps:
restoring the virtual machine to a state corresponding to a pre-stored snapshot file according to the snapshot file, and performing polling detection on a predetermined update code area based on an update thread of a first driver code in the virtual machine;
receiving an update package of the sandbox engine, and writing a precompiled second driver code carried in the update package into the update code area in the virtual machine, wherein the second driver code comprises an export table, a second global data pointer, a second detection function and corresponding identification information, and the export table comprises an update function;
if the second driver code in the update code area is detected to be valid, parsing the export table of the second driver code to obtain the exported update function, calling the update function to determine a first global data pointer in the first driver code and replace the second global data pointer in the second driver code with it, determining, according to the first global data pointer and the identification information, a first detection function identified by the identification information in a detection function table pointed to by the first global data pointer, and replacing the first detection function with the second detection function.
Further, writing the precompiled second driver code carried in the update package into the update code area in the virtual machine includes:
determining a physical address of the host memory space corresponding to a pre-stored virtual address of the guest memory space of the update code area;
and writing the precompiled second driver code carried in the update package into the update code area according to that physical address.
Further, after writing the precompiled second driver code carried in the update package into the update code area in the virtual machine and before the second driver code in the update code area is detected to be valid, the method further includes:
performing application programming interface (API) import of other modules on the written second driver code according to an import table in the second driver code;
and relocating the written second driver code according to a relocation table in the second driver code.
Further, the polling detection on the predetermined update code area based on the update thread of the first driver code in the virtual machine includes:
based on the update thread of the first driver code in the virtual machine, obtaining a first flag bit value of the update code area in a current time period, and judging whether the first flag bit value is the same as a pre-stored target flag bit value, wherein the first flag bit value indicates whether a preset operation has been performed in the update code area, the preset operation comprising code writing, API import and relocation;
if not, obtaining the first flag bit value of the update code area in the next time period, and continuing to perform the step of judging whether the first flag bit value is the same as the pre-stored target flag bit value;
if so, determining that the second driver code in the update code area is detected to be valid.
Further, calling the update function to determine the first global data pointer in the first driver code comprises:
calling the update function of the second driver code based on the update thread of the first driver code, and determining the first global data pointer of the first driver code that is passed as a parameter.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, it is intended that the present application also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.
Claims (9)
1. A method for updating a sandbox engine of a virtual machine, the method comprising:
restoring the virtual machine to a state corresponding to a pre-stored snapshot file according to the snapshot file, and performing polling detection on a predetermined update code area based on an update thread of a first driver code in the virtual machine;
receiving an update package of the sandbox engine, and writing a precompiled second driver code carried in the update package into the update code area in the virtual machine, wherein the second driver code comprises an export table, a second global data pointer, a second detection function and corresponding identification information, and the export table comprises an update function;
if the second driver code in the update code area is detected to be valid, parsing the export table of the second driver code to obtain the exported update function, calling the update function to determine a first global data pointer in the first driver code and replace the second global data pointer in the second driver code with it, determining, according to the first global data pointer and the identification information, a first detection function identified by the identification information in a detection function table pointed to by the first global data pointer, and replacing the first detection function with the second detection function;
wherein the polling detection on the predetermined update code area based on the update thread of the first driver code in the virtual machine comprises the following steps:
based on the update thread of the first driver code in the virtual machine, obtaining a first flag bit value of the update code area in a current time period, and judging whether the first flag bit value is the same as a pre-stored target flag bit value, wherein the first flag bit value indicates whether a preset operation has been performed in the update code area, the preset operation comprising code writing, API import and relocation;
if not, obtaining the first flag bit value of the update code area in the next time period, and continuing to perform the step of judging whether the first flag bit value is the same as the pre-stored target flag bit value;
if so, determining that the second driver code in the update code area is detected to be valid.
2. The method of claim 1, wherein writing the precompiled second driver code carried in the update package into the update code area in the virtual machine comprises:
determining a physical address of the host memory space corresponding to a pre-stored virtual address of the guest memory space of the update code area;
and writing the precompiled second driver code carried in the update package into the update code area according to that physical address.
3. The method of claim 1, wherein after writing the precompiled second driver code carried in the update package into the update code area in the virtual machine and before the second driver code in the update code area is detected to be valid, the method further comprises:
performing application programming interface (API) import of other modules on the written second driver code according to an import table in the second driver code;
and relocating the written second driver code according to a relocation table in the second driver code.
4. The method of claim 1, wherein said calling the update function to determine a first global data pointer in the first driver code comprises:
calling the update function of the second driver code based on the update thread of the first driver code, and determining the first global data pointer of the first driver code that is passed as a parameter.
5. A sandbox engine updating apparatus of a virtual machine, the apparatus comprising:
a detection module, configured to restore the virtual machine to a state corresponding to a pre-stored snapshot file according to the snapshot file, and to perform polling detection on a predetermined update code area based on an update thread of a first driver code in the virtual machine;
a processing module, configured to receive an update package of the sandbox engine and write a precompiled second driver code carried in the update package into the update code area in the virtual machine, wherein the second driver code comprises an export table, a second global data pointer, a second detection function and corresponding identification information, and the export table comprises an update function;
an updating module, configured to, if the second driver code in the update code area is detected to be valid, parse the export table of the second driver code to obtain the exported update function, call the update function to determine a first global data pointer in the first driver code and replace the second global data pointer in the second driver code with it, determine, according to the first global data pointer and the identification information, a first detection function identified by the identification information in a detection function table pointed to by the first global data pointer, and replace the first detection function with the second detection function;
wherein the detection module is specifically configured to obtain a first flag bit value of the update code area in a current time period based on the update thread of the first driver code in the virtual machine, and to determine whether the first flag bit value is the same as a pre-stored target flag bit value, wherein the first flag bit value indicates whether a preset operation has been performed in the update code area, the preset operation comprising code writing, API import and relocation; to obtain the first flag bit value of the update code area in the next time period if the first flag bit value differs from the pre-stored target flag bit value, and trigger the determination module to continue performing the step of determining whether the first flag bit value is the same as the pre-stored target flag bit value; and to determine that the second driver code in the update code area is valid if the first flag bit value is the same as the pre-stored target flag bit value.
6. The apparatus of claim 5, wherein the processing module is specifically configured to determine a physical address of the host memory space corresponding to a pre-stored virtual address of the guest memory space of the update code area, and to write the precompiled second driver code carried in the update package into the update code area according to that physical address.
7. The apparatus of claim 5, wherein the processing module is further configured to, after writing the precompiled second driver code carried in the update package into the update code area in the virtual machine, perform an API import of other modules on the written second driver code according to an import table in the second driver code, and then relocate the written second driver code according to a relocation table in the second driver code.
8. An electronic device, comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
the memory stores a computer program which, when executed by the processor, causes the processor to perform the method of any one of claims 1-4.
9. A computer-readable storage medium storing a computer program executable by a processor, which, when run on the processor, causes the processor to perform the method of any one of claims 1-4.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111559043.XA CN114356366B (en) | 2021-12-20 | 2021-12-20 | A method, device, equipment and medium for updating a sandbox engine of a virtual machine |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114356366A CN114356366A (en) | 2022-04-15 |
| CN114356366B true CN114356366B (en) | 2025-02-14 |
Family ID: 81101203
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111559043.XA Active CN114356366B (en) | 2021-12-20 | 2021-12-20 | A method, device, equipment and medium for updating a sandbox engine of a virtual machine |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114356366B (en) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |