[go: up one dir, main page]

CN112231198B - Malicious process debugging method and device, electronic equipment and medium - Google Patents

Malicious process debugging method and device, electronic equipment and medium Download PDF

Info

Publication number
CN112231198B
CN112231198B CN201910636199.XA CN201910636199A CN112231198B CN 112231198 B CN112231198 B CN 112231198B CN 201910636199 A CN201910636199 A CN 201910636199A CN 112231198 B CN112231198 B CN 112231198B
Authority
CN
China
Prior art keywords
debugging
debugger
kernel
user
user state
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910636199.XA
Other languages
Chinese (zh)
Other versions
CN112231198A (en
Inventor
周凌林
邹泉
甘雄
唐志兵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN201910636199.XA priority Critical patent/CN112231198B/en
Publication of CN112231198A publication Critical patent/CN112231198A/en
Application granted granted Critical
Publication of CN112231198B publication Critical patent/CN112231198B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Prevention of errors by analysis, debugging or testing of software
    • G06F11/362Debugging of software
    • G06F11/3624Debugging of software by performing operations on the source code, e.g. via a compiler
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Prevention of errors by analysis, debugging or testing of software
    • G06F11/362Debugging of software
    • G06F11/3636Debugging of software by tracing the execution of the program
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Prevention of errors by analysis, debugging or testing of software
    • G06F11/362Debugging of software
    • G06F11/3644Debugging of software by instrumenting at runtime
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Quality & Reliability (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a malicious process debugging method, a malicious process debugging device, electronic equipment and a medium, wherein the method comprises the following steps: responding to the received debugging instruction, sending a breakpoint setting instruction to a kernel-state debugger so as to enable the kernel-state debugger to set a breakpoint pointing to a target position, wherein the target position is a position for obtaining debugging authentication information in the process that the user-state debugger executes a debugging task for debugging a malicious process; sending an execution instruction to the user state debugger to trigger the user state debugger to execute the debugging task; responding to the received breakpoint trigger message, sending a modification instruction to the kernel-mode debugger so as to enable the kernel-mode debugger to modify the debugging authentication information and feed back a modification result; and sending a continuous execution instruction to the user state debugger according to the modification result so as to enable the user state debugger to continuously execute the debugging task. The efficiency and the accuracy of debugging analysis aiming at malicious processes can be improved.

Description

Malicious process debugging method and device, electronic equipment and medium
Technical Field
The present invention relates to the field of internet communications technologies, and in particular, to a malicious process debugging method, a malicious process debugging device, an electronic device, and a medium.
Background
A malicious process designer inserts into a computer program, either corrupt computer functionality or corrupt data, a set of computer instructions or program code that affects computer usage and is capable of self-replication. Malicious processes have a great hazard to information security.
A malicious process analyst needs to perform behavioral profile analysis on a malicious process (virus). Many malicious processes are shelled to prevent static analysis or to increase the cost of static analysis by analysts. Analysts typically choose to dynamically debug malicious processes to analyze their behavior characteristics, however many malicious processes also do many anti-debug measures against dynamic debugging, which can be set against the kernel. When an analyst directly modifies some global data structures of the operating system or hives some APIs (Application Programming Interface, application programming interfaces) of the operating system to debug malicious processes, stability of the system is affected, and difficulty is also brought to analysis. Thus, there is a need to provide a more efficient debugging scheme for malicious processes.
Disclosure of Invention
In order to solve the problems of poor debugging effect, low analysis accuracy and the like when the prior art is applied to debugging a malicious process, the invention provides a malicious process debugging method, a malicious process debugging device, electronic equipment and a malicious process medium, wherein the malicious process debugging method comprises the steps of:
in one aspect, the present invention provides a malicious process debugging method, where the method includes:
responding to the received debugging instruction, sending a breakpoint setting instruction to a kernel-state debugger so as to enable the kernel-state debugger to set a breakpoint pointing to a target position, wherein the target position is a position for obtaining debugging authentication information in the process that the user-state debugger executes a debugging task for debugging a malicious process;
sending an execution instruction to the user state debugger to trigger the user state debugger to execute the debugging task;
responding to the received breakpoint trigger message, sending a modification instruction to the kernel-mode debugger so as to enable the kernel-mode debugger to modify the debugging authentication information and feed back a modification result;
according to the modification result, sending a continuous execution instruction to the user state debugger so that the user state debugger can continuously execute the debugging task;
the user state debugger is used for debugging a process running in a user state, and the kernel state debugger is used for debugging a process running in a kernel state.
Another aspect provides a malicious process debugging apparatus, the apparatus comprising:
breakpoint setting module: the method comprises the steps of responding to a received debugging instruction, sending a breakpoint setting instruction to a kernel-state debugger, so that the kernel-state debugger sets a breakpoint pointing to a target position, wherein the target position is a position for obtaining debugging authentication information in the process that the user-state debugger executes a debugging task for debugging a malicious process;
and the debugging execution module: the user state debugger is used for sending an execution instruction to the user state debugger so as to trigger the user state debugger to execute the debugging task;
and the permission modification module is used for: the method comprises the steps that a modification instruction is sent to the kernel-mode debugger in response to a received breakpoint trigger message, so that the kernel-mode debugger modifies the debugging authentication information, and a modification result is fed back;
and (5) continuing to execute a module: the user state debugger is used for sending a continuous execution instruction to the user state debugger according to the modification result so as to enable the user state debugger to continuously execute the debugging task;
the user state debugger is used for debugging a process running in a user state, and the kernel state debugger is used for debugging a process running in a kernel state.
Another aspect provides an electronic device comprising a processor and a memory having stored therein at least one instruction, at least one program, a set of codes, or a set of instructions loaded and executed by the processor to implement a malicious process debugging method as described above.
Another aspect provides a computer readable storage medium having stored therein at least one instruction, at least one program, code set, or instruction set loaded and executed by a processor to implement a malicious process debugging method as described above.
The malicious process debugging method, the malicious process debugging device, the electronic equipment and the medium provided by the invention have the following technical effects:
according to the invention, the kernel-mode debugger is used for setting the breakpoint aiming at the user-mode debugger, and the corresponding debugging authentication information is modified for the user-mode debugger, so that the user-mode debugger can perform user-mode debugging aiming at a malicious process. Therefore, the anti-debugging measures for the kernel attached to the malicious process can be effectively bypassed, the stability of the system is ensured, and meanwhile, the efficiency and the accuracy of debugging analysis for the malicious process are improved.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions and advantages of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are only some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an application environment provided by an embodiment of the present invention;
FIG. 2 is a schematic flow chart of a malicious process debugging method according to an embodiment of the present invention;
FIG. 3 is a schematic flow chart of a malicious process debugging method according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a UI that the user-mode debugger provided by the embodiment of the present invention is denied when the malicious process is opened;
FIG. 5 is a schematic flow chart of a malicious process debugging method according to an embodiment of the present invention;
FIG. 6 is a schematic flow chart of a user state debugger executing the process add-on function and related internal call function according to an embodiment of the present invention;
FIG. 7 is a schematic flow chart of a malicious process debugging method according to an embodiment of the present invention;
FIG. 8 is a block diagram of a malicious process debugging device according to an embodiment of the present invention;
fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It is noted that the terms "comprises" and "comprising," and any variations thereof, in the description and claims of the present invention and in the foregoing figures, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or server comprising a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus.
Referring to fig. 1, fig. 1 is a schematic diagram of an application environment provided by an embodiment of the present invention, as shown in fig. 1, in the application environment, a breakpoint for the user state debugger is set by using the kernel state debugger, and a right obtained at a target location (corresponding to the breakpoint) is modified for the user state debugger, so that the user state debugger can perform user state debugging for a malicious process. It should be noted that fig. 1 is only an example.
Fig. 2 and 3 are schematic flow diagrams of a malicious process debugging method according to an embodiment of the present invention, where the method operation steps described in the examples or the flow diagrams are provided in the present specification, but more or fewer operation steps may be included based on conventional or non-creative labor. The order of steps recited in the embodiments is merely one way of performing the order of steps and does not represent a unique order of execution. When implemented in a real system or server product, the methods illustrated in the embodiments or figures may be performed sequentially or in parallel (e.g., in a parallel processor or multithreaded environment). As shown in fig. 2, the method may include:
s201: responding to the received debugging instruction, sending a breakpoint setting instruction to a kernel-state debugger so as to enable the kernel-state debugger to set a breakpoint pointing to a target position, wherein the target position is a position for obtaining debugging authentication information in the process that the user-state debugger executes a debugging task for debugging a malicious process;
as shown in fig. 3, the malicious process debugging method provided by the embodiment of the invention can be applied to a debugging platform, wherein the debugging platform comprises a user-mode debugger and a kernel-mode debugger. The user state debugger is used for debugging the process running in the user state, and the kernel state debugger is used for debugging the process running in the kernel state.
In the embodiment of the invention, the kernel mode and the user mode are two operation levels of an operating system, a device driver related to the operating system operates in the kernel mode, and a user application program operates in the user mode. The program corresponding to the user mode runs on the non-privileged processor mode, and other protected subsystem codes also run on the mode. The program corresponding to the user mode cannot obtain the access right of the system data unless the corresponding application programming interface or the system service is called. The kernel mode corresponding program is executed as a component of the operating system to support the operating system underlying components of one or more protected subsystems. The user state debugger can be used for debugging programs and processes running in the user state. The kernel-mode debugger can track and debug programs and processes running in the kernel mode. Further, the user mode debugger debugs the user mode portion of the malicious process. The kernel-mode debugger helps the user-mode debugger bypass the anti-debugging measures for the kernel attached to the malicious process through the steps of downloading the breakpoint, modifying the authority and the like which are recorded later, and ensures that the user-mode debugger can effectively perform user-mode debugging for the malicious process.
The operating system may be Microsoft Windows operating system (microsoft windows operating system), mac OS (apple operating system), linux (an operating system), iOS (apple mobile operating system), android (Android), etc.
The kernel-mode debugger sets a breakpoint pointing to a target position, wherein the target position is a position where debugging authentication information is obtained in the process that the user-mode debugger executes a debugging task for debugging a malicious process. The debug task may include at least one call function, and the user mode debugger executes the debug task to implement attach, debug, and analyze the malicious process. Of course, the debug task may correspond to a finer granularity of partitioning, such as the debug task implementing at least one calling function for the user-mode debugger that appends the malicious process. The kernel-mode debugger sets a breakpoint pointing to a target position for the user-mode debugger, wherein the target position is a return position of a result of the user-mode debugger executing a calling function for obtaining the debugging authentication information, so that in the process of executing a debugging task by the user-mode debugger, interruption occurs when the user-mode debugger executes the result to the return position of the result corresponding to the calling function, and further the kernel-mode debugger can be provided with a successful opportunity for assisting the user-mode debugger in attaching a malicious process.
In practical applications, the target location is a location where the user-state debugger executes a result returned by the calling function for obtaining the debug authentication information, where the result returned by the calling function is a location where the execution of the process idtotandle () function (process open function) is completed, which may be further a location where the execution of the process open function is completed by the internal calling function NtOpenProcess () function (a function for opening a process specified by a handle) (see step S603 in fig. 6 and 7).
In another specific embodiment, the user-mode debugger and the kernel-mode debugger can be triggered and started by a set target program, or can be triggered and started by a user through an interactive interface provided by the debugging platform (for example, the user can trigger through a corresponding button, can trigger by sound (a microphone collects sound and triggers by extracting voice with a specific meaning), and can trigger an image (a camera collects image data and triggers by extracting expression and gesture with a specific meaning)).
S202: sending an execution instruction to the user state debugger to trigger the user state debugger to execute the debugging task;
in the embodiment of the invention, after the preparation work such as starting the debugger and setting the breakpoint is performed based on the above description, the user state debugger executes the debug task. The malicious process may be a virus with only anti-debugging measures for the kernel, may be a virus with both anti-debugging measures for the kernel and the application layer, may be a virus with only anti-debugging measures for the application layer, or may be a virus without anti-debugging measures.
In a specific embodiment, the user state debugger may call a DebugActiveProcess () function (process attach function) to debug the malicious process based on the incoming identification (PID) corresponding to the malicious process. Further, according to the internal call information of the DebugActiveProcess () function, the DebugActiveProcess () function calls a processidtotandle () function (process open function) to open the malicious process. The call to the process open function may be based on an identification (PID) corresponding to the malicious process.
Then, the call function (NtOpenProcess () function) is executed according to the internal call information of the process open function. Specifically, the input parameters of the calling function can be obtained, wherein the input parameters comprise request information of legal debugging permission of the user state debugger; and executing the calling function based on the incoming parameters. Of course, the request information that the user mode debugger has legal debugging rights can be characterized by a parameter Desiredaccess (required access rights).
In another specific embodiment, the user state debugger may call a debug active process () function to debug the malicious process based on an identification (PID) corresponding to the incoming malicious process. Further, according to the internal call information of the debugactiglovprocess () function, a debug object for the malicious process may be created before the call of the processidtothandle () function (refer to the above for the call of the process open function, which is not repeated here), the call of the dbgguiconnecttodbg () (object creation function), and the debug object may be stored in the current thread of the user state debugger.
In particular, according to the internal call information of the object creation function, a ZwCreateDebugObject () function (an internal call function of the object creation function) is executed to create a debug object, and a debug object handle is stored in a field DbgSsReserve (an array) of the current thread TEB structure of the user state debugger, and the debug object can be stored in a DebugPort (debug port) field of the malicious process.
S203: responding to the received breakpoint trigger message, sending a modification instruction to the kernel-mode debugger so as to enable the kernel-mode debugger to modify the debugging authentication information and feed back a modification result;
in the embodiment of the invention, the kernel-mode debugger sets the breakpoint pointing to the target position for the user-mode debugger, and the target position is the return position of the result of the user-mode debugger executing the calling function for obtaining the debugging authentication information. According to the reverse assembly code, when the malicious process is a virus attached with anti-debugging measures for a kernel, an operating system can set the debugging authentication information corresponding to the kernel-mode debugger as illegal debugging permission, even if the user-mode debugger calls the calling function with the input parameters corresponding to legal debugging permission (the virus can be regarded as that the virus filters in the kernel and modifies the input Desiredaccess, so that the user-mode debugger is provided with illegal debugging permission based on the debugging authentication information returned by the calling function through an OS). When the debugging authentication information points to that the user state debugger has illegal debugging authority, the user state debugger cannot be successfully attached to the malicious process, and further the user state debugger cannot debug and analyze the malicious process. Thus, the kernel mode debugger is required to modify the debug authentication information so that the debug authentication information points to the user mode debugger as having legal debug rights, so that the user mode debugger can continue to execute the debug task.
Modifying the debug authentication information using a kernel mode debugger may break the self-protection of viruses with anti-debug measures against the kernel. The method can also reduce the side effect possibly caused to the system to the minimum, and only the debugging authentication information returned by the calling function through the OS is modified by the kernel-mode debugger, so that the probability of influencing the stability of the system is reduced, and the problems of blue screen triggering and the like can be avoided. Furthermore, modifying the debugging authentication information can reduce interference to subsequent analysis of malicious codes and ensure analysis accuracy.
As shown in fig. 5, in a specific embodiment, the debug authentication information includes a target handle pointing to the user mode debugger having illegal debug rights, and the kernel mode debugger modifies the debug authentication information, including:
s501: searching a corresponding handle table according to the target handle;
for example, when the malicious process is a virus with anti-debugging measures for a kernel, the user state debugger calls the call function with an incoming parameter corresponding to legal debugging authority, and at this time, the GrantedAccessBits (granted access flag bits) of the target handle requested by the Desiredaccess are 0x1FFFFF (corresponding to the legal debugging authority of the user state debugger). However, the debug authentication information includes a target handle to the user-mode debugger that has illegal debug rights, the GrantedAccessBits bit of the target handle being 0x0C3A (corresponding to the user-mode debugger illegal debug rights).
The target handle may correspond to an index, and a corresponding handle table may be looked up according to the target handle. The GrantedAccesBits bit may indicate that the target handle is an entry in the handle table that indicates that the user-mode debugger has illegal/legal debug rights.
Wherein, the rights corresponding to the GrantedAccesBits bit of the target handle can be obtained by querying MSDN (Microsoft Developer Network, a database document of Microsoft). For example, query 0x0C3A knows that the value is:
process_query_information |process_speed_result|process_vm_read PROCESS VM WRITE PROCESS VM OPERATION PROCESS CREATE READ, indicating that the user-mode debugger fails to open when the malicious PROCESS is opened because of rejection of anti-debugging measures for the kernel attached to the malicious PROCESS. As shown in fig. 4, a dialog box is presented to prompt the malicious process to deny access to the user debugger.
S502: and modifying an entry pointing to the user state debugger with illegal debugging permission in the handle table.
In connection with step S501, the kernel-mode debugger modifies the illegal debug permission corresponding to the handle to legal debug permission, that is, modifies 0x0C3A in the entry corresponding to the GrantedAccessBits in the handle table to 0x1FFFFF.
Specifically, the kernel mode debugger debugs the user mode debugger, and the kernel mode debugger sets a breakpoint for the user mode debugger. During execution, the CPU (Central Processing Unit ) finds the current instruction as 0xcc (this is known as a breakpoint), and then looks up the idt table (Interrupt Descriptor Table ). In the initialization stage of the OS (operating system), an address of a processing function (which may correspond to a return position of a result of a calling function) is placed in the idt table, and when the CPU executes the function, the OS takes over the interrupt exception, so that the OS may determine a process that currently triggers the interrupt exception. Then, if the current process triggering the interrupt exception is in a debugged state, notifying the interrupt exception to a debugger, and at the moment, the user state debugger is debugged by the kernel state debugger, the kernel state debugger is notified of the interrupt exception, and then the debugging authentication information is modified.
In another specific embodiment, as shown in fig. 6 and 7, the user mode debugger may call a DebugActiveProcess () function to debug the malicious process based on an identification (PID) corresponding to the malicious process. According to the internal call information of the debugactigrating () function, the dbgconnecttodbg () function, the processidtodandle () function and the dbgcuidebugactigrating () function (the debug function can perform some internal logic initialization processing) can be called successively, and finally the NtClose () function (a function for closing any object type) is called to close the handle, and the function returns. Reference may be made to the description of the process attach function, the object creation function, and the process open function in step S203, which are not described here.
As shown in fig. 6 and 7, in general, the process of executing the process additional function and the related internal calling function by the user-mode debugger will be executed along the sequence of steps S601-S605, however, when the user-mode debugger does not receive the debug authentication information returned by the calling function at the result return position, that is, the step after step S603 is changed from S604 to S607 (return failure), in order to ensure that the debug authentication information is obtained (even if the step includes a step-down handle), the user-mode debugger may be used to adjust the incoming parameters of the user-mode debugger for executing the calling function, so as to prevent the return failure. The incoming parameters to be modified here include, but are not limited to, desiretacaress.
On the Win10 system, for kernel objects such as processes, threads, etc., the operating system provides a mechanism called object callback, so that when the kernel objects such as processes, threads, etc. are opened, these callback functions will be called, and the anti-debugging measures of many viruses include the content of registering the appropriate callback functions therein. As shown in fig. 6, the callback function included in the anti-debug measure of the virus is the basesetlastntirror () function in step S606, and the NtClose () function and basesetlastntirror () function in step S608.
S204: and sending a continuous execution instruction to the user state debugger according to the modification result so as to enable the user state debugger to continuously execute the debugging task.
In a specific embodiment, the user mode debugger may invoke a process attach function to debug the malicious process based on an identification (PID) corresponding to the incoming malicious process. According to the internal calling information of the process additional function, before the process opening function is called, an object creating function is called to create a debugging object aiming at the malicious process, and the debugging object is stored in the current thread of the user state debugger. The user state debugger continues to execute the debugging task, including: and debugging the malicious process based on the debugging object.
Further, the malicious process may be attached with anti-debugging measures for an application layer, and the user state debugger performs user state debugging on the malicious process in the following manner:
1) When the anti-debugging measures for the application layer attached to the malicious process are as follows: invoking an IsDebuggerPresent () function (a function used to determine whether the invoking process was debugged by the user state debugger) to detect the value of PEB.Beingdebugged;
correspondingly, the user state debugger has the following debugging modes: manually modifying the value, bypassing the detection;
2) When the anti-debugging measures for the application layer attached to the malicious process are as follows: invoking an unlearned API or an inline assembly to obtain the value of PEB.NtGlobal flag;
correspondingly, the user state debugger has the following debugging modes: manually modifying the value to be a normal value, and bypassing detection;
3) When the anti-debugging measures for the application layer attached to the malicious process are as follows: invoking an unlearned API or an inline assembly to obtain values of PEB.ProcessHeap.flags (a flag bit) and ForceFlags (a flag bit);
correspondingly, the user state debugger has the following debugging modes: manually modifying the value to be a normal value, and bypassing detection;
4) When the anti-debugging measures for the application layer attached to the malicious process are as follows: the process chain detection is that the process of the malicious software is explorer.exe (file resource manager) under normal conditions, and if the process chain detection is not (explorer.exe), the process chain detection indicates that the debugging is performed;
correspondingly, the user state debugger has the following debugging modes: the API of the hook detection point is manually modified to return value or set as nop instruction (null instruction);
5) When the anti-debugging measures for the application layer attached to the malicious process are as follows: detecting whether SeDebugPrivilege rights (a right of any running application program used for acquiring a process handle) exist in a token of the token;
correspondingly, the user state debugger has the following debugging modes: the hook acquires the API of the token or sets the detected logic code as a nop instruction;
6) When the anti-debugging measures for the application layer attached to the malicious process are as follows: detecting a time interval from the triggering of the anomaly to the receipt of the anomaly by deliberately triggering the anomaly;
correspondingly, the user state debugger has the following debugging modes: setting the detected logic code as a nop instruction;
7) When the anti-debugging measures for the application layer attached to the malicious process are as follows: window enumeration, judging whether a debugger window exists or not or scanning a process to judge whether a debugger process exists or not;
correspondingly, the user state debugger has the following debugging modes: a hook detection point or a return value of a modified detection function;
8) When the anti-debugging measures for the application layer attached to the malicious process are as follows: traversing the "DebugObject" kernel object;
correspondingly, the user state debugger has the following debugging modes: changing the "DebugObject" string to 0 or detecting the return value of the modification function;
9) When the anti-debugging measures for the application layer attached to the malicious process are as follows: detection of virtual machine environments such as port scan, certain special items of the registry;
correspondingly, the user state debugger has the following debugging modes: the logic of the detection is modified so that the detection is bypassed.
By combining the debugging modes, the malicious process with anti-debugging measures aiming at the application layer can be debugged in a user mode in the form of plug-in units and the like.
As can be seen from the technical solutions provided in the embodiments of the present disclosure, the kernel-mode debugger is used to set a breakpoint for the user-mode debugger, and modify the corresponding debug authentication information for the user-mode debugger, so as to ensure that the user-mode debugger can perform user-mode debugging for a malicious process. Therefore, the anti-debugging measures for the kernel attached to the malicious process can be effectively bypassed, the anti-debugging measures are not easy to be found by the malicious process, and the efficiency and the accuracy of debugging analysis for the malicious process are improved while the stability of the system is ensured.
The embodiment of the invention also provides a malicious process debugging device, as shown in fig. 8, which comprises:
breakpoint setting module 810: the method comprises the steps of responding to a received debugging instruction, sending a breakpoint setting instruction to a kernel-state debugger, so that the kernel-state debugger sets a breakpoint pointing to a target position, wherein the target position is a position for obtaining debugging authentication information in the process that the user-state debugger executes a debugging task for debugging a malicious process;
debug execution module 820: the user state debugger is used for sending an execution instruction to the user state debugger so as to trigger the user state debugger to execute the debugging task;
rights modification module 830: the method comprises the steps that a modification instruction is sent to the kernel-mode debugger in response to a received breakpoint trigger message, so that the kernel-mode debugger modifies the debugging authentication information, and a modification result is fed back;
continuing with the execution module 840: the user state debugger is used for sending a continuous execution instruction to the user state debugger according to the modification result so as to enable the user state debugger to continuously execute the debugging task;
the user state debugger is used for debugging a process running in a user state, and the kernel state debugger is used for debugging a process running in a kernel state.
In a specific embodiment, the debug authentication information includes a target handle pointing to the user mode debugger having illegal debug rights, and the kernel mode debugger modifies the debug authentication information, including:
searching a corresponding handle table according to the target handle;
modifying an entry in the handle table pointing to the user mode debugger with illegal debugging permission
It should be noted that the apparatus and method embodiments in the apparatus embodiments are based on the same inventive concept.
The embodiment of the invention also provides a debugging platform which comprises a user state debugger, a kernel state debugger and the malicious process debugging device provided by the embodiment of the device.
The embodiment of the invention provides electronic equipment, which comprises a processor and a memory, wherein at least one instruction, at least one section of program, a code set or an instruction set is stored in the memory, and the at least one instruction, the at least one section of program, the code set or the instruction set is loaded and executed by the processor to realize the malicious process debugging method provided by the embodiment of the method.
Further, fig. 9 shows a schematic hardware structure of an electronic device for implementing the method provided by the embodiment of the present invention, where the device may participate in forming or including the apparatus provided by the embodiment of the present invention. As shown in fig. 9, the apparatus 90 may include one or more processors 902 (shown in the figures as 902a, 902b, … …,902 n) (the processor 902 may include, but is not limited to, a microprocessor MCU or a processing device such as a programmable logic device FPGA), a memory 904 for storing data, and a transmission device 906 for communication functions. In addition, the method may further include: a display, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be included as one of the ports of the I/O interface), a network interface, a power supply, and/or a camera. It will be appreciated by those skilled in the art that the configuration shown in fig. 9 is merely illustrative and is not intended to limit the configuration of the electronic device. For example, the electronic device 90 may also include more or fewer components than shown in FIG. 9, or have a different configuration than shown in FIG. 9.
It should be noted that the one or more processors 902 and/or other data processing circuitry described above may be referred to herein generally as "data processing circuitry. The data processing circuit may be embodied in whole or in part in software, hardware, firmware, or any other combination. Further, the data processing circuitry may be a single stand-alone processing module, or incorporated, in whole or in part, into any of the other elements in the electronic device 90 (or mobile device). As referred to in the embodiments of the present application, the data processing circuit acts as a processor control (e.g., selection of the path of the variable resistor termination to interface).
The memory 904 may be used to store software programs and modules of application software, such as program instructions/data storage devices corresponding to the methods described in the embodiments of the present invention, and the processor 902 executes the software programs and modules stored in the memory 94 to perform various functional applications and data processing, i.e., implement a malicious process debugging method as described above. The memory 904 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 904 may further include memory remotely located relative to the processor 902, which may be connected to the electronic device 90 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission means 906 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communications provider of the electronic device 90. In one example, the transmission means 906 includes a network adapter (NetworkInterfaceController, NIC) that can be connected to other network devices through a base station to communicate with the internet. In one example, the transmission device 906 may be a radio frequency (RadioFrequency, RF) module for communicating wirelessly with the internet.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the electronic device 90 (or mobile device).
Embodiments of the present invention further provide a storage medium that may be disposed in an electronic device to store at least one instruction, at least one program, a code set, or an instruction set related to implementing a malicious process debugging method in a method embodiment, where the at least one instruction, the at least one program, the code set, or the instruction set is loaded and executed by the processor to implement the malicious process debugging method provided in the method embodiment.
Alternatively, in this embodiment, the storage medium may be located in at least one network server among a plurality of network servers of the computer network. Alternatively, in the present embodiment, the storage medium may include, but is not limited to: a U-disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a removable hard disk, a magnetic disk, or an optical disk, or other various media capable of storing program codes.
It should be noted that: the sequence of the embodiments of the present invention is only for description, and does not represent the advantages and disadvantages of the embodiments. And the foregoing description has been directed to specific embodiments of this specification. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for the apparatus and electronic device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and references to the parts of the description of the method embodiments are only required.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program for instructing relevant hardware, where the program may be stored in a computer readable storage medium, and the storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The foregoing description of the preferred embodiments of the invention is not intended to limit the invention to the precise form disclosed, and any such modifications, equivalents, and alternatives falling within the spirit and scope of the invention are intended to be included within the scope of the invention.

Claims (10)

1. A method for debugging a malicious process, the method comprising:
responding to the received debugging instruction, sending a breakpoint setting instruction to a kernel-state debugger so as to enable the kernel-state debugger to set a breakpoint pointing to a target position, wherein the target position is a position for obtaining debugging authentication information in the process that the user-state debugger executes a debugging task for debugging a malicious process;
sending an execution instruction to the user state debugger to trigger the user state debugger to execute the debugging task;
responding to the received breakpoint trigger message, sending a modification instruction to the kernel-mode debugger so as to enable the kernel-mode debugger to modify the debugging authentication information and feed back a modification result;
according to the modification result, sending a continuous execution instruction to the user state debugger so that the user state debugger can continuously execute the debugging task;
the user state debugger is used for debugging a process running in a user state, and the kernel state debugger is used for debugging a process running in a kernel state.
2. The method of claim 1, wherein the debug authentication information includes a target handle to the user-mode debugger having illegal debug rights, the kernel-mode debugger modifying the debug authentication information comprising:
searching a corresponding handle table according to the target handle;
and modifying an entry pointing to the user state debugger with illegal debugging permission in the handle table.
3. The method of claim 1, wherein the target location is a result return location of the user-mode debugger executing a call function for obtaining the debug authentication information, the kernel-mode debugger modifying the debug authentication information, further comprising:
and when the user state debugger does not receive the debugging authentication information returned by the calling function at the result return position, adjusting the input parameters of the user state debugger for executing the calling function.
4. The method of claim 1, wherein the target location is a result return location of the user state debugger executing a calling function for obtaining the debug authentication information;
the user state debugger executes the debugging task, including:
calling a process opening function based on the identification corresponding to the malicious process to open the malicious process;
the calling process opens a function to open the malicious process, comprising:
executing the calling function according to the internal calling information of the process opening function.
5. The method of claim 4, wherein the executing the calling function according to the internal calling information of the process open function comprises:
acquiring the input parameters of the calling function, wherein the input parameters comprise request information of legal debugging permission of the user state debugger;
and executing the calling function based on the incoming parameters.
6. The method according to claim 4, wherein:
the calling process opens a function to open the malicious process, previously including:
calling an object creation function to create a debugging object aiming at the malicious process, and storing the debugging object in a current thread of the user state debugger;
the user state debugger continues to execute the debugging task, including:
and debugging the malicious process based on the debugging object.
7. A malicious process debugging apparatus, the apparatus comprising:
breakpoint setting module: the method comprises the steps of responding to a received debugging instruction, sending a breakpoint setting instruction to a kernel-state debugger, so that the kernel-state debugger sets a breakpoint pointing to a target position, wherein the target position is a position for obtaining debugging authentication information in the process that the user-state debugger executes a debugging task for debugging a malicious process;
and the debugging execution module: the user state debugger is used for sending an execution instruction to the user state debugger so as to trigger the user state debugger to execute the debugging task;
and the permission modification module is used for: the method comprises the steps that a modification instruction is sent to the kernel-mode debugger in response to a received breakpoint trigger message, so that the kernel-mode debugger modifies the debugging authentication information, and a modification result is fed back;
and (5) continuing to execute a module: the user state debugger is used for sending a continuous execution instruction to the user state debugger according to the modification result so as to enable the user state debugger to continuously execute the debugging task;
the user state debugger is used for debugging a process running in a user state, and the kernel state debugger is used for debugging a process running in a kernel state.
8. The apparatus of claim 7, wherein the debug authentication information includes a target handle to the user-mode debugger having illegal debug rights, the kernel-mode debugger modifying the debug authentication information comprising:
searching a corresponding handle table according to the target handle;
and modifying an entry pointing to the user state debugger with illegal debugging permission in the handle table.
9. An electronic device comprising a processor and a memory, wherein the memory stores at least one instruction, at least one program, a set of codes, or a set of instructions, the at least one instruction, the at least one program, the set of codes, or the set of instructions being loaded and executed by the processor to implement the malicious process debugging method of any of claims 1-6.
10. A computer readable storage medium having stored therein at least one instruction, at least one program, code set, or instruction set, the at least one instruction, the at least one program, the code set, or instruction set being loaded and executed by a processor to implement the malicious process debugging method of any of claims 1-6.
CN201910636199.XA 2019-07-15 2019-07-15 Malicious process debugging method and device, electronic equipment and medium Active CN112231198B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910636199.XA CN112231198B (en) 2019-07-15 2019-07-15 Malicious process debugging method and device, electronic equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910636199.XA CN112231198B (en) 2019-07-15 2019-07-15 Malicious process debugging method and device, electronic equipment and medium

Publications (2)

Publication Number Publication Date
CN112231198A CN112231198A (en) 2021-01-15
CN112231198B true CN112231198B (en) 2024-04-12

Family

ID=74111481

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910636199.XA Active CN112231198B (en) 2019-07-15 2019-07-15 Malicious process debugging method and device, electronic equipment and medium

Country Status (1)

Country Link
CN (1) CN112231198B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111639312B (en) * 2020-06-02 2023-04-14 腾讯科技(成都)有限公司 Anti-debugging method, anti-debugging device, storage medium and electronic device
CN114035855B (en) * 2021-09-30 2023-10-27 鸣芯信息科技(上海)有限公司 Firmware debugging method, device, terminal and storage medium
CN115617496B (en) * 2022-12-06 2023-04-07 摩尔线程智能科技(北京)有限责任公司 Method, device, electronic equipment and medium for communication between user mode and kernel mode
CN120337209A (en) * 2025-03-28 2025-07-18 北京智游网安科技有限公司 Anti-reverse debugging method and device for iOS system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101373501A (en) * 2008-05-12 2009-02-25 公安部第三研究所 Dynamic Behavior Capturing Method for Computer Viruses
CN101650688A (en) * 2009-08-31 2010-02-17 中兴通讯股份有限公司 Method for accessing VM_IO address space and user mode debugger
CN102346708A (en) * 2010-08-03 2012-02-08 中兴通讯股份有限公司 Debugger and debugging method thereof
CN107590388A (en) * 2017-09-12 2018-01-16 南方电网科学研究院有限责任公司 Malicious code detection method and device
CN109471800A (en) * 2018-10-31 2019-03-15 中国航天系统科学与工程研究院 A kind of unlimited breakpoint setting method of software based on Windows operating system
CN109726115A (en) * 2018-11-06 2019-05-07 北京大学 An automatic bypass method of anti-debugging based on Intel processor trace

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8677321B2 (en) * 2011-06-13 2014-03-18 Red Hat, Inc. User-space probe based debugging

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101373501A (en) * 2008-05-12 2009-02-25 公安部第三研究所 Dynamic Behavior Capturing Method for Computer Viruses
CN101650688A (en) * 2009-08-31 2010-02-17 中兴通讯股份有限公司 Method for accessing VM_IO address space and user mode debugger
CN102346708A (en) * 2010-08-03 2012-02-08 中兴通讯股份有限公司 Debugger and debugging method thereof
CN107590388A (en) * 2017-09-12 2018-01-16 南方电网科学研究院有限责任公司 Malicious code detection method and device
CN109471800A (en) * 2018-10-31 2019-03-15 中国航天系统科学与工程研究院 A kind of unlimited breakpoint setting method of software based on Windows operating system
CN109726115A (en) * 2018-11-06 2019-05-07 北京大学 An automatic bypass method of anti-debugging based on Intel processor trace

Also Published As

Publication number Publication date
CN112231198A (en) 2021-01-15

Similar Documents

Publication Publication Date Title
US10949247B2 (en) Systems and methods for auditing a virtual machine
US11687645B2 (en) Security control method and computer system
EP3123311B1 (en) Malicious code protection for computer systems based on process modification
US10984096B2 (en) Systems, methods, and apparatus for detecting control flow attacks
US10460099B2 (en) System and method of detecting malicious code in files
US10402563B2 (en) Automated classification of exploits based on runtime environmental features
EP3039608B1 (en) Hardware and software execution profiling
CN112231198B (en) Malicious process debugging method and device, electronic equipment and medium
CN107690645B (en) Behavioral malware detection using interpreter virtual machines
Lopez et al. A survey on function and system call hooking approaches
US11163645B2 (en) Apparatus and method of control flow integrity enforcement utilizing boundary checking
US10013553B2 (en) Protecting software application
US8429648B2 (en) Method and apparatus to service a software generated trap received by a virtual machine monitor
US20190102279A1 (en) Generating an instrumented software package and executing an instance thereof
Filho et al. Evasion and countermeasures techniques to detect dynamic binary instrumentation frameworks
US10339305B2 (en) Sub-execution environment controller
CN107368738B (en) Anti-Root method and device for smart device
US8510719B2 (en) Real-time user configurable debugging framework
CN105809027B (en) Permission control method and device for application program
US10460108B1 (en) Method and system to identify and rectify input dependency based evasion in dynamic analysis
Shamshirsaz et al. An Improved Process Supervision and Control Method for Malware Detection.
Johnson et al. Why software dos is hard to fix: Denying access in embedded android platforms
KR20210006882A (en) Debugger blocking method and system for program protection
Zaheri et al. Preventing reflective DLL injection on UWP apps
Fattori Hardware-Assisted Virtualization and its Applications to Systems Security

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant