CN110059477B - Attack detection method and device - Google Patents

Attack detection method and device

Info

Publication number
CN110059477B
Authority
CN
China
Prior art keywords
memory
target process
function
address
preset
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910194625.9A
Other languages
Chinese (zh)
Other versions
CN110059477A (en)
Inventor
黄勇
王光辉
李超君
钟鑫
陆晓敏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu Asiainfo Network Security Industrial Technology Research Institute Co ltd
Original Assignee
Chengdu Asiainfo Network Security Industrial Technology Research Institute Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chengdu Asiainfo Network Security Industrial Technology Research Institute Co ltd
Priority to CN201910194625.9A
Publication of CN110059477A
Application granted
Publication of CN110059477B
Legal status: Active (current)
Anticipated expiration

Abstract

The embodiment of the invention provides an attack detection method and device, and relates to the field of computer security. The method and the device can accurately detect the heap injection type attack which may exist when the application program runs. The method comprises the following steps: in response to the operation of loading a Dynamic Link Library (DLL) provided by an operating system in a target process, searching an address of a memory allocation function in an application program user mode memory corresponding to the target process; after the address of the memory allocation function is searched, modifying a first instruction of the memory allocation function into a second jump instruction; the second jump instruction is used for executing a second callback function when the target process executes the memory allocation function; responding to the operation of executing the second callback function, and recording the memory occupation information of the target process; and generating a detection result according to the parameter information of the memory occupied by the target process. The invention is applied to computer attack detection.

Description

Attack detection method and device
Technical Field
The invention relates to the field of computer security, in particular to an attack detection method and device.
Background
With the development of information technology, computer networks have become the main tool by which people acquire information, and the demand for computer data security technology keeps growing. Heap spraying (Heap Spray) is a commonly used vulnerability exploitation (Exploit) technique and is often used in attack modes such as the Advanced Persistent Threat (APT) to achieve data theft.
Heap spraying is a commonly used technique in vulnerability attacks. Scripts can be embedded in many kinds of documents (doc, pdf, swf and the like) or web pages (html and the like); when the document or page is opened, the script is executed inside the corresponding application program, such as a Word, Adobe Reader or browser process. When carrying out a vulnerability attack, an attacker constructs a malicious file or html page that first executes a section of script which writes a sled instruction sequence (usually NOP instructions) followed by a Shell Code into the process's default heap memory, filling the heap as fully as possible; this is the technique also called heap spraying. The vulnerability is then triggered, the EIP register (which holds the address of the next instruction the CPU will execute) is hijacked, control lands reliably in a sled instruction in the heap, slides into the Shell Code, and the Shell Code is executed, as shown in FIG. 1.
Normally, when an application program (taking a 32-bit program as an example) has just started, only a small amount of memory in the low address space of the process default heap is in use. A malicious script can nearly fill the memory space of the whole default heap by constructing a memory block of suitable size consisting of sled instructions followed by the Shell Code and repeatedly requesting allocation of that block a suitable number of times; triggering the vulnerability to jump directly to a fixed address such as 0x06060606, 0x07070707, …, 0x0c0c0c0c then reliably lands in the sled (NOP instructions), and execution proceeds into the Shell Code that follows.
At present, a common heap-spray detection method is as follows: the script of the web page to be detected is parsed, and script variables in the page are monitored through function hooks during parsing; if the length of a script variable is found to exceed a preset length threshold, the content of that variable is disassembled; if disassembly does not succeed, parsing of the page script continues; if disassembly succeeds, the Shell Code stored in the variable is considered to match the heap-spray characteristic, and a heap-spray web page Trojan is determined to have been detected.
However, this method is essentially static detection only, and its generality is poor because it analyzes heap-injection (heap-spray) attacks solely by extracting scripts from web pages.
Disclosure of Invention
Embodiments of the present invention provide an attack detection method and apparatus, which can accurately detect a heap injection type attack that may exist when an application program runs.
In a first aspect, an embodiment of the present invention provides an attack detection method, including: in response to the operation of loading a Dynamic Link Library (DLL) provided by an operating system in a target process, searching an address of a memory allocation function in an application program user mode memory corresponding to the target process; after the address of the memory allocation function is searched, modifying a first instruction of the memory allocation function into a second jump instruction; the second jump instruction is used for executing a second callback function when the target process executes the memory allocation function; responding to the operation of executing the second callback function, and recording the memory occupation information of the target process; and generating a detection result according to the parameter information of the memory occupied by the target process.
In a second aspect, an embodiment of the present invention provides an attack detection apparatus, including: the searching unit is used for responding to the operation of loading the dynamic link library DLL provided by the operating system in the target process and searching the address of the memory allocation function in the application program user mode memory corresponding to the target process; the modifying unit is used for modifying a first instruction of the memory allocation function into a second jump instruction after the searching unit searches the address of the memory allocation function; the second jump instruction is used for executing a second callback function when the target process executes the memory allocation function; the result generating unit is used for responding to the operation of executing the second callback function after the modifying unit modifies the first instruction of the memory allocation function into the second jump instruction, and recording the memory occupation information of the target process; and generating a detection result according to the parameter information of the memory occupied by the target process.
In a third aspect, an embodiment of the present invention provides another attack detection apparatus, including: a processor, a memory, a bus, and a communication interface; the memory is used for storing computer execution instructions, the processor is connected with the memory through a bus, and when the attack detection device runs, the processor executes the computer execution instructions stored in the memory, so that the attack detection device executes the attack detection method provided by the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer storage medium, which includes instructions that, when run on an attack detection apparatus, cause the attack detection apparatus to execute the attack detection method provided in the first aspect.
According to the attack detection method and device provided by the embodiment of the invention, when the target process loads a DLL provided by the operating system, the address of the memory allocation function is searched for in the user mode memory of the application program corresponding to the target process, and the first instruction of the memory allocation function is modified into the second jump instruction. As a result, the second callback function is called automatically while the target process of the application program runs, the parameter information of the memory the target process requests is recorded, the memory usage of the target process is checked against that parameter information, a detection result is generated, and it can be determined at run time whether a heap-injection (heap-spray) type attack that abnormally occupies memory exists.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art are briefly described below.
FIG. 1 is a diagram illustrating a process default heap layout;
FIG. 2 is a schematic diagram of the module composition of an electronic device according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the module composition of a dynamic link library loading monitoring driver according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of the module composition of a custom dynamic link library according to an embodiment of the present invention;
FIG. 5 is a schematic flowchart of an attack detection method according to an embodiment of the present invention;
FIG. 6 is a schematic flowchart of another attack detection method according to an embodiment of the present invention;
FIG. 7 is a schematic flowchart of another attack detection method according to an embodiment of the present invention;
FIG. 8 is a schematic flowchart of another attack detection method according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of an attack detection apparatus according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of another attack detection apparatus according to an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of another attack detection apparatus according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the examples of the present invention and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items. The character "/" herein generally indicates that the former and latter associated objects are in an "or" relationship.
It should be understood that although the terms first, second, third, etc. may be used in embodiments of the present invention to describe various instructions, functions, threads, etc., these instructions, functions, and threads should not be limited by these terms. These terms are only used to distinguish instructions, functions, and threads from one another. For example, a first instruction may also be referred to as a second instruction, and similarly, a second instruction may also be referred to as a first instruction, without departing from the scope of embodiments of the present invention.
The word "if" as used herein may be interpreted as "at the time of …", "when …", "in response to determining" or "in response to detecting", depending on the context. Similarly, the phrases "if determined" or "if detected (a stated condition or event)" may be interpreted as "when determined", "in response to determining", "when detected (a stated condition or event)" or "in response to detecting (a stated condition or event)", depending on the context.
Technical terms related to the embodiments of the present invention are explained below:
APT: an abbreviation of Advanced Persistent Threat. In this attack form, a hacker organization or small group uses advanced attack means to carry out long-term, continuous network attacks against a specific target with the aim of stealing core data; it has been called a long-term "malicious commercial espionage threat". APT attack techniques hide themselves and steal data from a specific object in a long-term, planned and organized manner, and usually employ 0day vulnerabilities. Heap-spray attacks are also commonly used as a means of attack in advanced persistent threats.
0day vulnerability: a vulnerability which has been discovered but not disclosed, or which has been disclosed but for which the vendor has not yet released a patch; exploitation of such a vulnerability by attackers is usually very hard to detect.
DEP: an abbreviation of Data Execution Prevention (data execution protection), a set of software and hardware techniques which, with support from the CPU hardware and the operating system, checks whether the memory page on which each instruction resides has execute permission when an application program runs, and terminates program execution if it does not; this prevents malicious code (shell code) from running in a vulnerable application program.
ASLR: an acronym of Address Space Layout Randomization, a security protection technique against buffer overflows; by randomizing the layout of linear regions such as the heap, the stack and shared library mappings, it increases the difficulty for an attacker of predicting a destination address, prevents the attacker from directly using loaded code or directly locating the position of attack code, and thereby defeats overflow attacks.
ROP: an acronym of Return-Oriented Programming, a newer attack based on code reuse, in which an attacker extracts instruction fragments from an existing library or executable file to construct malicious code.
Heap Spray: also known as heap spraying, a technique often used by attackers in an Exploit: the Shell Code is repeatedly written into the memory of the process default heap until it is full, so that the Exploit can easily predict the Shell Code location and jump into it.
Shell Code: malicious code, typically written directly in assembly language.
Exploit: exploitation of a vulnerability.
Slide Code: the sled instructions placed before the Shell Code in a heap spray, usually NOP instructions; once control is transferred into the sled, attacker-controlled execution slides step by step into the Shell Code.
The following introduces an application scenario of the embodiment of the present invention:
FIG. 2 is a schematic diagram of the module composition of an electronic device according to an embodiment of the present invention. The electronic device 01 includes physical hardware, an operating system and application programs. The physical hardware comprises devices such as a mainboard, a CPU (central processing unit) and physical memory. The operating system is the computer program that manages the hardware and software resources of the electronic device; a dynamic link library loading monitoring driver runs in the operating system. This driver mainly monitors the behaviour of application programs loading dynamic link libraries, and makes the application program load a custom dynamic link library at a suitable moment, thereby achieving injection of the dynamic link library. The custom dynamic link library injected into an application program running on the operating system implements the detection of heap-spray behaviour in that application program. The electronic device 01 may be a personal computer, a server, or any of various portable electronic devices (such as a mobile phone or a tablet computer), and the present invention is not limited thereto.
Further, FIG. 3 is a schematic diagram of the module composition of the dynamic link library loading monitoring driver provided in the embodiment of the present invention. The dynamic link library loading monitoring driver comprises a dynamic link library loading hook module, a dynamic link library loading callback module and a disassembling module.
The main function of the dynamic link library loading hook module is that, after the driver is loaded, it searches the kernel for the address of the dynamic link library loading function; once the address is found, it replaces the first instruction of that function with a jump instruction that jumps directly to the dynamic link library loading callback module. The dynamic link library loading callback module is a callback function in which any custom operation can be performed; at the end it executes the original first instruction of the dynamic link library loading function and then jumps to the second instruction of that function. The disassembling module provides the function of disassembling binary code.
In addition, FIG. 4 is a schematic diagram of the module composition of the custom dynamic link library provided in the embodiment of the present invention. The custom dynamic link library comprises a memory allocation hook module, a memory allocation callback module and a disassembling module.
The main function of the memory allocation hook module is to search for the address of the memory allocation function in the application program after the dynamic link library has been injected, and once the address is found, to replace the first instruction of that function with a jump instruction that jumps directly to the memory allocation callback module. The memory allocation callback module is a callback function that can detect whether heap spraying is taking place in the application program; at the end it executes the original first instruction of the memory allocation function and then jumps to the second instruction of that function. The disassembling module provides the function of disassembling binary code.
The first embodiment is as follows:
Based on the structure of the electronic device shown in FIG. 2, or a similar structure, an embodiment of the present invention provides an attack detection method which specifically includes the following steps, as shown in FIG. 5:
S101, in response to the operation of loading a Dynamic Link Library (DLL) provided by the operating system in the target process, searching for the address of the memory allocation function in the user mode memory of the application program corresponding to the target process.
Specifically, in order to search automatically for the address of the memory allocation function in the user-mode memory of an application program when the application program runs a certain target process and that target process loads a DLL provided by the operating system, step S101 specifically includes:
S1011, modifying the first instruction of the operating system's dynamic link library loading function into a first jump instruction.
The first jump instruction is used to execute the first callback function when the target process loads a DLL provided by the operating system through the dynamic link library loading function.
When the electronic device starts, the driver automatically runs its entry function and begins searching the kernel module for the address of the dynamic link library loading function. After that address is obtained, the disassembling module can disassemble the first n bytes of the dynamic link library loading function to obtain its first instruction. Therefore, as shown in FIG. 6, S1011 may specifically include:
S10111, obtaining the address of the dynamic link library loading function.
S10112, disassembling the first n bytes of the dynamic link library loading function, and determining the first instruction of the dynamic link library loading function.
In addition, in order to ensure normal operation of the target process, the method provided by the embodiment of the invention further comprises: disassembling the first n bytes of the dynamic link library loading function, determining the binary code length of the first instruction and the address of the second instruction of the dynamic link library loading function, and recording the content of the first instruction before modification.
S10113, modifying the first instruction of the operating system's dynamic link library loading function into the first jump instruction.
Further, after jumping to and executing the first callback function, the method further includes: executing the first instruction as it was before modification, and then jumping to the address of the second instruction so that the second instruction is executed.
After the first instruction of the operating system's dynamic link library loading function has been modified into the first jump instruction in step S1011, the method further includes:
S1012, in response to the operation of executing the first callback function, loading the custom DLL.
The custom DLL is used to create a first preset thread; the first preset thread searches for the address of the memory allocation function in the user mode memory of the application program corresponding to the target process.
Specifically, once the dynamic link library loading function has been modified, the first callback function is executed first whenever the target process loads a DLL. When the target process executes the first callback function, the preset custom DLL is loaded automatically, so that the first preset thread for searching for the address of the memory allocation function is created.
In addition, since the same process may load dynamic link libraries repeatedly, in order to avoid detecting the same process more than once, step S1012 specifically includes, as shown in FIG. 7:
S10121, in response to the operation of executing the first callback function, acquiring the PID (Process Identification number) of the target process.
S10122, judging whether the PID of the target process is stored in the active process list.
The active process list is used to store the PIDs of processes that have already run.
S10123, if the PID of the target process is not stored in the active process list, loading the custom DLL.
In addition, so that it can later be determined that the process has already run, the method further includes: adding the PID of the target process to the active process list.
In addition, the dynamic link library in which the memory allocation function resides may be loaded after the custom DLL, in which case the first preset thread cannot find the memory allocation function. To solve this problem, the first preset thread is further configured to:
when the address of the memory allocation function cannot be found, wait for a preset interval and then search again for the address of the memory allocation function in the user mode memory of the application program corresponding to the target process.
S102, after the address of the memory allocation function has been found, modifying the first instruction of the memory allocation function into a second jump instruction.
The second jump instruction is used to execute a second callback function when the target process executes the memory allocation function.
Specifically, in the same way as the first instruction of the operating system's dynamic link library loading function was replaced, in this step, after the address of the memory allocation function has been found, the disassembling module may be used to disassemble its first instruction so as to determine the position of the first instruction and replace it.
In addition, in order to ensure normal operation of the target process and allow the target process to re-execute the original instruction of the memory allocation function, the method further includes: recording the binary code length of the first instruction, the address of the second instruction and the content of the first instruction, so that the first instruction as it was before modification is re-executed after the second callback function has run, and execution then jumps to the address of the second instruction.
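Steps S1011 and S102 both hook a function in the same way: save its first instruction(s), overwrite the entry with a jump to a callback, and let the callback re-execute the saved bytes before jumping to the second instruction. The following C program is an added example, not code from the patent or its assignee; it computes the hook bytes and the trampoline into plain buffers for a constructed 32-bit prologue and constructed addresses, without touching any live process. The `prologue_insn_len` helper is a hypothetical stand-in for the page's disassembling module and only recognises a few prologue forms. It generalises the page's description in one respect: a 5-byte `jmp rel32` usually displaces more than one instruction, so whole instructions are saved until the jump fits, and hooking is refused when the prologue cannot be decoded.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_LEN 5  /* size of an x86 "jmp rel32" */

typedef struct {
    uint8_t  patch[JMP_LEN];    /* bytes written over the function entry */
    uint8_t  saved[16];         /* original leading instruction bytes */
    size_t   saved_len;         /* how many bytes the jump displaces */
    uint32_t second_insn_addr;  /* func + saved_len: where execution resumes */
    uint8_t  trampoline[32];    /* saved bytes followed by jmp second_insn_addr */
    size_t   trampoline_len;
} hook_plan_t;

/* Hypothetical stand-in for the disassembling module: length of the x86
 * instruction at code[0] for a few prologue forms, or 0 when the bytes are
 * not recognised (the caller must then refuse to hook). */
static size_t prologue_insn_len(const uint8_t *code, size_t avail) {
    if (avail >= 1 && code[0] == 0x55) return 1;                               /* push ebp */
    if (avail >= 2 && code[0] == 0x8b && (code[1] == 0xff || code[1] == 0xec)) /* mov edi,edi / mov ebp,esp */
        return 2;
    if (avail >= 3 && code[0] == 0x83 && (code[1] & 0xc0) == 0xc0) return 3;   /* add/sub reg, imm8 */
    return 0;
}

/* Encode "jmp rel32" located at `from` and targeting `to` (little-endian). */
static void put_jmp(uint8_t *out, uint32_t from, uint32_t to) {
    uint32_t rel = to - (from + JMP_LEN);
    out[0] = 0xe9;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* Plan the hook: returns 0 on success, -1 if the prologue cannot be decoded
 * safely, in which case nothing is planned and the function stays unhooked. */
int plan_hook(const uint8_t *code, size_t code_len, uint32_t func_addr,
              uint32_t callback_addr, uint32_t trampoline_addr, hook_plan_t *plan) {
    size_t n = 0;
    while (n < JMP_LEN) {                    /* displace whole instructions only */
        size_t len = prologue_insn_len(code + n, code_len - n);
        if (len == 0 || n + len > sizeof plan->saved) return -1;
        n += len;
    }
    memset(plan, 0, sizeof *plan);
    memcpy(plan->saved, code, n);            /* content of the original instruction(s) */
    plan->saved_len = n;                     /* their binary code length */
    plan->second_insn_addr = func_addr + (uint32_t)n;
    put_jmp(plan->patch, func_addr, callback_addr);           /* entry -> callback */
    memcpy(plan->trampoline, code, n);                        /* re-execute originals */
    put_jmp(plan->trampoline + n, trampoline_addr + (uint32_t)n,
            plan->second_insn_addr);                          /* then resume */
    plan->trampoline_len = n + JMP_LEN;
    return 0;
}

/* Constructed prologue: mov edi,edi; push ebp; mov ebp,esp; sub esp,0x10; nops */
static const uint8_t SAMPLE_PROLOGUE[16] = {
    0x8b, 0xff, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x10,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };

int main(void) {
    hook_plan_t plan;
    /* Constructed addresses, not taken from any real module. */
    if (plan_hook(SAMPLE_PROLOGUE, sizeof SAMPLE_PROLOGUE,
                  0x77a01000u, 0x10001000u, 0x00400000u, &plan) != 0) {
        puts("prologue not recognised; function left unhooked");
        return 1;
    }
    printf("displaced %zu bytes, resume at 0x%08x\npatch:", plan.saved_len, plan.second_insn_addr);
    for (size_t i = 0; i < JMP_LEN; i++) printf(" %02x", plan.patch[i]);
    printf("\ntrampoline:");
    for (size_t i = 0; i < plan.trampoline_len; i++) printf(" %02x", plan.trampoline[i]);
    putchar('\n');
    return 0;
}
```

The saved bytes and `second_insn_addr` are exactly the three items the page says must be recorded before patching; a real implementation would additionally have to make the entry page writable, write the 5 bytes atomically and handle callers already running inside the displaced instructions.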
And S103, responding to the operation of executing the second callback function, and recording parameter information of the memory occupied by the target process. And generating a detection result according to the parameter information of the memory occupied by the target process.
Specifically, when the target process calls the memory allocation function, attribute parameters such as the total amount of memory occupied by the target process, the number of memory blocks occupied, and the size of each memory block can be monitored. In the embodiment of the invention, a first instruction of the memory allocation function is modified into a second jump instruction. Therefore, when the target process calls the memory allocation function, the second callback function can be automatically executed, and parameter information of the memory occupied by the target process is automatically recorded.
The parameter information may specifically include one or more of attribute parameters such as the total amount of memory occupied by the target process, the number of memory blocks occupied, and the size of each memory block.
Specifically, in order to record the memory usage information of the target process, as shown in fig. 8, step S103 specifically includes:
and S1031, responding to the operation of executing the second callback function, and recording the times of continuously requesting to allocate the memories with the same preset size when the target process requests to allocate the memories.
Specifically, when the second callback function is executed, the second callback function records the size of the memory requested to be allocated at this time, and counts the number of times of continuous requests for allocation of memory blocks of the same size.
It is considered that if the target process requests to allocate the memory, the number of times of allocating the same preset size memory is continuously requested is very small, and thus the condition of the heap injection attack is not usually met. Therefore, when the number of times of continuously requesting allocation of the same preset size memory is smaller than or equal to the first threshold, it is determined that the target process does not carry the heap injection attack, and therefore no alarm is needed.
S1032, if the number of times of continuously requesting allocation of the same preset size memory is greater than the first threshold, searching a preset size of adjacent memory blocks from a high address to a low address in the default heap memory, and recording a number N of types of instructions included in first L bytes of each memory block in the preset size of adjacent memory blocks.
In particular, considering that in a stack-jet attack, the high order bits in each memory block are typically used to store a sledge command. Therefore, in the embodiment of the invention, the first L bytes in each memory block are detected, the number of the types of the instructions in the first L bytes is judged, and then whether the stack injection attack exists is judged.
Specifically, the content of step S1032 may be completed by creating a new thread. Therefore, after determining that the number of times of allocating the same preset size of memory by consecutive requests is greater than the first threshold, the method further includes: creating a second preset thread; and the second preset thread is used for searching the adjacent memory blocks with the preset size from the high address to the low address in the default heap memory, and recording the type number N of the instructions respectively included in the first L bytes of each memory block in the adjacent memory blocks with the preset size. Wherein L is more than or equal to 1.
Specifically, in order to determine the number of types of instructions included in the first L bytes of the memory block, the first L bytes of each memory block in the adjacent memory blocks with the preset size may be disassembled, so as to obtain the instruction content and the number of instructions included in the first L bytes. If the first L bytes of the memory block cannot be disassembled or the disassembling fails, determining that the number of the instruction types of the first L bytes of the memory block is zero.
S1033, if the number N of the types of the instructions included in the first L bytes of each memory block in the adjacent memory blocks with the preset size is not zero and is less than the second threshold, generating an alarm signal.
For example, if there are m adjacent memory blocks of the same size and the number of instruction types in each of the m blocks is greater than 0 and less than the second threshold, it is determined that a heap injection attack is present in the currently running target process, and an alarm signal is generated.
In addition, since the sled instructions and the shellcode may be written into the heap memory with some delay, the number N of instruction types in the first L bytes of a memory block in the group of adjacent preset-size blocks may, at the time of the scan, still be equal to zero or greater than the second threshold; in that case, steps S1032 and S1033 may be executed again after waiting for the preset interval.
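The procedure of steps S1031 to S1033 (count consecutive same-size allocation requests, scan adjacent blocks of that size from high to low address, disassemble the first L bytes of each, alarm when every block has 0 < N < second threshold, otherwise re-scan later), as an added simulation in Python that is not code from the patent. It assumes concrete values for the first threshold, the second threshold and L, which the patent names but does not fix; the allocator calls and the heap blocks are constructed in-process rather than taken from a hooked HeapAlloc, and the disassembler is a small hand-written x86-32 decoder (a real detector would use a complete disassembler), so any byte outside its subset counts as "cannot be disassembled" and yields N = 0 as the patent specifies.

```python
"""Steps S1031-S1033 of the detection method, simulated over constructed heap blocks."""
from typing import Dict, List, Optional, Tuple

# Assumed values: the patent names these parameters but does not fix them.
FIRST_THRESHOLD = 8     # consecutive same-size allocation requests that trigger a scan
SECOND_THRESHOLD = 3    # a block whose N is below this (and above 0) looks like a sled
L = 32                  # leading bytes of each block that are disassembled

# Toy x86-32 decoder (assumption: a real detector uses a full disassembler).
# opcode byte -> (mnemonic, instruction length); anything else is "cannot disassemble".
_FIXED: Dict[int, Tuple[str, int]] = {
    0x90: ("nop", 1), 0xC3: ("ret", 1), 0xCC: ("int3", 1),
    0xE8: ("call", 5), 0xE9: ("jmp", 5), 0xEB: ("jmp", 2),
    0x68: ("push", 5), 0x6A: ("push", 2),
}
_RANGES = [(0x40, 0x47, "inc", 1), (0x48, 0x4F, "dec", 1), (0x50, 0x57, "push", 1),
           (0x58, 0x5F, "pop", 1), (0xB8, 0xBF, "mov", 5)]
_REG_REG = {0x31: "xor", 0x89: "mov", 0x8B: "mov"}   # only the mod=11 (reg, reg) form

def decode(buf: bytes, pos: int) -> Optional[Tuple[str, int]]:
    """Return (mnemonic, length) for the instruction starting at buf[pos], or None."""
    op = buf[pos]
    if op in _FIXED:
        mnem, length = _FIXED[op]
    elif op in _REG_REG and pos + 1 < len(buf) and buf[pos + 1] >= 0xC0:
        mnem, length = _REG_REG[op], 2
    else:
        for lo, hi, name, size in _RANGES:
            if lo <= op <= hi:
                mnem, length = name, size
                break
        else:
            return None
    return (mnem, length) if pos + length <= len(buf) else None

def count_instruction_types(block: bytes, l: int = L) -> int:
    """N for one block: distinct mnemonics in its first l bytes; 0 if disassembly fails."""
    seen, pos = set(), 0
    while pos < min(l, len(block)):
        d = decode(block, pos)
        if d is None:
            return 0
        seen.add(d[0])
        pos += d[1]
    return len(seen)

class AllocationTracker:
    """S1031: count consecutive allocation requests of the same size."""
    def __init__(self) -> None:
        self.last_size: Optional[int] = None
        self.run = 0
    def record(self, size: int) -> bool:
        """Record one request; True once the run exceeds FIRST_THRESHOLD (start S1032)."""
        if size == self.last_size:
            self.run += 1
        else:
            self.last_size, self.run = size, 1
        return self.run > FIRST_THRESHOLD

def scan_adjacent_blocks(heap: List[Tuple[int, bytes]], size: int, l: int = L) -> List[int]:
    """S1032: from the highest address down, take the run of adjacent size-byte blocks
    and return N for each of them."""
    blocks = sorted((b for b in heap if len(b[1]) == size), key=lambda b: b[0], reverse=True)
    counts: List[int] = []
    prev_addr = None
    for addr, data in blocks:
        if prev_addr is not None and prev_addr - addr != size:
            break                      # gap: the adjacent run ends here
        counts.append(count_instruction_types(data, l))
        prev_addr = addr
    return counts

def verdict(counts: List[int]) -> str:
    """S1033: alarm when every block has 0 < N < SECOND_THRESHOLD; otherwise the patent
    re-runs S1032/S1033 after a preset interval (sled and shellcode may not be written yet)."""
    if counts and all(0 < n < SECOND_THRESHOLD for n in counts):
        return "alarm"
    return "retry_later"

# Constructed sample heap contents (not real process memory).
SPRAY_SIZE = 0x1000
def _sled_block() -> bytes:
    tail = b"\xB8\x41\x41\x41\x41\x50\xC3"            # mov eax, imm32; push eax; ret (placeholder)
    return b"\x90" * (SPRAY_SIZE - len(tail)) + tail   # NOP sled fills the leading bytes
def _code_block() -> bytes:
    body = b"\x55\x89\xE5\x31\xC0\x40\x5D\xC3"        # push ebp; mov ebp,esp; xor eax,eax; inc eax; pop ebp; ret
    return (body * (SPRAY_SIZE // len(body)))[:SPRAY_SIZE]
def _text_block() -> bytes:
    return b"plain text, not code".ljust(SPRAY_SIZE, b" ")

def run_scenario(block_factory) -> Tuple[bool, List[int], str]:
    """Feed FIRST_THRESHOLD+1 same-size requests, then scan nine adjacent blocks built by block_factory."""
    tracker = AllocationTracker()
    tracker.record(0x200)                      # an unrelated allocation resets the run
    triggered = False
    for _ in range(FIRST_THRESHOLD + 1):
        triggered = tracker.record(SPRAY_SIZE)
    base = 0x02000000
    heap = [(base + i * SPRAY_SIZE, block_factory()) for i in range(9)]
    heap.append((base - 0x5000, _code_block()))      # same size but not adjacent: outside the run
    counts = scan_adjacent_blocks(heap, SPRAY_SIZE)
    return triggered, counts, verdict(counts)

if __name__ == "__main__":
    for name, factory in (("sled", _sled_block), ("code", _code_block), ("text", _text_block)):
        print(name, run_scenario(factory))
```

The three scenarios exercise the three outcomes the text describes: a run of adjacent blocks that all begin with a single repeated instruction gives N = 1 for every block and raises the alarm; blocks of ordinary code yield N above the second threshold; blocks whose leading bytes do not disassemble yield N = 0. The last two cases return "retry_later", which is where a real implementation would sleep for the preset interval and repeat the scan.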
According to the attack detection method and device provided by the embodiment of the invention, when the target process loads a DLL provided by the operating system, the address of the memory allocation function is searched for in the user-mode memory of the application program corresponding to the target process, and the first instruction of the memory allocation function is modified into the second jump instruction. As a result, the second callback function is called automatically while the target process of the application program runs, the parameter information of the memory the target process requests is recorded, and the memory usage of the target process is checked against that parameter information to generate the detection result. In this way, whether a heap injection attack that abnormally occupies memory exists can be determined while the application program is running.
Embodiment two:
The embodiment of the invention provides an attack detection device for executing the attack detection method provided by the first embodiment. Fig. 9 is a schematic diagram of a possible structure of the attack detection device according to an embodiment of the present invention. Specifically, the attack detection device 20 includes a searching unit 201, a modifying unit 202, and a result generating unit 203, where:
a searching unit 201, configured to search, in response to an operation of loading a dynamic link library DLL provided by an operating system in a target process, an address of a memory allocation function in an application user-mode memory corresponding to the target process;
a modifying unit 202, configured to modify a first instruction of the memory allocation function into a second jump instruction after the searching unit 201 searches for the address of the memory allocation function; the second jump instruction is used for executing a second callback function when the target process executes the memory allocation function;
a result generating unit 203, configured to, after the modifying unit 202 modifies the first instruction of the memory allocation function into the second jump instruction, respond to an operation of executing the second callback function, and record memory occupation information of the target process; and generating a detection result according to the parameter information of the memory occupied by the target process.
Optionally, the searching unit 201 specifically includes a modifying subunit 2011 and a loading subunit 2012:
the modifying subunit 2011 is configured to modify the first instruction of the dynamic link library loading function of the operating system into a first jump instruction, where the first jump instruction is used to execute a first callback function when the target process loads a DLL provided by the operating system through the dynamic link library loading function;
the loading subunit 2012 is configured to load a custom DLL in response to the operation of executing the first callback function; the custom DLL is used to create a first preset thread, which searches for the address of the memory allocation function in the application program user-mode memory corresponding to the target process.
The loading subunit 2012 is specifically configured to: in response to the operation of executing the first callback function, obtain the process identification number (PID) of the target process; determine whether the PID of the target process is stored in an active process list, the active process list storing the PIDs of processes that have already been run; and, if the PID of the target process is not in the active process list, load the custom DLL.
Optionally, the result generating unit 203 is specifically configured to: responding to the operation of executing the second callback function, and recording the times of continuously requesting to allocate the memories with the same preset size when the target process requests to allocate the memories; if the number of times of continuously requesting to allocate the memory with the same preset size is larger than a first threshold value, searching adjacent memory blocks with the preset size from a high address to a low address in the default heap memory, and recording the type number N of instructions respectively included in the first L bytes of each memory block in the adjacent memory blocks with the preset size; and if the type number N of the instructions respectively included in the first L bytes of each memory block in the adjacent memory blocks with the preset size is not zero and is less than the second threshold value, generating an alarm signal.
Optionally, after determining that the number of times that the same preset size of memory is allocated by the consecutive requests is greater than the first threshold, the result generating unit 203 is further configured to: creating a second preset thread; the second preset thread is used for searching adjacent memory blocks with preset sizes from a high address to a low address in the default heap memory, and recording the type number N of instructions respectively included in the first L bytes of each memory block in the adjacent memory blocks with the preset sizes; the second preset thread is further configured to generate an alarm signal if the number N of the types of instructions included in the first L bytes of each memory block in the adjacent memory blocks with the preset size is not zero and is less than the second threshold.
The functions and effects of the modules in the attack detection device provided in the embodiment of the present invention may refer to the corresponding description in the attack detection method of the embodiment described above, and are not described herein again.
It should be noted that, in the embodiment of the present application, the division of the module is schematic, and is only one logic function division, and there may be another division manner in actual implementation.
In the case of an integrated unit, fig. 10 shows a schematic diagram of a possible structure of the attack detection device involved in the above-described embodiment. The attack detection device 30 includes: a processing module 301, a communication module 302 and a storage module 303. The processing module 301 is configured to control and manage the actions of the attack detection apparatus 30, for example, the processing module 301 is configured to support the attack detection apparatus 30 to execute the processes S101 to S103 in fig. 5. The communication module 302 is used to support communication of the attack detection device 30 with other entities. The storage module 303 is used to store program codes and data of the application server.
The processing module 301 may be a processor or a controller, such as a Central Processing Unit (CPU), a general-purpose processor, a Digital Signal Processor (DSP), an application-specific integrated circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. A processor may also be a combination of computing functions, e.g., comprising one or more microprocessors, a DSP and a microprocessor, or the like. The communication module 302 may be a transceiver, a transceiving circuit or a communication interface, etc. The storage module 303 may be a memory.
When the processing module 301 is a processor as shown in fig. 11, the communication module 302 is a transceiver as shown in fig. 11, and the storage module 303 is a memory as shown in fig. 11, the attack detection device according to the embodiment of the present invention may be the following attack detection device 40.
Referring to fig. 11, the attack detection apparatus 40 includes: a processor 401, a transceiver 402, a memory 403, and a bus 404.
The processor 401, the transceiver 402 and the memory 403 are connected to each other through the bus 404; the bus 404 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The processor 401 may be a general-purpose Central Processing Unit (CPU), a microprocessor, an Application-Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to control the execution of programs in accordance with the present invention.
The memory 403 may be a Read-Only Memory (ROM) or other type of static storage device that can store static information and instructions, a Random Access Memory (RAM) or other type of dynamic storage device that can store information and instructions, an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Compact Disc Read-Only Memory (CD-ROM) or other optical disc storage, optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory may be self-contained and coupled to the processor via a bus. The memory may also be integral to the processor.
The memory 403 is used for storing application program codes for executing the scheme of the present invention, and their execution is controlled by the processor 401. The transceiver 402 is configured to receive content input by an external device, and the processor 401 is configured to execute the application program codes stored in the memory 403, thereby implementing the attack detection method provided in the embodiment of the present invention.
It should be understood that, in various embodiments of the present invention, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented using a software program, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. The procedures or functions described in accordance with the embodiments of the invention are all or partially effected when the computer program instructions are loaded and executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wire (e.g., coaxial cable, fiber optics, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or can comprise one or more data storage devices, such as a server, a data center, etc., that can be integrated with the medium. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (8)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title | Status | Publication
CN201910194625.9A | 2019-03-14 | 2019-03-14 | Attack detection method and device | Active | CN110059477B (en)


Publications (2)

Publication Number | Publication Date
CN110059477A (en) | 2019-07-26
CN110059477B (en) | 2021-08-10

Family

ID=67316130

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status | Publication
CN201910194625.9A | Attack detection method and device | 2019-03-14 | 2019-03-14 | Active | CN110059477B (en)

Country Status (1)

Country | Link
CN (1) | CN110059477B (en)


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
