CN111177727B - Vulnerability detection method and device - Google Patents


Info

Publication number: CN111177727B
Authority: CN (China)
Prior art keywords: detection result, vulnerability, stack, current page, memory
Legal status: Active
Application number: CN201910900010.3A
Other languages: Chinese (zh)
Other versions: CN111177727A
Inventors: 李振环, 陈楠, 刘深荣
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Events: application filed by Tencent Technology Shenzhen Co Ltd; priority to CN201910900010.3A; publication of CN111177727A; application granted; publication of CN111177727B; current legal status active; anticipated expiration

Abstract

Translated from Chinese

The embodiments of the present disclosure provide a vulnerability detection method and device, relating to the field of computer technology. The method includes: obtaining memory association information required for the vulnerability to run; if an access operation of a target application on a current page is detected, checking preset information of the current page according to the memory association information to obtain a detection result; and if the detection result is determined to be illegal, determining that the vulnerability exists in the current page. The technical solution of the embodiments of the present disclosure can discover vulnerabilities promptly and quickly, thereby improving security.

Description

Translated from Chinese

Vulnerability detection method and device

Technical Field

The present disclosure relates to the field of computer technology, and in particular to a vulnerability detection method and a vulnerability detection device.

Background Art

With the continuous development of Internet technology, network security issues are receiving more and more attention. How to promptly discover browser vulnerabilities that the vendor has not yet found, but for which hackers have already designed malicious code and embedded it in web pages, is a problem that urgently needs to be solved.

In the related art, in order to discover such vulnerabilities in time, the associated startup-process information corresponding to the browser process can be obtained, and whether that information meets preset abnormal conditions is checked. However, this method is delayed and limited: the vulnerability is likely to be discovered only after the hacker's attack has been completed. In addition, hackers can easily evade this detection method by attacking in a way that does not create a new process, so the vulnerability cannot be detected accurately.

In view of this, there is an urgent need in the field to develop a new vulnerability detection method.

It should be noted that the information disclosed in the above Background section is only intended to enhance understanding of the background of the present application, and therefore may include information that does not constitute prior art known to those of ordinary skill in the art.

Summary of the invention

The embodiments of the present disclosure provide a vulnerability detection method and a vulnerability detection device, which can, at least to a certain extent, promptly and accurately detect whether a current page contains a vulnerability, thereby improving the efficiency and accuracy of vulnerability detection.

Other features and advantages of the present disclosure will become apparent from the following detailed description, or may be learned in part by practice of the present disclosure.

According to one aspect of an embodiment of the present disclosure, a vulnerability detection method is provided, including: obtaining memory association information required for the vulnerability to run; if an access operation of a target application on a current page is detected, checking preset information of the current page according to the memory association information to obtain a detection result; and if the detection result is determined to be illegal, determining that the vulnerability exists in the current page.

According to one aspect of the present disclosure, a vulnerability detection device is provided, including: an information acquisition module, used to obtain memory association information required for the vulnerability to run; a detection result determination module, used to check preset information of the current page according to the memory association information to obtain a detection result if an access operation of a target application on a current page is detected; and a vulnerability determination module, used to determine that the vulnerability exists in the current page if the detection result is determined to be illegal.

In an exemplary embodiment of the present disclosure, the preset information includes a caller. Based on the foregoing scheme, the detection result determination module includes: a caller detection module, used to check the caller according to the memory association information to obtain a first detection result indicating whether the caller is legal; and a first determination module, used to determine that the detection result is illegal if the first detection result is that the caller is illegal.

In an exemplary embodiment of the present disclosure, based on the foregoing scheme, the caller detection module includes: a return address determination module, used to obtain the return address from the stack frame; and a first detection result determination module, used to obtain the instruction immediately preceding the return address and determine whether that instruction is a call instruction, so as to determine the first detection result.
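As an added illustration of the caller check described in the embodiment above (example code written for this page, not code from the patent or from Tencent), the following C program decodes the bytes immediately before a return address taken from a stack frame and reports whether a CALL instruction ends exactly there. The function names (call_len_at, preceded_by_call), the byte sequences and the offsets are all constructed; memory is modelled as a byte array, and 32-bit x86 encodings are assumed, matching the EIP-based description on this page.

```c
/*
 * Added example (not code from the patent): a "call-preceded" check for
 * 32-bit x86, the first detection described above. Given a return address
 * taken from the stack frame, it asks whether any valid CALL encoding ends
 * exactly at that address. Addresses reached through a ret in a ROP chain
 * usually fail this check because the bytes before them are not a CALL.
 * Memory is modelled as a byte array; offsets stand in for addresses.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Length of the CALL instruction that starts at p, or 0 if the bytes at p
 * are not a CALL or do not fit in the `avail` bytes given. Encodings
 * handled: E8 rel32, 9A ptr16:32, FF /2 (register, memory, SIB and
 * displacement forms). FF /3 (far indirect) is left out for brevity. */
static size_t call_len_at(const uint8_t *p, size_t avail)
{
    if (avail < 2)
        return 0;
    if (p[0] == 0xE8)               /* CALL rel32 */
        return avail >= 5 ? 5 : 0;
    if (p[0] == 0x9A)               /* CALL ptr16:32 (far, direct) */
        return avail >= 7 ? 7 : 0;
    if (p[0] != 0xFF)
        return 0;

    uint8_t modrm = p[1];
    uint8_t mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
    if (reg != 2)                   /* only FF /2 is CALL r/m32 */
        return 0;
    if (mod == 3)                   /* CALL reg, e.g. FF D0 = call eax */
        return 2;

    size_t len = 2;
    if (rm == 4) {                  /* SIB byte follows */
        if (avail < 3)
            return 0;
        len += 1;
        if (mod == 0 && (p[2] & 7) == 5)
            len += 4;               /* [index*scale + disp32], no base */
    } else if (mod == 0 && rm == 5) {
        len += 4;                   /* [disp32], e.g. FF 15 xx xx xx xx */
    }
    if (mod == 1)
        len += 1;                   /* disp8 */
    else if (mod == 2)
        len += 4;                   /* disp32 */
    return avail >= len ? len : 0;
}

/* Returns 1 if a CALL instruction ends exactly at code[ret_off], i.e. the
 * return address is "call-preceded"; 0 otherwise. Every CALL length
 * (2..7 bytes) is tried so that a legitimate return address is accepted
 * regardless of which encoding the compiler chose. */
int preceded_by_call(const uint8_t *code, size_t code_len, size_t ret_off)
{
    if (ret_off > code_len)
        return 0;
    for (size_t n = 2; n <= 7 && n <= ret_off; n++) {
        if (call_len_at(code + ret_off - n, n) == n)
            return 1;
    }
    return 0;
}

/* Constructed 32-bit x86 byte sequences (not taken from any real binary). */
static const uint8_t legit_code[] = {
    0x55,                         /* push ebp                              */
    0x8B, 0xEC,                   /* mov  ebp, esp                         */
    0xE8, 0x10, 0x00, 0x00, 0x00, /* call +0x10                            */
    0x5D,                         /* pop  ebp  <- return address, offset 8 */
    0xC3                          /* ret                                   */
};
static const uint8_t indirect_code[] = {
    0xFF, 0x15, 0x00, 0x10, 0x40, 0x00, /* call dword ptr [0x401000]       */
    0x90                                /* nop <- return address, offset 6 */
};
static const uint8_t gadget_code[] = {
    0x58,                         /* pop eax                                */
    0xC3,                         /* ret                                    */
    0x5A,                         /* pop edx <- address a ROP chain returns */
    0xC3                          /* ret        into, offset 2              */
};

int main(void)
{
    printf("legit return address call-preceded: %d\n",
           preceded_by_call(legit_code, sizeof legit_code, 8));
    printf("indirect-call return address call-preceded: %d\n",
           preceded_by_call(indirect_code, sizeof indirect_code, 6));
    printf("ROP gadget address call-preceded: %d\n",
           preceded_by_call(gadget_code, sizeof gadget_code, 2));
    return 0;
}
```

A hooked memory function would apply preceded_by_call to the return address its caller pushed; an address reached through a ret in a ROP chain normally fails because no CALL precedes the gadget. The check is a heuristic: decoding x86 backwards is ambiguous, so bytes that merely happen to form a CALL are accepted, which is why the embodiment pairs it with the call stack check that follows.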

In an exemplary embodiment of the present disclosure, the preset information includes a call stack. Based on the foregoing scheme, the detection result determination module includes: a call stack detection module, used to check the call stack according to the memory association information if the first detection result is that the caller is legal, so as to obtain a second detection result indicating whether the call stack is legal; and a second determination module, used to determine that the detection result is illegal if the second detection result is that the call stack is illegal.

In an exemplary embodiment of the present disclosure, based on the foregoing scheme, the call stack detection module includes: a historical stack frame acquisition module, used to obtain historical stack frames from the current stack frame; a second detection result determination module, used to determine that the second detection result is that the call stack is legal if every historical stack frame is detected to lie within the limit range of the current thread; and a second detection result generation module, used to determine that the second detection result is that the call stack is illegal if any historical stack frame is detected to lie outside the limit range of the current thread.

In an exemplary embodiment of the present disclosure, based on the foregoing scheme, the call stack detection module includes: a historical return address acquisition module, used to obtain historical return addresses from the current stack frame; and an attribute judgment module, used to check each historical return address and, when a historical return address is found whose memory page has the attribute non-executable, determine that the second detection result is that the call stack is illegal.
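As an added illustration of the two call stack checks described in the embodiments above, the historical-frame range check and the executable-page check (example code written for this page, not code from the patent or from Tencent), the following C program walks a simulated EBP frame chain. The thread stack limits STACK_LIMIT and STACK_BASE, the memory map g_regions, and the three constructed stacks built by build_legit_stack, build_pivoted_stack and build_heap_return_stack are all assumptions; a real plug-in would take the limits from the thread environment block and the page attributes from the operating system's memory query API.

```c
/*
 * Added example (not code from the patent): the second detection described
 * above, walking the EBP frame chain of a 32-bit thread. Each historical
 * frame must lie inside the thread's own stack range, and each historical
 * return address must point into an executable page. A frame outside the
 * range (a pivoted stack) or a return address in a non-executable page
 * (e.g. a heap-spray region) makes the call stack illegal.
 * Memory, the stack limits and the page permissions are all constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STACK_LIMIT 0x00100000u   /* lowest valid stack address (constructed) */
#define STACK_BASE  0x00101000u   /* one past the highest (constructed)       */
#define MAX_FRAMES  64            /* guard against cyclic frame chains        */

enum stack_verdict {
    STACK_LEGAL = 0,
    STACK_FRAME_OUT_OF_RANGE = 1,
    STACK_RET_NOT_EXECUTABLE = 2
};

/* Simulated 4 KiB thread stack, indexed by absolute address. */
static uint32_t g_stack[(STACK_BASE - STACK_LIMIT) / 4];

static void w32(uint32_t addr, uint32_t val) { g_stack[(addr - STACK_LIMIT) / 4] = val; }
static uint32_t r32(uint32_t addr)           { return g_stack[(addr - STACK_LIMIT) / 4]; }

/* Constructed memory map: the browser image is executable, the sprayed
 * heap is readable/writable only. */
struct region { uint32_t start, end; int executable; };
static const struct region g_regions[] = {
    { 0x00400000u, 0x00450000u, 1 },  /* browser.exe .text (constructed) */
    { 0x0A000000u, 0x0B000000u, 0 },  /* heap spray, RW only (constructed) */
};

static int page_executable(uint32_t addr)
{
    for (size_t i = 0; i < sizeof g_regions / sizeof g_regions[0]; i++)
        if (addr >= g_regions[i].start && addr < g_regions[i].end)
            return g_regions[i].executable;
    return 0;                          /* unmapped: treat as non-executable */
}

/* A frame is [saved EBP][return address]; both words must fit inside the
 * thread's stack range before either is read. */
static int frame_in_range(uint32_t ebp)
{
    return ebp >= STACK_LIMIT && ebp + 8 <= STACK_BASE && (ebp & 3) == 0;
}

/* Walk the frame chain starting at `ebp` and return the verdict. The range
 * check runs first so a pivoted frame pointer is never dereferenced. */
enum stack_verdict check_call_stack(uint32_t ebp)
{
    for (int depth = 0; ebp != 0 && depth < MAX_FRAMES; depth++) {
        if (!frame_in_range(ebp))
            return STACK_FRAME_OUT_OF_RANGE;
        uint32_t ret = r32(ebp + 4);
        if (!page_executable(ret))
            return STACK_RET_NOT_EXECUTABLE;
        ebp = r32(ebp);                /* saved EBP = previous frame */
    }
    return STACK_LEGAL;
}

/* Three constructed stacks; each returns the EBP of the innermost frame. */
uint32_t build_legit_stack(void)
{
    w32(0x00100FF8u, 0);            w32(0x00100FFCu, 0x00402000u); /* outermost */
    w32(0x00100FF0u, 0x00100FF8u);  w32(0x00100FF4u, 0x00401000u);
    return 0x00100FF0u;
}
uint32_t build_pivoted_stack(void)
{
    /* saved EBP points into the heap: the chain leaves the thread stack */
    w32(0x00100FF0u, 0x0A001000u);  w32(0x00100FF4u, 0x00401000u);
    return 0x00100FF0u;
}
uint32_t build_heap_return_stack(void)
{
    /* a historical return address lands in the non-executable spray region */
    w32(0x00100FF8u, 0);            w32(0x00100FFCu, 0x0A000500u);
    w32(0x00100FF0u, 0x00100FF8u);  w32(0x00100FF4u, 0x00401000u);
    return 0x00100FF0u;
}

int main(void)
{
    printf("legit stack: %d\n", check_call_stack(build_legit_stack()));
    printf("pivoted stack: %d\n", check_call_stack(build_pivoted_stack()));
    printf("heap return: %d\n", check_call_stack(build_heap_return_stack()));
    return 0;
}
```

The walker validates each frame address before reading from it, so a pivoted frame pointer is reported without touching memory outside the thread's stack, and MAX_FRAMES bounds the walk so a cyclic saved-EBP chain cannot hang the hook. Frame-pointer omission in optimised builds breaks the EBP chain, so a production walker has to fall back on unwind information rather than trusting saved EBP values alone.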

In an exemplary embodiment of the present disclosure, based on the foregoing scheme, after it is determined that the vulnerability exists in the current page, the device further includes: an execution prohibition module, used to send the information of the current page and the information of the target application to a server, and to store the information of the current page in a list indicating prohibited execution, so as to prohibit execution of the current page.

In an exemplary embodiment of the present disclosure, based on the foregoing scheme, the device further includes: a continued execution module, used to continue executing the current page if the detection result is determined to be legal.

In an exemplary embodiment of the present disclosure, based on the foregoing scheme, the device further includes: an information warning module, used to provide a prompt message drawing attention to the detection result if the detection result is determined to be illegal, so as to issue an early warning.

In the technical solutions provided by some embodiments of the present disclosure, when an access operation of the target application on the current page is detected, the preset information of the current page can be checked according to the obtained memory association information required for the vulnerability to run, so that whether the current page contains a vulnerability is determined by whether the detection result is legal. On the one hand, because the preset information of the current page is judged directly against the memory association information required for the vulnerability to run, the lag of vulnerability detection in the related art is avoided; detection and interception are performed at the level of the execution principle, so the vulnerability can be discovered promptly and quickly and the vulnerability attack fails, which improves the efficiency of vulnerability detection and reduces its limitations. On the other hand, because the current page is checked through memory association information, the vulnerability can be detected in time, and a hacker's vulnerability attack can therefore be discovered and stopped in time, protecting the security of information.

It is to be understood that the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the present disclosure.

BRIEF DESCRIPTION OF THE DRAWINGS

The drawings herein are incorporated into and constitute a part of this specification; they show embodiments consistent with the present disclosure and, together with the specification, serve to explain the principles of the present disclosure. Obviously, the drawings described below are only some embodiments of the present disclosure, and those of ordinary skill in the art can obtain other drawings from them without creative effort. In the drawings:

FIG. 1 shows a schematic diagram of an exemplary system architecture to which the technical solution of an embodiment of the present disclosure can be applied;

FIG. 2 schematically shows a flow chart of a vulnerability detection method according to an embodiment of the present disclosure;

FIG. 3 schematically shows a diagram of a hacker executing a vulnerability attack according to an embodiment of the present disclosure;

FIG. 4 schematically shows a diagram of performing a first detection on a current page according to an embodiment of the present disclosure;

FIG. 5 schematically shows a diagram of performing a second detection on the current page according to an embodiment of the present disclosure;

FIG. 6 schematically shows a diagram of determining a second detection result from historical stack frames according to an embodiment of the present disclosure;

FIG. 7 schematically shows a diagram of a vulnerability detection architecture according to an embodiment of the present disclosure;

FIG. 8 schematically shows a flow chart of performing vulnerability detection according to an embodiment of the present disclosure;

FIG. 9 schematically shows a block diagram of a vulnerability detection device according to an embodiment of the present disclosure;

FIG. 10 shows a schematic structural diagram of a computer system suitable for implementing an electronic device of an embodiment of the present disclosure.

DETAILED DESCRIPTION

Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments can, however, be implemented in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that the present disclosure will be more thorough and complete and will fully convey the concept of the example embodiments to those skilled in the art.

In addition, the described features, structures or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, many specific details are provided to give a thorough understanding of the embodiments of the present disclosure. However, those skilled in the art will appreciate that the technical solutions of the present disclosure may be practiced without one or more of the specific details, or with other methods, components, devices, steps and so on. In other instances, well-known methods, devices, implementations or operations are not shown or described in detail so as not to obscure aspects of the present disclosure.

The block diagrams shown in the drawings are merely functional entities and do not necessarily correspond to physically separate entities. That is, these functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.

The flowcharts shown in the drawings are merely illustrative; they need not include all contents and operations/steps, and the operations/steps need not be executed in the order described. For example, some operations/steps may be split, and some may be combined or partially combined, so the actual order of execution may change according to the actual situation.

In view of the problems in the related art, the embodiments of the present disclosure first propose a vulnerability detection method. The vulnerability detection method in the embodiments of the present disclosure can be used in any vulnerability detection scenario, for example the scenario in which a browser or an application runs a malicious page provided by a hacker server.

FIG. 1 shows a schematic diagram of an exemplary system architecture to which the technical solution of an embodiment of the present disclosure can be applied.

As shown in FIG. 1, the system architecture 100 may include a client 101, a network 102, a server 103, a server 104 and a server 105. The client 101 may be a terminal device such as a portable computer, a desktop computer or a smartphone that has a display screen and can connect to a network to access pages or applications; a browser is installed on the client 101, and a browser plug-in is installed in the browser so that vulnerability detection can be performed through the plug-in. The network 102 is the medium providing a communication link between the client 101 and the server 103, or between the client 101 and the server 105. The network 102 may include various connection types, such as wired communication links and wireless communication links. In the embodiments of the present disclosure, the network 102 between the client 101 and the server 103, and between the client 101 and the server 105, may be a wired communication link, for example one provided over a serial connection cable, or a wireless communication link provided over a wireless network.

It should be understood that the numbers of clients, networks and servers in FIG. 1 are merely illustrative. There may be any number of clients, networks and servers as required by the implementation. For example, the server 103 and the server 105 may each be a server cluster composed of multiple servers.

In one embodiment of the present disclosure, a browser or an application runs on the client 101 and accesses pages while running. A plug-in is also installed in the browser on the client; the plug-in performs vulnerability detection while the browser is running, and the plug-ins of different browsers may be the same or different. The server 103 may be the server corresponding to the URL or link entered in the browser. The server 104 may be a hacker server, that is, server software used for attacks, for example one that hosts malicious pages. The server 105 may be a security server: when a vulnerability is detected, the client 101 can send the information of the page it accessed and the browser information to the server 105 through the network 102, so that the server 105 performs subsequent processing.

It should be noted that the vulnerability detection method provided by the embodiments of the present disclosure is generally executed by the plug-in installed in the browser on the client 101, and accordingly the vulnerability detection device is generally located in the client 101. However, in other embodiments of the present disclosure, the server may also have functions similar to the client's and thereby execute the vulnerability detection method provided by the embodiments of the present disclosure.

FIG. 2 schematically shows a flow chart of a vulnerability detection method according to an embodiment of the present disclosure; the method can be executed by a plug-in with a vulnerability detection function installed in the browser on the client. Referring to FIG. 2, the vulnerability detection method includes at least steps S210 to S230, wherein:

In step S210, the memory association information required for the vulnerability to run is obtained;

In step S220, if an access operation of the target application on the current page is detected, the preset information of the current page is checked according to the memory association information to obtain a detection result;

In step S230, if the detection result is determined to be illegal, it is determined that the vulnerability exists in the current page.

On the one hand, because the technical solution of the embodiments of the present disclosure makes its judgment directly on the basis of the memory association information required for the vulnerability to run, the lag of vulnerability detection in the related art is avoided, and detection and interception can be performed at the level of the execution principle; the vulnerability can therefore be discovered promptly and quickly, which improves detection efficiency and reduces limitations. On the other hand, because the current page is checked through memory association information, the vulnerability can be detected in time, and a hacker's vulnerability attack can therefore be discovered and stopped in time, protecting information security.

Next, the vulnerability detection method in the embodiments of the present disclosure is described in detail with reference to the drawings.

In step S210, the memory association information required for the vulnerability to run is obtained.

In the embodiments of the present disclosure, a vulnerability is a defect in the concrete implementation of hardware, software or a protocol, or in a system security policy, which allows an attacker to access or damage the system without authorization. The vulnerability in the embodiments of the present disclosure refers to a browser 0day vulnerability: before a browser vulnerability has been discovered by the vendor (that is, before the vendor has issued the corresponding patch), hackers design malicious code targeting the undiscovered vulnerability and embed it in a web page, and when a user unknowingly opens that page, the attack is carried out through the user's browser.

The memory association information may include memory-related functions; here these are the memory-related functions that are indispensable to, or must be passed through by, the running of the vulnerability. Specifically, hooking can be used to intercept these memory-related functions, which are the path a hacker's exploitation of the vulnerability must take, that is, functions necessary for the vulnerability to run. Specific memory-related functions include, but are not limited to, VirtualAlloc, VirtualAllocEx, VirtualProtect and VirtualProtectEx.

There are many hooking techniques for capturing memory-related functions, including but not limited to Inline Hook and IAT Hook. Inline Hook works as follows: the instruction at the head of the function is modified to jmp xxx, the hook's own code is executed at location xxx, and finally execution returns to the code in the original function below the jmp xxx and continues. IAT Hook works as follows: the browser's import address table is modified directly so that the entry for the target function points to the hook's own function address; when the browser calls that imported function, it first jumps into the hook's function.

在步骤S220中,若检测到目标应用对当前页面的访问操作,则根据所述内存关联信息对所述当前页面的预设信息进行检测,以获取检测结果。In step S220, if an access operation of the target application to the current page is detected, the preset information of the current page is detected according to the memory association information to obtain a detection result.

本公开实施例中,目标应用指的是用户用于浏览网页的客户端软件,例如可以包括浏览器或者是其他应用程序,只要能够实现浏览网页的功能即可。当用户通过目标应用访问黑客服务器时,就会受到攻击。本公开实施例中以目标应用为浏览器为例进行说明。当前页面指的是目标应用正在访问的网页页面,该当前页面的类型可以为恶意页面或者是其他类型的异常页面等等,本公开实施例中以当前页面为恶意页面为例进行说明。恶意页面包含了0day漏洞利用恶意代码的网页文件,且恶意页面可以为黑客通过黑客服务器事先布置好的,以供浏览器运行的页面。其中,黑客服务器指的是黑客用于攻击用户的服务器软件,其中存放了恶意页面。In the disclosed embodiments, the target application refers to the client software used by the user to browse the web, for example, it may include a browser or other application programs, as long as the function of browsing the web can be realized. When the user accesses the hacker server through the target application, it will be attacked. In the disclosed embodiments, the target application is a browser as an example for explanation. The current page refers to the web page that the target application is accessing. The type of the current page can be a malicious page or other types of abnormal pages, etc. In the disclosed embodiments, the current page is a malicious page as an example for explanation. The malicious page contains a web page file that exploits the malicious code of the 0day vulnerability, and the malicious page can be a page that the hacker has pre-arranged through the hacker server for the browser to run. Among them, the hacker server refers to the server software used by the hacker to attack the user, in which the malicious page is stored.

在检测到浏览器运行该恶意页面时,黑客可以通过恶意页面执行ROP(Return-Oriented Programming)攻击。ROP攻击就是对栈上的返回地址进行利用的一种攻击方式。ROP是黑客的漏洞利用技术,它的主要目标是绕过浏览器的DEP(Data ExecutionPrevention,数据执行保护)和CFG防护,通过构建一个ROP链,利用ret指令,来达到调用任意函数的目的。When the browser is detected to be running the malicious page, the hacker can perform a ROP (Return-Oriented Programming) attack through the malicious page. A ROP attack is an attack method that exploits the return address on the stack. ROP is a vulnerability exploitation technology used by hackers. Its main goal is to bypass the browser's DEP (Data Execution Prevention) and CFG protections by building a ROP chain and using the ret instruction to call any function.

DEP是一套软硬件技术,能够在内存上执行额外检查以帮助防止在系统上运行恶意代码,是可以帮助防止数据页执行代码。通常情况下,不从默认堆和堆栈执行代码。硬件实施DEP检测从这些位置运行的代码,并在发现执行情况时引发异常。软件实施DEP可帮助阻止恶意代码利用Windows中的异常处理机制进行破坏。DEP is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on the system. It can help prevent code from executing from data pages. Typically, code is not executed from the default heap and stack. Hardware-enforced DEP detects code running from these locations and throws an exception if execution is found. Software-enforced DEP helps prevent malicious code from exploiting the exception handling mechanism in Windows to cause damage.

图3中示意性示出了执行漏洞攻击的流程示意图,参考图3中所示,浏览器运行恶意页面的过程中,黑客执行ROP漏洞攻击的流程具体包括以下步骤:FIG3 schematically shows a flow chart of executing a vulnerability attack. Referring to FIG3 , when a browser runs a malicious page, the process of a hacker executing a ROP vulnerability attack specifically includes the following steps:

步骤S310,构造漏洞ROP链:通过Heap Spray技术,即批量创建可控数据对象,比如Array,TypedArray等,在内存中构建一段连续可控的内存,将需要数据填入其中,作为一个ROP链使用。ROP链通常包含了一系列的代码地址,这些地址所指向的并不是某一个函数,而是一些指令片段,它存在于浏览器本身,都是黑客精心挑选的,比如pop xxx,push xxx,jmpxxx,ret等,通过这些指令片段组合,黑客能够绕过DEP和CFG的防护,达到执行自己shellcode的目的。其中,shellcode是一段用于利用软件漏洞而执行的代码,shellcode为16进制的机器码。shellcode可在暂存器eip溢出后,塞入一段可让CPU执行的shellcode机器码,让电脑可以执行攻击者的任意指令。Step S310, constructing a vulnerability ROP chain: through the Heap Spray technology, that is, batch creation of controllable data objects, such as Array, TypedArray, etc., a continuous and controllable memory is constructed in the memory, and the required data is filled in it, which is used as a ROP chain. The ROP chain usually contains a series of code addresses. These addresses do not point to a certain function, but to some instruction fragments. It exists in the browser itself and is carefully selected by hackers, such as pop xxx, push xxx, jmpxxx, ret, etc. Through the combination of these instruction fragments, hackers can bypass the protection of DEP and CFG and achieve the purpose of executing their own shellcode. Among them, shellcode is a section of code used to exploit software vulnerabilities and is executed in hexadecimal machine code. After the temporary register eip overflows, the shellcode can be inserted into a section of shellcode machine code that can be executed by the CPU, so that the computer can execute any instruction of the attacker.

Step S320, triggering the vulnerability: different 0day vulnerabilities are triggered in different ways; the purpose is to cause memory corruption and thereby gain the ability to modify memory at an arbitrary address.

Step S330, controlling the EIP register: after the vulnerability has been triggered in the previous step, the hacker redirects EIP onto the ROP chain. This step is usually performed by stack pivoting, forging a virtual function table or similar methods, so that an instruction such as call [eax+0xX] or ret transfers control to the chain.

The EIP register stores the address of the next instruction the CPU will read; the CPU fetches the instruction to be executed through EIP. Each time the CPU finishes executing an assembly instruction, the value of EIP advances.

Step S340, executing the ROP chain: at this point the browser has entered the ROP chain constructed by the hacker and continues to execute along the chain's instruction fragments rather than the browser's normal logic; the hacker has now achieved initial control of the program flow.

Step S350, ROP jumps: this is the execution process of ROP. Because the instruction fragments in the browser that suit the hacker's ROP chain are not laid out contiguously at a single address but are scattered across different functions, the hacker has to rely on ret instructions to jump from one fragment to the next. The call instruction is not used here because of CFG.

Once the hacker has completed the ROP attack through these ROP jumps, a predetermined operation is necessarily performed to bypass Data Execution Prevention (DEP). This predetermined operation may be modifying a memory attribute, which is done by executing memory-related functions. Modifying a memory attribute may, for example, mean changing the original attribute "non-executable" to "executable", or changing the original attribute "writable" to "non-writable", where "non-writable" may specifically be "readable" or "executable".

Based on this, while bypassing DEP the hacker necessarily enters memory-related functions that have been intercepted with hook technology. By using hooks to mount the detection module on the browser's key functions, the vulnerability detection process is executed from within the intercepted memory-related functions.

The preset information may include either the caller or the call stack. Depending on which preset information is used, the vulnerability detection process can be divided into a first-type detection and a second-type detection. Correspondingly, the first-type detection includes but is not limited to caller detection, and the second-type detection includes but is not limited to call stack detection. When performing vulnerability detection, only one of the two types may be performed, or both may be performed in sequence; the choice can be made according to actual requirements in order to improve detection accuracy. The detection result may be determined from the first detection result alone, or jointly from the first and second detection results; no particular limitation is imposed here.

FIG. 4 schematically shows the first detection performed on the current page. Referring to FIG. 4, the process mainly includes step S410 and step S420, wherein:

In step S410, the caller is checked according to the memory association information to obtain a first detection result indicating whether the caller is legitimate.

In the disclosed embodiment, the caller is the context from which a function is called, which can be understood as the calling function itself. For example, if function A calls function B, then function A is the caller. The caller can be checked using the frame return address to determine whether it is legitimate, which yields the first detection result. Specifically, obtaining the first detection result from the frame return address may include the following steps. First, the return address is obtained from the stack frame. The return address is the address of the instruction at which the main program resumes after returning from a subroutine; it is therefore the address of the instruction immediately following the call instruction in the main program. Concretely, the return address is read from the stack frame. A stack frame is the record, stored on the user stack, of the information involved in one function call; stack frames represent the program's function call records, and not all stack frames are the same size. On this basis, the return address can be obtained from [ESP] or from [EBP+4]. ESP is the stack pointer register, which holds the address of the top of the stack, i.e. the top of the current stack frame; the frame at the top of the stack (the current frame) belongs to the function currently being called. EBP is the frame pointer register, which holds the base address of each frame, so [EBP+4] denotes the saved return address. The return address can therefore be obtained either from the top of the current stack frame or from the frame's return-address slot.

Second, the instruction preceding the return address is obtained and it is determined whether that instruction is a call instruction, which determines the first detection result. Since the return address is the address of the instruction following the call instruction, in a normal call flow the instruction preceding the return address is the call instruction; the call instruction here is therefore the x86 call instruction. Every call instruction pushes the address of the instruction following it onto the stack. Whether the instruction preceding the return address is a call can be determined by comparing instruction bytes or by the instruction's encoding. If the preceding instruction is a call, the call process can be considered normal and the first detection result is that the caller is legitimate. If the preceding instruction is not a call, it can be concluded that a RET jump was used and a ROP attack is being executed. A RET jump returns directly to the instruction following the most recent call instruction rather than the instruction following the first call; for example, when one function calls another and must return to the original function after execution, a RET jump is used. While executing the exploit, the hacker must use RET jumps repeatedly to reach the instruction fragments of the ROP chain, which lie at non-contiguous addresses. Since a RET jump was determined to have occurred, the call is considered to have been made by the hacker rather than by the function itself, and the first detection result is that the caller is illegitimate.

In step S420, if the first detection result is that the caller is illegitimate, the detection result is determined to be illegitimate.

In the disclosed embodiment, if the instruction preceding the return address is not a call instruction, the first detection result is that the caller is illegitimate; for example, if the caller is a hacker, the caller is considered illegitimate. Since the caller has already been determined to be illegitimate, there is no need to check whether other parameters or operations are legitimate; the final detection result for the preset information is determined to be illegitimate directly from the caller result.

In the disclosed embodiment, by mounting caller detection on memory-related functions, caller detection is performed from within those functions to obtain the first detection result, and the legitimacy of the detection result is then determined, so that vulnerability detection can be carried out more accurately and promptly.

FIG. 5 schematically shows the second detection performed on the current page. Referring to FIG. 5, the process mainly includes step S510 and step S520, wherein:

In step S510, if the first detection result is that the caller is legitimate, the call stack is checked according to the memory association information to obtain a second detection result indicating whether the call stack is legitimate.

In the disclosed embodiment, the preset information of the current page may include the call stack in addition to the caller. Detection may be performed using the caller alone, or, when caller detection finds nothing abnormal, additionally using the call stack; that is, the call stack is checked only when the caller check has not detected anything. If the caller is determined to be legitimate from the return address and the instruction preceding it, the call stack check mounted in the memory association information continues: the call stack is checked on the basis of that information and a second detection result describing whether the call stack is legitimate is obtained. When determining the second detection result, historical information may be used to decide whether the call stack is legitimate, in order to improve accuracy. The historical information may include at least one of historical stack frames and historical return addresses.

FIG. 6 schematically shows a flowchart for determining the second detection result from historical stack frames. Referring to FIG. 6, the legitimacy of the call stack is judged mainly from the historical stack frames, and the process specifically includes steps S610 to S630, wherein:

In step S610, historical stack frames are obtained from the current stack frame.

In the disclosed embodiment, a stack frame represents one function call record of the program; it is the record, stored on the user stack, of the information involved in one function call. The current stack frame is the current function call record, and the historical stack frames are the earlier function call records. Specifically, the historical stack frames can be obtained by stack backtracing. The principle of stack backtracing is that the function call relationships of the whole process can be traced back step by step using EBP together with the return address of each function. For example, when function A calls function B, the EBP value of the called function B is the address of the memory location holding the EBP value of the calling function, i.e. function A. Starting the backtrace from function B, the EBP of function A is obtained from the EBP of function B, the return address stored immediately adjacent in memory is read, and from that return address it can be determined which calling function the frame belongs to. Stack backtracing thus allows the callers to be located quickly.

In the disclosed embodiment, because of the compiler's conventions, [EBP] holds the EBP of the caller one level up and [EBP+4] holds the return address. Therefore all historical stack frames (EBP values) and return addresses can be traced back from the current stack frame's EBP, so that the historical stack frames corresponding to the current stack frame are obtained quickly and accurately.

In step S620, if every historical stack frame is detected to be within the limits of the current thread, the second detection result is determined to be that the call stack is legitimate.

In the disclosed embodiment, the thread to which each historical stack frame belongs can be examined to determine whether the call stack is legitimate. Specifically, the thread of each historical stack frame is obtained, and it is judged whether that frame lies within the limits of the current thread. The current thread is the thread currently executing and may contain multiple stack frames. The limits of the current thread therefore refer to the limits of the stack frames belonging to it, which can be expressed specifically as the range from StackBase to StackLimit. StackBase denotes the base address of the stack and StackLimit denotes the stack boundary; together, StackBase and StackLimit define the range of the current thread's stack in memory. If a historical stack frame matches one of the stack frames belonging to the current thread, that historical stack frame is considered to be within the limits of the current thread. The same matching method can be applied, one by one or all at once, to judge whether all historical stack frames are within the limits of the current thread. It should be noted that when all historical stack frames are within the limits of the current thread, no call stack outside those limits has been used, so the call stack can be determined to be legitimate. For example, if historical stack frames A, B and C all lie within the limits of the stack frames contained in the current thread, the second detection result describing the call stack is that the call stack is legitimate.

In step S630, if it is detected that among all the historical stack frames there is a historical stack frame that is not within the limits of the current thread, the second detection result is determined to be that the call stack is illegitimate.

In the disclosed embodiment, the existence of a historical stack frame not within the limits of the current thread means that not all historical stack frames lie within those limits. Similarly to step S620, the thread of each historical stack frame is obtained and it is judged whether that frame lies within the limits of the stack frames of the current thread. If a historical stack frame matches one of the stack frames of the current thread, it is considered to be within the limits of the current thread; if it matches none of them, it is considered to be outside those limits. If at least one historical stack frame is found that matches none of the current thread's stack frames, a call stack outside the limits is considered to have been used, and the call stack is determined to be illegitimate. For example, if historical stack frames A, B and C all lie within the limits of the current thread's stack frames but historical stack frame D does not, the second detection result describing the call stack is that the call stack is illegitimate.

Continuing with FIG. 5, in step S520, if the second detection result is that the call stack is illegitimate, the detection result is determined to be illegitimate.

In the disclosed embodiment, since the detection result can be described by the caller alone or by the caller together with the call stack, if, given a legitimate first detection result, the second detection result describing the call stack is that the call stack is illegitimate, the detection result is directly determined to be illegitimate. If, given a legitimate first detection result, the second detection result is that the call stack is legitimate, the detection result is determined to be legitimate.

In addition, the second detection result may be determined from the return addresses in the historical information. Specifically, this may include: obtaining historical return addresses from the current stack frame; checking each historical return address and, when a historical return address is found whose memory page has the attribute non-executable, determining that the second detection result is that the call stack is illegitimate. A historical return address is a return address from an earlier call in the chain, and a return address can be expressed as [EBP+4]. The historical return addresses are obtained by stack backtracing from the current stack frame; the memory page on which each historical return address lies is then determined, together with the execution state of that page's attribute, which may be executable or non-executable. Once the execution state of the page attribute is known, the second detection result follows from it. Specifically, the execution state of the memory page of every historical return address is determined, and each historical return address is judged to be executable or not. If the memory pages of all historical return addresses are executable, the second detection result is that the call stack is legitimate. If the memory pages of the historical return addresses are partly executable and partly non-executable (that is, at least one historical return address lies on a page whose attribute is non-executable), the non-executable page indicates an abnormal call process, and the second detection result is that the call stack is illegitimate. It should be noted that checking the historical return addresses is likewise performed only on the basis that the caller is legitimate; if the caller is illegitimate, there is no need to check the historical return addresses. In the disclosed embodiment, the second detection result can be determined more accurately and more quickly through the page attributes of the historical return addresses.

The technical solution of the disclosed embodiment can determine the detection result from at least one of the caller and the call stack, and determines the detection result to be illegitimate when the caller is illegitimate, or when the caller is legitimate but the call stack is illegitimate. Because the detection result is obtained by checking the caller and call stack of the current page on the basis of the memory-related information the vulnerability needs in order to run, the accuracy and timeliness of the detection result are improved.
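The three checks described above (the caller check of steps S410/S420, the stack-limit check of steps S610 to S630, and the return-address page-attribute variant), combined in the order of FIG. 8, as an added example that is not part of the patent or of any product implementing it. It runs against a constructed in-memory model of an x86 process (a region table, TEB-style StackLimit/StackBase values and a saved-EBP chain) instead of live hooks, so every address, byte and name below is an assumption; a real plug-in would read [ESP], EBP and the page attributes from the hooked function's context.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Mapped region of the simulated process; code pages carry bytes, data pages do not. */
typedef struct { uint32_t base, size; bool executable; const uint8_t *bytes; } region_t;
/* Simulated process: mapped regions plus the current thread's stack limits. */
typedef struct {
    const region_t *regions; size_t nregions;
    uint32_t stack_limit, stack_base;   /* TEB StackLimit (low) .. StackBase (high, exclusive) */
    const uint32_t *stack_words;        /* backing memory for that range */
} process_t;
enum verdict { LEGAL = 0, CALLER_ILLEGAL = 1, STACK_ILLEGAL = 2 };

static const region_t *find_region(const process_t *p, uint32_t addr) {
    for (size_t i = 0; i < p->nregions; i++)
        if (addr >= p->regions[i].base && addr - p->regions[i].base < p->regions[i].size)
            return &p->regions[i];
    return NULL;
}

/* Read a dword from the thread stack; fails once the address leaves StackLimit..StackBase. */
static bool read_stack(const process_t *p, uint32_t addr, uint32_t *out) {
    if (addr < p->stack_limit || addr % 4 != 0 || addr + 4 > p->stack_base) return false;
    *out = p->stack_words[(addr - p->stack_limit) / 4];
    return true;
}

/* Length of the x86 call encoded at p, or 0 if p does not start a call. Covers
   E8 rel32 and FF /2 (call r/m32, e.g. the "call [eax+0xX]" form named in the text). */
static size_t call_insn_len(const uint8_t *p, size_t avail) {
    if (avail >= 5 && p[0] == 0xE8) return 5;
    if (avail < 2 || p[0] != 0xFF || ((p[1] >> 3) & 7) != 2) return 0;
    unsigned mod = p[1] >> 6, rm = p[1] & 7;
    size_t len = 2;
    if (mod != 3 && rm == 4) len += 1;                     /* SIB byte */
    if (mod == 1) len += 1;                                /* disp8 */
    else if (mod == 2 || (mod == 0 && rm == 5)) len += 4;  /* disp32 */
    return len <= avail ? len : 0;
}

/* First-type check (steps S410/S420): the instruction ending at the return address
   must be a call; otherwise control arrived at the hooked function through a ret. */
static bool caller_is_legal(const process_t *p, uint32_t ret_addr) {
    const region_t *r = find_region(p, ret_addr);
    if (!r || !r->executable || !r->bytes) return false;
    for (size_t len = 2; len <= 7 && ret_addr - r->base >= len; len++)
        if (call_insn_len(r->bytes + (ret_addr - r->base - len), len) == len) return true;
    return false;
}

/* Second-type check (steps S610-S630 plus the page-attribute variant): walk the saved-EBP
   chain; every frame must lie inside the thread stack and every saved return address
   must sit on an executable page. */
static bool callstack_is_legal(const process_t *p, uint32_t ebp) {
    for (int depth = 0; depth < 64 && ebp != 0; depth++) {
        uint32_t saved_ebp, ret_addr;
        if (!read_stack(p, ebp, &saved_ebp) || !read_stack(p, ebp + 4, &ret_addr))
            return false;                            /* frame outside StackLimit..StackBase */
        const region_t *r = find_region(p, ret_addr);
        if (!r || !r->executable) return false;      /* return address on a non-executable page */
        if (saved_ebp != 0 && saved_ebp <= ebp) return false; /* chain must climb toward StackBase */
        ebp = saved_ebp;
    }
    return true;
}

/* Combined verdict in the order of FIG. 8: caller first, then the call stack. */
int detect(const process_t *p, uint32_t ret_addr, uint32_t ebp) {
    if (!caller_is_legal(p, ret_addr)) return CALLER_ILLEGAL;
    if (!callstack_is_legal(p, ebp)) return STACK_ILLEGAL;
    return LEGAL;
}

/* Constructed sample process (not real browser memory). Code page at 0x10000000:
   +0: FF 50 08        call [eax+8]   -> return address 0x10000003
   +3: E8 00 00 00 00  call rel32     -> return address 0x10000008
   +8: C3  +9: 58  +A: C3             ret; pop eax; ret  (gadget at 0x10000009) */
static const uint8_t kCode[] = {0xFF, 0x50, 0x08, 0xE8, 0, 0, 0, 0, 0xC3, 0x58, 0xC3};
static const region_t kRegions[] = {
    {0x10000000, 0x1000,   true,  kCode},   /* browser module code */
    {0x20000000, 0x100000, false, NULL},    /* heap spray area */
    {0x00100000, 0x1000,   false, NULL},    /* thread stack */
};
static const uint32_t kStack[1024] = {     /* dword index = (addr - 0x00100000) / 4 */
    [0x3C0] = 0x00100F40, [0x3C1] = 0x10000003,   /* benign chain: 0x100F00 -> 0x100F40 */
    [0x3D0] = 0x00100F80, [0x3D1] = 0x10000008,   /*               -> 0x100F80 */
    [0x3E0] = 0,          [0x3E1] = 0x10000003,   /*               -> end of chain */
    [0x380] = 0x20000F00, [0x381] = 0x10000003,   /* pivoted: saved EBP points into the heap */
    [0x390] = 0,          [0x391] = 0x20000010,   /* return address on a heap (data) page */
};
static const process_t kProc = {kRegions, 3, 0x00100000, 0x00101000, kStack};

/* What a hooked memory function might observe at entry: [esp] and EBP. */
int sample_verdict(int scenario) {
    switch (scenario) {
    case 0:  return detect(&kProc, 0x10000003, 0x00100F00); /* normal call chain */
    case 1:  return detect(&kProc, 0x10000009, 0x00100F00); /* entered via ret into a gadget */
    case 2:  return detect(&kProc, 0x10000003, 0x00100E00); /* frame chain leaves the stack */
    default: return detect(&kProc, 0x10000003, 0x00100E40); /* return address on heap page */
    }
}
```

The call-length decoder is a deliberately small heuristic, as the text's "instruction comparison" is; it will accept any byte pattern that happens to decode as a call, so a production check should be paired with the stack checks rather than used alone.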

Continuing with FIG. 2, in step S230, if the detection result is determined to be illegitimate, it is determined that the vulnerability exists in the current page.

In the disclosed embodiment, when the detection result is determined to be illegitimate from at least one of the first and second detection results, it can be directly determined that the current page contains a vulnerability, namely the browser 0day vulnerability being detected. With the method of the disclosed embodiment, the caller and call stack of the current page are checked at the level of the execution mechanism, on the basis of the memory-related information the vulnerability needs in order to run, and a browser 0day vulnerability is identified when the detection result is illegitimate. Because detection takes place at the level of the mechanism, the vulnerability can be identified promptly and accurately before the exploit runs, so that its execution is blocked. This improves the accuracy and timeliness of vulnerability detection, avoids the limitations of other approaches, reduces the unnecessary losses that arise when remediation is only possible after the exploit has run, and improves security.

After the current page is determined to contain a vulnerability, a stop-execution instruction can be sent to the browser so that, in response, the browser stops accessing the current page. Stopping execution of the current page avoids the resulting security problems and improves security. Further, after the current page is determined to contain a vulnerability, the information of the current page and the information of the target application can be sent to a server, and the information of the current page can be added to a list indicating that execution is prohibited, so as to prohibit execution of the current page. The information of the current page may include: the URL (Uniform Resource Locator) of the current page, content fragments, the page's referer information, the IP address and the time and frequency of its changes, and so on. The referer information records the URL the user came from, i.e. which page led here, and can be used to count the sources of visitors to the site. The target application is a browser or an application program; when the target application is a browser, the information of the target application includes at least one of the browser type, version, network access method, browser engine (kernel) information and browser language, which can be obtained from the request headers sent when the web page is opened.

After the information of the current page and of the target application has been obtained, it can be sent to the server. The server here is a security server, which performs subsequent analysis of the security of the browser and the current page. At the same time, when a vulnerability is determined to exist, the information of the current page can also be stored in the list indicating that execution is prohibited. This list can be a blacklist, and a current page on the blacklist cannot be executed. Storing the information of the vulnerable current page in the list indicating that execution is prohibited avoids the problem of being attacked through the vulnerability because the current page was mistakenly executed, which improves the security of user operations. Of course, if the detection result is determined to be legitimate, i.e. no vulnerability exists, execution of the current page continues.

So that the user can stop executing the current page in advance and avoid a vulnerability attack, when the detection result is determined to be illegitimate from the first and second detection results, or from the first detection result alone, a prompt message indicating the detection result can be provided as an early warning. The prompt message can be information in any form, such as text, symbols, voice or other types. In the disclosed embodiment, the prompt message may take the form of a dialog box informing the user that a vulnerability attack has occurred. Through this prompt message, the vulnerability in the current page is flagged promptly and conveniently so that the current page can be stopped in time, avoiding delay and increasing the timeliness and accuracy of vulnerability detection.

On this basis, the disclosed embodiment provides an architecture for implementing the vulnerability detection method. Referring to FIG. 7, the architecture may include a hacker server 701, a malicious page 702, a browser 703 and a vulnerability detection plug-in 704, wherein:

The hacker server 701 is the server software used by the hacker to attack users and hosts the malicious page. The malicious page 702 is a web page file containing malicious code that exploits a 0day vulnerability. The browser 703 is the client software the user uses to browse web pages and is attacked when it accesses the hacker server. The vulnerability detection plug-in 704 is a browser plug-in for detecting 0day vulnerabilities; if a vulnerability is detected, it prevents the browser from continuing execution and raises an alarm. The vulnerability detection plug-in comprises: a hook module 7041, which uses hooks to mount the detection module on the browser's key functions; a ROP detection module 7042, which detects ROP in order to judge whether a vulnerability attack is taking place; and an interruption and alarm module 7043, which, once a vulnerability attack has been determined, notifies the browser to interrupt further execution of the page and transmits the malicious page information and browser information to the security server.

图8中示意性示出了漏洞检测的流程图,参考图8中所示,主要包括以下步骤:FIG8 schematically shows a flowchart of vulnerability detection. Referring to FIG8 , the flowchart mainly includes the following steps:

在步骤S801中,漏洞检测插件开启。在步骤S802中,Hook浏览器的内存相关函数。在步骤S803中,检测到对恶意页面的访问和执行操作。在步骤S804中,黑客进行漏洞攻击。在步骤S805中,返回地址调用者检查。在步骤S806中,判断调用者是否合法;若是,则转至步骤S807;若否,则转至步骤S808。在步骤S807中,进行调用栈检查并转至步骤S809。在步骤S808中,确定存在ROP漏洞攻击并转至步骤S811。在步骤S809中,判断调用栈是否合法;若是,则转至步骤S810;若否,则转至步骤S808。在步骤S810中,正常执行当前页面。在步骤S811中,中断执行当前页面并进行预警。In step S801, the vulnerability detection plug-in is turned on. In step S802, the memory-related functions of the browser are hooked. In step S803, the access and execution of malicious pages are detected. In step S804, the hacker performs a vulnerability attack. In step S805, the return address caller is checked. In step S806, it is determined whether the caller is legal; if so, it goes to step S807; if not, it goes to step S808. In step S807, a call stack check is performed and the process goes to step S809. In step S808, it is determined that there is a ROP vulnerability attack and the process goes to step S811. In step S809, it is determined whether the call stack is legal; if so, it goes to step S810; if not, it goes to step S808. In step S810, the current page is executed normally. In step S811, the execution of the current page is interrupted and an early warning is issued.

图7以及图8中的技术方案,由于是通过浏览器插件在漏洞执行的原理维度(内存相关函数)检测,能够在漏洞执行之前及时准确地识别出漏洞,从而阻止漏洞的执行,因此能够提高漏洞检测的准确性和及时性,避免了局限性,减少了漏洞运行之后才能进行补救而导致的不必要的损失,提高了安全性。The technical solutions in FIG. 7 and FIG. 8 can detect vulnerabilities in the principle dimension (memory-related functions) of vulnerability execution through browser plug-ins, and can timely and accurately identify vulnerabilities before they are executed, thereby preventing the execution of the vulnerabilities. Therefore, the accuracy and timeliness of vulnerability detection can be improved, limitations can be avoided, unnecessary losses caused by remediation after the vulnerability is running can be reduced, and security can be improved.

The following describes apparatus embodiments of the present disclosure, which may be used to perform the vulnerability detection method of the above embodiments. For details not disclosed in the apparatus embodiments, please refer to the above embodiments of the vulnerability detection method.

FIG. 9 schematically shows a block diagram of a vulnerability detection apparatus according to an embodiment of the present disclosure.

Referring to FIG. 9, a vulnerability detection apparatus 900 according to an embodiment of the present disclosure includes an information acquisition module 901, a detection result determination module 902 and a vulnerability determination module 903, wherein:

The information acquisition module 901 is configured to acquire the memory association information required for the vulnerability to run; the detection result determination module 902 is configured, if an access operation of the target application on the current page is detected, to check the preset information of the current page according to the memory association information to obtain a detection result; the vulnerability determination module 903 is configured, if the detection result is determined to be illegal, to determine that the current page contains the vulnerability.

In an exemplary embodiment of the present disclosure, the preset information includes a caller, and the detection result determination module includes: a caller detection module, configured to check the caller according to the memory association information to obtain a first detection result indicating whether the caller is legal; and a first determination module, configured to determine that the detection result is illegal if the first detection result is that the caller is illegal.

In an exemplary embodiment of the present disclosure, the caller detection module includes: a return address determination module, configured to obtain the return address through the stack frame; and a first detection result determination module, configured to obtain the instruction preceding the return address and determine whether that preceding instruction is a call instruction, so as to determine the first detection result.

In an exemplary embodiment of the present disclosure, the preset information includes a call stack, and the detection result determination module includes: a call stack detection module, configured, if the first detection result is that the caller is legal, to check the call stack according to the memory association information to obtain a second detection result indicating whether the call stack is legal; and a second determination module, configured to determine that the detection result is illegal if the second detection result is that the call stack is illegal.

In an exemplary embodiment of the present disclosure, the call stack detection module includes: a historical stack frame acquisition module, configured to obtain the historical stack frames from the current stack frame; a second detection result determination module, configured to determine that the second detection result is that the call stack is legal if every historical stack frame is detected to lie within the limits of the current thread; and a second detection result generation module, configured to determine that the second detection result is that the call stack is illegal if any historical stack frame is detected to lie outside the limits of the current thread.

In an exemplary embodiment of the present disclosure, the call stack detection module includes: a historical return address acquisition module, configured to obtain the historical return addresses from the current stack frame; and an attribute judgment module, configured to check each historical return address and, upon determining that there is a historical return address whose memory page carries the non-executable attribute, to determine that the second detection result is that the call stack is illegal.

In an exemplary embodiment of the present disclosure, after it is determined that the current page contains the vulnerability, the apparatus further includes: an execution prohibition module, configured to send the information of the current page and the information of the target application to a server, and to store the information of the current page in a list indicating prohibited execution, so as to prohibit execution of the current page.

In an exemplary embodiment of the present disclosure, the apparatus further includes: a continued execution module, configured to continue executing the current page if the detection result is determined to be legal.

In an exemplary embodiment of the present disclosure, the apparatus further includes: an information early-warning module, configured to provide a prompt message reminding the user of the detection result, as an early warning, if the detection result is determined to be illegal.
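The caller check of steps S805 and S806 and the call-stack check of steps S807 and S809, restated by the modules above, as an added example that is not the patent's own code. It assumes x86/x86-64 call encodings, a frame-pointer chain laid out as [saved frame pointer][return address], and a hand-made region list standing in for the thread's stack limits and page attributes that a real plug-in would read from the operating system; every sample byte, address and region below is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Length of the call instruction starting at p, or 0 if none does; 'avail' bounds the bytes
 * read. Covers E8 rel32 and FF /2 (reg, mem, SIB, RIP-relative) with an optional REX prefix. */
static size_t call_len_at(const uint8_t *p, size_t avail)
{
    if (avail >= 1 && (p[0] & 0xF0) == 0x40) {             /* x86-64 REX prefix */
        size_t n = call_len_at(p + 1, avail - 1);
        return n ? n + 1 : 0;
    }
    if (avail < 2) return 0;
    if (p[0] == 0xE8) return 5;                              /* E8 rel32: direct near call */
    if (p[0] != 0xFF || ((p[1] >> 3) & 7) != 2) return 0;   /* FF /2: indirect call */
    unsigned mod = p[1] >> 6, rm = p[1] & 7;
    if (mod == 3) return 2;                                  /* call reg */
    size_t len = 2;
    if (rm == 4) {                                           /* SIB byte follows ModRM */
        if (avail < 3) return 0;
        len += 1;
        if (mod == 0 && (p[2] & 7) == 5) len += 4;           /* SIB base=101, mod=00: disp32 */
    }
    if (mod == 1) len += 1;                                  /* disp8 */
    else if (mod == 2 || (mod == 0 && rm == 5)) len += 4;    /* disp32, incl. RIP-relative */
    return len;
}

/* Steps S805/S806, caller check: a return address left by a real call is immediately preceded
 * by a call; every encoding length that would end exactly at ret_off is tried (a heuristic). */
bool preceded_by_call(const uint8_t *code, size_t ret_off)
{
    for (size_t len = 2; len <= 8; len++)
        if (ret_off >= len && call_len_at(code + ret_off - len, len) == len)
            return true;
    return false;
}

typedef struct { uintptr_t lo, hi; bool executable; } region_t;           /* a mapping + X bit */
typedef struct { uintptr_t stack_lo, stack_hi; const region_t *regions; size_t nregions; } thread_ctx_t;
/* Page-attribute check of step S807: unmapped addresses count as illegal. */
bool address_executable(const thread_ctx_t *t, uintptr_t addr)
{
    for (size_t i = 0; i < t->nregions; i++)
        if (addr >= t->regions[i].lo && addr < t->regions[i].hi)
            return t->regions[i].executable;
    return false;
}

/* Steps S807/S809, call stack check: walk the frame chain from fp. Each frame must lie inside the
 * thread's stack limits and above the previous one; each saved return address must be executable.
 * Returns the number of frames walked, or -1 at the first bad frame. */
int check_call_stack(const thread_ctx_t *t, uintptr_t fp, int max_frames)
{
    int n = 0;
    while (fp != 0 && n < max_frames) {
        if (fp % sizeof(uintptr_t) != 0 || fp < t->stack_lo || fp + 2 * sizeof(uintptr_t) > t->stack_hi)
            return -1;                                       /* frame outside the thread's limits */
        const uintptr_t *frame = (const uintptr_t *)fp;      /* layout: [saved fp][return address] */
        uintptr_t saved_fp = frame[0], ret = frame[1];
        if (!address_executable(t, ret)) return -1;          /* returns into a non-executable page */
        if (saved_fp != 0 && saved_fp <= fp) return -1;      /* chain must move up the stack */
        fp = saved_fp;
        n++;
    }
    return n;
}

enum verdict { LEGAL = 0, ILLEGAL_CALLER = 1, ILLEGAL_STACK = 2 };
/* Decision order of FIG. 8: caller check first; the stack is walked only if the caller passed. */
enum verdict detect_rop(const uint8_t *code, size_t ret_off, const thread_ctx_t *t, uintptr_t fp)
{
    if (!preceded_by_call(code, ret_off)) return ILLEGAL_CALLER;
    if (check_call_stack(t, fp, 64) < 0) return ILLEGAL_STACK;
    return LEGAL;
}

/* Constructed samples: instruction bytes, a fake thread stack and made-up regions.
 * The return addresses are fabricated values inside those regions and are never dereferenced. */
const uint8_t sample_direct_call[] = { 0xB8, 0x01, 0x00, 0x00, 0x00, 0xE8, 0x00, 0x00, 0x00, 0x00 };
const uint8_t sample_rip_call[]    = { 0xFF, 0x15, 0x10, 0x20, 0x30, 0x40 };  /* call [rip+disp32] */
const uint8_t sample_gadget[]      = { 0x5B, 0xC3 };                          /* pop rbx; ret */
const uint8_t sample_mov_imm[]     = { 0xB8, 0xE8, 0x00, 0x00, 0x00 };        /* mov eax, 0xE8 */
static uintptr_t g_stack[16];
static const region_t g_regions[] = { { 0x400000, 0x401000, true }, { 0x600000, 0x601000, false } };

/* Build a three-frame chain in g_stack and run the full decision. mode 0: well-formed;
 * 1: one return address in a non-executable page; 2: one saved frame pointer outside the stack. */
int demo(const uint8_t *code, size_t ret_off, int mode)
{
    thread_ctx_t t = { (uintptr_t)g_stack, (uintptr_t)(g_stack + 16), g_regions, 2 };
    memset(g_stack, 0, sizeof g_stack);
    g_stack[10] = 0;                        g_stack[11] = 0x400010;   /* outermost frame */
    g_stack[6]  = (uintptr_t)&g_stack[10];  g_stack[7]  = 0x400200;
    g_stack[2]  = (uintptr_t)&g_stack[6];   g_stack[3]  = 0x400300;   /* current frame */
    if (mode == 1) g_stack[7] = 0x600050;
    if (mode == 2) g_stack[6] = (uintptr_t)(g_stack + 16) + 64;
    return detect_rop(code, ret_off, &t, (uintptr_t)&g_stack[2]);
}
```

`demo` returns `LEGAL`, `ILLEGAL_CALLER` or `ILLEGAL_STACK`. With `sample_gadget` the caller check alone already fails, while modes 1 and 2 pass the caller check and then fail on the page attribute and on the stack limit respectively, in the order FIG. 8 prescribes. The caller check is heuristic by nature: bytes of a longer instruction can happen to decode as a call, and the `sample_mov_imm` case shows why the decoded call must end exactly at the return address rather than merely contain an E8 byte.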

FIG. 10 is a schematic structural diagram of a computer system suitable for implementing an electronic device of an embodiment of the present disclosure.

It should be noted that the computer system 1000 of the electronic device shown in FIG. 10 is merely an example and should not impose any limitation on the functions and scope of use of the embodiments of the present disclosure.

As shown in FIG. 10, the computer system 1000 includes a central processing unit (CPU) 1001, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 1002 or a program loaded from a storage section 1008 into a random access memory (RAM) 1003. The RAM 1003 also stores the various programs and data required for system operation. The CPU 1001, the ROM 1002 and the RAM 1003 are connected to one another via a bus 1004. An input/output (I/O) interface 1005 is also connected to the bus 1004.

The following components are connected to the I/O interface 1005: an input section 1006 including a keyboard, a mouse and the like; an output section 1007 including a cathode ray tube (CRT), a liquid crystal display (LCD) and the like, as well as a speaker and the like; a storage section 1008 including a hard disk and the like; and a communication section 1009 including a network interface card such as a LAN (local area network) card or a modem. The communication section 1009 performs communication processing via a network such as the Internet. A drive 1010 is also connected to the I/O interface 1005 as needed. A removable medium 1011, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the drive 1010 as needed, so that a computer program read from it can be installed into the storage section 1008 as needed.

In particular, according to embodiments of the present disclosure, the processes described below with reference to the flowcharts may be implemented as computer software programs. For example, an embodiment of the present disclosure includes a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 1009 and/or installed from the removable medium 1011. When the computer program is executed by the central processing unit (CPU) 1001, the various functions defined in the system of the present application are performed.

It should be noted that the computer-readable medium shown in the embodiments of the present disclosure may be a computer-readable signal medium, a computer-readable storage medium, or any combination of the two. A computer-readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection with one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), a flash memory, an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In the present disclosure, a computer-readable storage medium may be any tangible medium that contains or stores a program which can be used by or in connection with an instruction execution system, apparatus or device. In the present disclosure, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, in which computer-readable program code is carried. Such a propagated data signal may take a variety of forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium, which can send, propagate or transmit a program for use by or in connection with an instruction execution system, apparatus or device. The program code contained on the computer-readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wired, or any suitable combination of the above.

The flowcharts and block diagrams in the drawings illustrate the possible architectures, functions and operations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in a flowchart or block diagram may represent a module, a program segment or a portion of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations the functions noted in the blocks may occur in an order different from that noted in the drawings. For example, two blocks shown in succession may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each block of the block diagrams or flowcharts, and combinations of blocks in the block diagrams or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.

The units involved in the embodiments of the present disclosure may be implemented in software or in hardware, and the units described may also be provided in a processor. In some cases the names of these units do not constitute a limitation on the units themselves.

As another aspect, the present disclosure also provides a computer-readable medium, which may be included in the electronic device described in the above embodiments, or may exist separately without being assembled into that electronic device. The computer-readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to implement the method described in the above embodiments.

It should be noted that although several modules or units of the device for performing actions are mentioned in the detailed description above, this division is not mandatory. In fact, according to embodiments of the present disclosure, the features and functions of two or more modules or units described above may be embodied in one module or unit. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by multiple modules or units.

From the description of the above embodiments, those skilled in the art will readily understand that the example embodiments described here may be implemented in software, or in software combined with the necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a portable hard disk or the like) or on a network, and which includes several instructions that cause a computing device (which may be a personal computer, a server, a touch terminal, a network device or the like) to perform the method according to the embodiments of the present disclosure.

Those skilled in the art will readily arrive at other embodiments of the present disclosure after considering the specification and practicing the invention disclosed herein. This application is intended to cover any variations, uses or adaptations of the present disclosure that follow its general principles and include common knowledge or customary technical means in the art not disclosed herein.

It should be understood that the present disclosure is not limited to the precise structures described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present disclosure is limited only by the appended claims.

Claims (11)

1. A vulnerability detection method, comprising:
hooking memory-related functions of a target application through a vulnerability detection plug-in installed in the target application, to acquire memory association information required for a vulnerability to run;
if an access operation of the target application on a current page is detected, checking preset information of the current page according to the memory association information to obtain a detection result;
if the detection result is determined to be illegal, determining that the current page contains the vulnerability;
wherein the preset information of the current page includes a caller and a call stack of the current page, and the checking the preset information of the current page according to the memory association information to obtain a detection result comprises:
checking the caller according to the memory association information to obtain a first detection result indicating whether the caller is legal;
if the first detection result is that the caller is legal, checking the call stack according to the memory association information to obtain a second detection result indicating whether the call stack is legal, wherein the process of determining the second detection result comprises: performing a stack backtrace from the current stack frame to obtain historical stack frames; if every historical stack frame is detected to lie within the limits of the current thread, determining that the second detection result is that the call stack is legal; and if any of the historical stack frames is detected to lie outside the limits of the current thread, determining that the second detection result is that the call stack is illegal;
if the second detection result is that the call stack is illegal, determining that the detection result is illegal.

2. The vulnerability detection method according to claim 1, wherein the checking the preset information of the current page according to the memory association information to obtain a detection result comprises:
if the first detection result is that the caller is illegal, determining that the detection result is illegal.

3. The vulnerability detection method according to claim 1, wherein the checking the caller according to the memory association information to obtain a first detection result indicating whether the caller is legal comprises:
obtaining a return address through a stack frame;
obtaining the instruction preceding the return address, and determining whether the preceding instruction is a call instruction, so as to determine the first detection result.

4. The vulnerability detection method according to claim 1, wherein the checking the call stack according to the memory association information to obtain a second detection result indicating whether the call stack is legal comprises:
obtaining historical return addresses through the current stack frame;
checking each historical return address and, upon determining that there is a historical return address whose memory page carries the non-executable attribute, determining that the second detection result is that the call stack is illegal.

5. The vulnerability detection method according to claim 1, wherein after determining that the current page contains the vulnerability, the method further comprises:
sending information of the current page and information of the target application to a server, and storing the information of the current page in a list indicating prohibited execution, so as to prohibit execution of the current page.

6. The vulnerability detection method according to claim 1, wherein the method further comprises:
if the detection result is determined to be legal, continuing to execute the current page.

7. The vulnerability detection method according to claim 1, wherein the method further comprises:
if the detection result is determined to be illegal, providing a prompt message reminding the user of the detection result, as an early warning.

8. A vulnerability detection apparatus, comprising:
an information acquisition module, configured to hook memory-related functions of a target application through a vulnerability detection plug-in installed in the target application, to acquire memory association information required for a vulnerability to run;
a detection result determination module, configured, if an access operation of the target application on a current page is detected, to check preset information of the current page according to the memory association information to obtain a detection result;
a vulnerability determination module, configured, if the detection result is determined to be illegal, to determine that the current page contains the vulnerability;
wherein the preset information of the current page includes a caller and a call stack of the current page, and the checking the preset information of the current page according to the memory association information to obtain a detection result comprises:
checking the caller according to the memory association information to obtain a first detection result indicating whether the caller is legal;
if the first detection result is that the caller is legal, checking the call stack according to the memory association information to obtain a second detection result indicating whether the call stack is legal, wherein the process of determining the second detection result comprises: performing a stack backtrace from the current stack frame to obtain historical stack frames; if every historical stack frame is detected to lie within the limits of the current thread, determining that the second detection result is that the call stack is legal; and if any of the historical stack frames is detected to lie outside the limits of the current thread, determining that the second detection result is that the call stack is illegal;
if the second detection result is that the call stack is illegal, determining that the detection result is illegal.

9. An electronic device, comprising:
one or more processors; and
a memory for storing one or more computer programs which, when executed by the one or more processors, cause the electronic device to implement the method according to any one of claims 1 to 7.

10. A computer-readable storage medium on which a computer program is stored, wherein, when the computer program is executed by a processor of an electronic device, the electronic device is caused to implement the method according to any one of claims 1 to 7.

11. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 7.
Application CN201910900010.3A, priority date 2019-09-23, filing date 2019-09-23: Vulnerability detection method and device (Active; CN111177727B (en))

Priority Applications (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN201910900010.3A | CN111177727B (en) | 2019-09-23 | 2019-09-23 | Vulnerability detection method and device

Applications Claiming Priority (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN201910900010.3A | CN111177727B (en) | 2019-09-23 | 2019-09-23 | Vulnerability detection method and device

Publications (2)

Publication Number | Publication Date
CN111177727A (en) | 2020-05-19
CN111177727B (en) | 2024-08-16

Family

ID=70655764

Family Applications (1)

Application Number | Status | Publication | Priority Date | Filing Date | Title
CN201910900010.3A | Active | CN111177727B (en) | 2019-09-23 | 2019-09-23 | Vulnerability detection method and device

Country Status (1)

Country | Link
CN (1) | CN111177727B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN112422553A (en)* | 2020-11-17 | 2021-02-26 | 杭州安恒信息技术股份有限公司 | Method, device and equipment for detecting VBScript vulnerability exploitation
CN112507342B (en)* | 2020-12-01 | 2025-01-21 | 中国人寿保险股份有限公司 | Vulnerability detection method, device, electronic device and storage medium
CN113885958B (en)* | 2021-09-30 | 2023-10-31 | 杭州默安科技有限公司 | A method and system for intercepting dirty data
CN114398192B (en)* | 2021-12-29 | 2023-05-05 | 安芯网盾(北京)科技有限公司 | Method and device for detecting and bypassing Windows control flow protection CFG
CN114741694B (en)* | 2022-03-07 | 2023-03-10 | 安芯网盾(北京)科技有限公司 | Method, device and equipment for detecting execution of shellcode and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN105678168A (en)* | 2015-12-29 | 2016-06-15 | 北京神州绿盟信息安全科技股份有限公司 | Method and apparatus for detecting Shellcode based on stack frame abnormity

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN102043919B (en)* | 2010-12-27 | 2012-11-21 | 北京安天电子设备有限公司 | Universal vulnerability detection method and system based on script virtual machine
CN104239801B (en)* | 2014-09-28 | 2017-10-24 | 北京奇虎科技有限公司 | The recognition methods of 0day leaks and device
CN106407815B (en)* | 2016-09-30 | 2020-02-14 | 北京奇虎科技有限公司 | Vulnerability detection method and device

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN105678168A (en)* | 2015-12-29 | 2016-06-15 | 北京神州绿盟信息安全科技股份有限公司 | Method and apparatus for detecting Shellcode based on stack frame abnormity

Also Published As

Publication number | Publication date
CN111177727A (en) | 2020-05-19

Similar Documents

Publication | Title
CN111177727B (en) | Vulnerability detection method and device
CN102932329B (en) | A kind of method, device and client device that the behavior of program is tackled
KR102271545B1 (en) | Systems and Methods for Domain Generation Algorithm (DGA) Malware Detection
EP3123311B1 (en) | Malicious code protection for computer systems based on process modification
KR101122646B1 (en) | Method and device against intelligent bots by masquerading virtual machine information
US8719935B2 (en) | Mitigating false positives in malware detection
CN109155774B (en) | System and method for detecting security threats
US8776196B1 (en) | Systems and methods for automatically detecting and preventing phishing attacks
JP6223458B2 (en) | Method, processing system, and computer program for identifying whether an application is malicious
US20100037317A1 (en) | Mehtod and system for security monitoring of the interface between a browser and an external browser module
WO2014121713A1 (en) | Url interception processing method, device and system
US20170353434A1 (en) | Methods for detection of reflected cross site scripting attacks
CN104239577A (en) | Method and device for detecting authenticity of webpage data
CN111177726A (en) | A system vulnerability detection method, device, equipment and medium
US20120222116A1 (en) | System and method for detecting web browser attacks
JP2022104878A (en) | Systems and methods to prevent the injection of malicious processes into software
US11003746B1 (en) | Systems and methods for preventing electronic form data from being electronically transmitted to untrusted domains
KR101558054B1 (en) | Anti-malware system and packet processing method in same
US8978139B1 (en) | Method and apparatus for detecting malicious software activity based on an internet resource information database
CN108028843B (en) | Method, system and computing device for securing delivery of computer-implemented functionality
JP2007047884A (en) | Information processing system
JP2016181208A (en) | Fraud monitoring device and fraud monitoring program
EP3535681B1 (en) | System and method for detecting and for alerting of exploits in computerized systems
CN118946885A (en) | System and method for detecting exploit comprising shell code
US11425162B2 (en) | Detection of malicious C2 channels abusing social media sites

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
TG01 | Patent term adjustment
