
Method for processing hidden process based on hardware simulator

A technology of hiding processes and emulators, applied in the field of network security, can solve problems such as low accuracy, low degree of virtualization of analysis technology, and dependence on the integrity of operating system kernel data, etc., to achieve the effect of ensuring transparency and improving transparency

Inactive Publication Date: 2010-07-07
INST OF SOFTWARE - CHINESE ACAD OF SCI

AI Technical Summary

Problems solved by technology

[0019] To sum up, the main flaws in current hidden-process detection are: the detection tool and the malicious code run at the same level, so the malicious code can easily detect the tool and deploy countermeasures; detection relies excessively on the integrity of operating system kernel data; and virtualization-based analysis techniques are not sufficiently virtualized and have a low accuracy rate.

Existing methods for analyzing malicious code in a hidden process hook system APIs to monitor the process; malicious code can defeat this by reading the system file from the hard disk and overwriting the hooked code in memory. The virtual machine used by the virtual-machine-based approach relies on the local CPU and does not simulate multiple CPUs.




Embodiment Construction

[0035] The technical scheme of the present invention is described in detail below in conjunction with the accompanying drawings:

[0036] As shown in figure 1, a method for processing a hidden process based on a hardware simulator includes the following steps:

[0037] 1. Create the operating system image required to run the target file

[0038] The present invention uses linear addressing to read the entire contents of the disk on which the target sample suspected of containing malicious code resides. Following the ordering of all data blocks on the hard disk partition, the blocks are read from the disk and appended, in sequence-number order, to a single file; that file serves as a virtual hard disk, yielding a data image file that the hardware simulator recognizes.

[0039] 2. Configure and start the hardware emulator

[0040] Configure the image path to obtain the location of the operating system image that will actually run; conf...


Abstract

The invention belongs to the technical field of network security and particularly relates to a method for processing a hidden process based on a hardware simulator. A running environment for the malicious code contained in hidden processes is established inside a hardware simulation environment; by controlling the instructions of the simulated CPU and the various access operations on the simulated memory, the hidden process, identified by the CR3 value held in the CR3 register, is detected, its execution is monitored, and the runtime information of the malicious code in the hidden process is recorded by a data acquisition module. The invention also provides an image that extracts the malicious code directly from virtual memory. All instructions of the virtual CPU and all hardware operations of the hardware simulation device are executed in simulation after translation and are never executed directly as code segments on the real machine, and the running time of each instruction can be calculated accurately, thus realizing fully transparent analysis of the malicious code in the hidden process.
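The CR3-based cross-view check described in the abstract, as an added illustration rather than the patent's own code (all names, the trace and the guest process list are constructed and hypothetical): an emulator-level record of which CR3 value was active for each executed instruction is compared with the process list the guest kernel reports. A CR3 that executes instructions but has no entry in the guest list is a candidate hidden process, the per-CR3 instruction and cycle totals give the run-time accounting the abstract mentions, and the executed address range marks where in virtual memory the code of that process was running.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CpuEvent:
    """One event a (hypothetical) emulator core reports for each executed
    instruction: the CR3 value of the active address space, the instruction
    pointer, and the cycles the emulated instruction consumed."""
    cr3: int
    eip: int
    cycles: int


# Constructed trace: three address spaces are observed executing by the emulated CPU.
TRACE = [
    CpuEvent(0x0018A000, 0x7C901234, 3),
    CpuEvent(0x0018A000, 0x7C901237, 2),
    CpuEvent(0x0C3F2000, 0x00401000, 4),  # executes, yet absent from the guest list
    CpuEvent(0x0C3F2000, 0x00401005, 7),
    CpuEvent(0x02B4C000, 0x01001000, 1),
    CpuEvent(0x0C3F2000, 0x0040100A, 5),
]

# Constructed view from inside the guest (e.g. a walk of the kernel's process list):
# page-directory base -> process name. The hidden process has unlinked its entry.
GUEST_PROCESS_LIST = {0x0018A000: "System", 0x02B4C000: "explorer.exe"}


def attribute(trace):
    """Per-CR3 (instruction count, cycle total) as seen from the emulator; this
    view cannot be altered by tampering with guest kernel data structures."""
    stats = {}
    for ev in trace:
        n, c = stats.get(ev.cr3, (0, 0))
        stats[ev.cr3] = (n + 1, c + ev.cycles)
    return stats


def find_hidden(trace, guest_list):
    """Cross-view comparison: CR3 values that executed instructions in the
    emulator but have no entry in the guest-reported process list."""
    return sorted({ev.eip and ev.cr3 for ev in trace} - set(guest_list))


def executed_range(trace, cr3):
    """Lowest and highest instruction address executed under this CR3, i.e. the
    window of virtual memory to extract for a hidden process; None if never run."""
    eips = [ev.eip for ev in trace if ev.cr3 == cr3]
    return (min(eips), max(eips)) if eips else None
```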

Description

Technical field

[0001] The invention belongs to the technical field of network security, and in particular relates to a method for processing hidden processes based on a hardware simulator.

Background technique

[0002] With the continuous development and progress of society, computers are used ever more widely in every field. Because software vulnerabilities are widespread and users lack security awareness, Trojan horses spread faster and faster, the scope of infection keeps expanding, and the damage they cause grows more serious. At the same time, as research into low-level system technology deepens, Trojan horses employ more and more means of hiding their processes. Limited by analysis efficiency and the implementation environment, traditional security protection methods struggle to shorten the response cycle, and their response speed has gradually become unable to adapt to this n...


Application Information

IPC(8): G06F21/00, G06F9/455, G06F21/56
Inventors: 杨轶, 苏璞睿, 司端锋, 冯登国
Owner INST OF SOFTWARE - CHINESE ACAD OF SCI