CN110888771B - Method, device, electronic equipment and storage medium for monitoring and analyzing process - Google Patents
- Publication number: CN110888771B (application CN201811608344.5A)
- Authority: CN (China)
- Prior art keywords: sample process; virtual; sample; operating system; environment
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS > G06—COMPUTING OR CALCULATING; COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING
  - G06F11/00—Error detection; Error correction; Monitoring > G06F11/30—Monitoring
    - G06F11/3003—Monitoring arrangements specially adapted to the computing system or computing system component being monitored > G06F11/302—Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
    - G06F11/3065—Monitoring arrangements determined by the means or processing involved in reporting the monitored data
  - G06F9/00—Arrangements for program control, e.g. control units > G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs > G06F9/44—Arrangements for executing specific programs
    - G06F9/445—Program loading or initiating > G06F9/44521—Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading
    - G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines > G06F9/45533—Hypervisors; Virtual machine monitors > G06F9/45558—Hypervisor-specific management and integration aspects
      - G06F2009/45562—Creating, deleting, cloning virtual machine instances
      - G06F2009/45587—Isolation or security of virtual machine instances
Abstract
The embodiment of the invention discloses a method, a device, electronic equipment and a storage medium for monitoring and analyzing a process. They relate to the technical field of computer security and help improve the efficiency of sample analysis. The method for monitoring and analyzing the process comprises the following steps: monitoring the loading of a sample process in the current operating system; when a first sample process is detected to be loaded in the current operating system, creating a first virtual running environment for the first sample process; and when a second sample process is detected to be loaded in the current operating system, creating a second virtual running environment for the second sample process, wherein the second virtual running environment is isolated from the first virtual running environment. The method is suitable for analyzing the operation behaviors of sample processes.
Description
Technical Field
The present invention relates to the field of computer security technologies, and in particular, to a method, an apparatus, an electronic device, and a storage medium for monitoring and analyzing a process.
Background
Currently, to analyze each sample in a computer system, a virtual machine must be started; the computer system then waits for the analysis to finish, and the logs are output.
In this existing sample analysis mode, each sample corresponds to one virtual machine. When many samples are to be analyzed, many virtual machines must be started at the same time, which consumes a large amount of system resources, and starting and shutting down the virtual machines takes considerable time. As a result, analysis is slow and analysis efficiency is low.
Disclosure of Invention
In view of the above, embodiments of the present invention provide a method, an apparatus, an electronic device, and a storage medium for monitoring and analyzing a process, so as to improve the efficiency of analysis on a sample.
In a first aspect, an embodiment of the present invention provides a method for performing monitoring analysis on a process, including: monitoring loading of a sample process in a current operating system; when the first sample process is monitored to be loaded in the current operating system, a first virtual running environment is created for the first sample process; and when the second sample process is monitored to be loaded in the current operating system, creating a second virtual running environment for the second sample process, wherein the second virtual running environment is isolated from the first virtual running environment.
According to a specific implementation manner of the embodiment of the present invention, the monitoring the loading of the sample process in the current operating system includes: monitoring the loading of a sample process in a current operating system running in the same virtual machine; or monitoring the loading of a sample process in a current operating system running directly on the physical device.
According to a specific implementation manner of the embodiment of the present invention, the creating a first virtual running environment for a first sample process includes: creating a first common resource for the first sample process and the run-time variables of the first sample process; the creating a second virtual running environment for a second sample process includes: creating a second common resource for the second sample process and the run-time variables of the second sample process.
According to a specific implementation manner of the embodiment of the present invention, after creating the first virtual running environment for the first sample process, the method further includes: redirecting the operation object of the first sample process to the first virtual running environment; after creating the second virtual running environment for the second sample process, the method further includes: redirecting the operation object of the second sample process to the second virtual running environment.
According to a specific implementation manner of the embodiment of the present invention, after redirecting the operation object of the second sample process to the second virtual running environment, the method further includes: outputting the operation monitoring logs of the first sample process and the second sample process.
In a second aspect, an embodiment of the present invention provides an apparatus for performing monitoring analysis on a process, including: a monitoring module, used for monitoring the loading of a sample process in the current operating system; a first virtual environment creation module, used for creating a first virtual running environment for a first sample process when it is detected that the first sample process is loaded in the current operating system; and a second virtual environment creation module, used for creating a second virtual running environment for a second sample process when it is detected that the second sample process is loaded in the current operating system; wherein the second virtual running environment is isolated from the first virtual running environment.
According to a specific implementation manner of the embodiment of the present invention, the monitoring module is specifically configured to: monitor the loading of a sample process in a current operating system running in the same virtual machine; or monitor the loading of a sample process in a current operating system running directly on the physical device.
According to a specific implementation manner of the embodiment of the present invention, the first virtual environment creation module is specifically configured to create, when it is detected that a first sample process is loaded in the current operating system, a first common resource for the first sample process and the run-time variables of the first sample process; the second virtual environment creation module is specifically configured to create, when it is detected that a second sample process is loaded in the current operating system, a second common resource for the second sample process and the run-time variables of the second sample process.
According to a specific implementation manner of the embodiment of the present invention, the apparatus further includes: a first redirection module, used for redirecting the operation object of the first sample process to the first virtual running environment; and a second redirection module, used for redirecting the operation object of the second sample process to the second virtual running environment.
According to a specific implementation manner of the embodiment of the present invention, the apparatus further includes: a log output module, used for outputting the operation monitoring logs of the first sample process and the second sample process.
In a third aspect, an embodiment of the present invention provides an electronic device, including: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space surrounded by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory for performing the method of any of the foregoing implementations.
In a fourth aspect, embodiments of the present invention provide a computer-readable storage medium storing one or more programs executable by one or more processors to implement the method of any of the foregoing implementations.
According to the method, device, electronic equipment and storage medium for monitoring and analyzing processes, the loading of sample processes in the current operating system is monitored; when a first sample process is loaded, a first virtual running environment is created for it, and when a second sample process is loaded, a second virtual running environment, isolated from the first, is created for it. Different sample processes can therefore run in parallel in the same operating system, each in its own independent virtual running environment, so that the operation behaviors of a plurality of different sample processes can be monitored and analyzed simultaneously in the same operating system, and analysis efficiency is improved.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of an embodiment of a method for monitoring and analyzing a process according to the present invention;
FIG. 2 is a schematic diagram of an embodiment of a device for monitoring and analyzing a process according to the present invention;
FIG. 3 is a schematic diagram of another embodiment of a device for monitoring and analyzing a process according to the present invention;
FIG. 4 is a schematic structural diagram of another embodiment of a device for monitoring and analyzing a process according to the present invention;
FIG. 5 is a schematic structural diagram of an embodiment of an electronic device according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are merely some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In a first aspect, an embodiment of the present invention provides a method for monitoring and analyzing a process, so as to improve efficiency of analysis on a sample.
Fig. 1 is a flow chart of an embodiment of a method for monitoring and analyzing a process according to the present invention, as shown in fig. 1, the method of the embodiment may include:
Step 101, monitoring loading of a sample process in a current operating system.
The current operating system may be an operating system installed on a virtual machine, or may be an operating system directly running on a physical hardware device, that is, an operating system of a real computer. The operating system may be a Windows operating system, a Linux operating system, or the like.
Step 102, when the first sample process is loaded in the current operating system, a first virtual running environment is created for the first sample process.
In order to run different sample processes in parallel in the same operating system while avoiding mutual influence between them, so as to ensure the accuracy of the analysis results, this embodiment creates a separate virtual running environment for each sample process running in the same operating system. The virtual running environments created for the sample processes are isolated from each other, that is, they are relatively independent, and a sample process can only perform its operations within the virtual running environment that corresponds to it.
Step 103, when the second sample process is loaded in the current operating system, a second virtual running environment is created for the second sample process, wherein the second virtual running environment is isolated from the first virtual running environment.
In this embodiment, a plurality of different sample processes may run in parallel in the same operating system. After a first virtual running environment has been created for a first sample process upon detecting that it has been loaded in the current operating system, and a second virtual running environment is then created for a second sample process upon detecting that it has been loaded, the second virtual running environment is isolated from the first, as mentioned above, in order to avoid interaction between the first and second sample processes and ensure the accuracy of the analysis result.
In the embodiment of the invention, the loading of sample processes in the current operating system is monitored; when the first sample process is loaded, the first virtual running environment is created for it, and when the second sample process is loaded, the second virtual running environment, isolated from the first, is created for it. Different sample processes can therefore run in parallel in the same operating system, each in an independent virtual running environment, so that the operation behaviors of a plurality of different sample processes can be monitored and analyzed simultaneously in the same operating system, which helps improve analysis efficiency.
In one embodiment of the present invention, the monitoring the loading of the sample process in the current operating system (step 101) may include: the loading of the sample process in the current operating system in the same virtual machine is monitored.
In this embodiment, the virtual machine is a complete computer system, simulated by software, with full hardware system functions and operating in a completely isolated environment, for example VMware Workstation or VirtualBox under a Windows operating system, or KVM under a Linux operating system. Multiple virtual machines may be installed under one operating system, with a respective operating system installed in each virtual machine. The operating system in the virtual machine may be a Windows operating system, a Linux operating system, or the like.
In this embodiment, only one virtual machine may be installed on the host machine, in which a plurality of monitoring samples may be run in parallel. By monitoring the loading of a sample process in the operating system of the virtual machine, when the first sample process is loaded in the current operating system, the operating system of the virtual machine creates a first virtual running environment for the first sample process, and when the second sample process is loaded in the current operating system, the operating system of the virtual machine creates a second virtual running environment for the second sample process, and the second virtual running environment is isolated from the first virtual running environment.
In this embodiment, a plurality of different sample processes run in parallel in the operating system of the same virtual machine, so as to monitor and analyze the plurality of different sample processes in parallel. Embodiments of the present invention are not limited thereto, and in another embodiment of the present invention, the monitoring the loading of the sample process in the current operating system (step 101) may include: the loading of the sample process in the current operating system running directly on the physical device, i.e. the loading of the sample process in the operating system of the real computer, is monitored.
In this embodiment, by monitoring the loading of a sample process in the operating system of the real computer, when the first sample process is monitored to be loaded in the current operating system, the operating system of the real computer creates a first virtual running environment for the first sample process, and when the second sample process is monitored to be loaded in the current operating system, the operating system of the real computer creates a second virtual running environment for the second sample process, where the second virtual running environment is isolated from the first virtual running environment.
The multiple sample processes run directly and in parallel in the operating system of the same real computer, and the operation behaviors of the multiple different sample processes can be monitored and analyzed in parallel, so no virtual machine needs to be installed, and inaccurate analysis results caused by sample processes with anti-virtual-machine checks not triggering their behaviors can be avoided.
In one embodiment of the present invention, creating a first virtual running environment for the first sample process when it is detected that the first sample process is loaded in the current operating system (step 102) may include: creating a first common resource for the first sample process and the run-time variables of the first sample process.
The first common resource may include a first file system, a first registry, a first cache, a first user directory, and the like.
The first file system may be created as a RAM disk, that is, a hard disk virtualized in memory, or may be created directly in a fixed directory on the physical hard disk.
With respect to the creation of the first registry, a custom database may be defined and placed in memory as a tree structure, or the registry may be recorded directly in text files, which can be deleted after use.
Regarding the creation of the first user directory, a corresponding complete set of user directories may be created automatically, based on the sample process ID, upon detecting that the first sample process is loaded in the current operating system.
The user directory stores the personal data of a user. For example, in a Linux operating system, the settings files, desktop files and personal data of all users except root are placed under their respective user directories; for a user test, for instance, personal data and desktop files are placed under the /home/test/ directory.
The run-time variables of a sample process refer to the PATH entries used by the process at run time, such as the Python script interpreter path, the Java virtual machine installation path, the Flash plug-in path, the locations of various SDKs, the temporary buffer path, and some default locations such as C:\Program Files and My Documents, as well as the runtime libraries needed when a process is started, the default thread stack size, the PEB (process environment block), the TEB (thread environment block), the access token, mutexes, critical sections, atoms, various vector tables, and so on.
Regarding the creation of the run-time variables of the first sample process, the environment variables are converted (translated or replaced) by inserting an intermediate layer between the sample and the operating system environment, so that the sample mistakes the provided environment variables for the environment variables of the operating system itself.
In one embodiment of the present invention, creating a second virtual running environment for the second sample process when it is detected that the second sample process is loaded in the current operating system (step 103) may include: creating a second common resource for the second sample process and the run-time variables of the second sample process.
The second common resource may include a second file system, a second registry, a second cache, a second user directory, and the like.
The creation process of the second common resource is similar to the creation process of the first common resource, and will not be described in detail herein.
The meaning and creation of the run-time variables of the second sample process are basically the same as those of the run-time variables of the first sample process, and are not described in detail here.
After the virtual execution environment is created, in order to monitor the operation process of the sample process in that environment, the operation object of the sample process needs to be redirected to the created virtual execution environment, so that the sample process performs its operations, such as reading and writing, within it. Specifically, in an embodiment of the present invention, after the first virtual execution environment is created for the first sample process, the method may further include: redirecting the operation object of the first sample process to the first virtual execution environment.
After creating the second virtual execution environment for the second sample process, the method further comprises: the operational object of the second sample process is redirected to the second virtual execution environment.
There are various ways to redirect the operational objects of the sample process into the virtual execution environment, the following are several exemplary ways:
(I) Kernel-layer-based approach
1) The operating system kernel is modified, and preset functional code is added past PatchGuard protection. PatchGuard is the kernel protection system of Windows Vista.
2) The operating system kernel API (Application Programming Interface) is hooked past the guard of PatchGuard, so that, through a preset hook function, the sample is pointed to the pre-built virtual execution environment during execution.
3) Through a custom-written filter driver, the operations of the sample process are redirected to the constructed virtual running environment.
(II) Application-layer-based approach
1) The APIs called by each process are hooked by injection at the application layer in APC (Asynchronous Procedure Call) mode.
2) The APIs called by each process are hooked by injection in CRT (Create Remote Thread) mode, and the objects operated on by the sample process (including file paths, registry entries, environment variables, etc.) are redirected to the virtual execution environment built in advance.
3) A system-call DLL (dynamic link library) is replaced, so that the objects operated on by the sample process are redirected to the virtual execution environment built in advance.
The kernel layer-based mode and the application layer-based mode can be used independently or in combination with each other to optimize performance to the greatest extent.
After redirecting the operational object of the first sample process to the first virtual execution environment, the execution process of the first sample process may be recorded and analyzed to form an execution monitoring log for the first sample process; similarly, after redirecting the operational object of the second sample process to the second virtual execution environment, the execution of the second sample process may be recorded and analyzed to form an execution monitoring log for the second sample process.
In an embodiment of the present invention, after redirecting the operation object of the second sample process to the second virtual running environment, the method may further include: outputting the operation monitoring logs of the first sample process and the second sample process, so that whether malicious behavior exists can be determined from the logs.
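The per-process environment creation of steps 101 to 103, the run-time variable translation layer, and the redirection and logging of a sample's operation objects described above, modelled as an added Python example that is not code from the patent. It keeps an in-memory model of each sample's private file-system root, registry and translated variables instead of kernel or application-layer hooks; the names `Monitor` and `VirtualEnv`, the `/sandbox` base directory and the host variables are assumptions.

```python
"""In-memory model of isolated per-sample virtual running environments.

Hypothetical example: a loaded sample process gets its own file-system root,
registry and translated run-time variables; every operation object it touches
is redirected into that environment and recorded in a per-process log.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass, field


@dataclass
class VirtualEnv:
    """Common resource (file-system root, registry, user directory) plus the
    run-time variables created for one sample process."""
    pid: int
    root: str                                   # private file-system root
    registry: dict[str, str] = field(default_factory=dict)
    variables: dict[str, str] = field(default_factory=dict)
    log: list[tuple[str, str, str]] = field(default_factory=list)


def _to_posix(path: str) -> str:
    """Model Windows and POSIX paths uniformly: 'C:\\x' becomes '/C/x'."""
    p = path.replace("\\", "/")
    if len(p) >= 2 and p[1] == ":" and p[0].isalpha():
        p = "/" + p[0].upper() + p[2:]
    return p


class Monitor:
    """Watches sample-process loads and keeps each sample in its own
    isolated environment; operation objects are redirected per process."""

    def __init__(self, base: str = "/sandbox", host_vars: dict[str, str] | None = None):
        self.base = base
        # Constructed host variables that the translation layer rewrites per sample.
        self.host_vars = host_vars or {"PATH": "/usr/bin", "TEMP": "/tmp"}
        self.envs: dict[int, VirtualEnv] = {}

    def on_process_loaded(self, pid: int) -> VirtualEnv:
        """Create the virtual running environment when a sample process loads."""
        if pid in self.envs:
            raise ValueError(f"environment for pid {pid} already exists")
        root = f"{self.base}/{pid}"
        # Intermediate layer: the sample sees translated variables as if they
        # were the operating system's own.
        variables = {name: root + val for name, val in self.host_vars.items()}
        variables["HOME"] = f"{root}/home/sample{pid}"   # per-sample user directory
        env = VirtualEnv(pid=pid, root=root, variables=variables)
        self.envs[pid] = env
        return env

    def _env(self, pid: int) -> VirtualEnv:
        try:
            return self.envs[pid]
        except KeyError:
            raise LookupError(f"pid {pid} has no virtual environment") from None

    def redirect_path(self, pid: int, requested: str) -> str:
        """Map a file path the sample asked for into its private root."""
        env = self._env(pid)
        # Canonicalise before joining so '..' sequences cannot escape the root.
        norm = posixpath.normpath("/" + _to_posix(requested).lstrip("/"))
        target = env.root + norm
        env.log.append(("file", requested, target))
        return target

    def registry_set(self, pid: int, key: str, value: str) -> None:
        """Write to the sample's private registry (keys are case-insensitive)."""
        env = self._env(pid)
        env.registry[key.lower()] = value
        env.log.append(("reg-write", key, value))

    def registry_get(self, pid: int, key: str) -> str | None:
        env = self._env(pid)
        env.log.append(("reg-read", key, ""))
        return env.registry.get(key.lower())

    def getenv(self, pid: int, name: str) -> str | None:
        """Return the translated run-time variable the sample is shown."""
        env = self._env(pid)
        env.log.append(("env-read", name, env.variables.get(name, "")))
        return env.variables.get(name)

    def dump_logs(self) -> dict[int, list[tuple[str, str, str]]]:
        """Operation monitoring logs of every sample, for later analysis."""
        return {pid: list(env.log) for pid, env in self.envs.items()}

    def summarize(self, pid: int) -> dict[str, int]:
        """Count one sample's operations by kind; an analyst works from this."""
        counts: dict[str, int] = {}
        for kind, _, _ in self._env(pid).log:
            counts[kind] = counts.get(kind, 0) + 1
        return counts
```

Two loaded samples receive distinct roots, a registry write by one is invisible to the other, and a `..` path is confined to the requesting sample's root.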
In a second aspect, an embodiment of the present invention provides an apparatus for monitoring and analyzing a process, so as to improve efficiency of analysis on a sample.
Fig. 2 is a schematic structural diagram of an embodiment of a device for monitoring and analyzing a process according to the present invention. As shown in fig. 2, the device in this embodiment may include: a monitoring module 11, a first virtual environment creation module 12, and a second virtual environment creation module 13. The monitoring module 11 is configured to monitor the loading of a sample process in the current operating system; the first virtual environment creation module 12 is configured to create a first virtual running environment for the first sample process when it is detected that the first sample process is loaded in the current operating system; the second virtual environment creation module 13 is configured to create a second virtual running environment for the second sample process when it is detected that the second sample process is loaded in the current operating system; wherein the second virtual running environment is isolated from the first virtual running environment.
The device of this embodiment may be used to implement the technical solution of the method embodiment shown in fig. 1, and its implementation principle and technical effects are similar, and are not described here again.
In an embodiment of the present invention, the monitoring module 11 is specifically configured to: the loading of the sample process in the current operating system in the same virtual machine is monitored.
In this embodiment, the virtual machine is a complete computer system, simulated by software, with full hardware system functions and operating in a completely isolated environment, for example VMware Workstation or VirtualBox under a Windows operating system, or KVM under a Linux operating system. Multiple virtual machines may be installed under one operating system, with a respective operating system installed in each virtual machine. The operating system in the virtual machine may be a Windows operating system, a Linux operating system, or the like.
In this embodiment, only one virtual machine may be installed on the host machine, in which a plurality of monitoring samples may be run in parallel. By monitoring the loading of a sample process in the operating system of the virtual machine, when the first sample process is loaded in the current operating system, the operating system of the virtual machine creates a first virtual running environment for the first sample process, and when the second sample process is loaded in the current operating system, the operating system of the virtual machine creates a second virtual running environment for the second sample process, and the second virtual running environment is isolated from the first virtual running environment.
In this embodiment, a plurality of different sample processes run in parallel in the operating system of the same virtual machine, so as to monitor and analyze the plurality of different sample processes in parallel. The embodiment of the present invention is not limited thereto, and in another embodiment of the present invention, the monitoring module 11 may be specifically configured to: the loading of the sample process in the current operating system running directly on the physical device is monitored.
In this embodiment, by monitoring the loading of a sample process in the operating system of the real computer, when the first sample process is monitored to be loaded in the current operating system, the operating system of the real computer creates a first virtual running environment for the first sample process, and when the second sample process is monitored to be loaded in the current operating system, the operating system of the real computer creates a second virtual running environment for the second sample process, where the second virtual running environment is isolated from the first virtual running environment.
The multiple sample processes are run directly and in parallel in the operating system of the same real computer, and the operation behaviors of the multiple different sample processes can be monitored and analyzed simultaneously, so no virtual machine needs to be installed, and inaccurate analysis results caused by sample processes with anti-virtual-machine behavior not triggering that behavior are avoided.
In an embodiment of the present invention, the first virtual environment creating module 12 is specifically configured to create, when it is monitored that a first sample process is loaded in the current operating system, a first common resource for the first sample process together with the variables of the first sample process at run time; the second virtual environment creating module 13 is specifically configured to create, when it is monitored that the second sample process is loaded in the current operating system, a second common resource for the second sample process together with the variables of the second sample process at run time.
In this embodiment, the process of creating the first common resource and the variable when the first sample process runs for the first sample process, and the process of creating the second common resource and the variable when the second sample process runs for the second sample process are substantially the same as the above-mentioned method embodiment, and are not described herein again.
After the virtual execution environment is created, in order to monitor the operation of the sample process within it, the operation objects of the sample process must be redirected into the created virtual execution environment, so that the sample process performs its operations, such as reading and writing, inside that environment. Specifically, referring to fig. 3, in another embodiment of the present invention the apparatus further includes a first redirecting module 14 and a second redirecting module 15, wherein the first redirecting module 14 is configured to redirect the operation objects of the first sample process to the first virtual running environment, and the second redirecting module 15 is configured to redirect the operation objects of the second sample process to the second virtual running environment.
The manner of redirecting the operation object of the sample process into the virtual running environment is the same as the corresponding manner in the above-mentioned method embodiment, and will not be described herein again.
After redirecting the operational object of the first sample process to the first virtual execution environment, the execution process of the first sample process may be recorded and analyzed to form an execution monitoring log for the first sample process; similarly, after redirecting the operational object of the second sample process to the second virtual execution environment, the execution of the second sample process may be recorded and analyzed to form an execution monitoring log for the second sample process.
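The redirection and logging described above, modelled in user space as an added example (this is not the patent's code or any product's implementation): each sample gets its own file system root, in-memory registry, user directories and replaced variables, its operation objects (file paths, registry keys, environment variables) are translated into that environment, and every redirected operation lands in a per-sample monitoring log. The names VirtualEnv, redirect_path, HOST_ENV and the triage rule in suspicious_events are assumptions of this example.

```python
# Added example (not the patent's code): a user-space model of the per-sample virtual
# running environment; VirtualEnv, redirect_path, HOST_ENV etc. are assumptions.
import os
import posixpath
import tempfile
from dataclasses import dataclass, field

HOST_ENV = {"USERPROFILE": "C:/Users/host", "PATH": "C:/Windows/system32;C:/Windows"}  # constructed
USER_DIRS = ("Desktop", "Documents", "AppData/Local/Temp", "AppData/Roaming")
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

@dataclass
class VirtualEnv:
    """One isolated running environment: common resources plus run-time variables."""
    sample_id: int
    root: str                                     # private file system root on disk
    registry: dict = field(default_factory=dict)  # private in-memory registry
    env: dict = field(default_factory=dict)       # replaced environment variables
    log: list = field(default_factory=list)       # running monitoring log

def redirect_path(venv, path):
    """Translate a path the sample uses into its private root: drop the drive letter,
    normalise separators and collapse '..' on the virtual side, so the result can
    never leave venv.root."""
    p = path.replace("\\", "/")
    if len(p) >= 2 and p[1] == ":":
        p = p[2:]
    p = posixpath.normpath("/" + p.lstrip("/")).strip("/")
    return os.path.join(venv.root, *p.split("/")) if p else venv.root

def create_environment(sample_id, base_dir):
    """Common resources for one sample: a file system under a fixed directory on the
    physical disk, an in-memory registry, a whole set of user directories named after
    the sample id, and replaced variables."""
    venv = VirtualEnv(sample_id, os.path.join(base_dir, f"sample_{sample_id}"))
    profile = f"C:/Users/sample_{sample_id}"
    venv.env = {"USERPROFILE": profile, "TEMP": profile + "/AppData/Local/Temp",
                "PATH": HOST_ENV["PATH"]}
    for d in USER_DIRS:
        os.makedirs(redirect_path(venv, f"{profile}/{d}"), exist_ok=True)
    return venv

def _record(venv, op, obj, target):
    venv.log.append({"sample": venv.sample_id, "op": op, "object": obj, "target": target})

def file_write(venv, path, data):
    real = redirect_path(venv, path)          # the sample's path is the operation object
    os.makedirs(os.path.dirname(real), exist_ok=True)
    with open(real, "wb") as f:
        f.write(data)
    _record(venv, "file_write", path, real)

def file_read(venv, path):
    real = redirect_path(venv, path)
    _record(venv, "file_read", path, real)
    if not os.path.isfile(real):
        return None
    with open(real, "rb") as f:
        return f.read()

def reg_set(venv, key, name, data):
    venv.registry[key + "\\" + name] = data   # never touches the real registry
    _record(venv, "reg_set", key + "\\" + name, f"registry of sample {venv.sample_id}")

def env_get(venv, name):
    # The intermediate layer answers with the replaced variable, which the sample takes for the OS's own.
    value = venv.env.get(name, HOST_ENV.get(name))
    _record(venv, "env_get", name, value)
    return value

def suspicious_events(venv):
    """Constructed triage rule over the log: autostart registry writes and file writes
    outside the sample's own profile are reported for an analyst to judge."""
    profile = venv.env["USERPROFILE"]
    return [e for e in venv.log
            if (e["op"] == "reg_set" and e["object"].startswith(RUN_KEY))
            or (e["op"] == "file_write"
                and not e["object"].replace("\\", "/").startswith(profile))]

def run_two_samples(base_dir=None):
    """Two samples loaded into the same operating system, each in its own environment."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="sandbox_")
    env1, env2 = create_environment(1, base_dir), create_environment(2, base_dir)
    # Sample 1 writes into what it believes is the user profile and adds a Run entry.
    file_write(env1, env_get(env1, "USERPROFILE") + "\\Documents\\note.txt", b"from sample 1")
    reg_set(env1, RUN_KEY, "updater", "C:\\Users\\sample_1\\Documents\\note.txt")
    # Sample 2 tries to climb out of a temp directory; '..' is resolved inside its root.
    file_write(env2, "C:\\Windows\\Temp\\..\\..\\Users\\Public\\shared.txt", b"from sample 2")
    return env1, env2
```

Running run_two_samples() shows the two samples writing to what they believe is the same disk while neither can see the other's files or registry entries, and the Run-key entry of sample 1 surfaces in its log for review.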
Referring to fig. 4, in a further embodiment of the present invention, the apparatus further includes a log output module 15 configured to output the running monitoring logs of the first sample process and the second sample process, so that whether there is malicious behavior can be determined from the logs.
In a third aspect, the embodiment of the invention further provides an electronic device. Fig. 5 is a schematic structural diagram of an embodiment of an electronic device according to an embodiment of the present invention, which can implement the flow of the embodiment of fig. 1. As shown in fig. 5, the electronic device may include a shell 41, a processor 42, a memory 43, a circuit board 44 and a power circuit 45, wherein the circuit board 44 is arranged in the space enclosed by the shell 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; the power supply circuit 45 supplies power to the respective circuits or devices of the electronic device; the memory 43 stores executable program code; and the processor 42 runs the program corresponding to the executable program code by reading the executable program code stored in the memory 43, so as to execute the method described in any of the foregoing embodiments.
For the specific implementation of the above steps by the processor 42, and the further steps the processor 42 performs by executing the executable program code, reference may be made to the description of the embodiment of fig. 1 of the present invention, which is not repeated herein.
The electronic device exists in a variety of forms including, but not limited to, a desktop computer having computing and processing capabilities, a server, or other electronic device having computing and processing capabilities.
In a fourth aspect, embodiments of the present invention also provide a computer-readable storage medium storing one or more programs executable by one or more processors for performing the method of any of the preceding embodiments.
According to the method, the device, the electronic equipment and the storage medium for monitoring and analyzing processes, the loading of sample processes in the current operating system is monitored; a first virtual operating environment is created for the first sample process when the first sample process is loaded in the current operating system, and a second virtual operating environment, isolated from the first, is created for the second sample process when the second sample process is loaded in the current operating system. Different sample processes can therefore be operated in parallel in the same operating system while each runs in its own independent virtual operating environment, so that the operation behaviors of a plurality of different sample processes can be monitored and analyzed simultaneously in the same operating system, improving analysis efficiency.
When a plurality of sample processes are directly and parallelly operated in the operating system of the same real computer, the situation that the analysis result is inaccurate due to the fact that the behaviors of the sample processes of some anti-virtual machines are not triggered can be avoided.
In redirecting the operation object of the sample process, the kernel-layer-based manner and the application-layer-based manner may be used in combination with each other, so that performance can be optimized to the greatest extent. After monitoring the operation behaviors of the first and second sample processes in the virtual operation environment to form a monitoring log, the operation monitoring log of the first and second sample processes may be output to determine whether there is malicious behavior according to the log.
It is noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In this specification, each embodiment is described in a related manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments.
In particular, for the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments in part.
For convenience of description, the above apparatus is described as being functionally divided into various units/modules, respectively. Of course, the functions of the various elements/modules may be implemented in the same piece or pieces of software and/or hardware when implementing the present invention.
Those skilled in the art will appreciate that all or part of the methods of the above embodiments may be implemented by a computer program stored on a computer readable storage medium, which when executed may carry out the steps of the method embodiments described above. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), or the like.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any changes or substitutions easily contemplated by those skilled in the art within the scope of the present invention should be included in the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.
Claims (4)
1. A method of monitoring and analyzing a process, comprising:
monitoring loading of a sample process in a current operating system;
when it is monitored that the first sample process is loaded in the current operating system, creating a first virtual running environment for the first sample process;
when it is monitored that the second sample process is loaded in the current operating system, creating a second virtual running environment for the second sample process, wherein the second virtual running environment is isolated from the first virtual running environment;
the monitoring of loading of the sample process in the current operating system includes: monitoring the loading of a sample process in a current operating system in the same virtual machine; or monitoring the loading of the sample process in the current operating system running directly on the physical device;
The creating a first virtual running environment for a first sample process includes: creating a first common resource for a first sample process and a variable of the first sample process when the first sample process runs;
The creating a second virtual running environment for a second sample process includes: creating a second common resource for the second sample process and a variable of the second sample process when the second sample process runs;
The public resource comprises a file system, a registry, a cache area and a user directory;
The creating a first common resource for a first sample process includes:
Creating a first file system, wherein the first file system is created by virtually creating a memory hard disk through a memory, or the first file system is directly created under a certain fixed directory under a physical hard disk;
Creating a first registry, customizing a database, and placing the database in a memory in a tree structure, or directly recording by using a text file, and deleting after the database is used up;
Creating a first user directory, and automatically creating a corresponding whole set of user directories according to the sample process ID when the first sample process is monitored to be loaded in the current operating system;
the variables of the sample process at run time include: the PATH used while running, the run-time library used at start-up, the default size of the thread stack, the PEB, the TEB, the access token, mutexes, critical sections, atomic operations and various vector tables;
the creation of the variables of the sample process at run time includes:
inserting an intermediate layer between the sample and the operating system environment, by which the environment variables are translated or replaced, so that the sample mistakes the provided environment variables for those of the operating system itself;
After creating the first virtual execution environment for the first sample process, the method further comprises: redirecting an operation object of the first sample process to the first virtual running environment;
after creating the second virtual execution environment for the second sample process, the method further comprises: redirecting the operation object of the second sample process to the second virtual running environment;
After redirecting the operational object of the first sample process to the first virtual execution environment, the method further comprises: recording and analyzing the running process of the first sample process to form a running monitoring log about the first sample process;
After redirecting the operational object of the second sample process to the second virtual execution environment, the method further comprises: recording and analyzing the running process of the second sample process to form a running monitoring log for the second sample process;
After redirecting the operational object of the second sample process to the second virtual execution environment, the method further comprises:
Outputting operation monitoring logs of the first sample process and the second sample process;
The redirecting the operation object of the first sample process to the first virtual running environment or the operation object of the second sample process to the second virtual running environment comprises:
injecting, in APC mode, hooks into the APIs called by each process at the application layer;
injecting, in CRT mode, hooks into the APIs called by each process, and redirecting the objects operated on by the sample process to point to the virtual running environment constructed in advance, wherein the objects include: file paths, the registry, and environment variables;
replacing a DLL (dynamic link library) called by the system, and redirecting the objects operated on by the sample process to point to the virtual running environment constructed in advance; and
The redirecting the operation object of the first sample process to the first virtual running environment or the operation object of the second sample process to the second virtual running environment further comprises:
modifying the operating system kernel, passing through the protection of PatchGuard, and adding preset functional code, wherein PatchGuard is the kernel protection system of Windows Vista;
hooking an operating system kernel API, passing through the protection of PatchGuard, so that the sample is pointed to the virtual running environment constructed in advance by a preset hook function while running;
redirecting, by means of a filter driver written for this purpose, the operations of the sample process to the constructed virtual running environment.
2. An apparatus for monitoring and analyzing a process, comprising:
the monitoring module is used for monitoring the loading of the sample process in the current operating system;
the first virtual environment creation module is used for monitoring that a first sample process is loaded in the current operating system, and creating a first virtual running environment for the first sample process;
the second virtual environment creation module is used for monitoring that the second sample process is loaded in the current operating system and creating a second virtual running environment for the second sample process; wherein the second virtual operating environment is isolated from the first virtual operating environment;
the monitoring module is specifically configured to: monitoring the loading of a sample process in a current operating system in the same virtual machine; or monitor the loading of the sample process in the current operating system running directly on the physical device;
the first virtual environment creation module is specifically configured to create, when it is monitored that a first sample process is loaded in the current operating system, a first common resource for the first sample process and the variables of the first sample process at run time;
the second virtual environment creation module is specifically configured to create, when it is monitored that the second sample process is loaded in the current operating system, a second common resource for the second sample process and the variables of the second sample process at run time;
The public resource comprises a file system, a registry, a cache area and a user directory;
The first virtual environment creation module is specifically configured to:
Creating a first file system, wherein the first file system is created by virtually creating a memory hard disk through a memory, or the first file system is directly created under a certain fixed directory under a physical hard disk;
Creating a first registry, customizing a database, and placing the database in a memory in a tree structure, or directly recording by using a text file, and deleting after the database is used up;
Creating a first user directory, and automatically creating a corresponding whole set of user directories according to the sample process ID when the first sample process is monitored to be loaded in the current operating system;
the first redirection module is used for redirecting the operation object of the first sample process to the first virtual running environment;
The second redirecting module is used for redirecting the operation object of the second sample process to a second virtual running environment;
The first sample monitoring module is used for recording and analyzing the running process of the first sample process to form a running monitoring log of the first sample process;
the second sample monitoring module is used for recording and analyzing the running process of the second sample process to form a running monitoring log of the second sample process;
further comprises:
the log output module is used for outputting operation monitoring logs of the first sample process and the second sample process;
the first redirecting module and the second redirecting module are specifically configured for:
injecting, in APC mode, hooks into the APIs called by each process at the application layer;
injecting, in CRT mode, hooks into the APIs called by each process, and redirecting the objects operated on by the sample process to point to the virtual running environment constructed in advance, wherein the objects include: file paths, the registry, and environment variables;
replacing a DLL (dynamic link library) called by the system, and redirecting the objects operated on by the sample process to point to the virtual running environment constructed in advance; and
modifying the operating system kernel, passing through the protection of PatchGuard, and adding preset functional code, wherein PatchGuard is the kernel protection system of Windows Vista;
hooking an operating system kernel API, passing through the protection of PatchGuard, so that the sample is pointed to the virtual running environment constructed in advance by a preset hook function while running;
redirecting, by means of a filter driver written for this purpose, the operations of the sample process to the constructed virtual running environment.
3. An electronic device, the electronic device comprising: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space surrounded by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory for performing the method as claimed in claim 1.
4. A computer-readable storage medium, characterized in that the computer-readable storage medium stores one or more programs, the one or more programs are executable by one or more processors to implement the method of claim 1.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811608344.5A CN110888771B (en) | 2018-12-26 | 2018-12-26 | Method, device, electronic equipment and storage medium for monitoring and analyzing process |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110888771A CN110888771A (en) | 2020-03-17 |
| CN110888771B true CN110888771B (en) | 2024-09-10 |
Family
ID=69745737
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811608344.5A Active CN110888771B (en) | 2018-12-26 | 2018-12-26 | Method, device, electronic equipment and storage medium for monitoring and analyzing process |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110888771B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111783094B (en) * | 2020-07-21 | 2025-10-14 | 腾讯科技(深圳)有限公司 | Data analysis method, device, server and readable storage medium |
| CN114817907A (en) * | 2022-04-06 | 2022-07-29 | 安天科技集团股份有限公司 | Test method and system |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101561769A (en) * | 2009-05-25 | 2009-10-21 | 北京航空航天大学 | Process migration tracking method based on multi-core platform virtual machine |
| CN103778368A (en) * | 2014-01-23 | 2014-05-07 | 重庆邮电大学 | Safe progress isolating method based on system virtualization technology |
| CN104766007A (en) * | 2015-03-27 | 2015-07-08 | 杭州安恒信息技术有限公司 | Method for quickly recovering sandbox based on file system filter driver |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7574709B2 (en) * | 2004-04-30 | 2009-08-11 | Microsoft Corporation | VEX-virtual extension framework |
| US8826269B2 (en) * | 2009-06-15 | 2014-09-02 | Microsoft Corporation | Annotating virtual application processes |
| CN102736944B (en) * | 2012-06-25 | 2016-01-20 | 腾讯科技(深圳)有限公司 | A kind of method of application program pattern detection and device |
| CN107741877A (en) * | 2017-11-06 | 2018-02-27 | 湖南红手指信息技术有限公司 | A kind of method, storage medium and the processor of cloud handset starting virtual opetrating system |
Events
- 2018-12-26 CN CN201811608344.5A patent/CN110888771B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN110888771A (en) | 2020-03-17 |
Legal Events
| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |