
CN114499928B - Remote registry monitoring method and device - Google Patents


Info

Publication number: CN114499928B
Authority: CN (China)
Prior art keywords: remote registry, function, remote, registry, registry operation
Legal status: Active
Application number: CN202111520073.XA
Other languages: Chinese (zh)
Other versions: CN114499928A (en)
Inventors: 林岳川, 孙诚
Current assignee: Secworld Information Technology Beijing Co Ltd; Qax Technology Group Inc
Original assignee: Secworld Information Technology Beijing Co Ltd; Qax Technology Group Inc
Events: application filed by Secworld Information Technology Beijing Co Ltd and Qax Technology Group Inc; priority to CN202111520073.XA; publication of CN114499928A; application granted; publication of CN114499928B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/448 Execution paradigms, e.g. implementations of programming paradigms
    • G06F 9/4482 Procedural


Abstract

An embodiment of the present invention provides a remote registry monitoring method and device. The monitoring method is applied to a device in an intranet and includes: in response to the remote registry service process of the operating system calling a remote registry operation function to perform a remote registry operation, obtaining the data of the remote registry operation; based on the obtained data of the remote registry operation, obtaining the address of the target device in the intranet that initiated the remote registry operation; and performing security identification of the remote registry operation according to the obtained address of the target device in the intranet and the data of the remote registry operation. The embodiment addresses the lack, in network attack monitoring, of effective and precise identification of intranet remote registry operations, and improves the device's ability to detect security threats.

Description

Remote registry monitoring method and device

Technical Field

The present invention relates to the technical field of network security, and in particular to a remote registry monitoring method and device.

Background

In the complete attack chain of a network intrusion, the intranet lateral-movement stage is the phase in which an attacker uses an already compromised device as a springboard to attack other devices on the same network, harvesting more valuable credentials and higher privileges, thereby expanding the attack surface until the entire intranet is under control.

The registry plays an important role in Windows: it stores a wide range of parameters and directly controls the startup of the operating system, the loading of hardware drivers and the running of many Windows applications. The Remote Registry service is a Windows feature that allows the registry of a local device to be viewed and modified remotely. Remote attacks via the remote registry are a common means of intranet lateral movement; they exploit a capability of the operating system's own mechanisms.

Existing registry monitoring methods can only identify locally initiated registry operations. When an attacker uses an already compromised intranet device as a springboard to launch remote registry operations against other intranet devices, there is no effective and precise identification and protection mechanism, so the defending device is left in a state of monitoring failure, and existing network attack detection techniques cannot effectively and precisely cover this class of attack.

Summary of the invention

In view of the problems in the prior art, an embodiment of the present invention provides a remote registry monitoring method and device.

Specifically, the embodiment of the present invention provides the following technical solutions:

In a first aspect, an embodiment of the present invention provides a remote registry monitoring method, applied to a device in an intranet, including:

in response to the remote registry service process of the operating system calling a remote registry operation function to perform a remote registry operation, obtaining the data of the remote registry operation;

based on the obtained data of the remote registry operation, obtaining the address of the target device in the intranet that initiated the remote registry operation;

performing security identification of the remote registry operation according to the obtained address of the target device in the intranet and the data of the remote registry operation.

Further, the monitoring method is executed by setting a HOOK function in the remote registry operation function of the device in the intranet;

setting the HOOK function in the remote registry operation function includes:

finding the remote registry service process of the operating system, and installing a monitoring module in the remote registry service process;

setting, through the monitoring module, the HOOK function in the remote registry operation function of the remote registry service process.

Further, setting the HOOK function in the remote registry operation function of the remote registry service process includes:

determining the remote registry core function file called by the remote registry service process;

determining the remote registry interface in the remote registry core function file based on the identifier of the remote registry interface;

setting the HOOK function in the remote registry operation function of the determined remote registry interface.

Further, the remote registry operation function called when the remote registry service process performs the remote registry operation includes at least one of a registry key-value modification function, a registry key deletion function, a registry key-value deletion function, a registry key-value query function and a registry data restoration function.

Further, determining the remote registry core function file called by the remote registry service process includes:

determining the memory address of the regsvc.dll file called by the remote registry service process;

determining the remote registry interface in the remote registry core function file based on the identifier of the remote registry interface includes:

determining the address of the IRemoteRegistry interface in the regsvc.dll file based on the identifier of the IRemoteRegistry interface;

setting the HOOK function in the remote registry operation function of the determined remote registry interface includes:

based on the memory address of the IRemoteRegistry interface, setting the HOOK function in the BaseRegSetValue, BaseRegDeleteKey, BaseRegDeleteValue, BaseRegQueryValue and BaseRegRestoreKey functions of the IRemoteRegistry interface.

Further, obtaining the data of the remote registry operation includes:

calling an application programming interface function to obtain the return data of the remote registry operation;

obtaining, based on the obtained data of the remote registry operation, the address of the target device in the intranet that initiated the remote registry operation includes:

obtaining the address of the target device in the intranet that initiated the remote registry operation from the obtained return data of the remote registry operation.

Further, after performing security identification of the remote registry operation according to the obtained address of the target device in the intranet and the data of the remote registry operation, the method further includes:

determining whether the security identification result indicates that the remote registry operation is an attack behavior;

if the security identification result indicates that the remote registry operation is an attack behavior, protectively intercepting the remote registry operation;

if the security identification result indicates that the remote registry operation is a non-attack behavior, returning to the remote registry operation function to continue execution.

In a second aspect, an embodiment of the present invention further provides a remote registry monitoring device, applied to a device in an intranet, including:

a data acquisition module, configured to obtain the data of a remote registry operation in response to the remote registry service process of the operating system calling a remote registry operation function to perform the remote registry operation;

an address acquisition module, configured to obtain, based on the obtained data of the remote registry operation, the address of the target device in the intranet that initiated the remote registry operation;

an information sending module, configured to perform security identification of the remote registry operation according to the obtained address of the target device in the intranet and the data of the remote registry operation.

In a third aspect, an embodiment of the present invention further provides an electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein when the processor executes the program, the steps of the remote registry monitoring method of the first aspect are implemented.

In a fourth aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the remote registry monitoring method of the first aspect.

In a fifth aspect, an embodiment of the present invention further provides a computer program product storing executable instructions which, when executed by a processor, cause the processor to implement the steps of the remote registry monitoring method of the first aspect.

The remote registry monitoring method and device provided by the embodiment of the present invention obtain the data of a remote registry operation at the moment the remote registry service process of the operating system calls a remote registry operation function to perform it, and monitor the operation on that basis. Remote registry operations originating from the intranet can thus be identified precisely, the address of the intranet device that initiated the operation can be obtained, and the operation can be further subjected to security identification based on the obtained data and address. During an intranet lateral-movement attack the attacker's information is available in real time, and the attacker's address allows the source to be traced, which effectively improves the security defence capability of the device, addresses the lack of effective and precise identification of intranet remote registry operations in network attack monitoring, and improves the device's ability to detect security threats.

Brief description of the drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings required by the embodiments or by the description of the prior art are briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention; a person of ordinary skill in the art could obtain other drawings from them without creative effort.

FIG. 1 is a schematic flow chart of the remote registry monitoring method provided by the present invention;

FIG. 2 is a schematic flow chart of setting a HOOK function in a remote registry operation function provided by the present invention;

FIG. 3 is a schematic flow chart of setting a HOOK function through a monitoring module provided by the present invention;

FIG. 4 is a schematic flow chart of another way in which the monitoring module sets a HOOK function provided by the present invention;

FIG. 5 is a schematic flow chart of obtaining the data of a remote registry operation provided by the present invention;

FIG. 6 is a schematic flow chart of an application scenario of the remote registry monitoring method provided by the present invention;

FIG. 7 is a schematic diagram of the structure of the remote registry monitoring device provided by the present invention;

FIG. 8 is a schematic diagram of the physical structure of the electronic device provided by the present invention.

Detailed description of the embodiments

In order to make the purpose, technical solution and advantages of the embodiments of the present invention clearer, the technical solution in the embodiments is described clearly and completely below in conjunction with the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the present invention.

The remote registry monitoring method of the present invention is described below with reference to FIG. 1 to FIG. 6.

Please refer to FIG. 1, which is a schematic flow chart of the remote registry monitoring method provided by the present invention. The method shown in FIG. 1 is applied to a device in an intranet and, as shown in FIG. 1, includes at least:

101. In response to the remote registry service process of the operating system calling a remote registry operation function to perform a remote registry operation, obtain the data of the remote registry operation.

In the embodiment of the present invention, the intranet may be an enterprise LAN, a campus LAN, a shopping-mall LAN and so on; the application scenario of the intranet is not limited, and the intranet may include wired and/or wireless networks. The devices in the intranet may be personal computers, servers, workstations and so on; their type is not limited. The operating system managing the hardware and software resources of the devices in the intranet is Windows, for example Windows 10; the Windows version is not limited. The Remote Registry service may be executed by a remote registry service process that starts with the operating system and runs in the background. A remote registry operation function is a function used to perform remote registry operations: through it the remote registry service process can operate on the registry remotely, for example remotely querying key values, remotely modifying key values and remotely restoring data via remote procedure call (RPC). The type of remote registry operation function is not limited.

In the embodiment of the present invention, when the remote registry service process of the operating system calls a remote registry operation function to perform a remote registry operation, the data with which that function performs the operation, i.e. the data of the remote registry operation, can be captured. The captured data reflects the behavioral characteristics of the remote registry operation; for example, it may include the return data of the remote registry operation. The type of captured data is not limited.

102. Based on the obtained data of the remote registry operation, obtain the address of the target device in the intranet that initiated the remote registry operation.

In the embodiment of the present invention, after the data of the remote registry operation has been obtained, the address of the target device in the intranet that initiated the operation can be obtained from that data. Optionally, the method for obtaining the address may be chosen according to the type of data obtained, and the address is then obtained from the data by that method; this is not limited. For example, where the obtained data includes the return data of the remote registry operation, the IP address of the initiating target device in the intranet can be read directly from that return data.

103. Perform security identification of the remote registry operation according to the obtained address of the target device in the intranet and the data of the remote registry operation.

In the embodiment of the present invention, once the data of the remote registry operation and the address of the target device in the intranet have been obtained, security identification of the remote registry operation can be performed on that basis. Optionally, the security identification result can also decide whether the remote registry operation is protectively intercepted: it is determined whether the result indicates that the operation is an attack behavior; if so, the operation is intercepted, preventing the attacker from further expanding the attack surface and improving the protection capability of the device; if the result indicates a non-attack behavior, execution returns to the remote registry operation function and continues. For example, the obtained data of the remote registry operation and the address of the target device in the intranet can be sent to a threat behavior identification engine for security identification, and the security identification result returned by the engine is received. The threat behavior identification engine is a cloud-based behavior identification system that uses a set of rules for matching behavior data, built from the accumulated experience of security operations experts, to determine whether an operation is an attack behavior.
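The security identification stage (step 103 above) as an added example, not code from the patent or its assignees: a rule-based engine over captured remote registry operation records, written in Python. The record fields, the admin subnet, the rule weights and the sample events are all constructed here; the patent itself only states that rules built from analyst experience classify the operation as attack or non-attack, that attacks are intercepted, and that the initiating address supports tracing the source.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass
class RemoteRegOp:
    """One captured remote registry operation (field layout is this example's assumption)."""
    source_ip: str          # address of the intranet device that initiated the call
    function: str           # hooked function name, e.g. "BaseRegSetValue"
    key_path: str           # registry key the call targeted
    value_name: str = ""
    data: str = ""          # value data as text; empty for deletes and queries


@dataclass
class Verdict:
    is_attack: bool
    action: str             # "intercept" or "continue", as in the method's step after 103
    score: int
    reasons: List[str] = field(default_factory=list)


# Constructed policy: the only subnet allowed to administer registries remotely.
ADMIN_SUBNET = ip_network("10.0.50.0/24")

# Constructed list: key prefixes where a remote write or delete is high risk
# (autorun, logon, IFEO hijack and service definitions).
SENSITIVE_PREFIXES = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows nt\currentversion\winlogon",
    r"software\microsoft\windows nt\currentversion\image file execution options",
    r"system\currentcontrolset\services",
)

# Locations a routine admin change would not point an autorun or service at.
USER_WRITABLE_HINTS = (r"\users\public", r"\appdata", r"\temp", r"\programdata")

# The five hooked functions named in the patent; all but the query mutate state.
MUTATING = {"BaseRegSetValue", "BaseRegDeleteKey", "BaseRegDeleteValue", "BaseRegRestoreKey"}
QUERY = {"BaseRegQueryValue"}

ATTACK_THRESHOLD = 3


def _norm(path: str) -> str:
    return path.strip("\\").lower()


def assess(op: RemoteRegOp) -> Verdict:
    """Security identification for one operation: weighted rules, then a threshold."""
    if op.function not in MUTATING | QUERY:
        raise ValueError(f"unknown hooked function: {op.function}")
    score, reasons = 0, []
    untrusted = ip_address(op.source_ip) not in ADMIN_SUBNET
    key = _norm(op.key_path)
    mutating = op.function in MUTATING

    if mutating and untrusted:                       # alone enough to intercept
        score += 3
        reasons.append(f"{op.function} from non-admin host {op.source_ip}")
    if mutating and key.startswith(SENSITIVE_PREFIXES):
        score += 2
        reasons.append(f"mutation of persistence/service key {op.key_path}")
    if op.function == "BaseRegRestoreKey":
        score += 1
        reasons.append("remote hive restore is rarely legitimate")
    if mutating and any(h in op.data.lower() for h in USER_WRITABLE_HINTS):
        score += 1
        reasons.append(f"value points into a user-writable path: {op.data}")
    if not mutating and untrusted:                   # reconnaissance: record, do not block
        reasons.append(f"read of {op.key_path} from non-admin host (logged only)")

    is_attack = score >= ATTACK_THRESHOLD
    return Verdict(is_attack, "intercept" if is_attack else "continue", score, reasons)


def attackers_by_address(ops: List[RemoteRegOp]) -> Dict[str, int]:
    """Intercepted operations per initiating address: the data used to trace the source."""
    counts: Dict[str, int] = {}
    for op in ops:
        if assess(op).is_attack:
            counts[op.source_ip] = counts.get(op.source_ip, 0) + 1
    return counts


# Constructed sample of captured operations: one non-admin host writing and then
# deleting an autorun value, an admin host disabling a service and reading a value,
# and the non-admin host reading the Winlogon shell value.
SAMPLE_OPS = [
    RemoteRegOp("10.0.7.23", "BaseRegSetValue",
                r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater",
                r"C:\Users\Public\svc.exe"),
    RemoteRegOp("10.0.7.23", "BaseRegDeleteValue",
                r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater"),
    RemoteRegOp("10.0.50.10", "BaseRegSetValue",
                r"SYSTEM\CurrentControlSet\Services\Spooler", "Start", "4"),
    RemoteRegOp("10.0.50.10", "BaseRegQueryValue", r"SOFTWARE\Contoso\Agent", "Version"),
    RemoteRegOp("10.0.7.23", "BaseRegQueryValue",
                r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"),
]

if __name__ == "__main__":
    for op in SAMPLE_OPS:
        v = assess(op)
        print(f"{op.source_ip:<12}{op.function:<20}{v.action:<10}score={v.score} {v.reasons}")
    print(attackers_by_address(SAMPLE_OPS))
```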

The remote registry monitoring method provided by the embodiment of the present invention obtains the data of a remote registry operation at the moment the remote registry service process of the operating system calls a remote registry operation function to perform it, and monitors the operation on that basis. Remote registry operations originating from the intranet can thus be identified precisely, the address of the intranet device that initiated the operation can be obtained, and the operation can be further subjected to security identification based on the obtained data and address. During an intranet lateral-movement attack the attacker's information is available in real time, and the attacker's address allows the source to be traced, which effectively improves the security defence capability of the device, addresses the lack of effective and precise identification of intranet remote registry operations in network attack monitoring, and improves the device's ability to detect security threats.

A hook function is used, when the system calls a function, to capture that call first, take control of the function and perform additional processing on it. By setting a HOOK function in the remote registry operation function in advance, the remote registry operation can be monitored through the HOOK function. Please refer to FIG. 2, which is a schematic flow chart of setting a HOOK function in a remote registry operation function provided by the present invention. As shown in FIG. 2, setting the HOOK function in the remote registry operation function includes at least:

201. Find the remote registry service process of the operating system and install a monitoring module in the remote registry service process.

In the embodiment of the present invention, the remote registry service process of the operating system can be found, and its process identifier (PID) obtained, by calling an application programming interface (API) function provided by the operating system, for example QueryServiceStatusEx. According to the obtained PID, the monitoring module can then be injected into the remote registry service process; an existing process injection method may be used for this, which is not limited here.

202. Set, through the monitoring module, a HOOK function in the remote registry operation function of the remote registry service process.

In the embodiment of the present invention, after the monitoring module has been installed in the remote registry service process, the monitoring module can determine the remote registry operation function from the remote registry service process and set the HOOK function in it. The way the monitoring module determines the remote registry operation function is not limited; for example, the remote registry core function file called by the remote registry service process can be determined from the process, and the remote registry operation function located in that core function file. The way the monitoring module sets the HOOK function is likewise not limited; for example, the HOOK function can be set by modifying the code of the remote registry operation function.

Please refer to FIG. 3, which is a schematic flow chart of setting a HOOK function through the monitoring module provided by the present invention. As shown in FIG. 3, the monitoring module setting the HOOK function includes at least:

301. Determine the remote registry core function file called by the remote registry service process.

In the embodiment of the present invention, the monitoring module can obtain the files called by the remote registry service process and determine among them the remote registry core function file, i.e. the file that provides the remote registry functionality; for example, the core function file can be a dynamic link library (DLL). The method of obtaining the files called by the remote registry service process can be any existing technique and is not limited here. Once those files are known, the address in memory of the remote registry core function file called by the process can be determined from the file's name.

302. Determine the remote registry interface in the remote registry core function file based on the identifier of the remote registry interface.

In the embodiment of the present invention, after the remote registry core function file called by the remote registry service process has been determined, the monitoring module can search the core function file for the globally unique identifier (GUID) carried in the data structure of the remote registry interface and thereby locate the corresponding remote registry interface in the file. The method of searching the core function file by GUID to locate the interface can be any existing technique and is not limited here. Searching the core function file by GUID yields the address in memory of the corresponding remote registry interface.

303,在所确定的远程注册表接口的远程注册表操作函数中设置HOOK函数。303, setting a HOOK function in the remote registry operation function of the determined remote registry interface.

在本发明实施例中,在远程注册表核心功能文件中确定远程注册表接口之后,监控模块可以根据所确定的远程注册表接口,在远程注册表接口的远程注册表操作函数中设置HOOK函数。其中,可以根据所确定的远程注册表接口在内存中的地址,在远程注册表接口的远程注册表操作函数中设置HOOK函数,例如,可以根据远程注册表接口在内存中的地址,在内存中修改远程注册表操作函数的代码,将HOOK函数设置于远程注册表操作函数中,使得当远程注册表操作函数被调用时,可以进入到HOOK函数中,在HOOK函数执行完成之后,可以再次回到远程注册表操作函数中继续执行。In an embodiment of the present invention, after determining the remote registry interface in the remote registry core function file, the monitoring module can set the HOOK function in the remote registry operation function of the remote registry interface according to the determined remote registry interface. Among them, the HOOK function can be set in the remote registry operation function of the remote registry interface according to the address of the determined remote registry interface in the memory. For example, the code of the remote registry operation function can be modified in the memory according to the address of the remote registry interface in the memory, and the HOOK function can be set in the remote registry operation function, so that when the remote registry operation function is called, it can enter the HOOK function, and after the HOOK function is executed, it can return to the remote registry operation function to continue execution.

在一些可选的例子中,远程注册表服务进程进行远程注册表操作,调用的远程注册表操作函数可以包括修改注册表键值函数、删除注册表键函数、删除注册表键值函数、查询注册表键值函数和还原注册表数据函数中的至少一种。例如,监控模块在远程注册表接口的修改注册表键值函数、删除注册表键函数、删除注册表键值函数、查询注册表键值函数和还原注册表数据函数中均设置HOOK函数;当操作系统的远程注册表服务进程调用修改注册表键值函数进行远程注册表键值的修改时,设置于修改注册表键值函数中的HOOK函数,响应于远程注册表服务进程对修改注册表键值函数的调用,会获取远程修改注册表键值的数据;当操作系统的远程注册表服务进程调用查询注册表键值函数和删除注册表键值函数,进行远程注册表键值的查询并对查询到的注册表键值进行远程删除时,设置于调用查询注册表键值函数中的HOOK函数,响应于远程注册表服务进程对查询注册表键值函数的调用,会获取远程查询注册表键值的数据,设置于删除注册表键值函数中的HOOK函数,响应于远程注册表服务进程对删除注册表键值函数的调用,会获取远程删除注册表键值的数据。In some optional examples, the remote registry service process performs remote registry operations, and the remote registry operation functions called may include at least one of modifying registry key value functions, deleting registry key functions, deleting registry key value functions, querying registry key value functions, and restoring registry data functions. For example, the monitoring module sets HOOK functions in the modify registry key value function, delete registry key value function, delete registry key value function, query registry key value function and restore registry data function of the remote registry interface; when the remote registry service process of the operating system calls the modify registry key value function to modify the remote registry key value, the HOOK function set in the modify registry key value function will obtain the data of remote modification of the registry key value in response to the call of the modify registry key value function by the remote registry service process; when the remote registry service process of the operating system calls the query registry key value function and the delete registry key value function to query the remote registry key value and remotely delete the queried registry key value, the HOOK function set in the call query registry key value function will obtain the data of remote query registry key value in response to the call of the query registry key value function by the remote registry service process, and the HOOK 
function set in the delete registry key value function will obtain the data of remote deletion of the registry key value in response to the call of the delete registry key value function by the remote registry service process.

Referring to FIG. 4, which is a schematic flow chart of another way in which the monitoring module sets HOOK functions according to the invention, setting the HOOK functions by the monitoring module includes at least:

401: Determine the memory address of the regsvc.dll file invoked by the remote registry service process.

402: Based on the identifier of the IRemoteRegistry interface, determine the address of the IRemoteRegistry interface in the regsvc.dll file.

403: Based on the memory address of the IRemoteRegistry interface, set HOOK functions in the BaseRegSetValue, BaseRegDeleteKey, BaseRegDeleteValue, BaseRegQueryValue and BaseRegRestoreKey functions of the IRemoteRegistry interface.

In an embodiment of the invention, the monitoring module first determines the memory address of regsvc.dll, the remote registry core function file invoked by the Windows remote registry service process. It then searches the memory range of regsvc.dll for the GUID contained in the data structure of the remote registry interface IRemoteRegistry and thereby locates the memory address of the IRemoteRegistry interface. Finally, it sets HOOK functions, by modifying each function's code, in the IRemoteRegistry interface's modify-registry-value function BaseRegSetValue, delete-registry-key function BaseRegDeleteKey, delete-registry-value function BaseRegDeleteValue, query-registry-value function BaseRegQueryValue and restore-registry-data function BaseRegRestoreKey.

Referring to FIG. 5, which is a schematic flow chart of obtaining the data of a remote registry operation according to the invention, obtaining the data of a remote registry operation includes at least:

501: Call an application programming interface function to obtain the return data of the remote registry operation.

In an embodiment of the invention, the HOOK function can obtain the return data of the remote registry operation by calling the API function RpcServerInqCallAttributes. The return data of the remote registry operation records information such as the name of the remote registry operation, the execution data of the operation, and the IP address of the device that initiated the operation.

502: From the obtained return data of the remote registry operation, obtain the address of the target device in the intranet that initiated the remote registry operation.

In an embodiment of the invention, after obtaining the return data of the remote registry operation, the HOOK function can read the IP address of the target device in the intranet that initiated the operation directly from that return data. For example, if the remote registry operation has the operation name "delete registry value" and the execution data "KeyPath: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, KeyValueName: AntiVirus, IP: 192.168.44.138", the IP address of the intranet device that initiated the remote deletion of the registry value can be read directly as 192.168.44.138.

Referring to FIG. 6, which is a schematic flow chart of one application scenario of the remote registry monitoring method according to the invention: in this embodiment, the remote registry (RemoteRegistry) service process of the operating system is first located and a monitoring module is installed in it. The monitoring module then calls the GetModuleHandle function to obtain the memory address of the regsvc.dll file in the remote registry service process, searches regsvc.dll for the GUID of the IRemoteRegistry interface to locate the interface's memory address, and sets HOOK functions in the RPC remote registry operation functions of the IRemoteRegistry interface; these RPC service functions include BaseRegSetValue (modify registry value), BaseRegDeleteKey (delete registry key), BaseRegDeleteValue (delete registry value), BaseRegQueryValue (query registry value) and BaseRegRestoreKey (restore registry data). The HOOK functions then monitor remote registry operations: when the remote registry service process calls a remote registry operation function to perform a remote registry operation, the HOOK function obtains the data of that operation and extracts from it the IP address of the intranet device that initiated the operation. Finally, the obtained operation data and IP address are sent to a threat behavior recognition engine for security assessment, and the remote registry operation can be intercepted according to the final assessment result.
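The telemetry path of steps 501 and 502 and the assess-then-intercept loop of FIG. 6, modelled as an added Python example that is not the patent's code. The record layout follows the "KeyPath: ..., KeyValueName: ..., IP: ..." example given above; the in-process Windows hook and the RpcServerInqCallAttributes call are not modelled, since they are not portable. The names `parse_execution_data`, `assess`, `hook_dispatch` and the trusted-host allowlist are assumptions of this example, and the rule-based `assess` function stands in for the threat behavior recognition engine, whose logic the text does not specify.

```python
"""Defender-side model of the HOOK-function telemetry path:
parse the operation record, extract the initiating intranet address,
submit the event to a (rule-based stand-in) threat engine, and return
the BLOCK / CONTINUE decision that the result-judgment step applies.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Hooked IRemoteRegistry RPC functions and the operation names the text gives them.
HOOKED_FUNCTIONS = {
    "BaseRegSetValue": "modify registry value",
    "BaseRegDeleteKey": "delete registry key",
    "BaseRegDeleteValue": "delete registry value",
    "BaseRegQueryValue": "query registry value",
    "BaseRegRestoreKey": "restore registry data",
}

# Illustrative policy (assumption of this example, not from the patent):
# key paths whose remote change is treated as sensitive, and the hooked
# functions that change registry state rather than only read it.
SENSITIVE_PATH_FRAGMENTS = (
    "\\Microsoft\\Windows\\CurrentVersion\\Run",
    "\\Services\\",
)
STATE_CHANGING = {"BaseRegSetValue", "BaseRegDeleteKey",
                  "BaseRegDeleteValue", "BaseRegRestoreKey"}

# Constructed record, copied from the worked example in the text.
PAGE_EXAMPLE_RECORD = (r"KeyPath: HKEY_CURRENT_USER\Software\Microsoft\Windows"
                       r"\CurrentVersion\Run, KeyValueName: AntiVirus, IP: 192.168.44.138")


@dataclass(frozen=True)
class RemoteRegistryEvent:
    hooked_function: str
    operation: str
    key_path: str
    value_name: Optional[str]
    client_ip: str


_FIELD_RE = re.compile(r"(KeyPath|KeyValueName|IP)\s*:\s*([^,]+)")


def parse_execution_data(hooked_function: str, execution_data: str) -> RemoteRegistryEvent:
    """Step 502: turn the flat 'Name: value, ...' record into a typed event.
    Malformed records (missing fields, bad address) are rejected rather than
    passed on, so the engine never assesses a half-parsed event."""
    if hooked_function not in HOOKED_FUNCTIONS:
        raise ValueError(f"not a hooked function: {hooked_function}")
    fields = {k: v.strip() for k, v in _FIELD_RE.findall(execution_data)}
    if "KeyPath" not in fields or "IP" not in fields:
        raise ValueError("record lacks KeyPath or IP")
    ipaddress.ip_address(fields["IP"])  # raises ValueError on a malformed address
    return RemoteRegistryEvent(hooked_function, HOOKED_FUNCTIONS[hooked_function],
                               fields["KeyPath"], fields.get("KeyValueName"), fields["IP"])


def assess(event: RemoteRegistryEvent, trusted_hosts: frozenset) -> tuple:
    """Stand-in for the threat behavior recognition engine (assumed rules):
    a state-changing operation on a sensitive key from a host outside the
    management allowlist is classified as an attack; everything else passes."""
    if event.client_ip in trusted_hosts:
        return False, "trusted management host"
    sensitive = any(frag.lower() in event.key_path.lower() for frag in SENSITIVE_PATH_FRAGMENTS)
    if event.hooked_function in STATE_CHANGING and sensitive:
        return True, f"{event.operation} on sensitive key from untrusted host {event.client_ip}"
    return False, "no rule matched"


def hook_dispatch(hooked_function: str, execution_data: str,
                  trusted_hosts: frozenset = frozenset()) -> tuple:
    """What the HOOK function decides before returning to the hooked RPC
    function: BLOCK the operation, or CONTINUE into the original code."""
    event = parse_execution_data(hooked_function, execution_data)
    is_attack, reason = assess(event, trusted_hosts)
    return ("BLOCK" if is_attack else "CONTINUE"), event, reason


if __name__ == "__main__":
    decision, event, reason = hook_dispatch("BaseRegDeleteValue", PAGE_EXAMPLE_RECORD)
    print(decision, event.client_ip, event.value_name, "-", reason)
```

Run as a script, the worked example from the text (remote deletion of the AntiVirus value under the Run key from 192.168.44.138) is parsed, attributed to its source address, and blocked; the same record from an allowlisted host, or a read-only BaseRegQueryValue call, continues into the original function.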

The remote registry monitoring device provided by the invention is described below; it corresponds to the remote registry monitoring method described above, and the two may be read with reference to each other.

Referring to FIG. 7, which is a schematic diagram of the structure of the remote registry monitoring device according to the invention, the device shown in FIG. 7 is applied to a device in an intranet and includes at least:

Data acquisition module 710, configured to obtain the data of a remote registry operation in response to the remote registry service process of the operating system calling a remote registry operation function to perform the remote registry operation.

Address acquisition module 720, configured to obtain, based on the obtained data of the remote registry operation, the address of the target device in the intranet that initiated the remote registry operation.

Information sending module 730, configured to perform security assessment of the remote registry operation according to the obtained address of the target device in the intranet and the data of the remote registry operation.

Optionally, the remote registry monitoring device resides in a HOOK function set in the remote registry operation function of the device in the intranet, and the remote registry monitoring device further includes:

Monitoring installation module, configured to locate the remote registry service process of the operating system and install a monitoring module in the remote registry service process.

HOOK function setting module, configured to set the HOOK function in the remote registry operation function of the remote registry service process through the monitoring module.

Optionally, the HOOK function setting module includes:

Core file determination unit, configured to determine the remote registry core function file invoked by the remote registry service process.

Service interface determination unit, configured to determine the remote registry interface in the remote registry core function file based on the identifier of the remote registry interface.

HOOK function setting unit, configured to set the HOOK function in the remote registry operation function of the determined remote registry interface.

Optionally, the remote registry operation functions called by the remote registry service process to perform remote registry operations include at least one of a modify-registry-value function, a delete-registry-key function, a delete-registry-value function, a query-registry-value function and a restore-registry-data function.

Optionally, the core file determination unit is configured to determine the memory address of the regsvc.dll file invoked by the remote registry service process.

The service interface determination unit is configured to determine the address of the IRemoteRegistry interface in the regsvc.dll file based on the identifier of the IRemoteRegistry interface.

The HOOK function setting unit is configured to set HOOK functions in the BaseRegSetValue, BaseRegDeleteKey, BaseRegDeleteValue, BaseRegQueryValue and BaseRegRestoreKey functions of the IRemoteRegistry interface based on the memory address of the IRemoteRegistry interface.

Optionally, the data acquisition module 710 is configured to call an application programming interface function to obtain the return data of the remote registry operation.

The address acquisition module 720 is configured to obtain, from the obtained return data of the remote registry operation, the address of the target device in the intranet that initiated the remote registry operation.

Optionally, the remote registry monitoring device further includes:

Result judgment module, configured to judge whether the security assessment result indicates that the remote registry operation is an attack.

Protection interception module, configured to block the remote registry operation if, according to the judgment of the result judgment module, the security assessment result indicates that the remote registry operation is an attack.

End-and-return module, configured to return to the remote registry operation function so that it continues executing if, according to the judgment of the result judgment module, the security assessment result indicates that the remote registry operation is not an attack.

FIG. 8 illustrates a schematic diagram of the physical structure of an electronic device. As shown in FIG. 8, the electronic device may include a processor 810, a communications interface 820, a memory 830 and a communication bus 840, where the processor 810, the communications interface 820 and the memory 830 communicate with one another over the communication bus 840. The processor 810 can call logic instructions in the memory 830 to perform the following method: in response to the remote registry service process of the operating system calling a remote registry operation function to perform a remote registry operation, obtain the data of the remote registry operation; based on the obtained data of the remote registry operation, obtain the address of the target device in the intranet that initiated the remote registry operation; and perform security assessment of the remote registry operation according to the obtained address of the target device in the intranet and the data of the remote registry operation.

In addition, the logic instructions in the memory 830 may be implemented as software functional units and, when sold or used as an independent product, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the invention in essence, or the part of it that contributes to the prior art, or a part of the technical solution, may be embodied as a software product stored in a storage medium and comprising instructions that cause a computing device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the method described in the embodiments of the invention. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.

In another aspect, an embodiment of the invention further provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, performs the method provided by the embodiments above, for example: in response to the remote registry service process of the operating system calling a remote registry operation function to perform a remote registry operation, obtaining the data of the remote registry operation; based on the obtained data of the remote registry operation, obtaining the address of the target device in the intranet that initiated the remote registry operation; and performing security assessment of the remote registry operation according to the obtained address of the target device in the intranet and the data of the remote registry operation.

The device embodiments described above are merely illustrative. Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules may be selected as actually needed to achieve the purpose of the embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.

From the description of the embodiments above, those skilled in the art will understand that the embodiments may be implemented in software together with a necessary general-purpose hardware platform, or, of course, in hardware. On this understanding, the technical solution above in essence, or the part of it that contributes to the prior art, may be embodied as a software product stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, comprising instructions that cause a computing device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the embodiments or in parts of the embodiments.

Finally, it should be noted that the embodiments above serve only to illustrate the technical solution of the invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in those embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solution outside the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (8)

1.一种远程注册表监测方法,其特征在于,应用于内网中的设备,包括:1. A remote registry monitoring method, characterized in that it is applied to a device in an intranet, comprising: 响应于操作系统的远程注册表服务进程调用远程注册表操作函数,进行远程注册表操作,获取所述远程注册表操作的数据;In response to the remote registry service process of the operating system calling the remote registry operation function, performing the remote registry operation and obtaining the data of the remote registry operation; 基于所获取的所述远程注册表操作的数据,获取发起所述远程注册表操作的所述内网中的目标设备的地址;Based on the acquired data of the remote registry operation, acquiring an address of a target device in the intranet that initiates the remote registry operation; 根据所获取的所述内网中的目标设备的地址和所述远程注册表操作的数据,对所述远程注册表操作进行安全鉴定;Performing security authentication on the remote registry operation according to the acquired address of the target device in the intranet and the data of the remote registry operation; 所述监测方法由在所述内网中的设备的所述远程注册表操作函数中设置HOOK函数执行;The monitoring method is executed by setting a HOOK function in the remote registry operation function of the device in the intranet; 在所述远程注册表操作函数中设置所述HOOK函数,包括:The HOOK function is set in the remote registry operation function, including: 查找所述操作系统的所述远程注册表服务进程,在所述远程注册表服务进程中安装监控模块;Find the remote registry service process of the operating system, and install a monitoring module in the remote registry service process; 通过所述监控模块在所述远程注册表服务进程的所述远程注册表操作函数中设置所述HOOK函数;Setting the HOOK function in the remote registry operation function of the remote registry service process through the monitoring module; 在所述远程注册表服务进程的所述远程注册表操作函数中设置所述HOOK函数,包括:Setting the HOOK function in the remote registry operation function of the remote registry service process includes: 确定所述远程注册表服务进程调用的远程注册表核心功能文件;Determining a remote registry core function file called by the remote registry service process; 基于远程注册表接口的标识符,在所述远程注册表核心功能文件中确定所述远程注册表接口;Determining the remote registry interface in the remote registry core function file based on an identifier of the remote registry interface; 
在所确定的远程注册表接口的所述远程注册表操作函数中设置所述HOOK函数。The HOOK function is set in the remote registry operation function of the determined remote registry interface. 2.根据权利要求1所述的远程注册表监测方法,其特征在于,所述远程注册表服务进程进行所述远程注册表操作,调用的所述远程注册表操作函数包括修改注册表键值函数、删除注册表键函数、删除注册表键值函数、查询注册表键值函数和还原注册表数据函数中的至少一种。2. The remote registry monitoring method according to claim 1 is characterized in that the remote registry service process performs the remote registry operation, and the remote registry operation function called includes at least one of a registry key value modification function, a registry key deletion function, a registry key value deletion function, a registry key value query function and a registry data restoration function. 3.根据权利要求2所述的远程注册表监测方法,其特征在于,所述确定所述远程注册表服务进程调用的远程注册表核心功能文件,包括:3. The remote registry monitoring method according to claim 2, wherein determining the remote registry core function file called by the remote registry service process comprises: 确定所述远程注册表服务进程调用的regsvc.dll文件的内存地址;Determine the memory address of the regsvc.dll file called by the remote registry service process; 所述基于远程注册表接口的标识符,在所述远程注册表核心功能文件中确定所述远程注册表接口,包括:The identifier based on the remote registry interface, determining the remote registry interface in the remote registry core function file, comprises: 基于IRemoteRegistry接口的标识符,在所述regsvc.dll文件中确定IRemoteRegistry接口的地址;Based on the identifier of the IRemoteRegistry interface, determining the address of the IRemoteRegistry interface in the regsvc.dll file; 所述在所确定的远程注册表接口的所述远程注册表操作函数中设置所述HOOK函数,包括:The step of setting the HOOK function in the remote registry operation function of the determined remote registry interface comprises: 基于所述IRemoteRegistry接口的内存地址,在所述IRemoteRegistry接口的BaseRegSetValue函数、BaseRegDeleteKe函数、BaseRegDeleteValue函数、BaseRegQueryValue函数和BaseRegRestoreKey函数中设置所述HOOK函数。Based on the memory address of the IRemoteRegistry interface, the HOOK function is set in the BaseRegSetValue function, BaseRegDeleteKe function, BaseRegDeleteValue function, 
BaseRegQueryValue function and BaseRegRestoreKey function of the IRemoteRegistry interface.

4. The remote registry monitoring method according to any one of claims 1 to 3, characterized in that obtaining the data of the remote registry operation comprises:
calling an application program interface function to obtain the return data of the remote registry operation;
and obtaining, based on the obtained data of the remote registry operation, the address of the target device in the intranet that initiated the remote registry operation comprises:
obtaining, from the obtained return data of the remote registry operation, the address of the target device in the intranet that initiated the remote registry operation.

5. The remote registry monitoring method according to claim 4, characterized in that, after performing security identification on the remote registry operation based on the obtained address of the target device in the intranet and the data of the remote registry operation, the method further comprises:
determining whether the security identification result is that the remote registry operation is an attack behaviour;
if the security identification result is that the remote registry operation is an attack behaviour, protectively intercepting the remote registry operation;
if the security identification result is that the remote registry operation is a non-attack behaviour, returning to the remote registry operation function to continue execution.

6. A remote registry monitoring device, characterized in that it is applied to a device in an intranet and comprises:
a data acquisition module, configured to obtain the data of a remote registry operation in response to the remote registry service process of the operating system calling a remote registry operation function to perform that remote registry operation;
an address acquisition module, configured to obtain, based on the obtained data of the remote registry operation, the address of the target device in the intranet that initiated the remote registry operation;
an information sending module, configured to perform security identification on the remote registry operation according to the obtained address of the target device in the intranet and the data of the remote registry operation;
wherein the monitoring device is executed by setting a HOOK function in the remote registry operation function of the device in the intranet;
the device further comprises:
a monitoring installation module, configured to find the remote registry service process of the operating system and install a monitoring module in the remote registry service process;
a HOOK function setting module, configured to set, through the monitoring module, a HOOK function in the remote registry operation function of the remote registry service process;
the HOOK function setting module comprises:
a core file determination unit, configured to determine the remote registry core function file called by the remote registry service process;
a service interface determination unit, configured to determine the remote registry interface in the remote registry core function file based on the identifier of the remote registry interface;
a HOOK function setting unit, configured to set the HOOK function in the remote registry operation function of the determined remote registry interface.

7. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that when the processor executes the program, the steps of the remote registry monitoring method according to any one of claims 1 to 5 are implemented.

8. A non-transitory computer-readable storage medium having a computer program stored thereon, characterized in that when the computer program is executed by a processor, the steps of the remote registry monitoring method according to any one of claims 1 to 5 are implemented.
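The intercept-or-continue flow of claims 5 and 6 (HOOK function on a remote registry operation function, caller address taken from the call data, security identification, then either protective interception or a fall-through to the original function), as an added portable C model that is not the patent's code: the winreg RPC signatures, the Windows API used to read the caller's address, the administrative host list and the sensitive key prefix are all assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the patent's code. The real BaseRegRestoreKey signature and the
 * Windows call that yields the RPC caller's address are replaced by assumptions. */
typedef long (*reg_op_fn)(const char *key_path);

#define ERROR_SUCCESS       0L
#define ERROR_ACCESS_DENIED 5L

static reg_op_fn g_orig_restore_key;       /* original function saved at hook install */
static const char *g_client_addr = "";     /* stand-in for the address read from call data */

/* Constructed policy data (assumptions): administrative hosts in the intranet and a
 * key prefix whose remote reads are treated as sensitive. */
static const char *const k_admin_hosts[] = { "10.0.0.5", "10.0.0.6" };
static const char k_sensitive_prefix[] = "SYSTEM\\CurrentControlSet\\Services";

static int is_admin_host(const char *addr) {
    size_t i;
    for (i = 0; i < sizeof k_admin_hosts / sizeof *k_admin_hosts; i++)
        if (strcmp(addr, k_admin_hosts[i]) == 0) return 1;
    return 0;
}

/* Security identification step: returns 1 for attack behaviour, 0 for non-attack. */
int identify_remote_registry_op(const char *addr, const char *op, const char *key_path) {
    if (is_admin_host(addr)) return 0;                   /* known administrative source */
    if (strcmp(op, "BaseRegRestoreKey") == 0) return 1;  /* remote key write from unknown host */
    if (strcmp(op, "BaseRegQueryValue") == 0)            /* remote read: only sensitive keys */
        return strncmp(key_path, k_sensitive_prefix, sizeof k_sensitive_prefix - 1) == 0;
    return 0;
}

/* HOOK function set on BaseRegRestoreKey: intercept, or continue with the original. */
long hooked_BaseRegRestoreKey(const char *key_path) {
    if (identify_remote_registry_op(g_client_addr, "BaseRegRestoreKey", key_path)) {
        fprintf(stderr, "blocked BaseRegRestoreKey(%s) from %s\n", key_path, g_client_addr);
        return ERROR_ACCESS_DENIED;              /* protective interception */
    }
    return g_orig_restore_key(key_path);         /* non-attack: original continues */
}

static long original_restore_key_stub(const char *key_path) { (void)key_path; return ERROR_SUCCESS; }

/* Simulates the service process invoking the hooked function on behalf of addr. */
long simulate_remote_call(const char *addr, const char *key_path) {
    if (!g_orig_restore_key) g_orig_restore_key = original_restore_key_stub;  /* hook install */
    g_client_addr = addr;
    return hooked_BaseRegRestoreKey(key_path);
}
```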
CN202111520073.XA 2021-12-13 2021-12-13 Remote registry monitoring method and device Active CN114499928B (en)

Publications (2)

Publication Number Publication Date
CN114499928A CN114499928A (en) 2022-05-13
CN114499928B true CN114499928B (en) 2024-06-28

Family

ID=81492213

Country Status (1)

Country Link
CN (1) CN114499928B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105354498A (en) * 2015-10-30 2016-02-24 珠海市君天电子科技有限公司 Operation method of registry, related device and equipment
CN112351017A (en) * 2020-10-28 2021-02-09 北京奇虎科技有限公司 Transverse penetration protection method, device, equipment and storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7096326B1 (en) * 2000-09-29 2006-08-22 Pinion Software, Inc. Registry monitoring system and method
US8302198B2 (en) * 2010-01-28 2012-10-30 Tenable Network Security, Inc. System and method for enabling remote registry service security audits
US10887337B1 (en) * 2020-06-17 2021-01-05 Confluera, Inc. Detecting and trail-continuation for attacks through remote desktop protocol lateral movement
CN113364799B (en) * 2021-06-22 2022-10-28 北京安天网络安全技术有限公司 Method and system for processing network threat behaviors

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Country or region after: China

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant after: QAX Technology Group Inc.

Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant before: QAX Technology Group Inc.

Country or region before: China

Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.

GR01 Patent grant