CN-119760706-B - Automatic conversion test method, device, equipment and medium for checking and killing rules
Abstract
The disclosure relates to an automatic conversion test method, device, equipment and medium for checking and killing rules. The method comprises: parsing and converting a target static file to obtain the corresponding memory state data; transforming the static checking and killing rule to obtain the corresponding memory checking and killing rule; performing matching detection on the memory image data of the memory state data based on the memory checking and killing rule to obtain a corresponding matching result; and, if the matching result is successful, determining a final rule optimization result. An automatic conversion test of an existing static checking and killing rule is thus realized, which reduces cost and improves detection efficiency.
Inventors
- XU XIANG
Assignees
- 中电云计算技术有限公司
Dates
- Publication Date: 20260512
- Application Date: 20241211
Claims (6)
- 1. An automatic conversion testing method for checking and killing rules, characterized by comprising the following steps: parsing and converting a target static file to obtain corresponding memory state data; transforming the static checking and killing rule to obtain a corresponding memory checking and killing rule; performing matching detection on the memory image data of the memory state data based on the memory checking and killing rule to obtain a corresponding matching result; and, if the matching result is successful, determining a final rule optimization result. Parsing and converting the target static file to obtain the corresponding memory state data comprises: parsing the target static file to obtain a plurality of segment data; identifying the architecture type of the target static file and applying cross-architecture compatibility processing to the plurality of segment data based on that architecture type; and arranging the plurality of segment data according to the memory state layout to generate the memory state data. Transforming the static checking and killing rule to obtain the corresponding memory checking and killing rule comprises: identifying, using a large model, the conditions in the static checking and killing rule that depend on the file structure, to obtain the corresponding file-header features; and removing the file-header features to generate the memory checking and killing rule. The method further comprises: analyzing, using a large model, the reasons for non-matching and the corresponding sub-rules to obtain a corresponding optimization strategy; and optimizing the memory checking and killing rule based on the optimization strategy to obtain an optimized memory checking and killing rule. The method further comprises: performing matching detection on the memory image data of the memory state data based on the optimized memory checking and killing rule to obtain a corresponding matching result; if the matching result is unsuccessful, continuing to iteratively optimize the optimized memory checking and killing rule until the matching result is successful or a preset number of iterations is exceeded; if the matching result is successful, determining the final rule optimization result; and if the preset number of iterations is exceeded, adjusting the optimized memory checking and killing rule in response to a manual adjustment operation by the user until the matching result is successful.
- 2. The method of claim 1, wherein performing matching detection on the memory image data of the memory state data based on the memory checking and killing rule to obtain the corresponding matching result comprises: performing matching detection on the memory image data of the memory state data based on the memory checking and killing rule; and enabling a log to record the matching result during the matching detection process.
- 3. The method of claim 2, further comprising: if the matching result is unsuccessful, analyzing the reasons for non-matching in the matching result and the corresponding sub-rules.
- 4. An automatic conversion testing device for checking and killing rules, characterized by comprising: a first processing module for parsing and converting a target static file to obtain corresponding memory state data; a second processing module for transforming the static checking and killing rule to obtain a corresponding memory checking and killing rule; a third processing module for performing matching detection on the memory image data of the memory state data based on the memory checking and killing rule to obtain a corresponding matching result; and a first determining module for determining a final rule optimization result if the matching result is successful. The first processing module comprises: a first processing unit for parsing the target static file to obtain a plurality of segment data; a first identification unit for identifying the architecture type of the target static file and applying cross-architecture compatibility processing to the plurality of segment data based on that architecture type; and a data arrangement unit for arranging the plurality of segment data according to the memory state layout to generate the memory state data. The second processing module comprises: a second identification unit for identifying, using a large model, the conditions in the static checking and killing rule that depend on the file structure, to obtain the corresponding file-header features; and a rule generating unit for removing the file-header features to generate the memory checking and killing rule. The device further comprises: a fourth processing module for analyzing, using the large model, the reasons for non-matching and the corresponding sub-rules to obtain a corresponding optimization strategy; and a fifth processing module for optimizing the memory checking and killing rule based on the optimization strategy to obtain an optimized memory checking and killing rule. The device further comprises: a sixth processing module for performing matching detection on the memory image data of the memory state data based on the optimized memory checking and killing rule to obtain a corresponding matching result; an iterative optimization module for continuing to iteratively optimize the optimized memory checking and killing rule if the matching result is unsuccessful, until the matching result is successful or a preset number of iterations is exceeded; a second determining module for determining the final rule optimization result if the matching result is successful; and a rule adjustment module for adjusting the optimized memory checking and killing rule in response to a manual adjustment operation by the user if the preset number of iterations is exceeded, until the matching result is successful.
- 5. Automatic conversion testing equipment for checking and killing rules, characterized by comprising: a processor; and a memory for storing executable instructions; wherein the processor is configured to read the executable instructions from the memory and execute them to implement the automatic conversion testing method for checking and killing rules of any one of claims 1 to 3.
- 6. A non-transitory computer-readable storage medium, characterized in that the storage medium stores a computer program which, when executed by a processor, causes the processor to implement the automatic conversion testing method for checking and killing rules of any one of claims 1 to 3.
Description
Technical Field
The disclosure relates to the field of malware checking and killing (detection and removal) technology, and in particular to an automatic conversion testing method, device, equipment and medium for checking and killing rules.
Background
In the field of malware detection, file-based static checking and killing techniques are very mature. For example, the open-source YARA malicious-file detection tool is widely used because of its flexible rule-definition capability and powerful feature-matching effect. Relying on the large number of open-source rule bases of the YARA community, security personnel can quickly create and apply file checking and killing rules to match file features and efficiently identify malicious programs. However, as modern memory backdoor techniques evolve, the limitations of the conventional file checking and killing method are gradually being exposed in memory-detection scenarios. At the same time, memory backdoor execution techniques are also developing rapidly, so that any traditional malicious program can be turned into a memory backdoor without modification: typical tools such as libreflect and ulexecve can easily bypass the dependence on the file system and load and execute ELF files directly in memory. Such tools let a malicious program run in memory so that no file ever lands on disk, which greatly improves its ability to evade file detection; even if the corresponding static file can be detected by a YARA static file checking and killing rule, the in-memory load produced by such a tool cannot be detected at all.
Disclosure of the Invention
In order to solve the above technical problem, the present disclosure provides an automatic conversion testing method, device, equipment and medium for checking and killing rules.
In a first aspect, the present disclosure provides an automatic conversion testing method for checking and killing rules, comprising: parsing and converting a target static file to obtain corresponding memory state data; transforming the static checking and killing rule to obtain a corresponding memory checking and killing rule; performing matching detection on the memory image data of the memory state data based on the memory checking and killing rule to obtain a corresponding matching result; and, if the matching result is successful, determining a final rule optimization result.
In a second aspect, the present disclosure provides an automatic conversion testing device for checking and killing rules, comprising: a first processing module for parsing and converting a target static file to obtain corresponding memory state data; a second processing module for transforming the static checking and killing rule to obtain a corresponding memory checking and killing rule; a third processing module for performing matching detection on the memory image data of the memory state data based on the memory checking and killing rule to obtain a corresponding matching result; and a first determining module for determining a final rule optimization result if the matching result is successful.
In a third aspect, the present disclosure provides automatic conversion testing equipment for checking and killing rules, comprising: a processor; and a memory for storing executable instructions; wherein the processor is configured to read the executable instructions from the memory and execute them to implement the automatic conversion testing method for checking and killing rules of the first aspect.
In a fourth aspect, the present disclosure provides a computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to implement the automatic conversion testing method for checking and killing rules of the first aspect.
Compared with the prior art, the technical solution provided by the embodiments of the disclosure has the following advantages. According to the automatic conversion test method, device, equipment and medium for checking and killing rules, a target static file can be parsed and converted to obtain the corresponding memory state data; the static checking and killing rule is then transformed to obtain the corresponding memory checking and killing rule; matching detection is then performed on the memory image data of the memory state data based on the memory checking and killing rule to obtain a corresponding matching result; and finally a final rule optimization result is determined if the matching result is successful. Therefore, the static file is converted into the internal memory stat
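The pipeline that claim 1 and the first aspect describe, carried through in Python 3.8+ as an added example that is not the patent's own code: the ELF program headers are parsed (ELF32/ELF64, either byte order, standing in for the architecture-type and cross-architecture step), the PT_LOAD segments are arranged into a memory-state image, the sub-rules of a YARA-style rule that depend on file structure are removed, and the original and converted rules are matched against the image with the failed sub-rules logged and fed into the iterative optimization loop. Everything beyond the claims is an assumption of the example: the ELF sample, the rule and the toy rule grammar (and-joined `uintN(offset) == value`, `filesize < N`, `$s` and `$s at offset` clauses) are constructed here, a fixed regex list replaces the large model that identifies header-dependent conditions, and a small evaluator replaces the real YARA engine.

```python
# Added example, not the patent's own code: ELF -> memory-state image, strip file-structure clauses
# from a toy YARA-style rule, then run the match/optimise loop of claim 1 (Python 3.8+).  A regex
# list stands in for the "large model" step and a tiny evaluator stands in for the YARA engine.
import re
import struct

PT_LOAD = 1

def parse_elf_segments(data):
    """Parse the program headers (ELF32/ELF64, either byte order) into PT_LOAD segments."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, endian = data[4] == 2, ("<" if data[5] == 1 else ">")
    # per ELF class: e_phoff position/format, e_phentsize position, phdr format, indexes of p_type/p_offset/p_vaddr/p_filesz/p_memsz
    lay = (0x20, "Q", 0x36, "IIQQQQQQ", (0, 2, 3, 5, 6)) if is64 else (0x1C, "I", 0x2A, "IIIIIIII", (0, 1, 2, 4, 5))
    (e_phoff,) = struct.unpack_from(endian + lay[1], data, lay[0])
    e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, lay[2])
    segs = []
    for i in range(e_phnum):
        f = struct.unpack_from(endian + lay[3], data, e_phoff + i * e_phentsize)
        p_type, off, vaddr, filesz, memsz = (f[k] for k in lay[4])
        if p_type == PT_LOAD:
            segs.append({"offset": off, "vaddr": vaddr, "filesz": filesz, "memsz": memsz})
    return f"ELF{64 if is64 else 32}-{'LE' if endian == '<' else 'BE'}", segs

def build_memory_image(data, segs):
    """Lay PT_LOAD segments out relative to the lowest vaddr, zero-filling memsz > filesz (.bss)."""
    base = min(s["vaddr"] for s in segs)
    image = bytearray(max(s["vaddr"] + s["memsz"] for s in segs) - base)
    for s in segs:  # the file header lands in memory only if some segment maps offset 0
        chunk = data[s["offset"]:s["offset"] + s["filesz"]]
        image[s["vaddr"] - base:s["vaddr"] - base + len(chunk)] = chunk
    return bytes(image)

# Toy YARA subset: `and`-joined clauses of the forms uintN(off) == v, filesize < N[KB|MB], $s, $s at off.
FILE_STRUCTURE = re.compile(r"^(uint(8|16|32)\(\s*\d+\s*\)\s*==|filesize\b|entrypoint\b)")
def eval_clause(clause, strings, buf):
    if m := re.fullmatch(r"uint(8|16|32)\((\d+)\)\s*==\s*(0x[0-9a-fA-F]+|\d+)", clause):
        width, off = int(m[1]) // 8, int(m[2])  # YARA's uintN() reads little-endian at a file offset
        return off + width <= len(buf) and int.from_bytes(buf[off:off + width], "little") == int(m[3], 0)
    if m := re.fullmatch(r"filesize\s*<\s*(\d+)(KB|MB)?", clause):
        return len(buf) < int(m[1]) * {"KB": 1024, "MB": 1 << 20}.get(m[2], 1)
    if m := re.fullmatch(r"\$(\w+)\s+at\s+(0x[0-9a-fA-F]+|\d+)", clause):
        return buf.startswith(strings[m[1]], int(m[2], 0))
    if m := re.fullmatch(r"\$(\w+)", clause):
        return strings[m[1]] in buf
    raise ValueError("unsupported clause: " + clause)

def match(strings, clauses, buf):
    failed = [c for c in clauses if not eval_clause(c, strings, buf)]  # the mismatch log of claim 3
    return not failed, failed
def to_memory_rule(clauses):
    """Stand-in for the large-model step: drop sub-rules that depend on the file structure."""
    return [c for c in clauses if not FILE_STRUCTURE.match(c)]

def relax(clause):
    """Optimisation strategy for a failed sub-rule: '' = remove, str = replacement, None = manual."""
    if FILE_STRUCTURE.match(clause):
        return ""
    if m := re.fullmatch(r"(\$\w+)\s+at\s+\S+", clause):
        return m[1]  # an absolute file offset does not survive loading; keep just the string
    return None

def optimize(strings, clauses, buf, max_iter=3):
    """Iterate: match, analyse failed sub-rules, apply a strategy, until success or the budget ends."""
    history = []
    for _ in range(max_iter):
        ok, failed = match(strings, clauses, buf)
        history.append(failed)
        if ok:
            return clauses, history, "success"
        if any(relax(c) is None for c in failed):
            return clauses, history, "manual adjustment required"
        clauses = [r for r in (relax(c) if c in failed else c for c in clauses) if r != ""]
    return clauses, history, "iteration limit exceeded"

def build_sample_elf():
    """Constructed ELF64-LE: headers at offset 0 unmapped; code 0x1000->0x401000, data 0x3000->0x403000 + 0x100 .bss."""
    code, rodata = b"\x55\x48\x89\xe5evil_beacon\0\xc3", b"/tmp/.x\0"
    elf = bytearray(0x3000 + len(rodata))
    elf[:16] = b"\x7fELF\x02\x01\x01" + bytes(9)
    struct.pack_into("<HHIQQQIHHHHHH", elf, 16, 2, 0x3E, 1, 0x401000, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    struct.pack_into("<IIQQQQQQ", elf, 64, PT_LOAD, 5, 0x1000, 0x401000, 0x401000, len(code), len(code), 0x1000)
    struct.pack_into("<IIQQQQQQ", elf, 120, PT_LOAD, 6, 0x3000, 0x403000, 0x403000, len(rodata), len(rodata) + 0x100, 0x1000)
    elf[0x1000:0x1000 + len(code)] = code
    elf[0x3000:] = rodata
    return bytes(elf)

# Constructed rule, i.e. `condition: uint32(0) == 0x464C457F and filesize < 1MB and $s1 and $s2 at 0x3000`
SAMPLE_STRINGS = {"s1": b"evil_beacon", "s2": b"/tmp/.x"}
SAMPLE_CLAUSES = ["uint32(0) == 0x464C457F", "filesize < 1MB", "$s1", "$s2 at 0x3000"]

def convert_and_test(elf_bytes, strings, clauses):
    arch, segs = parse_elf_segments(elf_bytes)
    image = build_memory_image(elf_bytes, segs)
    static_on_file, _ = match(strings, clauses, elf_bytes)
    static_on_mem, failed = match(strings, clauses, image)
    final, history, status = optimize(strings, to_memory_rule(clauses), image)
    return {"arch": arch, "image_size": len(image), "static_rule_on_file": static_on_file,
            "static_rule_on_memory": static_on_mem, "unmatched_subrules": failed,
            "memory_rule": " and ".join(final), "iterations": history, "status": status}
```

Calling `convert_and_test(build_sample_elf(), SAMPLE_STRINGS, SAMPLE_CLAUSES)` reproduces the effect the Background describes: the static rule matches the file on disk but fails against the memory image, because `uint32(0)` no longer reads the ELF magic and the absolute `at 0x3000` file offset does not survive loading; the converted rule `$s1 and $s2` matches the image after one optimization round. A failed sub-rule for which `relax` has no strategy ends the loop with the "manual adjustment required" status that the claims reserve for the user.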