CN-120850258-B - Detection method, device, equipment and storage medium of terminal security product
Abstract
The embodiments of the disclosure provide a detection method, device, equipment and storage medium for a terminal security product. The method comprises: loading a system library by calling a system-level interface; after the library is loaded successfully, obtaining the memory address of a target function and verifying its validity; when the address is valid, reading the instruction data at that address and analyzing it to judge whether it contains a jump instruction; if it does, resolving the jump's target address, jumping to that address, re-reading the instruction data and judging again whether it contains a jump instruction; if it does not, taking the instruction data as the actual entry point code data; converting that data into a matchable format, matching it against the security product feature identifiers in a preset terminal security product feature library, and outputting a detection result according to the matching result. The method and device achieve efficient identification of a terminal's security products, avoid the detection risk caused by file or registry operations, improve detection precision and real-time performance, have a low-trace operating footprint, and effectively avoid the counter-detection mechanisms of security products.
Inventors
- YANG TIANCHANG
- ZHANG PENG
- BAO ZIYANG
- ZHANG JIAHAO
- WANG KAI
- LI SHIZE
- ZHANG HAI
- ZHANG BINGZI
Assignees
- 中国电子科技集团公司第十五研究所
Dates
- Publication Date: 2026-05-12
- Application Date: 2025-07-08
Claims (9)
- 1. A detection method for a terminal security product, characterized by comprising the following steps: loading a system library by calling a system-level interface; when the system library is loaded successfully, acquiring the memory address of a target function and verifying the validity of the memory address; when the memory address is valid, reading instruction data at the memory address and analyzing the instruction data to judge whether a jump instruction is included, wherein the jump instruction comprises an instruction for realizing code execution flow hijacking; if the instruction data contains the jump instruction, executing the following substep: resolving the target address of the jump instruction, jumping to the target address, re-reading the instruction data at that address and judging again whether it contains the jump instruction; if the second judgment finds that no jump instruction is contained, recording the instruction data as the actual entry point code data of the target function; converting the actual entry point code data into code data in a matchable format and matching it against the security product feature identifiers in a preset terminal security product feature library to obtain a matching result, wherein the terminal security product feature library stores binary signatures of various terminal security products or other security tools; and outputting a detection result for the terminal security product according to the matching result.
- 2. The method of claim 1, wherein the step of reading instruction data at the memory address comprises: reading memory data of a preset length at the memory address of the target function.
- 3. The method of claim 1, further comprising, after the step of judging again whether the jump instruction is included: if the second judgment finds that the jump instruction is included, resolving the target address of that jump instruction again and jumping to it.
- 4. The method of claim 1, wherein the step of matching against the security product feature identifiers in the preset terminal security product feature library to obtain a matching result comprises: adopting a sliding window matching mechanism to compare the code data in the matchable format with the security product feature identifiers in the terminal security product feature library bit by bit until matching succeeds or traversal is complete.
- 5. The method of claim 4, wherein the step of employing a sliding window matching mechanism specifically comprises: step a, starting from the first address of the code data in the matchable format, reading continuous memory data of a preset length as a comparison buffer; step b, extracting the N-byte data block of the current window from the comparison buffer and performing a binary comparison with the feature data in the preset terminal security product feature library; step c, when the N-byte data block completely matches the feature data, judging that the matching is successful and terminating the comparison flow; step d, when the matching is unsuccessful, sliding the comparison window forward by M bytes and repeating steps b and c until the comparison buffer has been traversed or the maximum number of matching attempts is reached; wherein N and M are preset positive integers and M is less than or equal to N.
- 6. The method of claim 1, wherein the step of outputting the detection result of the terminal security product according to the matching result comprises: when the matching is successful, outputting a detection result comprising at least one of the detected security product name, product version identification information and the memory address of the Hook position; and when the matching fails, outputting prompt information that no terminal security product was detected.
- 7. A detection device for a terminal security product, characterized by comprising: a loading module for loading a system library by calling a system-level interface; an acquisition and verification module for acquiring the memory address of a target function and verifying the validity of the memory address when the system library is loaded successfully; an analysis and detection module for reading instruction data at the memory address of the target function when the memory address is valid, and analyzing the instruction data to judge whether a jump instruction is included, wherein the jump instruction comprises an instruction for realizing code execution flow hijacking; a processing module for, if the instruction data contains the jump instruction, resolving the target address of the jump instruction, jumping to the target address, re-reading the instruction data at the memory address and judging again whether the instruction data contains the jump instruction; a feature matching module for converting the actual entry point code data into code data in a matchable format and matching it against the security product feature identifiers in a preset terminal security product feature library to obtain a matching result, wherein the terminal security product feature library stores binary signatures of various terminal security products or other security tools; and a result output module for outputting the detection result of the terminal security product according to the matching result.
- 8. A computer device, comprising: one or more processors; and storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-6.
- 9. A computer readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the method according to any one of claims 1-6.
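A simulation of the claimed method's two core steps, following the jump chain of claims 1 and 3 and then applying the sliding-window comparison of claim 5 to produce the claim 6 style result, run over a constructed in-memory address space. This is an added illustration, not code from the patent; the address layout, the two jump encodings handled, and the signature bytes are all constructed assumptions.

```python
import struct

# Constructed address space (address -> bytes), an assumption for this example: 0x1000 is the
# target function with its first bytes replaced by JMP rel32 -> 0x2000 (the Hook position); 0x2000
# jumps via the pointer at 0x2010 to 0x3000 (the actual entry point); 0x4000 is an untouched prologue.
MEMORY = {
    0x1000: b"\xE9" + struct.pack("<i", 0x2000 - 0x1005) + b"\x90" * 11,
    0x2000: b"\xFF\x25" + struct.pack("<i", 0x2010 - 0x2006) + b"\x90" * 10,
    0x2010: struct.pack("<Q", 0x3000),
    0x3000: b"\x48\x89\x5C\x24\x08\x48\x83\xEC\x20\x55\x48\x8B\xEC\xCC\xCC\xCC",
    0x4000: b"\x40\x53\x48\x83\xEC\x20\x48\x8B\xD9" + b"\xCC" * 7,
}
# Constructed feature library: name -> N-byte signature (not any real product's bytes).
FEATURES = {"constructed-hook-A": b"\x48\x89\x5C\x24\x08\x48\x83\xEC"}

def read_mem(addr, n=16):          # n is the "preset length" read at each address
    return MEMORY[addr][:n]
def jump_target(addr, data):
    """Return the destination of a jump at addr, or None if the bytes are not a jump."""
    if data[0] == 0xE9:                      # JMP rel32: target = next ip + rel32
        return addr + 5 + struct.unpack_from("<i", data, 1)[0]
    if data[:2] == b"\xFF\x25":              # x64 JMP [rip+disp32]: load pointer, jump
        ptr = addr + 6 + struct.unpack_from("<i", data, 2)[0]
        return struct.unpack("<Q", read_mem(ptr, 8))[0]
    return None
def resolve_entry(addr, max_hops=8):
    """Claims 1 and 3: follow jumps until instruction data without a jump is reached."""
    hops = []
    for _ in range(max_hops):
        data = read_mem(addr)
        target = jump_target(addr, data)
        if target is None:
            return addr, data, hops          # data is the actual entry point code
        hops.append((addr, target))
        addr = target
    raise RuntimeError("jump chain longer than max_hops; possible loop")
def sliding_match(code, features, n, m):
    """Claim 5: compare N-byte windows, sliding by M bytes (M <= N), against each feature."""
    assert 0 < m <= n
    for name, sig in features.items():
        for off in range(0, len(code) - n + 1, m):
            if code[off:off + n] == sig[:n]:
                return name, off
    return None
def detect(func_addr, n=8, m=1):
    """Claim 6 style result: product name (or None), resolved entry and Hook position."""
    entry, code, hops = resolve_entry(func_addr)
    hit = sliding_match(code, FEATURES, n, m)
    return {"product": hit[0] if hit else None, "entry": entry, "hook_address": hops[0][0] if hops else None}
```

detect(0x1000) reports the constructed signature with Hook position 0x1000, while detect(0x4000) reports nothing detected because its prologue was never redirected.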
Description
Detection method, device, equipment and storage medium of terminal security product
Technical Field
The embodiments of the disclosure relate to the technical field of terminal security detection and related fields, and in particular to a detection method, device, equipment and storage medium applicable to a terminal security product.
Background
With the rapid development of information technology, terminal security technology is also continuously upgraded. More and more enterprises and organizations now deploy advanced anti-virus (AV) software and endpoint detection and response (EDR) systems to protect their terminal devices. These systems not only identify and block known malware effectively but also detect unknown threats through behavioral analysis and machine learning. For red team penetration testers this means their activity is more easily discovered and intercepted. Traditional approaches, such as exploiting known vulnerabilities or simple social engineering attacks, tend to be difficult to carry out, because these behaviors are likely to be recognized by the AV/EDR system as abnormal activity and alerted on in time. The red team has to invest more time and effort in studying new methods to bypass these protection mechanisms.
However, in the prior art, in order to evade the AV/EDR system on a terminal, the target terminal environment needs to be examined in detail to identify the security protection system, and common terminal sensing techniques (such as process and service matching, registry matching, hook detection, etc.) leave obvious operation traces and are easily captured by the monitoring system. For example, process and service matching relies on system commands or API calls to enumerate processes, which may leave records in the system log; registry matching reads registry entries, which may produce explicit access records; and hook detection, which detects whether API functions have been hijacked, may expose traces in the system log or to memory scanning. In addition, acquiring application information through system commands or API calls is easily identified by the security monitoring system because of the log or call records it leaves. Therefore, a detection method for a terminal security product is urgently needed to solve the above problems.
Disclosure of Invention
The embodiments described herein provide a method, an apparatus, a device and a storage medium for detecting a terminal security product, which solve the problems existing in the prior art.
According to a first aspect of the present disclosure, there is provided a method for detecting a terminal security product, including: loading a system library by calling a system-level interface; when the system library is loaded successfully, acquiring the memory address of a target function and verifying the validity of the memory address; when the memory address is valid, reading the instruction data at the memory address and analyzing it to judge whether a jump instruction is included; if the instruction data contains a jump instruction, resolving the target address of the jump instruction and jumping to that address; if the second judgment finds that no jump instruction is contained, recording the instruction data as the actual entry point code data of the target function; converting the actual entry point code data into code data in a matchable format and matching it against the security product feature identifiers in a preset terminal security product feature library to obtain a matching result; and outputting a detection result for the terminal security product according to the matching result.
In some embodiments of the disclosure, the step of obtaining instruction data at the memory address includes: reading memory data of a preset length at the memory address of the target function.
In some embodiments of the present disclosure, after the step of judging again whether the jump instruction is included, the method further comprises: if the second judgment finds that a jump instruction is included, resolving the target address of that jump instruction again and jumping to it.
In some embodiments of the present disclosure, the jump instruction includes instructions for implementing code execution flow hijacking.
In some embodiments of the present disclosure, the step of matching against the security product feature identifiers in the preset terminal security product feature library to obtain a matching result includes: adopting a sliding window matching mechanism to compare the code data in the matchable format with the security product feature identifiers in the terminal security product feature library bit by bit until matching is successful or traversal is c