CN114707138A - Method for realizing JS script virtual sandbox based on PE virtual sandbox - Google Patents
- Publication number: CN114707138A (application number CN202210196862.0A)
- Authority
- CN
- China
- Prior art keywords
- sandbox
- virtual sandbox
- program
- jscript
- script
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Stored Programmes (AREA)
Abstract
The invention discloses a method for implementing a JS script virtual sandbox on top of a PE virtual sandbox. The method comprises seven steps and has the following advantage over the prior art: by providing a PE-based virtual sandbox, the method and system keep the malicious-program identification process safe. The sandbox provides a virtual, simulated running environment for executable programs in the Windows PE format, so that the program under analysis executes correctly while being prevented from escaping and threatening the real running environment.
Description
Technical Field
The invention relates to the field of information security, in particular to a method for realizing a JS script virtual sandbox based on a PE virtual sandbox.
Background
Currently, in the field of information security, a great deal of malicious code uses JScript scripts as its carrier. JScript is a general-purpose scripting language developed by Microsoft Corporation. Scripting languages are convenient to use: once a script has been written, an executor (interpreter) can directly run the logic it describes. ECMA-262, published by Ecma International (formerly the European Computer Manufacturers Association), is the standard that defines the ECMAScript programming language. JScript is implemented as a dialect of ECMAScript (not fully compatible with it) and is used on Windows operating systems.
Disclosure of Invention
The technical problem the invention addresses is that JScript scripts are easy to obfuscate, are poorly readable, and make it hard to analyse their execution logic, which in turn lets the potential harm of a JScript script stay hidden.
To solve this technical problem, the invention provides the following technical scheme: a method for implementing a JS script virtual sandbox on top of a PE virtual sandbox, comprising the following steps:
Step one: start the PE-based virtual sandbox, which constructs a closed, escape-resistant running environment so that a PE program running inside it cannot damage the real operating system environment; the virtual sandbox provides run-time resource support (including but not limited to file system operations, memory management, registry services and the like) to the application programs running inside it through emulated system APIs;
Step two: load and initialize the JScript script virtual sandbox. This sandbox provides the JScript script running environment; it is itself a group of programs in executable PE format, runs entirely inside the PE virtual sandbox, and has no direct interaction with the real operating system. A JScript program running in the virtual sandbox accesses and modifies system resources only by calling the Windows-compatible APIs provided by the PE virtual sandbox of step one;
Step three: load and run the JScript script to be detected; the script runs entirely inside the JScript script virtual sandbox and has no direct interaction with the PE virtual sandbox;
Step four: monitor and record the files and API calls generated while the JScript script runs, until the program exits;
Step five: determine the detection result from the output of step four, based on the following criteria: 1) which APIs were called during execution; 2) which system resources were requested and/or accessed; 3) the characteristics of any produced files, whether they contain sensitive fields, and whether they are known malicious programs; 4) whether important files inside the sandbox (which mirrors a real system) were deleted or tampered with; 5) whether a known malicious website was visited and a known malicious program downloaded; 6) whether user input devices were recorded; 7) other suspected system-damage or data-leakage behaviour;
Step six: if step five judges the program to be malicious, output the category of the malicious program and end the detection;
Step seven: if step five judges the program to be trustworthy, output that judgment and end the detection.
Compared with the prior art, the invention has the following advantage: by providing a PE-based virtual sandbox, the method and system keep the malicious-program identification process safe. The sandbox provides a virtual, simulated running environment for executable programs in the Windows PE format, so that the program executes correctly while being prevented from escaping and threatening the real running environment.
Further, the JScript script execution process of step four is as follows: 1) the operating system APIs called by the JScript program are recorded by the PE virtual sandbox; 2) the JScript program's file creation/access/modification/deletion functions are provided and executed by the operating system API (as emulated by the PE virtual sandbox), and their results exist only inside the PE virtual sandbox, where they can be obtained and accessed through the PE virtual sandbox API; 3) likewise, the JScript program's access to and modification of system resources during execution are provided and executed by the operating system API, and their results exist only inside the PE virtual sandbox, where they can be obtained and accessed through the PE virtual sandbox API.
Drawings
FIG. 1 is a hierarchical structure diagram of a method for implementing a JS script virtual sandbox based on a PE virtual sandbox.
FIG. 2 is a schematic flow chart of a method for implementing a JS script virtual sandbox based on a PE virtual sandbox.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings.
In a specific implementation, as shown in the embodiments of fig. 1 and fig. 2, the invention provides a method for implementing a JS script virtual sandbox on top of a PE virtual sandbox, characterized by comprising the following steps:
Step one: start the PE-based virtual sandbox, which constructs a closed, escape-resistant running environment so that a PE program running inside it cannot damage the real operating system environment; the virtual sandbox provides run-time resource support (including but not limited to file system operations, memory management, registry services and the like) to the application programs running inside it through emulated system APIs;
Step two: load and initialize the JScript script virtual sandbox. This sandbox provides the JScript script running environment; it is itself a group of programs in executable PE format, runs entirely inside the PE virtual sandbox, and has no direct interaction with the real operating system. A JScript program running in the virtual sandbox accesses and modifies system resources only by calling the Windows-compatible APIs provided by the PE virtual sandbox of step one;
Step three: load and run the JScript script to be detected; the script runs entirely inside the JScript script virtual sandbox and has no direct interaction with the PE virtual sandbox;
Step four: monitor and record the files and API calls generated while the JScript script runs, until the program exits;
Step five: determine the detection result from the output of step four; the criteria include but are not limited to: 1) which APIs were called during execution; 2) which system resources were requested and/or accessed; 3) the characteristics of any produced files, whether they contain sensitive fields, and whether they are known malicious programs; 4) whether important files inside the sandbox (which mirrors a real system) were deleted or tampered with; 5) whether a known malicious website was visited and a known malicious program downloaded; 6) whether user input devices were recorded; 7) other suspected system-damage or data-leakage behaviour;
Step six: if step five judges the program to be malicious, output the category of the malicious program and end the detection;
Step seven: if step five judges the program to be trustworthy, output that judgment and end the detection.
The invention first provides a virtual sandbox based on PE (Portable Executable, the executable file format of the Windows system; such files usually carry the exe file-name suffix) to keep the malicious-program identification process safe. The sandbox provides a virtual, simulated running environment for Windows PE-format executable programs. This not only ensures that the program executes correctly but also prevents it from escaping and threatening the real operating environment. The sandbox also: 1) records the behaviour of the PE programs running inside it; 2) provides the PE programs running inside it with various system resources (file access, network connections, etc.); 3) saves the various outputs (files, text output, etc.) of the PE programs running inside it.
Further, in the embodiment shown in fig. 2, the JScript script execution process of step four is as follows: 1) the operating system APIs called by the JScript program are recorded by the PE virtual sandbox; 2) the JScript program's file creation/access/modification/deletion functions are provided and executed by the operating system API (as emulated by the PE virtual sandbox), and their results exist only inside the PE virtual sandbox, where they can be obtained and accessed through the PE virtual sandbox API; 3) likewise, the JScript program's access to and modification of system resources during execution are provided and executed by the operating system API, and their results exist only inside the PE virtual sandbox, where they can be obtained and accessed through the PE virtual sandbox API. On top of the PE sandbox the invention provides a JScript script virtual sandbox. A JScript script executor is built into this sandbox and supports running the potentially malicious JScript script under detection. The executor is compatible with the JScript executor built into a real Windows system and runs JScript scripts without distinction. This sandbox also: 1) records the behaviour of the JScript script running inside it; 2) provides the JScript script running inside it with various system resources; 3) saves the various outputs of the JScript script running inside it.
An API (Application Programming Interface) is a set of programming interfaces defined by the system and/or platform, which the applications running on it call to obtain related functions and services. By recording and analysing the detected program's calls to the various APIs during its run, the program's behaviour is obtained, and the resources the program produces are saved, including but not limited to: 1) files created and/or modified; 2) files uploaded and/or downloaded over the network; 3) modifications to the system configuration.
Further, in the embodiment shown in fig. 2, the JScript integrated into the Windows operating system manages and uses the system by calling specific system APIs, and a malicious JScript program likewise monitors or damages the system by calling specific system APIs. The JScript interpreter provided by the invention is functionally compatible with the JScript built into the Windows operating system and runs entirely inside the PE virtual sandbox provided by the invention. By calling the Windows-compatible APIs provided by the PE virtual sandbox, it achieves execution logic and output results consistent with a real Windows system.
While there have been shown and described the fundamental principles and principal features of the invention and advantages thereof, it will be understood by those skilled in the art that the invention is not limited by the embodiments described above, which are given by way of illustration of the principles of the invention, but is susceptible to various changes and modifications without departing from the spirit and scope of the invention as defined by the appended claims. The scope of the invention is defined by the appended claims and equivalents thereof.
Claims (2)
1. A method for implementing a JS script virtual sandbox on top of a PE virtual sandbox, characterized by comprising the following steps:
Step one: start the PE-based virtual sandbox, which constructs a closed, escape-resistant running environment so that a PE program running inside it cannot damage the real operating system environment; the virtual sandbox provides run-time resource support (including but not limited to file system operations, memory management, registry services and the like) to the application programs running inside it through emulated system APIs;
Step two: load and initialize the JScript script virtual sandbox. This sandbox provides the JScript script running environment; it is itself a group of programs in executable PE format, runs entirely inside the PE virtual sandbox, and has no direct interaction with the real operating system. A JScript program running in the virtual sandbox accesses and modifies system resources only by calling the Windows-compatible APIs provided by the PE virtual sandbox of step one;
Step three: load and run the JScript script to be detected; the script runs entirely inside the JScript script virtual sandbox and has no direct interaction with the PE virtual sandbox;
Step four: monitor and record the files and API calls generated while the JScript script runs, until the program exits;
Step five: determine the detection result from the output of step four, based on the following criteria: 1) which APIs were called during execution; 2) which system resources were requested and/or accessed; 3) the characteristics of any produced files, whether they contain sensitive fields, and whether they are known malicious programs; 4) whether important files inside the sandbox (which mirrors a real system) were deleted or tampered with; 5) whether a known malicious website was visited and a known malicious program downloaded; 6) whether user input devices were recorded; 7) other suspected system-damage or data-leakage behaviour;
Step six: if step five judges the program to be malicious, output the category of the malicious program and end the detection;
Step seven: if step five judges the program to be trustworthy, output that judgment and end the detection.
2. The method for implementing a JS script virtual sandbox on top of a PE virtual sandbox according to claim 1, characterized in that the JScript script execution process of step four is as follows: 1) the operating system APIs called by the JScript program are recorded by the PE virtual sandbox; 2) the JScript program's file creation/access/modification/deletion functions are provided and executed by the operating system API, and their results exist only inside the PE virtual sandbox, where they can be obtained and accessed through the PE virtual sandbox API; 3) likewise, the JScript program's access to and modification of system resources during execution are provided and executed by the operating system API, and their results exist only inside the PE virtual sandbox, where they can be obtained and accessed through the PE virtual sandbox API.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210196862.0A CN114707138A (en) | 2022-03-02 | 2022-03-02 | Method for realizing JS script virtual sandbox based on PE virtual sandbox |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210196862.0A CN114707138A (en) | 2022-03-02 | 2022-03-02 | Method for realizing JS script virtual sandbox based on PE virtual sandbox |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114707138A true CN114707138A (en) | 2022-07-05 |
Family
ID=82166063
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210196862.0A Pending CN114707138A (en) | 2022-03-02 | 2022-03-02 | Method for realizing JS script virtual sandbox based on PE virtual sandbox |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114707138A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117540381A (en) * | 2023-11-13 | 2024-02-09 | 中国人民解放军92493部队信息技术中心 | Detection method and system for anti-virtualization malicious program |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102930210A (en) * | 2012-10-14 | 2013-02-13 | 江苏金陵科技集团公司 | System and method for automatically analyzing, detecting and classifying malicious program behavior |
CN103258163A (en) * | 2013-05-15 | 2013-08-21 | 腾讯科技(深圳)有限公司 | Script virus identifying method, script virus identifying device and script virus identifying system |
CN106485148A (en) * | 2015-10-29 | 2017-03-08 | 远江盛邦(北京)网络安全科技股份有限公司 | The implementation method of the malicious code behavior analysiss sandbox being combined based on JS BOM |
CN108009425A (en) * | 2017-11-29 | 2018-05-08 | 四川无声信息技术有限公司 | File detects and threat level decision method, apparatus and system |
CN110135156A (en) * | 2019-04-03 | 2019-08-16 | 浙江工业大学 | A method of suspected attack code is identified based on sandbox dynamic behaviour |
Application Events
- 2022-03-02: CN application CN202210196862.0A filed (publication CN114707138A); status Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11216256B2 (en) | Determining based on static compiler analysis that execution of compiler code would result in unacceptable program behavior | |
Brown et al. | Finding and preventing bugs in javascript bindings | |
Kim et al. | ScanDal: Static analyzer for detecting privacy leaks in android applications | |
US9684786B2 (en) | Monitoring an application in a process virtual machine | |
US9645912B2 (en) | In-place function modification | |
US20090094667A1 (en) | Method and Apparatus for Automatic Determination of Authorization Requirements While Editing or Generating Code | |
Smyth | Android Studio 3.2 Development Essentials-Android 9 Edition: Developing Android 9 Apps Using Android Studio 3.2, Java and Android Jetpack | |
US6834391B2 (en) | Method and apparatus for automated native code isolation | |
US8776031B1 (en) | Manipulating resources embedded in a dynamic-link library | |
CN111427782B (en) | Android dynamic link library operation method, device, equipment and storage medium | |
CN114398673A (en) | Application compliance detection method and device, storage medium and electronic equipment | |
CN111258752A (en) | Resource monitoring method and device, electronic equipment and storage medium | |
WO2022017242A1 (en) | Method and apparatus for running second system application in first system, device, and medium | |
CN114707138A (en) | Method for realizing JS script virtual sandbox based on PE virtual sandbox | |
CN110045952B (en) | Code calling method and device | |
EP1977342A1 (en) | Analyzing interpretable code for harm potential | |
EP2511820A1 (en) | Bypassing user mode redirection | |
Arzt et al. | Towards cross-platform cross-language analysis with soot | |
CN113168320B (en) | Selective replacement of legacy load module programs with classes for execution in JAVA virtual machine | |
US20230153109A1 (en) | System and method for analyzing and steering use of third-party libraries | |
CN113791824B (en) | Peripheral driver loading method, system and medium of terminal equipment | |
EP3195120A1 (en) | Selectively loading precompiled header(s) and/or portion(s) thereof | |
Gasparis et al. | Droid M+ Developer Support for Imbibing Android's New Permission Model | |
KR102367196B1 (en) | Security vulnerability analysis method based on intermediate language and electronic device including the same | |
WO2015033221A2 (en) | Device and method for automating a process of defining a cloud computing resource |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||