CN108197041B - Method, device and storage medium for determining parent process of child process - Google Patents
- Publication number
- CN108197041B
- Authority
- CN
- China
- Prior art keywords
- information
- memory
- parent
- value
- address
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/14—Protection against unauthorised use of memory or access to memory
- G06F12/1458—Protection against unauthorised use of memory or access to memory by checking the subject access rights
- G06F12/1483—Protection against unauthorised use of memory or access to memory by checking the subject access rights using an access-table, e.g. matrix or list
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/14—Protection against unauthorised use of memory or access to memory
- G06F12/1458—Protection against unauthorised use of memory or access to memory by checking the subject access rights
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Physics (AREA)
- Debugging And Monitoring (AREA)
- Stored Programmes (AREA)
Abstract
The embodiment of the invention provides a method, equipment and a computer storage medium for determining a parent process of a child process, wherein the method comprises the following steps: acquiring memory address information corresponding to the subprocess; searching an information list according to the memory address information, wherein the information list comprises a plurality of memory detailed information; and traversing the information list based on a specific screening condition to screen out the process path information of the parent process corresponding to the child process.
Description
Technical Field
The present invention relates to the field of system security technologies, and in particular, to a method and an apparatus for determining a parent process of a child process, and a computer storage medium thereof.
Background
A complete program consists of a multi-level chain of processes, which generally includes a child process, its parent process, the parent's parent process, processes at higher levels, and so on. When the parent of a child process is shut down during program execution (or exits for other reasons), the parent process is in an exited state. After the parent process exits, the terminal can obtain only the process information of the child process and not that of its parent process, so the operating behavior of the program cannot ultimately be identified from the process information of all the processes on the process chain.
Chinese patent application publication CN105608375A discloses a process information obtaining method that monitors process creation and records it in a process data table. For example, a driver sets a PsSetCreateProcessNotifyRoutine callback, captures each create-sub-process operation, and records the process information of the sub-process at that moment for subsequent query. When a process exits, the process information of all processes in the process chain can then be obtained from the process data table created in advance.
However, the above process information acquisition method has the following drawbacks: 1) the terminal adds real-time monitoring of process creation while the processor is running programs, which reduces the processing speed of the processor; 2) on top of that real-time monitoring, the terminal must continuously record every process creation in the process data table, which inevitably occupies a large amount of storage and causes problems such as insufficient storage space.
Disclosure of Invention
The present invention has been made in view of the above problems, and aims to provide a method, apparatus and computer storage medium for determining a parent process of a child process that overcomes or at least partially solves the above problems.
According to a first aspect of the present invention, there is provided a method of determining a parent process of a child process, comprising: acquiring memory address information corresponding to the subprocess; searching an information list according to the memory address information, wherein the information list comprises a plurality of memory detailed information; and traversing the information list based on a specific screening condition to screen out the process path information of the parent process corresponding to the child process.
Optionally, in the method for determining a parent process of a child process according to the embodiment of the present invention, traversing the information list based on a specific filtering condition to filter out process path information of the parent process corresponding to the child process, where the method includes: traversing the information list based on specific screening conditions to screen out target detailed information; acquiring the memory content of the target detailed information according to a specific offset address, and determining the memory content as the process path information of a parent process corresponding to the child process; the value of the specific offset address is the sum of a start address of the target detailed information and a specific offset, and the specific offset is used for indicating the position of the process path information in the target detailed information.
Optionally, in the method for determining a parent process of a child process according to the embodiment of the present invention, a value of the specific offset is different according to different versions of the operating system.
Optionally, in the method for determining a parent process of a child process according to an embodiment of the present invention, the specific filtering condition includes at least one of the following conditions: size, type, status, protection and usage of the memory details.
Optionally, in the method for determining a parent process of a child process according to the embodiment of the present invention, the size is 4 KB; the value of the type is private; the value of the state is commit; the value of protection is read and write; and/or the value of the usage mode is a Process Environment Block (PEB).
Optionally, in the method for determining a parent process of a child process according to the embodiment of the present invention, traversing the information list based on a specific filtering condition to filter out target detailed information, where the method includes: traversing the information list for screening based on at least one of the size, type, state, protection and using mode of the memory detailed information to obtain the memory detailed information uniquely determined by the using mode with the value being PEB; and taking the next piece of memory detailed information which is next to the memory detailed information uniquely determined by the use mode taking the value as the PEB in the information list as the target detailed information.
Optionally, in the method for determining a parent process of a child process according to an embodiment of the present invention, the method further includes: and after the process path information of the parent process corresponding to the child process is screened out, checking the legality of the parent process according to the process path information of the parent process.
Optionally, in the method for determining a parent process of a child process according to the embodiment of the present invention, checking the validity of the parent process according to the process path information of the parent process includes: searching a process file list according to the process path information of the parent process to obtain a parent process file; checking the parent process file; if the verification is successful, determining that the parent process is legal; and if the verification fails, determining that the parent process is illegal.
Optionally, in the method for determining a parent process of a child process according to the embodiment of the present invention, verifying the parent process file includes: calculating the hash value of the parent process file; and carrying out consistency check on the hash value of the parent process file and the hash value of the parent process file stored in advance.
According to a second aspect of the present invention, there is provided an apparatus for determining a parent process of a child process, comprising: the acquiring device is used for acquiring the memory address information corresponding to the subprocess; the searching device is used for searching an information list according to the memory address information, and the information list comprises a plurality of memory detailed information; and the screening device is used for traversing the information list based on a specific screening condition and screening out the process path information of the parent process corresponding to the child process.
Optionally, in the apparatus for determining a parent process of a child process according to the embodiment of the present invention, the screening device is further configured to filter out the target detailed information by traversing the information list based on a specific screening condition; acquiring the memory content of the target detailed information according to a specific offset address, and determining the memory content as the process path information of a parent process corresponding to the child process; the value of the specific offset address is the sum of a start address of the target detailed information and a specific offset, and the specific offset is used for indicating the position of the process path information in the target detailed information.
Optionally, in the device for determining the parent process of the child process according to the embodiment of the present invention, a value of the specific offset is different according to different versions of the operating system.
Optionally, in the apparatus for determining a parent process of a child process according to an embodiment of the present invention, the specific filtering condition includes one of the following conditions: size, type, status, protection and usage of the memory details.
Optionally, in the apparatus for determining a parent process of a child process according to the embodiment of the present invention, the size is 4 KB; the value of the type is private; the value of the state is commit; the value of protection is read and write; and/or the value of the usage mode is PEB.
Optionally, in the apparatus for determining a parent process of a child process according to the embodiment of the present invention, the screening device is further configured to traverse the information list for screening based on at least one of a size, a type, a state, protection, and a usage mode of the detailed memory information, so as to obtain the detailed memory information uniquely determined by the usage mode whose value is PEB; and taking the next piece of memory detailed information which is next to the memory detailed information uniquely determined by the use mode taking the value as the PEB in the information list as the target detailed information.
Optionally, in the apparatus for determining a parent process of a child process according to an embodiment of the present invention, the apparatus further includes: and the checking device is used for checking the legality of the parent process according to the process path information of the parent process after the process path information of the parent process corresponding to the child process is screened out.
Optionally, in the apparatus for determining a parent process of a child process according to the embodiment of the present invention, the verifying device is further configured to search for a parent process file from a process file list according to the process path information of the parent process; checking the parent process file; if the verification is successful, determining that the parent process is legal; and if the verification fails, determining that the parent process is illegal.
Optionally, in the apparatus for determining a parent process of a child process according to the embodiment of the present invention, the verifying device is further configured to calculate a hash value of the parent process file; and carrying out consistency check on the hash value of the parent process file and the hash value of the parent process file stored in advance.
According to a third aspect of the present invention, there is provided an apparatus for determining a parent process of a child process, comprising: one or more processors; a memory; and a program stored in the memory which, when executed by the one or more processors, causes the processors to perform the method of the first aspect or of any implementation of the first aspect.
According to a fourth aspect of the present invention, there is provided a computer readable storage medium storing a program which, when executed by a processor, causes the processor to perform the method of the first aspect or of any implementation of the first aspect.
With the method for determining the parent process of a child process, the memory address information corresponding to the child process can be acquired directly by a function call after the parent process has exited; an information list, which includes a plurality of pieces of memory detailed information, is then searched according to the memory address information; finally, the information list is traversed based on a specific screening condition to screen out the process path information of the parent process corresponding to the child process. The embodiment of the invention therefore omits real-time monitoring and recording of process creation, which improves the processing rate of the processor while it runs programs, reduces the storage space occupied, and effectively improves storage utilization.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
The above and other objects, features and advantages of exemplary embodiments of the present invention will become readily apparent from the following detailed description read in conjunction with the accompanying drawings. Several embodiments of the invention are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which:
in the drawings, the same or corresponding reference numerals indicate the same or corresponding parts.
FIG. 1 schematically illustrates a flow diagram of one embodiment of a method for determining a parent process of a child process in an embodiment of the invention;
FIG. 2 is a schematic diagram illustrating the structure of a device for determining a parent process of a child process in accordance with an embodiment of the present invention;
FIG. 3 schematically illustrates an implementation of a device for determining a parent process of a child process according to an embodiment of the invention;
fig. 4 schematically shows a schematic diagram of a computer-readable storage medium storing a computer program implementing a method of determining a parent process of a child process according to an embodiment of the present invention.
Detailed Description
The principles and spirit of the present invention will be described with reference to a number of exemplary embodiments. It is understood that these embodiments are given solely for the purpose of enabling those skilled in the art to better understand and to practice the invention, and are not intended to limit the scope of the invention in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
The following detailed description of embodiments of the invention refers to the accompanying drawings.
The following description is given taking a Windows operating system environment as an example.
FIG. 1 schematically illustrates a flow diagram of an embodiment of a method for determining a parent process of a child process in an embodiment of the invention.
As shown in fig. 1, a method 10 for determining a parent process of a child process according to an embodiment of the present invention includes: operation 101, acquiring memory address information corresponding to the subprocess; operation 102, searching an information list according to the memory address information, wherein the information list comprises a plurality of pieces of memory detailed information; in operation 103, the information list is traversed based on a specific filtering condition to filter out process path information of the parent process corresponding to the child process.
In operation 101, memory address information corresponding to the sub-process may be obtained by calling GetProcessMemoryInfo. The memory address information is in a list format in which each entry is a memory range determined by a memory start address and a memory end address, such as the memory ranges (0, 3f0000), (3f0000, 3f1000) …, (53a0000, 53a1000), and the like. Of course, the memory address information is not limited to memory ranges and may also include other information.
In operation 102, an information list may be searched according to the memory address information by calling VirtualQuery, where the information list includes a plurality of pieces of memory detailed information. Each piece of memory detailed information in the information list may include: start address, end address, size, type (e.g., executable, private, mapped), state (e.g., commit, release, reserve), protection (e.g., inaccessible, read-only, read-write, read and execute), and usage mode (e.g., unknown, executable, mapped file, release, PEB, Thread Environment Block (TEB), stack, heap, other).
According to an embodiment of the present invention, in operation 103, the information list is first traversed based on a specific screening condition to screen out the target detailed information; the memory content of the target detailed information can then be obtained by calling ReadProcessMemory at a specific offset address, and the memory content is determined as the process path information of the parent process corresponding to the child process. The value of the specific offset address is the sum of the start address of the target detailed information and a specific offset, and the specific offset indicates the position of the process path information within the target detailed information.
Here, the value of the specific offset differs depending on the version of the operating system. For example, for different os versions such as xp, win7, win8, win8.1, and win10, values of specific offsets in the memory contents corresponding to the os versions are different, and the values of the specific offsets are obtained by debugging.
It should be added that, as a result of extensive debugging, the specific screening conditions in the embodiments of the present invention include at least one of the following conditions: size, type, state, protection and usage mode of the memory detailed information. The value of the size can be 4 KB; the value of the type is private; the value of the state is commit; the value of protection is read and write; and/or the value of the usage mode is PEB. For example, the specific screening conditions may be: size 4 KB, type private, state commit, protection read and write, and usage mode PEB. Of course, the specific screening conditions described herein are merely exemplary and are not intended to limit the present invention.
Based on the specific screening condition, in the process of traversing the information list based on the specific screening condition and screening out the target detailed information in operation 103, firstly traversing the information list for screening based on at least one of the size, type, state, protection and using mode of the memory detailed information to obtain the memory detailed information uniquely determined by the using mode taking the value as PEB; further, the next piece of the memory detailed information in the information list, which is next to the memory detailed information uniquely determined by the use mode taking the value as the PEB, is taken as the target detailed information.
It should be added that, in the actual screening process, operation 103 of the embodiment of the present invention may first set the value of the usage mode in the specific screening condition to unknown; that is, several pieces of memory detailed information are screened from the information list using the screening condition of size 4 KB, type private, state commit, protection read and write, and usage mode unknown. A unique piece of memory detailed information can then be determined from the screened pieces by adding the condition that the usage mode is PEB. Finally, the piece of memory detailed information that immediately follows, in the information list, the piece uniquely determined by the usage mode PEB is taken as the target detailed information.
In an example, taking the specific offset value of 750 under the win10 operating system as an example, operation 103 of the embodiment of the present invention is specifically described as follows:
First, the piece of memory detailed information uniquely determined by the usage mode (Usage) PEB is found in the information list based on the specific screening condition, that is:
312d000 3130000 3000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PEB[2d50];
Next, the piece of memory detailed information that immediately follows the PEB entry is found in the information list, that is:
3240000 3241000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE <unknown>[............L...];
Finally, the start address 3240000 of the target detailed information and the specific offset 750 under the win10 operating system are added to give the specific offset address 4240750; the memory content of the target detailed information is read at that address and determined as the process path information of the parent process corresponding to the child process.
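An added example (not code from the patent) of the screening in operation 103, run over a constructed region listing that contains the two rows quoted above. It assumes the addresses and the offset 750 are hexadecimal, so the address it computes is 0x3240750, that the path is a NUL-terminated UTF-16LE string, and that `read_memory` stands in for ReadProcessMemory; all function names are hypothetical.

```python
from dataclasses import dataclass

# Only the win10 value is given in the text; other versions are found by debugging.
# Assumption: 750 is hexadecimal, like the addresses in the listing.
PATH_OFFSET_BY_OS = {"win10": 0x750}

@dataclass(frozen=True)
class Region:
    start: int
    end: int
    size: int
    mem_type: str
    state: str
    protect: str
    usage: str

def parse_listing(text):
    """Parse rows of 'start end size type state protection usage[...]'."""
    regions = []
    for line in text.splitlines():
        line = line.strip().rstrip(";")
        if not line:
            continue
        start, end, size, mem_type, state, protect, usage = line.split(None, 6)
        usage = usage.split("[", 1)[0].strip().strip("<>").lower()
        regions.append(Region(int(start, 16), int(end, 16), int(size, 16),
                              mem_type, state, protect, usage))
    # "Next" in the information list is taken to mean next by address (assumption).
    return sorted(regions, key=lambda r: r.start)

def _private_commit_rw(r):
    return (r.mem_type, r.state, r.protect) == (
        "MEM_PRIVATE", "MEM_COMMIT", "PAGE_READWRITE")

def select_target(regions):
    """Return the region that immediately follows the unique PEB region."""
    peb = [i for i, r in enumerate(regions)
           if r.usage == "peb" and _private_commit_rw(r)]
    if len(peb) != 1:
        raise LookupError(f"expected exactly one PEB region, found {len(peb)}")
    if peb[0] + 1 >= len(regions):
        raise LookupError("no region follows the PEB region")
    target = regions[peb[0] + 1]
    # The follower must itself be 4 KB, private, committed, read-write, unknown usage.
    if not (_private_commit_rw(target) and target.size == 0x1000
            and target.usage == "unknown"):
        raise LookupError("region after PEB fails the screening conditions")
    return target

def read_parent_path(target, os_version, read_memory, max_bytes=520):
    """Read the path string at start + offset; returns (address, path)."""
    offset = PATH_OFFSET_BY_OS[os_version]  # KeyError: no offset known for version
    addr = target.start + offset
    if not target.start <= addr < target.end:
        raise ValueError("offset falls outside the target region")
    raw = read_memory(addr, min(max_bytes, target.end - addr))
    text = raw.decode("utf-16-le", errors="replace")
    return addr, text.split("\x00", 1)[0]

# Constructed listing: rows 2 and 3 are the ones quoted in the text, the rest are made up.
SAMPLE_LISTING = """\
3120000 312d000 d000 MEM_PRIVATE MEM_RESERVE PAGE_NOACCESS <unknown>[................]
312d000 3130000 3000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PEB[2d50]
3240000 3241000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE <unknown>[............L...]
3250000 3251000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE <unknown>[................]
"""

def make_fake_reader(image):
    """image maps a region start address to its bytes (constructed test data)."""
    def read(addr, n):
        for base, data in image.items():
            if base <= addr < base + len(data):
                return data[addr - base:addr - base + n]
        raise OSError(f"address {addr:#x} is not mapped")
    return read

def demo():
    page = bytearray(0x1000)
    encoded = r"C:\Example\launcher.exe".encode("utf-16-le")  # constructed path
    page[0x750:0x750 + len(encoded)] = encoded
    reader = make_fake_reader({0x3240000: bytes(page)})
    target = select_target(parse_listing(SAMPLE_LISTING))
    return read_parent_path(target, "win10", reader)

if __name__ == "__main__":
    address, path = demo()
    print(f"{address:#x} {path}")
```
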
According to an embodiment of the present invention, as shown in fig. 1, after operation 103, the method further includes: and operation 104, verifying the legality of the parent process according to the process path information of the parent process.
In operation 104, a parent process file may be first obtained by searching a process file list according to the process path information of the parent process; further checking the parent process file; if the verification is successful, determining that the parent process is legal; and if the verification fails, determining that the parent process is illegal.
Here, verifying the parent process file includes: calculating the hash value of the parent process file; and carrying out consistency check on the hash value of the parent process file and the hash value of the parent process file stored in advance. Wherein, the parent process file can be a digital signature file.
In an example, the parent process file may be verified by checking the hash value of the digital signature file of the parent process; if the hash value of the digital signature file of the parent process is not consistent with the pre-stored hash value of the digital signature file of the parent process, it is determined that the parent process has been tampered with. When it is determined that the parent process has been tampered with, it follows that the current child process was started illegally. The illegal start of the child process can therefore be forcibly intercepted, ensuring the running safety of the whole program.
Therefore, the embodiment of the invention can acquire the memory address information corresponding to the child process directly by a function call after the parent process has exited; an information list, which includes a plurality of pieces of memory detailed information, is then searched according to the memory address information; finally, the information list is traversed based on a specific screening condition to screen out the process path information of the parent process corresponding to the child process. The embodiment of the invention therefore omits real-time monitoring and recording of process creation, which improves the processing rate of the processor while it runs programs, reduces the storage space occupied, and effectively improves storage utilization.
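An added example (not code from the patent) of the check in operation 104: the recovered path is looked up in a process file list, the file is hashed, and the result is compared with the pre-stored value. SHA-256, the case-insensitive path lookup and all names here are assumptions; the files are constructed stand-ins.

```python
import hashlib
import hmac
import ntpath
import os
import tempfile

def _key(path):
    # Windows paths compare case-insensitively; ntpath behaves the same on any host.
    return ntpath.normcase(ntpath.normpath(path))

def build_process_file_list(entries):
    """entries: iterable of (file_path, expected_sha256_hex) recorded in advance."""
    return {_key(p): (p, h.lower()) for p, h in entries}

def sha256_file(path, chunk=1 << 16):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def check_parent(reported_path, process_file_list):
    """Return (is_legal, reason) for the path recovered from the child's memory."""
    entry = process_file_list.get(_key(reported_path))
    if entry is None:
        return False, "path not in process file list"
    file_path, expected = entry
    try:
        actual = sha256_file(file_path)
    except OSError:
        return False, "parent file unreadable"
    if not hmac.compare_digest(actual, expected):
        return False, "hash mismatch"
    return True, "hash matches"

def demo():
    with tempfile.TemporaryDirectory() as d:
        parent = os.path.join(d, "Launcher.exe")  # constructed parent file
        with open(parent, "wb") as f:
            f.write(b"constructed parent image")
        listing = build_process_file_list([(parent, sha256_file(parent))])
        results = [check_parent(parent.upper(), listing)]  # differs only in case
        with open(parent, "ab") as f:
            f.write(b"!")  # simulate tampering after the hash was stored
        results.append(check_parent(parent, listing))
        results.append(check_parent(os.path.join(d, "other.exe"), listing))
    return results

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The path is read from private read-write memory in the child's own address space, so a matching hash shows that the named file is unmodified, not that this file is what actually started the child.
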
Fig. 2 is a schematic diagram showing a component structure of a device for determining a parent process of a child process in an embodiment of the present invention.
As shown in fig. 2, an embodiment of the present invention provides an apparatus 20 for determining a parent process of a child process, where the apparatus 20 includes: an obtaining device 201, configured to obtain memory address information corresponding to a sub-process; the searching device 202 is configured to search an information list according to the memory address information, where the information list includes a plurality of pieces of memory detailed information; and the screening device 203 is used for traversing the information list based on a specific screening condition to screen out the process path information of the parent process corresponding to the child process.
According to an embodiment of the present invention, the screening device 203 is further configured to filter out the target detailed information by traversing the information list based on a specific screening condition; acquiring the memory content of the target detailed information according to a specific offset address, and determining the memory content as the process path information of a parent process corresponding to the child process; the value of the specific offset address is the sum of a start address of the target detailed information and a specific offset, and the specific offset is used for indicating the position of the process path information in the target detailed information.
Here, the value of the specific offset differs depending on the version of the operating system.
According to an embodiment of the present invention, the specific screening condition includes at least one of the following conditions: size, type, status, protection and usage of the memory details.
The value of the size can be 4 KB; the value of the type is private; the value of the state is commit; the value of protection is read and write; and/or the value of the usage mode is PEB.
According to an embodiment of the present invention, the screening device 203 is further configured to traverse the information list for screening based on at least one of a size, a type, a state, a protection mode, and a usage mode of the detailed memory information, so as to obtain the detailed memory information uniquely determined by the usage mode whose value is PEB; and taking the next piece of memory detailed information which is next to the memory detailed information uniquely determined by the use mode taking the value as the PEB in the information list as the target detailed information.
According to an embodiment of the present invention, as shown in fig. 2, the apparatus 20 further includes: the verifying device 204 is configured to verify the validity of the parent process according to the process path information of the parent process after the process path information of the parent process corresponding to the child process is screened out by the screening device 203.
According to an embodiment of the present invention, the verifying unit 204 is further configured to search for a parent process file from a process file list according to the process path information of the parent process; checking the parent process file; if the verification is successful, determining that the parent process is legal; and if the verification fails, determining that the parent process is illegal.
According to an embodiment of the present invention, the verifying unit 204 is further configured to: calculating the hash value of the parent process file; and carrying out consistency check on the hash value of the parent process file and the hash value of the parent process file stored in advance.
The specific configuration and operation of each constituent structure in the device 20 for determining a parent process of a child process according to an embodiment of the present application have been described in detail in the method for determining a parent process of a child process described above with reference to fig. 1, and therefore, a repetitive description thereof will be omitted.
Exemplary device
Having described the method and apparatus of exemplary embodiments of the present invention, next, an apparatus for determining a parent process of a child process according to another exemplary embodiment of the present invention is described.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or computer-readable storage medium. Thus, various aspects of the invention may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," "module" or "system."
In some possible embodiments, the device of the present invention that determines the parent of the child process may include at least one or more processors, and at least one memory. Wherein the memory stores a program, and when the program is executed by the processor, the program causes the processor to execute the steps of the method for determining the parent process of the child process described in this specification, for example, the processor may execute operation 101 shown in fig. 1 to obtain the memory address information corresponding to the child process; operation 102, searching an information list according to the memory address information, wherein the information list comprises a plurality of pieces of memory detailed information; in operation 103, the information list is traversed based on a specific filtering condition to filter out process path information of the parent process corresponding to the child process.
Fig. 3 schematically shows an implementation of a device for determining a parent process of a child process according to an embodiment of the invention.
An apparatus 300 for determining a parent process of a child process according to this embodiment of the present invention is described below with reference to fig. 3. The device 300 shown in fig. 3 is only an example and should not impose any limitation on the function and scope of use of the embodiments of the present invention.
As shown in FIG. 3, device 300 is illustrated in the form of a general purpose computing device, including but not limited to: at least one processor 310, at least one memory 320, and a bus 360 that couples the various system components including the memory 320 and the processor 310.
The memory 320 may include volatile memory, such as Random Access Memory (RAM) 321 and/or cache memory 322, and may further include Read Only Memory (ROM) 323.
Memory 320 may also include a set (at least one) of program modules 324, such program modules 324 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
The device 300 may also communicate with one or more external devices 30 (e.g., keyboard, pointing device, bluetooth device, etc.). Such communication may be via an input/output (I/O) interface 340 and displayed on display unit 330. Further, device 300 may also communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet) via network adapter 350. As shown, the network adapter 350 communicates with other modules in the device 300 over a bus 360. It should be understood that although not shown in the figures, other hardware and/or software modules may be used in conjunction with device 300, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Exemplary computer program product
In some possible embodiments, the various aspects of the present invention may also be implemented in a computer program product, which includes program code that, when executed by a processor, causes the processor to perform the steps of the method described above. For example, the processor may execute operation 101 shown in fig. 1, obtaining memory address information corresponding to a child process; operation 102, searching an information list according to the memory address information, wherein the information list comprises a plurality of pieces of memory detailed information; and operation 103, traversing the information list based on a specific filtering condition to filter out process path information of the parent process corresponding to the child process.
The computer program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Fig. 4 schematically shows a schematic diagram of a computer-readable storage medium storing a computer program implementing a method of determining a parent process of a child process according to an embodiment of the present invention.
As shown in fig. 4, a program product 400 according to an embodiment of the present invention is depicted, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal or server. However, the program product of the present invention is not limited in this regard and, in the present document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user computing device, partly on the user computing device, or entirely on a remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device over any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., over the internet using an internet service provider).
Moreover, while the operations of the method of the invention are depicted in the drawings in a particular order, this does not require or imply that the operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
It should be noted that although several devices and sub-devices for software testing are mentioned in the above detailed description, such partitioning is not mandatory. Indeed, the features and functions of two or more of the devices described above may be embodied in one device, according to embodiments of the invention. Conversely, the features and functions of one apparatus described above may be further divided so as to be embodied by a plurality of apparatuses.
While the spirit and principles of the invention have been described with reference to several particular embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, nor does the division into aspects, which is for convenience of presentation only, mean that the features in those aspects cannot be combined to advantage. The invention is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.
Claims (8)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201711464927.0A CN108197041B (en) | 2017-12-28 | 2017-12-28 | Method, device and storage medium for determining parent process of child process |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201711464927.0A CN108197041B (en) | 2017-12-28 | 2017-12-28 | Method, device and storage medium for determining parent process of child process |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN108197041A CN108197041A (en) | 2018-06-22 |
| CN108197041B true CN108197041B (en) | 2021-09-28 |
Family
ID=62585701
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201711464927.0A Active CN108197041B (en) | 2017-12-28 | 2017-12-28 | Method, device and storage medium for determining parent process of child process |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108197041B (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112395611B (en) * | 2019-08-15 | 2024-01-30 | 奇安信安全技术(珠海)有限公司 | Process chain processing methods, devices and equipment |
| CN112269644B (en) * | 2020-10-16 | 2022-07-08 | 苏州浪潮智能科技有限公司 | Verification method, system and device for subprocess calling and readable storage medium |
| CN114647843B (en) * | 2020-12-21 | 2025-07-25 | 奇安信安全技术(珠海)有限公司 | Parent process identification method, device, electronic equipment, storage medium and program |
Family Cites Families (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103631612B (en) * | 2012-08-23 | 2017-09-29 | 腾讯科技(深圳)有限公司 | The method and apparatus of start-up operation system |
| CN102945343B (en) * | 2012-09-25 | 2017-05-17 | 北京奇虎科技有限公司 | Method and device for enumerating system process |
| CN104572394B (en) * | 2013-10-29 | 2018-04-27 | 腾讯科技(深圳)有限公司 | process monitoring method and device |
| CN105488415B (en) * | 2015-11-30 | 2019-09-03 | 福建天晴数码有限公司 | The method and apparatus of scanning system process |
| CN105608375A (en) * | 2015-12-17 | 2016-05-25 | 北京金山安全软件有限公司 | Process information acquisition method and device |
| EP3430557B1 (en) * | 2016-03-15 | 2021-04-21 | Carbon Black, Inc. | System and method for reverse command shell detection |
| CN107292169B (en) * | 2016-03-31 | 2021-04-16 | 阿里巴巴集团控股有限公司 | Threat tracing method and device for malicious software |
| CN107122663B (en) * | 2017-04-28 | 2021-04-02 | 北京梆梆安全科技有限公司 | Injection attack detection method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN108197041A (en) | 2018-06-22 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||