Method and device for detecting Java agent without file injection into memory horse

Bibliographic Details
Main Authors: ZHANG XIAORUI, BAO CHUNJIE, JIANG XIANGQIAN
Format: Patent
Language: Chinese, English
Published: 03.02.2023
Summary: The invention discloses a method and device for detecting fileless injection of a memory horse (in-memory webshell) through a Java agent. The method comprises the steps of: parsing the /proc/self/maps file in a Java system to obtain the load range of libjvm.so; monitoring the /proc/self/mem file in the Java system in real time; and judging whether the write range of a read-write operation on /proc/self/mem in memory is the load range of libjvm.so. If yes, the read-write operation is judged to be a malicious memory operation and is intercepted; if not, the read-write operation is judged to be a normal memory operation. Malicious shellcode writes are detected by monitoring the /proc/self/mem memory operations of a Java web container program, so that malicious memory injection is found in time and intercepted, improving security and stability.
Bibliography: Application Number: CN202211436170
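
The range check described in the summary, as an added Python example that is not taken from the patent: it parses maps text for the libjvm.so mappings and classifies a write to /proc/self/mem by whether it overlaps them. The function names, the constructed sample maps content, treating any overlap as a hit, and receiving the write offset and length from some monitoring hook are all assumptions; the record does not describe how the operation is observed or intercepted.

```python
import os

# Constructed sample of /proc/self/maps content for a JVM process (not real data).
SAMPLE_MAPS = """\
55d0a8c00000-55d0a8c01000 r-xp 00000000 08:01 393301 /usr/lib/jvm/jdk/bin/java
7f10a4000000-7f10a4021000 rw-p 00000000 00:00 0
7f10b5a00000-7f10b6800000 r-xp 00000000 08:01 393410 /usr/lib/jvm/jdk/lib/server/libjvm.so
7f10b6800000-7f10b6a00000 ---p 00e00000 08:01 393410 /usr/lib/jvm/jdk/lib/server/libjvm.so
7f10b6a00000-7f10b6af0000 r--p 00e00000 08:01 393410 /usr/lib/jvm/jdk/lib/server/libjvm.so
7f10b6af0000-7f10b6b20000 rw-p 00ef0000 08:01 393410 /usr/lib/jvm/jdk/lib/server/libjvm.so
7f10b7000000-7f10b7200000 r-xp 00000000 08:01 393420 /usr/lib/jvm/jdk/lib/libjava.so
7ffc1b2e0000-7ffc1b301000 rw-p 00000000 00:00 0 [stack]
"""


def parse_libjvm_ranges(maps_text, library="libjvm.so"):
    """Return merged [start, end) address ranges of every mapping backed by `library`."""
    ranges = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode [pathname]
        if len(fields) < 6 or os.path.basename(fields[5].strip()) != library:
            continue  # anonymous mapping or a different file
        start, end = (int(x, 16) for x in fields[0].split("-"))
        if ranges and start <= ranges[-1][1]:  # maps is address-sorted: merge segments
            ranges[-1] = (ranges[-1][0], max(ranges[-1][1], end))
        else:
            ranges.append((start, end))
    return ranges


def classify_write(offset, length, ranges):
    """Classify a write of `length` bytes at `offset` in /proc/self/mem (assumed hook input)."""
    if length <= 0:
        return "normal"
    write_end = offset + length
    for start, end in ranges:
        if offset < end and write_end > start:  # any overlap with the libjvm.so range
            return "malicious"
    return "normal"


if __name__ == "__main__":
    jvm_ranges = parse_libjvm_ranges(SAMPLE_MAPS)
    # Constructed writes: inside libjvm.so, in an anonymous region, straddling the start.
    for off, n in [(0x7F10B5C00010, 64), (0x7F10A4000100, 4096), (0x7F10B59FFFF0, 32)]:
        print(hex(off), n, classify_write(off, n, jvm_ranges))
```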