CN105279433B - Application program protection method and device - Google Patents

Info

Publication number: CN105279433B
Application number: CN201410327526.0A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN105279433A
Inventors: 王春鹏, 蒋宁波
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Prior art keywords: application program, protected application, module, event, operating system
Events: application filed by Tencent Technology Shenzhen Co Ltd; publication of CN105279433A; application granted; publication of CN105279433B

Landscapes

  • Debugging And Monitoring (AREA)
  • Telephone Function (AREA)

Abstract

The invention discloses a method and a device for protecting an application program, and belongs to the technical field of computers. The method comprises the following steps: monitoring the protected application program through a parent process; if it is monitored that another process accesses the protected application program, acquiring the access event of that process; sending the access event to a cloud end so that the cloud end analyzes whether the access event is an abnormal event; and if the access event is an abnormal event, preventing the other process from accessing the protected application program. The invention allows the application program to be protected even when no protection application program is installed in the terminal; in addition, querying the cloud about whether the access event is abnormal effectively reduces the terminal's consumption of system resources and improves the efficiency of the system.

Description

Application program protection method and device
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and an apparatus for protecting an application program.
Background
With the development of computer technology, various kinds of application programs have appeared to meet the various demands of users. Along with them, malicious applications have appeared that threaten the normal use of the computer and may even cause leakage of user information.
In order to protect normal applications on a computer, protective applications such as antivirus software are generally installed. The protective application program actively inspects the operation logic of all application programs running on the computer, and once a malicious access event is detected, such as one application program performing code injection, data tampering or instruction changes on the data in the process space of another application, a prompt is generated and the user decides whether to pass or block the malicious access event.
The inventor finds that the prior art has at least the following problems:
in some specific scenarios the computer has no protective application installed, or some users close the protective application in pursuit of the computer's running performance. In these cases the computer's use environment is not protected by the protective application, its normal use is easily affected by malicious applications, and user information may even be leaked.
Disclosure of Invention
In order to solve the problems in the prior art, embodiments of the present invention provide a method and an apparatus for protecting an application program. The technical scheme is as follows:
in one aspect, a method for protecting an application program is provided, and the method includes:
monitoring the protected application program through a parent process;
if monitoring that other processes access the protected application program, acquiring an access event of the other processes accessing the protected application program;
sending the access event to a cloud end, and enabling the cloud end to analyze whether the access event is an abnormal event;
and if the event is an abnormal event, preventing the other processes from accessing the protected application program.
In another aspect, a device for protecting an application is provided, the device comprising:
the monitoring module is used for monitoring the protected application program through the parent process;
an obtaining module, configured to obtain an access event that another process accesses the protected application if it is monitored that the other process accesses the protected application;
the sending module is used for sending the access event to a cloud end, so that the cloud end analyzes whether the access event is an abnormal event;
and the blocking module is used for blocking the other processes from accessing the protected application program if the access event is an abnormal event.
The technical scheme provided by the embodiment of the invention has the following beneficial effects:
monitoring the protected application program through the parent process, inquiring whether the access event is an abnormal event or not from the cloud when monitoring the access event of other processes to the protected application program, and if the access event is the abnormal event, stopping the access event. When the protection application is not installed in the terminal, the application program can be protected; in addition, the process of inquiring whether the access event is an abnormal event or not through the cloud can effectively reduce the occupation of system resources of the terminal and improve the use efficiency of the system.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of a method for protecting an application according to an embodiment of the present invention;
Fig. 2 is a flowchart of a method for protecting an application according to a second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a protection device for an application according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a terminal according to a fourth embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
Example one
The embodiment of the invention provides a method for protecting an application program, and with reference to fig. 1, the method comprises the following steps:
101: monitoring the protected application program through a parent process;
102: if monitoring that other processes access the protected application program, acquiring an access event of the other processes accessing the protected application program;
103: sending an access event to the cloud end, and enabling the cloud end to analyze whether the access event is an abnormal event or not;
104: if an exception event occurs, other processes are prevented from accessing the protected application.
The embodiment of the invention monitors the protected application program through the parent process, inquires whether the access event is an abnormal event or not from the cloud when monitoring the access event of other processes to the protected application program, and blocks the access event if the access event is the abnormal event. So that the application program can be protected when the protection application program is not installed in the terminal; in addition, the process of inquiring whether the access event is an abnormal event or not through the cloud can effectively reduce the occupation of system resources of the terminal and improve the use efficiency of the system.
Example two
The embodiment of the invention provides a method for protecting an application program, and with reference to fig. 2, the method comprises the following steps:
201: when the operating system is started, a parent process is created. The parent process is used for running a functional module with a protection function, and this functional module can protect the application program in the terminal.
The installation package of the application program comprises an implementation code for implementing the application program and a functional module with a protection function. The functional module with the protection function can call a driver module in a kernel layer of an operating system to monitor and control an application program in the terminal, but does not include a virus library, so that the capacity of the functional module with the protection function is small and is often only dozens or hundreds of KB. When the installation package of the application program is installed, the application program is installed on the terminal, and the functional module with the protection function is added to the starting item of the operating system.
The method comprises the steps that when an operating system of the terminal is started, a starting item is detected, a corresponding process is established for each program in the starting item, and each program is operated through the process corresponding to each program. Therefore, when the operating system is started, the operating system creates a process for the functional module with the protection function in the startup starting item, the process is a parent process, and the functional module with the protection function is operated through the parent process.
After the operating system of the terminal is started, the user can select the application program to be run in the terminal. The parent process takes the application as a protected application and protects the protected application through the following process.
202: the parent process performs a security check on the current running environment, and when the check is passed, the following step 203 is performed.
Before creating the child process corresponding to the protected application program, the parent process inspects the current operating environment of the operating system, and creates the child process only after determining that the operating environment is safe. The inspected content may include, but is not limited to: checking the registry for registry entries that threaten the protected application program; and checking the system files for files that have been changed by a malicious application program. If an abnormal condition is detected, prompt information is sent to the user.
203: the protected application is monitored by the parent process.
The specific implementation of step 203 can be implemented through steps 2031 to 2033:
2031: starting a child process corresponding to the protected application program through the parent process, wherein the child process is used for running the protected application program so as to start the protected application program;
2032: controlling a parent process to call a driving module in an operating system;
2033: monitoring the child process at the kernel layer of the operating system through the driver module, so as to monitor the protected application program.
The driver module belongs to the kernel space in the kernel layer of the operating system. Kernel code and data are stored in the kernel space, and the kernel space runs with ring 0 authority, that is, the highest privilege level of the Central Processing Unit (CPU). An ordinary process runs at application level with only ring 3 authority: the code and data of the user program are stored in the process space of the process, an application program running in the process space can only see the part of the system resources it is allowed to use, cannot use certain specific system functions, cannot directly access the kernel space or hardware devices, and is subject to other specific usage limitations. Arranging the process space and the kernel space under this asymmetric access mechanism gives good security: it effectively resists snooping by malicious users and prevents damage from poorly written user programs, so the system runs more stably and reliably.
Because the kernel space has ring 0 authority, the driver module can monitor every user-level process and the operations between user-level processes. Here, the parent process calls the driver module to monitor the creation of the child process and then to monitor the child process itself; the monitored content is whether other processes perform access events on the child process.
The operation mode in the access event may include, but is not limited to: injecting codes; modifying data; instruction modification, etc.
204: if access by other processes to the protected application program is monitored, acquiring the access event of the other processes to the protected application program.
When another process accesses the protected application program, the access event is intercepted, and the process identifier, operation mode and operation content of that process in the access event are obtained. At this point the driver module prohibits the other process from executing the access event on the child process, waits for the parent process to send the access event to the cloud, and lets the cloud decide whether the access event is allowed to be executed.
The access event may be a normal event, that is, a normal operation performed on the process space of the protected application's child process by a process corresponding to a normal application program; or it may be an abnormal event, that is, an operation performed on that process space by a process corresponding to a malicious application program, which may pose a security threat to the terminal or the user.
The driver module records both kinds of access event. The recorded content may include, but is not limited to: the identifier of the process or file that performs the access event on the process space of the child process, and the operation mode and operation content of that access event.
For example: if process A performs a code injection access event on the process space of the child process, the access event records the process identifier of process A, the recorded operation mode is code injection, and the recorded operation content is the injected code.
205: sending the access event to the cloud end, so that the cloud end analyzes whether the access event is an abnormal event.
The terminal sends a query request carrying the access event to the cloud. After receiving the query request, the cloud looks up the access event in a pre-stored correspondence between access events and judgment results. If the access event is found in the correspondence, the judgment result corresponding to the access event is returned to the terminal.
In the above example, the cloud queries the pre-stored correspondence according to the process identifier, operation mode and operation content recorded in the access event, where each access event in the correspondence is itself a combination of process identifier, operation mode and operation content. The cloud checks whether a record with the same process identifier, operation mode and operation content as the reported access event exists in the correspondence, and if such a record is found, obtains the judgment result corresponding to it.
The judgment result may include: normal event, for which the processing mode is release; and abnormal event, for which the processing mode is interception.
When the judgment result is an abnormal event, the parent process notifies the driver module of the interception operation, so that the kernel space intercepts the access event and prevents it from being carried out.
Optionally, if the access event is not found, a preset warning prompt message may be returned to the terminal, and the user chooses whether to pass or intercept the access event.
206: if an exception event occurs, other processes are prevented from accessing the protected application.
The specific implementation of step 206 can be implemented through steps 2061 to 2062:
2061: informing the analysis result of the cloud to a driving module of an operating system through a parent process;
2062: controlling the driver module to intercept the other processes at the kernel layer of the operating system according to the analysis result, so as to prevent the other processes from accessing the protected application program.
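The flow of steps 204 to 206 (driver holds the event, parent queries the cloud, driver releases or intercepts according to the verdict) can be simulated in user-mode Python. This is an added illustration, not code from the patent or from Tencent: the driver and cloud are in-process stand-ins, the event fields are the three the page names (process identifier, operation mode, operation content), and the verdict table, process names and byte strings are constructed sample data.

```python
"""Simulated terminal/cloud handling of an intercepted access event (steps 204 to 206)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Verdict(Enum):
    NORMAL = "release"      # judgment result: normal event, processing mode release
    ABNORMAL = "intercept"  # judgment result: abnormal event, processing mode intercept
    UNKNOWN = "prompt"      # no record in the cloud: warning prompt, the user decides


@dataclass(frozen=True)
class AccessEvent:
    """What the driver records about an access to the child's process space."""
    process_id: str   # identifier of the accessing process (constructed names below)
    operation: str    # "code_injection", "data_modification" or "instruction_modification"
    content: bytes    # operation content, e.g. the bytes being injected


# Cloud side. Constructed sample table (assumption): the pre-stored correspondence between
# access events and judgment results, keyed on the same three fields the page names.
CLOUD_TABLE: Dict[Tuple[str, str, bytes], Verdict] = {
    ("tool_a.exe", "data_modification", b"watch=1"): Verdict.NORMAL,
    ("untrusted.exe", "code_injection", b"\x90\x90\xcc"): Verdict.ABNORMAL,
}


def cloud_query(event: AccessEvent) -> Verdict:
    """Stand-in for the cloud end: exact-match lookup of the reported event."""
    key = (event.process_id, event.operation, event.content)
    return CLOUD_TABLE.get(key, Verdict.UNKNOWN)


class DriverModule:
    """Kernel-layer stand-in: holds the intercepted event (the accessing process may not
    proceed) until the parent process reports the analysis result."""

    def __init__(self) -> None:
        self.pending: Dict[int, AccessEvent] = {}
        self.records: List[AccessEvent] = []   # the driver records every access event
        self._next_token = 0

    def intercept(self, event: AccessEvent) -> int:
        token = self._next_token
        self._next_token += 1
        self.pending[token] = event
        self.records.append(event)
        return token

    def apply(self, token: int, verdict: Verdict) -> str:
        """Step 2062: intercept the other process, or let the held event proceed."""
        self.pending.pop(token)
        return "blocked" if verdict is Verdict.ABNORMAL else "released"


class ParentProcess:
    """User-level parent process bridging the driver and the cloud."""

    def __init__(self, driver: DriverModule,
                 query: Callable[[AccessEvent], Verdict],
                 ask_user: Callable[[AccessEvent], str]) -> None:
        self.driver = driver
        self.query = query
        self.ask_user = ask_user   # returns "pass" or "intercept" (the optional prompt path)

    def handle(self, event: AccessEvent) -> str:
        token = self.driver.intercept(event)
        verdict = self.query(event)
        if verdict is Verdict.UNKNOWN:
            # Step 205, optional path: no record found, the user chooses pass or intercept.
            verdict = Verdict.ABNORMAL if self.ask_user(event) == "intercept" else Verdict.NORMAL
        # Step 2061: the parent informs the driver of the analysis result.
        return self.driver.apply(token, verdict)


def run_demo() -> List[str]:
    """Runs three constructed events through the pipeline and returns the outcomes."""
    driver = DriverModule()
    parent = ParentProcess(driver, cloud_query, ask_user=lambda ev: "intercept")
    events = [
        AccessEvent("tool_a.exe", "data_modification", b"watch=1"),      # known normal
        AccessEvent("untrusted.exe", "code_injection", b"\x90\x90\xcc"),  # known abnormal
        AccessEvent("other.exe", "instruction_modification", b"\xeb\xfe"),  # unknown
    ]
    return [parent.handle(ev) for ev in events]


if __name__ == "__main__":
    print(run_demo())  # ['released', 'blocked', 'blocked']
```

The lookup is an exact match on the three recorded fields, as the page describes; a real deployment would also need to decide what the driver does if the cloud is unreachable, which the page does not address.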
207: setting the parent process and the child process to periodically carry out integrity check on each other, and when the check is not passed, terminating the operation of the protected application program.
In order to prevent a malicious process from isolating the parent process from the child process, the integrity of the process features of the parent process and the child process is checked periodically with a preset algorithm while the child process runs after the parent process has created it. The content of the integrity check includes, but is not limited to, data such as the instructions in the process space, and process features such as static file features.
The preset algorithm may include, but is not limited to, a check algorithm such as MD5 (Message Digest Algorithm 5).
If the integrity check does not pass, the user is reminded or the protected application program is stopped, according to the degree of integrity of the data in the process space. The protected application program is stopped by terminating the child process.
Further, this step is performed after the parent process starts the child process corresponding to the protected application program in step 2031, and it has no fixed timing relationship with the other steps.
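Step 207 describes a periodic mutual integrity check with MD5 over process features. The following is an added example, not code from the patent or from Tencent: it models each process by two constructed byte strings standing in for the page's static file features and process-space instructions, takes a baseline digest per feature at start, and lets each side verify the other. The page only says the response depends on the degree of integrity; the threshold used here to choose between reminding the user and terminating the child is an assumption.

```python
"""Periodic mutual integrity check between parent and child (step 207), simulated."""
import hashlib
from dataclasses import dataclass
from typing import Dict


@dataclass
class ProcessFeatures:
    """Constructed stand-ins for the features the page names."""
    image_file: bytes    # static file features of the executable on disk
    code_region: bytes   # instructions in the process space


def feature_digests(f: ProcessFeatures) -> Dict[str, str]:
    """One MD5 per feature, so a mismatch can be attributed to a specific feature."""
    return {
        "image_file": hashlib.md5(f.image_file).hexdigest(),
        "code_region": hashlib.md5(f.code_region).hexdigest(),
    }


class SupervisedProcess:
    def __init__(self, name: str, features: ProcessFeatures) -> None:
        self.name = name
        self.features = features
        self.baseline = feature_digests(features)   # recorded when the process starts
        self.running = True


def check_peer(peer: SupervisedProcess, terminate_below: float = 0.5) -> str:
    """One side verifies the other. Returns 'ok', 'warn' or 'terminate'.
    Integrity degree = fraction of features whose digest still matches the baseline.
    Policy (assumption): degree 1.0 -> ok; degree >= terminate_below -> warn the user;
    otherwise -> terminate."""
    current = feature_digests(peer.features)
    intact = sum(1 for k, v in current.items() if v == peer.baseline[k])
    degree = intact / len(current)
    if degree == 1.0:
        return "ok"
    return "warn" if degree >= terminate_below else "terminate"


def mutual_check(parent: SupervisedProcess, child: SupervisedProcess) -> Dict[str, str]:
    """Both sides check each other. If either check calls for termination, the protected
    application is stopped by ending the child process, as the page describes."""
    results = {
        "parent_checks_child": check_peer(child),
        "child_checks_parent": check_peer(parent),
    }
    if "terminate" in results.values():
        child.running = False
    return results


def run_demo() -> Dict[str, Dict[str, str]]:
    """Three rounds: untouched, child code region altered, child file altered as well."""
    parent = SupervisedProcess("parent", ProcessFeatures(b"PARENT-IMAGE", b"\x55\x48\x89\xe5"))
    child = SupervisedProcess("child", ProcessFeatures(b"CHILD-IMAGE", b"\x48\x83\xec\x20"))
    rounds = {"round1": mutual_check(parent, child)}
    child.features.code_region = b"\x90\x90\x90\x90"   # constructed in-memory tampering
    rounds["round2"] = mutual_check(parent, child)
    child.features.image_file = b"REPLACED-IMAGE"       # constructed on-disk tampering
    rounds["round3"] = mutual_check(parent, child)
    return rounds


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

In the simulation each round is a single call; in a real supervisor the check would run on a timer in both processes, and the child's check of the parent is what detects a parent that has been replaced or suspended.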
The embodiment of the invention monitors the protected application program through the parent process, inquires whether the access event is an abnormal event or not from the cloud when monitoring the access event of other processes to the protected application program, and blocks the access event if the access event is the abnormal event. When the protection application program is not installed in the terminal, the application program can be protected; in addition, the process of inquiring whether the access event is an abnormal event or not through the cloud can effectively reduce the occupation of system resources of the terminal and improve the use efficiency of the system.
EXAMPLE III
An embodiment of the present invention provides a protection device for an application program, and referring to fig. 3, the device includes:
a monitoring module 301, configured to monitor a protected application through a parent process;
an obtaining module 302, configured to obtain an access event that another process accesses the protected application if it is monitored that the other process accesses the protected application;
the sending module 303 is configured to send the access event to the cloud, so that the cloud analyzes whether the access event is an abnormal event;
a blocking module 304, configured to block other processes from accessing the protected application if the access event is an abnormal event.
Wherein, the monitoring module 301 includes:
the starting unit is used for starting a child process corresponding to the protected application program through a parent process so as to start the protected application program;
the calling unit is used for controlling the parent process to call a driving module in the operating system;
and the monitoring unit is used for monitoring the subprocess at a kernel layer of the operating system through the driving module so as to realize monitoring of the protected application program.
The device further includes:
a setting module 305, configured to set the parent process and the child process to periodically perform integrity check on each other, and terminate the operation of the protected application when the check fails.
The device further includes:
the detection module 306 is configured to create a parent process when the operating system is started, perform security detection on the current operating environment through the parent process, and execute an operation of starting a child process corresponding to the protected application program when the detection passes.
The blocking module 304 includes:
the notification unit is used for notifying the analysis result of the cloud end to a driving module of the operating system through the parent process;
and the interception unit is used for controlling the drive module to intercept other processes at a kernel layer of the operating system according to the analysis result so as to prevent the other processes from accessing the protected application program.
The embodiment of the invention monitors the protected application program through the parent process, inquires whether the access event is an abnormal event or not from the cloud when monitoring the access event of other processes to the protected application program, and blocks the access event if the access event is the abnormal event. When the protection application program is not installed in the terminal, the application program can be protected; in addition, the process of inquiring whether the access event is an abnormal event or not through the cloud can effectively reduce the occupation of system resources of the terminal and improve the use efficiency of the system.
Example four
Referring to Fig. 4, a schematic structural diagram of a terminal with a touch-sensitive surface according to an embodiment of the present invention is shown; the terminal implements the method provided in the foregoing embodiments. Specifically:
the terminal 900 may include RF (Radio Frequency) circuitry 110, memory 120 including one or more computer-readable storage media, an input unit 130, a display unit 140, a sensor 150, audio circuitry 160, a WiFi (wireless fidelity) module 170, a processor 180 including one or more processing cores, and a power supply 190. Those skilled in the art will appreciate that the terminal configuration shown in fig. 4 is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components. Wherein:
the RF circuit 110 may be used for receiving and transmitting signals during information transmission and reception or during a call, and in particular, receives downlink information from a base station and then sends the received downlink information to the one or more processors 180 for processing; in addition, data relating to uplink is transmitted to the base station. In general, the RF circuitry 110 includes, but is not limited to, an antenna, at least one Amplifier, a tuner, one or more oscillators, a Subscriber Identity Module (SIM) card, a transceiver, a coupler, an LNA (Low Noise Amplifier), a duplexer, and the like. In addition, the RF circuitry 110 may also communicate with networks and other devices via wireless communications. The wireless communication may use any communication standard or protocol, including but not limited to GSM (Global System for Mobile communications), GPRS (General Packet Radio Service), CDMA (Code Division Multiple Access), WCDMA (Wideband Code Division Multiple Access), LTE (Long Term Evolution), email, SMS (short messaging Service), etc.
The memory 120 may be used to store software programs and modules, and the processor 180 executes various functional applications and data processing by operating the software programs and modules stored in the memory 120. The memory 120 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, a phonebook, etc.) created according to the use of the terminal 900, and the like. Further, the memory 120 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, the memory 120 may further include a memory controller to provide the processor 180 and the input unit 130 with access to the memory 120.
The input unit 130 may be used to receive input numeric or character information and generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control. In particular, the input unit 130 may include a touch-sensitive surface 131 as well as other input devices 132. The touch-sensitive surface 131, also referred to as a touch display screen or a touch pad, may collect touch operations by a user on or near the touch-sensitive surface 131 (e.g., operations by a user on or near the touch-sensitive surface 131 using a finger, a stylus, or any other suitable object or attachment), and drive the corresponding connection device according to a predetermined program. Alternatively, the touch sensitive surface 131 may comprise two parts, a touch detection means and a touch controller. The touch detection device detects the touch direction of a user, detects a signal brought by touch operation and transmits the signal to the touch controller; the touch controller receives touch information from the touch sensing device, converts the touch information into touch point coordinates, sends the touch point coordinates to the processor 180, and can receive and execute commands sent by the processor 180. Additionally, the touch-sensitive surface 131 may be implemented using various types of resistive, capacitive, infrared, and surface acoustic waves. In addition to the touch-sensitive surface 131, the input unit 130 may also include other input devices 132. In particular, other input devices 132 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, switch keys, etc.), a trackball, a mouse, a joystick, and the like.
The display unit 140 may be used to display information input by or provided to a user and various graphical user interfaces of the terminal 900, which may be made up of graphics, text, icons, video, and any combination thereof. The Display unit 140 may include a Display panel 141, and optionally, the Display panel 141 may be configured in the form of an LCD (Liquid Crystal Display), an OLED (Organic Light-Emitting Diode), or the like. Further, the touch-sensitive surface 131 may cover the display panel 141, and when a touch operation is detected on or near the touch-sensitive surface 131, the touch operation is transmitted to the processor 180 to determine the type of the touch event, and then the processor 180 provides a corresponding visual output on the display panel 141 according to the type of the touch event. Although in FIG. 4, touch-sensitive surface 131 and display panel 141 are shown as two separate components to implement input and output functions, in some embodiments, touch-sensitive surface 131 may be integrated with display panel 141 to implement input and output functions.
The terminal 900 can also include at least one sensor 150, such as a light sensor, motion sensor, and other sensors. Specifically, the light sensor may include an ambient light sensor that may adjust the brightness of the display panel 141 according to the brightness of ambient light, and a proximity sensor that may turn off the display panel 141 and/or the backlight when the terminal 900 is moved to the ear. As one of the motion sensors, the gravity acceleration sensor can detect the magnitude of acceleration in each direction (generally, three axes), can detect the magnitude and direction of gravity when the mobile phone is stationary, and can be used for applications of recognizing the posture of the mobile phone (such as horizontal and vertical screen switching, related games, magnetometer posture calibration), vibration recognition related functions (such as pedometer and tapping), and the like; as for other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, and an infrared sensor, which can be configured in the terminal 900, detailed descriptions thereof are omitted.
The audio circuit 160, speaker 161 and microphone 162 provide an audio interface between the user and the terminal 900. The audio circuit 160 converts received audio data into an electrical signal and sends it to the speaker 161, which converts it into a sound signal for output; conversely, the microphone 162 converts a collected sound signal into an electrical signal, which the audio circuit 160 receives and converts into audio data. The audio data is then output to the processor 180 for processing and on to the RF circuit 110 for transmission to, for example, another terminal, or is stored in the memory 120 for further processing. The audio circuit 160 may also include an earphone jack for connecting peripheral headphones to the terminal 900.
WiFi is a short-range wireless transmission technology; through the WiFi module 170 the terminal 900 can help the user send and receive e-mail, browse web pages, access streaming media and the like, providing wireless broadband Internet access. Although fig. 4 shows the WiFi module 170, it is not an essential part of the terminal 900 and can be omitted entirely as needed without changing the essence of the invention.
The processor 180 is the control center of the terminal 900. It connects the various parts of the whole mobile phone through various interfaces and lines, and performs the functions of the terminal 900 and processes data by running or executing software programs and/or modules stored in the memory 120 and calling data stored in the memory 120, thereby monitoring the mobile phone as a whole. Optionally, the processor 180 may include one or more processing cores; preferably, the processor 180 integrates an application processor, which mainly handles the operating system, user interface, application programs and the like, and a modem processor, which mainly handles wireless communication. It will be appreciated that the modem processor need not be integrated into the processor 180.
Terminal 900 also includes a power supply 190 (e.g., a battery) for powering the various components, which may preferably be logically coupled to processor 180 via a power management system that may be used to manage charging, discharging, and power consumption. The power supply 190 may also include any component including one or more of a dc or ac power source, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and the like.
Although not shown, the terminal 900 may further include a camera, a Bluetooth module and the like, which are not described here. Specifically, in this embodiment, the display unit of the terminal 900 is a touch screen display, and the terminal 900 further includes a memory and one or more programs, where the one or more programs are stored in the memory and configured to be executed by the one or more processors, and the one or more programs include instructions for:
monitoring the protected application program through a parent process;
if it is monitored that other processes access the protected application program, acquiring an access event of the other processes accessing the protected application program;
sending the access event to a cloud end, so that the cloud end analyzes whether the access event is an abnormal event;
and if the access event is an abnormal event, preventing the other processes from accessing the protected application program.
Preferably, monitoring the protected application program through the parent process includes:
starting, through the parent process, a child process corresponding to the protected application program, so that the protected application program is started;
controlling the parent process to call a driver module in the operating system;
and monitoring the child process at the kernel layer of the operating system through the driver module, thereby monitoring the protected application program.
Preferably, after monitoring the protected application program through the parent process, the method further includes:
setting the parent process and the child process to periodically perform an integrity check on each other, and terminating the operation of the protected application program when the check fails.
Preferably, before monitoring the protected application program through the parent process, the method further includes:
creating the parent process when the operating system is started, carrying out security detection on the current operating environment through the parent process, and performing the operation of starting the child process corresponding to the protected application program when the detection passes.
Preferably, preventing the other processes from accessing the protected application program includes:
notifying a driver module of the operating system of the analysis result of the cloud end through the parent process;
and controlling the driver module to intercept the other processes at the kernel layer of the operating system according to the analysis result, so as to prevent the other processes from accessing the protected application program.
In the embodiment of the invention, the protected application program is monitored through a parent process; when an access event of other processes to the protected application program is detected, the cloud end is queried as to whether the access event is an abnormal event, and the access event is blocked if it is. In this way the application program can be protected even when no dedicated protection program is installed on the terminal; in addition, querying the cloud end about whether the access event is abnormal effectively reduces the occupation of the terminal's system resources and improves the efficiency of the system.
The serial numbers of the embodiments above are for description only and do not indicate the relative merits of the embodiments.
Those skilled in the art will understand that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, such as a read-only memory, a magnetic disk or an optical disk.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (5)

1. A method for protecting an application program, the method comprising:
creating a parent process when an operating system is started, carrying out security detection on the current registry and system files through the parent process, and, when the security detection passes, starting a child process through the parent process so as to start a protected application program;
controlling the parent process to call a driver module in the operating system, wherein the driver module is a module in a kernel layer of the operating system and is configured to monitor the protected application program when it is called by a functional module with a protection function in the protected application program, the functional module being a module added to a startup item of the operating system from an installation package of the protected application program;
monitoring the child process at the kernel layer of the operating system through the driver module, thereby monitoring the protected application program;
if it is monitored that other processes access the protected application program, acquiring an access event of the other processes accessing the protected application program;
sending the access event to a cloud end, so that the cloud end analyzes whether the access event is an abnormal event;
if the access event is an abnormal event, preventing the other processes from accessing the protected application program; and
setting the parent process and the child process corresponding to the protected application program to periodically perform an integrity check on each other, and terminating the operation of the protected application program when the check fails, wherein the content of the integrity check comprises process space instructions and/or static file characteristics.
2. The method of claim 1, wherein preventing the other processes from accessing the protected application program comprises:
notifying a driver module of the operating system of the analysis result of the cloud end through the parent process;
and controlling the driver module to intercept the other processes at the kernel layer of the operating system according to the analysis result, so as to prevent the other processes from accessing the protected application program.
3. An apparatus for protecting an application program, the apparatus comprising:
a detection module, configured to create a parent process when the operating system is started, carry out security detection on the current registry and system files through the parent process, and perform the operation of starting a child process corresponding to the protected application program when the detection passes;
a monitoring module, configured to monitor the protected application program through the parent process;
a setting module, configured to set the parent process and the child process corresponding to the protected application program to periodically perform an integrity check on each other, and to terminate the operation of the protected application program when the integrity check fails, wherein the content of the integrity check comprises process space instructions and/or static file characteristics;
an obtaining module, configured to obtain, if it is monitored that other processes access the protected application program, an access event of the other processes accessing the protected application program;
a sending module, configured to send the access event to a cloud end, so that the cloud end analyzes whether the access event is an abnormal event;
a blocking module, configured to prevent the other processes from accessing the protected application program if the access event is an abnormal event;
wherein the monitoring module comprises a starting unit, a calling unit and a monitoring unit;
the starting unit is configured to start the child process through the parent process so as to start the protected application program;
the calling unit is configured to control the parent process to call a driver module in the operating system, wherein the driver module is a module in the kernel layer of the operating system and is configured to monitor the protected application program when it is called by a functional module with a protection function in the protected application program, the functional module being a module added to a startup item of the operating system from an installation package of the protected application program;
and the monitoring unit is configured to monitor the child process at the kernel layer of the operating system through the driver module, so as to monitor the protected application program.
4. The apparatus of claim 3, wherein the blocking module comprises:
a notification unit, configured to notify a driver module of the operating system of the analysis result of the cloud end through the parent process;
and an interception unit, configured to control the driver module to intercept the other processes at the kernel layer of the operating system according to the analysis result, so as to prevent the other processes from accessing the protected application program.
5. A computer-readable storage medium, characterized in that the storage medium stores a program for instructing associated hardware to perform the method for protecting an application program according to claim 1 or claim 2.
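The procedure summarized at the end of the embodiment above and restated in claims 1 and 2 (the parent process checks the environment, starts the protected application as its child, receives access events from a kernel driver, asks the cloud end whether each event is abnormal, blocks the abnormal ones, and parent and child periodically check each other's integrity) can be modelled in user space. The following is an added example written for this page; it is not code from the patent or from Tencent. It replaces the kernel driver with access events fed in by the caller, the cloud service with a local stub that returns HMAC-authenticated verdicts, and the registry check with a file-digest baseline; the names Guardian, AccessEvent, cloud_analyze, CLOUD_KEY, SUSPICIOUS_OPS, the child script and the sample events are all assumptions made for the example.

```python
import hashlib, hmac, json, os, subprocess, sys, tempfile, textwrap
from dataclasses import dataclass, asdict

def sha256_file(path: str) -> str:
    """Static file characteristic: SHA-256 of the image on disk."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def code_fingerprint(func) -> str:
    """Stand-in for the 'process space instruction' check: digest of the loaded bytecode."""
    return hashlib.sha256(func.__code__.co_code).hexdigest()

def environment_is_clean(baseline: dict) -> bool:
    """Start-up security detection against a trusted path -> SHA-256 baseline (assumption)."""
    return all(os.path.isfile(p) and sha256_file(p) == d for p, d in baseline.items())

@dataclass(frozen=True)
class AccessEvent:
    source: str      # image name of the process touching the protected app
    operation: str   # what it attempted, as a kernel driver would report it
    target_pid: int

# Cloud side as a local stub (assumption). Verdicts carry an HMAC so that a forged
# "normal" verdict injected on the way back to the terminal is rejected.
CLOUD_KEY = b"constructed-demo-key"
SUSPICIOUS_OPS = {"WriteProcessMemory", "CreateRemoteThread", "TerminateProcess"}

def cloud_analyze(event: AccessEvent) -> dict:
    abnormal = event.operation in SUSPICIOUS_OPS or event.source.lower().endswith("dbg.exe")
    verdict = {"event": asdict(event), "abnormal": abnormal}
    body = json.dumps(verdict, sort_keys=True).encode()
    verdict["mac"] = hmac.new(CLOUD_KEY, body, "sha256").hexdigest()
    return verdict

def verdict_is_authentic(verdict: dict) -> bool:
    body = json.dumps({k: v for k, v in verdict.items() if k != "mac"}, sort_keys=True).encode()
    return hmac.compare_digest(hmac.new(CLOUD_KEY, body, "sha256").hexdigest(), verdict.get("mac", ""))

# The protected application: a constructed child script that performs its half of
# the mutual check (verifying the parent's image) before it starts serving.
CHILD_SCRIPT = textwrap.dedent("""\
    import hashlib, sys, time
    parent_path, expected = sys.argv[1], sys.argv[2]
    actual = hashlib.sha256(open(parent_path, "rb").read()).hexdigest()
    print("parent-ok" if actual == expected else "parent-tampered", flush=True)
    time.sleep(60)
""")

class Guardian:
    """The parent process. The driver is modelled by the caller feeding AccessEvents to handle()."""
    def __init__(self, protected_path: str, baseline: dict):
        self.protected_path, self.baseline = protected_path, baseline
        self.child, self.blocked = None, []
        self.child_digest = sha256_file(protected_path)      # recorded at start
        self.self_code = code_fingerprint(Guardian.handle)   # own loaded code
    def start(self) -> bool:
        if not environment_is_clean(self.baseline):
            return False                     # unsafe environment: do not launch
        self.child = subprocess.Popen(
            [sys.executable, self.protected_path, __file__, sha256_file(__file__)],
            stdout=subprocess.PIPE, text=True)
        return self.child.stdout.readline().strip() == "parent-ok"
    def handle(self, event: AccessEvent) -> str:
        verdict = cloud_analyze(event)
        # Fail closed: a verdict that does not authenticate counts as abnormal.
        if not verdict_is_authentic(verdict) or verdict["abnormal"]:
            self.blocked.append(event)       # a real driver would intercept in the kernel
            return "blocked"
        return "allowed"
    def integrity_check(self) -> bool:
        """Parent-side half of the periodic mutual check; failure stops the app."""
        ok = (sha256_file(self.protected_path) == self.child_digest
              and code_fingerprint(Guardian.handle) == self.self_code)
        if not ok:
            self.stop()
        return ok
    def stop(self) -> None:
        if self.child is not None and self.child.poll() is None:
            self.child.terminate()
            self.child.wait()

def demo() -> dict:
    """Whole flow on constructed input: clean start, three events, a clean check, then tampering."""
    with tempfile.TemporaryDirectory() as d:
        app, sysfile = os.path.join(d, "protected_app.py"), os.path.join(d, "hosts")
        with open(app, "w") as f, open(sysfile, "w") as s:
            f.write(CHILD_SCRIPT); s.write("127.0.0.1 localhost\n")   # constructed files
        g = Guardian(app, {sysfile: sha256_file(sysfile)})
        started = g.start()
        pid = g.child.pid if g.child else -1
        decisions = [g.handle(e) for e in (AccessEvent("explorer.exe", "ReadFile", pid),
                                           AccessEvent("x64dbg.exe", "OpenProcess", pid),
                                           AccessEvent("inject.exe", "WriteProcessMemory", pid))]
        clean = g.integrity_check()
        with open(app, "a") as f:
            f.write("# patched\n")                             # simulate tampering
        tampered = g.integrity_check()
        g.stop()
        return {"started": started, "decisions": decisions, "clean": clean,
                "after_tamper": tampered, "child_running": g.child.poll() is None}
```

Calling demo() runs the flow end to end and returns the decisions taken. Two design points carry over to a real deployment: the terminal must authenticate the cloud end's verdict and fail closed when it cannot, otherwise whoever controls the query path can answer "normal" for every event; and the periodic check has to cover the code actually loaded in memory as well as the file on disk, which is why the claims list both process space instructions and static file characteristics.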
CN201410327526.0A 2014-07-10 2014-07-10 Application program protection method and device Active CN105279433B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410327526.0A CN105279433B (en) 2014-07-10 2014-07-10 Application program protection method and device

Publications (2)

Publication Number Publication Date
CN105279433A CN105279433A (en) 2016-01-27
CN105279433B true CN105279433B (en) 2020-10-16

Family

ID=55148430

Country Status (1)

Country Link
CN (1) CN105279433B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107315952A (en) * 2016-04-26 2017-11-03 华为技术有限公司 Method and apparatus for determining application program suspicious actions
CN108804299B (en) 2017-04-26 2023-04-07 腾讯科技(深圳)有限公司 Application program exception handling method and device
CN109829270B (en) * 2018-12-27 2022-04-15 奇安信科技集团股份有限公司 Application program protection method and device
CN112784223A (en) * 2021-01-28 2021-05-11 深信服科技股份有限公司 Application program protection method, device, medium and user behavior control method
CN113553228A (en) * 2021-06-21 2021-10-26 华东计算技术研究所(中国电子科技集团公司第三十二研究所) Lightweight computer state monitoring system and method

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1477509A (en) * 2002-08-19 2004-02-25 万达信息股份有限公司 Process automatic restoring method
CN101122934A (en) * 2006-08-11 2008-02-13 珠海金山软件股份有限公司 Device for preventing and treating computer virus by real-time monitoring for file and its upgrading method
CN101493873A (en) * 2009-03-04 2009-07-29 浪潮电子信息产业股份有限公司 Read-write operation access control method for WIN platform based on inner core layer technology
CN102081722A (en) * 2011-01-04 2011-06-01 奇智软件(北京)有限公司 Method and device for protecting appointed application program
CN102693383A (en) * 2012-05-17 2012-09-26 西安交大捷普网络科技有限公司 Webpage tamper proofing method realized by windows driver layer
CN103544434A (en) * 2013-11-12 2014-01-29 北京网秦天下科技有限公司 Method and terminal used for ensuring safe operation of application program
CN103634311A (en) * 2013-11-26 2014-03-12 腾讯科技(深圳)有限公司 Safety protection method and device, and terminal
CN103870747A (en) * 2014-03-31 2014-06-18 可牛网络技术(北京)有限公司 Method and device for monitoring and processing application program

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7058629B1 (en) * 2001-02-28 2006-06-06 Oracle International Corporation System and method for detecting termination of an application instance using locks
US7665133B2 (en) * 2004-06-12 2010-02-16 Toshiba Tec Kabushiki Kaisha System and method for monitoring processing in a document processing peripheral
CN101009699B (en) * 2006-01-25 2010-09-08 北京鼎信高科信息技术有限公司 Transparent local security environment system and its implementation method
CN100543683C (en) * 2006-12-26 2009-09-23 华为技术有限公司 The method and system that process is monitored
CN101290587B (en) * 2008-06-12 2010-06-16 中兴通讯股份有限公司 Realization progress start-up and control process

Also Published As

Publication number Publication date
CN105279433A (en) 2016-01-27

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant