CN105868625B - Method and device for intercepting restart deletion of file - Google Patents


Info

Publication number: CN105868625B
Application number: CN201610457599.0A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN105868625A
Inventor: 杨峰
Current assignee: Zhuhai Baoqu Technology Co Ltd
Original assignee: Beijing Kingsoft Internet Security Software Co Ltd
Prior art keywords: file, path, characteristic value, setting, deletion

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow


Abstract

Embodiments of the invention disclose a method, a device and an electronic apparatus for intercepting the restart deletion of a file. They belong to the technical field of computer security and can effectively prevent a malicious process from deleting the files of security software. The method comprises: monitoring for the event of a process calling the set-system-information function of the operating system; according to the monitored event, obtaining the type index number and the setting data of the set-system-information request passed by the process; judging whether the type index number is the index number that denotes appending string information to the system registry, whether the registry path to be modified in the setting data is the restart-deletion registry path, whether the file path to be written in the setting data is a protected file path, and whether the process is a malicious process; and, if all of these hold, preventing the process from setting the system information. The method and device are suitable for protecting security files against restart deletion.

Description

Method and device for intercepting restart deletion of a file
Technical field
The present invention relates to the technical field of computer security, and in particular to a method and device for intercepting the restart deletion of a file.
Background technology
Currently, security software has self-protection: while self-protection is active, an attempt by malware to delete the relevant files of the security software is rejected. Malicious processes therefore turn to a mechanism that the Windows system provides for deleting files on restart: they write the path information of the security software's relevant files into the registry location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations. At the next system restart, before the self-protection of the security software has taken effect, the system deletes the security software's relevant files, and the security software can then no longer protect the user's system normally.
The mainstream way of writing to the registry is to call the kernel function NtSetValueKey provided by the system, which can modify registry data. In the course of implementing the present invention, the inventor found that the Windows kernel layer additionally provides the kernel function NtSetSystemInformation. This function is used to set certain system information, such as time, processor, process and memory information. NtSetSystemInformation takes three parameters. The first parameter is the type index number of the system information to be set; for example, the index number for setting time information is 28 and the index number for setting process information is 5. The second parameter is the specific data to be set; if the index number is 28, this parameter is the specific time data. Research showed that the index number 110 denotes appending string information to the system registry. Calling NtSetSystemInformation with its first parameter set to 110 can therefore modify registry data, and the second parameter then contains the registry path to be modified, the specific value name, and the specific data of the modification. A malicious process can thus use NtSetSystemInformation to modify the registry covertly and cause the files of the security software to be deleted, reducing the security protection capability of the system.
Summary of the invention
In view of this, embodiments of the invention provide a method, a device and an electronic apparatus for intercepting the restart deletion of a file, which can effectively prevent a malicious process from deleting the files of security software and so achieve the purpose of protecting the user's system.
In a first aspect, an embodiment of the invention provides a method for intercepting the restart deletion of a file, comprising:
monitoring for the event of a process calling the set-system-information function in the operating system;
according to the monitored event, obtaining the type index number and the setting data of the set-system-information request passed by the process;
judging whether the type index number of the set-system-information request is the index number that denotes appending string information to the system registry, whether the registry path to be modified in the setting data is the restart-deletion registry path, whether the file path to be written in the setting data is a protected file path, and whether the process is a malicious process;
if so, preventing the process from setting the system information.
With reference to the first aspect, in a first embodiment of the first aspect, the system is the Windows operating system and the set-system-information function is the NtSetSystemInformation function of the operating system kernel layer;
before monitoring for the event of a process calling the set-system-information function in the operating system, the method further comprises: setting up in advance a hook function that hooks the set-system-information function;
and monitoring for the event of a process calling the set-system-information function in the operating system comprises: monitoring, by means of the hook function, for the event of a process calling the set-system-information function in the operating system.
With reference to the first embodiment of the first aspect, in a second embodiment of the first aspect, preventing the process from setting the system information comprises:
returning, by the hook function, a rejection message to the process; or
the hook function refusing to call the set-system-information function, so as to prevent the process from setting the system information.
With reference to the first embodiment of the first aspect, in a third embodiment of the first aspect, the index number that denotes appending string information to the system registry is 110.
With reference to the first embodiment of the first aspect, in a fourth embodiment of the first aspect, the restart-deletion registry path is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations.
With reference to the first aspect, in a fifth possible implementation of the first aspect, judging whether the file path to be written in the setting data is a protected file path comprises:
computing, according to a preset feature value algorithm, the feature value of the file corresponding to the file path to be written in the setting data;
judging whether the feature value of the file corresponding to the file path to be written is recorded in a preset feature value library of protected files;
if the feature value of the file corresponding to the file path to be written is recorded in the feature value library of protected files, determining that the file path to be written is a protected file path;
wherein the feature value library of protected files records the feature values of the files corresponding to known protected file paths.
With reference to the sixth embodiment of the first aspect, in a seventh possible implementation of the first aspect, before computing, according to the preset feature value algorithm, the feature value of the file corresponding to the file path to be written in the setting data, the method further comprises:
collecting known protected file paths;
obtaining, according to the preset feature value algorithm, the feature values of the files corresponding to the known protected file paths;
writing the feature values of the files corresponding to the known protected file paths into the feature value library of protected files.
With reference to the first aspect, in a seventh embodiment of the first aspect, judging whether the process is a malicious process comprises:
obtaining the process path;
computing, according to the preset feature value algorithm, the feature value of the file corresponding to the process path;
judging whether the feature value of the file corresponding to the process path is recorded in a preset malicious-process feature value library;
if the malicious-process feature value library records the feature value of the file corresponding to the process path, determining that the process is a malicious process;
wherein the malicious-process feature value library records the feature values of the files corresponding to known malicious process paths.
With reference to the seventh embodiment of the first aspect, in an eighth embodiment of the first aspect, before computing, according to the preset feature value algorithm, the feature value of the file corresponding to the process path, the method further comprises:
collecting known malicious process paths;
obtaining, according to the preset feature value algorithm, the feature values of the files corresponding to the known malicious process paths;
writing the feature values of the files corresponding to the known malicious process paths into the malicious-process feature value library.
With reference to any one of the fifth to eighth embodiments of the first aspect, in a ninth embodiment of the first aspect, the preset feature value algorithm is:
computing the Message Digest 5 value or hash value of the file at the path as the feature value of the file corresponding to the path, or
obtaining the file version number from the path as the feature value of the file corresponding to the path.
In a second aspect, an embodiment of the invention provides a device for intercepting the restart deletion of a file, comprising:
a monitoring module, for monitoring for the event of a process calling the set-system-information function in the operating system;
an acquisition module, for obtaining, according to the event monitored by the monitoring module, the type index number and the setting data of the set-system-information request passed by the process;
a judgment module, for judging whether the type index number obtained by the acquisition module is the index number that denotes appending string information to the system registry, whether the registry path to be modified in the setting data is the restart-deletion registry path, whether the file path to be written in the setting data is a protected file path, and whether the process is a malicious process;
a blocking module, for preventing the process from setting the system information when the judgment result of the judgment module is yes.
With reference to the second aspect, in a first embodiment of the second aspect, when the operating system is the Windows operating system, the monitoring module is provided in advance with a hook function that hooks the NtSetSystemInformation function of the operating system kernel layer, and the monitoring module monitors, by means of the hook function, for the event of a process calling the set-system-information function in the operating system.
With reference to the first embodiment of the second aspect, in a second embodiment of the second aspect, the blocking module returns a rejection message to the process through the hook function, or refuses to call the set-system-information function, so as to prevent the process from setting the system information.
With reference to the first embodiment of the second aspect, in a third embodiment of the second aspect, the judgment module judges whether the type index number of the set-system-information request obtained by the acquisition module is 110 and, if so, determines that the type index number denotes appending string information to the system registry.
With reference to the first embodiment of the second aspect, in a fourth embodiment of the second aspect, the judgment module judges whether the registry path to be modified in the setting data is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, and if so determines that the registry path to be modified in the setting data is the restart-deletion registry path.
With reference to the second aspect, in a fifth embodiment of the second aspect, the judgment module comprises:
a first judging submodule, for judging whether the type index number of the set-system-information request obtained by the acquisition module is the index number that denotes appending string information to the system registry;
a second judging submodule, for judging, when the judgment result of the first judging submodule is yes, whether the registry path to be modified in the setting data obtained by the acquisition module is the restart-deletion registry path;
a first feature value computing submodule, for computing, when the judgment result of the second judging submodule is yes and according to a preset feature value algorithm, the feature value of the file corresponding to the file path to be written in the setting data obtained by the acquisition module;
a first path judging submodule, for judging whether the feature value computed by the first feature value computing submodule is recorded in the preset feature value library of protected files and, if so, determining that the file path to be written is a protected file path; wherein the feature value library of protected files records the feature values of the files corresponding to known protected file paths;
a third judging submodule, for judging whether the process is a malicious process when the first path judging submodule determines that the file path to be written is a protected file path.
With reference to the fifth embodiment of the second aspect, in a sixth embodiment of the second aspect, the judgment module further comprises:
a protected-file feature value library generating submodule, for collecting known protected file paths in advance, obtaining the feature values of the files corresponding to the known protected file paths according to the preset feature value algorithm, and storing them in the feature value library of protected files.
With reference to the second aspect, in a seventh embodiment of the second aspect, the judgment module comprises:
a first judging submodule, for judging whether the type index number of the set-system-information request obtained by the acquisition module is the index number that denotes appending string information to the system registry;
a second judging submodule, for judging, when the judgment result of the first judging submodule is yes, whether the registry path to be modified in the setting data obtained by the acquisition module is the restart-deletion registry path;
a fourth judging submodule, for judging, when the judgment result of the second judging submodule is yes, whether the file path to be written in the setting data obtained by the acquisition module is a protected file path;
a process path acquisition submodule, for obtaining the process path when the judgment result of the fourth judging submodule is yes;
a second feature value computing submodule, for computing, according to the preset feature value algorithm, the feature value of the file corresponding to the process path obtained by the process path acquisition submodule;
a second path judging submodule, for judging whether the feature value computed by the second feature value computing submodule is recorded in the preset malicious-process feature value library and, if so, determining that the process is a malicious process; wherein the malicious-process feature value library records the feature values of the files corresponding to known malicious process paths.
With reference to the seventh embodiment of the second aspect, in an eighth embodiment of the second aspect, the judgment module further comprises:
a malicious-process feature value library generating submodule, for collecting known malicious process paths in advance, obtaining the feature values of the known malicious process paths according to the preset feature value algorithm, and storing them in the malicious-process feature value library.
In a third aspect, an embodiment of the invention provides an electronic apparatus comprising a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic apparatus; the memory stores executable program code; and the processor, by reading the executable program code stored in the memory, runs the program corresponding to that code in order to execute the method for intercepting the restart deletion of a file described in any one of the foregoing embodiments.
The method, device and electronic apparatus for intercepting the restart deletion of a file provided by embodiments of the invention monitor for the event of a process calling the set-system-information function in the operating system. If the set-system-information function is found to be called by a process, the type index number and setting data of the set-system-information request passed by the process are obtained, and it is judged whether the type index number denotes appending string information to the system registry, whether the registry path to be modified in the setting data is the restart-deletion registry path, whether the file path to be written in the setting data is a protected file path, and whether the process is a malicious process. If all of these conditions are met, the process is prevented from setting the system information. Restart deletion of files that malware carries out through covert modification of the registry can thus be intercepted, improving the security of the system.
Description of the drawings
In order to explain more clearly the technical solutions in the embodiments of the invention or in the prior art, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a first method embodiment of the invention for intercepting the restart deletion of a file;
Fig. 2 is a flowchart of one implementation of step 103;
Fig. 3 is a flowchart of a second method embodiment of the invention for intercepting the restart deletion of a file;
Fig. 4 is a structural diagram of a device for intercepting the restart deletion of a file provided by the invention;
Fig. 5 is another structural diagram of a device for intercepting the restart deletion of a file provided by the invention;
Fig. 6 is a further structural diagram of a device for intercepting the restart deletion of a file provided by the invention;
Fig. 7 is a structural diagram of an embodiment of the electronic apparatus of the invention.
Detailed description of embodiments
The method, device and electronic apparatus for intercepting the restart deletion of a file provided by embodiments of the invention are described in detail below with reference to the drawings.
It should be understood that the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the protection scope of the invention.
Fig. 1 is a flowchart of the first method embodiment of the invention for intercepting the restart deletion of a file. As shown in Fig. 1, the method of this embodiment may comprise:
Step 101: monitor for the event of a process calling the set-system-information function in the operating system.
The operating system provides a set-system-information function. By calling it, the process of a malicious application can write the path information of the security software's relevant files into the restart-deletion registry location; at the next system restart, before the self-protection of the security software has taken effect, the system deletes the security software's relevant files. By monitoring for the event of the set-system-information function being called, this embodiment can intercept in time the message by which a malicious application would set system information.
Step 102: according to the monitored event, obtain the type index number and the setting data of the set-system-information request passed by the process.
When the process of a malicious application begins to call the set-system-information function, it passes to that function the type index number and the setting data of the system information to be set. In this embodiment, the type index number and the setting data can be intercepted before they reach the set-system-information function.
Step 103: judge whether the type index number of the set-system-information request is the index number that denotes appending string information to the system registry, whether the registry path to be modified in the setting data is the restart-deletion registry path, whether the file path to be written in the setting data is a protected file path, and whether the process is a malicious process; if so, perform step 104.
Only when the type index number of the set-system-information request is the index number denoting appending string information to the system registry, the registry path to be modified is the restart-deletion registry path, the file path to be written is a protected file path, and the process is a malicious process does this step establish that the monitored event is a malicious process calling the set-system-information function in an attempt to write a protected file path into the restart-deletion registry path, which must be prevented.
Step 104: prevent the process from setting the system information.
Fig. 2 is a flowchart of one implementation of step 103. As shown in Fig. 2, step 103 may comprise the following steps 1031 to 1036:
Step 1031: judge whether the type index number of the set-system-information request is the index number denoting appending string information to the system registry; if so, perform step 1032.
Step 1032: obtain the registry path to be modified from the setting data.
Step 1033: judge whether the registry path to be modified is the restart-deletion registry path; if so, perform step 1034.
In this embodiment, if the type index number of the set-system-information request denotes appending string information to the system registry, then, in order to prevent a malicious process from setting system information so that a protected file is deleted on restart, the registry path to be modified is obtained from the setting data passed to the set-system-information function, and it is judged whether that path is the restart-deletion registry path. If it is not, the system information being set by this process is not a setting concerned with restart deletion of a file.
Step 1034: obtain the file path to be written from the setting data.
Step 1035: judge whether the file path to be written is a protected file path; if so, perform step 1036.
In this embodiment, if the registry path to be modified is the restart-deletion registry path, the file path to be written is further obtained, and it is judged whether it is a protected file path, that is, whether the file being written this time into the restart-deletion registry path is a protected file. If it is, this setting of system information is very likely to be malicious behaviour.
In this embodiment, as an optional mode, step 1035 may compute, according to a preset feature value algorithm, the feature value of the file corresponding to the file path to be written; then judge whether that feature value is recorded in the preset feature value library of protected files; and, if the feature value library of protected files records it, determine that the file path to be written is a protected file path. The feature value library of protected files records the feature values of the files corresponding to known protected file paths. It is generated as follows: before the invention is executed, known protected file paths are collected in advance; according to the preset feature value algorithm, the feature values of the files corresponding to the known protected file paths are obtained and written into the feature value library of protected files.
Step 1036: judge whether the process is a malicious process.
In this step, if the process is a malicious process, the judgment result of step 103 is yes and step 104 can be performed.
Since a malicious program can almost never vary its process path at random, as an optional mode of this embodiment step 1036 judges whether the process is a malicious process as follows: first obtain the path of the process that is currently calling the set-system-information function and wants to write the protected file path into the restart-deletion registry path; then obtain, according to the preset feature value algorithm, the feature value of the file corresponding to the process path; then judge whether that feature value is recorded in a preset feature library. If the preset feature library records the feature value of the file corresponding to the process path, the process is determined to be a malicious process; if it does not, the process is determined not to be a malicious process. The feature library is set up in advance, as follows: collect known malicious process paths; obtain, according to the preset feature value algorithm, the feature values of the files corresponding to the known malicious process paths and store them in the feature library.
Through the above steps, the restart-deletion operation that malware attempts on a protected file will fail.
Preferably, when computing the feature value of the file corresponding to the file path to be written or to the process path, the feature value algorithm used is: compute the Message Digest 5 (MD5) value or hash (HASH) value of the file at the file path to be written or at the process path as the feature value of the corresponding file, or obtain the file version number from the file path to be written or from the process path as the feature value of the corresponding file.
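The decision procedure of steps 1031 to 1036, together with the generation of the two feature value libraries, as an added Python model that is not code from the patent or from the applicant. It assumes a constructed in-memory file system in place of real files, simplifies the hook's input to the fields the description names (type index number, registry path, file path, process path), and uses the MD5 of file contents as the feature value algorithm; every check must pass before a call is blocked, so calls with other index numbers or other registry paths pass through unchanged.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

# Type index number the description identifies as "append string information to the
# system registry" (first parameter of NtSetSystemInformation).
SYSTEM_REGISTRY_APPEND_STRING = 110

# Registry path whose entries the system processes at the next boot (the restart-deletion path).
RESTART_DELETION_REGISTRY_PATH = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
    r"\PendingFileRenameOperations"
)

# Constructed stand-in for the file system (path -> contents) so the example runs offline.
FAKE_FILES: Dict[str, bytes] = {
    r"C:\Program Files\SecSoft\secsoft.sys": b"constructed protected driver image",
    r"C:\Program Files\SecSoft\secsoft.exe": b"constructed protected service image",
    r"C:\Users\Public\dropper.exe": b"constructed known-malicious sample",
    r"C:\Temp\setup.exe": b"constructed benign installer",
}


def read_file(path: str) -> Optional[bytes]:
    """Return the file's bytes, or None if it does not exist. Windows paths are
    case-insensitive, so the lookup is too."""
    for name, data in FAKE_FILES.items():
        if name.casefold() == path.casefold():
            return data
    return None


def feature_value(path: str) -> Optional[str]:
    """Feature value per the description's preferred algorithm: MD5 of the file at the path.
    None when there is no file to hash, so the caller cannot match it by accident."""
    data = read_file(path)
    return hashlib.md5(data).hexdigest() if data is not None else None


def build_feature_library(known_paths: Iterable[str]) -> FrozenSet[str]:
    """'Collect known paths, compute their feature values, write them into the library.'"""
    return frozenset(fv for fv in map(feature_value, known_paths) if fv is not None)


def normalize_file_path(path: str) -> str:
    """Entries written to PendingFileRenameOperations use the NT path form '\\??\\C:\\...';
    strip that prefix so the path can be looked up like an ordinary Win32 path."""
    return path[4:] if path.startswith("\\??\\") else path


@dataclass(frozen=True)
class SetSystemInformationCall:
    """Constructed model of what the hook sees; not the real parameter layout."""
    info_class: int       # type index number (first parameter)
    registry_path: str    # registry path to be modified, taken from the setting data
    file_path: str        # file path to be written, taken from the setting data
    process_path: str     # image path of the calling process


def decide(call: SetSystemInformationCall,
           protected_lib: FrozenSet[str],
           malicious_lib: FrozenSet[str]) -> Tuple[bool, str]:
    """Steps 1031-1036: returns (block?, reason). Blocking requires all four conditions."""
    if call.info_class != SYSTEM_REGISTRY_APPEND_STRING:                 # step 1031
        return False, "type index number is not the registry-append index"
    if call.registry_path.casefold() != RESTART_DELETION_REGISTRY_PATH.casefold():  # 1032-1033
        return False, "registry path is not the restart-deletion path"
    file_fv = feature_value(normalize_file_path(call.file_path))          # 1034-1035
    if file_fv is None or file_fv not in protected_lib:
        return False, "file to be written is not a protected file"
    proc_fv = feature_value(call.process_path)                            # 1036
    if proc_fv is None or proc_fv not in malicious_lib:
        return False, "calling process is not a known malicious process"
    return True, "blocked: malicious process scheduling restart deletion of a protected file"


# Libraries generated in advance from known protected and known malicious paths.
PROTECTED_LIB = build_feature_library([
    r"C:\Program Files\SecSoft\secsoft.sys", r"C:\Program Files\SecSoft\secsoft.exe"])
MALICIOUS_LIB = build_feature_library([r"C:\Users\Public\dropper.exe"])

if __name__ == "__main__":
    call = SetSystemInformationCall(
        SYSTEM_REGISTRY_APPEND_STRING, RESTART_DELETION_REGISTRY_PATH,
        r"\??\C:\Program Files\SecSoft\secsoft.sys", r"C:\Users\Public\dropper.exe")
    print(decide(call, PROTECTED_LIB, MALICIOUS_LIB))
```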
The method for intercepting the restart deletion of a file provided by this embodiment monitors for the event of a process calling the set-system-information function in the operating system. If the set-system-information function is found to be called by a process, the type index number and setting data of the set-system-information request passed by the process are obtained, and it is judged whether the type index number denotes appending string information to the system registry. If it does, the registry path to be modified is obtained from the setting data and it is judged whether it is the restart-deletion registry path. If it is, the file path to be written is obtained from the setting data and it is judged whether it is a protected file path. If it is, the process path is obtained and, by means of the process path, it is judged whether the process is a malicious process. If the process is a malicious process, it is prevented from setting the system information. Restart deletion of files that malware carries out through covert modification of the registry can thus be intercepted, improving the security of the system.
Fig. 3 is a flow chart of embodiment two of the method for intercepting restart deletion of a file according to the present invention. This embodiment is used for the Windows operating system, and the set-system-information function is the NtSetSystemInformation function of the operating system kernel layer. The embodiment of the present invention is suitable for the shutdown protection that security-protection applications such as Kingsoft Antivirus (Jinshan anti-virus software) or Kingsoft Bodyguard provide to the operating system. As shown in Fig. 3, the method of this embodiment includes the following steps:
Step 201: monitor the event in which a process calls the NtSetSystemInformation function in the operating system.
A hook function is in fact a program segment that processes messages; it is called by the system and hooked into the system. Whenever a particular message is issued, the hook function captures the message first, before it reaches the destination window; that is, the hook function obtains control first. The hook function may then process the message, or leave it untouched and pass it on, or forcibly end the transmission of the message.
In this embodiment, the hook function is established in advance, before this step is executed, in the defense driver of a security-protection application such as Kingsoft Antivirus; the hook function hooks the NtSetSystemInformation function of the operating system. The defense driver of the security-protection application starts running after the Windows operating system boots.
In this embodiment, the original entry address of the NtSetSystemInformation function is replaced with the entry address of the hook function of this embodiment. When a malicious process calls the NtSetSystemInformation function, because the original entry address of the function has been replaced with the entry address of the hook function, the call jumps to the hook function of this embodiment and is executed there, which achieves the monitoring of the NtSetSystemInformation function. In order to be able to call back the original NtSetSystemInformation function, its original entry address needs to be saved before it is replaced with the entry address of the hook function of this embodiment.
Step 202: the hook function obtains, from the event that was listened to, the type index number and setting data of the set-system-information call sent by the process.
In this embodiment, the malicious process's call of the NtSetSystemInformation function is realized by sending the Windows operating system a message that calls the NtSetSystemInformation function, and that message can be captured directly by the hook function. The hook function intercepting the message is regarded as listening to the event in which the NtSetSystemInformation function is called by the process. The message contains the relevant parameters that the process passes to NtSetSystemInformation, including the type index number and setting data of the set-system-information call; the setting data includes information such as the registry path to be modified, the specific value name, the file path to be written and the specific data of the modification.
Step 203: judge whether the type index number of the set-system-information call is the index number indicating the setting of system registry append-string information; if so, execute step 204; otherwise, execute step 210.
In this embodiment, if the type index number of the set-system-information call is 110, the index number indicates the setting of system registry append-string information, and step 204 is executed; if the type index number is not 110, this call does not perform a registry write, and step 210 is executed.
Step 204: obtain the registry path to be modified from the setting data.
Step 205: judge whether the registry path to be modified is the restart-deletion registry path; if so, execute step 206; otherwise, execute step 210.
In this embodiment, judging whether the registry path to be modified is the restart-deletion registry path means checking whether it is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations. If the registry path to be modified is not the restart-deletion registry path, this operation does not write the restart-deletion registry path, and step 210 is executed.
Step 206: obtain the file path to be written from the setting data.
Step 207: judge whether the file path to be written is a protected file path; if so, execute step 208; otherwise, execute step 210.
In this embodiment, the implementation of step 207 is similar to step 1035 of the method embodiment above and is not repeated here.
Step 208: judge whether the process is a malicious process; if the process is a malicious process, execute step 209; if the process is not a malicious process, execute step 210.
In this embodiment, the method for judging whether the process is a malicious process is similar to step 1036 of the method embodiment above and is not repeated here.
Step 209: the hook function returns a refusal message to the process, or refuses to call the NtSetSystemInformation function, so as to prevent the process from setting the system information.
Step 210: allow the process to call the NtSetSystemInformation function.
In this embodiment, the hook function monitors the event of calling the NtSetSystemInformation function, and when the process path of a call that writes a protected file path into the restart-deletion registry path through the set-system-information function is judged to be a malicious process, its call is blocked in time, so that the security files of the system cannot be deleted on restart, improving the security of the system.
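As an added illustration of the decision flow of steps 203 to 209 above, together with the path-hash feature value described earlier (the MD5 or hash value of the path as the characteristic value of the corresponding file), the following C program models the hook's filter in user mode. It is example code written for this page, not code from the patent or from Kingsoft's defense driver. Assumptions: the `set_info_call` structure is a constructed stand-in for the parameters the hook receives (the real kernel structure is not described on the page); 64-bit FNV-1a over the case-folded path stands in for the MD5/hash the page names; the handling of the `\??\` prefix reflects how Windows records PendingFileRenameOperations entries; and every file and process path is a constructed placeholder.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Type index number the page gives for setting system registry
 * append-string information (step 203 / claim 4). */
#define REGISTRY_APPEND_STRING_INDEX 110u

/* Restart-deletion registry path the page gives (step 205 / claim 5). */
static const char REBOOT_DELETE_PATH[] =
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\"
    "PendingFileRenameOperations";

/* Constructed model of what the hook sees (assumption, not the real kernel structure). */
struct set_info_call {
    unsigned type_index;
    const char *registry_path; /* registry path to be modified */
    const char *file_to_write; /* file path to be written into the value */
    const char *process_path;  /* image path of the calling process */
};

enum verdict { VERDICT_ALLOW = 0, VERDICT_DENY = 1 };

/* Pre-set feature-value algorithm. The page names MD5/hash of the path; this
 * stand-in is 64-bit FNV-1a over the case-folded path (no crypto library). */
uint64_t path_feature(const char *path)
{
    uint64_t h = 1469598103934665603ULL;
    for (; *path; ++path) {
        h ^= (unsigned char)tolower((unsigned char)*path);
        h *= 1099511628211ULL;
    }
    return h;
}

/* Windows records PendingFileRenameOperations entries with the NT object
 * prefix "\??\"; strip it so the entry compares equal to the Win32 path. */
static const char *strip_nt_prefix(const char *path)
{
    return strncmp(path, "\\??\\", 4) == 0 ? path + 4 : path;
}

/* Characteristic value library built in advance from known paths (claims 7 and 9). */
#define LIB_CAPACITY 32
struct feature_lib { uint64_t values[LIB_CAPACITY]; size_t count; };

static void lib_add(struct feature_lib *lib, const char *path)
{
    if (lib->count < LIB_CAPACITY)
        lib->values[lib->count++] = path_feature(path);
}

static bool lib_has(const struct feature_lib *lib, const char *path)
{
    uint64_t f = path_feature(path);
    for (size_t i = 0; i < lib->count; ++i)
        if (lib->values[i] == f)
            return true;
    return false;
}

/* Steps 203 to 210 as one decision: any failed check falls through to allow
 * (step 210); only a call that passes all four checks is denied (step 209). */
enum verdict filter_set_system_information(const struct set_info_call *call,
        const struct feature_lib *protected_files, const struct feature_lib *malicious_procs)
{
    if (call->type_index != REGISTRY_APPEND_STRING_INDEX)                /* step 203 */
        return VERDICT_ALLOW;
    if (strcmp(call->registry_path, REBOOT_DELETE_PATH) != 0)             /* step 205 */
        return VERDICT_ALLOW;
    if (!lib_has(protected_files, strip_nt_prefix(call->file_to_write)))  /* step 207 */
        return VERDICT_ALLOW;
    if (!lib_has(malicious_procs, call->process_path))                    /* step 208 */
        return VERDICT_ALLOW;
    return VERDICT_DENY;                                                  /* step 209 */
}

/* Constructed scenario: one protected file and one known-malicious process
 * (placeholder paths, not real product or malware paths), then one call. */
enum verdict run_scenario(unsigned type_index, const char *registry_path,
                          const char *file_to_write, const char *process_path)
{
    struct feature_lib protected_files = { {0}, 0 };
    struct feature_lib malicious_procs = { {0}, 0 };
    lib_add(&protected_files, "C:\\Program Files\\ExampleAV\\core.dll");
    lib_add(&malicious_procs, "C:\\Users\\Public\\malware_a.exe");
    struct set_info_call call = { type_index, registry_path, file_to_write, process_path };
    return filter_set_system_information(&call, &protected_files, &malicious_procs);
}

/* The page's "malware A" case: a known-malicious process queues a protected
 * file for restart deletion; the filter denies the call. */
enum verdict demo_malware_a_verdict(void)
{
    return run_scenario(REGISTRY_APPEND_STRING_INDEX, REBOOT_DELETE_PATH,
                        "\\??\\C:\\Program Files\\ExampleAV\\core.dll",
                        "C:\\Users\\Public\\malware_a.exe");
}
```

Calling `demo_malware_a_verdict()` yields `VERDICT_DENY`; calling `run_scenario()` with a different type index number, a registry path other than the restart-deletion path, a file that is not in the protected library, or a process that is not in the malicious library yields `VERDICT_ALLOW`, which is the fall-through to step 210. Because the library stores hashes of case-folded paths, a protected path written in a different letter case is still matched.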
A specific embodiment is used below to describe in detail the technical solution of the method embodiments shown in any of Fig. 1 to Fig. 3.
In a user's computer environment there is a piece of malware A that wants to delete the files of Kingsoft Antivirus, but a conventional file deletion fails because Kingsoft Antivirus has self-protection that keeps its files from being maliciously deleted, so the malware deletes the files of Kingsoft Antivirus by means of restart deletion. The present invention hooks, in the defense driver of Kingsoft Antivirus, the NtSetSystemInformation function that covertly modifies the registry. When the process of malware A calls NtSetSystemInformation to write the file path information of Kingsoft Antivirus into the restart-deletion registry location, intending to restart-delete the files of Kingsoft Antivirus, the defense driver intercepts this behaviour and returns a message refusing the call, so that the malware cannot delete the files of Kingsoft Antivirus by restarting, and the user's system environment is better protected from damage.
Fig. 4 is a structural schematic diagram of a device for intercepting restart deletion of a file provided by the present invention. As shown in Fig. 4, the device of this embodiment may include: a monitoring module 11, an acquisition module 12, a judgment module 13 and a blocking module 14. The monitoring module 11 is configured to monitor the event in which a process calls the set-system-information function in the operating system; the acquisition module 12 is configured to obtain, from the event listened to by the monitoring module 11, the type index number and setting data of the set-system-information call sent by the process; the judgment module 13 is configured to judge whether the type index number of the set-system-information call obtained by the acquisition module 12 is the index number indicating the setting of system registry append-string information, and the registry path to be modified in the setting data is the restart-deletion registry path, and the file path to be written in the setting data is a protected file path, and the process is a malicious process; the blocking module 14 is configured to prevent the process from setting the system information when the judging result of the judgment module 13 is yes.
The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 1; its implementation principle and technical effect are similar and are not repeated here.
In another embodiment, when the device for intercepting restart deletion of a file is used in the Windows operating system, the monitoring module 11 is provided in advance with a hook function that hooks the NtSetSystemInformation function of the operating system kernel layer, and the monitoring module 11 monitors, through the hook function, the event in which a process calls the set-system-information function in the operating system. The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 3; its implementation principle and technical effect are similar and are not repeated here.
In another alternative embodiment, the blocking module 14 returns a refusal message to the process through the hook function, or refuses to call the set-system-information function, so as to prevent the process from setting the system information. The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 3; its implementation principle and technical effect are similar and are not repeated here.
In another alternative embodiment, the judgment module 13 judges whether the type index number of the set-system-information call obtained by the acquisition module 12 is 110, and if so determines that the type index number indicates the setting of system registry append-string information. The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 3; its implementation principle and technical effect are similar and are not repeated here.
In another alternative embodiment, the judgment module 14 judges whether the registry path to be modified is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, and if so determines that the registry path to be modified in the setting data is the restart-deletion registry path. The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 3; its implementation principle and technical effect are similar and are not repeated here.
Fig. 5 is another structural schematic diagram of a device for intercepting restart deletion of a file provided by the present invention. As shown in Fig. 5, on the basis of the device structure shown in Fig. 4, in the device of this embodiment the judgment module 13 further includes: a first judging submodule 131, a second judging submodule 132, a first characteristic value calculation submodule 133, a first path judging submodule 134 and a third judging submodule 135.
The first judging submodule 131 is configured to judge whether the type index number of the set-system-information call obtained by the acquisition module 12 is the index number indicating the setting of system registry append-string information; the second judging submodule 132 is configured to judge, when the judging result of the first judging submodule 131 is yes, whether the registry path to be modified in the setting data obtained by the acquisition module 12 is the restart-deletion registry path; the first characteristic value calculation submodule 133 is configured to calculate, when the judging result of the second judging submodule 132 is yes and according to a pre-set feature-value algorithm, the characteristic value of the file corresponding to the file path to be written in the setting data obtained by the acquisition module 12; the first path judging submodule 134 is configured to judge whether the characteristic value of the file corresponding to the file path to be written, calculated by the first characteristic value calculation submodule 133, is recorded in a pre-set characteristic value library of protected files, and if so, to determine that the file path to be written is a protected file path, where the characteristic value library of protected files records the characteristic values of files corresponding to known protected file paths; the third judging submodule 135 is configured to judge whether the process is a malicious process when the first path judging submodule 134 judges that the file path to be written is a protected file path. In this embodiment, the blocking module 14 is specifically configured to prevent the process from setting the system information when the judging result of the third judging submodule 135 is yes. The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 1 or Fig. 3; its implementation principle and technical effect are similar and are not repeated here.
Preferably, in another embodiment, the judgment module 13 shown in Fig. 5 may further include a protected-file characteristic value library generation submodule, configured to collect known protected file paths in advance and, according to the pre-set feature-value algorithm, obtain the characteristic values of the files corresponding to the known protected file paths and store them in the characteristic value library of protected files. The first path judging submodule 134 then, when judging, matches the characteristic value of the file corresponding to the file path to be written against the characteristic value library of protected files generated by that submodule. The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 1 or Fig. 3; its implementation principle and technical effect are similar and are not repeated here.
Fig. 6 is another structural schematic diagram of a device for intercepting restart deletion of a file provided by the present invention. As shown in Fig. 6, on the basis of the device structure shown in Fig. 4, in the device of this embodiment the judgment module 13 further includes: a first judging submodule 131, a second judging submodule 132, a fourth judging submodule 136, a process path acquisition submodule 137, a second characteristic value calculation submodule 138 and a second path judging submodule 139. The first judging submodule 131 is configured to judge whether the type index number of the set-system-information call obtained by the acquisition module 12 is the index number indicating the setting of system registry append-string information; the second judging submodule 132 is configured to judge, when the judging result of the first judging submodule 131 is yes, whether the registry path to be modified in the setting data obtained by the acquisition module 12 is the restart-deletion registry path; the fourth judging submodule 136 is configured to judge, when the judging result of the second judging submodule 132 is yes, whether the file path to be written in the setting data obtained by the acquisition module 12 is a protected file path; the process path acquisition submodule 137 is configured to obtain the process path when the judging result of the fourth judging submodule 136 is yes; the second characteristic value calculation submodule 138 is configured to calculate, according to a pre-set feature-value algorithm, the characteristic value of the file corresponding to the process path obtained by the process path acquisition submodule 136; the second path judging submodule 139 is configured to judge whether the characteristic value of the file corresponding to the process path, calculated by the second characteristic value calculation submodule 138, is recorded in a pre-set malicious process characteristic value library, and if so, to determine that the process is a malicious process, where the malicious process characteristic value library records the characteristic values of files corresponding to known malicious process paths. In this embodiment, the blocking module 14 is specifically configured to prevent the process from setting the system information when the second path judging submodule 139 determines that the process is a malicious process. The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 1 or Fig. 3; its implementation principle and technical effect are similar and are not repeated here.
Preferably, in another embodiment, the judgment module shown in Fig. 6 may further include a malicious process characteristic value library generation submodule, configured to collect known malicious process paths in advance and, according to the pre-set feature-value algorithm, obtain the characteristic values of the known malicious process paths and store them in the malicious process characteristic value library. The second path judging submodule 139 then, when judging, matches the characteristic value of the file corresponding to the process path calculated by the second characteristic value calculation submodule 138 against the malicious process characteristic value library generated by that submodule. The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 1 or Fig. 3; its implementation principle and technical effect are similar and are not repeated here.
The embodiment of the present invention also provides an electronic device. Fig. 7 is a structural schematic diagram of an embodiment of the electronic device of the present invention, which can implement the flow of the embodiments shown in Fig. 1, Fig. 2 or Fig. 3. As shown in Fig. 7, the electronic device may include: a housing 21, a processor 22, a memory 23, a circuit board 24 and a power circuit 25, where the circuit board 24 is placed inside the space enclosed by the housing 21, and the processor 22 and the memory 23 are arranged on the circuit board 24; the power circuit 25 is used to supply power to each circuit or device of the electronic device; the memory 23 is used to store executable program code; the processor 22 runs the program corresponding to the executable program code by reading the executable program code stored in the memory 23, so as to execute the method for intercepting restart deletion of a file of any of the foregoing embodiments.
The electronic device exists in a variety of forms, including but not limited to:
(1) Mobile communication devices: such devices are characterized by having mobile communication functions, with the main aim of providing voice and data communication. This type of terminal includes smartphones (such as the iPhone), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: such devices belong to the category of personal computers, have computing and processing functions, and generally also have mobile Internet access. This type of terminal includes PDA, MID and UMPC devices, such as the iPad.
(3) Portable entertainment devices: such devices can display and play multimedia content. This type of device includes audio and video players (such as the iPod), handheld devices, e-books, smart toys and portable in-vehicle navigation devices.
(4) Servers: devices that provide computing services. A server consists of a processor, hard disk, memory, system bus and so on; its architecture is similar to that of a general-purpose computer, but because it needs to provide highly reliable services, it has higher requirements for processing capability, stability, reliability, security, scalability and manageability.
(5) Other electronic devices with data interaction functions.
It should be noted that, herein, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes the element.
Those of ordinary skill in the art will appreciate that all or part of the flow of the methods in the above embodiments can be implemented by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the flow of the embodiments of each of the above methods. The storage medium can be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM) or the like.
The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto; any change or replacement that a person familiar with the art can readily conceive within the technical scope disclosed by the present invention shall be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the claims.

Claims (20)

1. A method for intercepting restart deletion of a file, characterized in that it comprises:
monitoring the event in which a process calls a set-system-information function in an operating system;
according to the event listened to, obtaining the type index number and setting data of the set-system-information call sent by the process;
judging whether the type index number of the set-system-information call is the index number indicating the setting of system registry append-string information, and the registry path to be modified in the setting data is the restart-deletion registry path, and the file path to be written in the setting data is a protected file path, and the process is a malicious process;
if so, preventing the process from setting the system information;
wherein the system is the Windows operating system, and the set-system-information function is the NtSetSystemInformation function of the operating system kernel layer.
2. The method for intercepting restart deletion of a file according to claim 1, characterized in that, before monitoring the event in which a process calls the set-system-information function in the operating system, the method further comprises: setting in advance a hook function that hooks the set-system-information function;
the monitoring of the event in which a process calls the set-system-information function in the operating system comprises: monitoring, through the hook function, the event in which a process calls the set-system-information function in the operating system.
3. The method for intercepting restart deletion of a file according to claim 2, characterized in that preventing the process from setting the system information comprises:
returning a refusal message to the process through the hook function; or
the hook function refusing to call the set-system-information function, so as to prevent the process from setting the system information.
4. The method for intercepting restart deletion of a file according to claim 2, characterized in that the index number indicating the setting of system registry append-string information is 110.
5. The method for intercepting restart deletion of a file according to claim 2, characterized in that the restart-deletion registry path is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations.
6. The method for intercepting restart deletion of a file according to claim 1, characterized in that judging whether the file path to be written in the setting data is a protected file path comprises:
according to a pre-set feature-value algorithm, calculating the characteristic value of the file corresponding to the file path to be written in the setting data;
judging whether the characteristic value of the file corresponding to the file path to be written is recorded in a pre-set characteristic value library of protected files;
if the characteristic value of the file corresponding to the file path to be written is recorded in the characteristic value library of protected files, determining that the file path to be written is a protected file path;
wherein the characteristic value library of protected files records the characteristic values of files corresponding to known protected file paths.
7. The method for intercepting restart deletion of a file according to claim 6, characterized in that, before calculating, according to the pre-set feature-value algorithm, the characteristic value of the file corresponding to the file path to be written in the setting data, the method further comprises:
collecting known protected file paths;
according to the pre-set feature-value algorithm, obtaining the characteristic values of the files corresponding to the known protected file paths;
writing the characteristic values of the files corresponding to the known protected file paths into the characteristic value library of protected files.
8. The method for intercepting restart deletion of a file according to claim 1, characterized in that judging whether the process is a malicious process comprises:
obtaining the process path;
according to a pre-set feature-value algorithm, calculating the characteristic value of the file corresponding to the process path;
judging whether the characteristic value of the file corresponding to the process path is recorded in a pre-set malicious process characteristic value library;
if the malicious process characteristic value library records the characteristic value of the file corresponding to the process path, determining that the process is a malicious process;
wherein the malicious process characteristic value library records the characteristic values of files corresponding to known malicious process paths.
9. The method for intercepting restart deletion of a file according to claim 8, characterized in that, before calculating, according to the pre-set feature-value algorithm, the characteristic value of the file corresponding to the process path, the method further comprises:
collecting known malicious process paths;
according to the pre-set feature-value algorithm, obtaining the characteristic values of the files corresponding to the known malicious process paths;
writing the characteristic values of the files corresponding to the known malicious process paths into the malicious process characteristic value library.
10. The method for intercepting restart deletion of a file according to any one of claims 6 to 9, characterized in that the pre-set feature-value algorithm is:
calculating the Message Digest 5 value or hash value of the path as the characteristic value of the file corresponding to the path; or
obtaining the file version number from the path as the characteristic value of the file corresponding to the path.
11. A device for intercepting restart deletion of a file, characterized in that it comprises:
a monitoring module, configured to monitor the event in which a process calls a set-system-information function in an operating system;
an acquisition module, configured to obtain, according to the event listened to by the monitoring module, the type index number and setting data of the set-system-information call sent by the process;
a judgment module, configured to judge whether the type index number of the set-system-information call obtained by the acquisition module is the index number indicating the setting of system registry append-string information, and the registry path to be modified in the setting data is the restart-deletion registry path, and the file path to be written in the setting data is a protected file path, and the process is a malicious process;
a blocking module, configured to prevent the process from setting the system information when the judging result of the judgment module is yes;
wherein the system is the Windows operating system, and the set-system-information function is the NtSetSystemInformation function of the operating system kernel layer.
12. The device for intercepting restart deletion of a file according to claim 11, characterized in that the monitoring module is provided in advance with a hook function that hooks the NtSetSystemInformation function of the operating system kernel layer, and the monitoring module monitors, through the hook function, the event in which a process calls the set-system-information function in the operating system.
13. The device for intercepting restart deletion of a file according to claim 12, characterized in that the blocking module returns a refusal message to the process through the hook function, or refuses to call the set-system-information function, so as to prevent the process from setting the system information.
14. The device for intercepting restart deletion of a file according to claim 12, characterized in that the judgment module judges whether the type index number of the set-system-information call obtained by the acquisition module is 110, and if so determines that the type index number indicates the setting of system registry append-string information.
15. The device for intercepting restart deletion of a file according to claim 12, characterized in that the judgment module judges whether the registry path to be modified in the setting data is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, and if so determines that the registry path to be modified in the setting data is the restart-deletion registry path.
16. The device for intercepting restart deletion of a file according to claim 11, characterized in that the judgment module comprises:
a first judging submodule, configured to judge whether the type index number of the set-system-information call obtained by the acquisition module is the index number indicating the setting of system registry append-string information;
a second judging submodule, configured to judge, when the judging result of the first judging submodule is yes, whether the registry path to be modified in the setting data obtained by the acquisition module is the restart-deletion registry path;
The First Eigenvalue computational submodule is when being, according to setting in advance for the judging result in the second judgment submodule The feature value-based algorithm set seeks the feature of the file path respective file to be written in the setting data that the acquisition module obtains Value;
First path judging submodule, in the characteristic value library for judging pre-set agent-protected file, if record is State the characteristic value for the file path respective file to be written that the First Eigenvalue computational submodule is sought;If so, described in determining File path to be written is shielded file path;Wherein, in the characteristic value library of the agent-protected file record have it is known by The characteristic value of the file path respective file of protection;
Third judging submodule, for judging that the file path to be written is to be protected in the first path judging submodule When the file path of shield, judge whether that the process is malicious process.
17. The device for intercepting restart deletion of a file according to claim 16, characterized in that the judgment module further comprises:
a protected-file feature value library generation submodule, for counting known protected file paths in advance, obtaining the feature values of the files corresponding to the known protected file paths according to the preset feature value algorithm, and storing them in the feature value library of protected files.
18. The device for intercepting restart deletion of a file according to claim 11, characterized in that the judgment module comprises:
a first judging submodule, for judging whether the type index number of the set system information obtained by the acquisition module is the index number indicating setting of system registry appended string information;
a second judging submodule, for judging, when the judgment result of the first judging submodule is yes, whether the registry path to be modified in the setting data obtained by the acquisition module is the restart-deletion registry path;
a fourth judging submodule, for judging, when the judgment result of the second judging submodule is yes, whether the file path to be written in the setting data obtained by the acquisition module is a protected file path;
a process path acquisition submodule, for obtaining the process path when the judgment result of the fourth judging submodule is yes;
a second feature value calculation submodule, for calculating, according to a preset feature value algorithm, the feature value of the file corresponding to the process path obtained by the process path acquisition submodule;
a second path judging submodule, for judging whether the preset malicious process feature value library records the feature value, calculated by the second feature value calculation submodule, of the file corresponding to the process path; if so, determining that the process is a malicious process; wherein the malicious process feature value library records the feature values of the files corresponding to known malicious process paths.
19. The device for intercepting restart deletion of a file according to claim 18, characterized in that the judgment module further comprises:
a malicious process feature value library generation submodule, for counting known malicious process paths in advance, obtaining the feature values of the files corresponding to the known malicious process paths according to the preset feature value algorithm, and storing them in the malicious process feature value library.
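The judgment flow of claims 14 to 19, as an added Python example that is not code from the patent or its assignee: it models the parameters the acquisition module extracts from an intercepted NtSetSystemInformation call, applies the checks in the order the submodules prescribe, and returns the refusal status the blocking module of claim 13 would hand back. Only the type index number 110, the PendingFileRenameOperations key path and the decision order come from the claims; the feature value algorithm (SHA-256 of file contents), the in-memory file system, every sample path and file content, and the function names are assumptions of this example.

```python
"""Judgment logic of the claims, modelled over a constructed in-memory
file system. All paths and contents are constructed assumptions; only the
type index number 110, the PendingFileRenameOperations key path and the
decision order come from the patent claims."""
import hashlib
from dataclasses import dataclass

# Type index number indicating "set system registry appended string
# information" (claim 14).
SYSTEM_REGISTRY_APPEND_STRING = 110

# Registry path whose entries Session Manager processes at boot to rename
# or delete files (claim 15).
RESTART_DELETE_REG_PATH = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
    r"\PendingFileRenameOperations"
)

# Real NTSTATUS codes; the blocking module of claim 13 returns refusal
# information to the caller through the hook.
STATUS_ACCESS_DENIED = 0xC0000022
STATUS_SUCCESS = 0x00000000

# Constructed stand-in for the file system: path -> file contents.
FAKE_FS = {
    r"C:\Program Files\AV\avcore.dll": b"constructed: protected security component",
    r"C:\Users\Public\dropper.exe": b"constructed: known malicious sample",
    r"C:\Windows\System32\cleanmgr.exe": b"constructed: benign maintenance tool",
}


def feature_value(data: bytes) -> str:
    """Feature value algorithm. The claims leave it unspecified; SHA-256 of
    the file contents is the assumption used here."""
    return hashlib.sha256(data).hexdigest()


def build_library(paths, fs):
    """Claims 17 and 19: count known paths in advance and store the feature
    values of the corresponding files in a library."""
    return {feature_value(fs[p]) for p in paths}


PROTECTED_LIB = build_library([r"C:\Program Files\AV\avcore.dll"], FAKE_FS)
MALICIOUS_LIB = build_library([r"C:\Users\Public\dropper.exe"], FAKE_FS)


def strip_nt_prefix(path: str) -> str:
    """Entries written to PendingFileRenameOperations carry the NT namespace
    prefix \\??\\ in front of the Win32 path; remove it before lookup."""
    return path[4:] if path.startswith("\\??\\") else path


@dataclass
class SetInfoRequest:
    """Parameters the acquisition module extracts from the intercepted call."""
    info_class: int          # type index number of the set system information
    registry_path: str       # registry path to be modified
    file_path_to_write: str  # file path to be written into the registry value
    process_path: str        # image path of the calling process


def judge(req, fs, protected_lib, malicious_lib) -> bool:
    """Return True when the call must be blocked, following the order of the
    submodules in claims 16 and 18."""
    # First judging submodule: is this a registry append-string call?
    if req.info_class != SYSTEM_REGISTRY_APPEND_STRING:
        return False
    # Second judging submodule: is the target the restart-deletion key?
    if req.registry_path.lower() != RESTART_DELETE_REG_PATH.lower():
        return False
    # Fourth judging submodule: is the file to be written a protected file?
    # A path that resolves to no file has no feature value and cannot match.
    target = fs.get(strip_nt_prefix(req.file_path_to_write))
    if target is None or feature_value(target) not in protected_lib:
        return False
    # Second feature value and second path judging submodules: is the
    # calling process a known malicious process?
    image = fs.get(req.process_path)
    return image is not None and feature_value(image) in malicious_lib


def hooked_set_system_information(req, fs=FAKE_FS,
                                  protected_lib=PROTECTED_LIB,
                                  malicious_lib=MALICIOUS_LIB) -> int:
    """Hook-function behaviour of claim 13: return a refusal status when
    judge() says block; otherwise let the call proceed (modelled here as
    STATUS_SUCCESS instead of forwarding to the original function)."""
    if judge(req, fs, protected_lib, malicious_lib):
        return STATUS_ACCESS_DENIED
    return STATUS_SUCCESS


if __name__ == "__main__":
    attempt = SetInfoRequest(
        info_class=SYSTEM_REGISTRY_APPEND_STRING,
        registry_path=RESTART_DELETE_REG_PATH,
        file_path_to_write=r"\??\C:\Program Files\AV\avcore.dll",
        process_path=r"C:\Users\Public\dropper.exe",
    )
    print(hex(hooked_set_system_information(attempt)))  # 0xc0000022
```

The order of the checks matters for cost: the two cheap comparisons (index number, registry path) run first, and the file hash is computed only for calls that already target the restart-deletion key, so ordinary NtSetSystemInformation traffic pays no hashing cost.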
20. An electronic device, characterized in that the electronic device comprises: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit is used for supplying power to each circuit or device of the electronic device; the memory is used for storing executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to execute the method for intercepting restart deletion of a file according to any one of claims 1-10.
CN201610457599.0A 2016-06-22 2016-06-22 Method and device for intercepting restart deletion of file Active CN105868625B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610457599.0A CN105868625B (en) 2016-06-22 2016-06-22 Method and device for intercepting restart deletion of file

Publications (2)

Publication Number Publication Date
CN105868625A CN105868625A (en) 2016-08-17
CN105868625B true CN105868625B (en) 2018-10-12

Family

ID=56649877

Country Status (1)

Country Link
CN (1) CN105868625B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107645546B (en) * 2017-09-12 2021-07-06 深圳Tcl新技术有限公司 File monitoring method based on android system, intelligent device and storage medium
CN108363931B (en) * 2018-02-13 2020-06-23 奇安信科技集团股份有限公司 Method and device for restoring files in isolation area
CN108304699B (en) * 2018-02-13 2020-07-14 奇安信科技集团股份有限公司 Method and device for protecting security software
CN116204883B (en) * 2023-01-11 2023-08-22 安芯网盾(北京)科技有限公司 Method and system for detecting and blocking file self-deletion based on Linux kernel

Citations (3)

Publication number Priority date Publication date Assignee Title
CN102902919A (en) * 2012-08-30 2013-01-30 北京奇虎科技有限公司 Method, device and system for identifying and processing suspicious practices
CN104035842A (en) * 2014-06-30 2014-09-10 上海斐讯数据通信技术有限公司 Method for deleting and recovering built-in application program
CN104182661A (en) * 2013-05-24 2014-12-03 富泰华工业(深圳)有限公司 Software protection system

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
KR20100025116A (en) * 2008-08-27 2010-03-09 (주) 애니컴페니언 Fully automatic deletion using the system to prevent the leakage of documents
US8510597B2 (en) * 2011-02-08 2013-08-13 Wisconsin Alumni Research Foundation Providing restartable file systems within computing devices

Non-Patent Citations (1)

Title
File operation detection and redirection method based on a minifilter driver; Liu Sheng et al.; Information and Electronic Engineering; 2012-12-31; full text *

Also Published As

Publication number Publication date
CN105868625A (en) 2016-08-17

Similar Documents

Publication Publication Date Title
CN106682495B (en) Safety protection method and safety protection device
US8301433B2 (en) Software behavior modeling apparatus, software behavior monitoring apparatus, software behavior modeling method, and software behavior monitoring method
CN105868625B (en) Method and device for intercepting restart deletion of file
CN108932428B (en) Lesog software processing method, device, equipment and readable storage medium
CN107133498A (en) A kind of privacy application management method and device and mobile terminal
JP2017211978A (en) Business processing system monitoring device and monitoring method
Mohsen et al. Android keylogging threat
CN107563192A (en) A kind of means of defence for extorting software, device, electronic equipment and storage medium
CN113872965B (en) SQL injection detection method based on Snort engine
CN106203092A (en) Method and device for intercepting shutdown of malicious program and electronic equipment
CN106127034B (en) A kind of method, apparatus that anti-locking system is maliciously closed and electronic equipment
Stirparo et al. In-memory credentials robbery on android phones
CN110321731A (en) A kind of information protecting method and mobile terminal
Yang et al. Inference attack in android activity based on program fingerprint
Kim et al. A study on the digital forensic investigation method of clever malware in IoT devices
CN106127050A (en) Method and device for preventing system cursor from being maliciously modified and electronic equipment
CN106203107A (en) Method and device for preventing system menu from being maliciously modified and electronic equipment
CN113596044B (en) Network protection method and device, electronic equipment and storage medium
CN106127051A (en) Method and device for preventing mouse from being maliciously captured and electronic equipment
CN111651764B (en) Process monitoring method and device, electronic equipment and storage medium
Djemaiel et al. Intrusion detection and tolerance: A global scheme
CN113392410A (en) Interface security detection method and device, computer equipment and storage medium
CN113672925A (en) Method, device, storage medium and electronic equipment for preventing lasso software attack
CN106709357A (en) Kernel internal storage monitoring based vulnerability prevention system for Android platform
Kayabaş et al. Cyber Wars and Cyber Threats Against Mobile Devices: Analysis of Mobile Devices

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20190109

Address after: 519031 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province

Patentee after: Zhuhai Leopard Technology Co.,Ltd.

Address before: 100085 East District, No. 33 Xiaoying West Road, Haidian District, Beijing

Patentee before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.
