CN105868625B - Method and device for intercepting restart deletion of file - Google Patents
- Publication number: CN105868625B (application CN201610457599.0A)
- Authority
- CN
- China
- Prior art keywords
- file
- path
- characteristic value
- setting
- deletion
- Prior art date
- Legal status: Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The embodiment of the invention discloses a method and a device for intercepting restart deletion of a file, and an electronic device. It relates to the technical field of computer security and can effectively prevent a malicious process from deleting the files of security software. The method comprises the following steps: monitoring an event in which a process calls the set-system-information function of the operating system; according to the monitored event, acquiring the type index number and the setting data of the system information that the process passes in; judging whether the type index number is the index number denoting setting the system registry append string information, whether the registry path to be modified in the setting data is the restart deletion registry path, whether the file path to be written in the setting data is a protected file path, and whether the process is a malicious process; if so, preventing the process from setting the system information. The method and the device are suitable for protecting security files from restart deletion.
Description
Technical field
The present invention relates to the technical field of computer security, and in particular to a method and a device for intercepting restart deletion of a file.
Background technology
At present, security software has self-protection. While self-protection is active, an attempt by malware to delete the related files of the security software is refused. Malicious processes therefore use a mechanism that the Windows system provides for deleting files on restart: the path information of the security software's related files is written to the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations. When the system next restarts, before the self-protection of the security software has taken effect, the system deletes the related files of the security software, and the security software can then no longer protect the user's system normally.
The mainstream method of writing to the registry is to call the kernel function NtSetValueKey provided by the system, which can modify registry data. In implementing the present invention, the inventor found that the Windows kernel layer additionally provides the kernel function NtSetSystemInformation. This function sets certain information of the system, such as time, processor and process memory information. The NtSetSystemInformation function has three parameters. The first parameter is the type index number of the system information to be set; for example, the index number for setting time information is 28 and the index number for setting process information is 5. The second parameter is the specific data to be set; if the index number is 28, this parameter is the specific time data to be set. Research showed that the index number 110 denotes setting the system registry append string information. Calling the NtSetSystemInformation function with its first parameter set to 110 modifies registry data, and the second parameter then contains the registry path to be modified, the specific value name, and the specific data of the modification. A malicious process can therefore use the NtSetSystemInformation function to delete the files of security software by covertly modifying the registry, which reduces the security protection performance of the system.
Invention content
In view of this, the embodiment of the present invention provides a method, a device and an electronic device for intercepting restart deletion of a file, which can effectively prevent a malicious process from deleting the files of security software and thereby protect the user's system.
In a first aspect, the embodiment of the present invention provides a method for intercepting restart deletion of a file, comprising:
monitoring an event in which a process calls the set-system-information function of the operating system;
according to the monitored event, acquiring the type index number and the setting data of the system information passed in by the process;
judging whether the type index number of the system information to be set is the index number denoting setting the system registry append string information, and the registry path to be modified in the setting data is the restart deletion registry path, and the file path to be written in the setting data is a protected file path, and the process is a malicious process;
if so, preventing the process from setting the system information.
With reference to the first aspect, in a first embodiment of the first aspect, the system is the Windows operating system, and the set-system-information function is the NtSetSystemInformation function of the operating system kernel layer;
before monitoring the event in which the process calls the set-system-information function, the method further comprises: presetting a hook function that hooks the set-system-information function;
monitoring the event in which the process calls the set-system-information function comprises: monitoring, through the hook function, the event in which the process calls the set-system-information function.
With reference to the first embodiment of the first aspect, in a second embodiment of the first aspect, preventing the process from setting the system information comprises:
returning refusal information to the process through the hook function; or
the hook function refusing to call the set-system-information function, so as to prevent the process from setting the system information.
With reference to the first embodiment of the first aspect, in a third embodiment of the first aspect, the index number denoting setting the system registry append string information is 110.
With reference to the first embodiment of the first aspect, in a fourth embodiment of the first aspect, the restart deletion registry path is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations.
With reference to the first aspect, in a fifth possible implementation of the first aspect, judging whether the file path to be written in the setting data is a protected file path comprises:
computing, according to a preset feature-value algorithm, the feature value of the file corresponding to the file path to be written in the setting data;
judging whether the feature value of the file corresponding to the file path to be written is recorded in a preset feature-value library of protected files;
if the feature value of the file corresponding to the file path to be written is recorded in the feature-value library of protected files, determining that the file path to be written is a protected file path;
wherein the feature-value library of protected files records the feature values of the files corresponding to known protected file paths.
With reference to the sixth embodiment of the first aspect, in a seventh possible implementation of the first aspect, before computing, according to the preset feature-value algorithm, the feature value of the file corresponding to the file path to be written in the setting data, the method further comprises:
collecting the known protected file paths;
obtaining, according to the preset feature-value algorithm, the feature values of the files corresponding to the known protected file paths;
writing the feature values of the files corresponding to the known protected file paths into the feature-value library of protected files.
With reference to the first aspect, in a seventh embodiment of the first aspect, judging whether the process is a malicious process comprises:
obtaining the process path;
computing, according to a preset feature-value algorithm, the feature value of the file corresponding to the process path;
judging whether the feature value of the file corresponding to the process path is recorded in a preset malicious-process feature-value library;
if the malicious-process feature-value library records the feature value of the file corresponding to the process path, determining that the process is a malicious process;
wherein the malicious-process feature-value library records the feature values of the files corresponding to known malicious process paths.
With reference to the seventh embodiment of the first aspect, in an eighth embodiment of the first aspect, before computing, according to the preset feature-value algorithm, the feature value of the file corresponding to the process path, the method further comprises:
collecting the known malicious process paths;
obtaining, according to the preset feature-value algorithm, the feature values of the files corresponding to the known malicious process paths;
writing the feature values of the files corresponding to the known malicious process paths into the malicious-process feature-value library.
With reference to any one of the fifth to eighth embodiments of the first aspect, in a ninth embodiment of the first aspect, the preset feature-value algorithm is:
computing the message digest algorithm value or the hash value of the file at the path as the feature value of the file corresponding to the path; or
obtaining the file version number from the file at the path as the feature value of the file corresponding to the path.
In a second aspect, the embodiment of the present invention provides a device for intercepting restart deletion of a file, comprising:
a monitoring module, for monitoring an event in which a process calls the set-system-information function of the operating system;
an acquisition module, for acquiring, according to the event monitored by the monitoring module, the type index number and the setting data of the system information passed in by the process;
a judgment module, for judging whether the type index number of the system information acquired by the acquisition module is the index number denoting setting the system registry append string information, and the registry path to be modified in the setting data is the restart deletion registry path, and the file path to be written in the setting data is a protected file path, and the process is a malicious process;
a blocking module, for preventing the process from setting the system information when the judging result of the judgment module is yes.
In conjunction with the second aspect, in a first embodiment of the second aspect, when the operating system is the Windows operating system, the monitoring module is preset with a hook function that hooks the NtSetSystemInformation function of the operating system kernel layer, and the monitoring module monitors, through the hook function, the event in which the process calls the set-system-information function.
In conjunction with the first embodiment of the second aspect, in a second embodiment of the second aspect, the blocking module returns refusal information to the process through the hook function, or refuses to call the set-system-information function, so as to prevent the process from setting the system information.
In conjunction with the first embodiment of the second aspect, in a third embodiment of the second aspect, the judgment module judges whether the type index number of the system information acquired by the acquisition module is 110; if so, it determines that the type index number of the system information is the index number denoting setting the system registry append string information.
In conjunction with the first embodiment of the second aspect, in a fourth embodiment of the second aspect, the judgment module judges whether the registry path to be modified in the setting data is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations; if so, it determines that the registry path to be modified in the setting data is the restart deletion registry path.
In conjunction with the second aspect, in a fifth embodiment of the second aspect, the judgment module comprises:
a first judging submodule, for judging whether the type index number of the system information acquired by the acquisition module is the index number denoting setting the system registry append string information;
a second judging submodule, for judging, when the judging result of the first judging submodule is yes, whether the registry path to be modified in the setting data acquired by the acquisition module is the restart deletion registry path;
a first feature-value computing submodule, for computing, when the judging result of the second judging submodule is yes and according to a preset feature-value algorithm, the feature value of the file corresponding to the file path to be written in the setting data acquired by the acquisition module;
a first path judging submodule, for judging whether the feature value of the file corresponding to the file path to be written, as computed by the first feature-value computing submodule, is recorded in a preset feature-value library of protected files; if so, determining that the file path to be written is a protected file path; wherein the feature-value library of protected files records the feature values of the files corresponding to known protected file paths;
a third judging submodule, for judging whether the process is a malicious process when the first path judging submodule determines that the file path to be written is a protected file path.
In conjunction with the fifth embodiment of the second aspect, in a sixth embodiment of the second aspect, the judgment module further comprises:
a protected-file feature-value library generating submodule, for collecting the known protected file paths in advance, obtaining the feature values of the files corresponding to the known protected file paths according to the preset feature-value algorithm, and storing them in the feature-value library of protected files.
In conjunction with the second aspect, in a seventh embodiment of the second aspect, the judgment module comprises:
a first judging submodule, for judging whether the type index number of the system information acquired by the acquisition module is the index number denoting setting the system registry append string information;
a second judging submodule, for judging, when the judging result of the first judging submodule is yes, whether the registry path to be modified in the setting data acquired by the acquisition module is the restart deletion registry path;
a fourth judging submodule, for judging, when the judging result of the second judging submodule is yes, whether the file path to be written in the setting data acquired by the acquisition module is a protected file path;
a process path acquiring submodule, for obtaining the process path when the judging result of the fourth judging submodule is yes;
a second feature-value computing submodule, for computing, according to a preset feature-value algorithm, the feature value of the file corresponding to the process path obtained by the process path acquiring submodule;
a second path judging submodule, for judging whether the feature value of the file corresponding to the process path, as computed by the second feature-value computing submodule, is recorded in a preset malicious-process feature-value library; if so, determining that the process is a malicious process; wherein the malicious-process feature-value library records the feature values of the files corresponding to known malicious process paths.
In conjunction with the seventh embodiment of the second aspect, in an eighth embodiment of the second aspect, the judgment module further comprises:
a malicious-process feature-value library generating submodule, for collecting the known malicious process paths in advance, obtaining the feature values of the files corresponding to the known malicious process paths according to the preset feature-value algorithm, and storing them in the malicious-process feature-value library.
In a third aspect, the embodiment of the present invention provides an electronic device, comprising: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or component of the electronic device; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, so as to execute the method for intercepting restart deletion of a file described in any one of the foregoing embodiments.
The method, device and electronic device for intercepting restart deletion of a file provided by the embodiment of the present invention monitor the event in which a process calls the set-system-information function of the operating system. If it is detected that the set-system-information function is called by a process, the type index number and the setting data of the system information passed in by the process are acquired, and it is judged whether the type index number of the system information is the index number denoting setting the system registry append string information, and the registry path to be modified in the setting data is the restart deletion registry path, and the file path to be written in the setting data is a protected file path, and the process is a malicious process. If all of the above judging conditions are met, the process is prevented from setting the system information. In this way, the behaviour of malware that performs restart deletion of a file by covertly modifying the registry can be intercepted, improving the security performance of the system.
Description of the drawings
In order to explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of embodiment one of the method for intercepting restart deletion of a file of the present invention;
Fig. 2 is a flow chart of one implementation of step 103;
Fig. 3 is a flow chart of embodiment two of the method for intercepting restart deletion of a file of the present invention;
Fig. 4 is a structural schematic diagram of a device for intercepting restart deletion of a file provided by the present invention;
Fig. 5 is another structural schematic diagram of a device for intercepting restart deletion of a file provided by the present invention;
Fig. 6 is another structural schematic diagram of a device for intercepting restart deletion of a file provided by the present invention;
Fig. 7 is a structural schematic diagram of an embodiment of the electronic device of the present invention.
Specific implementation mode
The method, device and electronic device for intercepting restart deletion of a file provided by the embodiment of the present invention are described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort shall fall within the protection scope of the present invention.
Fig. 1 is a flow chart of embodiment one of the method for intercepting restart deletion of a file of the present invention. As shown in Fig. 1, the method of the present embodiment may comprise the following steps:
Step 101: monitoring an event in which a process calls the set-system-information function of the operating system.
The operating system provides a set-system-information function. The process of a malicious application can, by calling this function, write the path information of the security software's related files to the restart deletion registry location; when the system next restarts, before the self-protection of the security software has taken effect, the system deletes the related files of the security software. By monitoring the event in which the set-system-information function is called, the present embodiment can intercept in time the message with which a malicious application sets the system information.
Step 102: according to the monitored event, acquiring the type index number and the setting data of the system information passed in by the process.
When the process of a malicious application begins to call the set-system-information function, it passes the type index number and the setting data of the system information to that function. In the present embodiment, the type index number and the setting data can be intercepted before they reach the set-system-information function.
Step 103: judging whether the type index number of the system information is the index number denoting setting the system registry append string information, and the registry path to be modified in the setting data is the restart deletion registry path, and the file path to be written in the setting data is a protected file path, and the process is a malicious process; if so, executing step 104.
Only when, in this step, the type index number of the system information is the index number denoting setting the system registry append string information, and the registry path to be modified is the restart deletion registry path, and the file path to be written is a protected file path, and the process is a malicious process, is it established that the monitored event is a malicious process calling the set-system-information function of the system in order to write a protected file path into the restart deletion registry path, and that the event must be prevented.
Step 104: preventing the process from setting the system information.
Fig. 2 is a flow chart of one implementation of step 103. As shown in Fig. 2, step 103 may comprise the following steps 1031 to 1036:
Step 1031: judging whether the type index number of the system information is the index number denoting setting the system registry append string information; if so, executing step 1032.
Step 1032: obtaining the registry path to be modified from the setting data.
Step 1033: judging whether the registry path to be modified is the restart deletion registry path; if so, executing step 1034.
In the present embodiment, if the type index number of the system information is the index number denoting setting the system registry append string information, then, in order to prevent a malicious process from setting system information so that a protected file is deleted on restart, the registry path to be modified is obtained from the setting data passed to the set-system-information function, and it is judged whether it is the restart deletion registry path. If not, the system information set by this process does not concern the setting for deleting a file on restart.
Step 1034: obtaining the file path to be written from the setting data.
Step 1035: judging whether the file path to be written is a protected file path; if so, executing step 1036.
In the present embodiment, if the registry path to be modified is the restart deletion registry path, the file path to be written is further obtained, and it is judged whether the file path to be written is a protected file path, that is, whether the file being written into the restart deletion registry path is a protected file. If it is, this setting of system information is likely to be malicious behaviour.
In the present embodiment, as an optional mode, step 1035 may compute, according to a preset feature-value algorithm, the feature value of the file corresponding to the file path to be written; then judge whether the feature value of the file corresponding to the file path to be written is recorded in a preset feature-value library of protected files; and, if the feature value of the file corresponding to the file path to be written is recorded in the feature-value library of protected files, determine that the file path to be written is a protected file path. The feature-value library of protected files records the feature values of the files corresponding to known protected file paths. The feature-value library of protected files is generated as follows: before the present invention is executed, the known protected file paths are collected in advance; according to the preset feature-value algorithm, the feature values of the files corresponding to the known protected file paths are obtained and written into the feature-value library of protected files.
Step 1036: judging whether the process is a malicious process.
In this step, if the process is a malicious process, the judging result of step 103 is yes, and step 104 can be executed.
Since a malicious program can hardly change its process path at random, as an optional mode in the present embodiment, the method by which step 1036 judges whether the process is a malicious process is as follows: first, obtain the path of the process that is currently calling the set-system-information function of the system in order to write a protected file path into the restart deletion registry path; then, according to the preset feature-value algorithm, obtain the feature value of the file corresponding to the process path; then judge whether the feature value of the file corresponding to the process path is recorded in a preset feature library. If the feature value of the file corresponding to the process path is recorded in the preset feature library, the process is determined to be a malicious process; if it is not recorded in the preset feature library, the process is determined not to be a malicious process. The feature library is preset, and it is generated as follows: collect the known malicious process paths; according to the preset feature-value algorithm, obtain the feature values of the files corresponding to the known malicious process paths and store them in the feature library.
Through the above steps, malware fails when it performs a restart deletion operation on a protected file.
Preferably, when computing the feature value of the file corresponding to the file path to be written or of the file corresponding to the process path, the feature-value algorithm used is: computing the message digest algorithm (MD5) value or the hash (HASH) value of the file at the file path to be written or at the process path as the feature value of the corresponding file; or obtaining the file version number from the file at the file path to be written or at the process path as the feature value of the corresponding file.
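The decision chain of steps 1031 to 1036, the feature-value library build described with step 1035 and step 1036, and the hook that either returns refusal information or forwards the call (the first-aspect embodiments above), written out as a runnable user-mode model. This is an added example and is not the patent's code or any vendor's driver: the in-memory file system, the file paths, the NTSTATUS-style return codes, the `SettingData` field names and the handling of a `\??\` path prefix are assumptions of the example; the index numbers 28, 5 and 110, the registry path and the MD5 feature value are taken from the text.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Set

# Type index numbers of the first NtSetSystemInformation parameter, as named in the text.
SYSTEM_TIME_INFORMATION = 28
SYSTEM_PROCESS_INFORMATION = 5
SYSTEM_REGISTRY_APPEND_STRING = 110

# The "restart deletion registry path" from the text.
RESTART_DELETE_REGISTRY_PATH = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
    r"\PendingFileRenameOperations"
)

# Return codes of the modelled hook (assumption: NTSTATUS-style values, not from the text).
STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022

# Constructed in-memory "file system": path -> file content, standing in for reads from disk.
FILES: Dict[str, bytes] = {
    r"C:\Program Files\SecSoft\selfprotect.sys": b"security driver image (constructed)",
    r"C:\Users\u\Downloads\dropper.exe": b"known malicious image (constructed)",
    r"C:\Windows\System32\notepad.exe": b"benign editor image (constructed)",
}


def normalize_path(path: str) -> str:
    """Strip an NT-style \\??\\ prefix from a path taken out of the registry value
    (assumption about the value format, not stated in the text)."""
    return path[4:] if path.startswith("\\??\\") else path


def feature_value(path: str, fs: Dict[str, bytes] = FILES) -> Optional[str]:
    """MD5 of the file the path points to: one of the feature-value algorithms the text names.
    Returns None when the file cannot be read, so an unknown file never matches a library."""
    data = fs.get(normalize_path(path))
    return hashlib.md5(data).hexdigest() if data is not None else None


def build_feature_library(paths: Iterable[str], fs: Dict[str, bytes] = FILES) -> Set[str]:
    """Collect known paths, compute their feature values and record them in a library."""
    values = (feature_value(p, fs) for p in paths)
    return {v for v in values if v is not None}


@dataclass
class SettingData:
    """Second NtSetSystemInformation parameter for index 110, as the text describes it."""
    registry_path: str
    value_name: str
    file_path: str


class RestartDeleteInterceptor:
    def __init__(self, protected_lib: Set[str], malicious_lib: Set[str],
                 fs: Dict[str, bytes] = FILES) -> None:
        self.protected_lib = protected_lib
        self.malicious_lib = malicious_lib
        self.fs = fs

    def is_protected_file(self, file_path: str) -> bool:
        """Step 1035: the feature value of the file to be written is in the protected library."""
        return feature_value(file_path, self.fs) in self.protected_lib

    def is_malicious_process(self, process_path: str) -> bool:
        """Step 1036: the feature value of the calling process image is in the malicious library."""
        return feature_value(process_path, self.fs) in self.malicious_lib

    def should_block(self, info_class: int, data: SettingData, process_path: str) -> bool:
        """Step 103: all four conditions must hold before the call is refused."""
        if info_class != SYSTEM_REGISTRY_APPEND_STRING:                              # step 1031
            return False
        if data.registry_path.casefold() != RESTART_DELETE_REGISTRY_PATH.casefold():  # step 1033
            return False
        if not self.is_protected_file(data.file_path):                                # step 1035
            return False
        return self.is_malicious_process(process_path)                                # step 1036

    def hooked_set_system_information(self, info_class: int, data: SettingData,
                                      process_path: str,
                                      original: Callable[[int, SettingData], int]) -> int:
        """Hook body: return refusal information to the caller, or forward to the original."""
        if self.should_block(info_class, data, process_path):
            return STATUS_ACCESS_DENIED
        return original(info_class, data)


def demo() -> tuple:
    protected = build_feature_library([r"C:\Program Files\SecSoft\selfprotect.sys"])
    malicious = build_feature_library([r"C:\Users\u\Downloads\dropper.exe"])
    hook = RestartDeleteInterceptor(protected, malicious)
    forwarded = []

    def original(info_class: int, data: SettingData) -> int:  # stands in for the real kernel function
        forwarded.append(info_class)
        return STATUS_SUCCESS

    write = SettingData(RESTART_DELETE_REGISTRY_PATH, "PendingFileRenameOperations",
                        r"\??\C:\Program Files\SecSoft\selfprotect.sys")
    dropper = r"C:\Users\u\Downloads\dropper.exe"
    notepad = r"C:\Windows\System32\notepad.exe"
    blocked = hook.hooked_set_system_information(SYSTEM_REGISTRY_APPEND_STRING, write, dropper, original)
    time_set = hook.hooked_set_system_information(SYSTEM_TIME_INFORMATION, SettingData("", "", ""), dropper, original)
    benign = hook.hooked_set_system_information(SYSTEM_REGISTRY_APPEND_STRING, write, notepad, original)
    return blocked, time_set, benign, forwarded
```

`demo()` shows the three outcomes the flow chart distinguishes: the call with index 110 from the known-malicious image against a protected file is refused without reaching the original function, a call with index 28 is forwarded untouched, and the same registry write from an image that is not in the malicious library is also forwarded, because the text requires all four conditions before blocking. Reading a file that does not exist yields no feature value, so it can never match either library.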
The method for intercepting restart deletion of a file provided by the present embodiment monitors the event in which a process calls the set-system-information function of the operating system. If it is detected that the set-system-information function is called by a process, the type index number and the setting data of the system information passed in by the process are acquired, and it is judged whether the type index number of the system information is the index number denoting setting the system registry append string information. If it is, the registry path to be modified is obtained from the setting data, and it is judged whether the registry path to be modified is the restart deletion registry path. If it is, the file path to be written is obtained from the setting data, and it is judged whether the file path to be written is a protected file path. If it is, the process path is obtained, and it is judged from the process path whether the process is a malicious process. If the process is a malicious process, the process is prevented from setting the system information. In this way, the behaviour of malware that performs restart deletion of a file by covertly modifying the registry can be intercepted, improving the security performance of the system.
Fig. 3 is a flow chart of embodiment two of the method for intercepting restart deletion of a file of the present invention. The present embodiment is applied to the Windows operating system, and the set-system-information function is the NtSetSystemInformation function of the operating system kernel layer. The embodiment of the present invention is suitable for the shutdown protection of the operating system by security-protection applications such as Jinshan anti-virus software or Kingsoft bodyguard. As shown in Fig. 3, the method of the present embodiment comprises the following steps:
Step 201: monitor the event of a process calling the NtSetSystemInformation function in the operating system.
A hook function is in effect a program segment that handles messages; it is called by the system and linked into the system. Whenever a particular message is issued, the hook function captures the message before it reaches its destination window, that is, the hook function gains control first. At that point the hook function may process the message, may leave it unprocessed and continue to pass it on, or may force the delivery of the message to end.
In this embodiment, before this step is executed, the hook function is pre-established in the defence driver of a security application such as Jinshan anti-virus software, and the hook function hooks the NtSetSystemInformation function of the operating system. The defence driver of the security application starts running after the Windows operating system boots.
In this embodiment, the original entry address of the NtSetSystemInformation function is replaced with the entry address of the hook function of this embodiment. When a malicious process calls NtSetSystemInformation, because the original entry address of that function has been replaced with the entry address of the hook function, the call jumps to the hook function of this embodiment, which is how the monitoring of NtSetSystemInformation is achieved. In order to be able to call back into the NtSetSystemInformation function, its original entry address must be saved before it is replaced with the entry address of the hook function.
Step 202: according to the event detected, the hook function obtains the type index number and the setting data of the set-system-information request transmitted by the process.
In this embodiment, a malicious process calls the NtSetSystemInformation function by having the Windows operating system issue a message that calls NtSetSystemInformation, and this message can be intercepted directly by the hook function. When the hook function intercepts the message, this is regarded as detecting the event of a process calling NtSetSystemInformation. The message contains the parameters that the process passes to NtSetSystemInformation, including the type index number of the set-system-information request and the setting data; the setting data includes information such as the registry path to be modified, the specific value name, the file path to be written, and the specific data of the modification.
Step 203: judge whether the type index number of the set-system-information request is the index number representing setting the system registry append string information; if so, execute step 204; otherwise, execute step 210.
In this embodiment, if the type index number of the set-system-information request is 110, that index number represents setting the system registry append string information (index 110 corresponds to SystemRegistryAppendString in the publicly known SYSTEM_INFORMATION_CLASS enumeration), and step 204 is executed. If the type index number is not 110, this call is not a registry write, and step 210 is executed.
Step 204: obtain the registry path to be modified from the setting data.
Step 205: judge whether the registry path to be modified is the restart-deletion registry path; if so, execute step 206; otherwise, execute step 210.
In this embodiment, it is judged whether the registry path to be modified is the restart-deletion registry path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations. If the registry path to be modified is not the restart-deletion registry path, this operation is not a write to the restart-deletion registry path, and step 210 is executed. Note that in kernel mode the same key is addressed in native form as \Registry\Machine\SYSTEM\CurrentControlSet\Control\Session Manager, so the comparison must accept that spelling, and registry paths are not case sensitive.
Step 206: obtain the file path to be written from the setting data.
Step 207: judge whether the file path to be written is a protected file path; if so, execute step 208; otherwise, execute step 210.
In this embodiment, step 207 is implemented in the same way as step 1035 of the method embodiment above, and is not described again here.
Step 208: judge whether the process is a malicious process; if the process is a malicious process, execute step 209; if the process is not a malicious process, execute step 210.
In this embodiment, the method of judging whether the process is a malicious process is similar to step 1036 of the method embodiment above, and is not described again here.
Step 209: the hook function returns a refusal message to the process, or refuses to call the NtSetSystemInformation function, so as to prevent the process from setting the system information.
Step 210: allow the process to call the NtSetSystemInformation function.
In this embodiment, the hook function monitors the event of calling NtSetSystemInformation and, when it judges that the set-system-information call writes a protected file path into the restart-deletion registry path and that the process path belongs to a malicious process, blocks the call in time. This prevents the secure files of the system from being deleted on restart and improves the security of the system.
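The decision chain of steps 201 to 210, together with the characteristic value libraries of steps 1035 and 1036, as an added example in C written for this page; it is not the patent's or Kingsoft's code. The kernel service table, NtSetSystemInformation and the file system are replaced by in-process stand-ins so that it runs anywhere: the dispatch table is a function pointer, the "setting data" is a hypothetical struct that a real driver would first decode from the request buffer, file contents are constructed strings, and FNV-1a stands in for the MD5 of the file. Index 110 is SystemRegistryAppendString in the public SYSTEM_INFORMATION_CLASS enumeration, and the registry path is spelled in the \Registry\Machine form the kernel sees. Two caveats a practitioner would add: replacing a service table entry as the patent describes is blocked by kernel patch protection on 64-bit Windows, so a modern driver needs a different interception point; and this hook sees only writes that travel through NtSetSystemInformation, so the same value written through the ordinary registry API needs separate coverage, for example a registry callback.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strcasecmp; a driver would use RtlEqualUnicodeString(..., TRUE) */

/* Values from the patent text and the public NT headers. */
#define SYSTEM_REGISTRY_APPEND_STRING 110u
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS        ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_DENIED  ((NTSTATUS)0xC0000022)

/* Hypothetical, already-decoded view of the "setting data" (an assumption of
 * this example): the registry path to be modified, the file path to be written
 * and the image path of the calling process, as narrow strings for portability. */
typedef struct {
    const char *registry_path;
    const char *file_path;
    const char *process_path;
} SET_INFO_REQUEST;

/* Restart-deletion registry path as the kernel addresses it. */
static const char RESTART_DELETE_PATH[] =
    "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations";

/* Constructed stand-in for the file system: path -> contents the hash is taken over. */
static const struct { const char *path; const char *contents; } FILES[] = {
    { "C:\\av\\core.dll",       "constructed protected AV component" },
    { "C:\\tmp\\dropper.exe",   "constructed malware image" },
    { "C:\\tools\\updater.exe", "constructed benign updater image" },
};

/* Characteristic value of the file at a path (FNV-1a 64 in place of MD5). 0 = no such file. */
static uint64_t characteristic_value(const char *path) {
    for (size_t i = 0; i < sizeof FILES / sizeof FILES[0]; i++) {
        if (strcasecmp(FILES[i].path, path) == 0) {
            uint64_t h = 0xcbf29ce484222325ull;
            for (const unsigned char *p = (const unsigned char *)FILES[i].contents; *p; p++)
                h = (h ^ *p) * 0x100000001b3ull;
            return h;
        }
    }
    return 0;
}

/* Characteristic value libraries (claims 7 and 9), filled once at start-up
 * from the known protected file paths and known malicious process paths. */
#define LIB_MAX 8
static uint64_t g_protected[LIB_MAX], g_malicious[LIB_MAX];
static size_t g_nprotected, g_nmalicious;

static void build_libraries(void) {
    g_nprotected = g_nmalicious = 0;
    g_protected[g_nprotected++] = characteristic_value("C:\\av\\core.dll");
    g_malicious[g_nmalicious++] = characteristic_value("C:\\tmp\\dropper.exe");
}

static int in_library(const uint64_t *lib, size_t n, uint64_t v) {
    for (size_t i = 0; i < n; i++) if (lib[i] == v) return 1;
    return 0;
}

/* One dispatch-table slot standing in for the kernel's service table entry. */
typedef NTSTATUS (*PFN_NT_SET_SYSTEM_INFORMATION)(unsigned cls, const void *data, unsigned len);
static NTSTATUS original_NtSetSystemInformation(unsigned cls, const void *data, unsigned len) {
    (void)cls; (void)data; (void)len;
    return STATUS_SUCCESS;   /* stand-in: the real kernel would perform the registry append */
}
static PFN_NT_SET_SYSTEM_INFORMATION g_table_entry = original_NtSetSystemInformation;
static PFN_NT_SET_SYSTEM_INFORMATION g_saved_original;   /* saved before the entry is replaced */

/* Hook function: steps 203 to 210 of Fig. 3. Every "no" branch passes the call through. */
static NTSTATUS hook_NtSetSystemInformation(unsigned cls, const void *data, unsigned len) {
    if (cls != SYSTEM_REGISTRY_APPEND_STRING)                                            /* step 203 */
        return g_saved_original(cls, data, len);
    const SET_INFO_REQUEST *req = data;
    if (strcasecmp(req->registry_path, RESTART_DELETE_PATH) != 0)                        /* step 205 */
        return g_saved_original(cls, data, len);
    if (!in_library(g_protected, g_nprotected, characteristic_value(req->file_path)))    /* step 207 */
        return g_saved_original(cls, data, len);
    if (!in_library(g_malicious, g_nmalicious, characteristic_value(req->process_path))) /* step 208 */
        return g_saved_original(cls, data, len);
    return STATUS_ACCESS_DENIED;                                                          /* step 209 */
}

/* Step 201: build the libraries, save the original entry, then redirect it to the hook. */
static void install_hook(void) {
    build_libraries();
    g_saved_original = g_table_entry;
    g_table_entry = hook_NtSetSystemInformation;
}

/* What a caller of NtSetSystemInformation observes once the hook is installed. */
static NTSTATUS simulate_call(unsigned cls, const char *reg, const char *file, const char *proc) {
    SET_INFO_REQUEST req = { reg, file, proc };
    return g_table_entry(cls, &req, (unsigned)sizeof req);
}
```

The order of the checks is the cheap-to-expensive order a driver wants on a hot path: the class compare and the path compare reject almost every call before any file is hashed. Hashing the target and the caller's image on each matching call is the cost of the patent's characteristic-value approach; a production driver would cache the values per file and invalidate them on write.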
A specific example is used below to describe in detail the technical solution of any of the method embodiments shown in Figs. 1 to 3.
In a user's computer environment there is a piece of malware A that wants to delete the files of Jinshan anti-virus software. A conventional file delete operation fails, because Jinshan anti-virus software has self-protection that keeps its files from being deleted maliciously, so the malware deletes the files of Jinshan anti-virus software by means of restart deletion. The present invention hooks, in the defence driver of Jinshan anti-virus software, the NtSetSystemInformation function through which the registry is covertly modified. When the process of malware A calls NtSetSystemInformation to write the file path information of Jinshan anti-virus software into the restart-deletion registry location, intending to delete the files of Jinshan anti-virus software on restart, the defence driver intercepts this behaviour and returns a message refusing the call, so that the malware cannot delete the files of Jinshan anti-virus software through a restart, and the user's system environment is better protected from damage.
Fig. 4 is a schematic structural diagram of a device for intercepting the restart deletion of a file provided by the present invention. As shown in Fig. 4, the device of this embodiment may include a monitoring module 11, an acquisition module 12, a judgment module 13 and a blocking module 14. The monitoring module 11 is configured to monitor the event of a process calling the set-system-information function in the operating system. The acquisition module 12 is configured to obtain, according to the event detected by the monitoring module 11, the type index number and the setting data of the set-system-information request transmitted by the process. The judgment module 13 is configured to judge whether the type index number of the set-system-information request obtained by the acquisition module 12 is the index number representing setting the system registry append string information, whether the registry path to be modified in the setting data is the restart-deletion registry path, whether the file path to be written in the setting data is a protected file path, and whether the process is a malicious process. The blocking module 14 is configured to prevent the process from setting the system information when the judgment result of the judgment module 13 is yes.
The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 1; the implementation principle and technical effect are similar and are not described again here.
In another embodiment, when the device for intercepting the restart deletion of a file runs in the Windows operating system, the monitoring module 11 is pre-provided with a hook function that hooks the NtSetSystemInformation function of the operating system kernel layer, and the monitoring module 11 monitors, through the hook function, the event of a process calling the set-system-information function in the operating system. The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 3; the implementation principle and technical effect are similar and are not described again here.
In another optional embodiment, the blocking module 14 returns a refusal message to the process through the hook function, or refuses to call the set-system-information function, so as to prevent the process from setting the system information. The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 3; the implementation principle and technical effect are similar and are not described again here.
In another optional embodiment, the judgment module 13 judges whether the type index number of the set-system-information request obtained by the acquisition module 12 is 110; if so, it determines that the type index number of the set-system-information request is the index number representing setting the system registry append string information. The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 3; the implementation principle and technical effect are similar and are not described again here.
In another optional embodiment, the judgment module 13 judges whether the registry path to be modified is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations; if so, it determines that the registry path to be modified in the setting data is the restart-deletion registry path. The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 3; the implementation principle and technical effect are similar and are not described again here.
Fig. 5 is another schematic structural diagram of a device for intercepting the restart deletion of a file provided by the present invention. As shown in Fig. 5, on the basis of the device structure shown in Fig. 4, the judgment module 13 of this embodiment further includes a first judging submodule 131, a second judging submodule 132, a first characteristic value computing submodule 133, a first path judging submodule 134 and a third judging submodule 135.
The first judging submodule 131 is configured to judge whether the type index number of the set-system-information request obtained by the acquisition module 12 is the index number representing setting the system registry append string information. The second judging submodule 132 is configured to judge, when the judgment result of the first judging submodule 131 is yes, whether the registry path to be modified in the setting data obtained by the acquisition module 12 is the restart-deletion registry path. The first characteristic value computing submodule 133 is configured to compute, when the judgment result of the second judging submodule 132 is yes and according to a preset characteristic value algorithm, the characteristic value of the file corresponding to the file path to be written in the setting data obtained by the acquisition module 12. The first path judging submodule 134 is configured to judge whether the preset characteristic value library of protected files records the characteristic value, computed by the first characteristic value computing submodule 133, of the file corresponding to the file path to be written, and if so, to determine that the file path to be written is a protected file path; the characteristic value library of protected files records the characteristic values of the files corresponding to known protected file paths. The third judging submodule 135 is configured to judge whether the process is a malicious process when the first path judging submodule 134 judges that the file path to be written is a protected file path. In this embodiment, the blocking module 14 is specifically configured to prevent the process from setting the system information when the judgment result of the third judging submodule 135 is yes. The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 1 or Fig. 3; the implementation principle and technical effect are similar and are not described again here.
Preferably, in another embodiment, the judgment module 13 shown in Fig. 5 may further include a protected-file characteristic value library generating submodule, configured to collect known protected file paths in advance and, according to the preset characteristic value algorithm, obtain the characteristic values of the files corresponding to the known protected file paths and store them in the characteristic value library of protected files. The first path judging submodule 134 then, when judging, matches the characteristic value of the file corresponding to the file path to be written against the characteristic value library of protected files generated by that submodule. The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 1 or Fig. 3; the implementation principle and technical effect are similar and are not described again here.
Fig. 6 is another schematic structural diagram of a device for intercepting the restart deletion of a file provided by the present invention. As shown in Fig. 6, on the basis of the device structure shown in Fig. 4, the judgment module 13 of this embodiment further includes a first judging submodule 131, a second judging submodule 132, a fourth judging submodule 136, a process path acquisition submodule 137, a second characteristic value computing submodule 138 and a second path judging submodule 139.
The first judging submodule 131 is configured to judge whether the type index number of the set-system-information request obtained by the acquisition module 12 is the index number representing setting the system registry append string information. The second judging submodule 132 is configured to judge, when the judgment result of the first judging submodule 131 is yes, whether the registry path to be modified in the setting data obtained by the acquisition module 12 is the restart-deletion registry path. The fourth judging submodule 136 is configured to judge, when the judgment result of the second judging submodule 132 is yes, whether the file path to be written in the setting data obtained by the acquisition module 12 is a protected file path. The process path acquisition submodule 137 is configured to obtain the process path when the judgment result of the fourth judging submodule 136 is yes. The second characteristic value computing submodule 138 is configured to compute, according to a preset characteristic value algorithm, the characteristic value of the file corresponding to the process path obtained by the process path acquisition submodule 137. The second path judging submodule 139 is configured to judge whether the preset characteristic value library of malicious processes records the characteristic value, computed by the second characteristic value computing submodule 138, of the file corresponding to the process path, and if so, to determine that the process is a malicious process; the characteristic value library of malicious processes records the characteristic values of the files corresponding to known malicious process paths. In this embodiment, the blocking module 14 is specifically configured to prevent the process from setting the system information when the second path judging submodule 139 determines that the process is a malicious process. The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 1 or Fig. 3; the implementation principle and technical effect are similar and are not described again here.
Preferably, in another embodiment, the judgment module 13 shown in Fig. 6 may further include a malicious-process characteristic value library generating submodule, configured to collect known malicious process paths in advance and, according to the preset characteristic value algorithm, obtain the characteristic values of the files corresponding to the known malicious process paths and store them in the characteristic value library of malicious processes. The second path judging submodule 139 then, when judging, matches the characteristic value computed by the second characteristic value computing submodule 138 for the file corresponding to the process path against the characteristic value library of malicious processes generated by that submodule. The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 1 or Fig. 3; the implementation principle and technical effect are similar and are not described again here.
The embodiment of the present invention also provides an electronic device. Fig. 7 is a schematic structural diagram of an embodiment of the electronic device of the present invention, which can implement the flow of the embodiment shown in Fig. 1, Fig. 2 or Fig. 3. As shown in Fig. 7, the electronic device may include a housing 21, a processor 22, a memory 23, a circuit board 24 and a power circuit 25. The circuit board 24 is placed inside the space enclosed by the housing 21, and the processor 22 and the memory 23 are arranged on the circuit board 24. The power circuit 25 supplies power to each circuit or device of the electronic device. The memory 23 stores executable program code. The processor 22 reads the executable program code stored in the memory 23 and runs the program corresponding to it, so as to execute the method for intercepting the restart deletion of a file of any of the foregoing embodiments.
The electronic device exists in various forms, including but not limited to:
(1) Mobile communication devices: these devices are characterised by mobile communication functions and have voice and data communication as their main goal. This type of terminal includes smartphones (such as the iPhone), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: these belong to the category of personal computers, have computing and processing functions, and generally also have mobile Internet access. This type of terminal includes PDA, MID and UMPC devices, such as the iPad.
(3) Portable entertainment devices: these can display and play multimedia content. Such devices include audio and video players (such as the iPod), handheld game consoles, e-book readers, smart toys and portable in-vehicle navigation devices.
(4) Servers: devices that provide computing services. A server consists of a processor, hard disk, memory, system bus and so on, and is similar in architecture to a general-purpose computer, but because it must provide highly reliable services it has higher requirements in processing capability, stability, reliability, security, scalability, manageability and the like.
(5) Other electronic devices with data interaction functions.
It should be noted that, herein, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes that element.
A person of ordinary skill in the art will understand that all or part of the flow of the method embodiments above can be implemented by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the flow of each of the method embodiments above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM) or the like.
The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any change or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall be included within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the claims.
Claims (20)
1. A method for intercepting the restart deletion of a file, characterised by comprising:
monitoring the event of a process calling a set-system-information function in an operating system;
obtaining, according to the event detected, the type index number and the setting data of the set-system-information request transmitted by the process;
judging whether the type index number of the set-system-information request is the index number representing setting the system registry append string information, whether the registry path to be modified in the setting data is the restart-deletion registry path, whether the file path to be written in the setting data is a protected file path, and whether the process is a malicious process;
if so, preventing the process from setting the system information;
wherein the system is the Windows operating system, and the set-system-information function is the NtSetSystemInformation function of the operating system kernel layer.
2. The method for intercepting the restart deletion of a file according to claim 1, characterised in that, before monitoring the event of a process calling the set-system-information function in the operating system, the method further comprises: presetting a hook function that hooks the set-system-information function;
and monitoring the event of a process calling the set-system-information function in the operating system comprises: monitoring, through the hook function, the event of a process calling the set-system-information function in the operating system.
3. The method for intercepting the restart deletion of a file according to claim 2, characterised in that preventing the process from setting the system information comprises:
returning a refusal message to the process through the hook function; or
the hook function refusing to call the set-system-information function, so as to prevent the process from setting the system information.
4. The method for intercepting the restart deletion of a file according to claim 2, characterised in that the index number representing setting the system registry append string information is 110.
5. The method for intercepting the restart deletion of a file according to claim 2, characterised in that the restart-deletion registry path is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations.
6. The method for intercepting the restart deletion of a file according to claim 1, characterised in that judging whether the file path to be written in the setting data is a protected file path comprises:
computing, according to a preset characteristic value algorithm, the characteristic value of the file corresponding to the file path to be written in the setting data;
judging whether the preset characteristic value library of protected files records the characteristic value of the file corresponding to the file path to be written;
if the characteristic value library of protected files records the characteristic value of the file corresponding to the file path to be written, determining that the file path to be written is a protected file path;
wherein the characteristic value library of protected files records the characteristic values of the files corresponding to known protected file paths.
7. The method for intercepting the restart deletion of a file according to claim 6, characterised in that, before computing, according to the preset characteristic value algorithm, the characteristic value of the file corresponding to the file path to be written in the setting data, the method further comprises:
collecting known protected file paths;
obtaining, according to the preset characteristic value algorithm, the characteristic values of the files corresponding to the known protected file paths;
writing the characteristic values of the files corresponding to the known protected file paths into the characteristic value library of protected files.
8. The method for intercepting the restart deletion of a file according to claim 1, characterised in that judging whether the process is a malicious process comprises:
obtaining the process path;
computing, according to a preset characteristic value algorithm, the characteristic value of the file corresponding to the process path;
judging whether the preset characteristic value library of malicious processes records the characteristic value of the file corresponding to the process path;
if the characteristic value library of malicious processes records the characteristic value of the file corresponding to the process path, determining that the process is a malicious process;
wherein the characteristic value library of malicious processes records the characteristic values of the files corresponding to known malicious process paths.
9. The method for intercepting the restart deletion of a file according to claim 8, characterised in that, before computing, according to the preset characteristic value algorithm, the characteristic value of the file corresponding to the process path, the method further comprises:
collecting known malicious process paths;
obtaining, according to the preset characteristic value algorithm, the characteristic values of the files corresponding to the known malicious process paths;
writing the characteristic values of the files corresponding to the known malicious process paths into the characteristic value library of malicious processes.
10. The method for intercepting the restart deletion of a file according to any one of claims 6 to 9, characterised in that the preset characteristic value algorithm is:
computing the Message Digest 5 value or the hash value of the file corresponding to the path as the characteristic value of the file corresponding to the path; or
obtaining the file version number of the file corresponding to the path as the characteristic value of the file corresponding to the path.
11. A device for intercepting the restart deletion of a file, characterised by comprising:
a monitoring module, configured to monitor the event of a process calling a set-system-information function in an operating system;
an acquisition module, configured to obtain, according to the event detected by the monitoring module, the type index number and the setting data of the set-system-information request transmitted by the process;
a judgment module, configured to judge whether the type index number of the set-system-information request obtained by the acquisition module is the index number representing setting the system registry append string information, whether the registry path to be modified in the setting data is the restart-deletion registry path, whether the file path to be written in the setting data is a protected file path, and whether the process is a malicious process;
a blocking module, configured to prevent the process from setting the system information when the judgment result of the judgment module is yes;
wherein the system is the Windows operating system, and the set-system-information function is the NtSetSystemInformation function of the operating system kernel layer.
12. The device for intercepting the restart deletion of a file according to claim 11, characterised in that the monitoring module is pre-provided with a hook function that hooks the NtSetSystemInformation function of the operating system kernel layer, and the monitoring module monitors, through the hook function, the event of a process calling the set-system-information function in the operating system.
13. The device for intercepting the restart deletion of a file according to claim 12, characterised in that the blocking module returns a refusal message to the process through the hook function, or refuses to call the set-system-information function, so as to prevent the process from setting the system information.
14. The device for intercepting the restart deletion of a file according to claim 12, characterised in that the judgment module judges whether the type index number of the set-system-information request obtained by the acquisition module is 110, and if so determines that the type index number of the set-system-information request is the index number representing setting the system registry append string information.
15. The device for intercepting the restart deletion of a file according to claim 12, characterised in that the judgment module judges whether the registry path to be modified in the setting data is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations,
and if so determines that the registry path to be modified in the setting data is the restart-deletion registry path.
16. The device for intercepting restart deletion of a file according to claim 11, wherein the judgment module comprises:
a first judging submodule, for judging whether the type index number of the setting system information obtained by the acquisition module is the index number representing setting system registry additional character string information;
a second judging submodule, for judging, when the judgment result of the first judging submodule is yes, whether the registry path to be modified in the setting data obtained by the acquisition module is the restart deletion registry path;
a first characteristic value computation submodule, for computing, when the judgment result of the second judging submodule is yes, the characteristic value of the file corresponding to the file path to be written in the setting data obtained by the acquisition module, according to a pre-set characteristic value algorithm;
a first path judging submodule, for judging whether the characteristic value computed by the first characteristic value computation submodule for the file corresponding to the file path to be written is recorded in a pre-set characteristic value library of protected files, and if so determining that the file path to be written is a protected file path; wherein the characteristic value library of protected files records the characteristic values of the files corresponding to known protected file paths;
a third judging submodule, for judging whether the process is a malicious process when the first path judging submodule determines that the file path to be written is a protected file path.
17. The device for intercepting restart deletion of a file according to claim 16, wherein the judgment module further comprises:
a protected-file characteristic value library generation submodule, for collecting known protected file paths in advance, obtaining the characteristic values of the files corresponding to the known protected file paths according to the pre-set characteristic value algorithm, and storing them in the characteristic value library of protected files.
18. The device for intercepting restart deletion of a file according to claim 11, wherein the judgment module comprises:
a first judging submodule, for judging whether the type index number of the setting system information obtained by the acquisition module is the index number representing setting system registry additional character string information;
a second judging submodule, for judging, when the judgment result of the first judging submodule is yes, whether the registry path to be modified in the setting data obtained by the acquisition module is the restart deletion registry path;
a fourth judging submodule, for judging, when the judgment result of the second judging submodule is yes, whether the file path to be written in the setting data obtained by the acquisition module is a protected file path;
a process path acquisition submodule, for obtaining the path of the process when the judgment result of the fourth judging submodule is yes;
a second characteristic value computation submodule, for computing, according to the pre-set characteristic value algorithm, the characteristic value of the file corresponding to the process path obtained by the process path acquisition submodule;
a second path judging submodule, for judging whether the characteristic value computed by the second characteristic value computation submodule for the file corresponding to the process path is recorded in a pre-set malicious process characteristic value library, and if so determining that the process is a malicious process; wherein the malicious process characteristic value library records the characteristic values of the files corresponding to known malicious process paths.
19. The device for intercepting restart deletion of a file according to claim 18, wherein the judgment module further comprises:
a malicious process characteristic value library generation submodule, for collecting known malicious process paths in advance, obtaining the characteristic values of the files corresponding to the known malicious process paths according to the pre-set characteristic value algorithm, and storing them in the malicious process characteristic value library.
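The judgment chain of claims 16 to 19, written out as an added Python example (not the patent's own code). It assumes SHA-256 of file content as the unnamed "pre-set characteristic value algorithm", an in-memory dict in place of reading files from disk, the symbolic name SystemRegistryAppendString for type index number 110 (taken from public Windows SYSTEM_INFORMATION_CLASS listings, not from the patent), and the documented layout of the PendingFileRenameOperations value (consecutive source/destination string pairs, an empty destination meaning delete-on-reboot, a leading `\??\` NT-namespace prefix and a leading `!` on a destination meaning replace-existing). The call objects and file contents are constructed for the example.

```python
"""Added example: claims 16-19 judgment chain plus a PendingFileRenameOperations reader."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Claim 14 states the type index number 110. The symbolic name is an assumption
# drawn from public Windows headers, not from the patent text.
SYSTEM_REGISTRY_APPEND_STRING = 110

# Claim 15 states this registry path as the restart-delete path.
RESTART_DELETE_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
                      r"\Session Manager\PendingFileRenameOperations")

NT_PREFIX = "\\??\\"  # NT-namespace prefix on paths in this value (assumed convention)


def strip_nt_prefix(path: str) -> str:
    """Drop a leading '!' (replace-existing marker) and the NT prefix (assumed conventions)."""
    path = path.lstrip("!")
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path


def parse_pending_ops(entries: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Pair consecutive REG_MULTI_SZ strings as (source, destination).

    An empty destination is a delete-on-reboot entry (documented Windows
    behaviour, assumed here); anything unpaired at the end is ignored.
    """
    ops = []
    for i in range(0, len(entries) - 1, 2):
        src = strip_nt_prefix(entries[i])
        dst = entries[i + 1]
        ops.append((src, None if dst == "" else strip_nt_prefix(dst)))
    return ops


def feature_value(data: bytes) -> str:
    """Stand-in for the patent's unnamed characteristic value algorithm (SHA-256 assumed)."""
    return hashlib.sha256(data).hexdigest()


def build_feature_db(fs: Dict[str, bytes], paths: List[str]) -> Set[str]:
    """Claims 17 and 19: pre-compute the characteristic values of known paths into a library."""
    return {feature_value(fs[p]) for p in paths}


@dataclass
class SetSystemInfoCall:
    """What the hook sees: type index number, the setting data (registry path and the
    string to append), and the calling process's image path."""
    info_class: int
    registry_path: str
    file_path: str
    process_path: str


def should_block(call: SetSystemInfoCall, protected_db: Set[str],
                 malicious_db: Set[str], fs: Dict[str, bytes]) -> bool:
    """Claims 16 and 18: block only when every judgment in the chain is yes."""
    # First judging submodule: is this a registry-append-string call at all?
    if call.info_class != SYSTEM_REGISTRY_APPEND_STRING:
        return False
    # Second judging submodule: is the target the restart-delete value?
    if call.registry_path.lower() != RESTART_DELETE_KEY.lower():
        return False
    # First characteristic value computation + first path judging: is the file protected?
    target = strip_nt_prefix(call.file_path)
    if target not in fs or feature_value(fs[target]) not in protected_db:
        return False
    # Third judging submodule (claim 16) / second path judging (claim 18):
    # is the caller's image a known malicious process?
    proc = fs.get(call.process_path)
    return proc is not None and feature_value(proc) in malicious_db


# Constructed in-memory "disk": path -> file content (stand-in for real files).
FS = {
    r"C:\Program Files\AV\av.exe": b"MZ-av-engine",
    r"C:\Users\u\dropper.exe": b"MZ-known-dropper",
    r"C:\Windows\System32\msiexec.exe": b"MZ-installer",
}
PROTECTED_DB = build_feature_db(FS, [r"C:\Program Files\AV\av.exe"])
MALICIOUS_DB = build_feature_db(FS, [r"C:\Users\u\dropper.exe"])


def demo() -> Dict[str, bool]:
    """Three constructed intercepted calls: a known dropper scheduling the protected AV
    binary for deletion, a benign installer doing the same, and the dropper appending
    to an unrelated key."""
    av = r"\??\C:\Program Files\AV\av.exe"
    dropper = SetSystemInfoCall(110, RESTART_DELETE_KEY, av, r"C:\Users\u\dropper.exe")
    installer = SetSystemInfoCall(110, RESTART_DELETE_KEY, av, r"C:\Windows\System32\msiexec.exe")
    other_key = SetSystemInfoCall(110, r"HKEY_LOCAL_MACHINE\SOFTWARE\X", av, r"C:\Users\u\dropper.exe")
    return {
        "dropper_vs_av": should_block(dropper, PROTECTED_DB, MALICIOUS_DB, FS),
        "installer_vs_av": should_block(installer, PROTECTED_DB, MALICIOUS_DB, FS),
        "dropper_other_key": should_block(other_key, PROTECTED_DB, MALICIOUS_DB, FS),
    }
```

Two properties of the claimed design show up in the example. Because the claims require the caller to be a known malicious process, the benign installer is allowed to schedule the same deletion, so the protection depends entirely on the malicious-process library being current; a process whose image is not yet in that library passes the third judgment. And because files are matched by characteristic value rather than by path, a renamed copy of the protected binary is still recognised, but the protected file itself stops matching once it is updated until the library in claim 17 is regenerated.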
20. An electronic device, comprising: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor, by reading the executable program code stored in the memory, runs the program corresponding to that code so as to execute the method for intercepting restart deletion of a file according to any one of claims 1 to 10.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610457599.0A CN105868625B (en) | 2016-06-22 | 2016-06-22 | Method and device for intercepting restart deletion of file |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610457599.0A CN105868625B (en) | 2016-06-22 | 2016-06-22 | Method and device for intercepting restart deletion of file |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105868625A CN105868625A (en) | 2016-08-17 |
CN105868625B true CN105868625B (en) | 2018-10-12 |
Family
ID=56649877
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610457599.0A Active CN105868625B (en) | 2016-06-22 | 2016-06-22 | Method and device for intercepting restart deletion of file |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105868625B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107645546B (en) * | 2017-09-12 | 2021-07-06 | 深圳Tcl新技术有限公司 | File monitoring method based on android system, intelligent device and storage medium |
CN108363931B (en) * | 2018-02-13 | 2020-06-23 | 奇安信科技集团股份有限公司 | Method and device for restoring files in isolation area |
CN108304699B (en) * | 2018-02-13 | 2020-07-14 | 奇安信科技集团股份有限公司 | Method and device for protecting security software |
CN116204883B (en) * | 2023-01-11 | 2023-08-22 | 安芯网盾(北京)科技有限公司 | Method and system for detecting and blocking file self-deletion based on Linux kernel |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102902919A (en) * | 2012-08-30 | 2013-01-30 | 北京奇虎科技有限公司 | Method, device and system for identifying and processing suspicious practices |
CN104035842A (en) * | 2014-06-30 | 2014-09-10 | 上海斐讯数据通信技术有限公司 | Method for deleting and recovering built-in application program |
CN104182661A (en) * | 2013-05-24 | 2014-12-03 | 富泰华工业(深圳)有限公司 | Software protection system |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20100025116A (en) * | 2008-08-27 | 2010-03-09 | (주) 애니컴페니언 | Fully automatic deletion using the system to prevent the leakage of documents |
US8510597B2 (en) * | 2011-02-08 | 2013-08-13 | Wisconsin Alumni Research Foundation | Providing restartable file systems within computing devices |
Events
- 2016-06-22: CN CN201610457599.0A patent/CN105868625B/en, status active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102902919A (en) * | 2012-08-30 | 2013-01-30 | 北京奇虎科技有限公司 | Method, device and system for identifying and processing suspicious practices |
CN104182661A (en) * | 2013-05-24 | 2014-12-03 | 富泰华工业(深圳)有限公司 | Software protection system |
CN104035842A (en) * | 2014-06-30 | 2014-09-10 | 上海斐讯数据通信技术有限公司 | Method for deleting and recovering built-in application program |
Non-Patent Citations (1)
Title |
---|
基于微过滤驱动的文件操作检测及重定向方法 (File operation detection and redirection method based on a minifilter driver); Liu Sheng et al.; 《信息与电子工程》 (Information and Electronic Engineering); 2012-12-31; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN105868625A (en) | 2016-08-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106682495B (en) | Safety protection method and safety protection device | |
US8301433B2 (en) | Software behavior modeling apparatus, software behavior monitoring apparatus, software behavior modeling method, and software behavior monitoring method | |
CN105868625B (en) | Method and device for intercepting restart deletion of file | |
CN108932428B (en) | Ransomware processing method, device, equipment and readable storage medium | |
CN107133498A (en) | Privacy application management method and device, and mobile terminal | |
JP2017211978A (en) | Business processing system monitoring device and monitoring method | |
Mohsen et al. | Android keylogging threat | |
CN107563192A (en) | Ransomware protection method, device, electronic equipment and storage medium | |
CN113872965B (en) | SQL injection detection method based on Snort engine | |
CN106203092A (en) | Method and device for intercepting shutdown of malicious program and electronic equipment | |
CN106127034B (en) | Method and device for preventing a system from being maliciously closed, and electronic equipment | |
Stirparo et al. | In-memory credentials robbery on android phones | |
CN110321731A (en) | Information protection method and mobile terminal | |
Yang et al. | Inference attack in android activity based on program fingerprint | |
Kim et al. | A study on the digital forensic investigation method of clever malware in IoT devices | |
CN106127050A (en) | Method and device for preventing system cursor from being maliciously modified and electronic equipment | |
CN106203107A (en) | Method and device for preventing system menu from being maliciously modified and electronic equipment | |
CN113596044B (en) | Network protection method and device, electronic equipment and storage medium | |
CN106127051A (en) | Method and device for preventing mouse from being maliciously captured and electronic equipment | |
CN111651764B (en) | Process monitoring method and device, electronic equipment and storage medium | |
Djemaiel et al. | Intrusion detection and tolerance: A global scheme | |
CN113392410A (en) | Interface security detection method and device, computer equipment and storage medium | |
CN113672925A (en) | Method, device, storage medium and electronic equipment for preventing lasso software attack | |
CN106709357A (en) | Kernel internal storage monitoring based vulnerability prevention system for Android platform | |
Kayabaş et al. | Cyber Wars and Cyber Threats Against Mobile Devices: Analysis of Mobile Devices |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right |
Effective date of registration: 2019-01-09. Address after: Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province 519031; Patentee after: Zhuhai Leopard Technology Co., Ltd. Address before: East District, No. 33 Xiaoying West Road, Haidian District, Beijing 100085; Patentee before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co., Ltd. |