CN106469272A - A kind of windows process protection method and system - Google Patents
A kind of windows process protection method and system Download PDFInfo
- Publication number
- CN106469272A CN106469272A CN201610795200.XA CN201610795200A CN106469272A CN 106469272 A CN106469272 A CN 106469272A CN 201610795200 A CN201610795200 A CN 201610795200A CN 106469272 A CN106469272 A CN 106469272A
- Authority
- CN
- China
- Prior art keywords
- function
- instructions
- white list
- windows
- original function
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The present invention provides a kind of windows process protection method and system, and the embodiment of the present invention is according to windows API original function construction first function instructions to be performed;Wherein, described first function refusal terminates the access to the process in the white list of Process Protection for the process instruction; or, described first function refusal terminates the access in the white list of the Process Protection but not process in the process white list that can be moved to end for the process instruction;Adjust described antiderivative current stack, described original function obtains the entry address of described first function;Redirect the described first function of execution from described original function, by executing described first function, to avoid described process to be interrupted.It is contemplated that digging by the depth of HOOK technology scarce, realizing a kind of Process Protection mechanism, having abandoned traditional SSDT HOOK technology, in inner nuclear layer, Windows API having been modified, it is to avoid the killing of antivirus software.
Description
Technical field
The present invention relates to communication technical field, more particularly, to a kind of windows process protection method and system.
Background technology
In the prior art, the technological means that the common method solving technical problem proposed by the invention is conventional are usual
Mainly realized by way of changing SSDT table based on SSDT HOOK technology, the ground that core A PI is preserved in table (SSDT)
The function address oneself write is revised as in location, Windows is preserved certain ' storehouse ' of core A PI to distorting, works as operating system
When wanting to call Windows API, will automatic jump on our function.
Its technology is related to the similar message Hook technology relevant with windows messaging of the present invention, so-called message Hook,
It is exactly to realize for oneself design volume hook inserting hook chain foremost by SetWindowsHookEx (), hook processes letter
Number is sent to the message of Hook window by intercepting and capturing, that is, we can have precedence over forms and first capture these message, Windows
Message Hook can be implemented as message Hook and global message Hook in process.
System service descriptor table SSDT (System Services Descriptor Table) is a system service
Descriptor, can be connected core A PI of Win32API and Ring0 of Ring3 by this table.It not only only comprises
One huge address reference table, it also comprises some other useful information, the base address of such as allocation index, service letter
Several numbers etc..We can carry out Hook to conventional Windows function and API by changing the function address of this table, thus real
Now the purpose protecting, monitor is carried out to system killing process action to some.But the detection instrument such as ICESword can be light
Judge whether SSDT is tampered, and user can be notified by rights.
Content of the invention
A kind of The embodiment provides windows process protection method, the invention provides following scheme:
According to windows API original function construction first function instructions to be performed;Wherein, described first function refusal knot
The bundle access to the process in the white list of Process Protection for the process instruction, or, described first function refusal terminates process instruction
Access in the white list of the Process Protection but not process in the process white list that can be moved to end;
Adjust described antiderivative current stack, described original function obtains the entry address of described first function;
Redirect the described first function of execution from described original function, by executing described first function, to enter described in avoiding
Journey is interrupted.
According to the said method of the present invention, the described antiderivative current stack of described adjustment, obtain in described original function
The entry address of described first function, including:
Call HOOK function that described antiderivative front some instructions are popped and preserved;
The position popped using front some articles of instructions described in a JMP sentence record, as the entrance of described first function
Address.
According to the said method of the present invention, after the described first function of described execution, including:
The position popped according to the described front some articles of instructions that a described JMP sentence is recorded and described first some articles
The byte that instruction takies calculates the described first some addresses instructing again pop down;
Jump to the address of described original function pop down again using the 2nd JMP sentence, call the UNHOOK function will be described former
Front some of function instruct again pop down in described original function.
According to the said method of the present invention, the described original function instructions to be performed according to windows API constructs the first letter
Number, including:
Forbid terminating process instruction according to the original function construction DetourMy function setup that windows API is instructions to be performed
Access to the process in the white list of Process Protection;Or,
Forbid refusing end process according to the original function construction DetourMy function setup that windows API is instructions to be performed
The access in the white list of the Process Protection but not process in the process white list that can be moved to end for the instruction.
According to the said method of the present invention, the described original function instructions to be performed according to windows API constructs the first letter
Number, including:
Accept to terminate process instruction according to the original function construction DetourMy function setup that windows API is instructions to be performed
Access to the not process in the white list of Process Protection, or, according to windows API original function construction instructions to be performed
DetourMy function setup accepts to terminate process instruction in the white list of Process Protection and white in the process that can be moved to end
The access of the process in list.
According to a further aspect in the invention, a kind of windows Process Protection system is also provided, including:
Constructing module:It is used for according to windows API original function construction first function instructions to be performed;Wherein, institute
State first function refusal and terminate the access to the process in the white list of Process Protection for the process instruction, or, described first function
Refusal terminates process instruction in the white list of the Process Protection but not process in the process white list that can be moved to end
Access;
Adjusting module:It is used for adjusting described antiderivative current stack, obtains described first letter in described original function
The entry address of number;
Performing module:It is used for redirecting the described first function of execution from described original function, by executing described first letter
Number, to avoid described process to be interrupted.
According to a further aspect in the invention, described adjusting module, its specifically for:
Call HOOK function that described antiderivative front some instructions are popped and preserved;
The position popped using front some articles of instructions described in a JMP sentence record, as the entrance of described first function
Address.
According to a further aspect in the invention, also include:Pop down module, it is used for:
After executing described first function, popped according to the described front some articles of instructions that a described JMP sentence is recorded
Position and the bytes that take of described front some instructions calculate the addresses of described front some instruction pop downs again;
Jump to the address of described original function pop down again using the 2nd JMP sentence, call the UNHOOK function will be described former
Front some of function instruct again pop down in described original function.
According to a further aspect in the invention, described constructing module, specifically for:
Construction DetourMy function setup forbids terminating the visit to the process in the white list of Process Protection for the process instruction
Ask;Or,
Construction DetourMy function setup forbid refusal terminate process instruction in the white list of Process Protection but do not exist
The access of the process in process white list that can be moved to end.
According to a further aspect in the invention, described constructing module, also particularly useful for:
Accept to terminate the access to the not process in the white list of Process Protection for the process instruction, or, accepting end process
The access to the process in the white list of Process Protection and in the process white list that can be moved to end for the instruction.
The embodiment of the present invention be can be seen that according to windows by the technical scheme that embodiments of the invention described above provide
API original function construction first function instructions to be performed;Wherein, described first function refusal end process instruction is protected in process
The access of the process in the white list of shield, or, described first function refusal terminates process instruction to the white list in Process Protection
Interior but the not process in the process white list that can be moved to end access;Adjust described antiderivative current stack, described
The entry address of described first function is obtained in original function;Redirect the described first function of execution from described original function, by holding
The described first function of row, to avoid described process to be interrupted.It is contemplated that dug scarce by the depth of HOOK technology, realize a kind of
Process Protection mechanism, abandoned traditional SSDT HOOK technology, in inner nuclear layer, WindowsAPI modified, it is to avoid kills
The killing of malicious software.This technology will readjust current stack, by redirect execution construction first function, thus realize into
The purpose of journey protection.
Brief description
In order to be illustrated more clearly that the technical scheme of the embodiment of the present invention, below will be to required use in embodiment description
Accompanying drawing be briefly described it should be apparent that, drawings in the following description are only some embodiments of the present invention, for this
For the those of ordinary skill of field, without having to pay creative labor, other can also be obtained according to these accompanying drawings
Accompanying drawing.
A kind of process chart of windows process protection method that Fig. 1 provides for the embodiment of the present invention one;
A kind of system module figure of windows Process Protection system that Fig. 2 provides for the embodiment of the present invention two.
Specific embodiment
For ease of the understanding to the embodiment of the present invention, do further below in conjunction with accompanying drawing taking several specific embodiments as a example
Explanation, and each embodiment does not constitute the restriction to the embodiment of the present invention.
Embodiment one
This embodiment offers a kind of its handling process of windows process protection method as shown in figure 1, including following place
Reason step:
Step 11, according to windows API instructions to be performed original function construction first function;Wherein, described first letter
Number refusal terminates the access to the process in the white list of Process Protection for the process instruction, or, described first function refusal terminates
The access in the white list of the Process Protection but not process in the process white list that can be moved to end for the process instruction;
The described original function construction first function instructions to be performed according to windows API, including:
Forbid terminating process instruction according to the original function construction DetourMy function setup that windows API is instructions to be performed
Access to the process in the white list of Process Protection;Or,
Forbid refusing end process according to the original function construction DetourMy function setup that windows API is instructions to be performed
The access in the white list of the Process Protection but not process in the process white list that can be moved to end for the instruction.
The described original function construction first function instructions to be performed according to windows API, including:
Accept to terminate process instruction according to the original function construction DetourMy function setup that windows API is instructions to be performed
Access to the not process in the white list of Process Protection, or, according to windows API original function construction instructions to be performed
DetourMy function setup accepts to terminate process instruction in the white list of Process Protection and white in the process that can be moved to end
The access of the process in list.
Specifically, in the present embodiment, with the derivation function of process ntoskrnl.exe of Windows kernel
As a example ObReferenceObjectByHandle () is as original function, first quotes HOOK function and tick original function, as follows:
Reconstruct DetourMy function as follows:
Wherein, in HOOK function, ObReferenceObjectByHandle () belongs to the process of Windows kernel
The derivation function of ntoskrnl.exe, it calls frequently, HOOK in this programme as the original function of the present embodiment in kernel
Object is exactly this function,
This function of ObReferenceObjectByHandle () is that the function that inner nuclear layer obtains object according to handle is detailed
Check MSDN, the parameter of the inside has a desired access position, this is the end process instruction that capture user sends,
If this position is PROCESS_TERMINATE, that is, user have sent end process instruction.
Used sentence IN ACCESS_MASK DesiredAccess in construction DetourMy function, capture
DesiredAccess position, and its corresponding process is obtained according to DesiredAccess position;
In the present embodiment, there are two kinds of application scenarios for management of process:
Situation one:
Only set up a Process Protection white list, when the corresponding process in DesiredAccess position is in the white name of Process Protection
Dan Zhong, forbids terminating the access to this process for the process instruction;When the corresponding process in DesiredAccess position is not in Process Protection
In white list, accept to terminate the access to this process for the process instruction.
Situation two:
Set up a Process Protection white list and a process white list that cannot be moved to end respectively;When
The corresponding process in DesiredAccess position in the white list of Process Protection but not in the process white list that can be moved to end,
Then forbid terminating the access to this process for the process instruction;When the corresponding process in DesiredAccess position is in the white name of Process Protection
In single and in the process white list that can be moved to end, accept to terminate the access to this process for the process instruction.
Step 12, the described antiderivative current stack of adjustment, obtain the entrance of described first function in described original function
Address;
The described antiderivative current stack of described adjustment, obtains the entrance ground of described first function in described original function
Location, including:
Call HOOK function that described antiderivative front some instructions are popped and preserved;
The position popped using front some articles of instructions described in a JMP sentence record, as the entrance of described first function
Address.
In the present embodiment, described antiderivative front some instructions are popped and preserved, directly invoking HOOK function will
Described antiderivative first five byte for storing front some instructions is popped and is preserved;
The position popped using front some articles of instructions described in a JMP sentence record, as the entrance of described first function
Address, in the present embodiment, using the position of five bytes described in a JMP sentence record.
Specifically, in the present embodiment, program is realized as follows:
BYTE jmp_add [5]={ 0xE9,0,0,0,0 };//HOOK function address
BYTE five_bytes [5]={ 0 };The array of // preservation first five byte of original function
Step 13, redirect from described original function execution described first function, by execute described first function, to avoid
Described process is interrupted.
Additionally, after executing described first function, including:
The position popped according to the described front some articles of instructions that a described JMP sentence is recorded and described first some articles
The byte that instruction takies calculates the described first some addresses instructing again pop down;
Jump to the address of described original function pop down again using the 2nd JMP sentence, call the UNHOOK function will be described former
Front some of function instruct again pop down in described original function.
Specifically, in the present embodiment, program is realized as follows:
Embodiment two
This embodiment offers a kind of windows Process Protection system, it implements structure as shown in Fig. 2 specifically may be used
To include following module:
Constructing module 21:It is used for according to windows API original function construction first function instructions to be performed;Wherein,
Described first function refusal terminates the access to the process in the white list of Process Protection for the process instruction, or, described first letter
Number refusal terminates process instructions in the white list of the Process Protection but not process in the process white list that can be moved to end
Access;
Adjusting module 22:It is used for adjusting described antiderivative current stack, obtains described first in described original function
The entry address of function;
Performing module 23:It is used for redirecting the described first function of execution from described original function, by executing described first
Function, to avoid described process to be interrupted.
Described adjusting module 22, its specifically for:
Call HOOK function that described antiderivative front some instructions are popped and preserved;
The position popped using front some articles of instructions described in a JMP sentence record, as the entrance of described first function
Address.
Pop down module 24, it is used for:
After executing described first function, popped according to the described front some articles of instructions that a described JMP sentence is recorded
Position and the bytes that take of described front some instructions calculate the addresses of described front some instruction pop downs again;
Jump to the address of described original function pop down again using the 2nd JMP sentence, call the UNHOOK function will be described former
Front some of function instruct again pop down in described original function.
Described constructing module 21, specifically for:
Forbid terminating process instruction according to the original function construction DetourMy function setup that windows API is instructions to be performed
Access to the process in the white list of Process Protection;Or,
Forbid refusing end process according to the original function construction DetourMy function setup that windows API is instructions to be performed
The access in the white list of the Process Protection but not process in the process white list that can be moved to end for the instruction.
Described constructing module 21, also particularly useful for:
Accept to terminate process instruction according to the original function construction DetourMy function setup that windows API is instructions to be performed
Access to the not process in the white list of Process Protection, or, according to windows API original function construction instructions to be performed
DetourMy function setup accepts to terminate process instruction in the white list of Process Protection and white in the process that can be moved to end
The access of the process in list.
Carry out detailed process and the preceding method embodiment class of windows Process Protection with the system of the embodiment of the present invention
Seemingly, here is omitted.
In sum, the embodiment of the present invention passes through the embodiment of the present invention according to windows API former letter instructions to be performed
Number construction first function;Wherein, described first function refusal terminates process instruction to the process in the white list of Process Protection
Access, or, described first function refusal terminate process instruction in the white list of Process Protection but can not be moved to end
Process white list in process access;Adjust described antiderivative current stack, described original function obtains described
The entry address of one function;Redirect the described first function of execution from described original function, by executing described first function, to keep away
Exempt from described process to be interrupted.It is contemplated that being dug by the depth of HOOK technology scarce, realizing a kind of Process Protection mechanism, abandoning
Traditional SSDT HOOK technology, modify to Windows API in inner nuclear layer, it is to avoid the killing of antivirus software.This skill
Art will readjust current stack, by redirecting the first function of execution construction, thus realizing the purpose of Process Protection.
One of ordinary skill in the art will appreciate that:Accompanying drawing is the schematic diagram of an embodiment, the module in accompanying drawing or
Flow process is not necessarily implemented necessary to the present invention.
As seen through the above description of the embodiments, those skilled in the art can be understood that the present invention can
Mode by software plus necessary general hardware platform to be realized.Based on such understanding, technical scheme essence
On in other words prior art is contributed partly can be embodied in the form of software product, this computer software product
Can be stored in storage medium, such as ROM/RAM, magnetic disc, CD etc., include some instructions use so that a computer equipment
(can be personal computer, server, or network equipment etc.) executes some of each embodiment of the present invention or embodiment
Partly described method.
Each embodiment in this specification is all described by the way of going forward one by one, identical similar portion between each embodiment
Divide mutually referring to what each embodiment stressed is the difference with other embodiment.Especially for device or
For system embodiment, because it is substantially similar to embodiment of the method, so describing fairly simple, referring to method in place of correlation
The part of embodiment illustrates.Apparatus and system embodiment described above is only schematically wherein said conduct
Separating component explanation unit can be or may not be physically separate, as the part that unit shows can be or
Person may not be physical location, you can with positioned at a place, or can also be distributed on multiple NEs.Can root
Factually border need select the purpose to realize this embodiment scheme for some or all of module therein.Ordinary skill
Personnel are not in the case of paying creative work, you can to understand and to implement.
The above, the only present invention preferably specific embodiment, but protection scope of the present invention is not limited thereto,
Any those familiar with the art the invention discloses technical scope in, the change or replacement that can readily occur in,
All should be included within the scope of the present invention.Therefore, protection scope of the present invention should be with scope of the claims
It is defined.
Claims (10)
1. a kind of windows process protection method is it is characterised in that include:
According to windows API original function construction first function instructions to be performed;Wherein, described first function refusal terminate into
The access to the process in the white list of Process Protection for the Cheng Zhiling, or, described first function refusal terminate process instruction to
In the white list of the Process Protection but not access of the process in the process white list that can be moved to end;
Adjust described antiderivative current stack, described original function obtains the entry address of described first function;
Redirect the described first function of execution from described original function, by executing described first function, to avoid described process quilt
Interrupt.
2. a kind of windows process protection method according to claim 1 is it is characterised in that the described former letter of described adjustment
The current stack of number, obtains the entry address of described first function in described original function, including:
Call HOOK function that described antiderivative front some instructions are popped and preserved;
The position popped using front some articles of instructions described in a JMP sentence record, as the entry address of described first function.
3. a kind of windows process protection method according to claim 2 is it is characterised in that described execution described first
After function, including:
The position popped according to the described front some articles of instructions that a described JMP sentence is recorded and described front some articles of instructions
The byte taking calculates the described first some addresses instructing again pop down;
Jump to the address of described original function pop down again using the 2nd JMP sentence, call UNHOOK function by described original function
Front some instruction again pop down in described original function.
4. a kind of windows process protection method according to claim 1-3 it is characterised in that described according to windows
API original function construction first function instructions to be performed, including:
According to windows API instructions to be performed original function construction DetourMy function setup forbid terminate process instruction to
The access of the process in the white list of Process Protection;Or,
Forbid that refusal terminates process instruction according to the original function construction DetourMy function setup that windows API is instructions to be performed
Access in the white list of the Process Protection but not process in the process white list that can be moved to end.
5. a kind of windows process protection method according to claim 4 it is characterised in that described according to windows
API original function construction first function instructions to be performed, including:
Accept to terminate process instruction to not according to the original function construction DetourMy function setup that windows API is instructions to be performed
The access of the process in the white list of Process Protection, or, according to windows API original function construction instructions to be performed
DetourMy function setup accepts to terminate process instruction in the white list of Process Protection and white in the process that can be moved to end
The access of the process in list.
6. a kind of windows Process Protection system is it is characterised in that include:
Constructing module:It is used for according to windows API original function construction first function instructions to be performed;Wherein, described
One function refusal terminates the access to the process in the white list of Process Protection for the process instruction, or, described first function refusal
Terminate the access in the white list of the Process Protection but not process in the process white list that can be moved to end for the process instruction;
Adjusting module:It is used for adjusting described antiderivative current stack, obtains described first function in described original function
Entry address;
Performing module:It is used for redirecting the described first function of execution from described original function, by executing described first function, with
Described process is avoided to be interrupted.
7. it is characterised in that described adjusting module, it has a kind of windows Process Protection system according to claim 6
Body is used for:
Call HOOK function that described antiderivative front some instructions are popped and preserved;
The position popped using front some articles of instructions described in a JMP sentence record, as the entry address of described first function.
8. a kind of windows Process Protection system according to claim 7 is it is characterised in that also include:Pop down module,
It is used for:
After executing described first function, the position popped according to the described front some articles of instructions that a described JMP sentence is recorded
Put and the byte of described front some instruction occupancy calculates the described first some addresses instructing again pop down;
Jump to the address of described original function pop down again using the 2nd JMP sentence, call UNHOOK function by described original function
Front some instruction again pop down in described original function.
9. a kind of windows Process Protection system according to claim 6-8, it is characterised in that described constructing module, has
Body is used for:
According to windows API instructions to be performed original function construction DetourMy function setup forbid terminate process instruction to
The access of the process in the white list of Process Protection;Or,
Forbid that refusal terminates process instruction according to the original function construction DetourMy function setup that windows API is instructions to be performed
Access in the white list of the Process Protection but not process in the process white list that can be moved to end.
10. a kind of windows Process Protection system according to claim 9, it is characterised in that described constructing module, is gone back
Specifically for:
Accept to terminate process instruction to not according to the original function construction DetourMy function setup that windows API is instructions to be performed
The access of the process in the white list of Process Protection, or, according to windows API original function construction instructions to be performed
DetourMy function setup accepts to terminate process instruction in the white list of Process Protection and white in the process that can be moved to end
The access of the process in list.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610795200.XA CN106469272A (en) | 2016-08-31 | 2016-08-31 | A kind of windows process protection method and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610795200.XA CN106469272A (en) | 2016-08-31 | 2016-08-31 | A kind of windows process protection method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106469272A true CN106469272A (en) | 2017-03-01 |
Family
ID=58230289
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610795200.XA Pending CN106469272A (en) | 2016-08-31 | 2016-08-31 | A kind of windows process protection method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106469272A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107566843A (en) * | 2017-10-09 | 2018-01-09 | 武汉斗鱼网络科技有限公司 | A kind of video decoding process guard method and device |
CN107729132A (en) * | 2017-10-09 | 2018-02-23 | 武汉斗鱼网络科技有限公司 | A kind of video decoding process guard method and device |
CN110472409A (en) * | 2019-08-06 | 2019-11-19 | 长沙学院 | A kind of process management method and system based on white list mechanism |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080016339A1 (en) * | 2006-06-29 | 2008-01-17 | Jayant Shukla | Application Sandbox to Detect, Remove, and Prevent Malware |
CN102156834A (en) * | 2011-04-18 | 2011-08-17 | 北京思创银联科技股份有限公司 | Method for realizing program killing prevention |
CN102799493A (en) * | 2012-06-21 | 2012-11-28 | 北京伸得纬科技有限公司 | Method for intercepting target progress with self-protection |
CN105426751A (en) * | 2015-10-27 | 2016-03-23 | 珠海市君天电子科技有限公司 | Method and device for preventing system time from being tampered |
-
2016
- 2016-08-31 CN CN201610795200.XA patent/CN106469272A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080016339A1 (en) * | 2006-06-29 | 2008-01-17 | Jayant Shukla | Application Sandbox to Detect, Remove, and Prevent Malware |
CN102156834A (en) * | 2011-04-18 | 2011-08-17 | 北京思创银联科技股份有限公司 | Method for realizing program killing prevention |
CN102799493A (en) * | 2012-06-21 | 2012-11-28 | 北京伸得纬科技有限公司 | Method for intercepting target progress with self-protection |
CN105426751A (en) * | 2015-10-27 | 2016-03-23 | 珠海市君天电子科技有限公司 | Method and device for preventing system time from being tampered |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107566843A (en) * | 2017-10-09 | 2018-01-09 | 武汉斗鱼网络科技有限公司 | A kind of video decoding process guard method and device |
CN107729132A (en) * | 2017-10-09 | 2018-02-23 | 武汉斗鱼网络科技有限公司 | A kind of video decoding process guard method and device |
CN107566843B (en) * | 2017-10-09 | 2019-07-09 | 武汉斗鱼网络科技有限公司 | A kind of video decoding process guard method and device |
CN107729132B (en) * | 2017-10-09 | 2019-10-25 | 武汉斗鱼网络科技有限公司 | A kind of video decoding process guard method and device |
CN110472409A (en) * | 2019-08-06 | 2019-11-19 | 长沙学院 | A kind of process management method and system based on white list mechanism |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
AU2019200445B2 (en) | Methods and apparatus for dealing with malware | |
US10192059B2 (en) | System and method for protecting systems from active content | |
CN106055979B (en) | Kernel restorative procedure and device | |
US9323804B2 (en) | Method and system for allowing access to developed applications via a multi-tenant on-demand database service | |
US7877803B2 (en) | Automated immune response for a computer | |
EP2577540B1 (en) | Malware scanning | |
CN103023906B (en) | Method and system aiming at remote procedure calling conventions to perform status tracking | |
DE112012000750T5 (en) | Backup and manage apps in one device | |
DE112012001389T5 (en) | Secure execution of an unsecured app on a device | |
CN108475217A (en) | System and method for virtual machine of auditing | |
CN105893228A (en) | Systems and methods for behavioral sandboxing | |
CN106469272A (en) | A kind of windows process protection method and system | |
CN113138836B (en) | Escape prevention method using escape prevention system based on Docker container | |
US20160314296A1 (en) | Method and System for Dynamic Runtime Selection and Modification of Conditional Expressions in Computations | |
WO2019165883A1 (en) | Data processing method and apparatus | |
TW201337620A (en) | Software modification for partial secure memory processing | |
CN109800571B (en) | Event processing method and device, storage medium and electronic device | |
CN109218296B (en) | XSS (XSS) defense system and method based on improved CSP (chip size service) strategy | |
US20100199357A1 (en) | Secure hosting for untrusted code | |
CN109286630A (en) | Deng guarantor's processing method, device, equipment and storage medium | |
US9990493B2 (en) | Data processing system security device and security method | |
CN110084038A (en) | Prevent third party's JavaScript loophole | |
CN109150890A (en) | The means of defence and relevant device of newly-built connection attack | |
CN107657181A (en) | A kind of database manipulation blocking-up method and system | |
CN106203115A (en) | Application program protection method and device and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination |