CN106469272A - A Windows process protection method and system - Google Patents


Publication number
CN106469272A
Authority
CN
China
Legal status
Pending
Application number
CN201610795200.XA
Other languages
Chinese (zh)
Inventor
刘培
万民
Current Assignee
Beijing Nebula Micro Technology Co Ltd
Beijing Power Technology Co Ltd
Original Assignee
Beijing Nebula Micro Technology Co Ltd
Beijing Power Technology Co Ltd
Application filed by Beijing Nebula Micro Technology Co Ltd, Beijing Power Technology Co Ltd
Priority to CN201610795200.XA
Publication of CN106469272A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow

Abstract

The present invention provides a Windows process protection method and system. In the embodiments of the present invention, a first function is constructed from the original function of the Windows API instruction to be executed, wherein the first function denies a terminate-process instruction access to a process on the process-protection whitelist, or the first function denies a terminate-process instruction access to a process that is on the process-protection whitelist but not on the whitelist of processes that may be terminated; the current stack of the original function is adjusted, and the entry address of the first function is obtained in the original function; execution jumps from the original function to the first function, and executing the first function prevents the process from being interrupted. The present invention aims to realize a process protection mechanism through deep exploration of HOOK technology. It abandons the traditional SSDT HOOK technique, modifies the Windows API at the kernel layer, and avoids being detected and removed by antivirus software.

Description

A Windows process protection method and system
Technical field
The present invention relates to the field of communication technology, and more particularly to a Windows process protection method and system.
Background
In the prior art, the usual technical means for solving the problem addressed by the present invention is based on SSDT HOOK technology and is mainly realized by modifying the SSDT: the address of a kernel API saved in the table (SSDT) is changed to the address of a function written by the implementer. In other words, the "store" in which Windows keeps its kernel APIs is tampered with, so that when the operating system calls the Windows API it automatically jumps to the implementer's function.
A technique related to the present invention is message Hook, which concerns Windows messages. A message Hook uses SetWindowsHookEx() to insert a self-written hook at the front of the hook chain. The hook procedure intercepts the messages sent to the hooked window, so it captures these messages before the window does. Windows message Hooks can be implemented as in-process message Hooks or as global message Hooks.
The System Services Descriptor Table (SSDT) is a table of system service descriptors that links the Win32 API in Ring 3 with the kernel API in Ring 0. It is more than a large address index table: it also holds other useful information, such as the base address of the address index and the number of service functions. By changing function addresses in this table, common Windows functions and APIs can be hooked, so as to guard against and monitor actions by which the system kills certain processes. However, detection tools such as IceSword can easily determine whether the SSDT has been tampered with, and can notify the user accordingly.
Summary of the invention
The embodiments of the present invention provide a Windows process protection method. The present invention provides the following scheme:
A first function is constructed from the original function of the Windows API instruction to be executed, wherein the first function denies a terminate-process instruction access to a process on the process-protection whitelist, or the first function denies a terminate-process instruction access to a process that is on the process-protection whitelist but not on the whitelist of processes that may be terminated;
The current stack of the original function is adjusted, and the entry address of the first function is obtained in the original function;
Execution jumps from the original function to the first function, and executing the first function prevents the process from being interrupted.
According to the above method of the present invention, adjusting the current stack of the original function and obtaining the entry address of the first function in the original function includes:
Calling the HOOK function to pop and save the first several instructions of the original function;
Recording, with a first JMP statement, the position from which the first several instructions were popped, as the entry address of the first function.
According to the above method of the present invention, after the first function is executed, the method includes:
Calculating the address at which the first several instructions are to be pushed back, from the position recorded by the first JMP statement and the number of bytes the first several instructions occupy;
Jumping, with a second JMP statement, to the address in the original function at which they are to be pushed back, and calling the UNHOOK function to push the first several instructions of the original function back into the original function.
According to the above method of the present invention, constructing the first function from the original function of the Windows API instruction to be executed includes:
Constructing, from the original function of the Windows API instruction to be executed, a DetourMy function set to forbid a terminate-process instruction from accessing a process on the process-protection whitelist; or,
Constructing, from the original function of the Windows API instruction to be executed, a DetourMy function set to forbid a terminate-process instruction from accessing a process that is on the process-protection whitelist but not on the whitelist of processes that may be terminated.
According to the above method of the present invention, constructing the first function from the original function of the Windows API instruction to be executed includes:
Constructing, from the original function of the Windows API instruction to be executed, a DetourMy function set to accept a terminate-process instruction's access to a process that is not on the process-protection whitelist; or constructing, from the original function of the Windows API instruction to be executed, a DetourMy function set to accept a terminate-process instruction's access to a process that is on the process-protection whitelist and also on the whitelist of processes that may be terminated.
According to a further aspect of the present invention, a Windows process protection system is also provided, including:
A constructing module, used to construct a first function from the original function of the Windows API instruction to be executed, wherein the first function denies a terminate-process instruction access to a process on the process-protection whitelist, or the first function denies a terminate-process instruction access to a process that is on the process-protection whitelist but not on the whitelist of processes that may be terminated;
An adjusting module, used to adjust the current stack of the original function and obtain the entry address of the first function in the original function;
An executing module, used to jump from the original function to execute the first function, so that executing the first function prevents the process from being interrupted.
According to a further aspect of the present invention, the adjusting module is specifically used to:
Call the HOOK function to pop and save the first several instructions of the original function;
Record, with a first JMP statement, the position from which the first several instructions were popped, as the entry address of the first function.
According to a further aspect of the present invention, the system also includes a push-back module, which is used to:
After the first function is executed, calculate the address at which the first several instructions are to be pushed back, from the position recorded by the first JMP statement and the number of bytes the first several instructions occupy;
Jump, with a second JMP statement, to the address in the original function at which they are to be pushed back, and call the UNHOOK function to push the first several instructions of the original function back into the original function.
According to a further aspect of the present invention, the constructing module is specifically used to:
Construct a DetourMy function set to forbid a terminate-process instruction from accessing a process on the process-protection whitelist; or,
Construct a DetourMy function set to forbid a terminate-process instruction from accessing a process that is on the process-protection whitelist but not on the whitelist of processes that may be terminated.
According to a further aspect of the present invention, the constructing module is also specifically used to:
Accept a terminate-process instruction's access to a process that is not on the process-protection whitelist; or accept a terminate-process instruction's access to a process that is on the process-protection whitelist and also on the whitelist of processes that may be terminated.
As can be seen from the technical solutions provided by the embodiments above, the embodiments of the present invention construct a first function from the original function of the Windows API instruction to be executed, wherein the first function denies a terminate-process instruction access to a process on the process-protection whitelist, or the first function denies a terminate-process instruction access to a process that is on the process-protection whitelist but not on the whitelist of processes that may be terminated; adjust the current stack of the original function and obtain the entry address of the first function in the original function; and jump from the original function to execute the first function, so that executing the first function prevents the process from being interrupted. The present invention aims to realize a process protection mechanism through deep exploration of HOOK technology. It abandons the traditional SSDT HOOK technique, modifies the Windows API at the kernel layer, and avoids being detected and removed by antivirus software. The technique readjusts the current stack and jumps to execute the constructed first function, thereby achieving process protection.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a processing flowchart of a Windows process protection method provided by Embodiment One of the present invention;
Fig. 2 is a system module diagram of a Windows process protection system provided by Embodiment Two of the present invention.
Detailed description of the embodiments
To aid understanding of the embodiments of the present invention, several specific embodiments are explained further below with reference to the drawings. The embodiments do not limit the present invention.
Embodiment one
This embodiment provides a Windows process protection method. Its processing flow is shown in Fig. 1 and includes the following processing steps:
Step 11: construct a first function from the original function of the Windows API instruction to be executed, wherein the first function denies a terminate-process instruction access to a process on the process-protection whitelist, or the first function denies a terminate-process instruction access to a process that is on the process-protection whitelist but not on the whitelist of processes that may be terminated;
Constructing the first function from the original function of the Windows API instruction to be executed includes:
Constructing, from the original function of the Windows API instruction to be executed, a DetourMy function set to forbid a terminate-process instruction from accessing a process on the process-protection whitelist; or,
Constructing, from the original function of the Windows API instruction to be executed, a DetourMy function set to forbid a terminate-process instruction from accessing a process that is on the process-protection whitelist but not on the whitelist of processes that may be terminated.
Constructing the first function from the original function of the Windows API instruction to be executed also includes:
Constructing, from the original function of the Windows API instruction to be executed, a DetourMy function set to accept a terminate-process instruction's access to a process that is not on the process-protection whitelist; or constructing, from the original function of the Windows API instruction to be executed, a DetourMy function set to accept a terminate-process instruction's access to a process that is on the process-protection whitelist and also on the whitelist of processes that may be terminated.
Specifically, this embodiment takes ObReferenceObjectByHandle(), an exported function of ntoskrnl.exe, the Windows kernel, as the original function. The HOOK function is first used to hook the original function, as follows:
The DetourMy function is then constructed as follows:
In the HOOK function, ObReferenceObjectByHandle() is an exported function of ntoskrnl.exe, the Windows kernel, and is called frequently in the kernel. It is the original function of this embodiment and the object of the HOOK in this scheme.
ObReferenceObjectByHandle() is the kernel-layer function that obtains an object from its handle (see MSDN for details). Its parameters include a desired-access value, which is used to capture a terminate-process instruction sent by the user: if this value is PROCESS_TERMINATE, the user has sent a terminate-process instruction.
The DetourMy function is constructed with the parameter declaration IN ACCESS_MASK DesiredAccess. It captures the DesiredAccess value and obtains the corresponding process according to that value.
In this embodiment, there are two application scenarios for process management:
Scenario one:
Only a process-protection whitelist is set up. When the process corresponding to the DesiredAccess value is on the process-protection whitelist, the terminate-process instruction is forbidden from accessing that process; when the process corresponding to the DesiredAccess value is not on the process-protection whitelist, the terminate-process instruction's access to that process is accepted.
Scenario two:
A process-protection whitelist and a whitelist of processes that may be terminated are set up separately. When the process corresponding to the DesiredAccess value is on the process-protection whitelist but not on the whitelist of processes that may be terminated, the terminate-process instruction is forbidden from accessing that process; when the process corresponding to the DesiredAccess value is on the process-protection whitelist and also on the whitelist of processes that may be terminated, the terminate-process instruction's access to that process is accepted.
Step 12: adjust the current stack of the original function, and obtain the entry address of the first function in the original function;
Adjusting the current stack of the original function and obtaining the entry address of the first function in the original function includes:
Calling the HOOK function to pop and save the first several instructions of the original function;
Recording, with a first JMP statement, the position from which the first several instructions were popped, as the entry address of the first function.
In this embodiment, popping and saving the first several instructions of the original function means directly calling the HOOK function to pop and save the first five bytes of the original function, which store the first several instructions;
The position from which the first several instructions were popped is recorded with a first JMP statement as the entry address of the first function; in this embodiment, the first JMP statement records the position of those five bytes.
Specifically, in this embodiment, the program is implemented as follows:
BYTE jmp_add[5] = { 0xE9, 0, 0, 0, 0 };  // JMP instruction (opcode 0xE9) to the HOOK function address
BYTE five_bytes[5] = { 0 };              // array that saves the first five bytes of the original function
Step 13: jump from the original function to execute the first function, so that executing the first function prevents the process from being interrupted.
In addition, after the first function is executed, the method includes:
Calculating the address at which the first several instructions are to be pushed back, from the position recorded by the first JMP statement and the number of bytes the first several instructions occupy;
Jumping, with a second JMP statement, to the address in the original function at which they are to be pushed back, and calling the UNHOOK function to push the first several instructions of the original function back into the original function.
Specifically, in this embodiment, the program is implemented as follows:
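The five-byte JMP written over the start of the original function in steps 12 and 13 can be found by comparing the function's in-memory prologue with a trusted copy of the same bytes. The following C check is an added example, not code from the patent: it decodes an E9 rel32 patch of the same shape as jmp_add and reports whether the jump leaves the module that owns the function. The addresses, the sample bytes and the names check_prologue, decode_jmp_rel32 and image_range are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATCH_LEN 5u   /* 0xE9 + rel32: the size of jmp_add[5] in the text */

typedef enum {
    PROLOGUE_CLEAN = 0,    /* in-memory bytes match the reference bytes */
    PROLOGUE_MODIFIED,     /* bytes differ, but no JMP that leaves the image */
    PROLOGUE_JMP_OUTSIDE   /* E9 rel32 whose target lies outside the owning image */
} prologue_status;

typedef struct {
    uint64_t base;         /* load address of the module that owns the function */
    uint64_t size;         /* size of that module's image in memory */
} image_range;

/* Decode "E9 rel32" found at virtual address va.
 * Returns 1 and stores the jump target on success, 0 if the bytes are not such a JMP. */
static int decode_jmp_rel32(const uint8_t *code, size_t len, uint64_t va, uint64_t *target)
{
    uint32_t raw;
    int64_t rel;

    if (code == NULL || target == NULL || len < PATCH_LEN || code[0] != 0xE9)
        return 0;
    /* rel32 is stored little-endian and is signed */
    raw = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
          ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    rel = (raw & 0x80000000u) ? (int64_t)raw - 0x100000000LL : (int64_t)raw;
    /* the displacement is relative to the address of the next instruction */
    *target = va + PATCH_LEN + (uint64_t)rel;
    return 1;
}

/* Compare the first PATCH_LEN bytes read from memory with reference bytes
 * (for example the same offset in the on-disk image) and classify the result.
 * jmp_target receives the decoded target when a JMP is found, otherwise 0. */
static prologue_status check_prologue(const uint8_t *in_memory, const uint8_t *reference,
                                      size_t len, uint64_t va, image_range img,
                                      uint64_t *jmp_target)
{
    uint64_t target = 0;

    if (jmp_target != NULL)
        *jmp_target = 0;
    if (in_memory == NULL || reference == NULL || len < PATCH_LEN)
        return PROLOGUE_MODIFIED;          /* too short to verify: treat as suspect */
    if (memcmp(in_memory, reference, PATCH_LEN) == 0)
        return PROLOGUE_CLEAN;
    if (decode_jmp_rel32(in_memory, len, va, &target)) {
        if (jmp_target != NULL)
            *jmp_target = target;
        if (target < img.base || target - img.base >= img.size)
            return PROLOGUE_JMP_OUTSIDE;
    }
    return PROLOGUE_MODIFIED;
}

/* Constructed sample data: every address and byte below is illustrative only. */
static const image_range SAMPLE_IMAGE = { 0x80400000u, 0x00400000u };
static const uint64_t SAMPLE_FUNC_VA = 0x80501000u;
/* mov edi,edi / push ebp / mov ebp,esp: a five-byte 32-bit prologue used as the reference */
static const uint8_t SAMPLE_REFERENCE[PATCH_LEN] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
/* jmp 0xF8A02000, encoded relative to SAMPLE_FUNC_VA + 5 */
static const uint8_t SAMPLE_PATCHED[PATCH_LEN] = { 0xE9, 0xFB, 0x0F, 0x50, 0x78 };

int main(void)
{
    uint64_t target = 0;
    prologue_status s = check_prologue(SAMPLE_PATCHED, SAMPLE_REFERENCE, PATCH_LEN,
                                       SAMPLE_FUNC_VA, SAMPLE_IMAGE, &target);
    if (s == PROLOGUE_JMP_OUTSIDE)
        printf("prologue replaced by JMP to 0x%llx, outside the owning image\n",
               (unsigned long long)target);
    else
        printf("status %d\n", (int)s);
    return 0;
}
```

A PROLOGUE_MODIFIED result still warrants review, since a jump that stays inside the image can chain to a second jump elsewhere.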
Embodiment two
This embodiment provides a Windows process protection system. Its structure is shown in Fig. 2, and it may specifically include the following modules:
Constructing module 21: used to construct a first function from the original function of the Windows API instruction to be executed, wherein the first function denies a terminate-process instruction access to a process on the process-protection whitelist, or the first function denies a terminate-process instruction access to a process that is on the process-protection whitelist but not on the whitelist of processes that may be terminated;
Adjusting module 22: used to adjust the current stack of the original function and obtain the entry address of the first function in the original function;
Executing module 23: used to jump from the original function to execute the first function, so that executing the first function prevents the process from being interrupted.
The adjusting module 22 is specifically used to:
Call the HOOK function to pop and save the first several instructions of the original function;
Record, with a first JMP statement, the position from which the first several instructions were popped, as the entry address of the first function.
Push-back module 24 is used to:
After the first function is executed, calculate the address at which the first several instructions are to be pushed back, from the position recorded by the first JMP statement and the number of bytes the first several instructions occupy;
Jump, with a second JMP statement, to the address in the original function at which they are to be pushed back, and call the UNHOOK function to push the first several instructions of the original function back into the original function.
The constructing module 21 is specifically used to:
Construct, from the original function of the Windows API instruction to be executed, a DetourMy function set to forbid a terminate-process instruction from accessing a process on the process-protection whitelist; or,
Construct, from the original function of the Windows API instruction to be executed, a DetourMy function set to forbid a terminate-process instruction from accessing a process that is on the process-protection whitelist but not on the whitelist of processes that may be terminated.
The constructing module 21 is also specifically used to:
Construct, from the original function of the Windows API instruction to be executed, a DetourMy function set to accept a terminate-process instruction's access to a process that is not on the process-protection whitelist; or construct, from the original function of the Windows API instruction to be executed, a DetourMy function set to accept a terminate-process instruction's access to a process that is on the process-protection whitelist and also on the whitelist of processes that may be terminated.
The detailed process by which the system of this embodiment performs Windows process protection is similar to that of the preceding method embodiment and is not repeated here.
In summary, the embodiments of the present invention construct a first function from the original function of the Windows API instruction to be executed, wherein the first function denies a terminate-process instruction access to a process on the process-protection whitelist, or the first function denies a terminate-process instruction access to a process that is on the process-protection whitelist but not on the whitelist of processes that may be terminated; adjust the current stack of the original function and obtain the entry address of the first function in the original function; and jump from the original function to execute the first function, so that executing the first function prevents the process from being interrupted. The present invention aims to realize a process protection mechanism through deep exploration of HOOK technology. It abandons the traditional SSDT HOOK technique, modifies the Windows API at the kernel layer, and avoids being detected and removed by antivirus software. The technique readjusts the current stack and jumps to execute the constructed first function, thereby achieving process protection.
Those of ordinary skill in the art will appreciate that the drawings are schematic diagrams of one embodiment, and that the modules or flows in the drawings are not necessarily required to implement the present invention.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by software plus the necessary general-purpose hardware platform. On that understanding, the essence of the technical solution of the present invention, or the part that contributes over the prior art, can be embodied as a software product. The computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (a personal computer, a server, a network device, etc.) to execute the methods described in the embodiments, or in certain parts of the embodiments, of the present invention.
The embodiments in this specification are described progressively. For parts that are the same or similar, the embodiments may be referred to one another, and each embodiment emphasizes its differences from the others. In particular, the device and system embodiments are described relatively briefly because they are substantially similar to the method embodiment; for the relevant parts, see the description of the method embodiment. The device and system embodiments described above are only schematic: units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
The above is only a preferred specific embodiment of the present invention, but the protection scope of the present invention is not limited to it. Any change or replacement that a person familiar with the technical field can readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. The protection scope of the present invention shall therefore be determined by the scope of the claims.

Claims (10)

1. A Windows process protection method, characterized in that it includes:
Constructing a first function from the original function of the Windows API instruction to be executed, wherein the first function denies a terminate-process instruction access to a process on the process-protection whitelist, or the first function denies a terminate-process instruction access to a process that is on the process-protection whitelist but not on the whitelist of processes that may be terminated;
Adjusting the current stack of the original function, and obtaining the entry address of the first function in the original function;
Jumping from the original function to execute the first function, so that executing the first function prevents the process from being interrupted.
2. The Windows process protection method according to claim 1, characterized in that adjusting the current stack of the original function and obtaining the entry address of the first function in the original function includes:
Calling the HOOK function to pop and save the first several instructions of the original function;
Recording, with a first JMP statement, the position from which the first several instructions were popped, as the entry address of the first function.
3. The Windows process protection method according to claim 2, characterized in that, after the first function is executed, the method includes:
Calculating the address at which the first several instructions are to be pushed back, from the position recorded by the first JMP statement and the number of bytes the first several instructions occupy;
Jumping, with a second JMP statement, to the address in the original function at which they are to be pushed back, and calling the UNHOOK function to push the first several instructions of the original function back into the original function.
4. The Windows process protection method according to any one of claims 1-3, characterized in that constructing the first function from the original function of the Windows API instruction to be executed includes:
Constructing, from the original function of the Windows API instruction to be executed, a DetourMy function set to forbid a terminate-process instruction from accessing a process on the process-protection whitelist; or,
Constructing, from the original function of the Windows API instruction to be executed, a DetourMy function set to forbid a terminate-process instruction from accessing a process that is on the process-protection whitelist but not on the whitelist of processes that may be terminated.
5. The Windows process protection method according to claim 4, characterized in that constructing the first function from the original function of the Windows API instruction to be executed includes:
Constructing, from the original function of the Windows API instruction to be executed, a DetourMy function set to accept a terminate-process instruction's access to a process that is not on the process-protection whitelist; or constructing, from the original function of the Windows API instruction to be executed, a DetourMy function set to accept a terminate-process instruction's access to a process that is on the process-protection whitelist and also on the whitelist of processes that may be terminated.
6. a kind of windows Process Protection system is it is characterised in that include:
Constructing module:It is used for according to windows API original function construction first function instructions to be performed;Wherein, described One function refusal terminates the access to the process in the white list of Process Protection for the process instruction, or, described first function refusal Terminate the access in the white list of the Process Protection but not process in the process white list that can be moved to end for the process instruction;
Adjusting module:It is used for adjusting described antiderivative current stack, obtains described first function in described original function Entry address;
Performing module:It is used for redirecting the described first function of execution from described original function, by executing described first function, with Described process is avoided to be interrupted.
7. The Windows process protection system according to claim 6, characterized in that the adjusting module is specifically used for:
calling a HOOK function to pop the first several instructions of the original function off the stack and save them;
using a first JMP statement to record the position from which the first several instructions were popped, as the entry address of the first function.
8. The Windows process protection system according to claim 7, characterized by further including a pop-down (stack push) module, used for:
after the first function has been executed, calculating the address at which the first several instructions are to be pushed back, from the position recorded by the first JMP statement at which the first several instructions were popped and the number of bytes the first several instructions occupy;
jumping, with a second JMP statement, to the address in the original function at which they are to be pushed back, and calling an UNHOOK function to push the first several instructions of the original function back into the original function.
9. The Windows process protection system according to claims 6-8, characterized in that the constructing module is specifically used for:
constructing, from the original function of the Windows API for the instruction to be executed, a DetourMy function that is set to forbid access by a terminate-process instruction to a process in the process-protection whitelist; or,
constructing, from the original function of the Windows API for the instruction to be executed, a DetourMy function that is set to refuse access by a terminate-process instruction to a process that is in the process-protection whitelist but not in the whitelist of processes that may be terminated.
10. The Windows process protection system according to claim 9, characterized in that the constructing module is further specifically used for:
constructing, from the original function of the Windows API for the instruction to be executed, a DetourMy function that is set to accept access by a terminate-process instruction to a process that is not in the process-protection whitelist; or, constructing, from the original function of the Windows API for the instruction to be executed, a DetourMy function that is set to accept access by a terminate-process instruction to a process that is in the process-protection whitelist and also in the whitelist of processes that may be terminated.
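
Added illustration, not part of the patent text: a C model, on a plain byte buffer rather than live code, of the save/JMP/restore bookkeeping in claims 7-8 and the two-whitelist decision in claims 9-10. The x86 JMP rel32 encoding, the 5-byte patch length, and every name, address, PID and byte value below are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>
#define PATCH_LEN 5  /* assumption: x86 JMP rel32 = opcode E9 + 4-byte displacement */

/* Constructed sample data: stand-ins for the two whitelists and a function prologue. */
static const uint32_t protected_pids[]  = { 1000, 1001, 1002 };
static const uint32_t terminable_pids[] = { 1002 };
const uint8_t sample_prologue[8] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };

static int in_list(const uint32_t *list, size_t n, uint32_t pid) {
    for (size_t i = 0; i < n; i++)
        if (list[i] == pid) return 1;
    return 0;
}

/* Decision made by the first (detour) function: 1 = refuse termination, 0 = accept. */
int detour_refuses(uint32_t pid) {
    int prot = in_list(protected_pids, sizeof protected_pids / sizeof *protected_pids, pid);
    int term = in_list(terminable_pids, sizeof terminable_pids / sizeof *terminable_pids, pid);
    return prot && !term;  /* protected and not explicitly terminable */
}

typedef struct {
    uint8_t  saved[PATCH_LEN];  /* first instructions of the original function */
    uint32_t resume_addr;       /* patch position + bytes the saved instructions occupy */
} hook_state;

/* Save the first PATCH_LEN bytes (must end on an instruction boundary), then write the JMP. */
void hook(uint8_t *fn, uint32_t fn_addr, uint32_t detour_addr, hook_state *st) {
    uint32_t rel = detour_addr - (fn_addr + PATCH_LEN);  /* relative to the next instruction */
    memcpy(st->saved, fn, PATCH_LEN);
    st->resume_addr = fn_addr + PATCH_LEN;
    fn[0] = 0xE9;
    for (int i = 0; i < 4; i++)
        fn[1 + i] = (uint8_t)(rel >> (8 * i));  /* little-endian displacement */
}

/* Decode where the JMP written by hook() lands, to verify the patch. */
uint32_t jmp_target(const uint8_t *fn, uint32_t fn_addr) {
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++)
        rel |= (uint32_t)fn[1 + i] << (8 * i);
    return fn_addr + PATCH_LEN + rel;
}

/* Restore the saved instructions so the original function is intact again. */
void unhook(uint8_t *fn, const hook_state *st) {
    memcpy(fn, st->saved, PATCH_LEN);
}
```

The same save-then-JMP pattern is what an integrity check looks for: a prologue whose first byte is E9 and whose decoded target lies outside the module that owns the function.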
CN201610795200.XA 2016-08-31 2016-08-31 A kind of windows process protection method and system Pending CN106469272A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610795200.XA CN106469272A (en) 2016-08-31 2016-08-31 A kind of windows process protection method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610795200.XA CN106469272A (en) 2016-08-31 2016-08-31 A kind of windows process protection method and system

Publications (1)

Publication Number Publication Date
CN106469272A true CN106469272A (en) 2017-03-01

Family

ID=58230289

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610795200.XA Pending CN106469272A (en) 2016-08-31 2016-08-31 A kind of windows process protection method and system

Country Status (1)

Country Link
CN (1) CN106469272A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107566843A (en) * 2017-10-09 2018-01-09 武汉斗鱼网络科技有限公司 A kind of video decoding process guard method and device
CN107729132A (en) * 2017-10-09 2018-02-23 武汉斗鱼网络科技有限公司 A kind of video decoding process guard method and device
CN110472409A (en) * 2019-08-06 2019-11-19 长沙学院 A kind of process management method and system based on white list mechanism

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080016339A1 (en) * 2006-06-29 2008-01-17 Jayant Shukla Application Sandbox to Detect, Remove, and Prevent Malware
CN102156834A (en) * 2011-04-18 2011-08-17 北京思创银联科技股份有限公司 Method for realizing program killing prevention
CN102799493A (en) * 2012-06-21 2012-11-28 北京伸得纬科技有限公司 Method for intercepting target progress with self-protection
CN105426751A (en) * 2015-10-27 2016-03-23 珠海市君天电子科技有限公司 Method and device for preventing system time from being tampered

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107566843A (en) * 2017-10-09 2018-01-09 武汉斗鱼网络科技有限公司 A kind of video decoding process guard method and device
CN107729132A (en) * 2017-10-09 2018-02-23 武汉斗鱼网络科技有限公司 A kind of video decoding process guard method and device
CN107566843B (en) * 2017-10-09 2019-07-09 武汉斗鱼网络科技有限公司 A kind of video decoding process guard method and device
CN107729132B (en) * 2017-10-09 2019-10-25 武汉斗鱼网络科技有限公司 A kind of video decoding process guard method and device
CN110472409A (en) * 2019-08-06 2019-11-19 长沙学院 A kind of process management method and system based on white list mechanism

Similar Documents

Publication Publication Date Title
AU2019200445B2 (en) Methods and apparatus for dealing with malware
US10192059B2 (en) System and method for protecting systems from active content
CN106055979B (en) Kernel restorative procedure and device
US9323804B2 (en) Method and system for allowing access to developed applications via a multi-tenant on-demand database service
US7877803B2 (en) Automated immune response for a computer
EP2577540B1 (en) Malware scanning
CN103023906B (en) Method and system aiming at remote procedure calling conventions to perform status tracking
DE112012000750T5 (en) Backup and manage apps in one device
DE112012001389T5 (en) Secure execution of an unsecured app on a device
CN108475217A (en) System and method for virtual machine of auditing
CN105893228A (en) Systems and methods for behavioral sandboxing
CN106469272A (en) A kind of windows process protection method and system
CN113138836B (en) Escape prevention method using escape prevention system based on Docker container
US20160314296A1 (en) Method and System for Dynamic Runtime Selection and Modification of Conditional Expressions in Computations
WO2019165883A1 (en) Data processing method and apparatus
TW201337620A (en) Software modification for partial secure memory processing
CN109800571B (en) Event processing method and device, storage medium and electronic device
CN109218296B (en) XSS (XSS) defense system and method based on improved CSP (chip size service) strategy
US20100199357A1 (en) Secure hosting for untrusted code
CN109286630A (en) Deng guarantor's processing method, device, equipment and storage medium
US9990493B2 (en) Data processing system security device and security method
CN110084038A (en) Prevent third party's JavaScript loophole
CN109150890A (en) The means of defence and relevant device of newly-built connection attack
CN107657181A (en) A kind of database manipulation blocking-up method and system
CN106203115A (en) Application program protection method and device and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination