CN109784041B - Event processing method and device, storage medium and electronic device - Google Patents


Info

Publication number
CN109784041B
Authority
CN
China
Prior art keywords
target
target event
file
event
condition
Prior art date
Legal status
Active
Application number
CN201811645682.6A
Other languages
Chinese (zh)
Other versions
CN109784041A (en)
Inventor
杨振华
杨晓东
游勇
王明广
Current Assignee
Qianxin Technology Group Co Ltd
Qianxin Safety Technology Zhuhai Co Ltd
Original Assignee
360 Enterprise Security Technology Zhuhai Co ltd
Beijing Qianxin Technology Co Ltd
Priority date
Filing date
Publication date

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides an event processing method and device, a storage medium and an electronic device. The method comprises: monitoring, with a file system minifilter driver, whether a target event is received, the target event being a request to map the file content of a target file into a memory block; when a target event is received, judging with the minifilter driver whether the target event meets a first preset condition; when the target event does not meet the first preset condition, allowing the target event to execute; and when the target event meets the first preset condition, filtering the target event with a target application and determining from the filtering result whether the target event is allowed to execute. The method and device address the technical problem in the related art that preventing driver loading entirely in the driver layer makes the system prone to crashes.

Description

Event processing method and device, storage medium and electronic device
Technical Field
The invention relates to the field of security protection, in particular to an event processing method and device, a storage medium and an electronic device.
Background
Kernel drivers are widely used by hardware installers, system control software, security software and the like. Because a kernel driver runs at the lowest layer of the system with the highest privilege, a virus or Trojan can damage the system through an implanted driver. If driver loading is not controlled, great harm can result; in particular, a driver implanted by a virus program can change system settings at will.
In the related art, one scheme prevents driver loading in the application layer: a dynamic library is injected into existing and newly created processes to monitor the driver-loading functions. Because the privilege of the application layer is limited, however, ways of bypassing application-layer monitoring still exist.
Another scheme prevents driver loading in the driver layer, in particular by hooking on 32-bit systems. Its privilege is high enough to block driver loading, but if other driver modules adopt a similar technique the existing hook can be overwritten, and in some cases the system crashes. This scheme also suffers from false positives, low system performance and poor interactivity.
In view of the above problems in the related art, no effective solution has been found at present.
Disclosure of Invention
The embodiment of the invention provides an event processing method and device, a storage medium and an electronic device.
According to an embodiment of the present invention, an event processing method is provided, comprising: monitoring, with a file system minifilter driver, whether a target event is received, the target event being a request to map the file content of a target file into a memory block; when a target event is received, judging with the minifilter driver whether the target event meets a first preset condition; when the target event does not meet the first preset condition, allowing the target event to execute; and when the target event meets the first preset condition, filtering the target event with a target application and determining from the filtering result whether the target event is allowed to execute.
Further, the first preset condition is that all of the following hold: the target application is already running; the target event requests the creation of a new memory block; the target event requests the target permissions on the memory block; the file pointed to by the target file does not exist, or the file name of the file pointed to by the target file is empty, or the file name of the file pointed to by the target file cannot be obtained; the target event is initiated by the application layer; and the current process is a system process.
Further, filtering the target event with the target application and determining from the filtering result whether the target event is allowed to execute comprises: judging, in the background of the target application, whether the target event meets a second preset condition; when the target event meets the second preset condition, allowing the target event to execute; and when the target event does not meet the second preset condition, determining through the interface of the target application whether the target event is allowed to execute.
Further, the second preset condition is that any of the following holds: the target file is a target system file or a dynamic library file; the target event was allowed to execute within the preset time interval; or the target file has been signed by the operating system.
Further, determining through the interface of the target application whether the target event is allowed to execute comprises: receiving a selection operation entered through the interface of the target application; and determining from the selection operation whether the target event is allowed to execute.
Further, before determining from the selection operation whether the target event is allowed to execute, the method further comprises: judging whether no selection operation has been received once a preset time length has elapsed; and, when no selection operation has been received once the preset time length has elapsed, prohibiting the target event from executing.
Further, monitoring with the file system minifilter driver whether the target event is received comprises: receiving, through an application layer interface, a call request sent by a client application; and, in response to the call request, monitoring with the minifilter driver whether a target event is received.
According to another embodiment of the present invention, an event processing apparatus is provided, comprising: a monitoring module for monitoring, with a file system minifilter driver, whether a target event is received, the target event being a request to map the file content of a target file into a memory block; a judging module for judging, with the minifilter driver, whether the target event meets a first preset condition when a target event is received; a logic module for allowing the target event to execute when the target event does not meet the first preset condition; and a filtering module for filtering the target event with a target application when the target event meets the first preset condition, and determining from the filtering result whether the target event is allowed to execute.
According to a further embodiment of the present invention, there is also provided a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
According to yet another embodiment of the present invention, there is also provided an electronic device, including a memory in which a computer program is stored and a processor configured to execute the computer program to perform the steps in any of the above method embodiments.
The event processing method provided by the embodiment of the present invention processes a target event that maps the file content of a target file into a memory block. This step is one of the steps of the driver loading process: if the event that maps the file content into a memory block is blocked, the driver cannot be loaded.
Specifically, after the target event is received, part of the conditional filtering is performed in the driver layer by a file system minifilter driver, and whether the target event is allowed to execute is determined from the filtering result. To keep the operating system stable, the filtering conditions in the driver layer are reduced as far as possible so that the code size of the driver layer stays small; after the driver-layer filtering, the target event is forwarded up to the application layer, where the target application applies further conditional filtering until it is finally determined whether the target event is allowed to execute. That is, only part of the filtering conditions are placed in the driver layer and the rest are delegated to the application layer. The method thus retains the higher privilege of the driver layer while reducing the code size of the driver layer, solves the technical problem in the related art that preventing driver loading in the driver layer easily causes system crashes, and achieves the technical effects of improving compatibility with the operating system and reducing the false positive rate.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a block diagram of a hardware configuration of a computer device according to an embodiment of the present invention;
FIG. 2 is a flow diagram of an alternative event processing method according to an embodiment of the invention;
FIG. 3 is a flow diagram of an alternative event processing method according to an embodiment of the invention;
fig. 4 is a block diagram of an alternative event processing device according to an embodiment of the present invention.
Detailed Description
The invention will be described in detail hereinafter with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
Example 1
The method provided by the first embodiment of the present application may be executed in a mobile terminal, a computer device, a server, or a similar computing device. Taking an example of the present invention running on a computer device, fig. 1 is a block diagram of a hardware structure of a computer device according to an embodiment of the present invention. As shown in fig. 1, the computer device may include one or more (only one shown in fig. 1) processors 102 (the processors 102 may include, but are not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 104 for storing data, and optionally, a transmission device 106 for communication functions and an input-output device 108. It will be understood by those skilled in the art that the configuration shown in fig. 1 is merely illustrative and is not intended to limit the configuration of the computer device described above. For example, the computer device may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be used to store computer programs, for example software programs and modules of application software such as the computer programs corresponding to the event processing method in the embodiment of the present invention; the processor 102 executes various functional applications and data processing by running the computer programs stored in the memory 104, thereby implementing the method described above. The memory 104 may include high-speed random access memory, and may also include non-volatile memory such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some instances, the memory 104 may further include memory located remotely from the processor 102, connected to the computer device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of such networks may include wireless networks provided by communication providers of computer devices. In one example, the transmission device 106 includes a Network adapter (NIC), which can be connected to other Network devices through a base station so as to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
In the present embodiment, an event processing method is provided, and fig. 2 is a flowchart of a method according to an embodiment of the present invention, as shown in fig. 2, the flowchart includes the following steps:
step 201, monitoring, with a file system minifilter driver, whether a target event is received, the target event being a request to map the file content of a target file into a memory block;
step 202, when a target event is received, judging with the minifilter driver whether the target event meets a first preset condition;
step 203, when the target event does not meet the first preset condition, allowing the target event to execute;
step 204, when the target event meets the first preset condition, filtering the target event with the target application and determining from the filtering result whether the target event is allowed to execute.
The event processing method provided by the embodiment of the invention processes a target event that maps the file content of a target file into a memory block. After the target event is received, part of the conditional filtering is performed in the driver layer by a file system minifilter driver, and whether the target event is allowed to execute is determined from the filtering result. To keep the operating system stable, the filtering conditions in the driver layer are reduced as far as possible so that the code size of the driver layer stays small; after the driver-layer filtering, the target event is forwarded up to the application layer, where the target application applies further conditional filtering until it is finally determined whether the target event is allowed to execute.
The event processing method provided by the embodiment of the invention can be applied to protecting and controlling driver loading. When a driver is loaded, Application Programming Interface (API) functions are called step by step from the application layer down to the driver layer. Several processes may be involved in the application layer, such as the process initiating the operation, svchost, rpc and services; the kernel function NtLoadDriver is then called. NtLoadDriver accesses the specific driver file, brings the driver file into a memory block and gives it execute permission, maps the content of the file into the memory block, fills in the import/export tables in memory, relocates the image to its loaded base address, and sets the CPU's execution address to the driver's entry point.
It can be seen from the driver loading process above that if the creation of the memory block is blocked, so that the driver's file content is never mapped into the memory block, the driver cannot be brought into memory and cannot be loaded. The mapping of file content into a memory block can therefore be filtered by certain conditions, and whether to block the driver from mapping its file content into the memory block is decided from the filtering result.
A file system minifilter driver is used by registering with the Filter Manager the operations that need filtering and providing callback functions in the specified format. For one operation, the minifilter may register a pre-operation callback and a post-operation callback. Optionally, a callback function in the minifilter judges whether the first preset condition is met: if it is not met, the target event is allowed to execute; if it is met, the target event is further filtered by the target application, which determines from the filtering result whether the target event is allowed to execute. For example, the minifilter's callback function performs filtering when the following operation is detected in the operating system:
IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION.
An alternative driver-layer arrangement has the following filter conditions (the first preset condition): the target application is already running; the target event requests the creation of a new memory block; the target event requests the target permissions on the memory block, where the target permissions are the execute, read, write and copy permissions on the memory block; the file pointed to by the target file does not exist, or the file name of the file pointed to by the target file is empty, or the file name of the file pointed to by the target file cannot be obtained; the target event is initiated by the application layer; and the current process is a system process.
That is, in the alternative embodiment above: if it is detected that the target application is not running (or, further, that the target function or target plug-in of the target application is not enabled), the target application cannot filter at the application layer, so the target event is not forwarded to the application layer. If the target event does not request the creation of a new memory block, it is determined not to be a driver-loading operation and need not be forwarded to the application layer. If the target event does not request the specific permissions (the target permissions), it need not be forwarded to the application layer. If the file pointed to by the target file exists, its file name is not empty and its file name can be obtained, the target event need not be forwarded to the application layer. If the target event is not initiated by the application layer, it need not be forwarded. If the current process is not the system process (the System process, process ID 4), the target event need not be forwarded.
The first preset condition is the filtering performed in the driver layer by the minifilter. After driver-layer filtering, events meeting the first preset condition are forwarded up to the application layer, and events not meeting it are released (allowed to execute).
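The driver-layer decision described above, written out as an added, host-compilable C example; it is not code from the patent or from the assignee. The struct mirrors the fields a minifilter pre-operation callback for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION can read from its callback data (the SyncType and PageProtection parameters of the section-synchronization request, the requestor mode, the current process ID, and the file name obtained from the Filter Manager), and the function returns whether the event is released in the kernel or forwarded to the target application. The following are this example's assumptions: the patent's "target permissions" are taken to be the PAGE_EXECUTE* protections; the system process is identified by process ID 4; the file-name clause is read as "forward when the backing file is missing, its name is empty, or its name cannot be obtained"; and the Windows constant values are reproduced so the file builds without the WDK.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values of the Windows constants used below, reproduced so this builds without the WDK. */
#define SYNC_TYPE_CREATE_SECTION 1u     /* FS_FILTER_SECTION_SYNC_TYPE SyncTypeCreateSection */
#define PAGE_EXECUTE             0x10u
#define PAGE_EXECUTE_READ        0x20u
#define PAGE_EXECUTE_READWRITE   0x40u
#define PAGE_EXECUTE_WRITECOPY   0x80u
#define SYSTEM_PROCESS_ID        4u     /* the System process, in which driver loads run (assumption) */

enum verdict { VERDICT_ALLOW = 0, VERDICT_FORWARD_TO_APP = 1 };

/* Constructed mirror of what the pre-operation callback can read for one
 * IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION request. */
struct section_sync_event {
    uint32_t    sync_type;       /* SyncTypeCreateSection when a new section (memory block) is requested */
    uint32_t    page_protection; /* PAGE_* protection requested for the section */
    bool        from_user_mode;  /* requestor mode is user mode: initiated by the application layer */
    uint32_t    requestor_pid;   /* process ID current in the callback */
    bool        file_exists;     /* the file the target file points to could be resolved */
    const char *file_name;       /* NULL when the name could not be obtained, "" when it is empty */
};

/* First preset condition. All sub-conditions must hold for the event to be forwarded to
 * the target application; any miss releases the event right here, which is what keeps the
 * in-kernel logic small. */
enum verdict driver_layer_filter(const struct section_sync_event *ev, bool target_app_open)
{
    const uint32_t exec_mask = PAGE_EXECUTE | PAGE_EXECUTE_READ |
                               PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY;

    if (!target_app_open)                          /* nobody to forward to */
        return VERDICT_ALLOW;
    if (ev->sync_type != SYNC_TYPE_CREATE_SECTION) /* not creating a new memory block */
        return VERDICT_ALLOW;
    if ((ev->page_protection & exec_mask) == 0)    /* assumption: "target permissions" = execute */
        return VERDICT_ALLOW;
    if (!ev->from_user_mode)                       /* not initiated by the application layer */
        return VERDICT_ALLOW;
    if (ev->requestor_pid != SYSTEM_PROCESS_ID)    /* not the system process */
        return VERDICT_ALLOW;

    /* File clause: the normal case (file exists, name obtained, name non-empty) is released;
     * a missing file, an empty name or an unobtainable name is forwarded. */
    bool name_obtained = ev->file_name != NULL;
    bool name_nonempty = name_obtained && ev->file_name[0] != '\0';
    if (ev->file_exists && name_obtained && name_nonempty)
        return VERDICT_ALLOW;

    return VERDICT_FORWARD_TO_APP;
}

/* Scalar wrapper so one scenario fits on one line. */
enum verdict classify(uint32_t sync_type, uint32_t prot, bool user_mode, uint32_t pid,
                      bool file_exists, const char *file_name, bool app_open)
{
    struct section_sync_event ev = { sync_type, prot, user_mode, pid, file_exists, file_name };
    return driver_layer_filter(&ev, app_open);
}

int main(void)
{
    /* Constructed events: an executable section created by System for a file whose name
     * cannot be obtained is forwarded; the same request from an ordinary process, or a
     * named file mapped without execute rights, is released in the kernel. */
    printf("unnamed, System, execute   -> %d\n",
           classify(SYNC_TYPE_CREATE_SECTION, PAGE_EXECUTE_READ, true, 4, false, NULL, true));
    printf("unnamed, pid 1234, execute -> %d\n",
           classify(SYNC_TYPE_CREATE_SECTION, PAGE_EXECUTE_READ, true, 1234, false, NULL, true));
    printf("named, System, read-only   -> %d\n",
           classify(SYNC_TYPE_CREATE_SECTION, 0x02u /* PAGE_READONLY */, true, 4, true,
                    "\\Device\\HarddiskVolume1\\Windows\\System32\\drivers\\drv.sys", true));
    return 0;
}
```

In a real minifilter this decision runs inside the pre-operation callback registered for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION. Refusing the request there, by completing it with a failure status, rejects the section before the image is mapped, which is what actually stops the load; forwarding to the target application goes through a communication-port round trip, and the kernel side should send with a timeout so that a hung or killed target application cannot stall the System process indefinitely.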
Further, after the target event has been forwarded to the application layer, the target application filters it further: target information about the target event is obtained, for example the process ID, thread ID and file path returned by the driver layer to the application layer, and the target information is used to judge whether the target event is allowed to execute.
For example, when filtering with the target application, a first filtering step may be performed in the application's background: if the second preset condition is not met, further filtering is performed through the interface of the target application, and if the second preset condition is met, the target event is allowed to execute, as shown in fig. 3.
An optional implementation of the second preset condition is: the target file is a target system file (e.g. ntoskrnl.exe) or a dynamic library file; or the target event was allowed to execute within the preset time interval; or the target file has been signed by the operating system.
On some operating systems (such as Windows 10), dynamic library files are sometimes forwarded to the application layer, so the application layer can first read the file header and check whether the Subsystem field is Native; if so, the target file is a dynamic library file and can be released. The system file ntoskrnl.exe is sometimes forwarded to the application layer as well, so it is also checked whether the target file is ntoskrnl.exe. If the target file is a dynamic library file or a target system file such as ntoskrnl.exe, the second preset condition is determined to be met, the target event is released, and no further filtering through the interface of the target application is needed.
Furthermore, on some operating systems (such as Windows 7 and Windows 10) the memory block is mapped three times during one driver load, and the event cannot be forwarded from the driver layer to the application layer every time, so a time interval can be set in the application layer: if a target event mapping the file content of the target file into a memory block was received and allowed to execute within the preset time range, the target event is released.
Optionally, the user may set the filtering to synchronous or asynchronous in the interface of the target application. With synchronous filtering, user intervention is required: after background filtering by the target application, target events that do not meet the second preset condition are displayed in the interface and the user chooses to release or intercept them. Optionally, if the user does not act within the specified time, a default behaviour such as release or interception is performed; the default behaviour may be preset, or set or modified by the user. With asynchronous filtering, every time a target event reaches the interface of the target application the default behaviour (release or interception) is executed directly, and information about the target event, such as the process name, time and driver path, is displayed in the interface.
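The application-layer part of the scheme (the second preset condition, the Subsystem check of the file header, and the preset-interval rule for the repeated mappings of one driver load) as an added C example; it is not the patent's code and the inputs are constructed inline. This example's assumptions: the PE header walk reads the Subsystem field at optional-header offset 68, which is the same offset for PE32 and PE32+; the system-file check compares the last path component against ntoskrnl.exe case-insensitively; a small path-keyed cache of recently released events stands in for the preset time interval, with time supplied by the caller as a plain counter; and the operating-system signature check is replaced by an os_signed flag from the caller, because verifying a signature is outside this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IMAGE_SUBSYSTEM_NATIVE 1
#define PE_SIGNATURE 0x00004550u   /* "PE\0\0" read as a little-endian dword */
#define CACHE_SLOTS 8

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Subsystem field of the PE optional header, or -1 if buf is not a well-formed PE image.
 * Subsystem is at optional-header offset 68 in both PE32 and PE32+, so Magic is not needed.
 * Every offset is bounds-checked before it is dereferenced. */
int pe_subsystem(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(buf + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 24 + 70) return -1;   /* signature + COFF + Subsystem */
    if (rd32(buf + e_lfanew) != PE_SIGNATURE) return -1;
    if (rd16(buf + e_lfanew + 20) < 70) return -1;                /* SizeOfOptionalHeader */
    return rd16(buf + e_lfanew + 24 + 68);
}

/* Case-insensitive match of the last path component against ntoskrnl.exe. */
bool is_ntoskrnl(const char *path)
{
    const char *base = path, *want = "ntoskrnl.exe";
    for (const char *p = path; *p; p++)
        if (*p == '\\' || *p == '/') base = p + 1;
    for (; *base && *want; base++, want++)
        if (tolower((unsigned char)*base) != tolower((unsigned char)*want)) return false;
    return *base == '\0' && *want == '\0';
}

/* Paths the target application already released, for the "allowed within the preset
 * interval" rule that absorbs the repeated section mappings of a single driver load. */
struct recent_allow { char path[260]; uint64_t at; bool used; };
struct app_state   { struct recent_allow cache[CACHE_SLOTS]; uint64_t interval; };

static bool recently_allowed(const struct app_state *st, const char *path, uint64_t now)
{
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (st->cache[i].used && strcmp(st->cache[i].path, path) == 0 &&
            now >= st->cache[i].at && now - st->cache[i].at <= st->interval)
            return true;
    return false;
}

/* Called after a final allow decision, whether by a background rule or by the user. */
void record_allowed(struct app_state *st, const char *path, uint64_t now)
{
    int slot = 0;
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (!st->cache[i].used || strcmp(st->cache[i].path, path) == 0) { slot = i; break; }
        if (st->cache[i].at < st->cache[slot].at) slot = i;        /* otherwise evict the oldest */
    }
    strncpy(st->cache[slot].path, path, sizeof st->cache[slot].path - 1);
    st->cache[slot].path[sizeof st->cache[slot].path - 1] = '\0';
    st->cache[slot].at = now;
    st->cache[slot].used = true;
}

enum app_verdict { APP_ALLOW = 0, APP_ASK_USER = 1 };

/* Second preset condition, evaluated in the target application's background before any
 * prompt. os_signed is supplied by the caller; this example does not verify signatures. */
enum app_verdict background_filter(const struct app_state *st, const char *path,
                                   const uint8_t *img, size_t len, bool os_signed, uint64_t now)
{
    if (is_ntoskrnl(path) || pe_subsystem(img, len) == IMAGE_SUBSYSTEM_NATIVE) return APP_ALLOW;
    if (os_signed) return APP_ALLOW;
    if (recently_allowed(st, path, now)) return APP_ALLOW;
    return APP_ASK_USER;
}

/* Constructed minimal PE32 image for testing: MZ stub, e_lfanew = 0x40, 224-byte optional
 * header carrying the given Subsystem. Returns bytes written, or 0 if cap is too small. */
size_t make_min_pe(uint8_t *buf, size_t cap, uint16_t subsystem)
{
    const size_t need = 0x40 + 24 + 224;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                                 /* e_lfanew */
    buf[0x40] = 'P'; buf[0x41] = 'E';                 /* "PE\0\0" */
    buf[0x40 + 20] = 224;                             /* SizeOfOptionalHeader = 0xE0 (PE32) */
    buf[0x40 + 24] = 0x0B; buf[0x40 + 25] = 0x01;     /* Magic = 0x10B */
    buf[0x40 + 24 + 68] = (uint8_t)(subsystem & 0xFF);
    buf[0x40 + 24 + 69] = (uint8_t)(subsystem >> 8);
    return need;
}

/* Walks the rules over constructed inputs; each bit is one rule behaving as described. */
int run_scenario(void)
{
    uint8_t native[512], gui[512];
    size_t nlen = make_min_pe(native, sizeof native, IMAGE_SUBSYSTEM_NATIVE);
    size_t glen = make_min_pe(gui, sizeof gui, 2 /* IMAGE_SUBSYSTEM_WINDOWS_GUI */);
    struct app_state st;
    memset(&st, 0, sizeof st);
    st.interval = 5;                                   /* preset interval, in seconds */
    const char *drv = "C:\\Windows\\System32\\drivers\\drv.sys";
    int bits = 0;
    if (background_filter(&st, "C:\\t\\a.sys", native, nlen, false, 100) == APP_ALLOW) bits |= 1;
    if (background_filter(&st, drv, gui, glen, false, 100) == APP_ASK_USER)           bits |= 2;
    record_allowed(&st, drv, 100);                     /* the user released it at t = 100 */
    if (background_filter(&st, drv, gui, glen, false, 103) == APP_ALLOW)              bits |= 4;
    if (background_filter(&st, drv, gui, glen, false, 200) == APP_ASK_USER)           bits |= 8;
    if (background_filter(&st, drv, gui, glen, true, 200) == APP_ALLOW)               bits |= 16;
    if (background_filter(&st, "\\SystemRoot\\system32\\NTOSKRNL.EXE", gui, glen, false, 200) == APP_ALLOW) bits |= 32;
    if (pe_subsystem(gui, 10) == -1)                                                   bits |= 64;
    return bits;                                       /* 0x7F when every rule holds */
}
```

Two properties of this layer are worth checking in any deployment. The interval cache is keyed by path, so whatever is mapped from an already released path within the interval is released too; keying on a digest of the mapped file instead closes that at the cost of reading the file on every event. The header check only trusts the Subsystem field, which any file can set, so it should be treated as a reason to skip the prompt for known native images, not as evidence that the image is benign.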
It should be noted that the method provided by the embodiment of the present invention must be deployed in an x86 or x64 environment that supports minifilter drivers, such as Windows 7 or Windows 10. The event processing method provided by the embodiment of the invention and its optional embodiments has good compatibility with the operating system, runs stably, can monitor and control in real time the event by which a driver maps its file into memory, has a low false positive rate, good interactivity and convenient operation, and can record behaviour in detail through a log.
It should be noted that although the event processing method provided in the embodiment of the present invention requires filtering in the kernel driver layer, an application-layer interface may also be exported, for example by providing the definitions in a header file; a client application then only needs to call the event processing method provided by the embodiment through this interface to integrate it seamlessly.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
Example 2
In this embodiment, an event processing apparatus is further provided, where the event processing apparatus is used to implement the foregoing embodiments and preferred embodiments, and includes a client, a server, and the like, which have already been described and are not described again. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Fig. 4 is a block diagram of an event processing apparatus according to an embodiment of the present invention, as shown in fig. 4, the apparatus including: a monitoring module 10, a judging module 20, a logic module 30 and a filtering module 40.
The monitoring module is used for monitoring whether a target event is received by utilizing a micro filter driver of the file system, wherein the target event is used for mapping the file content of the target file to the memory block; the judging module is used for judging whether the target event meets a first preset condition by utilizing the micro-filter driver under the condition of receiving the target event; the logic module is used for allowing the target event to be executed under the condition that the target event does not accord with a first preset condition; the filtering module is used for filtering the target event by using the target application under the condition that the target event meets a first preset condition, and determining whether the target event is allowed to be executed or not according to a filtering result.
Optionally, the first preset condition is that all of the following hold: the target application is already running; the target event requests the creation of a new memory block; the target event requests the target permissions on the memory block; the file pointed to by the target file does not exist, or the file name of the file pointed to by the target file is empty, or the file name of the file pointed to by the target file cannot be obtained; the target event is initiated by the application layer; and the current process is a system process.
Optionally, the filtering module includes: the first judgment unit is used for judging whether the target event meets a second preset condition by using the target application background; the first logic unit is used for allowing the target event to be executed under the condition that the target event meets a second preset condition; and the first determining unit is used for determining whether the target event is allowed to be executed or not through the interface of the target application under the condition that the target event does not accord with the second preset condition.
Optionally, the second preset condition is as follows: the target file is a target system file or a dynamic library file; alternatively, the target event was allowed to execute before the preset time interval; alternatively, the target file has been signed by the operating system.
Optionally, the first determining unit includes: the receiving unit is used for receiving input selection operation through an interface of the target application; a second determination unit configured to determine whether execution of the target event is permitted according to the selection operation.
Optionally, the apparatus further comprises: the second judgment unit is used for judging whether the selection operation is not received after the preset time length is exceeded or not before determining whether the target event is allowed to be executed or not according to the selection operation; and the second logic unit is used for forbidding executing the target event under the condition that the selection operation is not received after the preset time length is exceeded.
Optionally, the monitoring module includes: a receiving unit for receiving, through the application layer interface, a call request sent by the client application; and a monitoring unit for monitoring, in response to the call request, whether the target event is received, using the minifilter driver.
It should be noted that, the above modules may be implemented by software or hardware, and for the latter, the following may be implemented, but not limited to: the modules are all positioned in the same processor; alternatively, the modules are respectively located in different processors in any combination.
Example 3
Embodiments of the present invention also provide a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
Optionally, in this embodiment, the storage medium may include, but is not limited to: various media capable of storing computer programs, such as a usb disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
Example 4
Embodiments of the present invention also provide an electronic device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the steps of any of the above method embodiments.
Optionally, the electronic device may further include a transmission device and an input/output device, each of which is connected to the processor.
Optionally, for specific examples in this embodiment, reference may be made to the examples described in the above embodiments and optional implementations; they are not repeated here.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented by a general-purpose computing device; they may be centralized on a single computing device or distributed across a network of multiple computing devices. Alternatively, they may be implemented as program code executable by a computing device, so that they may be stored in a storage device and executed by a computing device; in some cases the steps shown or described may be performed in an order different from that described herein. They may also be separately fabricated into individual integrated circuit modules, or several of them may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description covers only preferred embodiments of the present invention and is not intended to limit it; those skilled in the art may make various modifications and changes. Any modification, equivalent replacement, or improvement made within the principle of the present invention should fall within its protection scope.

Claims (14)

1. A method for monitoring abnormal requests of a malicious program, characterized in that it comprises the following steps:
monitoring, by using a micro-filter driver of a file system, whether a target event is received, wherein the target event is used for mapping the file content of a target file to a memory block;
under the condition that the target event is received, judging, by using the micro-filter driver, whether the target event meets a first preset condition;
allowing the target event to be executed under the condition that the target event does not meet the first preset condition;
under the condition that the target event meets the first preset condition, filtering the target event by using a target application, and determining whether to allow the target event to be executed according to a filtering result;
judging, in the background of the target application, whether the target event meets a second preset condition;
allowing the target event to be executed under the condition that the target event meets the second preset condition;
and determining, through an interface of the target application, whether the target event is allowed to be executed, under the condition that the target event does not meet the second preset condition.
2. The method according to claim 1, wherein the first preset condition is as follows:
the target application is already opened; and
the target event is used for requesting to newly build the memory block; and
the target event is used for requesting the target permission of the memory block; and
the file pointed to by the target file does not exist, or the file name of the file pointed to by the target file is not null, or the file name of the file pointed to by the target file is not obtained; and
the target event is initiated by an application layer; and
the current process is a system process.
3. The method according to claim 1, wherein the second preset condition is as follows:
the target file is a target system file or a dynamic library file; or
the target event was allowed to execute before a preset time interval; or
the target file has been signed by the operating system.
4. The method of claim 1, wherein the determining, via the interface of the target application, whether to allow the target event to be executed comprises:
receiving an input selection operation through an interface of the target application;
and determining whether the target event is allowed to be executed according to the selection operation.
5. The method of claim 4, wherein prior to determining whether to allow execution of the target event in accordance with the selection operation, the method further comprises:
judging whether the selection operation has still not been received once the preset time length has elapsed;
and forbidding the target event from being executed under the condition that the selection operation has not been received once the preset time length has elapsed.
6. The method of claim 1, wherein the monitoring, by using the micro-filter driver of the file system, whether the target event is received comprises:
receiving a call request sent by a client application through an application-layer interface;
and in response to the call request, monitoring, by using the micro-filter driver, whether the target event is received.
7. An event processing apparatus, comprising:
a monitoring module, configured to monitor, by using a micro-filter driver of a file system, whether a target event is received, wherein the target event is used for mapping the file content of a target file to a memory block;
a judging module, configured to judge, by using the micro-filter driver, whether the target event meets a first preset condition under the condition that the target event is received;
a logic module, configured to allow the target event to be executed under the condition that the target event does not meet the first preset condition;
a filtering module, configured to filter the target event by using a target application under the condition that the target event meets the first preset condition, and to determine whether the target event is allowed to be executed according to a filtering result;
wherein the filtering module comprises:
a first judgment unit, configured to judge, in the background of the target application, whether the target event meets a second preset condition;
a first logic unit, configured to allow the target event to be executed if the target event meets the second preset condition;
and a first determining unit, configured to determine, through an interface of the target application, whether the target event is allowed to be executed, under the condition that the target event does not meet the second preset condition.
8. The apparatus of claim 7, wherein the first preset condition is as follows:
the target application is already opened; and
the target event is used for requesting to newly build the memory block; and
the target event is used for requesting the target permission of the memory block; and
the file pointed to by the target file does not exist, or the file name of the file pointed to by the target file is not null, or the file name of the file pointed to by the target file is not obtained; and
the target event is initiated by an application layer; and
the current process is a system process.
9. The apparatus of claim 7, wherein the second preset condition is as follows:
the target file is a target system file or a dynamic library file; or
the target event was allowed to execute before a preset time interval; or
the target file has been signed by the operating system.
10. The apparatus according to claim 7, wherein the first determining unit comprises:
a receiving unit, configured to receive an input selection operation through an interface of the target application;
a second determination unit configured to determine whether to allow execution of the target event according to the selection operation.
11. The apparatus of claim 10, further comprising:
a second judgment unit, configured to judge, before it is determined according to the selection operation whether the target event is allowed to be executed, whether the selection operation has still not been received once the preset time length has elapsed;
and a second logic unit, configured to forbid execution of the target event under the condition that the selection operation has not been received once the preset time length has elapsed.
12. The apparatus of claim 7, wherein the monitoring module comprises:
a sending unit, configured to receive a call request sent by a client application through an application-layer interface;
and a monitoring unit, configured to respond to the call request by monitoring, with the micro-filter driver, whether the target event is received.
13. A storage medium, in which a computer program is stored, wherein the computer program is arranged to perform the method of any of claims 1 to 6 when executed.
14. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, and wherein the processor is arranged to execute the computer program to perform the method of any of claims 1 to 6.
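The two-stage decision that claims 1 to 6 (and the unit description in Example 2 above) lay out, written out as an added C example; this is not the patent's or the applicant's code, and every name, field and threshold in it is an assumption made for the illustration. The kernel stage models the micro-filter driver's check of the first preset condition on a request that maps a file into memory (on Windows that request reaches a minifilter as the pre-operation callback for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, whose parameters include the requested page protection; here those parameters are reduced to plain struct fields, and the claim's "target permission" is taken to mean execute access). The application stage models the background check of the second preset condition, the fallback to the operator through the application's interface, and the denial on timeout from claim 5. The preset interval (300 s), the preset time length (30 s), the clock values and the operator's answers are constructed inputs.

```c
#include <stdbool.h>
#include <stdio.h>
enum verdict { ALLOW = 0, DENY = 1 };

/* One "target event" as a minifilter pre-operation callback would see it.
 * Constructed view; field names are assumptions made for this illustration. */
struct target_event {
    const char *file_name;     /* NULL when the name could not be obtained */
    bool file_exists;
    bool new_section;          /* request creates a new memory block */
    bool execute_access;       /* assumed "target permission": execute */
    bool from_user_mode;       /* initiated by the application layer */
    bool in_system_process;    /* current process is the System process */
    bool system_or_dll;        /* target is a system file or dynamic library */
    bool os_signed;            /* file carries an operating-system signature */
    unsigned long long now_s;  /* event time in seconds (constructed clock) */
};

/* State held by the user-mode "target application". */
struct target_app {
    bool opened;
    bool has_prior_allow;
    unsigned long long prior_allow_s;    /* when this file was last allowed */
    unsigned long long allow_interval_s; /* "preset time interval", assumed */
    unsigned long long prompt_timeout_s; /* "preset time length", assumed */
};

/* The operator's answer from the application's interface, if one arrived. */
struct selection { bool received; bool allow; unsigned long long delay_s; };

/* Claim 2: every clause must hold. The file-name clause is read as "the file or
 * its name could not be resolved"; the translated claim is ambiguous there. */
bool first_condition(const struct target_event *ev, const struct target_app *app)
{
    return app->opened && ev->new_section && ev->execute_access
        && (!ev->file_exists || ev->file_name == NULL)
        && ev->from_user_mode && ev->in_system_process;
}

/* Claim 3: any one clause suffices; runs in the background with no prompt. */
bool second_condition(const struct target_event *ev, const struct target_app *app)
{
    bool recently_allowed = app->has_prior_allow
        && ev->now_s - app->prior_allow_s <= app->allow_interval_s;
    return ev->system_or_dll || recently_allowed || ev->os_signed;
}

/* Claims 1, 4 and 5: the kernel side passes through anything it does not flag;
 * the application allows on the background check or asks the operator. */
enum verdict process_event(const struct target_event *ev, struct target_app *app,
                           const struct selection *sel)
{
    if (!first_condition(ev, app))
        return ALLOW;
    if (second_condition(ev, app)) {
        app->has_prior_allow = true;   /* feeds the interval clause next time */
        app->prior_allow_s = ev->now_s;
        return ALLOW;
    }
    if (!sel->received || sel->delay_s > app->prompt_timeout_s)
        return DENY;               /* claim 5: no answer within the time limit */
    if (!sel->allow)
        return DENY;
    app->has_prior_allow = true;
    app->prior_allow_s = ev->now_s;
    return ALLOW;
}

/* Constructed scenarios. FLAGGED is an unresolvable file mapped with execute
 * access from the System process while the application is open. */
static const struct target_event FLAGGED =
    { NULL, false, true, true, true, true, false, false, 1000 };

enum verdict scenario_late_answer(void)      /* operator answered after 45 s */
{
    return process_event(&FLAGGED, &(struct target_app){ true, false, 0, 300, 30 },
                         &(struct selection){ true, true, 45 });
}

enum verdict scenario_recently_allowed(void) /* same file allowed 60 s ago */
{
    return process_event(&FLAGGED, &(struct target_app){ true, true, 940, 300, 30 },
                         &(struct selection){ false, false, 0 });
}

enum verdict scenario_data_mapping(void)     /* no execute access requested */
{
    struct target_event ev = FLAGGED;
    ev.execute_access = false;
    return process_event(&ev, &(struct target_app){ true, false, 0, 300, 30 },
                         &(struct selection){ false, false, 0 });
}

int main(void)
{
    printf("late=%d recent=%d data=%d (0=ALLOW 1=DENY)\n", scenario_late_answer(),
           scenario_recently_allowed(), scenario_data_mapping());
    return 0;
}
```

Two points of the design are worth noting for anyone reproducing the scheme. The kernel stage never blocks on its own: it only classifies, which is what keeps a misbehaving user-mode component from wedging section creation in the System process. And the "recently allowed" clause means an operator decision is cached for the interval, so the interval should be short enough that a later request for the same file name is not silently waved through on a stale answer.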
CN201811645682.6A 2018-12-29 2018-12-29 Event processing method and device, storage medium and electronic device Active CN109784041B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811645682.6A CN109784041B (en) 2018-12-29 2018-12-29 Event processing method and device, storage medium and electronic device

Publications (2)

Publication Number Publication Date
CN109784041A CN109784041A (en) 2019-05-21
CN109784041B true CN109784041B (en) 2020-10-16

Family

ID=66499640

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811645682.6A Active CN109784041B (en) 2018-12-29 2018-12-29 Event processing method and device, storage medium and electronic device

Country Status (1)

Country Link
CN (1) CN109784041B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113518055B (en) * 2020-04-09 2023-04-21 奇安信安全技术(珠海)有限公司 Data security protection processing method and device, storage medium and terminal
CN115509619A (en) * 2022-09-27 2022-12-23 深圳市广和通无线股份有限公司 Operating system event processing method, operating system, electronic device and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101227543A (en) * 2007-01-15 2008-07-23 株式会社理光 Information processing device, image processing apparatus, information processing method, and storage medium
CN102054142A (en) * 2011-01-28 2011-05-11 李清宝 Platform for simulating and training on hardware safety defects
CN103605930A (en) * 2013-11-27 2014-02-26 湖北民族学院 Double file anti-divulging method and system based on HOOK and filtering driving

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7844606B2 (en) * 2003-11-04 2010-11-30 Microsoft Corporation Legacy filter support in a new managed file system filter model
US8364984B2 (en) * 2009-03-13 2013-01-29 Microsoft Corporation Portable secure data files
US9355267B2 (en) * 2009-03-26 2016-05-31 The University Of Houston System Integrated file level cryptographical access control
CN101650768A (en) * 2009-07-10 2010-02-17 深圳市永达电子股份有限公司 Security guarantee method and system for Windows terminals based on auto white list
CN102567659B (en) * 2010-12-28 2014-12-24 河南省躬行信息科技有限公司 File security active protection method based on double-drive linkage
CN102523270B (en) * 2011-12-09 2015-05-13 成都东方盛行电子有限责任公司 Method for realizing cloud storage
CN102567670A (en) * 2011-12-28 2012-07-11 南京邮电大学 Filter drive encryption implementing method for file system
CN102819717B (en) * 2012-08-07 2015-07-22 北京奇虎科技有限公司 Method and device for carrying out protection processing on file
CN107609408B (en) * 2017-08-18 2020-07-28 成都索贝数码科技股份有限公司 Method for controlling file operation behavior based on filter driver

Also Published As

Publication number Publication date
CN109784041A (en) 2019-05-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Patentee after: Qianxin Safety Technology (Zhuhai) Co.,Ltd.

Patentee after: Qianxin Technology Group Co., Ltd

Address before: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Patentee before: 360 ENTERPRISE SECURITY TECHNOLOGY (ZHUHAI) Co.,Ltd.

Patentee before: Beijing Qianxin Technology Co., Ltd
