CN110659491B - Computer system recovery method, device, equipment and readable storage medium - Google Patents

Info

Publication number
CN110659491B
Application number
CN201910901645.5A
Authority
CN (China)
Prior art keywords
virus, registry, folder, information, computer system
Legal status
Active
Other languages
Chinese (zh)
Other versions
CN110659491A
Inventor
樊谦君
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN201910901645.5A
Publication of CN110659491A
Application granted
Publication of CN110659491B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files


Abstract

The invention discloses a computer system recovery method, which comprises the following steps: acquiring attribute information of each subdirectory in the disk root directory after the folder viruses are searched and killed; modifying the hidden attribute in the attribute information into a non-hidden attribute; deleting the registry keys containing malicious information in the registry to obtain a simplified registry; setting the value of each target registry key in the simplified registry to a preset legal value so as to recover the functions of the computer system. The method can restore the folder attributes modified by the folder viruses and repair the computer registry modified by the folder viruses, so as to solve the problem that the system functions are limited after infection by folder viruses. In addition, the invention also provides a computer system recovery device, equipment and a computer readable storage medium, which have the same beneficial effects.

Description

Computer system recovery method, device, equipment and readable storage medium
Technical Field
The present invention relates to the field of computer security, and in particular, to a method, an apparatus, a device, and a computer-readable storage medium for recovering a computer system.
Background
The folder virus, also called a folder worm, is a virus that disguises itself with a folder icon so that it is opened by a double-click and thereby copied; it has strong spreading capability and a wide variety of families.
The folder virus is usually transmitted through a channel such as a USB disk or file sharing, and is very common on computers in places such as schools and hospitals. After a computer is infected with the folder virus, the virus sets all folders to the hidden attribute, disguises itself as the original folders, and modifies part of the registry entries of the computer registry. It also copies itself into the root directory of a removable storage device such as a USB disk, taking the names of the folders under that root directory. Meanwhile, the non-hidden attribute of those folders is modified to the hidden attribute, so that the user runs the virus when opening a folder on the removable storage device, which achieves the purpose of copying and spreading. Existing security software, such as various antivirus products, can check and kill folder viruses, but cannot restore the functions of the computer system to normal; the functions of the computer system remain limited after the folder viruses are checked and killed.
Therefore, how to solve the problem that the computer system functions are limited due to the infection of the folder virus is a technical problem to be solved by those skilled in the art.
Disclosure of Invention
In view of the above, the present invention provides a computer system recovery method, apparatus, device and computer readable storage medium, which solve the problem of computer system function limitation caused by folder virus infection.
In order to solve the above technical problem, the present invention provides a computer system recovery method, including:
acquiring attribute information of each subdirectory in the disk root directory after the folder viruses are searched and killed;
modifying the hidden attribute in the attribute information into a non-hidden attribute;
deleting the registry key containing malicious information in the registry to obtain a simplified registry;
and setting the value of each target registry key in the simplified registry to a preset legal value so as to recover the functions of the computer system.
Optionally, the process of killing the folder virus includes:
acquiring virus information in a preset virus library;
detecting the disk by using the virus information and a preset matching rule to obtain the folder virus parent and the complete path of the folder virus;
acquiring the process tree having the complete path in the process list, terminating the process tree and deleting the folder virus parent;
and deleting the virus file generated by the folder virus parent.
Optionally, deleting the registry key containing the malicious information in the registry to obtain the simplified registry includes:
deleting the registry key containing malicious information in the registry to obtain a first registry;
and deleting the special registry key corresponding to the virus information in the first registry to obtain the simplified registry.
Optionally, deleting the registry key containing the malicious information in the registry to obtain the first registry, including:
and deleting the registry key containing the option information of forbidding opening the folder or the information of forbidding calling the system operation command in the registry to obtain the first registry.
Optionally, the detecting the disk by using the virus information and a preset matching rule to obtain a folder virus parent, and obtain a complete path of the folder virus, including:
matching the virus parent paths by using a fixed path matching rule, and judging whether files identical to the virus parent paths exist or not;
if the file with the same path as the virus parent body exists, verifying and matching the file by using a verification and matching rule;
when verification matching is successful, determining the file corresponding to the virus mother path as the folder virus mother, and determining the complete path as the virus mother path;
if the file with the same path as the virus parent path does not exist, verifying and matching the target file in the disk by using the verification and matching rule;
and when the verification and the matching are successful, determining that the target file is the folder virus parent, and determining that the path of the target file is the complete path.
Optionally, the performing verification matching on the file by using a verification matching rule includes:
and performing yara verification matching on the file by using a yara verification matching rule, and performing hash verification matching on the file by using a hash verification matching rule.
Optionally, modifying the hidden attribute in the attribute information to be a non-hidden attribute includes:
modifying the hidden attribute in the attribute information to a non-hidden attribute using a bat command.
The invention also provides a computer system recovery device, comprising:
the attribute information acquisition module is used for acquiring the attribute information of each subdirectory in the disk root directory after the folder viruses are searched and killed;
the attribute information modification module is used for modifying the hidden attribute in the attribute information into a non-hidden attribute;
the simplified registry acquisition module is used for deleting registry entries containing malicious information in the registry to obtain a simplified registry;
and the recovery module is used for setting the value of each target registry key in the simplified registry to a preset legal value so as to recover the functions of the computer system.
The invention also provides a computer system recovery device comprising a memory and a processor, wherein:
the memory for storing a computer program;
the processor is configured to execute the computer program to implement the computer system recovery method.
The invention also provides a computer readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the computer system recovery method described above.
Therefore, the method obtains the folder attribute of each subfolder after the folder viruses are killed, and modifies the hidden attribute into the non-hidden attribute to enable the folder attribute to be recovered to be normal; meanwhile, the registry key containing malicious information is deleted, and the registry key modified by the folder virus is repaired, so that the registry of the computer is recovered to be normal. After the folder attribute and the registry are recovered to be normal, the computer system function limited due to the infection of the folder virus can be recovered, namely the problem that the computer system function is limited due to the infection of the folder virus is solved.
In addition, the invention also provides a computer system recovery device, equipment and a computer readable storage medium, which also have the beneficial effects.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a computer system recovery method according to an embodiment of the present invention;
FIG. 2 is a flowchart of another computer system recovery method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram illustrating the operation principle of a folder virus according to an embodiment of the present invention;
FIG. 4 is a flowchart of another computer system recovery method according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a computer system recovery apparatus according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a computer system recovery apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The first embodiment is as follows:
referring to fig. 1, fig. 1 is a flowchart illustrating a computer system recovery method according to an embodiment of the present invention. The method comprises the following steps:
S101: and acquiring attribute information of each subdirectory in the disk root directory after the folder viruses are killed.
Specifically, after infection by the folder virus, the attribute of each subdirectory in the disk root directory is modified. Most existing security software has the capability of searching and killing folder viruses, so when a folder virus exists on a computer, it can be searched and killed by using security software such as stellar antivirus or 360 antivirus. After the folder virus is searched and killed, the attribute information of each subdirectory in the root directory of the disk is acquired.
S102: and modifying the hidden attribute in the attribute information into a non-hidden attribute.
And after the attribute information of each subdirectory is acquired, modifying the hidden attribute in the attribute information into the non-hidden attribute. The embodiment does not limit what manner to modify the hidden attribute into the non-hidden attribute, for example, a bat command, i.e., a batch command, may be used to modify the hidden attribute of the subdirectory into the non-hidden attribute; or the hidden attribute of the subdirectory can be modified to be a non-hidden attribute through the API interface.
S103: and deleting the registry key containing the malicious information in the registry to obtain the simplified registry.
And acquiring the computer registry, and detecting registry keys containing malicious information in the registry, namely malicious system policy items. Such registry keys may disable some computer system functions or modify some computer system settings, thereby preventing the computer system from functioning properly and facilitating the propagation of folder viruses. The embodiment does not limit the specific content of the malicious information, that is, the specific content of the malicious system policy item, which may be, for example, information prohibiting the opening of folder options, i.e., NoFolderOptions information; or information prohibiting calls to the system Run command, i.e., NoRun information. In this embodiment, a malicious system policy item list may be preset, each registry key in the registry is compared with the malicious system policy item list, and the detected malicious system policy items are deleted; or a legal registry key list can be preset, each registry key in the registry is compared with the legal registry key list, and registry keys which do not belong to the legal registry key list are deleted. After deleting the registry keys containing malicious information, the simplified registry is obtained.
S104: and setting the value of each target registry key in the simplified registry to a preset legal value so as to recover the functions of the computer system.
In this embodiment, target registry keys and their preset legal values are set in advance and are used to modify the values of the corresponding registry keys in the simplified registry. After the value of each target registry key in the simplified registry is set to its preset legal value, the computer system functions limited by the folder virus infection can be recovered. The embodiment does not limit the specific content and number of the target registry keys, which can be set according to the specific situation as long as the registry keys that folder viruses commonly modify are included. Since folder viruses of different families modify different registry keys, the number of registry keys modified also varies. Therefore, the larger the number of target registry keys, the slower the recovery operation and the higher the recovery success rate; the smaller the number of target registry keys, the faster the recovery operation and the lower the recovery success rate.
In this embodiment, the steps S101 and S102 may be collectively referred to as the attribute modification operation, and the steps S103 and S104 may be collectively referred to as the registry repair operation. The present embodiment does not limit the execution sequence of the attribute modification operation and the registry repair operation; for example, the attribute modification operation may be executed first and then the registry repair operation, or the registry repair operation may be performed first and then the attribute modification operation. In order to reduce the time required for the recovery of the computer system, it is preferable in the present embodiment to perform the attribute modification operation and the registry repair operation at the same time.
By applying the computer system recovery method provided by the embodiment of the invention, the folder attribute is recovered by acquiring the attribute information of each subdirectory in the disk root directory and modifying the hidden attribute in the attribute information into the non-hidden attribute; and then restoring the computer registry by deleting the registry key containing the malicious information and setting the value of each target registry key as a preset legal value. After the folder attribute and the registry information are recovered, the computer can recover to the state before the folder virus is infected, the computer system function can recover to be normal, and the problem that the computer system function is limited due to the infection of the folder virus is solved.
Example two:
In practical applications, because the virus families of folder viruses are various and the registry entries modified by folder viruses of different families differ, the method of the first embodiment can repair the folder attributes and the registry and thereby recover part of the computer system functions. However, some special registry entries corresponding to the virus family information cannot be detected, so the registry cannot be completely repaired and the functions of the computer system cannot be completely restored. Based on the first embodiment, the present embodiment provides a computer system recovery method that uses virus family information; please refer to fig. 2, which is a flowchart of another computer system recovery method according to an embodiment of the present invention, including:
S201: and acquiring virus information in a preset virus library.
In this embodiment, a preset virus library is provided, and virus information of folder viruses of different families is stored in it. The virus information may include virus family information and may further include at least one of a virus hash, a virus feature, and a virus parent path. By using the virus information, folder viruses of different virus families can be searched and killed more specifically, and a more specific recovery operation of the computer system is executed after the searching and killing.
S202: and detecting the disk by using the virus information and a preset matching rule to obtain the folder virus parent and the complete path of the folder virus.
Specifically, the file information of each file in the disk may be matched with the virus information in the preset virus library by using a preset matching rule, and when the information matching is successful, it is determined that the file information is the same as the virus information, that is, the file is a folder virus corresponding to the virus information and belongs to a virus family corresponding to the virus information. For the specific content of the file information, this embodiment is not limited, and may be path information, for example; or may be hash information. In this embodiment, the preset matching rule may include a fixed path matching rule and a verification matching rule. Referring to fig. 4, fig. 4 is a flowchart of another computer system recovery method according to an embodiment of the present invention, including:
S401: and matching the virus parent path by using a fixed path matching rule.
Specifically, referring to fig. 3, fig. 3 is a schematic diagram illustrating the working principle of a folder virus according to an embodiment of the present invention. After entering the computer, the parent of the folder virus automatically runs to generate a virus process. After the virus process runs, a folder virus body is generated, and a series of operations are carried out at the same time, such as hiding the original folders; modifying the registry of the computer; releasing the virus script for automatic start and self-copying; and performing anti-killing operations. After the folder virus body is generated, it automatically runs and copies the parent, so that the folder virus parent is not deleted and spreads further. Since the folder virus parent is always stored at a fixed position in the computer, the path of that fixed position is the virus parent path. The virus parent paths of folder viruses of different virus families also differ. For example, the virus parent path of the Worm.Win32.FakeFolder.USBINFO family is C:\Windows\system32\Drivers\USBInfo.com or C:\Windows\system32\ScarenSave.scr; the virus parent path of the Worm.Win32.FakeFolder.Pikachu family is %temp%\tuyen_tap_hai_2008.exe; \\phi hai cuc hay. The present embodiment does not limit the specific content of the fixed path matching rule, as long as the path matching operation can be performed to determine whether two paths are the same. Using the fixed path matching rule, step S402 may be performed, that is, it is determined whether a file identical to the virus parent path exists.
S402: and judging whether a file with the same path as the virus parent path exists or not.
And matching the virus parent path by using the fixed path matching rule, and thereby judging whether a file identical to the virus parent path exists. When the matching succeeds, namely a file with the same path as the virus parent path is determined to exist, step S405 is executed; when the matching fails, that is, it is determined that no file has a path identical to the virus parent path, the process proceeds to step S403. When the virus information of a certain virus family does not include a virus parent path, i.e. the virus parent path is empty, the matching with the path of any file cannot succeed, so the process proceeds to step S403.
S403: and carrying out verification matching on the target file in the disk by using a verification matching rule.
When no file in the disk is the same as the virus parent path of each virus family in the preset virus library, verification matching can be performed on the target file in the disk by using a verification matching rule. In this embodiment, each file in the disk may be verified and matched by using a verification matching rule, and the currently verified file is the target file. In this embodiment, specific content of the verification matching rule is not limited, and in order to ensure reliability of verification matching and improve capability of detecting a folder virus, it is preferable in this embodiment that yara verification matching rule may be used to perform yara verification matching on the feature of the target file and the virus features of each virus family in the preset virus library, and meanwhile, hash matching may be performed on hash of the target file and the virus hash of each virus family in the preset virus library by using hash verification matching rule.
S404: and when the verification and the matching are successful, determining that the target file is a folder virus parent and determining that the path of the target file is a complete path.
When the yara verification match passes, namely when the yara characteristic of the target file is the same as the virus characteristic of a certain virus family in the preset virus library; or when the hash verification matching is passed, namely when the hash of the target file is the same as the virus hash of a certain virus family in the preset virus library; or when both yara feature matching and hash matching pass, the target file can be determined to belong to the virus family corresponding to the matched virus feature or virus hash. The target file is the parent of the folder virus, and the path of the target file is the complete path.
S405: and carrying out verification matching on the file by utilizing a verification matching rule.
When a file exists in the disk and the virus parent path of a certain virus family in a preset virus library is the same, verification matching is carried out on the file by using a verification matching rule. In order to ensure the reliability of verification matching and improve the capability of detecting the folder virus, the embodiment may perform yara verification matching on the features of the target file and the virus features of each virus family in the preset virus library by using a yara verification matching rule, and may perform hash matching on the hash of the target file and the virus hashes of each virus family in the preset virus library by using a hash verification matching rule.
S406: and when the verification matching succeeds, determining that the file corresponding to the virus parent path is the folder virus parent, and determining that the complete path is the virus parent path.
When the yara verification matching passes, namely when the yara feature of the file is the same as the virus feature of a certain virus family in the preset virus library; or when the hash verification matching passes, namely when the hash of the file is the same as the virus hash of a certain virus family in the preset virus library; or when both yara feature matching and hash matching pass, it can be determined that the file belongs to the virus family corresponding to the virus feature or virus hash it matched. The file is the folder virus parent, and the path of the file, i.e. the virus parent path, is the complete path.
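As an added illustration, not code from the patent, the following Python models the matching flow of steps S401 to S406 over an in-memory stand-in for the disk and the preset virus library: fixed path matching first, verification matching (a yara-style feature check or a hash check) on any file found at a fixed path, and a verification scan of every file otherwise. The family names and fixed parent paths are those given above; the file contents, the hash and the byte-pattern features are constructed, and one generalization the text leaves open is made explicit: a file sitting at a fixed path that fails verification falls through to the full-disk scan.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class VirusInfo:
    """One entry of the preset virus library (S201)."""
    family: str
    parent_paths: List[str]   # fixed virus parent paths; may be empty for a family
    hashes: Set[str]          # SHA-256 hex digests of known parent bodies
    features: List[bytes]     # byte patterns standing in for a yara rule (constructed)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def yara_match(data: bytes, features: List[bytes]) -> bool:
    # Stand-in for yara verification matching: every feature pattern must be present.
    return bool(features) and all(f in data for f in features)


def hash_match(data: bytes, hashes: Set[str]) -> bool:
    # Hash verification matching against the family's known parent hashes.
    return sha256(data) in hashes


def verify(data: bytes, info: VirusInfo) -> bool:
    # Verification matching succeeds when yara matching or hash matching passes.
    return yara_match(data, info.features) or hash_match(data, info.hashes)


def norm_path(path: str) -> str:
    # Windows paths are case-insensitive; compare them in one canonical form.
    return path.replace("/", "\\").lower()


def locate_parent(disk: Dict[str, bytes], library: List[VirusInfo]) -> Optional[Tuple[str, str]]:
    """Return (family, complete path) of the folder virus parent, or None if nothing matches.

    disk maps a file path to that file's content (a constructed stand-in for reading the disk).
    """
    by_path = {norm_path(p): (p, data) for p, data in disk.items()}
    # S401/S402: fixed path matching against each family's virus parent path.
    for info in library:
        for parent_path in info.parent_paths:
            hit = by_path.get(norm_path(parent_path))
            # S405/S406: a file at the fixed path must still pass verification matching.
            if hit is not None and verify(hit[1], info):
                return info.family, hit[0]
    # S403/S404: no verified file at any fixed path (or the family has none):
    # run verification matching over every file; the file being checked is the target file.
    for path, data in disk.items():
        for info in library:
            if verify(data, info):
                return info.family, path
    return None


# Constructed sample data for a stand-alone run (not real malware samples).
SAMPLE_PARENT = b"MZ\x90\x00 FAKEFOLDER_MARKER ... copies itself, hides folders, autorun"
SAMPLE_CLEAN = b"quarterly report, nothing to see here"

LIBRARY = [
    VirusInfo(
        family="Worm.Win32.FakeFolder.USBINFO",
        parent_paths=[r"C:\Windows\system32\Drivers\USBInfo.com",
                      r"C:\Windows\system32\ScarenSave.scr"],
        hashes={sha256(SAMPLE_PARENT)},
        features=[b"FAKEFOLDER_MARKER", b"autorun"],
    ),
    VirusInfo(
        family="Worm.Win32.FakeFolder.Pikachu",
        parent_paths=[r"%temp%\tuyen_tap_hai_2008.exe"],
        hashes=set(),
        features=[b"PIKACHU_MARKER"],   # constructed pattern
    ),
]

if __name__ == "__main__":
    disk = {
        r"C:\Windows\system32\Drivers\USBInfo.com": SAMPLE_PARENT,
        r"C:\Users\alice\report.txt": SAMPLE_CLEAN,
    }
    print(locate_parent(disk, LIBRARY))
```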
S203: and acquiring the process tree having the complete path in the process list, terminating the process tree and deleting the folder virus parent.
And acquiring the process tree formed by all processes having the complete path in the process list, closing all processes having the complete path to terminate the process tree, and deleting the folder virus parent, so as to avoid the killing failing because the folder virus parent is copied again.
S204: and deleting the virus files generated by the folder virus parent.
After the process tree is terminated and the folder virus parent is deleted, the virus files generated by the folder virus parent across the whole disk, such as virus scripts, can be deleted; or the EXE virus files under the disk root directory that have the same name as each subdirectory. The folder virus parents of some virus families also release other fixed path files, such as special virus registry files. In this embodiment, the virus information in the preset virus library may include the paths of such other fixed path files, and these paths may be acquired and used to delete them.
S205: and acquiring attribute information of each subdirectory in the disk root directory after the folder viruses are killed.
After the virus file is deleted, the attribute information of each subdirectory in the root directory of the disk can be obtained by using the bat command.
S206: and modifying the hidden attribute in the attribute information into a non-hidden attribute.
And after the attribute information of each subdirectory is acquired, modifying the hidden attribute in the attribute information into the non-hidden attribute. Since the bat command has the advantage of fast execution speed, the present embodiment can use the following bat command (run from the disk root directory; %%i is the form used inside a .bat file, %i at an interactive prompt):
rem remove any existing desktop.ini, whatever its attributes, so it can serve as a scratch list
if exist desktop.ini del /f /a /q desktop.ini
rem write the bare names of every subdirectory, hidden ones included, into the scratch list
dir /a:d /b > desktop.ini
rem for each listed subdirectory, clear the system (-s) and hidden (-h) attributes
for /f "usebackq tokens=*" %%i in (desktop.ini) do if exist "%%i" (attrib -s -h "%%i")
rem remove the scratch list
del /f /a /q desktop.ini
to modify the hidden attribute of each subdirectory to a non-hidden attribute.
S207: and deleting the registry key containing the malicious information in the registry to obtain the simplified registry.
The computer registry is obtained, and registry keys containing malicious information, namely malicious system policy items, are detected in it to obtain the first registry. The embodiment does not limit the specific content of the malicious information, that is, the specific content of the malicious system policy item, which may be, for example, information prohibiting the opening of folder options, i.e., NoFolderOptions information; or information prohibiting calls to the system Run command, i.e., NoRun information. In this embodiment, the instruction "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" --> "DisableTaskmgr" may be used to delete the registry key named DisableTaskmgr, i.e., the registry key carrying DisableTaskmgr information; the instruction "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" --> "NoRun" may be used to delete the registry key named NoRun, i.e., the registry key carrying NoRun information; and the instruction "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" --> "NoFolderOptions" may be used to delete the registry key named NoFolderOptions, i.e., the registry key carrying NoFolderOptions information.
In this embodiment, after obtaining the first registry, the virus family information stored in the preset virus library may be used to determine which special registry keys corresponding to the virus information the folder virus of each family adds to the registry, that is, the special registry keys specific to that virus family. The special registry keys corresponding to the virus information are then deleted from the first registry to obtain the simplified registry. For example, the "scansaveout" registry key with the path "HKEY_CURRENT_USER\Control Panel\Desktop" --> "scansaveout" may be deleted; the "SCRNSAVE.EXE" registry key with the path "HKEY_CURRENT_USER\Control Panel\Desktop" --> "SCRNSAVE.EXE" may be deleted; the "@" registry key with the path "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" --> "@" may be deleted; the "@" registry key with the path "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" --> "@" may be deleted; and the "@" registry key with the path "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" --> "@" may be deleted.
S208: and setting the value of each target registry key in the simplified registry key to be a preset legal value so as to recover the functions of the computer system.
In this embodiment, the target registry key and its predetermined legal value are predetermined and used to modify the value of the corresponding registry key in the reduced registry key. After the value of each target registry key in the simplified registry is set as a preset legal value, the computer system function limited by the infection of the folder virus can be recovered. For example, the value of the registry key HideFileExt may be set to 0 using the instruction "HKEY _ CURRENT _ USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced" - > "HideFileExt" - - > REG _ DWORD "- > 0; setting the value of the registry key ShowSuperHidden to be 1 by using an instruction of 'HKEY _ CURRENT _ USER \ Software \ Microsoft \ Windows \ Currentversion \ Explorer \ Advanced "- >' ShowSuperHidden" - - > REG _ DWORD- - > 1; setting the value of the registry key Hidden to be 1 by using an instruction of 'HKEY _ CURRENT _ USER \ Software \ Microsoft \ Windows \ Currentversion \ Explorer \ Advanced "- >' Hidden" - - > REG _ DWORD- - > 1; the value of registry key Checkdvalue is set to 1 using the "HKEY _ LOCAL _ MACHINE \ Software \ Microsoft \ Windows \ Currentversion \ Explorer \ Advanced \ Folder \ Hidden \ SHOWALL" - > "Checkdvalue" - > REG _ DWORD- - >1 instruction.
After deleting the registry key containing malicious information and the special registry key corresponding to the virus information, the registry key modified by the folder virus is set as a preset legal value, so that the registry can be completely repaired, and the problem that partial functions of the computer system are limited due to the fact that the registry cannot be completely repaired is solved.
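The two registry passes above (S206, deleting the malicious policy entries and then the family-specific entries; S208, forcing the target entries to their preset legal values) can be worked through offline on a `reg export` of the infected hive. The following Python is an added example written for this page, not code from the patent or from Sangfor: the key and value names are the ones listed above (with the garbled spellings normalized to the real value names), the sample export is constructed, and the output is a list of reg.exe commands to review before running them on the infected machine.

```python
"""Plan the registry repair of S206 and S208 from an offline `reg export` file.
Added example, not the patent's code; key and value names are the ones the page
lists, the sample export is constructed."""

POL_SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POL_EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SHOWALL = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
HKLM_RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# S206, first pass: malicious system-policy values.
MALICIOUS_POLICY_VALUES = (
    (POL_SYSTEM, "DisableTaskMgr"),
    (POL_EXPLORER, "NoRun"),
    (POL_EXPLORER, "NoFolderOptions"),
)
# S206, second pass: family-specific values from the virus library ("@" is the default value).
FAMILY_VALUES = (
    (r"HKEY_CURRENT_USER\Control Panel\Desktop", "SCRNSAVE.EXE"),
    (HKLM_RUN, "@"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce", "@"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce", "@"),
)
# S208: target values and their preset legal values (all REG_DWORD).
TARGET_LEGAL_VALUES = {
    (ADVANCED, "HideFileExt"): 0,
    (ADVANCED, "ShowSuperHidden"): 1,
    (ADVANCED, "Hidden"): 1,
    (SHOWALL, "CheckedValue"): 1,
}

# Constructed `reg export` output of an infected profile (not a real capture).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoFolderOptions"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\Control Panel\Desktop]
"SCRNSAVE.EXE"="C:\\Windows\\system\\svchost.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\Windows\\system\\svchost.exe"
"Updater"="C:\\Tools\\updater.exe"
"""

def parse_reg_export(text):
    """Regedit 5 export -> {key: {value_name: data}}; dword -> int, strings
    unescaped, '@' is the default value. Other value types are kept raw."""
    snapshot, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            snapshot.setdefault(key, {})
        elif key and "=" in line and not line.startswith(";"):
            name, _, raw = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if raw.startswith("dword:"):
                snapshot[key][name] = int(raw[6:], 16)
            else:
                snapshot[key][name] = raw.strip('"').replace("\\\\", "\\")
    return snapshot

def _find(snapshot, key, name):
    """Case-insensitive lookup (the registry is); -> (stored key, stored name, data)."""
    for k, values in snapshot.items():
        if k.lower() == key.lower():
            for n, data in values.items():
                if n.lower() == name.lower():
                    return k, n, data
            return k, name, None
    return key, name, None

def reg_delete(key, name):
    """reg.exe command deleting one value; /ve addresses the default value."""
    return f'reg delete "{key}" {"/ve" if name == "@" else "/v " + name} /f'

def plan_registry_repair(snapshot, family_values=FAMILY_VALUES):
    """-> (reduced snapshot, reg.exe commands): S206 deletions, then S208 fixes."""
    reduced = {k: dict(v) for k, v in snapshot.items()}
    commands = []
    for key, name in MALICIOUS_POLICY_VALUES + tuple(family_values):
        k, n, data = _find(reduced, key, name)
        if data is not None:                  # delete only what is present
            del reduced[k][n]
            commands.append(reg_delete(k, n))
    for (key, name), legal in TARGET_LEGAL_VALUES.items():
        k, n, data = _find(reduced, key, name)
        if data != legal:                     # force the preset legal value
            reduced.setdefault(k, {})[n] = legal
            commands.append(f'reg add "{k}" /v {n} /t REG_DWORD /d {legal} /f')
    return reduced, commands
```

`plan_registry_repair(parse_reg_export(open("out.reg", encoding="utf-16").read()))` produces the command list for a real export (`reg export` writes UTF-16 with a BOM), and running it again on the reduced snapshot yields no commands, which is a cheap check that the repair is complete. Deleting only the values the virus library names, rather than the whole Policies keys, is what keeps legitimately deployed policies such as NoDriveTypeAutoRun in place.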
By applying the computer system recovery method provided by the embodiment of the invention, the file folder virus parent can be accurately positioned and killed by using the virus information in the preset virus library. Meanwhile, after virus checking and killing are finished, the folder attributes modified by the folder viruses are restored, namely the hidden attributes of all subfolders in the magnetic packing directory are modified into non-hidden attributes; and the computer registry which is modified by the folder virus is completely repaired by utilizing the virus information, and the computer registry is repaired to be in a state before the folder virus is infected. After the folder attribute and the registry are modified, the functions of the computer system can be completely recovered, and the problem that partial functions of the computer system are limited due to the fact that the registry cannot be completely repaired is solved.
Example three:
in the following, the computer system recovery apparatus provided by the embodiment of the present invention is introduced; the apparatus described below and the computer system recovery method described above correspond to each other and may be cross-referenced.
Referring to fig. 5, fig. 5 is a schematic structural diagram of a computer system recovery apparatus according to an embodiment of the present invention, including:
the attribute information acquisition module 100 is configured to acquire the attribute information of each subdirectory in the disk root directory after the folder virus has been detected and removed;
an attribute information modification module 200, configured to modify the hidden attribute in the attribute information to a non-hidden attribute;
the simplified registry obtaining module 300 is configured to delete the registry entries containing malicious information from the registry to obtain the simplified registry;
a restoring module 400, configured to set the value of each target registry entry in the simplified registry to its preset legal value, so as to restore the computer system functions.
Optionally, the apparatus further includes:
the virus information acquisition module, used to acquire virus information from a preset virus library;
the complete path and virus parent acquisition module, used to detect the disk using the virus information and a preset matching rule to obtain the folder virus parent and the complete path of the folder virus;
the virus parent deletion module, used to acquire from the process list the process tree having the complete path, end the process tree and delete the folder virus parent;
and the virus file deletion module, used to delete the virus files generated by the folder virus parent.
Optionally, the simplified registry obtaining module 300 includes:
the first acquisition unit, used to delete the registry entries containing malicious information from the registry to obtain the first registry;
and the second acquisition unit, used to delete the family-specific registry entries corresponding to the virus information from the first registry to obtain the simplified registry.
Optionally, the first acquisition unit includes:
the registry acquisition subunit, used to delete from the registry the entries containing the information that prohibits opening Folder Options (NoFolderOptions) and the information that prohibits calling the system Run command (NoRun), to obtain the first registry.
Optionally, the complete path and virus parent acquisition module includes:
the judging unit, used to match the virus parent path using the fixed path matching rule and judge whether a file identical to the virus parent path exists;
the first verification unit, used to verify and match that file using the verification matching rule if a file with the same path as the virus parent path exists;
the first determining unit, used to determine, when the verification matching succeeds, that the file at the virus parent path is the folder virus parent and that the complete path is the virus parent path;
the second verification unit, used to verify and match the target files on the disk using the verification matching rule if no file with the same path as the virus parent path exists;
and the second determining unit, used to determine, when the verification matching succeeds, that the target file is the folder virus parent and that the path of the target file is the complete path.
Optionally, the first verification unit includes:
the verification subunit, used to perform yara verification matching on the file using the yara verification matching rule and hash verification matching on the file using the hash verification matching rule.
Optionally, the attribute information modification module 200 includes:
a batch command modification unit, configured to modify the hidden attribute in the attribute information to a non-hidden attribute using a .bat command.
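The complete path and virus parent acquisition module, its two verification units and the process tree step of the virus parent deletion module can be exercised with the following Python, an added example for this page rather than code from the patent or the assignee. The virus-library record (family name, fixed path, rule strings and hash), the file trees and the process list are all constructed; a byte-string rule stands in for the yara rule so the example runs without yara-python installed, and the example assumes that verification succeeds only when both the rule and the hash match, a combination the page does not state.

```python
"""Locate and verify the folder-virus parent as claims 4 and 5 describe.
Added example, not the patent's code. The virus-library record, file trees and
process list are constructed; a byte-string rule stands in for the yara rule."""
import hashlib
import ntpath

# Constructed parent body carrying strings typical of a folder virus, plus a
# repacked variant that the rule still hits but whose hash differs.
PARENT_BYTES = (b"MZ\x90\x00" + b"\x00" * 16
                + b"attrib +s +h\x00autorun.inf\x00[autorun]\nopen=\x00")
VARIANT_BYTES = PARENT_BYTES + b"\x00repacked-variant"

# One virus-information record; family name and fixed path are hypothetical.
VIRUS_INFO = {
    "family": "FolderVirus.Demo",
    "fixed_path": r"C:\Windows\system\svchost.exe",
    "rule_strings": (b"attrib +s +h", b"autorun.inf", b"[autorun]"),
    "rule_min_hits": 2,                           # like yara's "2 of them"
    "sha256": hashlib.sha256(PARENT_BYTES).hexdigest(),
}

def rule_match(data, info):
    """Stand-in for the yara check: enough of the rule strings occur in the file."""
    hits = sum(1 for s in info["rule_strings"] if s in data)
    return hits >= info["rule_min_hits"]

def hash_match(data, info):
    """The hash check: exact SHA-256 of the known parent."""
    return hashlib.sha256(data).hexdigest() == info["sha256"]

def verify(data, info):
    """Verification matching. Assumption: both checks must pass; the page does
    not say how the yara and hash results are combined."""
    return rule_match(data, info) and hash_match(data, info)

def locate_parent(files, info):
    """Return the complete path of the folder-virus parent, or None.
    `files` maps Windows paths to contents (constructed here; a real tool walks
    the disk). Windows paths compare case-insensitively."""
    wanted = ntpath.normcase(info["fixed_path"])
    for path, data in files.items():              # fixed-path matching rule
        if ntpath.normcase(path) == wanted:
            if verify(data, info):
                return path
            break     # present but not verified: fall back to the scan (assumption)
    for path, data in files.items():              # verify every target file on disk
        if verify(data, info):
            return path
    return None

def process_tree(processes, full_path):
    """PIDs of every process whose image is the complete path; the page defines
    the process tree as exactly this set."""
    wanted = ntpath.normcase(full_path)
    return [p["pid"] for p in processes if ntpath.normcase(p["image"]) == wanted]

# Constructed inputs: the parent at its fixed path, and a disk where it was
# instead copied next to the documents it hides.
FILES_FIXED = {
    r"C:\Windows\system\svchost.exe": PARENT_BYTES,
    r"D:\Docs\report.docx": b"PK\x03\x04constructed document",
}
FILES_MOVED = {
    r"D:\Docs\report.docx": b"PK\x03\x04constructed document",
    r"E:\Photos\Photos.exe": VARIANT_BYTES,       # rule hits, hash differs
    r"D:\Docs\Docs.exe": PARENT_BYTES,            # the relocated parent
}
PROCESSES = [
    {"pid": 1234, "image": r"C:\Windows\System\SVCHOST.EXE"},    # parent, case differs
    {"pid": 1240, "image": r"C:\Windows\System32\svchost.exe"},  # legitimate service host
    {"pid": 1302, "image": r"C:\Windows\system\svchost.exe"},    # second parent instance
]

if __name__ == "__main__":
    found = locate_parent(FILES_FIXED, VIRUS_INFO)
    print(found, process_tree(PROCESSES, found))
```

Which file the scan reports shows why both checks are kept: Photos.exe matches the rule (a yara-only match would flag it) but not the hash, so under the both-must-match reading it is not reported as the parent, while Docs.exe is. A deployment that wants to catch repacked variants would relax the hash check and accept the rule match alone; the process tree lookup is what prevents the legitimate System32 svchost.exe from being ended along with the two parent instances.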
Example four:
in the following, the computer system recovery device provided by the embodiment of the present invention is introduced; the device described below and the computer system recovery method described above correspond to each other and may be cross-referenced.
Referring to fig. 6, fig. 6 is a schematic structural diagram of a computer system recovery device according to an embodiment of the present invention. The computer system recovery device 700 may include a processor 701 and a memory 702, and may further include one or more of a multimedia component 703, an information input/information output (I/O) interface 704, and a communication component 705.
The processor 701 is configured to control the overall operation of the computer system recovery device 700 so as to complete all or part of the steps of the computer system recovery method; the memory 702 stores the various types of data that support the operation of the device 700, for example the instructions of any application or method running on the device 700 and application-related data such as the preset legal value of each target registry entry. The memory 702 may be implemented by any type or combination of volatile and non-volatile memory devices, such as one or more of static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, or a magnetic or optical disk.
The multimedia component 703 may include a screen and an audio component. The screen may be, for example, a touch screen, and the audio component is used for outputting and/or inputting audio signals; for example, the audio component may include a microphone for receiving external audio signals, and the received audio signal may further be stored in the memory 702 or transmitted through the communication component 705. The audio component also includes at least one speaker for outputting audio signals. The I/O interface 704 provides an interface between the processor 701 and other interface modules such as a keyboard, mouse and buttons; the buttons may be virtual or physical. The communication component 705 is used for wired or wireless communication between the computer system recovery device 700 and other devices. The wireless communication may be, for example, Wi-Fi, Bluetooth, near field communication (NFC), 2G, 3G or 4G, or a combination of one or more of them, so the corresponding communication component 705 may include a Wi-Fi part, a Bluetooth part and an NFC part.
The computer system recovery device 700 may be implemented by one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays (FPGAs), controllers, microcontrollers, microprocessors or other electronic components, and is used to perform the computer system recovery method provided by the above embodiments.
Example five:
the following describes the computer-readable storage medium provided by the embodiment of the present invention; the storage medium described below and the computer system recovery method described above correspond to each other and may be cross-referenced.
The present invention also provides a computer readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the steps of the computer system recovery method described above.
The computer-readable storage medium may include: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it should also be noted that, herein, relational terms such as first and second are used only to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Also, the terms "comprise", "include" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that includes a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to such process, method, article or apparatus.
The computer system recovery method, apparatus, device and computer-readable storage medium provided by the present invention are described in detail above, and a specific example is applied in the present disclosure to explain the principle and the implementation of the present invention, and the description of the above embodiment is only used to help understanding the method and the core idea of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (9)

1. A computer system recovery method, comprising:
acquiring attribute information of each subdirectory in the disk root directory after the folder virus has been detected and removed;
modifying the hidden attribute in the attribute information into a non-hidden attribute;
deleting the registry keys containing malicious information from the registry to obtain a simplified registry;
setting the value of each target registry key in the simplified registry to a preset legal value, according to preset target registry keys and their corresponding preset legal values, so as to recover the functions of the computer system;
wherein the process of detecting and removing the folder virus comprises the following steps:
acquiring virus information from a preset virus library;
detecting the disk using the virus information and a preset matching rule to obtain the folder virus parent and the complete path of the folder virus;
acquiring from the process list the process tree having the complete path, ending the process tree and deleting the folder virus parent, the process tree being formed by all processes in the process list having the complete path;
and deleting the virus files generated by the folder virus parent.
2. The computer system recovery method according to claim 1, wherein deleting the registry keys containing malicious information from the registry to obtain a simplified registry comprises:
deleting the registry keys containing malicious information from the registry to obtain a first registry;
and deleting the family-specific registry keys corresponding to the virus information from the first registry to obtain the simplified registry.
3. The computer system recovery method according to claim 2, wherein deleting the registry keys containing malicious information from the registry to obtain a first registry comprises:
deleting from the registry the registry keys containing information prohibiting opening Folder Options or information prohibiting calling the system Run command, to obtain the first registry.
4. The computer system recovery method according to claim 1, wherein detecting the disk using the virus information and a preset matching rule to obtain the folder virus parent and the complete path of the folder virus comprises:
matching the virus parent path using a fixed path matching rule, and judging whether a file identical to the virus parent path exists;
if a file with the same path as the virus parent path exists, verifying and matching the file using a verification matching rule;
when the verification matching succeeds, determining the file at the virus parent path to be the folder virus parent and the complete path to be the virus parent path;
if no file with the same path as the virus parent path exists, verifying and matching the target files on the disk using the verification matching rule;
and when the verification matching succeeds, determining the target file to be the folder virus parent and the path of the target file to be the complete path.
5. The computer system recovery method of claim 4, wherein verifying and matching the file using a verification matching rule comprises:
performing yara verification matching on the file using a yara verification matching rule, and performing hash verification matching on the file using a hash verification matching rule.
6. The computer system recovery method of any one of claims 1 to 5, wherein modifying the hidden attribute in the attribute information to be a non-hidden attribute comprises:
modifying the hidden attribute in the attribute information to a non-hidden attribute using a bat command.
7. A computer system recovery apparatus, comprising:
an attribute information acquisition module, used to acquire the attribute information of each subdirectory in the disk root directory after the folder virus has been detected and removed;
an attribute information modification module, used to modify the hidden attribute in the attribute information into a non-hidden attribute;
a simplified registry acquisition module, used to delete the registry keys containing malicious information from the registry to obtain a simplified registry;
a recovery module, used to set the value of each target registry key in the simplified registry to a preset legal value, according to preset target registry keys and their corresponding preset legal values, so as to recover the functions of the computer system;
a virus information acquisition module, used to acquire virus information from a preset virus library;
a complete path and virus parent acquisition module, used to detect the disk using the virus information and a preset matching rule to obtain the folder virus parent and the complete path of the folder virus;
a virus parent deletion module, used to acquire from the process list the process tree having the complete path, end the process tree and delete the folder virus parent, the process tree being formed by all processes in the process list having the complete path;
and a virus file deletion module, used to delete the virus files generated by the folder virus parent.
8. A computer system recovery device comprising a memory and a processor, wherein:
the memory for storing a computer program;
the processor for executing the computer program to implement the computer system recovery method of any one of claims 1 to 6.
9. A computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the computer system recovery method of any one of claims 1 to 6.
CN201910901645.5A 2019-09-23 2019-09-23 Computer system recovery method, device, equipment and readable storage medium Active CN110659491B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910901645.5A 2019-09-23 2019-09-23 Computer system recovery method, device, equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN110659491A 2020-01-07
CN110659491B 2022-04-29

Family ID: 69039180

Country Status (1)

Country Link
CN (1) CN110659491B

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112306725A (en) * 2020-09-11 2021-02-02 神州融安科技(北京)有限公司 Program repair method and device, electronic equipment and computer readable storage medium
CN113032783B (en) * 2021-03-11 2024-03-19 北京顶象技术有限公司 Virus detection method and system based on non-code characteristics
CN114692151B (en) * 2022-04-08 2023-07-18 成都理工大学 USB flash disk virus discovery method and application tool thereof

Citations (2)

Publication number Priority date Publication date Assignee Title
CN106295339A * 2016-07-28 2017-01-04 韦春 Method for identifying a file virus
CN107688743A * 2017-08-14 2018-02-13 北京奇虎科技有限公司 Method and system for determining a malicious program

Family Cites Families (9)

Publication number Priority date Publication date Assignee Title
EP1784725A1 * 2004-08-03 2007-05-16 Softricity, Inc. System and method for controlling inter-application association through contextual policy control
US7934261B1 * 2007-06-13 2011-04-26 Trend Micro, Inc. On-demand cleanup system
CN101788915A * 2010-02-05 2010-07-28 北京工业大学 White list updating method based on trusted process tree
CN102103676B * 2011-02-28 2013-09-25 南京邮电大学 Method for protecting Java program processes based on the inheritance relationship among processes
CN102163161B * 2011-04-01 2018-09-25 奇智软件(北京)有限公司 Process management method and device
CN103618626A * 2013-11-28 2014-03-05 北京奇虎科技有限公司 Method and system for generating a security analysis report on the basis of logs
CN105608377A * 2015-12-24 2016-05-25 国家电网公司 Information system process safety management system and management method
CN105930739B * 2016-04-14 2019-07-23 珠海豹趣科技有限公司 Method and terminal for preventing a file from being deleted
CN106657102A * 2016-12-29 2017-05-10 北京奇虎科技有限公司 LAN-based threat processing method and device


Non-Patent Citations (2)

Title
Sun Guoqing, "Emergency recovery method for the computer operating system registry" (计算机操作系统注册表紧急恢复方法), Zhejiang Modern Educational Technology (浙江现代教育技术), 2002-08-28, section 2 of the main text. *
Wu Yinjiao, "Manual detection and removal of the 'folder virus'" (手动查杀"文件夹病毒"), Network Administrator World (网管员世界), 2012-07-31, pp. 108-110. *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant