CN111191227A - Method and device for preventing malicious code from executing - Google Patents

Method and device for preventing malicious code from executing

Info

Publication number: CN111191227A
Authority: CN (China)
Prior art keywords: code, target, preset, memory address, calling
Legal status: Granted
Application number: CN201910663153.7A
Other languages: Chinese (zh)
Other versions: CN111191227B (en)
Inventor: 焦晴阳
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201910663153.7A
Publication of CN111191227A
Application granted
Publication of CN111191227B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The application discloses a method for preventing malicious code from being executed, in the field of internet technology. The method comprises the following steps: receiving a browser homepage locking instruction input by a user; starting to monitor browser process creation events; after a browser process is observed to be created, when a preset trigger event for triggering a code call is detected, acquiring the target memory address at which the code call is made; acquiring the target code stored at the target memory address; and determining, based on a malicious code library, whether the target code is malicious code, and preventing the target code from being executed once it is determined to be malicious. With this method and device, malicious applications can be effectively prevented from tampering with the browser homepage.

Description

Method and device for preventing malicious code from executing
Technical Field
The present application relates to the field of internet technologies, and in particular, to a method and an apparatus for preventing malicious code from being executed.
Background
Browsers are among the applications people use most frequently. Some malicious applications tamper with the browser homepage by various technical means so as to display promotional content on it and profit from doing so.
A common way for a malicious application to tamper with the browser homepage is as follows. The malicious application's process writes its homepage tampering function module into the browser process by imitating what the LoadLibrary function does when a module is loaded into memory (LoadLibrary writes a function module into a target process by means of a system call). Executable shellcode is then inserted into the browser process to call the written homepage tampering module. Because the browser process's module list records only the browser's own function modules, and not the module written by the malicious application, the security application cannot discover the homepage tampering module simply by querying that list.
A tampered browser homepage gives users a poor experience, yet at present there is no effective countermeasure against this tampering technique. Therefore, in order to provide users with a good browsing environment, a method that effectively prevents malicious applications from tampering with the browser homepage is needed.
Disclosure of Invention
The embodiment of the application provides a method for preventing malicious code from being executed, which can solve the problem of malicious applications tampering with the browser homepage. The technical scheme is as follows:
in a first aspect, a method for preventing malicious code from executing is provided, the method comprising:
receiving a browser homepage locking instruction input by a user;
starting to monitor the establishment event of the browser process;
after the browser process is monitored to be established, when a preset trigger event for triggering code calling is detected, acquiring a target memory address for carrying out the code calling;
acquiring a target code stored in the target memory address;
determining whether the target code is malicious code based on a malicious code library, and preventing the target code from being executed after determining that the target code is malicious code.
Optionally, the obtaining a target memory address for performing the code call when a preset trigger event for triggering the code call is detected includes:
when a first instruction for establishing a first thread in the browser process is received, a target memory address corresponding to the first instruction and used for calling a thread initial execution code is obtained.
Optionally, the obtaining a target memory address for performing the code call when a preset trigger event for triggering the code call is detected includes:
when a second instruction for calling the APC function in the browser process is received, acquiring a first parameter in an APC function calling statement corresponding to the second instruction, wherein the first parameter is a target memory address to which a code to be called by the APC function belongs.
Optionally, after monitoring that the browser process is established, and when a preset trigger event for triggering code invocation is detected, acquiring a target memory address for performing the code invocation, the method further includes:
determining that the memory type of the target memory address is a preset memory type and that its memory state is a preset memory state, where the preset memory type and the preset memory state are the memory type and memory state of memory allocated across processes.
Optionally, the preventing the target code from executing includes:
modifying the target code into a preset code, where the preset code comprises a return statement that returns a preset value.
In another aspect, an apparatus for preventing malicious code from executing is provided, the apparatus comprising:
the receiving module is used for receiving a browser homepage locking instruction input by a user;
the monitoring module is used for starting to monitor the establishment event of the browser process;
the detection module is used for acquiring a target memory address for code calling when a preset trigger event for triggering code calling is detected after the browser process is monitored to be established;
an obtaining module, configured to obtain a target code stored in the target memory address;
a blocking module, configured to determine whether the target code is malicious code based on a malicious code library, and to block the target code from being executed after the target code is determined to be malicious code.
Optionally, the detection module is configured to:
when a first instruction for establishing a first thread in the browser process is received, a target memory address corresponding to the first instruction and used for calling a thread initial execution code is obtained.
Optionally, the detection module is configured to:
when a second instruction for calling the APC function in the browser process is received, acquiring a first parameter in an APC function calling statement corresponding to the second instruction, wherein the first parameter is a target memory address to which a code to be called by the APC function belongs.
Optionally, the apparatus further includes:
a determining module, configured to determine that the memory type of the target memory address is a preset memory type and that its memory state is a preset memory state, where the preset memory type and the preset memory state are the memory type and memory state of memory allocated across processes.
Optionally, the preventing module is configured to:
modifying the target code into a preset code, where the preset code comprises a return statement that returns a preset value.
A third aspect is a computer device, comprising a processor and a memory, wherein the memory stores at least one instruction, and the instruction is loaded and executed by the processor to implement the operation performed by the method for preventing malicious code from executing according to the first aspect.
A fourth aspect is a computer-readable storage medium having at least one instruction stored therein, the instruction being loaded and executed by a processor to implement the operations performed by the method for preventing malicious code from executing according to the first aspect.
The technical scheme provided by the embodiment of the application has the following beneficial effects:
After the user's browser homepage locking instruction is received, browser process creation events are continuously monitored. After a browser process is observed to be created, when a preset trigger event for triggering a code call is detected, the target memory address at which the code call is made is obtained. The code to be called by the preset trigger event may be code written by a malicious application for calling the homepage tampering function module. Once the memory address storing that code is known, the target code stored there can be read. The target code is then matched against the malicious code library to determine whether it is malicious, and if so, it can be prevented from executing by technical means, so that the malicious application is prevented from tampering with the browser homepage.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a flowchart of a method for preventing malicious code from executing according to an embodiment of the present disclosure;
FIG. 2 is an interface diagram of a security application provided in an embodiment of the present application;
FIG. 3 is an interface diagram of a security application provided in an embodiment of the present application;
FIG. 4 is a schematic structural diagram of an apparatus for preventing malicious code from executing according to an embodiment of the present disclosure;
FIG. 5 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
The method for preventing malicious code from being executed may be implemented by a computer device, such as a desktop computer or a handheld computer. The computer device has a browser and a security application installed. The security application may be one that provides only browser protection, or a comprehensive one that also provides network security, virus scanning, payment protection and the like; its driver can monitor the browser processes on the computer device. An implementation environment of the embodiments of the present application is described below by way of example.
When a user downloads an application from a software download website, a malicious application that tampers with the browser homepage may well be downloaded along with it. After the user installs the downloaded malicious application on the computer device, the malicious application can write a homepage tampering function module into the browser process and call that module at a specific time in order to change the browser's homepage. Using the method provided by the embodiment of the application, the security application prevents the code that calls the homepage tampering function module from executing, and so prevents the malicious application from tampering with the browser homepage.
Fig. 1 is a flowchart for preventing malicious code from executing according to an embodiment of the present disclosure. Referring to fig. 1, the embodiment includes:
step 101, receiving a browser homepage locking instruction input by a user.
In implementation, a security application installed on the computer device offers the user a browser protection function option. As shown in fig. 2, the security application interface may include a browser protection option, a virus scanning option, a payment protection option, and the like. Selecting the browser protection option opens the browser protection interface shown in fig. 3, which may contain a default browser setting field, a browser engine setting field, and a browser homepage lock field. The user may select a default browser in the default browser setting field, a default browser engine in the browser engine setting field, and a default browser homepage in the browser homepage lock field. The homepage lock field carries a lock option, namely a lock icon; after selecting the default homepage the user clicks it, which sends a browser homepage locking instruction to the computer device and turns on the security application's homepage locking function. Once the browser homepage locking instruction is received, the subsequent processing begins.
Step 102, starting to monitor the establishment event of the browser process.
In implementation, once the security application's homepage locking function is turned on, the driver that the security application installed on the computer device continuously monitors for browser process creation events, so that the browser can be protected as soon as it starts.
Step 103, after the browser process is monitored to be established, when a preset trigger event for triggering code calling is detected, a target memory address for code calling is obtained.
In implementation, the malicious application writes into the browser process malicious code whose purpose is to call the homepage tampering function module, and that code runs only when the browser process calls it. There are generally two ways in which the browser process comes to call the malicious code, described below.
In the first calling mode, the malicious application's process creates a new thread in the browser process by way of a remote thread, and that thread calls the malicious code.
In the second calling mode, the malicious application's process inserts an APC (Asynchronous Procedure Call) function into the APC queue of a specific thread in the browser process, and the APC function calls back into the malicious code.
For the two calling modes, the embodiments of the present application respectively provide processing methods.
The processing for the first calling mode may be as follows: when a first instruction for establishing a first thread in the browser process is received, a target memory address corresponding to the instruction and used for calling a thread initial execution code is obtained.
In implementation, whenever a process creates a new thread, the entry functions of all function modules loaded in the process's address space are called, and this happens before the new thread's own code runs. So if the malicious code can be identified while these entry functions are being called, it can be stopped from calling the homepage tampering function module. The specific procedure may be as follows.
First, the entry function of a function module to be hooked must be configured; this may be any function module loaded in the browser process's address space, for example rpcrt4.dll. When the security application's driver observes the browser process loading rpcrt4.dll, it obtains the memory address of the rpcrt4.dll entry function and writes a hook at that address, so that when the browser process calls the entry function of rpcrt4.dll, control is diverted to a function configured by the security application, which is then executed. The security application uses a function capable of writing memory to write a preset memory address acquisition function into the browser process; this acquisition function is the configured function. The writing function may be VirtualAllocEx, WriteProcessMemory or the like, and the preset memory address acquisition function may be NtQueryInformationThread.
Then, when the malicious application creates a first thread in the browser process (that is, a new thread; "first" is merely the label used here for the new thread and does not denote the order of thread creation), a first instruction to create that thread is received and, as described above, the entry functions of all function modules loaded in the browser process's address space are called first. Because a hook has been written at the entry function's memory address, when the entry function of rpcrt4.dll is called the hook transfers control to the written NtQueryInformationThread call, which obtains the target memory address of the code that the first thread will execute when it starts.
The processing for the second call mode may be as follows: when a second instruction for calling the APC function in the browser process is received, acquiring a first parameter in an APC function calling statement corresponding to the second instruction, wherein the first parameter is a target memory address to which a code to be called by the APC function belongs.
In implementation, each time a process runs an APC function from its APC queue, the RtlDispatchAPC function in the process's ntdll executes first, and the first parameter of RtlDispatchAPC is the memory address of the code the APC function calls back. So if that first parameter is captured while RtlDispatchAPC executes, and the code at that memory address (the first parameter) is malicious, RtlDispatchAPC can be kept from calling the homepage tampering function module. The specific procedure may be as follows.
First, the RtlDispatchAPC function of ntdll is configured: the security application's driver watches for the browser process starting and loading ntdll, obtains the memory address of RtlDispatchAPC with GetProcAddress, writes a hook at that address, and writes into the browser process's address space a first code that reads the first parameter of RtlDispatchAPC. The purpose of the hook is that whenever the browser process calls RtlDispatchAPC, execution jumps through the hook into the code that reads the first parameter of RtlDispatchAPC.
Then, while a second thread is executing, when a second instruction to call an APC function is received, the corresponding APC function in the APC queue is invoked through RtlDispatchAPC. Before RtlDispatchAPC itself runs, the hook executes first and jumps to the written first code, which reads the first parameter of RtlDispatchAPC; this yields the target memory address of the code the APC function will call back.
In a possible implementation, because the malicious code is written into the browser process's address space through memory that the malicious application allocates across processes, and memory allocated in that way has a fixed memory type and memory state, the target memory address may be checked against that type and state before the code in the target memory is read, to avoid unnecessary processing. The processing may be: determining that the memory type of the target memory address is a preset memory type and that its memory state is a preset memory state.
The preset memory type and preset memory state are those of memory allocated across processes: the preset memory type is MEM_PRIVATE and the preset memory state is MEM_COMMIT.
In implementation, in both of the above procedures a ZwQueryVirtualMemory function may also be written into the browser process's address space. After the target memory address is obtained, ZwQueryVirtualMemory is called to obtain the memory type and memory state of the target memory address. It can then be determined whether the memory type is MEM_PRIVATE and the memory state is MEM_COMMIT; only if both conditions hold does the subsequent processing continue.
This check effectively improves overall processing efficiency and reduces the chance of erroneous processing later on.
Step 104, acquiring the target code stored at the target memory address.
In implementation, in both of the above procedures a ZwReadVirtualMemory function may be written into the browser process's address space, and ZwReadVirtualMemory reads the target code stored at the target memory address.
Step 105, determining, based on the malicious code library, whether the target code is malicious code, and preventing the target code from being executed after it is determined to be malicious code.
In implementation, the technician may build a malicious code library in advance, storing common malicious code in it. To build the library, malicious applications may be collected from the internet or obtained through user feedback; once obtained, a malicious application can be reverse engineered and debugged to extract its malicious code.
Once the target code is obtained, it is matched against the stored malicious code library. If identical code is found, the target code is malicious, and it is processed so that it cannot call the homepage tampering function module.
In one possible implementation, the processing of the target code may be as follows:
modifying the target code into a preset code, where the preset code comprises a return statement that returns a preset value.
In implementation, in the processing for both calling modes a patch code may be written into the browser process's address space. After the target code is determined to be malicious code, the patch code modifies it into the preset code, for example by directly replacing the statement in which the target code calls the homepage tampering function module with a return statement. Thus, when the browser process calls the target code, the target code executes the return statement and returns a preset value, such as return 4, indicating that the code executed successfully, and the browser process continues on to call other code. Other modifications are possible as well, as long as the modified code no longer calls the homepage tampering function module.
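The decision pipeline behind steps 103 to 105 (region pre-check, library match, return-stub patch) in one runnable piece, as an added example that is not the patent's or Tencent's code: the region type and state that ZwQueryVirtualMemory would report and the bytes ZwReadVirtualMemory would return are passed in as plain values so the logic runs anywhere, the signature library and the sample target bytes are constructed placeholders, and the preset code is assumed to be the x86-64 `mov eax, imm32; ret` stub (the description does not fix an architecture).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Memory state and type constants, with the values winnt.h assigns them. */
#define MEM_COMMIT  0x1000u
#define MEM_RESERVE 0x2000u
#define MEM_PRIVATE 0x20000u
#define MEM_MAPPED  0x40000u
#define MEM_IMAGE   0x1000000u

enum verdict { VERDICT_SKIPPED = 0, VERDICT_CLEAN = 1,
               VERDICT_PATCHED = 2, VERDICT_UNPATCHABLE = 3 };

/* One entry of the malicious code library the security application matches against. */
typedef struct { const uint8_t *bytes; size_t len; const char *name; } signature_t;

/* Constructed signature standing in for the call into the homepage tampering module
 * (sub rsp,28h ; mov rcx,imm64 ; call rcx). Placeholder bytes, not a real sample. */
static const uint8_t SIG_TAMPER_CALL[] = {
    0x48, 0x83, 0xEC, 0x28, 0x48, 0xB9, 0xEF, 0xBE, 0xAD, 0xDE,
    0x00, 0x00, 0x00, 0x00, 0xFF, 0xD1 };

static const signature_t LIBRARY[] = {
    { SIG_TAMPER_CALL, sizeof SIG_TAMPER_CALL, "constructed: homepage tamper call" },
};

/* Pre-check from the description: memory allocated across processes is
 * MEM_PRIVATE and MEM_COMMIT; image- or section-backed regions are not inspected. */
bool region_is_candidate(uint32_t type, uint32_t state) {
    return type == MEM_PRIVATE && state == MEM_COMMIT;
}

/* Step 105, first half: look for any library entry inside the bytes read from the
 * target address. Returns the library index, or -1 if nothing matches. */
int match_library(const uint8_t *code, size_t len) {
    for (size_t s = 0; s < sizeof LIBRARY / sizeof LIBRARY[0]; s++) {
        const signature_t *sig = &LIBRARY[s];
        if (sig->len == 0 || sig->len > len) continue;
        for (size_t off = 0; off + sig->len <= len; off++)
            if (memcmp(code + off, sig->bytes, sig->len) == 0) return (int)s;
    }
    return -1;
}

/* Step 105, second half: the "preset code" is a return statement yielding a preset
 * value. On x86-64 that is  mov eax, imm32 ; ret  = B8 <imm32 LE> C3 (6 bytes). */
size_t build_return_stub(uint8_t *out, size_t cap, uint32_t value) {
    if (cap < 6) return 0;
    out[0] = 0xB8;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(value >> (8 * i));
    out[5] = 0xC3;
    return 6;
}

/* True if the code at the target address now begins with the return stub. */
bool stub_present(const uint8_t *code, size_t len, uint32_t value) {
    uint8_t expect[6];
    return len >= 6 && build_return_stub(expect, sizeof expect, value) == 6 &&
           memcmp(code, expect, 6) == 0;
}

/* The complete decision for one trigger event: filter the region, match the code,
 * and patch it in place so that the browser's call simply returns the preset value. */
enum verdict inspect_and_patch(uint32_t type, uint32_t state,
                               uint8_t *code, size_t len, uint32_t preset) {
    if (!region_is_candidate(type, state)) return VERDICT_SKIPPED;
    if (match_library(code, len) < 0) return VERDICT_CLEAN;
    if (build_return_stub(code, len, preset) == 0) return VERDICT_UNPATCHABLE;
    return VERDICT_PATCHED;
}

/* Constructed target code as ZwReadVirtualMemory might return it: filler, the
 * signature, then an epilogue (add rsp,28h ; ret). Unused tail bytes are zero. */
uint8_t g_sample_target[32] = {
    0x90, 0x90, 0x90, 0x90,
    0x48, 0x83, 0xEC, 0x28, 0x48, 0xB9, 0xEF, 0xBE, 0xAD, 0xDE,
    0x00, 0x00, 0x00, 0x00, 0xFF, 0xD1,
    0x48, 0x83, 0xC4, 0x28, 0xC3 };

/* Region facts as ZwQueryVirtualMemory would report them for VirtualAllocEx memory;
 * 4 is the preset return value the description gives as its example. */
enum verdict run_sample_scenario(void) {
    return inspect_and_patch(MEM_PRIVATE, MEM_COMMIT,
                             g_sample_target, sizeof g_sample_target, 4);
}

int main(void) {
    printf("image-backed region: verdict %d (skipped without reading code)\n",
           (int)inspect_and_patch(MEM_IMAGE, MEM_COMMIT,
                                  g_sample_target, sizeof g_sample_target, 4));
    printf("private committed region: verdict %d, stub present: %d\n",
           (int)run_sample_scenario(),
           (int)stub_present(g_sample_target, sizeof g_sample_target, 4));
    return 0;
}
```

Note that the pre-check keeps MEM_IMAGE and MEM_MAPPED regions (the browser's own modules) out of the match step entirely, which is the efficiency gain the description claims for it.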
In the above embodiment, after the user's browser homepage locking instruction is received, browser process creation events are continuously monitored. After a browser process is observed to be created, when a preset trigger event for triggering a code call is detected, the target memory address at which the code call is made is obtained. The code to be called by the preset trigger event may be code written by a malicious application for calling the homepage tampering function module. Once the memory address storing that code is known, the target code stored there can be read. The target code is then matched against the malicious code library to determine whether it is malicious, and if so, it can be prevented from executing by technical means, so that the malicious application is prevented from tampering with the browser homepage.
All the above optional technical solutions may be combined arbitrarily to form the optional embodiments of the present disclosure, and are not described herein again.
Based on the same technical concept, an embodiment of the present application further provides an apparatus for preventing malicious code from being executed, where the apparatus may be a computer device in the foregoing embodiment, and as shown in fig. 4, the apparatus includes: a receiving module 410, a monitoring module 420, a detecting module 430, an obtaining module 440, and a preventing module 450.
A receiving module 410, configured to receive a browser homepage locking instruction input by a user;
a monitoring module 420, configured to start monitoring a setup event of a browser process;
the detection module 430 is configured to, after monitoring that the browser process is established, obtain a target memory address for code invocation when a preset trigger event for triggering the code invocation is detected;
an obtaining module 440, configured to obtain a target code stored in the target memory address;
a blocking module 450, configured to determine whether the target code is a malicious code based on a malicious code library, and block the target code from being executed after determining that the target code is the malicious code.
Optionally, the detecting module 430 is configured to:
when a first instruction for establishing a first thread in the browser process is received, a target memory address corresponding to the first instruction and used for calling a thread initial execution code is obtained.
Optionally, the detecting module 430 is configured to:
when a second instruction for calling the APC function in the browser process is received, acquiring a first parameter in an APC function calling statement corresponding to the second instruction, wherein the first parameter is a target memory address to which a code to be called by the APC function belongs.
Optionally, the apparatus further includes:
a determining module, configured to determine that the memory type of the target memory address is a preset memory type and that its memory state is a preset memory state, where the preset memory type and the preset memory state are the memory type and memory state of memory allocated across processes.
Optionally, the preventing module 450 is configured to:
modifying the target code into a preset code, where the preset code comprises a return statement that returns a preset value.
It should be noted that: in the apparatus for preventing malicious code from being executed according to the foregoing embodiment, when preventing malicious code from being executed, the above-mentioned division of each functional module is merely used as an example, and in practical applications, the above-mentioned function distribution may be completed by different functional modules according to needs, that is, the internal structure of the computer device is divided into different functional modules, so as to complete all or part of the above-mentioned functions. In addition, the apparatus for preventing malicious code from being executed and the method for preventing malicious code from being executed provided by the above embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiments and are not described herein again.
Fig. 5 shows a block diagram of a computer device 500 provided in an exemplary embodiment of the present application. The computer device 500 may be a smart phone, a tablet computer, an MP3 player (Moving Picture Experts Group Audio Layer III), an MP4 player (Moving Picture Experts Group Audio Layer IV), a notebook computer or a desktop computer. The computer device 500 may also be referred to by other names such as user device, portable computer device, laptop computer device, desktop computer device, and so forth.
Generally, the computer device 500 includes: a processor 501 and a memory 502.
The processor 501 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and so on. The processor 501 may be implemented in at least one hardware form of a DSP (Digital Signal Processing), an FPGA (Field-Programmable Gate Array), and a PLA (Programmable Logic Array). The processor 501 may also include a main processor and a coprocessor, where the main processor is a processor for processing data in an awake state, and is also called a Central Processing Unit (CPU); a coprocessor is a low power processor for processing data in a standby state. In some embodiments, the processor 501 may be integrated with a GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content required to be displayed on the display screen. In some embodiments, processor 501 may also include an AI (Artificial Intelligence) processor for processing computational operations related to machine learning.
Memory 502 may include one or more computer-readable storage media, which may be non-transitory. Memory 502 may also include high-speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In some embodiments, a non-transitory computer readable storage medium in memory 502 is used to store at least one instruction for execution by processor 501 to implement the method of preventing malicious code execution provided by method embodiments herein.
In some embodiments, the computer device 500 may further optionally include: a peripheral interface 503 and at least one peripheral. The processor 501, memory 502 and peripheral interface 503 may be connected by a bus or signal lines. Each peripheral may be connected to the peripheral interface 503 by a bus, signal line, or circuit board. Specifically, the peripheral device includes: at least one of radio frequency circuitry 504, touch screen display 505, camera 506, audio circuitry 507, positioning components 508, and power supply 509.
The peripheral interface 503 may be used to connect at least one peripheral related to I/O (Input/Output) to the processor 501 and the memory 502. In some embodiments, the processor 501, memory 502, and peripheral interface 503 are integrated on the same chip or circuit board; in some other embodiments, any one or two of the processor 501, the memory 502, and the peripheral interface 503 may be implemented on a separate chip or circuit board, which is not limited in this embodiment.
The radio frequency circuit 504 is used for receiving and transmitting RF (Radio Frequency) signals, also called electromagnetic signals. The radio frequency circuit 504 communicates with communication networks and other communication devices via electromagnetic signals. The radio frequency circuit 504 converts an electrical signal into an electromagnetic signal for transmission, or converts a received electromagnetic signal into an electrical signal. Optionally, the radio frequency circuit 504 includes an antenna system, an RF transceiver, one or more amplifiers, a tuner, an oscillator, a digital signal processor, a codec chipset, a subscriber identity module card, and so forth. The radio frequency circuit 504 may communicate with other computer devices via at least one wireless communication protocol. The wireless communication protocols include, but are not limited to: metropolitan area networks, mobile communication networks of various generations (2G, 3G, 4G and 5G), wireless local area networks and/or WiFi (Wireless Fidelity) networks. In some embodiments, the radio frequency circuit 504 may further include NFC (Near Field Communication) related circuits, which are not limited in this application.
The display screen 505 is used to display a UI (User Interface). The UI may include graphics, text, icons, video, and any combination thereof. When the display screen 505 is a touch display screen, the display screen 505 also has the ability to capture touch signals on or over its surface. The touch signal may be input to the processor 501 as a control signal for processing. In that case the display screen 505 may also be used to provide virtual buttons and/or a virtual keyboard, also referred to as soft buttons and/or a soft keyboard. In some embodiments there may be one display screen 505, disposed on the front panel of the computer device 500; in other embodiments there may be at least two display screens 505, each disposed on a different surface of the computer device 500 or in a folded design; in still other embodiments the display screen 505 may be a flexible display screen disposed on a curved surface or on a folded surface of the computer device 500. The display screen 505 may even be arranged in a non-rectangular irregular shape, i.e. an irregularly shaped screen. The display screen 505 may be made of LCD (Liquid Crystal Display), OLED (Organic Light-Emitting Diode), and the like.
The camera assembly 506 is used to capture images or video. Optionally, the camera assembly 506 includes a front camera and a rear camera. Generally, the front camera is disposed on the front panel of the computer device, and the rear camera is disposed on the rear surface of the computer device. In some embodiments there are at least two rear cameras, each being any one of a main camera, a depth-of-field camera, a wide-angle camera and a telephoto camera, so that the main camera and the depth-of-field camera can be fused to realize a background blurring function, and the main camera and the wide-angle camera can be fused to realize panoramic shooting and VR (Virtual Reality) shooting functions or other fusion shooting functions. In some embodiments, the camera assembly 506 may also include a flash. The flash may be a single-color-temperature flash or a dual-color-temperature flash. A dual-color-temperature flash combines a warm-light flash and a cold-light flash and can be used for light compensation at different color temperatures.
The audio circuitry 507 may include a microphone and a speaker. The microphone is used for collecting sound waves of a user and the environment, converting the sound waves into electrical signals, and inputting the electrical signals to the processor 501 for processing, or to the radio frequency circuit 504 to realize voice communication. For stereo capture or noise reduction purposes, there may be multiple microphones located at different positions on the computer device 500. The microphone may also be an array microphone or an omnidirectional pickup microphone. The speaker is used to convert electrical signals from the processor 501 or the radio frequency circuit 504 into sound waves. The speaker may be a conventional diaphragm speaker or a piezoelectric ceramic speaker. When the speaker is a piezoelectric ceramic speaker, it can be used not only to convert an electrical signal into sound waves audible to humans, but also to convert an electrical signal into sound waves inaudible to humans for distance measurement. In some embodiments, the audio circuitry 507 may also include a headphone jack.
The positioning component 508 is used to determine the current geographic location of the computer device 500 for navigation or LBS (Location Based Service). The positioning component 508 may be based on the GPS (Global Positioning System) of the United States, the BeiDou system of China, the GLONASS system of Russia, or the Galileo system of the European Union.
The power supply 509 is used to power the various components in the computer device 500. The power source 509 may be alternating current, direct current, disposable or rechargeable. When power supply 509 includes a rechargeable battery, the rechargeable battery may support wired or wireless charging. The rechargeable battery may also be used to support fast charge technology.
In some embodiments, the computer device 500 also includes one or more sensors 510. The one or more sensors 510 include, but are not limited to: acceleration sensor 511, gyro sensor 512, pressure sensor 513, fingerprint sensor 514, optical sensor 515, and proximity sensor 516.
The acceleration sensor 511 may detect the magnitude of acceleration along the three axes of a coordinate system established with the computer device 500. For example, the acceleration sensor 511 may be used to detect the components of gravitational acceleration along the three axes. The processor 501 may control the touch display screen 505 to display the user interface in landscape or portrait orientation according to the gravitational acceleration signal collected by the acceleration sensor 511. The acceleration sensor 511 may also be used to acquire motion data for a game or of the user.
The gyro sensor 512 may detect a body direction and a rotation angle of the computer device 500, and the gyro sensor 512 may cooperate with the acceleration sensor 511 to acquire a 3D motion of the user on the computer device 500. The processor 501 may implement the following functions according to the data collected by the gyro sensor 512: motion sensing (such as changing the UI according to a user's tilting operation), image stabilization at the time of photographing, game control, and inertial navigation.
The pressure sensor 513 may be disposed on a side bezel of the computer device 500 and/or underneath the touch display screen 505. When the pressure sensor 513 is disposed on the side bezel of the computer device 500, the user's grip on the computer device 500 can be detected, and the processor 501 performs left-hand or right-hand recognition or a shortcut operation according to the grip signal collected by the pressure sensor 513. When the pressure sensor 513 is disposed beneath the touch display screen 505, the processor 501 controls the operable controls on the UI according to the pressure the user applies to the touch display screen 505. The operable controls include at least one of a button control, a scroll bar control, an icon control and a menu control.
The fingerprint sensor 514 is used for collecting a fingerprint of the user, and the processor 501 identifies the identity of the user according to the fingerprint collected by the fingerprint sensor 514, or the fingerprint sensor 514 identifies the identity of the user according to the collected fingerprint. Upon recognizing that the user's identity is a trusted identity, the processor 501 authorizes the user to perform relevant sensitive operations including unlocking the screen, viewing encrypted information, downloading software, paying, and changing settings, etc. The fingerprint sensor 514 may be disposed on the front, back, or side of the computer device 500. When a physical key or vendor Logo is provided on the computer device 500, the fingerprint sensor 514 may be integrated with the physical key or vendor Logo.
The optical sensor 515 is used to collect the ambient light intensity. In one embodiment, the processor 501 may control the display brightness of the touch display screen 505 based on the ambient light intensity collected by the optical sensor 515. Specifically, when the ambient light intensity is high, the display brightness of the touch display screen 505 is increased; when the ambient light intensity is low, the display brightness of the touch display screen 505 is decreased. In another embodiment, the processor 501 may also dynamically adjust the shooting parameters of the camera assembly 506 based on the ambient light intensity collected by the optical sensor 515.
The proximity sensor 516, also known as a distance sensor, is typically disposed on the front panel of the computer device 500. The proximity sensor 516 is used to capture the distance between the user and the front of the computer device 500. In one embodiment, when the proximity sensor 516 detects that the distance between the user and the front of the computer device 500 is gradually decreasing, the processor 501 controls the touch display screen 505 to switch from the screen-on state to the screen-off state; when the proximity sensor 516 detects that the distance between the user and the front of the computer device 500 is gradually increasing, the processor 501 controls the touch display screen 505 to switch from the screen-off state to the screen-on state.
Those skilled in the art will appreciate that the configuration shown in FIG. 5 does not constitute a limitation of the computer device 500, and may include more or fewer components than those shown, or combine certain components, or employ a different arrangement of components.
In an exemplary embodiment, a computer-readable storage medium is also provided, such as a memory including instructions executable by a processor in a computer device to perform the method of preventing malicious code from executing in the embodiments described above. For example, the computer-readable storage medium may be a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (10)

1. A method of blocking malicious code execution, the method comprising:
receiving a browser homepage locking instruction input by a user;
starting to monitor the establishment event of the browser process;
after the browser process is monitored to be established, when a preset trigger event for triggering code calling is detected, acquiring a target memory address for carrying out the code calling;
acquiring a target code stored in the target memory address;
and determining whether the target code is malicious code or not based on a malicious code library, and preventing the target code from being executed after determining that the target code is the malicious code.
2. The method according to claim 1, wherein the obtaining a target memory address for performing a code call when a preset trigger event for triggering the code call is detected comprises:
when a first instruction for establishing a first thread in the browser process is received, a target memory address corresponding to the first instruction and used for calling a thread initial execution code is obtained.
3. The method according to claim 1, wherein the obtaining a target memory address for performing a code call when a preset trigger event for triggering the code call is detected comprises:
when a second instruction for calling the APC function in the browser process is received, acquiring a first parameter of an APC function calling statement corresponding to the second instruction, wherein the first parameter is a target memory address to which a code to be called by the APC function belongs.
4. The method according to any one of claims 1 to 3, wherein after monitoring that the browser process is established, and when a preset trigger event for triggering a code call is detected, acquiring a target memory address for performing the code call, the method further comprises:
determining that the memory type of the target memory address is a preset memory type and that the memory state of the target memory address is a preset memory state, wherein the preset memory type and the preset memory state are the memory type and memory state of memory allocated across processes.
5. The method of any of claims 1-3, wherein the preventing the target code from executing comprises:
and modifying the target code into a preset code, wherein the preset code comprises a return statement, and the return statement is used for returning a preset value.
6. An apparatus to block malicious code execution, the apparatus comprising:
the receiving module is used for receiving a browser homepage locking instruction input by a user;
the monitoring module is used for starting to monitor the establishment event of the browser process;
the detection module is used for acquiring a target memory address for code calling when a preset trigger event for triggering code calling is detected after the browser process is monitored to be established;
an obtaining module, configured to obtain a target code stored in the target memory address;
and the blocking module is used for determining whether the target code is a malicious code or not based on a malicious code library, and blocking the target code from being executed after the target code is determined to be the malicious code.
7. The apparatus of claim 6, wherein the detection module is configured to:
when a first instruction for establishing a first thread in the browser process is received, a target memory address corresponding to the first instruction and used for calling a thread initial execution code is obtained.
8. The apparatus of claim 6, wherein the detection module is configured to:
when a second instruction for calling the APC function in the browser process is received, acquiring a first parameter in an APC function calling statement corresponding to the second instruction, wherein the first parameter is a target memory address to which a code to be called by the APC function belongs.
9. The apparatus according to any one of claims 6-8, further comprising:
the determining module is configured to determine that the memory type of the target memory address is a preset memory type, and the target memory state is a preset memory state, where the preset memory type and the preset memory state are a memory type and a memory state applied for a cross-process.
10. The apparatus of any one of claims 6-8, wherein the blocking module is configured to:
and modifying the target code into a preset code, wherein the preset code comprises a return statement, and the return statement is used for returning a preset value.
CN201910663153.7A 2019-07-22 2019-07-22 Method and device for preventing malicious code from executing Active CN111191227B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910663153.7A CN111191227B (en) 2019-07-22 2019-07-22 Method and device for preventing malicious code from executing

Publications (2)

Publication Number Publication Date
CN111191227A true CN111191227A (en) 2020-05-22
CN111191227B CN111191227B (en) 2023-12-12

Family

ID=70707161

Country Status (1)

Country Link
CN (1) CN111191227B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110737892A (en) * 2018-07-20 2020-01-31 武汉斗鱼网络科技有限公司 Detection method for APC injection and related device
CN110737892B (en) * 2018-07-20 2021-11-09 武汉斗鱼网络科技有限公司 Detection method aiming at APC injection and related device
CN112052167A (en) * 2020-08-25 2020-12-08 北京梧桐车联科技有限责任公司 Method and device for generating test script code
CN114707150A (en) * 2022-03-21 2022-07-05 安芯网盾(北京)科技有限公司 Malicious code detection method and device, electronic equipment and storage medium
CN114707150B (en) * 2022-03-21 2023-05-09 安芯网盾(北京)科技有限公司 Malicious code detection method and device, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101005497A (en) * 2006-11-27 2007-07-25 科博技术有限公司 System and method for preventing vicious code attach
CN102831339A (en) * 2012-07-19 2012-12-19 北京奇虎科技有限公司 Method, device and browser for protecting webpage against malicious attack
US20150341385A1 (en) * 2014-05-22 2015-11-26 Cabara Software Ltd. Web page and web browser protection against malicious injections
CN106682512A (en) * 2016-11-25 2017-05-17 腾讯科技(深圳)有限公司 Method, device and system for preventing programs from being corrected
CN109583202A (en) * 2017-09-29 2019-04-05 卡巴斯基实验室股份制公司 System and method for the malicious code in the address space of detection procedure

Also Published As

Publication number Publication date
CN111191227B (en) 2023-12-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant