CN111191227B - Method and device for preventing malicious code from executing

Info

Publication number
CN111191227B
Authority
CN
China
Prior art keywords
code
target
preset
browser
instruction
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910663153.7A
Other languages
Chinese (zh)
Other versions
CN111191227A (en)
Inventor
焦晴阳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201910663153.7A
Publication of CN111191227A
Application granted
Publication of CN111191227B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a method for preventing malicious code from executing, in the technical field of the Internet. The method comprises: receiving a browser homepage lock instruction input by a user; starting to monitor for the creation event of the browser process; after the browser process is observed to have been created, when a preset trigger event that triggers a code call is detected, obtaining the target memory address of that code call; reading the target code stored at the target memory address; determining, against a malicious code library, whether the target code is malicious code, and, once it is determined to be malicious, preventing the target code from executing. The application can effectively prevent malicious applications from tampering with the browser homepage.

Description

Method and device for preventing malicious code from executing
Technical Field
The present application relates to Internet technologies, and in particular to a method and apparatus for preventing malicious code from executing.
Background
Browsers are among the applications people use most often. Some malicious applications tamper with the browser homepage by various technical means so that promotional content is displayed on it, for profit.
A common way for a malicious application to tamper with the browser homepage is the following. The malicious application's process writes its own homepage-tampering function module into the browser process by imitating what the LoadLibrary function does when it loads a module into memory (LoadLibrary maps a function module into the target process through system calls); here the module is mapped by hand rather than registered with the loader. The malicious application then inserts a piece of executable shellcode into the browser process that calls the written-in homepage-tampering module. Because the browser process's module list records only the browser's own modules, and not the module written in by the malicious application, a security application cannot discover the homepage-tampering module simply by querying the module list.
A tampered browser homepage gives users a poor experience, yet there is currently no effective defence against this tampering technique. To give users a safe browsing environment, a method that effectively prevents malicious applications from tampering with the browser homepage is therefore needed.
Disclosure of Invention
The embodiments of the present application provide a method for preventing malicious code from executing, which can solve the problem of a malicious application tampering with the browser homepage. The technical solution is as follows.
In a first aspect, a method for preventing malicious code from executing is provided, the method comprising:
receiving a browser homepage lock instruction input by a user;
starting to monitor for the creation event of the browser process;
after the browser process is observed to have been created, when a preset trigger event that triggers a code call is detected, obtaining the target memory address of that code call;
reading the target code stored at the target memory address;
determining, against a malicious code library, whether the target code is malicious code, and, once it is determined to be malicious, preventing the target code from executing.
Optionally, obtaining the target memory address of the code call when the preset trigger event is detected comprises:
when a first instruction that creates a first thread in the browser process is received, obtaining the target memory address, corresponding to the first instruction, of the code the thread will execute first.
Optionally, obtaining the target memory address of the code call when the preset trigger event is detected comprises:
when a second instruction that calls an APC function in the browser process is received, obtaining the first parameter of the APC function call statement corresponding to the second instruction, the first parameter being the target memory address of the code the APC function is to call.
Optionally, after the browser process is observed to have been created and the target memory address of the code call has been obtained on detection of the preset trigger event, the method further comprises:
determining that the memory type of the target memory address is a preset memory type and that its memory state is a preset memory state, the preset memory type and preset memory state being the memory type and state of memory allocated across processes.
Optionally, preventing the target code from executing comprises:
modifying the target code into preset code, the preset code comprising a return statement that returns a preset value.
In another aspect, an apparatus for preventing malicious code from executing is provided, the apparatus comprising:
a receiving module, configured to receive a browser homepage lock instruction input by a user;
a monitoring module, configured to start monitoring for the creation event of the browser process;
a detection module, configured to obtain the target memory address of a code call when a preset trigger event that triggers the code call is detected after the browser process is observed to have been created;
an acquisition module, configured to read the target code stored at the target memory address;
a blocking module, configured to determine, against a malicious code library, whether the target code is malicious code, and to prevent the target code from executing once it is determined to be malicious.
Optionally, the detection module is configured to:
when a first instruction that creates a first thread in the browser process is received, obtain the target memory address, corresponding to the first instruction, of the code the thread will execute first.
Optionally, the detection module is configured to:
when a second instruction that calls an APC function in the browser process is received, obtain the first parameter of the APC function call statement corresponding to the second instruction, the first parameter being the target memory address of the code the APC function is to call.
Optionally, the apparatus further comprises:
a determining module, configured to determine that the memory type of the target memory address is a preset memory type and that its memory state is a preset memory state, the preset memory type and preset memory state being the memory type and state of memory allocated across processes.
Optionally, the blocking module is configured to:
modify the target code into preset code, the preset code comprising a return statement that returns a preset value.
In a third aspect, a computer device is provided, comprising a processor and a memory, the memory storing at least one instruction that is loaded and executed by the processor to implement the operations performed by the method for preventing malicious code from executing described in the first aspect above.
In a fourth aspect, a computer-readable storage medium is provided, storing at least one instruction that is loaded and executed by a processor to implement the operations performed by the method for preventing malicious code from executing described in the first aspect above.
The technical solution provided by the embodiments of the present application has the following beneficial effect:
after the user's browser homepage lock instruction is received, the creation event of the browser process is continuously monitored. Once the browser process has been created, when a preset trigger event that triggers a code call is detected, the target memory address of that code call is obtained. The code the trigger event is about to call may be code written in by a malicious application to call the homepage-tampering function module. Once the memory address holding that code is known, the target code stored there can be read out. The target code is then matched against the malicious code library to determine whether it is malicious, and if so it can be prevented from executing by technical means, so that the malicious application is prevented from tampering with the browser homepage.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described here show only some embodiments of the present application; a person skilled in the art can derive other drawings from them without inventive effort.
FIG. 1 is a flow chart of a method for preventing malicious code from executing according to an embodiment of the present application;
FIG. 2 is a schematic diagram of an interface of a security application according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an interface of a security application according to an embodiment of the present application;
FIG. 4 is a schematic diagram of an apparatus for preventing malicious code from executing according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the embodiments of the present application will be described in further detail with reference to the accompanying drawings.
The method for preventing malicious code from executing can be implemented by a computer device such as a desktop or laptop computer. A browser and a security application can be installed on the computer device. The security application may be one that provides only browser protection, or a comprehensive one that provides network security, virus scanning, payment protection, browser protection and so on; its driver can monitor the browser process installed on the computer device. One implementation environment for the embodiments is described below by way of example.
When a user downloads an application from a software download site, the download may well be a malicious application capable of tampering with the browser homepage. After the user installs it on the computer device, the malicious application writes its homepage-tampering function module into the browser process and calls that module at a particular moment so as to tamper with the browser homepage. With the method provided by the embodiments, the security application can prevent the code that calls the homepage-tampering module from executing, and so prevent the malicious application from tampering with the browser homepage.
FIG. 1 is a flow chart of a method for preventing malicious code from executing provided by an embodiment of the present application. Referring to FIG. 1, this embodiment includes the following steps.
step 101, receiving a browser homepage locking instruction input by a user.
In implementation, a security application may be installed in the computer device, where the security application provides the user with a browser protection function option, as shown in fig. 2, and the security application interface may include a browser protection function option, a virus checking function option, a payment protection function option, and so on. The user may select a browser protection function option to enter a browser protection function interface, as shown in fig. 3, where the browser protection function interface may include a default browser setting field, a browser engine setting field, and a browser home page lock field. The user may select a default browser in the default browser settings field, select a default browser engine in the browser engine settings field, and select a default browser home page in the browser home page lock field. After the browser locking bar is provided with a locking option, namely, a lock-shaped icon, after the user selects a default browser homepage, the user clicks the locking option, namely, a browser homepage locking instruction is sent to the computer equipment so as to open the browser homepage locking function of the safety protection application program. After receiving the browser homepage locking instruction, the subsequent processing is started to be executed.
Step 102, starting to monitor the establishment event of the browser process.
In practice, after the security application opens the browser home page lock function, the driver of the security application installed in the computer device will continuously monitor the browser process for an established event. So as to protect the browser in time.
Step 103: after the browser process is observed to have been created, when a preset trigger event that triggers a code call is detected, obtain the target memory address of that code call.
In implementation, the malicious code that calls the homepage-tampering function module is written into the browser process by the malicious application, but it can only execute if the browser process calls it. Malicious applications generally have two ways of making the browser process call the malicious code; the two calling modes are described in turn below.
Calling mode one: the malicious application's process creates a new thread in the browser process (a remote thread) whose start routine is the malicious code.
Calling mode two: the malicious application's process inserts an APC function into the APC (Asynchronous Procedure Call) queue of a particular thread in the browser process, and that APC function calls the malicious code.
For each of the two calling modes, the embodiments provide a corresponding processing method.
The processing for calling mode one can be as follows: when a first instruction that creates a first thread in the browser process is received, the target memory address, corresponding to that instruction, of the code the thread will execute first is obtained.
In practice, whenever a process creates a new thread, the entry functions of all function modules already loaded in the process space are called first (on Windows this is each module's DllMain receiving a DLL_THREAD_ATTACH notification), so these entry functions run before the new thread's own code. If malicious code can be found at the time these entry functions are called, it can be prevented from calling the homepage-tampering function module. One caveat: a module that has called DisableThreadLibraryCalls no longer receives this notification, so the hooked entry function must belong to a module that still does. The specific implementation can be as follows.
First, the entry function of a function module to be hooked is configured; the module may be any module already loaded in the browser process space, rpcrt4.dll for example. While the security application's driver monitors the entry function of rpcrt4.dll, it obtains the memory address of that entry function and writes a hook at that address, so that when the browser program calls the rpcrt4.dll entry function the hook diverts execution to a function configured by the security application, which is then executed. The security application writes a preset memory-address acquisition function, the configured function just mentioned, into the browser process using functions that can write memory, such as VirtualAllocEx and WriteProcessMemory; the preset memory-address acquisition function may be NtQueryInformationThread (queried with the information class that returns a thread's Win32 start address, ThreadQuerySetWin32StartAddress).
Then, when the malicious application's process creates a first thread in the browser process (that is, any new thread; "first" is used here only to name it and does not imply an order of creation), the first instruction that creates the thread causes the entry functions of all function modules loaded in the browser process space to be called first. Because the hook sits at the entry function's memory address, when the rpcrt4.dll entry function is called the hook uses NtQueryInformationThread to obtain the target memory address of the code the first thread was originally going to execute.
The processing for calling mode two can be as follows: when a second instruction that calls an APC function in the browser process is received, the first parameter of the APC function call statement corresponding to the second instruction is obtained, the first parameter being the target memory address of the code the APC function is to call.
In implementation, whenever a process calls an APC function from its APC queue, the RtlDispatchAPC function of the process's ntdll is executed first, and the first parameter of RtlDispatchAPC is the memory address of the code the called APC function is to invoke. So as long as the first parameter is obtained while RtlDispatchAPC is executing, malicious code at that memory address (the first parameter) can be prevented from calling the homepage-tampering function module. The specific implementation can be as follows.
First, the RtlDispatchAPC function of ntdll is configured: the security application's driver monitors the browser process; when ntdll is loaded at start-up, GetProcAddress is used to obtain the memory address of RtlDispatchAPC, a hook is written at that address, and first code that obtains the first parameter of RtlDispatchAPC is written into the browser process space. Whenever the browser process calls RtlDispatchAPC, the hook jumps to that first code and executes it.
Then, during execution of a second thread, when a second instruction that calls an APC function is received, the corresponding APC function in the APC queue is called by executing RtlDispatchAPC. Before RtlDispatchAPC itself runs, the hook runs first and jumps to the written-in first code, which obtains the first parameter of RtlDispatchAPC; in this way the target memory address of the code the APC function is about to call back is obtained.
In one possible implementation, because the malicious application writes the malicious code into the browser process space by allocating memory across processes, and memory allocated that way has a fixed type and state, it may be determined before reading the code at the target memory address whether the target memory address meets the memory type and memory state requirements, to avoid unnecessary processing. The processing may be as follows: determining that the memory type of the target memory address is a preset memory type, and that the target memory state is a preset memory state.
The preset memory type and preset memory state are those of memory allocated across processes: the preset memory type is MEM_PRIVATE and the preset memory state is MEM_COMMIT.
In implementation, in both of the above processes, a ZwQueryVirtualMemory function may also be written into the browser process space. After the target memory address is obtained, ZwQueryVirtualMemory is called to obtain the memory type and memory state of the target memory address. It can then be determined whether the memory type of the target memory address is MEM_PRIVATE and whether the memory state is MEM_COMMIT, and only if both are satisfied is the subsequent processing performed. Note that this filter deliberately skips code that lies inside a mapped image (MEM_IMAGE), such as a remote thread started directly at an exported function; it targets the shellcode case described in the Background, which lives in privately allocated memory.
This check effectively improves overall processing efficiency and reduces the chance of erroneous subsequent processing.
Step 104: read the target code stored at the target memory address.
In implementation, in both of the above processes, a ZwReadVirtualMemory function may be written into the browser process space; ZwReadVirtualMemory reads the target code out of the memory address.
Step 105: determine, against the malicious code library, whether the target code is malicious code, and prevent the target code from executing once it is determined to be malicious.
In practice, a technician may build a malicious code library in advance, storing some common malicious code in it. To build the library, malicious applications can be collected from the Internet or obtained through user feedback. Once a malicious application has been obtained, it can be reverse engineered and debugged to extract its malicious code.
After the target code is obtained, it is matched against the stored malicious code library; if it is malicious code, it is processed so that it cannot call the homepage-tampering function module.
In one possible implementation, the processing of the target code may be as follows:
modifying the target code into preset code, the preset code comprising a return statement that returns a preset value.
In implementation, in the processing of both calling modes, patch code can be written into the browser process space; after the target code is determined to be malicious, the patch code modifies the target code into preset code, for example by directly changing the statement that calls the homepage-tampering function module into a return statement. That is, when the browser process calls the target code, the target code executes a return statement and returns a preset value, such as return 4, to indicate that the code executed successfully, and the browser process can go on to call and execute other code. Other modifications are also possible, as long as the modified code no longer executes the call to the homepage-tampering function module.
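The decision chain of steps 103 to 105, run on constructed data, as an added example (this is not code from the patent or from Tencent, and it serves both trigger paths, since the address reaches it the same way whether it came from the thread-start hook or the RtlDispatchAPC hook): the MEM_PRIVATE/MEM_COMMIT filter, a scan of the read-out bytes against a small masked signature library, and the overwrite of a hit with a return stub. The region structure, the sample stub bytes, the single signature and the use of a masked match are assumptions made for the example; the page itself says only that code is matched against a library. On Windows the region fields would come from ZwQueryVirtualMemory, the bytes from ZwReadVirtualMemory, and the patched bytes would be written back with WriteProcessMemory; here everything operates on a local buffer so it runs anywhere.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Memory state/type constants with the values winnt.h gives them, defined
 * here so the filter logic compiles without windows.h. */
#define MEM_COMMIT  0x1000u
#define MEM_PRIVATE 0x20000u
#define MEM_IMAGE   0x1000000u

/* The two fields of a ZwQueryVirtualMemory / VirtualQueryEx result that the
 * page checks for the target address (assumed struct shape for the example). */
typedef struct {
    uint32_t state;  /* MEM_COMMIT, MEM_RESERVE or MEM_FREE */
    uint32_t type;   /* MEM_PRIVATE, MEM_MAPPED or MEM_IMAGE */
} region_info;

/* A masked signature: a byte is compared only where mask is 0xFF. Injected
 * loader stubs embed addresses patched in at injection time, so exact-byte
 * entries would miss them; masking the immediates lets one entry cover them. */
typedef struct {
    const char    *name;
    size_t         len;
    const uint8_t *bytes;
    const uint8_t *mask;
} signature;

/* Constructed sample entry (illustrative, not from the patent's library):
 * x86 "push imm32; mov eax, imm32; call eax", the shape of a stub that calls
 * one function (such as LoadLibraryA) with one pointer argument. */
static const uint8_t STUB_SIG[]  = {0x68,0,0,0,0, 0xB8,0,0,0,0, 0xFF,0xD0};
static const uint8_t STUB_MASK[] = {0xFF,0,0,0,0, 0xFF,0,0,0,0, 0xFF,0xFF};
static const signature LIBRARY[] = {
    {"push/mov eax/call eax loader stub", sizeof STUB_SIG, STUB_SIG, STUB_MASK},
};

/* Constructed sample: what ZwReadVirtualMemory would return from the target
 * address of an injected stub (the embedded addresses are arbitrary). */
uint8_t g_target[16] = {0x68,0x78,0x56,0x34,0x12, 0xB8,0xEF,0xBE,0xAD,0xDE,
                        0xFF,0xD0, 0xC3, 0x90,0x90,0x90};
const region_info PRIVATE_REGION = {MEM_COMMIT, MEM_PRIVATE};
const region_info IMAGE_REGION   = {MEM_COMMIT, MEM_IMAGE};

/* Step 103's extra check: memory obtained by VirtualAllocEx from another
 * process is committed private memory; image-backed code (a thread started at
 * an exported function) is deliberately left alone. */
int region_is_cross_process_private(const region_info *r) {
    return r->state == MEM_COMMIT && r->type == MEM_PRIVATE;
}

/* Step 105's lookup: scan the code for any library entry at any offset.
 * Returns the index of the first matching signature, or -1 for no match. */
int match_library(const uint8_t *code, size_t len) {
    for (size_t s = 0; s < sizeof LIBRARY / sizeof LIBRARY[0]; s++) {
        const signature *sig = &LIBRARY[s];
        for (size_t off = 0; sig->len <= len && off + sig->len <= len; off++) {
            size_t i = 0;
            while (i < sig->len &&
                   (code[off + i] & sig->mask[i]) == (sig->bytes[i] & sig->mask[i]))
                i++;
            if (i == sig->len) return (int)s;
        }
    }
    return -1;
}

/* Step 105's neutralisation: overwrite the start of the code with
 * "mov eax, imm32; ret" (B8 imm32 C3). The encoding is the same in 32- and
 * 64-bit mode, so the thread start routine or APC routine just returns the
 * preset value. Returns 0 if there is no room for the 6-byte stub. */
int patch_to_return(uint8_t *code, size_t len, uint32_t preset_value) {
    if (len < 6) return 0;
    code[0] = 0xB8;
    for (int i = 0; i < 4; i++)            /* little-endian imm32 */
        code[1 + i] = (uint8_t)(preset_value >> (8 * i));
    code[5] = 0xC3;
    return 1;
}

/* One trigger event end to end: filter by region, match against the library,
 * patch on a hit. Returns 1 if the code was patched, 0 if left untouched. */
int handle_trigger(const region_info *r, uint8_t *code, size_t len, uint32_t preset) {
    if (!region_is_cross_process_private(r)) return 0;
    if (match_library(code, len) < 0) return 0;
    return patch_to_return(code, len, preset);
}

int main(void) {
    printf("image-backed start address patched: %d\n",
           handle_trigger(&IMAGE_REGION, g_target, sizeof g_target, 4));
    printf("private committed stub patched:     %d\n",
           handle_trigger(&PRIVATE_REGION, g_target, sizeof g_target, 4));
    printf("first bytes now: %02X %02X %02X %02X %02X %02X\n",
           g_target[0], g_target[1], g_target[2], g_target[3], g_target[4], g_target[5]);
    return 0;
}
```

The masked match is the part worth copying: the same stub bytes with different embedded addresses still hit one entry, and once patched the buffer no longer matches, which is the property a second trigger on the same address relies on. The filter's deliberate blind spot (image-backed start addresses) is the trade-off the page accepts in exchange for fewer false positives.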
In the above embodiment, after the user's browser homepage lock instruction is received, the creation event of the browser process is continuously monitored. Once the browser process has been created, when a preset trigger event that triggers a code call is detected, the target memory address of that code call is obtained. The code the trigger event is about to call may be code written in by a malicious application to call the homepage-tampering function module. Once the memory address holding that code is known, the target code stored there can be read out. The target code is then matched against the malicious code library to determine whether it is malicious, and if so it can be prevented from executing by technical means, so that the malicious application is prevented from tampering with the browser homepage.
Any combination of the above optional solutions may be adopted to form an optional embodiment of the present disclosure; these combinations are not described here in detail.
Based on the same technical concept, the embodiments of the present application further provide an apparatus for preventing malicious code from executing. The apparatus may be the computer device of the foregoing embodiment and, as shown in FIG. 4, includes a receiving module 410, a monitoring module 420, a detection module 430, an acquisition module 440 and a blocking module 450.
The receiving module 410 is configured to receive a browser homepage lock instruction input by a user;
the monitoring module 420 is configured to start monitoring for the creation event of the browser process;
the detection module 430 is configured to obtain the target memory address of a code call when a preset trigger event that triggers the code call is detected after the browser process is observed to have been created;
the acquisition module 440 is configured to read the target code stored at the target memory address;
the blocking module 450 is configured to determine, against the malicious code library, whether the target code is malicious code, and to prevent the target code from executing once it is determined to be malicious.
Optionally, the detection module 430 is configured to:
when a first instruction that creates a first thread in the browser process is received, obtain the target memory address, corresponding to the first instruction, of the code the thread will execute first.
Optionally, the detection module 430 is configured to:
when a second instruction that calls an APC function in the browser process is received, obtain the first parameter of the APC function call statement corresponding to the second instruction, the first parameter being the target memory address of the code the APC function is to call.
Optionally, the apparatus further comprises:
a determining module, configured to determine that the memory type of the target memory address is a preset memory type and that its memory state is a preset memory state, the preset memory type and preset memory state being the memory type and state of memory allocated across processes.
Optionally, the blocking module 450 is configured to:
modify the target code into preset code, the preset code comprising a return statement that returns a preset value.
It should be noted that the apparatus for preventing malicious code from executing provided in the above embodiment is described only in terms of the division of functional modules given above; in practice the functions may be allocated to different functional modules as needed, that is, the internal structure of the computer device may be divided into different functional modules to perform all or part of the functions described above. In addition, the apparatus embodiment and the method embodiment for preventing malicious code from executing belong to the same concept; for the detailed implementation of the apparatus, refer to the method embodiment, which is not repeated here.
Fig. 5 shows a block diagram of a computer device 500 according to an exemplary embodiment of the application. The computer device 500 may be a smart phone, a tablet computer, an MP3 player (Moving Picture Experts Group Audio Layer III), an MP4 player (Moving Picture Experts Group Audio Layer IV), a notebook computer, or a desktop computer. Computer device 500 may also be referred to by other names, such as user device, portable computer device, laptop computer device, desktop computer device, and the like.
In general, the computer device 500 includes: a processor 501 and a memory 502.
Processor 501 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and the like. The processor 501 may be implemented in at least one hardware form of DSP (Digital Signal Processor), FPGA (Field-Programmable Gate Array), or PLA (Programmable Logic Array). The processor 501 may also include a main processor and a coprocessor, the main processor being a processor for processing data in an awake state, also referred to as a CPU (Central Processing Unit); the coprocessor is a low-power processor for processing data in a standby state. In some embodiments, the processor 501 may integrate a GPU (Graphics Processing Unit) for rendering and drawing the content to be displayed on the display screen. In some embodiments, the processor 501 may also include an AI (Artificial Intelligence) processor for processing computing operations related to machine learning.
Memory 502 may include one or more computer-readable storage media, which may be non-transitory. Memory 502 may also include high-speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In some embodiments, a non-transitory computer readable storage medium in memory 502 is used to store at least one instruction for execution by processor 501 to implement the method of preventing malicious code execution provided by the method embodiments of the present application.
In some embodiments, the computer device 500 may further optionally include: a peripheral interface 503 and at least one peripheral. The processor 501, memory 502, and peripheral interface 503 may be connected by buses or signal lines. The individual peripheral devices may be connected to the peripheral device interface 503 by buses, signal lines or circuit boards. Specifically, the peripheral device includes: at least one of radio frequency circuitry 504, touch display 505, camera 506, audio circuitry 507, positioning component 508, and power supply 509.
Peripheral interface 503 may be used to connect at least one Input/Output (I/O) related peripheral to processor 501 and memory 502. In some embodiments, processor 501, memory 502, and peripheral interface 503 are integrated on the same chip or circuit board; in some other embodiments, either or both of the processor 501, memory 502, and peripheral interface 503 may be implemented on separate chips or circuit boards, which is not limited in this embodiment.
The radio frequency circuit 504 is configured to receive and transmit RF (Radio Frequency) signals, also known as electromagnetic signals. The radio frequency circuit 504 communicates with a communication network and other communication devices via electromagnetic signals. The radio frequency circuit 504 converts an electrical signal into an electromagnetic signal for transmission, or converts a received electromagnetic signal into an electrical signal. Optionally, the radio frequency circuit 504 includes an antenna system, an RF transceiver, one or more amplifiers, a tuner, an oscillator, a digital signal processor, a codec chipset, a subscriber identity module card, and so forth. The radio frequency circuit 504 may communicate with other computer devices via at least one wireless communication protocol. The wireless communication protocol includes, but is not limited to: metropolitan area networks, various generations of mobile communication networks (2G, 3G, 4G, and 5G), wireless local area networks, and/or WiFi (Wireless Fidelity) networks. In some embodiments, the radio frequency circuit 504 may also include NFC (Near Field Communication) related circuitry, which is not limited by the present application.
The display 505 is used to display a UI (User Interface). The UI may include graphics, text, icons, video, and any combination thereof. When the display 505 is a touch display, the display 505 also has the ability to collect touch signals at or above its surface. The touch signal may be input as a control signal to the processor 501 for processing. In that case, the display 505 may also be used to provide virtual buttons and/or a virtual keyboard, also referred to as soft buttons and/or a soft keyboard. In some embodiments, there is one display 505, forming the front panel of the computer device 500; in other embodiments, there are at least two displays 505, disposed on different surfaces of the computer device 500 or in a folded design; in still other embodiments, the display 505 may be a flexible display disposed on a curved or folded surface of the computer device 500. The display 505 may even be arranged in a non-rectangular, irregular pattern, i.e., an irregularly shaped screen. The display 505 may be made of LCD (Liquid Crystal Display), OLED (Organic Light-Emitting Diode) or other materials.
The camera assembly 506 is used to capture images or video. Optionally, the camera assembly 506 includes a front camera and a rear camera. Typically, the front camera is disposed on the front panel of the computer device and the rear camera is disposed on the rear surface of the computer device. In some embodiments, there are at least two rear cameras, each being one of a main camera, a depth camera, a wide-angle camera and a telephoto camera, so that the main camera and the depth camera can be fused to provide a background blurring function, and the main camera and the wide-angle camera can be fused to provide panoramic shooting, Virtual Reality (VR) shooting or other fused shooting functions. In some embodiments, the camera assembly 506 may also include a flash. The flash may be a single-color-temperature flash or a dual-color-temperature flash. A dual-color-temperature flash is a combination of a warm-light flash and a cold-light flash, and can be used for light compensation under different color temperatures.
The audio circuitry 507 may include a microphone and a speaker. The microphone collects sound waves from the user and the environment, converts them into electrical signals, and inputs the electrical signals to the processor 501 for processing, or to the radio frequency circuit 504 for voice communication. Several microphones may be provided at different locations of the computer device 500 for stereo acquisition or noise reduction. The microphone may also be an array microphone or an omnidirectional pickup microphone. The speaker converts electrical signals from the processor 501 or the radio frequency circuit 504 into sound waves. The speaker may be a conventional thin-film speaker or a piezoelectric ceramic speaker. When the speaker is a piezoelectric ceramic speaker, the electrical signal can be converted not only into sound waves audible to humans, but also into sound waves inaudible to humans for ranging and other purposes. In some embodiments, the audio circuitry 507 may also include a headphone jack.
The positioning component 508 is used to determine the current geographic location of the computer device 500 to enable navigation or LBS (Location Based Service). The positioning component 508 may be a positioning component based on the GPS (Global Positioning System) of the United States, the Beidou system of China, the GLONASS system of Russia, or the Galileo system of the European Union.
The power supply 509 is used to power the various components in the computer device 500. The power supply 509 may be an alternating current, a direct current, a disposable battery, or a rechargeable battery. When the power supply 509 comprises a rechargeable battery, the rechargeable battery may support wired or wireless charging. The rechargeable battery may also be used to support fast charge technology.
In some embodiments, the computer device 500 further includes one or more sensors 510. The one or more sensors 510 include, but are not limited to: an acceleration sensor 511, a gyro sensor 512, a pressure sensor 513, a fingerprint sensor 514, an optical sensor 515, and a proximity sensor 516.
The acceleration sensor 511 can detect the magnitudes of accelerations on three coordinate axes of the coordinate system established with the computer device 500. For example, the acceleration sensor 511 may be used to detect components of gravitational acceleration on three coordinate axes. The processor 501 may control the touch display 505 to display a user interface in a landscape view or a portrait view according to a gravitational acceleration signal acquired by the acceleration sensor 511. The acceleration sensor 511 may also be used for acquisition of motion data of a game or a user.
The gyro sensor 512 may detect a body direction and a rotation angle of the computer device 500, and the gyro sensor 512 may collect a 3D motion of the user on the computer device 500 in cooperation with the acceleration sensor 511. The processor 501 may implement the following functions based on the data collected by the gyro sensor 512: motion sensing (e.g., changing UI according to a tilting operation by a user), image stabilization at shooting, game control, and inertial navigation.
The pressure sensor 513 may be disposed on a side frame of the computer device 500 and/or on an underlying layer of the touch display screen 505. When the pressure sensor 513 is disposed on the side frame of the computer device 500, a grip signal of the user holding the computer device 500 may be detected, and the processor 501 performs left/right-hand recognition or a quick operation according to the grip signal collected by the pressure sensor 513. When the pressure sensor 513 is disposed on the lower layer of the touch display screen 505, the processor 501 controls the operable controls on the UI according to the pressure the user applies to the touch display screen 505. The operable controls include at least one of a button control, a scroll bar control, an icon control, and a menu control.
The fingerprint sensor 514 collects the user's fingerprint, and either the processor 501 identifies the user from the fingerprint collected by the fingerprint sensor 514, or the fingerprint sensor 514 identifies the user from the collected fingerprint itself. Upon recognizing the user's identity as a trusted identity, the processor 501 authorizes the user to perform relevant sensitive operations, including unlocking the screen, viewing encrypted information, downloading software, making payments, changing settings, and so on. The fingerprint sensor 514 may be provided on the front, back or side of the computer device 500. When a physical key or vendor logo is provided on the computer device 500, the fingerprint sensor 514 may be integrated with the physical key or vendor logo.
The optical sensor 515 is used to collect the ambient light intensity. In one embodiment, the processor 501 may control the display brightness of the touch screen 505 based on the ambient light intensity collected by the optical sensor 515. Specifically, when the intensity of the ambient light is high, the display brightness of the touch display screen 505 is turned up; when the ambient light intensity is low, the display brightness of the touch display screen 505 is turned down. In another embodiment, the processor 501 may also dynamically adjust the shooting parameters of the camera assembly 506 based on the ambient light intensity collected by the optical sensor 515.
A proximity sensor 516, also referred to as a distance sensor, is typically provided on the front panel of the computer device 500. The proximity sensor 516 is used to collect the distance between the user and the front of the computer device 500. In one embodiment, when the proximity sensor 516 detects a gradual decrease in the distance between the user and the front of the computer device 500, the processor 501 controls the touch display 505 to switch from the bright screen state to the off screen state; when the proximity sensor 516 detects that the distance between the user and the front of the computer device 500 gradually increases, the touch display 505 is controlled by the processor 501 to switch from the off-screen state to the on-screen state.
Those skilled in the art will appreciate that the architecture shown in fig. 5 is not limiting as to the computer device 500, and may include more or fewer components than shown, or may combine certain components, or employ a different arrangement of components.
In an exemplary embodiment, a computer-readable storage medium is also provided, such as a memory comprising instructions executable by a processor in a computer device to perform the method of preventing malicious code execution described herein. For example, the computer-readable storage medium may be a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, etc.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program for instructing relevant hardware, where the program may be stored in a computer readable storage medium, and the storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The foregoing description of the preferred embodiments of the application is not intended to limit the application to the precise form disclosed, and any such modifications, equivalents, and alternatives falling within the spirit and scope of the application are intended to be included within the scope of the application.

Claims (10)

1. A method of preventing malicious code from executing, the method comprising:
receiving a browser homepage locking instruction input by a user;
starting to monitor an establishment event of the browser process;
when a second instruction for calling an asynchronous procedure call (APC) function in the browser process is received, acquiring a first parameter of an APC function call statement corresponding to the second instruction, wherein the first parameter is a target memory address to which a code to be called by the APC function belongs;
acquiring a target code stored in the target memory address;
based on a malicious code library, determining whether the target code is malicious code, and after the target code is determined to be malicious code, preventing the target code from executing.
2. The method according to claim 1, wherein the method further comprises:
when a first instruction for establishing a first thread in the browser process is received, a target memory address corresponding to the first instruction and used for calling an initial execution code of the thread is obtained.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
determining that the memory type of the target memory address is a preset memory type, and that the memory state of the target memory address is a preset memory state, wherein the preset memory type and the preset memory state are the memory type and the memory state of a cross-process allocation.
4. The method of claim 1 or 2, wherein the preventing the target code from executing comprises:
modifying the target code into a preset code, wherein the preset code comprises a return statement, and the return statement is used for returning a preset value.
5. An apparatus for preventing malicious code from executing, the apparatus comprising:
the receiving module is used for receiving a browser homepage locking instruction input by a user;
the monitoring module is used for starting to monitor the establishment event of the browser process;
the detection module is used for acquiring a first parameter of an APC function call statement corresponding to a second instruction when the second instruction for calling an APC function in the browser process is received, wherein the first parameter is a target memory address to which a code to be called by the APC function belongs;
the acquisition module is used for acquiring the target codes stored in the target memory address;
and the blocking module is used for determining whether the target code is malicious code based on a malicious code library, and blocking the target code from being executed after the target code is determined to be malicious code.
6. The apparatus of claim 5, wherein the detection module is further configured to:
when a first instruction for establishing a first thread in the browser process is received, a target memory address corresponding to the first instruction and used for calling an initial execution code of the thread is obtained.
7. The apparatus of claim 5, wherein the apparatus further comprises:
the determining module is used for determining that the memory type of the target memory address is a preset memory type, and that the memory state of the target memory address is a preset memory state, wherein the preset memory type and the preset memory state are the memory type and the memory state of a cross-process allocation.
8. The apparatus of claim 5 or 6, wherein the blocking module is configured to:
modifying the target code into a preset code, wherein the preset code comprises a return statement, and the return statement is used for returning a preset value.
9. A computer device comprising a processor and a memory having at least one instruction stored therein, the instruction being loaded and executed by the processor to implement the operations of the method according to any one of claims 1-4.
10. A computer-readable storage medium having stored therein at least one instruction that is loaded and executed by a processor to implement the operations of the method according to any one of claims 1-4.
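The check-and-block pipeline described for the detection, determining and blocking modules above and claimed in claims 1 to 4 (intercept the address handed to an APC or a new thread, confirm the memory looks like a cross-process allocation, match the bytes there against a malicious code library, and patch the code into a return stub) is shown here as an added C simulation. It is not the patent's code. The Windows calls a real implementation would hook are replaced by constructed inputs so the logic runs anywhere; the mapping of "preset memory type and state" to MEM_PRIVATE/MEM_COMMIT, the signature bytes, the stub encoding (`xor eax, eax; ret`) and all function names are this example's own assumptions.

```c
/* Added example, not from the patent: simulation of the claimed pipeline for code
 * reached through an APC or a new thread's start address. Windows API calls are
 * replaced by constructed inputs so the logic runs stand-alone. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed "preset" attributes of a cross-process allocation: committed private
 * memory, as an allocation made from another process yields. The values mirror
 * the Windows MEM_COMMIT and MEM_PRIVATE constants. */
#define PRESET_MEM_STATE 0x1000u   /* MEM_COMMIT  */
#define PRESET_MEM_TYPE  0x20000u  /* MEM_PRIVATE */
#define MEM_IMAGE_TYPE   0x1000000u /* MEM_IMAGE: module-backed memory */

/* Constructed stand-in for a region descriptor (what a memory query would fill). */
typedef struct {
    uint8_t *base;   /* target memory address */
    size_t   size;   /* bytes readable at base */
    uint32_t state;  /* memory state */
    uint32_t type;   /* memory type */
} region_t;

/* Constructed "malicious code library": toy byte signatures, not real malware. */
typedef struct { const uint8_t *bytes; size_t len; } signature_t;
static const uint8_t SIG_A[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02 };
static const uint8_t SIG_B[] = { 0xCA, 0xFE, 0xBA, 0xBE };
static const signature_t LIBRARY[] = { { SIG_A, sizeof SIG_A }, { SIG_B, sizeof SIG_B } };

/* Preset code substituted for the target code: a return statement yielding a
 * preset value. Encoded as x86-64 `xor eax, eax ; ret` (return 0); the patent
 * fixes no particular opcode, this is the example's choice. */
static const uint8_t PRESET_RETURN_STUB[] = { 0x31, 0xC0, 0xC3 };

/* Claim 3: only memory that looks like a cross-process allocation is inspected. */
int is_cross_process_region(const region_t *r) {
    return r->state == PRESET_MEM_STATE && r->type == PRESET_MEM_TYPE;
}

/* Claim 1: match the target code against the library.
 * Returns the index of the first matching signature, or -1 if none matches. */
int find_malicious_signature(const uint8_t *code, size_t len) {
    for (size_t i = 0; i < sizeof LIBRARY / sizeof LIBRARY[0]; i++) {
        const signature_t *s = &LIBRARY[i];
        if (len < s->len) continue;
        for (size_t off = 0; off + s->len <= len; off++)
            if (memcmp(code + off, s->bytes, s->len) == 0) return (int)i;
    }
    return -1;
}

/* Claim 4: overwrite the start of the target code with the stub, so that when
 * the APC or thread start fires, the code returns the preset value at once. */
void block_target_code(region_t *r) {
    if (r->size >= sizeof PRESET_RETURN_STUB)
        memcpy(r->base, PRESET_RETURN_STUB, sizeof PRESET_RETURN_STUB);
}

/* Whole pipeline for one intercepted APC / thread-start address.
 * Returns 1 if the code was blocked, 0 if it was allowed through. */
int inspect_apc_target(region_t *r) {
    if (!is_cross_process_region(r)) return 0;                    /* not cross-process memory */
    if (find_malicious_signature(r->base, r->size) < 0) return 0; /* not in the library */
    block_target_code(r);
    return 1;
}

/* Constructed case 1: library bytes in private committed memory -> blocked and
 * patched. Returns 1 only if the stub really landed at the target address. */
int demo_injected_blocked(void) {
    uint8_t injected[16] = { 0x90, 0x90, 0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02 };
    region_t r = { injected, sizeof injected, PRESET_MEM_STATE, PRESET_MEM_TYPE };
    int blocked = inspect_apc_target(&r);
    return blocked && memcmp(injected, PRESET_RETURN_STUB, sizeof PRESET_RETURN_STUB) == 0;
}

/* Constructed case 2: the same bytes inside module-backed (image) memory are not
 * a cross-process allocation, so the memory-type gate leaves them alone. */
int demo_image_region_allowed(void) {
    uint8_t in_image[8] = { 0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02 };
    region_t r = { in_image, sizeof in_image, PRESET_MEM_STATE, MEM_IMAGE_TYPE };
    return inspect_apc_target(&r) == 0;
}

int main(void) {
    printf("injected code blocked and patched: %d\n", demo_injected_blocked());
    printf("image-backed code left untouched:  %d\n", demo_image_region_allowed());
    return 0;
}
```

The memory-type gate in `is_cross_process_region` is what keeps the signature scan cheap and keeps it away from legitimately loaded modules; a deployment would replace the toy byte signatures with the real malicious code library and the region struct with the result of a memory query on the intercepted address.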
CN201910663153.7A 2019-07-22 2019-07-22 Method and device for preventing malicious code from executing Active CN111191227B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910663153.7A CN111191227B (en) 2019-07-22 2019-07-22 Method and device for preventing malicious code from executing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910663153.7A CN111191227B (en) 2019-07-22 2019-07-22 Method and device for preventing malicious code from executing

Publications (2)

Publication Number Publication Date
CN111191227A CN111191227A (en) 2020-05-22
CN111191227B true CN111191227B (en) 2023-12-12

Family

ID=70707161

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910663153.7A Active CN111191227B (en) 2019-07-22 2019-07-22 Method and device for preventing malicious code from executing

Country Status (1)

Country Link
CN (1) CN111191227B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110737892B (en) * 2018-07-20 2021-11-09 武汉斗鱼网络科技有限公司 Detection method aiming at APC injection and related device
CN112052167A (en) * 2020-08-25 2020-12-08 北京梧桐车联科技有限责任公司 Method and device for generating test script code
CN114707150B (en) * 2022-03-21 2023-05-09 安芯网盾(北京)科技有限公司 Malicious code detection method and device, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101005497A (en) * 2006-11-27 2007-07-25 科博技术有限公司 System and method for preventing vicious code attach
CN102831339A (en) * 2012-07-19 2012-12-19 北京奇虎科技有限公司 Method, device and browser for protecting webpage against malicious attack
CN106682512A (en) * 2016-11-25 2017-05-17 腾讯科技(深圳)有限公司 Method, device and system for preventing programs from being corrected
CN109583202A (en) * 2017-09-29 2019-04-05 卡巴斯基实验室股份制公司 System and method for the malicious code in the address space of detection procedure

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9509714B2 (en) * 2014-05-22 2016-11-29 Cabara Software Ltd. Web page and web browser protection against malicious injections

Also Published As

Publication number Publication date
CN111191227A (en) 2020-05-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant