CN111368299A - Dynamic link library file hijacking detection method, device and storage medium - Google Patents


Publication number
CN111368299A
Authority
CN
China
Prior art keywords
dll
dll file
program
loaded
hijacking
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010136570.9A
Other languages
Chinese (zh)
Inventor
赵培源
韩鹏
余俊峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xi'an Clover Cyber Technology Co ltd
Original Assignee
Xi'an Clover Cyber Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xi'an Clover Cyber Technology Co ltd filed Critical Xi'an Clover Cyber Technology Co ltd
Priority to CN202010136570.9A priority Critical patent/CN111368299A/en
Publication of CN111368299A publication Critical patent/CN111368299A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating
    • G06F9/44505 Configuring for program initiating, e.g. using registry, configuration files
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating
    • G06F9/44521 Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Storage Device Security (AREA)

Abstract

The disclosure provides a method, equipment and a storage medium for detecting hijacking of a dynamic link library, relates to the technical field of computer security, and can solve the problem that the existing program cannot detect the DLL hijacking in the starting process. The specific technical scheme is as follows: acquiring a Dynamic Link Library (DLL) file list corresponding to a target program; embedding the DLL file list into a preset starter program; debugging and starting a target program through a starter program, and capturing a DLL file loading event of the target program; detecting whether the loaded DLL file is matched with the DLL file in the DLL file list or not according to the DLL file loading event; and when the loaded DLL file is not matched with any DLL file in the DLL file list, determining that DLL hijacking exists. The invention is used for detecting whether DLL hijacking exists or not.

Description

Dynamic link library file hijacking detection method, device and storage medium
Technical Field
The present disclosure relates to the field of computer security technologies, and in particular, to a method, an apparatus, and a storage medium for detecting hijacking of a dynamic link library.
Background
A Dynamic Link Library (DLL) is a library containing code and data that multiple programs can use simultaneously, which saves memory and enables code reuse. In Windows, when a program is executed, the DLLs it depends on are called. When a process loads a DLL without specifying its absolute path, Windows looks for the DLL file along a predefined search path, checking the directories in a particular order. If an attacker places a malicious DLL file in one of those directories and ensures that it is found before the legitimate DLL, the process loads the malicious DLL; this is so-called DLL hijacking.
In the prior art, a program can defend against or detect DLL hijacking by itself, but it can only begin doing so after it has started. DLLs, however, must be loaded during program startup, and if a DLL is hijacked during startup, the original program's defense or detection logic can be modified. As a result, no program can defend against DLL hijacking during its own startup process.
Disclosure of Invention
The embodiments of the disclosure provide a dynamic link library hijacking detection method, device and storage medium, which can solve the problem that an existing program cannot detect DLL hijacking during its startup process. The technical scheme is as follows:
according to a first aspect of the embodiments of the present disclosure, a method for detecting dynamic link library hijacking is provided, where the method includes:
acquiring a Dynamic Link Library (DLL) file list corresponding to a target program, wherein the DLL file list comprises all DLL files to be called by the target program;
embedding the DLL file list into a preset starter program;
debugging and starting a target program through a starter program, and capturing a DLL file loading event of the target program;
detecting whether the loaded DLL file is matched with the DLL file in the DLL file list or not according to the DLL file loading event;
and when the loaded DLL file is not matched with any DLL file in the DLL file list, determining that DLL hijacking exists.
By adding a starter program, the present disclosure can debug-launch the target program without modifying the original target program, obtain the loading information of the target program's DLL files at the earliest moment, and determine whether DLL hijacking or tampering has occurred by comparing each loaded DLL file with the DLL files in the DLL file list, which solves the problem that an existing program cannot detect DLL hijacking during its startup process.
In one embodiment, the DLL file list further includes: a check value for each DLL file; the method further comprises the following steps:
when the loaded DLL file is matched with a target DLL file in the DLL file list, calculating a check value of the loaded DLL file;
detecting whether the check value of the loaded DLL file is the same as the check value of the target DLL file;
and when the verification value of the loaded DLL file is different from the verification value of the target DLL file, determining that DLL hijacking exists.
In one embodiment, the method further comprises: and when determining that the DLL hijacking exists, generating prompt information and finishing running the target program.
In one embodiment, the method further comprises: and when the verification value of the loaded DLL file is the same as that of the target DLL file, continuing to run the target program.
In one embodiment, the obtaining the dynamic link library DLL file list corresponding to the target program includes:
and acquiring all DLL files to be called from a program directory and/or a system directory corresponding to the target program to obtain a DLL file list.
In one embodiment, before obtaining the list of the dynamic link library DLL files corresponding to the target program, the method further includes:
and acquiring a launcher program and installing the launcher program in a system directory.
In one embodiment, after embedding the DLL file list into the preset launcher program, the method further comprises:
and performing digital signature on all DLL files in the DLL file list, and starting a flag bit for forcibly checking the signature so as to perform digital signature checking when the DLL files are loaded.
In one embodiment, the check value is a hash value obtained by using SHA256 hash algorithm.
According to a second aspect of the embodiments of the present disclosure, a dynamic link library hijacking detection device is provided, where the dynamic link library hijacking detection device includes a processor and a memory, where the memory stores at least one computer instruction, and the instruction is loaded and executed by the processor to implement the steps performed in the dynamic link library hijacking detection method described in the first aspect and any embodiment of the first aspect.
According to a third aspect of the embodiments of the present disclosure, a computer-readable storage medium is provided, in which at least one computer instruction is stored, where the instruction is loaded and executed by a processor to implement the steps performed in the dynamic link library hijacking detection method described in the first aspect and any embodiment of the first aspect.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
Fig. 1 is a flowchart of a method for detecting hijacking of a dynamic link library according to an embodiment of the present disclosure;
Fig. 2 is a flowchart of a method for detecting hijacking of a dynamic link library according to an embodiment of the present disclosure;
Fig. 3 is a structural diagram of a dynamic link library hijacking detection apparatus according to an embodiment of the present disclosure;
Fig. 4 is a structural diagram of a dynamic link library hijacking detection apparatus according to an embodiment of the present disclosure;
Fig. 5 is a structural diagram of a dynamic link library hijacking detection apparatus according to an embodiment of the present disclosure.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the exemplary embodiments below are not intended to represent all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present disclosure, as detailed in the appended claims.
Before introducing the embodiments of the present disclosure, the directories in which Windows looks for DLL files, and the order in which it searches them, are briefly described.
Before Windows XP SP2, Windows searched the following directories for a DLL, in this order:
1. the directory where the application program corresponding to the process is located; 2. the current directory (i.e., the directory where a certain file is being operated on); 3. the system directory (obtained through GetSystemDirectory; System32); 4. the 16-bit system directory (System); 5. the Windows directory (obtained through GetWindowsDirectory); 6. the individual directories in the PATH environment variable.
After Windows XP SP2, a SafeDllSearchMode (safe DLL search mode) registry value was added, with the registry path as follows:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode. When the value of SafeDllSearchMode is set to 1, i.e. the safe DLL search mode is on, Windows searches the following directories for a DLL, in this order:
1. the directory where the application program corresponding to the process is located; 2. the system directory; 3. the 16-bit system directory; 4. the Windows directory; 5. the current directory (the directory where a certain file is being operated on); 6. the individual directories in the PATH environment variable.
For versions above Windows 7, the system does not have SafeDllSearchMode but uses KnownDLLs, so that all DLL files listed under this key are prohibited from being called from the directory where the exe is located and can only be called from the system directory, i.e. System32. The registry location is: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
Operating systems above Windows 2003 and Windows 7 thus determine the path of the DLL to be called by the application program through the "DLL path search directory order" and "KnownDLLs registry key" mechanisms, and the application program then loads the DLL into its own memory space to execute the corresponding function.
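The search orders described above can be modelled to audit which copy of a DLL name would win on a given layout. The following is an added example, not part of the patent text; the directory paths, file names and the `KNOWN` set are constructed for illustration.

```python
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed directory names standing in for the six search locations.
APP = r"C:\Program Files\Demo"      # directory of the application
CWD = r"C:\Users\u\Documents"       # current directory
SYS32 = r"C:\Windows\System32"      # system directory
SYS16 = r"C:\Windows\System"        # 16-bit system directory
WIN = r"C:\Windows"                 # Windows directory
PATH1 = r"C:\Tools"                 # one PATH entry

LEGACY_ORDER = [APP, CWD, SYS32, SYS16, WIN, PATH1]   # before Windows XP SP2
SAFE_ORDER = [APP, SYS32, SYS16, WIN, CWD, PATH1]     # SafeDllSearchMode = 1

# Constructed file layout: which DLL names exist in which directory.
FILES: Dict[str, Set[str]] = {
    APP: {"app_core.dll", "netutil.dll"},
    CWD: {"imgcodec.dll"},
    SYS32: {"netutil.dll", "imgcodec.dll"},
    SYS16: set(),
    WIN: set(),
    PATH1: {"extra.dll"},
}
KNOWN: FrozenSet[str] = frozenset({"netutil.dll"})     # constructed KnownDLLs entries


def resolve(name: str, order: List[str], files: Dict[str, Set[str]],
            known_dlls: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Return the directory a DLL name resolves to, or None if it is not found."""
    key = name.lower()
    if key in known_dlls:
        # As described above: KnownDLLs entries come only from the system directory.
        return SYS32 if key in files.get(SYS32, set()) else None
    for directory in order:
        if key in files.get(directory, set()):
            return directory
    return None


def shadow_report(order: List[str], files: Dict[str, Set[str]],
                  known_dlls: FrozenSet[str] = frozenset()) -> List[Tuple[str, str]]:
    """List system DLL names that resolve to a copy outside the system directory."""
    findings = []
    for name in sorted(files.get(SYS32, set())):
        winner = resolve(name, order, files, known_dlls)
        if winner != SYS32:
            findings.append((name, winner))
    return findings


if __name__ == "__main__":
    for label, order, known in (("legacy", LEGACY_ORDER, frozenset()),
                                ("safe", SAFE_ORDER, frozenset()),
                                ("safe+KnownDLLs", SAFE_ORDER, KNOWN)):
        print(label, shadow_report(order, FILES, known))
```

The report shows why the program directory remains the place to watch: the safe search mode removes the current-directory shadow, but a same-named file beside the executable still wins unless the name is covered by KnownDLLs.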
The disclosed embodiment provides a dynamic link library hijacking detection method, as shown in fig. 1, the dynamic link library hijacking detection method includes the following steps:
101. Acquire the dynamic link library (DLL) file list corresponding to the target program.
The DLL file list includes all DLL files that the target program is to call. In the embodiment of the present disclosure, acquiring the DLL file list corresponding to the target program includes: acquiring all DLL files to be called from the program directory and/or the system directory corresponding to the target program to obtain the DLL file list. The program directory is the directory where the application program corresponding to the process is located. Generally, the program directory and the system directory contain all DLL files required by the target program, so the DLL file list of the target program is generated from the acquired DLL files.
It should be noted that the target program may be any program; the present disclosure merely uses the target program as an example to describe the process of detecting whether a DLL file loaded while a program runs has been hijacked or tampered with, and the term "target" does not represent any limitation.
102. Embed the DLL file list into a preset starter program.
In the embodiment of the disclosure, a simple debugger is written in advance as the launcher program and is placed in the system directory at installation time, which prevents it from being tampered with or hijacked by a malicious program. After the DLL file list of the target program is obtained, the DLL file list is embedded into the preset starter program.
103. Debug-launch the target program through the starter program, and capture the DLL file loading events of the target program.
In the embodiment of the disclosure, the target program must be debug-launched through the starter program; otherwise the DLL file loading events of the target program cannot be obtained. Once the target program is started, the starter program can capture every DLL file the target program loads during startup. A starter program can therefore be added without modifying the original target program, and the loading information of the DLL files is obtained at the earliest moment, in debugging mode, to detect whether DLL hijacking or tampering exists.
104. Detect, according to the DLL file loading event, whether the loaded DLL file matches a DLL file in the DLL file list.
When it is detected that the target program has loaded a DLL file, the loaded DLL file is compared in turn with each DLL file in the DLL file list to detect whether it matches a DLL file in the list.
105. When the loaded DLL file does not match any DLL file in the DLL file list, determine that DLL hijacking exists.
Because the DLL files in the DLL file list are the legitimate DLL files that the target program needs to call, a loaded DLL file that does not match any DLL file in the DLL file list indicates DLL hijacking. When DLL hijacking exists, the starter program can generate prompt information indicating that a DLL file has been tampered with, and terminate the target program.
The dynamic link library hijacking detection method provided by the embodiment of the disclosure comprises: acquiring a dynamic link library (DLL) file list corresponding to a target program; embedding the DLL file list into a preset starter program; debug-launching the target program through the starter program, and capturing the DLL file loading events of the target program; detecting, according to the DLL file loading event, whether the loaded DLL file matches a DLL file in the DLL file list; and when the loaded DLL file does not match any DLL file in the DLL file list, determining that DLL hijacking exists. By adding a starter program, the present disclosure can debug-launch the target program without modifying the original target program, obtain the loading information of the target program's DLL files at the earliest moment, and determine whether DLL hijacking or tampering has occurred by comparing each loaded DLL file with the DLL files in the DLL file list, which solves the problem that an existing program cannot detect DLL hijacking during its startup process.
Based on the dynamic link library hijacking detection method provided by the embodiment corresponding to fig. 1, another embodiment of the present disclosure provides another dynamic link library hijacking detection method. In this method, it is assumed that a malicious program has no write permission on the system directory; otherwise the malicious program could directly tamper with the DLLs in the system directory and thereby control the entire operating system, with no need to tamper with an individual program. In addition, DLL hijacking and file tampering are necessarily carried out first in the program directory (namely, the directory where the application program corresponding to the process is located), because the program directory is the first directory searched for DLLs. Generally, the program directory and the system directory contain all DLLs required by the program, and since a malicious program has no write permission with which to hijack or tamper with the system directory, only the program directory needs to be defended and checked.
Referring to fig. 2, the method for detecting hijacking of a dynamic link library provided in this embodiment includes the following steps:
201. Acquire the dynamic link library (DLL) file list corresponding to the target program.
The DLL file list includes all DLL files to be called by the target program and a check value for each DLL file. In the embodiment of the present disclosure, acquiring the DLL file list corresponding to the target program includes: acquiring all DLL files to be called, and the check value of each DLL file, from the program directory and/or the system directory corresponding to the target program to obtain the DLL file list. The check value of a DLL file may be a hash value calculated with the SHA256 hash algorithm; of course, other algorithms may also be used to calculate the check value corresponding to each DLL file.
202. Embed the DLL file list into a preset starter program.
In the embodiment of the present disclosure, the DLL file list is embedded into the preset starter program; at the same time, all DLL files in the DLL file list are digitally signed and the flag bit for system-enforced signature checking is turned on, that is, the integrity check (IntegrityCheck) option is used when the program is linked, so that a digital signature check is performed when the DLL files are loaded.
203. Debug-launch the target program through the starter program, and capture the DLL file loading events of the target program.
204. Detect, according to the DLL file loading event, whether the loaded DLL file matches a DLL file in the DLL file list.
For the description of steps 203-204, reference may be made to the description of steps 103-104 in FIG. 1, which is not repeated here. When the loaded DLL file does not match any DLL file in the DLL file list, step 205 is executed; when the loaded DLL file matches a target DLL file in the DLL file list, step 206 is executed.
205. When the loaded DLL file does not match any DLL file in the DLL file list, determine that DLL hijacking exists.
Because the DLL files in the DLL file list are the legitimate DLL files that the target program needs to call, a loaded DLL file that is in the program directory and does not match any DLL file in the DLL file list indicates DLL hijacking. When DLL hijacking exists, step 210 is executed.
206. When the loaded DLL file matches a target DLL file in the DLL file list, calculate the check value of the loaded DLL file.
207. Detect whether the check value of the loaded DLL file is the same as the check value of the target DLL file.
When the loaded DLL file matches a target DLL file in the DLL file list, the check value of the loaded DLL file is further calculated and compared with the check value of the target DLL file. When the check value of the loaded DLL file differs from the check value of the target DLL file, step 208 is executed; when the check value of the loaded DLL file is identical to the check value of the target DLL file, step 209 is executed.
208. When the check value of the loaded DLL file differs from the check value of the target DLL file, determine that DLL hijacking exists.
209. When the check value of the loaded DLL file is the same as the check value of the target DLL file, continue running the target program.
210. When it is determined that DLL hijacking exists, generate prompt information and terminate the target program.
The embodiments of the present disclosure can solve the problem that an existing program cannot detect DLL hijacking or tampering during its startup process.
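The decision flow of steps 201 and 204 to 210 can be sketched as follows. This is an added example, not code from the patent: it replays constructed DLL load events instead of running a debugger (on Windows the starter program would take each path from the debug event reporting a DLL load), and it assumes that list entries are matched by full path.

```python
import hashlib
import os
import tempfile
from enum import Enum
from typing import Dict, Iterable, List, Tuple


class Verdict(Enum):
    OK = "check value matches, keep running"          # step 209
    NOT_IN_LIST = "hijack: DLL not in list"           # step 205
    HASH_MISMATCH = "hijack: check value differs"     # step 208


def _key(path: str) -> str:
    # Assumption: entries are matched by full path (case-insensitive on Windows).
    return os.path.normcase(os.path.realpath(path))


def sha256_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_dll_list(*directories: str) -> Dict[str, str]:
    """Step 201: record every DLL in the given directories with its SHA-256."""
    dll_list: Dict[str, str] = {}
    for directory in directories:
        for name in sorted(os.listdir(directory)):
            if name.lower().endswith(".dll"):
                full = os.path.join(directory, name)
                dll_list[_key(full)] = sha256_file(full)
    return dll_list


def check_load(loaded_path: str, dll_list: Dict[str, str]) -> Verdict:
    """Steps 204-209 for one DLL load event."""
    expected = dll_list.get(_key(loaded_path))
    if expected is None:
        return Verdict.NOT_IN_LIST
    if sha256_file(loaded_path) != expected:
        return Verdict.HASH_MISMATCH
    return Verdict.OK


def monitor(load_events: Iterable[str],
            dll_list: Dict[str, str]) -> Tuple[List[Verdict], bool]:
    """Check events in load order; stop at the first hijack verdict (step 210)."""
    verdicts: List[Verdict] = []
    for path in load_events:
        verdict = check_load(path, dll_list)
        verdicts.append(verdict)
        if verdict is not Verdict.OK:
            return verdicts, True      # target program would be terminated
    return verdicts, False


def _write(path: str, data: bytes) -> str:
    with open(path, "wb") as handle:
        handle.write(data)
    return path


def demo() -> Dict[str, Tuple[List[Verdict], bool]]:
    """Run three constructed scenarios in a temporary directory tree."""
    with tempfile.TemporaryDirectory() as root:
        prog, sysdir = os.path.join(root, "program"), os.path.join(root, "system")
        os.mkdir(prog)
        os.mkdir(sysdir)
        core = _write(os.path.join(prog, "app_core.dll"), b"constructed app dll")
        sysdll = _write(os.path.join(sysdir, "sys_stub.dll"), b"constructed system dll")
        dll_list = build_dll_list(prog, sysdir)           # baseline before any change

        results = {"clean": monitor([sysdll, core], dll_list)}
        # An unexpected same-named file appears in the program directory.
        planted = _write(os.path.join(prog, "sys_stub.dll"), b"unexpected copy")
        results["planted"] = monitor([planted, core], dll_list)
        os.remove(planted)
        # A listed file is modified after the baseline was taken.
        _write(core, b"modified app dll")
        results["tampered"] = monitor([sysdll, core], dll_list)
        return results


if __name__ == "__main__":
    for scenario, (verdicts, terminated) in demo().items():
        print(scenario, [v.name for v in verdicts], "terminated" if terminated else "running")
```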
Based on the above-described dynamic link library hijacking detection method described in the embodiments corresponding to fig. 1 and fig. 3, the following is an embodiment of the apparatus of the present disclosure, and may be used to execute the embodiment of the method of the present disclosure.
The embodiment of the present disclosure provides a dynamic link library hijacking detection device, as shown in fig. 3, where the dynamic link library hijacking detection device 30 includes: an acquisition module 301, an embedding module 302, a capture module 303, a detection module 304, and a determination module 305;
an obtaining module 301, configured to obtain a dynamic link library DLL file list corresponding to a target program, where the DLL file list includes all DLL files to be called by the target program;
an embedding module 302, configured to embed the DLL file list into a preset starter program;
the capturing module 303 is configured to debug and start the target program through the launcher program, and capture a DLL file loading event of the target program;
the detection module 304 is configured to detect whether the loaded DLL file is matched with a DLL file in the DLL file list according to the DLL file loading event;
the determining module 305 is configured to determine that DLL hijacking exists when the loaded DLL file does not match any DLL file in the DLL file list.
In one embodiment, the DLL file list further includes: a check value for each DLL file; as shown in fig. 4, the dynamic link library hijacking detecting device 30 further includes: a calculation module 306;
a calculating module 306, configured to calculate a check value of the loaded DLL file when the loaded DLL file matches a target DLL file in the DLL file list;
a detection module 304, configured to detect whether a check value of the loaded DLL file is the same as a check value of the target DLL file;
the determining module 305 is configured to determine that DLL hijacking exists when the check value of the loaded DLL file is different from the check value of the target DLL file.
In one embodiment, as shown in fig. 5, the dynamically linked library hijacking detection device 30 further comprises: a processing module 307;
and the processing module 307 is configured to generate a prompt message and end running the target program when it is determined that the DLL hijacking exists.
In one embodiment, the processing module 307 is configured to continue running the target program when the check value of the loaded DLL file is the same as the check value of the target DLL file.
In an embodiment, the obtaining module 301 is configured to obtain all DLL files to be called from a program directory and/or a system directory corresponding to a target program, so as to obtain a DLL file list.
In one embodiment, the obtaining module 301 is configured to obtain a launcher program and install the launcher program in a system directory.
In one embodiment, the check value is a hash value obtained by using SHA256 hash algorithm.
In one embodiment, the processing module 307 is configured to digitally sign all DLL files in the DLL file list, and turn on a flag bit of the mandatory check signature, so as to perform digital signature check when the DLL file is loaded.
The embodiments of the present disclosure can solve the problem that an existing program cannot detect DLL hijacking or tampering during its startup process.
The embodiment of the present disclosure further provides a dynamic link library hijacking detection device, where the dynamic link library hijacking detection device includes a receiver, a transmitter, a memory, and a processor, the transmitter and the memory are respectively connected to the processor, the memory stores at least one computer instruction, and the processor is configured to load and execute the at least one computer instruction, so as to implement the dynamic link library hijacking detection method described in the embodiment corresponding to fig. 1 and fig. 2.
Based on the above-described hijacking detection method for the dynamic link library described in the embodiment corresponding to fig. 1 and fig. 2, an embodiment of the present disclosure further provides a computer-readable storage medium, for example, the non-transitory computer-readable storage medium may be a Read Only Memory (ROM), a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like. The storage medium stores computer instructions for executing the method for detecting hijacking of a dynamic link library described in the embodiment corresponding to fig. 1 and fig. 2, which is not described herein again.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (10)

1. A dynamic link library hijacking detection method is characterized by comprising the following steps:
acquiring a Dynamic Link Library (DLL) file list corresponding to a target program, wherein the DLL file list comprises all DLL files to be called by the target program;
embedding the DLL file list into a preset starter program;
debugging and starting the target program through the starter program, and capturing a DLL file loading event of the target program;
detecting whether the loaded DLL file is matched with the DLL file in the DLL file list or not according to the DLL file loading event;
and determining that DLL hijacking exists when the loaded DLL file is not matched with any DLL file in the DLL file list.
2. The method of claim 1, wherein the DLL file list further comprises: a check value for each DLL file; the method further comprises the following steps:
when the loaded DLL file is matched with a target DLL file in the DLL file list, calculating a check value of the loaded DLL file;
detecting whether the check value of the loaded DLL file is the same as the check value of the target DLL file;
and when the verification value of the loaded DLL file is different from the verification value of the target DLL file, determining that DLL hijacking exists.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
and when determining that the DLL hijacking exists, generating prompt information and finishing running the target program.
4. The method of claim 2, further comprising:
and when the verification value of the loaded DLL file is the same as that of the target DLL file, continuing to run the target program.
5. The method of claim 1, wherein the obtaining a list of Dynamic Link Library (DLL) files corresponding to the target program comprises:
and acquiring all DLL files to be called from the program directory and/or the system directory corresponding to the target program to obtain the DLL file list.
6. The method of claim 1, wherein before the obtaining the list of Dynamic Link Library (DLL) files corresponding to the target program, the method further comprises:
and acquiring the launcher program, and installing the launcher program in a system directory.
7. The method of claim 1 or 2, wherein after embedding the DLL file list in a preset launcher program, the method further comprises:
and performing digital signature on all DLL files in the DLL file list, and starting a flag bit for forcibly checking the signature so as to perform digital signature checking when the DLL files are loaded.
8. The method of claim 1, wherein the check value is a hash value obtained by using SHA256 hash algorithm.
9. A dynamic link library hijacking detection device, characterized in that it comprises a processor and a memory, said memory having stored therein at least one computer instruction, said instruction being loaded and executed by said processor to implement the steps performed in the dynamic link library hijacking detection method of any one of claims 1 to 8.
10. A computer-readable storage medium having stored therein at least one computer instruction which is loaded and executed by a processor to implement the steps performed in the dynamic link library hijacking detection method of any one of claims 1 to 8.
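The decision logic of claims 1, 2, 4 and 8, as an added Python example that is not code from the patent. It assumes that "matched" means the same normalised full path; the function names are hypothetical, the load event is simulated by passing the loaded path, and the sample files are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    # Check value as in claim 8: SHA-256 of the file contents.
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def norm(path):
    # Assumption: "matched" means same full path, compared as the OS compares paths.
    return os.path.normcase(os.path.realpath(path))

def build_dll_list(paths):
    """DLL file list with one check value per entry (claim 2)."""
    return {norm(p): sha256_file(p) for p in paths}

def check_load_event(dll_list, loaded_path):
    """Verdict for one DLL load event (hypothetical verdict strings)."""
    expected = dll_list.get(norm(loaded_path))
    if expected is None:
        return "hijack:not-in-list"            # claim 1: no entry matches
    if sha256_file(loaded_path) != expected:
        return "hijack:check-value-mismatch"   # claim 2: entry matches, hash differs
    return "ok"                                # claim 4: continue running

def write(path, data):
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed sample: one listed library, a same-name file elsewhere, an in-place change."""
    with tempfile.TemporaryDirectory() as root:
        system_dir = os.path.join(root, "system")
        app_dir = os.path.join(root, "app")
        os.mkdir(system_dir)
        os.mkdir(app_dir)
        good = os.path.join(system_dir, "helper.dll")
        planted = os.path.join(app_dir, "helper.dll")
        write(good, b"constructed legitimate library")
        dll_list = build_dll_list([good])
        results = {"legitimate": check_load_event(dll_list, good)}
        write(planted, b"constructed same-name file")
        results["same name, other directory"] = check_load_event(dll_list, planted)
        write(good, b"constructed modified library")
        results["replaced in place"] = check_load_event(dll_list, good)
        return results

if __name__ == "__main__":
    print(demo())
```

Matching on the file name alone would let the same-name file in the other directory pass the list check, which is why the example keys the list on the full path. Hashing by path after the load event also leaves a gap between check and use, which the enforced signature check of claim 7 addresses at load time.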
CN202010136570.9A 2020-03-02 2020-03-02 Dynamic link library file hijacking detection method, device and storage medium Pending CN111368299A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010136570.9A CN111368299A (en) 2020-03-02 2020-03-02 Dynamic link library file hijacking detection method, device and storage medium

Publications (1)

Publication Number Publication Date
CN111368299A true CN111368299A (en) 2020-07-03

Family

ID=71206671

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010136570.9A Pending CN111368299A (en) 2020-03-02 2020-03-02 Dynamic link library file hijacking detection method, device and storage medium

Country Status (1)

Country Link
CN (1) CN111368299A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111984452A (en) * 2020-08-26 2020-11-24 网易(杭州)网络有限公司 Program failure detection method, program failure detection device, electronic device, and storage medium
CN112231694A (en) * 2020-10-27 2021-01-15 北京人大金仓信息技术股份有限公司 Database detection method, device, equipment and medium
CN113536242A (en) * 2021-07-09 2021-10-22 深圳市元征未来汽车技术有限公司 Dynamic library calling method and device, terminal equipment and storage medium
CN113760393A (en) * 2021-09-22 2021-12-07 杭州安恒信息技术股份有限公司 Protection method, device, equipment and medium for dynamic link library

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000062159A2 (en) * 1999-04-08 2000-10-19 Chicago-Soft, Ltd. Method and system for dynamic injection of dynamic link libraries into a windowed operating system
CN102999720A (en) * 2012-11-09 2013-03-27 北京奇虎科技有限公司 Program identification method and system
CN103065092A (en) * 2012-12-24 2013-04-24 公安部第一研究所 Method for intercepting operating of suspicious programs
CN109240707A (en) * 2018-09-29 2019-01-18 珠海市君天电子科技有限公司 The method and apparatus for preventing malice dynamic link library (DLL) file from injecting
CN110688661A (en) * 2019-08-30 2020-01-14 深圳壹账通智能科技有限公司 Method and device for preventing dynamic link library file hijacking and computer equipment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
大江: "《个人电脑与外设故障排除:实用详解》", 31 January 2009 *
王洪香 等: "《Java程序设计案例教程》", 31 August 2007 *

Similar Documents

Publication Publication Date Title
CN111368299A (en) Dynamic link library file hijacking detection method, device and storage medium
US8424090B2 (en) Apparatus and method for detecting obfuscated malicious web page
US8082442B2 (en) Securely sharing applications installed by unprivileged users
US8443354B1 (en) Detecting new or modified portions of code
US20160142437A1 (en) Method and system for preventing injection-type attacks in a web based operating system
US7921461B1 (en) System and method for rootkit detection and cure
CN108763951B (en) Data protection method and device
CN110795128B (en) Program bug repairing method and device, storage medium and server
US20180218153A1 (en) Comparing structural information of a snapshot of system memory
CN114417335A (en) Malicious file detection method and device, electronic equipment and storage medium
JP6659180B2 (en) Control device and control method
CN110427758B (en) Position spoofing detection method, intelligent terminal and storage medium
CN111931192B (en) rootkit detection method and device and electronic equipment
CN109583206B (en) Method, device, equipment and storage medium for monitoring access process of application program
CN116611075A (en) Detection method, os detection firmware and system for preventing attack chip during XIP starting
CN113312623B (en) Process detection method and device in access control, electronic equipment and storage medium
JP4643201B2 (en) Buffer overflow vulnerability analysis method, data processing device, analysis information providing device, analysis information extraction processing program, and analysis information provision processing program
GB2599195A (en) Computer program trust assurance for Internet of Things (IoT) devices
CN114546420A (en) Software remote installation protection uninstalling method
CN114282205A (en) Firmware starting method and device and computer readable storage medium
JP4898823B2 (en) Application information alteration monitoring device and method
CN117786666B (en) Function code starting verification method and device, electronic equipment and storage medium
US11256492B2 (en) Computer program trust assurance for internet of things (IoT) devices
CN116910768B (en) Attack defending method, system, device and medium
KR101616793B1 (en) Method for checking integrity of application

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200703