CN115328580B - Processing method, device and medium for registry operation in application migration environment - Google Patents

Info

Publication number
CN115328580B
Authority
CN
China
Prior art keywords
registry
target
processing
option
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211250372.0A
Other languages
Chinese (zh)
Other versions
CN115328580A (en
Inventor
Inventor not disclosed
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nfs China Software Co ltd
Original Assignee
Nfs China Software Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nfs China Software Co ltd filed Critical Nfs China Software Co ltd
Priority to CN202211250372.0A priority Critical patent/CN115328580B/en
Publication of CN115328580A publication Critical patent/CN115328580A/en
Application granted granted Critical
Publication of CN115328580B publication Critical patent/CN115328580B/en
Priority to PCT/CN2023/122242 priority patent/WO2024078348A1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating
    • G06F9/44505 Configuring for program initiating, e.g. using registry, configuration files
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/13 File access structures, e.g. distributed indices
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/70 Software maintenance or management
    • G06F8/76 Adapting program code to run in a different environment; Porting

Abstract

The embodiment of the application provides a processing method, a device and a medium for registry operation in an application migration environment, wherein the method is applied to compatible layer software running on a first operating system, and specifically comprises the following steps: receiving a call request sent by an application program of a second operating system through a compatible layer service process; acquiring a target calling request from the calling request; detecting registry operation corresponding to the target call request; displaying processing options under the condition that the detection result represents that the registry operation is malicious operation; the processing options include: a disable option, an enable option, and an add trust option; adding a trust option for setting a registry path corresponding to the target call request as a trust path; and processing the registry operation corresponding to the target calling request according to the target processing option selected by the user. According to the embodiment of the application, the detection accuracy of the registry operation can be improved, and the matching degree between the processing result of the registry operation and the personalized requirements of the user can be improved.

Description

Processing method, device and medium for registry operation in application migration environment
Technical Field
The embodiment of the application relates to the technical field of application migration, in particular to a processing method, a processing device and a processing medium for registry operation in an application migration environment.
Background
In the application migration field, compatible layer software such as Wine (Wine Is Not an Emulator) can be used to migrate application programs of a second operating system to a first operating system. Taking the Windows operating system as an example of the second operating system, the compatible layer software maintains a registry, which stores various parameters and controls the loading of hardware drivers and the normal running of Windows application programs; once the registry is tampered with or destroyed, Windows applications are likely to behave abnormally.
In order to implement the protection of the registry, the related art may perform detection of the registry operation from the direction of the dynamic link library, where the specific detection process includes: acquiring a registry operation function from a dynamic link library, storing the address of the registry operation function as an original address, and replacing the address of the registry operation function by using the address of a Hook function; when any program carries out registry operation, the Hook function acquires corresponding operation information, judges the operation information, and prohibits the registry operation if the judgment result represents that the registry operation corresponds to malicious operation.
In practice, because a dynamic link library often contains many registry operation functions, detecting registry operations from the dynamic link library side may miss some of those functions, which leads to missed detections and therefore to low detection accuracy for registry operations.
Disclosure of Invention
The embodiment of the application provides a processing method of registry operation in an application migration environment, which can improve the detection accuracy of registry operation, improve the matching degree between the processing result of registry operation and the personalized requirements of a user, simplify the processing flow of the registry path and improve the processing efficiency of the registry path.
Correspondingly, the embodiment of the application also provides a processing device, an electronic device and a machine readable medium for registry operation in the application migration environment, so as to ensure the implementation and application of the method.
In order to solve the above problem, the embodiment of the present application discloses a processing method for registry operation in an application migration environment, where the method is applied to compatible layer software running on a first operating system; the method comprises the following steps:
receiving a call request sent by an application program of the second operating system aiming at the API through a compatible layer service process;
acquiring a target call request related to registry operation from the call request according to a preset identifier carried in the call request;
detecting registry operation corresponding to the target calling request to obtain a corresponding detection result;
displaying processing options under the condition that the detection result represents that the registry operation is malicious operation; the processing options include: a disable option, an enable option, and an add trust option; the added trust option is used for setting a registry path corresponding to the target call request as a trust path;
and processing the registry operation corresponding to the target calling request according to the target processing option selected by the user.
In order to solve the above problem, an embodiment of the present application discloses a processing apparatus for registry operation in an application migration environment, where the apparatus is applied to compatible layer software running on a first operating system; the device comprises: the device comprises a registry processing module, a detection module, an inquiry module and a display module;
the registry processing module, the detection module and the query module are positioned on a compatible layer service process side corresponding to the compatible layer software, and the display module is positioned on a window service process side corresponding to the compatible layer software;
the registry processing module is used for receiving a call request sent by an application program of a second operating system aiming at the API, acquiring a target call request related to registry operation from the call request according to a preset identifier carried in the call request, and sending a registry path corresponding to the target call request to the detection module;
the detection module is used for sending a registry path corresponding to the target calling request to the query module;
the query module is used for calling a database interface and/or a trust list interface, detecting registry operation corresponding to the target calling request according to a registry path corresponding to the target calling request, and returning a detection result to the detection module;
the detection module is further configured to send a processing option to the display module when the detection result indicates that the registry operation is a malicious operation;
the display module is used for displaying the processing options; the processing options include: a disable option, an enable option, and an add trust option; the added trust option is used for setting a registry path corresponding to the target call request as a trust path;
and the registry processing module is also used for processing the registry operation corresponding to the target calling request according to the target processing option selected by the user.
In order to solve the above problem, an embodiment of the present application discloses a processing apparatus for registry operation in an application migration environment, where the apparatus is applied to compatible layer software running on a first operating system; the device comprises:
the receiving module is used for receiving a calling request sent by an application program of the second operating system aiming at the API through the compatible layer service process;
the obtaining module is used for obtaining a target calling request related to registry operation from the calling request according to a preset identifier carried in the calling request;
the detection module is used for detecting the registry operation corresponding to the target calling request to obtain a corresponding detection result;
the display module is used for displaying processing options under the condition that the detection result represents that the registry operation is malicious operation; the processing options include: a disable option, an enable option, and an add trust option; the added trust option is used for setting a registry path corresponding to the target call request as a trust path;
and the processing module is used for processing the registry operation corresponding to the target calling request according to the target processing option selected by the user.
Optionally, the detection module includes:
the first detection module is used for searching in a database according to the registry path corresponding to the target call request; a registry path corresponding to malicious operation is recorded in the database; or
The second detection module is used for judging whether a registry path corresponding to the target calling request exists in the trust list or not so as to obtain a corresponding judgment result; a registry path corresponding to trust operation is recorded in the trust list; or
The third detection module is used for judging whether a registry path corresponding to the target calling request exists in the trust list or not so as to obtain a corresponding judgment result, and if the judgment result is that the registry path corresponding to the target calling request does not exist, searching in a database according to the registry path corresponding to the target calling request; a registry path corresponding to malicious operation is recorded in the database; and the trust list records a registry path corresponding to the trust operation.
Optionally, the processing module includes:
the first processing module is used for forbidding the registry operation corresponding to the target calling request under the condition that the target processing option selected by the user is a forbidding option; or alternatively
The second processing module is used for allowing the registry operation corresponding to the target calling request under the condition that the target processing option selected by the user is an allowing option; or
And the third processing module is used for allowing the registry operation corresponding to the target calling request and adding the registry path corresponding to the target calling request to a trust list under the condition that the target processing option selected by the user is the adding trust option.
Optionally, the apparatus further comprises:
and the operation allowing module is used for allowing the registry operation corresponding to the target calling request under the condition that the detection result represents that the registry operation is a normal operation or a trust operation.
Optionally, the obtaining module sends a registry path corresponding to the target call request to the detecting module; the detection module sends a registry path corresponding to the target calling request to a query module; and the query module calls a database interface and/or a trust list interface, detects the registry operation corresponding to the target calling request according to the registry path corresponding to the target calling request, and returns a detection result to the detection module.
Optionally, the detection module sends a processing option to a display module to enable the display module to display the processing option when the detection result indicates that the registry operation is a malicious operation.
The embodiment of the application also discloses an electronic device, which comprises: a processor; and a memory having executable code stored thereon that, when executed, causes the processor to perform a method as described in embodiments of the present application.
The embodiment of the application also discloses a machine-readable medium, wherein executable codes are stored on the machine-readable medium, and when the executable codes are executed, a processor is caused to execute the method according to the embodiment of the application.
The embodiment of the application has the following advantages:
in the technical scheme of the embodiment of the application, a call request sent by an application program of a second operating system to an API is received through a compatible layer service process, and a target call request related to registry operation is obtained from the call request according to a preset identifier carried in the call request. In the technical field of application migration, the compatible layer service process is responsible for communication with the application process, and the application process represents an application program of the second operating system and sends a call request aiming at the API to the compatible layer service process; thus, the compatible layer service process can function to aggregate call requests. Therefore, the call request sent by the application program of the second operating system aiming at the API is received through the compatible layer service process, omission of the target call request related to registry operation can be avoided, on the basis, the condition of detection omission can be avoided, and the detection accuracy of the registry operation can be improved.
And detecting the registry operation corresponding to the target calling request, displaying processing options under the condition that the detection result represents that the registry operation is malicious operation, and processing the registry operation corresponding to the target calling request according to the target processing options selected by the user. In the embodiment of the application, the selection right of the processing option is given to the user, and the registry operation corresponding to the target calling request is processed according to the target processing option selected by the user; therefore, the embodiment of the application can improve the matching degree between the processing result of the registry operation and the personalized requirement of the user.
The processing options of the embodiment of the application include a trust adding option, the trust adding option is used for setting the registry path corresponding to the target invoking request as a trust path, the trust path can represent the registry path trusted by the user, and a detection result corresponding to the trust path can be a trust operation. Because the embodiment of the present application allows the registry operation corresponding to the target invocation request under the condition that the detection result represents that the registry operation is the trusted operation, the registry operation corresponding to the target invocation request can be allowed under the condition that the registry path corresponding to the target invocation request appears in the following, and under the condition that the operations of displaying the processing options and selecting the target processing options by the user are saved; therefore, the embodiment of the application can simplify the processing flow of the registry path and improve the processing efficiency of the registry path.
Drawings
FIG. 1 is a flowchart illustrating steps of a method for processing registry operations in an application migration environment according to an embodiment of the present application;
FIG. 2 is a schematic structural diagram of a processing apparatus for registry operation in an application migration environment according to an embodiment of the present application;
FIG. 3 is a flowchart illustrating steps of a method for processing registry operations in an application migration environment according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a processing apparatus for processing a registry operation in an application migration environment according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of an apparatus provided in an embodiment of the present application.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, the present application is described in further detail with reference to the accompanying drawings and the detailed description.
In the embodiment of the present application, the compatible layer software is a compatibility layer capable of running application programs of a second operating system on multiple POSIX (Portable Operating System Interface)-compliant first operating systems. Taking the Windows operating system as an example of the second operating system, the compatible layer software can translate Windows API calls into POSIX calls on the fly, so that Windows applications can run on first operating systems other than Windows.
Examples of the first operating system may include: Linux, macOS (Macintosh Operating System), BSD (Berkeley Software Distribution), and the like. Examples of the second operating system may include the Windows operating system, etc. It is understood that the embodiments of the present application do not impose limitations on the specific first operating system and the second operating system.
The compatibility layer software may include: a compatibility layer service process (wineserver) and a set of dynamic link libraries. In addition, the GUI (Graphical User Interface) of the compatibility layer software may rely on a windowing system with bitmap display.
In the process of running a certain Windows application, the following processes related to the Windows application can be included in the first operating system:
(1) The application process of the Windows application itself. Calls into the dynamic link libraries run in the context of this process. When a service of the compatibility layer software is needed, or another (in particular kernel) service provided indirectly by the compatibility layer software, the application process calls down layer by layer through the dynamic link libraries provided by the compatibility layer software. Inside the compatibility layer software, the application process usually communicates with the compatible layer service process through a socket and is managed and coordinated by it; it may also communicate through a socket with the window service process of the bitmap-display window system, sending graphics operation requests to it and receiving keyboard and mouse input.
(2) The compatible layer service process specifically comprises the following functions: providing means for communication and synchronization between application processes; managing application processes and threads; registry services, and the like.
(3) The window service process specifically comprises the following functions: graphical display, and keyboard and mouse input.
In order to implement the protection of the registry, the related art may perform detection of the registry operation from the direction of the dynamic link library, where the specific detection process includes: acquiring a registry operation function from a dynamic link library, storing the address of the registry operation function as an original address, and replacing the address of the registry operation function with the address of a Hook function; when any program carries out registry operation, the Hook function acquires corresponding operation information and judges the operation information, and if the judgment result represents that the registry operation corresponds to malicious operation, the registry operation is forbidden. However, in practical applications, since the dynamic link library often contains many registry operation functions, the detection of the registry operation from the direction of the dynamic link library may result in omission of the registry operation functions, which may result in detection omission, and thus the detection accuracy of the registry operation is low.
To address the technical problem of low detection accuracy of registry operation in the related technology, the embodiment of the application provides a processing method of registry operation in an application migration environment, and the method can be applied to compatible layer software running on a first operating system; the method specifically comprises the following steps: receiving a call request sent by an application program of the second operating system aiming at the API through a compatible layer service process; acquiring a target call request related to registry operation from the call request according to a preset identifier carried in the call request; detecting registry operation corresponding to the target calling request to obtain a corresponding detection result; displaying processing options under the condition that the detection result represents that the registry operation is malicious operation; the processing options include: a disable option, an enable option, and an add trust option; the trust adding option is used for setting a registry path corresponding to the target calling request as a trust path; and processing the registry operation corresponding to the target calling request according to the target processing option selected by the user.
According to the embodiment of the application, a call request sent by an application program of a second operating system aiming at the API is received through a compatible layer service process, and a target call request related to registry operation is obtained from the call request according to a preset identifier carried in the call request. In the technical field of application migration, the compatible layer service process is responsible for communication with the application process, and the application process represents an application program of the second operating system and sends a call request aiming at the API to the compatible layer service process; thus, the compatible layer service process can function to aggregate call requests. Therefore, the call request sent by the application program of the second operating system aiming at the API is received through the compatible layer service process, omission of the target call request related to registry operation can be avoided, on the basis, the condition of detection omission can be avoided, and the detection accuracy of the registry operation can be improved.
And detecting the registry operation corresponding to the target calling request, displaying processing options under the condition that the detection result represents that the registry operation is malicious operation, and processing the registry operation corresponding to the target calling request according to the target processing options selected by the user. The embodiment of the application gives the user the option of the processing option and processes the registry operation corresponding to the target calling request according to the target processing option selected by the user; therefore, the embodiment of the application can improve the matching degree between the processing result of the registry operation and the personalized requirement of the user.
In addition, the processing options of the embodiment of the application include an adding trust option, where the adding trust option is used to set the registry path corresponding to the target invocation request as a trust path, the trust path may represent the registry path trusted by the user, and a detection result corresponding to the trust path may be a trust operation; therefore, under the condition that the registry path corresponding to the target call request appears in the follow-up process, the corresponding registry operation can be allowed, so that the processing flow of the registry path can be simplified, and the processing efficiency of the registry path can be improved.
Example one
Referring to fig. 1, a schematic flowchart of steps of a processing method for registry operation in an application migration environment according to an embodiment of the present application is shown, where the method may be applied to compatible layer software running on a first operating system, and the method specifically includes the following steps:
Step 101: receiving a call request sent by an application program of a second operating system aiming at an API (application programming interface) through a compatible layer service process;
Step 102: acquiring a target call request related to registry operation from the call request according to a preset identifier carried in the call request;
Step 103: detecting registry operation corresponding to the target calling request to obtain a corresponding detection result;
Step 104: displaying processing options under the condition that the detection result represents that the registry operation is malicious operation; the processing options specifically include: a disable option, an enable option, and an add trust option; the added trust option is used for setting a registry path corresponding to the target call request as a trust path;
Step 105: processing the registry operation corresponding to the target calling request according to the target processing option selected by the user.
In step 101, the compatible layer service process may establish a connection, such as a socket, with an application process of an application program of the second operating system; in this way, the compatible layer service process can receive a call request sent by the application program of the second operating system for the API, using the connection.
In step 102, the call requests may include target call requests related to registry operation, and may also include non-target call requests unrelated to registry operation. According to the embodiment of the application, the target call request related to the registry operation can be obtained from the call request according to the preset identifier carried in the call request.
In practical application, the compatible layer service process may preset a preset identifier corresponding to the registry operation, so that the application process carries the preset identifier in the call request. The compatible layer service process can also store the mapping relation between the preset identification and the registry operation information; therefore, the information in the call request can be matched with the preset identifier in the mapping relation, and if the matching is successful, the call request can be regarded as a target call request related to the registry operation.
The registry operation information may characterize one or more registry operation categories. Examples of registry operation categories may include: a registry add category, or a registry modify category, or a registry delete category, etc.
In step 103, detecting the registry operation corresponding to the target call request, where the obtained detection result may include: malicious operation, or normal operation, or trusted operation.
The embodiment of the application can provide the following technical scheme for detecting the registry operation corresponding to the target call request:
Technical solution 1: searching in a database according to the registry path corresponding to the target call request, where the database records registry paths corresponding to malicious operations; or
Technical solution 2: judging whether the registry path corresponding to the target call request exists in a trust list, to obtain a corresponding judgment result, where the trust list records registry paths corresponding to trusted operations; or
Technical solution 3: judging whether the registry path corresponding to the target call request exists in a trust list, to obtain a corresponding judgment result, and, if the judgment result is that it does not exist, searching in a database according to the registry path corresponding to the target call request; the database records registry paths corresponding to malicious operations, and the trust list records registry paths corresponding to trusted operations.
Technical solution 1 may detect the registry operation corresponding to the target call request by using a database. Specifically, searching is performed in a database, and if a registry path corresponding to the target call request exists in the database, the detection result can be malicious operation; or, if the registry path corresponding to the target call request does not exist in the database, the detection result may be a normal operation.
The database records a registry path corresponding to the malicious operation. Referring to table 1, a schematic of a database according to an embodiment of the present application is shown, where the database may specifically include: a registry path field and a description field. A registry path may refer to a corresponding path of a registry key in disk.
TABLE 1
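[Table 1 is an image in the original and is not reproduced here; it shows the database with a registry path field and a description field.]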
The embodiment of the present application does not limit how the registry paths corresponding to malicious operations are collected into the database. In practical applications, it can be judged whether a historical registry operation in the registry operation log is a malicious operation, and if so, the registry path corresponding to that historical registry operation is written into the database.
For example, in one collection manner, a historical registry operation in the registry operation log may be matched against registry operation rules; if the match succeeds, the historical registry operation may be considered a malicious operation, and the corresponding registry path is written into the database. The registry operation rules can be determined by those skilled in the art according to actual application requirements. For example, registry operation rules may include, but are not limited to: modifying the system's startup associations, acquiring browser agent information, blocking the operating system's function for displaying hidden system files, and the like. As another example, another collection manner may employ a machine-learned classifier. The classifier can be trained with samples of malicious operations and samples of normal operations, so that it can classify an operation as malicious or normal. A historical registry operation from the registry operation log is then input into the classifier, the classification result indicates whether the historical registry operation is malicious, and if so, the corresponding registry path is written into the database.
Technical solution 2 may detect the registry operation corresponding to the target call request by using the trust list. Specifically, whether a registry path corresponding to the target call request exists in the trust list is judged, and if the judgment result is yes, the detection result is the trust operation.
The trust list may record a registry path corresponding to a trust operation. Those skilled in the art can add a registry path corresponding to a trust operation in the trust list according to the actual application requirement. Or, when the target processing option selected by the user is an add trust option, adding the registry path corresponding to the target call request to the trust list.
Technical solution 3 may sequentially use the trust list and the database to detect the registry operation corresponding to the target call request.
Specifically, whether the registry path corresponding to the target call request exists in the trust list is judged to obtain a corresponding judgment result, and if the registry path does not exist in the trust list, the registry path corresponding to the target call request is searched for in the database. If the registry path corresponding to the target call request exists in the database, the detection result can be a malicious operation; or, if it does not exist in the database, the detection result may be a normal operation.
In step 104, in the case that the detection result indicates that the registry operation is a malicious operation, processing options may be displayed. The embodiment of the application gives the user the choice of processing option and processes the registry operation corresponding to the target call request according to the target processing option selected by the user; therefore, the processing result of the registry operation can meet the personalized requirements of the user.
In step 105, the registry operation corresponding to the target call request may be processed according to the target processing option selected by the user.
The embodiment of the application can provide the following processing modes for processing the registry operation corresponding to the target call request according to the target processing option selected by the user:
Processing mode 1: prohibit the registry operation corresponding to the target call request in the case that the target processing option selected by the user is the prohibit option; or
Processing mode 2: allow the registry operation corresponding to the target call request in the case that the target processing option selected by the user is the allow option; or
Processing mode 3: allow the registry operation corresponding to the target call request in the case that the target processing option selected by the user is the add trust option, and add the registry path corresponding to the target call request to the trust list.
Prohibiting the registry operation corresponding to the target call request may refer to not executing the registry operation corresponding to the target call request. Allowing the registry operation corresponding to the target call request may refer to executing the registry operation corresponding to the target call request.
The method of the embodiment of the application may further include: and allowing the registry operation corresponding to the target call request under the condition that the detection result represents that the registry operation is normal operation or trust operation.
To sum up, the processing method for registry operation in an application migration environment according to the embodiment of the present application receives, through the compatible layer service process, a call request sent by an application program of the second operating system for the API, and obtains, according to a preset identifier carried in the call request, a target call request related to the registry operation from the call request. In the technical field of application migration, the compatible layer service process is responsible for communication with the application process, and the application process represents an application program of the second operating system and sends a call request for the API to the compatible layer service process; thus, the compatible layer service process aggregates call requests. Receiving the call requests through the compatible layer service process therefore avoids missing target call requests related to registry operation, which in turn avoids missed detections and improves the detection accuracy of registry operations.
The registry operation corresponding to the target call request is then detected, processing options are displayed in the case that the detection result indicates that the registry operation is a malicious operation, and the registry operation corresponding to the target call request is processed according to the target processing option selected by the user. The embodiment of the application gives the user the choice of processing option and processes the registry operation accordingly; therefore, the embodiment of the application can improve the match between the processing result of the registry operation and the personalized requirements of the user.
In addition, the processing options of the embodiment of the application include an add trust option, which is used to set the registry path corresponding to the target call request as a trust path. A trust path represents a registry path trusted by the user, and the detection result corresponding to a trust path may be a trusted operation. Because the embodiment of the present application allows the registry operation corresponding to the target call request when the detection result indicates a trusted operation, when the same registry path appears again later, the registry operation can be allowed without displaying the processing options and without the user selecting a target processing option; therefore, the embodiment of the application can simplify the processing flow of the registry path and improve its processing efficiency.
Example two
The method of the embodiment of the application can be executed by a processing apparatus for registry operation in an application migration environment. Referring to fig. 2, a schematic structural diagram of a processing apparatus for registry operation in an application migration environment according to an embodiment of the present application is shown, where the processing apparatus may include: a registry processing module 201, a detection module 202, a query module 203, and a display module 204.
The registry processing module 201, the detection module 202 and the query module 203 may be located on a compatible layer service process side, and the display module 204 may be located on a window service process side.
The registry processing module 201 is configured to receive a call request sent by an application program of a second operating system for an API, obtain a target call request related to registry operation from the call request according to a preset identifier carried in the call request, and send a registry path corresponding to the target call request to the detection module 202;
the detection module 202 is configured to send a registry path corresponding to the target call request to the query module 203;
the query module 203 is configured to invoke a database interface and/or a trust list interface, detect a registry operation corresponding to the target invocation request according to a registry path corresponding to the target invocation request, and return a detection result to the detection module 202;
the detection module 202 is further configured to send processing options to the display module 204 when the detection result indicates that the registry operation is a malicious operation;
a display module 204, configured to display the processing options; the processing options may specifically include: a prohibit option, an allow option, and an add trust option; the add trust option is used for setting the registry path corresponding to the target call request as a trust path;
the registry processing module 201 is further configured to process, according to the target processing option selected by the user, a registry operation corresponding to the target call request.
The registry processing module 201 in the related art typically allows the registry operations corresponding to all target call requests. The registry processing module 201 in the embodiment of the application, relying on the processing results of the detection module 202, the query module 203 and the display module 204, processes the registry operation corresponding to the target call request according to the detection result and the target processing option selected by the user, so that not only can the detection accuracy of the registry operation be improved, but also the match between the processing result of the registry operation and the personalized requirements of the user.
Applying the processing apparatus shown in fig. 2, the process of detecting the registry operation corresponding to the target invocation request may specifically include:
the registry processing module 201 sends a registry path corresponding to the target call request to the detection module 202;
the detection module 202 sends a registry path corresponding to the target call request to the query module 203;
the query module 203 invokes a database interface and/or a trust list interface, detects a registry operation corresponding to the target invocation request according to a registry path corresponding to the target invocation request, and returns a detection result to the detection module 202.
In practical applications, the detection module 202 may provide a detection interface to the registry processing module 201 in the form of a dynamically linked library for the registry processing module 201 to call. Referring to table 2, an illustration of a detection interface according to an embodiment of the present application is shown, where different detection interfaces are set for different registry operation categories, and a detection interface may also be referred to as a detection function.
TABLE 2
[Table 2 is an image in the original and is not reproduced here; it lists the detection interfaces for the registry operation categories.]
Taking a target call request A of the registry modification category as an example, in the case that the application process sends the target call request of the registry modification category, the processing function DECL_handle(set_key_value) of the registry processing module 201 may call the reg_change_check function, and the reg_change_check function detects the registry operation corresponding to the target call request A.
The query module 203 may provide the query interface and the add trust interface to the detection module 202 in the form of a dynamically linked library, for the detection module 202 to call.
Referring to table 3, an illustration of a query interface of the embodiment of the present application is shown, where different query interfaces, which may also be referred to as query functions, are set for different registry operation categories. And under the condition that the query interface is called, further calling a database interface and/or a trust list interface, and detecting registry operation corresponding to the target calling request according to a registry path corresponding to the target calling request.
TABLE 3
[Table 3 is an image in the original and is not reproduced here; it lists the query interfaces for the registry operation categories.]
Taking the target call request A of the registry modification category as an example, in the case that the application process sends the target call request of the registry modification category, the processing function DECL_handle(set_key_value) of the registry processing module 201 may call the reg_change_check function.
The reg_change_check function calls the sty_reg_change_get function and passes it the registry path that the application process requests to modify, for example:
“\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
The sty_reg_change_get function then calls the database interface and searches the database for the registry path that the process requests to modify, such as the registry path:
“\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”.
Assuming that the database has no data record corresponding to the registry path, the registry operation corresponding to the target call request A is a normal operation (harmless operation); or, assuming that the database stores a data record corresponding to the registry path, the registry operation corresponding to the target call request A is a malicious operation.
Referring to table 4, an illustration of the add trust interface according to an embodiment of the present application is shown, where different add trust interfaces are set for different registry operation categories, and an add trust interface may also be referred to as an add trust function. When the add trust interface is called, the registry path corresponding to the target call request is added to the trust list.
TABLE 4
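[Table 4 is an image in the original and is not reproduced here; it lists the add trust interfaces for the registry operation categories.]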
In a specific implementation, the query module 203 returns the detection result to the detection module 202, so that the detection module 202 performs the subsequent processes. For example, in a case that the detection result is a normal operation or a trusted operation, the detection module 202 may forward the detection result to the registry processing module 201, and the registry processing module 201 may allow the target call request to perform the corresponding registry operation, that is, the registry processing module 201 may perform a normal processing flow. For another example, in the case that the detection result is a malicious operation, the detection module 202 may send a processing option to the display module 204.
Therefore, in the embodiment of the present application, when the detection result indicates that the registry operation is a malicious operation, displaying the processing option may specifically include: the detection module 202 sends the processing options to the display module 204 when the detection result represents that the registry operation is a malicious operation, so that the display module 204 displays the processing options.
In practical applications, the detection module 202 may communicate with the display module 204 according to a socket protocol. The display module 204 provides a plurality of processing options to the user and returns the user-selected target processing option to the detection module 202. The detection module 202 returns the target processing option selected by the user to the registry processing module 201.
Taking a target call request of the registry modification category as an example, in the case that the target processing option selected by the user is the prohibit option, the registry processing module 201 may interrupt the registry modification flow and return relevant error information to the application process; alternatively, in the case that the target processing option selected by the user is the allow option, the registry processing module 201 may continue to execute the registry modification flow; or, in the case that the target processing option selected by the user is the add trust option, the registry processing module 201 may continue to execute the registry modification flow, call the add trust interface, and add the registry path corresponding to the target call request to the trust list.
Referring to fig. 3, a schematic step flow diagram illustrating a processing method of registry operation in an application migration environment according to an embodiment of the present application is shown, where the method may be applied to compatible layer software running on a first operating system, and the method specifically may include the following steps:
step 301, the registry processing module 201 receives a call request sent by an application program of the second operating system for the API via the compatible layer service process, and obtains a target call request related to the registry operation from the call request according to a preset identifier carried in the call request;
step 302, the registry processing module 201 sends the registry path corresponding to the target call request to the detection module 202;
step 303, the detection module 202 sends the registry path corresponding to the target call request to the query module 203;
step 304, the query module 203 calls a database interface and/or a trust list interface, detects the registry operation corresponding to the target call request according to the registry path corresponding to the target call request, and returns a detection result to the detection module 202;
the detection module 202 performs different processing according to different detection results, executes step 305 if the detection result is malicious operation, and executes step 309 if the detection result is trusted operation or normal operation;
step 305, in case that the detection result is a malicious operation, the detection module 202 sends a processing option to the display module 204, so that the display module 204 displays the processing option. The detection module 202 may also receive a target processing option selected by the user from the display module 204 and send the target processing option selected by the user to the registry processing module 201;
the registry processing module 201 performs different processing according to different target processing options, and executes step 306 if the target processing option is a prohibited option; in the case that the target processing option is the permission option, execute step 307; in the case that the target processing option is an add trust option, step 308 is executed;
step 306, the registry processing module 201 prohibits the registry operation corresponding to the target call request and returns relevant error information to the application process when the target processing option is the prohibition option;
step 307, the registry processing module 201 executes the registry operation corresponding to the target call request under the condition that the target processing option is the permission option;
step 308, the registry processing module 201 executes the registry operation corresponding to the target call request and calls the trust adding interface to add the registry path corresponding to the target call request to the trust list under the condition that the target processing option is the trust adding option;
step 309, in case that the detection result is the trusted operation or the normal operation, the detection module 202 transfers the detection result to the registry processing module 201, so that the registry processing module 201 executes the registry operation corresponding to the target call request.
In an application example of the application, a user installs a Windows application program A via the compatible layer software, and application program A wants to start automatically at boot, so a request is made to modify the registry key "\\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\". Supposing that the detection result obtained by the detection module 202 is a malicious operation, processing options are presented to the user via the display module 204.
If the user confirms that the behavior of application program A in modifying the registry is harmless, trust can be added to the corresponding registry path, that is, the add trust option can be selected. The display module 204 may send a message (which may carry the target processing option selected by the user) to the detection module 202 through socket communication. After receiving the target processing option, the detection module 202 calls the add trust interface and adds the registry path corresponding to the target call request to the trust list.
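The flow of steps 301 to 309 with technical solution 3, as an added C example that is not code from the patent. The function names, the in-memory trust list and the one-entry database are hypothetical, and the path normalization (case folding, trailing backslash removal) is an assumption added here because Windows registry key names are case-insensitive and the page writes the same key both with and without a trailing backslash.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 256
#define MAX_TRUST 16

typedef enum { RESULT_NORMAL, RESULT_MALICIOUS, RESULT_TRUSTED } detect_result;
typedef enum { OPT_PROHIBIT, OPT_ALLOW, OPT_ADD_TRUST } process_option;

/* Constructed sample database: registry paths recorded as malicious. */
static const char *const malicious_db[] = {
    "\\HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
};
#define DB_COUNT (sizeof malicious_db / sizeof malicious_db[0])

/* Hypothetical in-memory trust list; entries are stored normalized. */
static char trust_list[MAX_TRUST][MAX_PATH_LEN];
static size_t trust_count;

/* Fold case and drop trailing backslashes so that equivalent spellings of
 * one key compare equal. Returns 0 on success, -1 if the path is too long. */
static int normalize_path(const char *in, char *out, size_t out_len)
{
    size_t n = strlen(in);
    if (n >= out_len)
        return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)toupper((unsigned char)in[i]);
    while (n > 1 && out[n - 1] == '\\')
        n--;
    out[n] = '\0';
    return 0;
}

/* Technical solution 3: trust list first, then the malicious-path database. */
detect_result detect_registry_op(const char *path)
{
    char norm[MAX_PATH_LEN], entry[MAX_PATH_LEN];

    /* Design choice of this example: an over-long path fails closed, so the
     * user is asked instead of the operation passing silently. */
    if (normalize_path(path, norm, sizeof norm) != 0)
        return RESULT_MALICIOUS;
    for (size_t i = 0; i < trust_count; i++)
        if (strcmp(trust_list[i], norm) == 0)
            return RESULT_TRUSTED;
    for (size_t i = 0; i < DB_COUNT; i++)
        if (normalize_path(malicious_db[i], entry, sizeof entry) == 0 &&
            strcmp(entry, norm) == 0)
            return RESULT_MALICIOUS;
    return RESULT_NORMAL;
}

/* Add trust interface: returns 0 if the path is (now) in the trust list. */
int add_trust(const char *path)
{
    char norm[MAX_PATH_LEN];

    if (normalize_path(path, norm, sizeof norm) != 0)
        return -1;
    for (size_t i = 0; i < trust_count; i++)
        if (strcmp(trust_list[i], norm) == 0)
            return 0;
    if (trust_count >= MAX_TRUST)
        return -1;
    strcpy(trust_list[trust_count++], norm);
    return 0;
}

/* Steps 305 to 309. `choice` stands in for the option returned by the display
 * module and is consulted only when the detection result is malicious.
 * Returns 1 if the registry operation is executed, 0 if it is prohibited. */
int handle_registry_op(const char *path, process_option choice)
{
    if (detect_registry_op(path) != RESULT_MALICIOUS)
        return 1;                       /* step 309: normal or trusted */
    switch (choice) {
    case OPT_PROHIBIT:
        return 0;                       /* step 306 */
    case OPT_ALLOW:
        return 1;                       /* step 307 */
    case OPT_ADD_TRUST:
        (void)add_trust(path);          /* step 308 */
        return 1;
    }
    return 0;
}

int main(void)
{
    const char *run = malicious_db[0];

    printf("prohibit:  executed=%d\n", handle_registry_op(run, OPT_PROHIBIT));
    printf("add trust: executed=%d\n", handle_registry_op(run, OPT_ADD_TRUST));
    /* The path is now trusted, so the user's choice is no longer consulted. */
    printf("prohibit after trust: executed=%d\n",
           handle_registry_op(run, OPT_PROHIBIT));
    return 0;
}
```

Because the trust list is consulted before the database, a path added through the add trust option is never shown to the user again, even though it is still recorded as malicious in the database.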
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts, but those skilled in the art should understand that the embodiments are not limited by the described order of acts, as some steps can be performed in other orders or simultaneously according to the embodiments. Further, those skilled in the art will also appreciate that the embodiments described in the specification are preferred embodiments and that the acts involved are not necessarily required by the embodiments of the application.
On the basis of the above embodiment, the embodiment of the present application further provides a processing apparatus for registry operation in an application migration environment, where the apparatus is applied to compatible layer software running on a first operating system; referring to fig. 4, the apparatus may specifically include: a receiving module 401, an obtaining module 402, a detecting module 403, a displaying module 404 and a processing module 405. The receiving module 401, the obtaining module 402 and the processing module 405 may be modules arranged in the registry processing module 201.
A receiving module 401, configured to receive, via the compatible layer service process, a call request sent by an application program of the second operating system for the API;
an obtaining module 402, configured to obtain, according to a preset identifier carried in the call request, a target call request related to a registry operation from the call request;
a detection module 403, configured to detect a registry operation corresponding to the target call request to obtain a corresponding detection result;
a display module 404, configured to display processing options when the detection result indicates that the registry operation is a malicious operation; the processing options include: a prohibit option, an allow option, and an add trust option; the add trust option is used for setting the registry path corresponding to the target call request as a trust path;
and the processing module 405 is configured to process the registry operation corresponding to the target call request according to the target processing option selected by the user.
Optionally, the detecting module 403 may specifically include:
the first detection module is used for searching in a database according to the registry path corresponding to the target call request; a registry path corresponding to malicious operation is recorded in the database; or
The second detection module is used for judging whether a registry path corresponding to the target calling request exists in the trust list or not so as to obtain a corresponding judgment result; a registry path corresponding to trust operation is recorded in the trust list; or
The third detection module is used for judging whether a registry path corresponding to the target calling request exists in a trust list or not so as to obtain a corresponding judgment result, and if the judgment result is that the registry path corresponding to the target calling request does not exist, searching is carried out in a database according to the registry path corresponding to the target calling request; a registry path corresponding to malicious operation is recorded in the database; and the trust list records a registry path corresponding to the trust operation.
Optionally, the processing module 405 may specifically include:
the first processing module is used for forbidding the registry operation corresponding to the target calling request under the condition that the target processing option selected by the user is a forbidding option; or
The second processing module is used for allowing the registry operation corresponding to the target calling request under the condition that the target processing option selected by the user is an allowing option; or
The third processing module is used for allowing the registry operation corresponding to the target call request and adding the registry path corresponding to the target call request to the trust list in the case that the target processing option selected by the user is the add trust option.
Optionally, the apparatus may further include:
and the operation allowing module is used for allowing the registry operation corresponding to the target calling request under the condition that the detection result represents that the registry operation is normal operation or trust operation.
Optionally, the obtaining module sends a registry path corresponding to the target call request to the detecting module; the detection module sends a registry path corresponding to the target calling request to a query module; and the query module calls a database interface and/or a trust list interface, detects the registry operation corresponding to the target calling request according to the registry path corresponding to the target calling request, and returns a detection result to the detection module.
Optionally, the detection module sends a processing option to a display module to enable the display module to display the processing option when the detection result indicates that the registry operation is a malicious operation.
The present application further provides a non-transitory readable storage medium storing one or more modules (programs); when the one or more modules are applied to a device, the device can execute the instructions of the method steps in this application.
Embodiments of the present application provide one or more machine-readable media having instructions stored thereon, which when executed by one or more processors, cause an electronic device to perform a method as described in one or more of the above embodiments. In the embodiment of the present application, the electronic device includes various types of devices such as a terminal device and a server (cluster).
Embodiments of the disclosure may be implemented as an apparatus that uses any suitable hardware, firmware, software, or any combination thereof to perform a desired configuration; the apparatus may include electronic devices such as terminal devices and servers (clusters). Fig. 5 schematically illustrates an example apparatus 1100 that may be used to implement various embodiments described herein.
For one embodiment, fig. 5 illustrates an example apparatus 1100 having one or more processors 1102, a control module (chipset) 1104 coupled to at least one of the processor(s) 1102, a memory 1106 coupled to the control module 1104, a non-volatile memory (NVM)/storage 1108 coupled to the control module 1104, one or more input/output devices 1110 coupled to the control module 1104, and a network interface 1112 coupled to the control module 1104.
The processor 1102 may include one or more single-core or multi-core processors, and the processor 1102 may include any combination of general-purpose or special-purpose processors (e.g., graphics processors, application processors, baseband processors, etc.). In some embodiments, the apparatus 1100 can be implemented as a terminal device, a server (cluster), or the like in the embodiments of the present application.
In some embodiments, the apparatus 1100 may include one or more computer-readable media (e.g., the memory 1106 or the NVM/storage 1108) having instructions 1114 and one or more processors 1102 in combination with the one or more computer-readable media configured to execute the instructions 1114 to implement modules to perform the actions described in this disclosure.
For one embodiment, control module 1104 may include any suitable interface controllers to provide any suitable interface to at least one of the processor(s) 1102 and/or to any suitable device or component in communication with control module 1104.
Control module 1104 may include a memory controller module to provide an interface to memory 1106. The memory controller module may be a hardware module, a software module, and/or a firmware module.
The memory 1106 may be used to load and store data and/or instructions 1114 for the device 1100, for example. For one embodiment, memory 1106 may include any suitable volatile memory, such as suitable DRAM. In some embodiments, the memory 1106 may comprise a double data rate type four synchronous dynamic random access memory (DDR 4 SDRAM).
For one embodiment, control module 1104 may include one or more input/output controllers to provide an interface to NVM/storage 1108 and input/output device(s) 1110.
For example, NVM/storage 1108 may be used to store data and/or instructions 1114. NVM/storage 1108 may include any suitable non-volatile memory (e.g., flash memory) and/or may include any suitable non-volatile storage device(s) (e.g., one or more Hard Disk Drives (HDDs), one or more Compact Disc (CD) drives, and/or one or more Digital Versatile Disc (DVD) drives).
NVM/storage 1108 may include storage resources that are physically part of the device on which apparatus 1100 is installed, or it may be accessible by the device and need not be part of the device. For example, NVM/storage 1108 may be accessed over a network via input/output device(s) 1110.
Input/output device(s) 1110 may provide an interface for apparatus 1100 to communicate with any other suitable device; input/output devices 1110 may include communication components, audio components, sensor components, and so forth. Network interface 1112 may provide an interface for apparatus 1100 to communicate over one or more networks, and apparatus 1100 may communicate wirelessly with one or more components of a wireless network according to any of one or more wireless network standards and/or protocols, for example by accessing a wireless network based on a communication standard such as WiFi, 2G, 3G, 4G, 5G, etc., or a combination thereof.
For one embodiment, at least one of the processor(s) 1102 may be packaged together with logic for one or more controller(s) (e.g., memory controller modules) of control module 1104. For one embodiment, at least one of the processor(s) 1102 may be packaged together with logic for one or more controllers of control module 1104 to form a System In Package (SiP). For one embodiment, at least one of the processor(s) 1102 may be integrated on the same die with logic for one or more controller(s) of the control module 1104. For one embodiment, at least one of the processor(s) 1102 may be integrated on the same die with logic for one or more controller(s) of control module 1104 to form a system on chip (SoC).
In various embodiments, the apparatus 1100 may be, but is not limited to: a server, a desktop computing device, or a mobile computing device (e.g., a laptop computing device, a handheld computing device, a tablet, a netbook, etc.), among other terminal devices. In various embodiments, the apparatus 1100 may have more or fewer components and/or different architectures. For example, in some embodiments, apparatus 1100 includes one or more cameras, keyboards, Liquid Crystal Display (LCD) screens (including touch screen displays), non-volatile memory ports, multiple antennas, graphics chips, Application Specific Integrated Circuits (ASICs), and speakers.
The detection device may use a main control chip as the processor or the control module; sensor data, position information and the like are stored in the memory or the NVM/storage; a sensor group may serve as the input/output device; and the communication interface may comprise the network interface.
Since the device embodiment is basically similar to the method embodiment, its description is relatively brief; for the relevant points, refer to the corresponding description of the method embodiment.
The embodiments in the present specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the parts that are the same or similar, the embodiments may be referred to one another.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including the preferred embodiment and all such alterations and modifications as fall within the true scope of the embodiments of the application.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of another identical element in a process, method, article, or terminal apparatus that comprises the element.
The method and apparatus for processing registry operation in an application migration environment, the electronic device and the machine-readable medium provided by the present application have been introduced in detail above. Specific examples are used herein to explain the principles and embodiments of the present application, and the descriptions of the above embodiments are only intended to help in understanding the method and core ideas of the present application. Meanwhile, a person skilled in the art may, according to the idea of the present application, make variations in the specific embodiments and the application scope. In summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (10)

1. A processing method for registry operation in an application migration environment, characterized in that the method is applied to compatible layer software running on a first operating system; the method comprises the following steps:
receiving, through a compatible layer service process, a call request sent by an application program of a second operating system for an API;
acquiring a target call request related to registry operation from the call request according to a preset identifier carried in the call request;
detecting the registry operation corresponding to the target call request to obtain a corresponding detection result;
displaying processing options in the case that the detection result indicates that the registry operation is a malicious operation; the processing options include: a disable option, an enable option, and an add trust option; the add trust option is used for setting the registry path corresponding to the target call request as a trust path;
and processing the registry operation corresponding to the target call request according to the target processing option selected by the user.
2. The method according to claim 1, wherein the detecting the registry operation corresponding to the target call request comprises:
searching in a database according to the registry path corresponding to the target call request; registry paths corresponding to malicious operations are recorded in the database; or
judging whether the registry path corresponding to the target call request exists in a trust list to obtain a corresponding judgment result; registry paths corresponding to trust operations are recorded in the trust list; or
judging whether the registry path corresponding to the target call request exists in a trust list to obtain a corresponding judgment result, and, if the judgment result is that the path does not exist in the trust list, searching in a database according to the registry path corresponding to the target call request; registry paths corresponding to malicious operations are recorded in the database, and registry paths corresponding to trust operations are recorded in the trust list.
3. The method according to claim 1, wherein the processing the registry operation corresponding to the target call request according to the target processing option selected by the user comprises:
in the case that the target processing option selected by the user is the disable option, prohibiting the registry operation corresponding to the target call request; or
in the case that the target processing option selected by the user is the enable option, allowing the registry operation corresponding to the target call request; or
in the case that the target processing option selected by the user is the add trust option, allowing the registry operation corresponding to the target call request, and adding the registry path corresponding to the target call request to a trust list.
4. A method according to claim 1, 2 or 3, characterized in that the method further comprises:
and allowing the registry operation corresponding to the target call request under the condition that the detection result represents that the registry operation is a normal operation or a trust operation.
5. The method according to claim 1, 2 or 3, wherein the detecting the registry operation corresponding to the target call request comprises:
the registry processing module sends a registry path corresponding to the target calling request to the detection module;
the detection module sends a registry path corresponding to the target calling request to a query module;
and the query module calls a database interface and/or a trust list interface, detects the registry operation corresponding to the target calling request according to the registry path corresponding to the target calling request, and returns a detection result to the detection module.
6. The method of claim 5, wherein in the case that the detection result characterizes the registry operation as a malicious operation, displaying processing options comprises:
and the detection module sends a processing option to a display module under the condition that the detection result represents that the registry operation is malicious operation, so that the display module displays the processing option.
7. A processing apparatus for registry operation in an application migration environment, wherein the apparatus is applied to compatible layer software running on a first operating system; the apparatus comprises: a registry processing module, a detection module, a query module and a display module;
the registry processing module, the detection module and the query module are positioned on a compatible layer service process side corresponding to the compatible layer software, and the display module is positioned on a window service process side corresponding to the compatible layer software;
the registry processing module is used for receiving a call request sent by an application program of a second operating system aiming at the API, acquiring a target call request related to registry operation from the call request according to a preset identifier carried in the call request, and sending a registry path corresponding to the target call request to the detection module;
the detection module is used for sending a registry path corresponding to the target calling request to the query module;
the query module is used for calling a database interface and/or a trust list interface, detecting registry operation corresponding to the target calling request according to a registry path corresponding to the target calling request, and returning a detection result to the detection module;
the detection module is further configured to send a processing option to the display module when the detection result indicates that the registry operation is a malicious operation;
the display module is used for displaying the processing options; the processing options include: a disable option, an enable option, and an add trust option; the add trust option is used for setting the registry path corresponding to the target call request as a trust path;
and the registry processing module is also used for processing the registry operation corresponding to the target calling request according to the target processing option selected by the user.
8. A processing apparatus for registry operation in an application migration environment, wherein the apparatus is applied to compatible layer software running on a first operating system; the device comprises:
the receiving module is used for receiving a calling request sent by an application program of the second operating system aiming at the API through the compatible layer service process;
the obtaining module is used for obtaining a target call request related to registry operation from the call request according to a preset identifier carried in the call request;
the detection module is used for detecting the registry operation corresponding to the target calling request to obtain a corresponding detection result;
the display module is used for displaying processing options in the case that the detection result indicates that the registry operation is a malicious operation; the processing options include: a disable option, an enable option, and an add trust option; the add trust option is used for setting the registry path corresponding to the target call request as a trust path;
and the processing module is used for processing the registry operation corresponding to the target calling request according to the target processing option selected by the user.
9. An electronic device, comprising: a processor; and
memory having stored thereon executable code which, when executed, causes the processor to perform the method of any of claims 1-6.
10. A machine readable medium having executable code stored thereon, which when executed, causes a processor to perform the method of any of claims 1-6.
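
The decision flow of claims 1 to 4, sketched as an added example (not code from the patent or its assignee): registry-related calls are selected by a preset identifier, the trust list is consulted before the malicious-path database, and a malicious verdict is resolved by the user's choice. The call identifiers, class and function names, sample registry paths, case-insensitive normalization and subkey matching are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    TRUSTED = "trusted"
    MALICIOUS = "malicious"
    NORMAL = "normal"


class Option(Enum):
    DISABLE = "disable"
    ENABLE = "enable"
    ADD_TRUST = "add_trust"


# Assumed "preset identifiers" that mark registry-related API calls (hypothetical values).
REGISTRY_CALL_IDS = {"REG_SET_VALUE", "REG_CREATE_KEY", "REG_DELETE_KEY"}


def normalize(path: str) -> str:
    """Canonical form, so case, '/' or doubled separators cannot dodge a list entry."""
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    return "\\".join(parts).casefold()


def covers(entry: str, path: str) -> bool:
    """True if path is the listed key or one of its subkeys (whole components only)."""
    return path == entry or path.startswith(entry + "\\")


@dataclass
class RegistryGuard:
    malicious_db: set = field(default_factory=set)  # paths tied to malicious operations
    trust_list: set = field(default_factory=set)    # paths the user has trusted

    def __post_init__(self):
        self.malicious_db = {normalize(p) for p in self.malicious_db}
        self.trust_list = {normalize(p) for p in self.trust_list}

    def detect(self, path: str) -> Verdict:
        p = normalize(path)
        # Claim 2, third alternative: trust list first, database only on a miss.
        if any(covers(e, p) for e in self.trust_list):
            return Verdict.TRUSTED
        if any(covers(e, p) for e in self.malicious_db):
            return Verdict.MALICIOUS
        return Verdict.NORMAL

    def handle(self, call_id: str, path: str, ask_user) -> bool:
        """Return True if the call may proceed, False if it is prohibited."""
        if call_id not in REGISTRY_CALL_IDS:
            return True  # not a registry operation, so outside this check
        if self.detect(path) is not Verdict.MALICIOUS:
            return True  # claim 4: normal and trusted operations are allowed
        choice = ask_user(path, list(Option))  # stands in for the display module
        if choice is Option.ADD_TRUST:
            # Trust is recorded for the requested path only, not the whole listed key.
            self.trust_list.add(normalize(path))
            return True
        return choice is Option.ENABLE  # anything else, including no answer, denies


def demo():
    # Constructed sample data: one listed key and a write to a subkey of it.
    guard = RegistryGuard(malicious_db={r"HKEY_LOCAL_MACHINE\Software\Example\Autostart"})
    path = "hkey_local_machine/software/example/autostart/Updater"
    first = guard.handle("REG_SET_VALUE", path, lambda p, opts: Option.DISABLE)
    second = guard.handle("REG_SET_VALUE", path, lambda p, opts: Option.ADD_TRUST)
    # Once trusted, the same path is allowed without prompting again.
    third = guard.handle("REG_SET_VALUE", path, lambda p, opts: Option.DISABLE)
    return first, second, third
```

Because the add trust option stores only the requested path, a sibling subkey under the same listed key still produces a malicious verdict and a new prompt.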
CN202211250372.0A 2022-10-13 2022-10-13 Processing method, device and medium for registry operation in application migration environment Active CN115328580B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202211250372.0A CN115328580B (en) 2022-10-13 2022-10-13 Processing method, device and medium for registry operation in application migration environment
PCT/CN2023/122242 WO2024078348A1 (en) 2022-10-13 2023-09-27 Method and apparatus for processing registry operation in application porting environment, and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211250372.0A CN115328580B (en) 2022-10-13 2022-10-13 Processing method, device and medium for registry operation in application migration environment

Publications (2)

Publication Number Publication Date
CN115328580A CN115328580A (en) 2022-11-11
CN115328580B true CN115328580B (en) 2022-12-16

Family

ID=83914176

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211250372.0A Active CN115328580B (en) 2022-10-13 2022-10-13 Processing method, device and medium for registry operation in application migration environment

Country Status (2)

Country Link
CN (1) CN115328580B (en)
WO (1) WO2024078348A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115328580B (en) * 2022-10-13 2022-12-16 中科方德软件有限公司 Processing method, device and medium for registry operation in application migration environment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101371228A (en) * 2005-12-13 2009-02-18 惠普开发有限公司 A procedure for booting a first computer using the operating system of a second computer
CN101645003A (en) * 2008-08-04 2010-02-10 优诺威讯国际有限公司 Method and device for software transplantation
CN104067284A (en) * 2011-12-02 2014-09-24 迈克菲公司 Preventing execution of task scheduled malware
CN104360839A (en) * 2014-10-20 2015-02-18 浪潮电子信息产业股份有限公司 Method for automatically migrating LINUX system to WINDOWS system
CN113139176A (en) * 2020-01-20 2021-07-20 华为技术有限公司 Malicious file detection method, device, equipment and storage medium

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7721258B2 (en) * 2005-11-03 2010-05-18 Microsoft Corporation Integrated development environment with managed platform registry
CN102117286B (en) * 2009-12-30 2013-02-06 北大方正集团有限公司 Registry system and operation method thereof
CN102542182A (en) * 2010-12-15 2012-07-04 苏州凌霄科技有限公司 Device and method for controlling mandatory access based on Windows platform
CN103135947B (en) * 2013-03-26 2015-09-09 北京奇虎科技有限公司 A kind of method and apparatus showing Windows drive
CN105912952B (en) * 2016-05-04 2019-07-23 广州广电运通金融电子股份有限公司 A kind of registration list service system, method and financial self-service equipment based on Linux
US11204992B1 (en) * 2019-09-04 2021-12-21 Ca, Inc. Systems and methods for safely executing unreliable malware
CN115328580B (en) * 2022-10-13 2022-12-16 中科方德软件有限公司 Processing method, device and medium for registry operation in application migration environment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Implementation of the Windows registry in the Unix operating system; 王晨 et al.; 《通信世界》; 19990612 (No. 06); full text *

Also Published As

Publication number Publication date
CN115328580A (en) 2022-11-11
WO2024078348A1 (en) 2024-04-18

Similar Documents

Publication Publication Date Title
US9697353B2 (en) Method and device for intercepting call for service by application
CN102938039B (en) For the selectivity file access of application
US20160232374A1 (en) Permission control method and apparatus
CN110865888B (en) Resource loading method and device, server and storage medium
EP2867820B1 (en) Devices, systems, and methods for monitoring and asserting trust level using persistent trust log
WO2018176960A1 (en) Network picture displaying method, device and user terminal
WO2015062389A1 (en) Method and apparatus for uninstalling system application on terminal device
US10423471B2 (en) Virtualizing integrated calls to provide access to resources in a virtual namespace
EP3497586A1 (en) Discovery of calling application for control of file hydration behavior
CN115328580B (en) Processing method, device and medium for registry operation in application migration environment
WO2015067189A1 (en) Method and apparatus for installing application
CN112667246A (en) Application function extension method and device and electronic equipment
US8667157B2 (en) Hardware bus redirection switching
US20140282058A1 (en) Electronic device with a funiction of applying applications of different operating systems, system and method thereof
KR101170122B1 (en) System and method for executing applications stored in the external storage apparatus
CN111143089A (en) Method and device for calling third-party library dynamic lifting authority by application program
US20140282063A1 (en) System for updating icon interface with icons of different operating systems and method thereof
CN106203087B (en) Injection protection method, system, terminal and storage medium
CN114647411A (en) Programming interface loading method and device, electronic equipment and storage medium
CN107621903B (en) Double-touch-screen equipment and response control method thereof
US20140283132A1 (en) Computing application security and data settings overrides
EP3442161A1 (en) Application synchronization method and device
CN116578334B (en) User online dynamic docking method and system based on configuration
CN115454827B (en) Compatibility detection method, system, equipment and medium
CN115237688A (en) Equipment on-site detection method, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant