CN101101619A - Computer safety proxy self-guard method - Google Patents

Publication number: CN101101619A
Authority: CN (China)
Prior art keywords: service, enter, backup, time, registry entry
Legal status: Granted; Expired - Fee Related
Application number: CNA2007100252430A
Other languages: Chinese (zh)
Other versions: CN100520796C (granted publication)
Inventors: 骆宝, 赵才文, 石建春, 吴冬
Current assignee: NANJING CITY LINKAGE SYSTEM INTEGRATION CO Ltd
Original assignee: Nanjing Lianchuang Network Science & Technology Co Ltd
Priority date / filing date: 2007-07-19
Publication date: 2008-01-09 (CN101101619A); grant published 2009-07-29 (CN100520796C)

Abstract

The method protects the service process by hiding it from Task Manager. For the service entry in the service manager it forbids stopping the service and forbids changing the start type to "manual": when the service is created it is configured not to accept the stop command. Changing the start type to "manual" is prevented by restoring the registry: on first installation the installed files are backed up so that all of the security agent's files can be restored at regular intervals; on the first start of the service its registry entries are backed up; then, on every shutdown, the shutdown message is caught and the backed-up registry entries are restored. The invention resolves the coordination between upgrading a new module and repairing the agent by using self-defined registry entries as semaphores.

Description

Computer safety proxy self-guard method
Technical field
The present invention relates to methods for guarding an agent in a computer system, and in particular to a self-guard method for a computer security agent.
Background technology
The security and robustness of software matter more and more to a product. A good product should be able to recover at regular intervals and keep running soundly and stably even when it exits abnormally or is deliberately deleted by a user. That is the purpose for which this service program was developed, and around that purpose three techniques have to be understood: process hiding; backup and recovery of the service's registry entries; and automatic upgrade and repair of the agent. The process hiding mainly follows the related articles on www.rootkit.com: the kernel's process list is obtained, the node of the process to be hidden is found by its PID, and that node is unlinked from the list. Because the hiding is implemented in a kernel-mode driver, it works on every NT-family system. Only the list entry is removed; the process object and its threads stay in place and keep running, so the technique hides the process from Task Manager and other enumerators that walk that list, not from every way of finding it.
Registry backup and recovery is not itself difficult; the main question is where in the service program the action should be placed, which requires an overall grasp of the service's run flow. See the Summary of the Invention.
To keep the monitored agent from being killed, the agent must also be upgraded and repaired automatically. Upgrading replaces the agent modules that need upgrading; repairing prevents the agent's registry entries and installed files from being maliciously deleted. The problem is that a newly upgraded module may be overwritten by the repair program, so upgrade and repair have to be coordinated.
On automatic upgrade of the agent within the service: upgrading the agent is unavoidable, but the upgrade package may contain modules that cannot be upgraded while the system is running, such as xfilter.dll, the network access control module, which after boot is loaded by every program that uses the network. Such a module must be unloaded before it can be upgraded. It is unloaded by restoring the registry, and the upgrade can proceed normally only after the machine has restarted, so the best time to unload is at shutdown: the service program must catch the machine's shutdown message and perform the unloading there.
Summary of the invention
The present invention proposes a self-guard method for a computer security agent that resolves the coordination between upgrading a new module and repairing the agent, using self-defined registry entries as semaphores to coordinate module upgrade with agent repair.
The technical solution of the present invention is as follows. In the self-guard method for a computer security agent, the service process is protected in Task Manager by process hiding. For the service entry in the service manager, stopping the service and changing its start type to "manual" are both forbidden: when the service is created it is made not to accept the stop command, and changing to "manual" is prevented by restoring the registry. On first installation the installed files are backed up, and afterwards all files of the security agent are restored at regular intervals; on the first start of the service its registry entries are backed up; then, on every shutdown, the shutdown message is caught and the backed-up registry entries are restored.
Flow of the monitor service program: 1) start the monitor service; 2) load the process-hiding driver and hide the process belonging to the service; 3) determine whether this is the first start of the service: if so go to 4), otherwise go to 5); 4) back up the service's registry entries; 5) on a counter, periodically call the program that prevents the agent's files from being maliciously deleted; 6) determine whether an upgrade package is present: if so go to 7), otherwise go to 8); 7) execute the agent upgrade package; 8) monitor the agent's main program.
Operations performed by the monitor service after it catches the shutdown message: 1) the service catches the shutdown message; 2) import the backed-up registry entries of the service, to undo manual modification of the registry, and run the file recovery program, to undo manual modification of files; 3) determine whether an agent upgrade package is present: if so go to 4), otherwise go to 5); 4) unload related modules such as network access control; 5) the machine restarts.
The monitor service program repairs the agent: the service periodically repairs the agent-side programs, in order to prevent the agent's files and registry entries from being maliciously deleted.
The monitor service program can also run in Safe Mode and Safe Mode with Networking; this is achieved by modifying the registry.
The service program on which the invention is based shows up in two places at run time: Task Manager and the service manager. Process hiding protects the service process in Task Manager well, but what about the service entry in the service manager? If it is stopped, or changed to "manual", the service can no longer monitor the agent's main program, so it is necessary to forbid stopping this service and forbid changing it to "manual".
Stopping is forbidden mainly by making the service not accept the stop command when it is created. Changing to "manual" is prevented mainly by restoring the registry: the service's registry entries are backed up on the service's first start (restart), and on every shutdown the shutdown message is caught and the backed-up entries are restored, so that manual tampering with the registry cannot make the service unavailable.
A feature of the present invention: when a module such as xfilter.dll (network access control) is to be upgraded, it must be unloaded first. The unloading is done by restoring the registry, the upgrade then proceeds normally after the machine restarts, and the unloading before the upgrade is done by catching the machine's shutdown message in the service program. The parameter that allows the service to accept the shutdown message is therefore set when the service is created, so that the shutdown message can be caught. On Windows these two settings are the controls the service reports to the Service Control Manager: a service that does not report SERVICE_ACCEPT_STOP is never sent SERVICE_CONTROL_STOP, and one that reports SERVICE_ACCEPT_SHUTDOWN receives SERVICE_CONTROL_SHUTDOWN when the system shuts down.
Description of drawings
Fig. 1 is the flow chart of the monitor service program of the present invention.
Fig. 2 is the flow chart of the operations performed by the monitor service of the present invention after it catches the shutdown message.
Embodiment
Flow of the service program: this service program runs mainly in the background.
Flow chart of the monitor service program:
1. Start the monitor service;
2. Load the process-hiding driver and hide the process belonging to the service;
3. Determine whether this is the first start of the service: if so, go to 4; otherwise go to 5;
4. Back up the service's registry entries;
5. On a counter, periodically call the program that prevents the agent's files from being maliciously deleted;
6. Determine whether an upgrade package is present: if so, go to 7; otherwise go to 8;
7. Execute the agent upgrade package;
8. Monitor the agent's main program.
Operations performed by the service after it catches the shutdown message:
1. Import the backed-up registry entries of the service, to undo manual modification of the registry;
2. Determine whether an agent upgrade package is present: if so, go to 3; otherwise go to 4;
3. Unload related modules such as network access control;
4. The machine restarts.
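The two flows above (first-start registry backup, periodic file repair, shutdown-time restore, and the upgrade/repair semaphore) as an added PowerShell example; this is not the patent's code and it is not the applicant's implementation. Every name in it is an assumption: the service name 'SecAgentMonitor', the install and backup directories, the agent key under HKLM, the DWORD 'UpgradePending' used as the semaphore, and the 'LoadModules' value standing in for whatever registration the patent restores to unload xfilter.dll.

```powershell
# Added example, not the patent's code. Hypothetical names throughout.
$ServiceName = 'SecAgentMonitor'
$ServiceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$AgentKey    = 'HKLM:\SOFTWARE\SecAgent'
$InstallDir  = 'C:\Program Files\SecAgent'
$BackupDir   = 'C:\ProgramData\SecAgent\backup'
$FileBackup  = Join-Path $BackupDir 'files'
$RegBackup   = Join-Path $BackupDir 'service-key.xml'
$UpgradePkg  = Join-Path $InstallDir 'upgrade\package.zip'

# Values that decide whether and how the service starts. 'Start' is the one the
# Services console changes when a user switches Automatic (2) to Manual (3) or Disabled (4).
$GuardedValues = 'Type', 'Start', 'ErrorControl', 'ImagePath', 'ObjectName', 'DisplayName'

# Installation time: keep a pristine copy of the installed files for later repair.
function Backup-AgentFiles {
    New-Item -ItemType Directory -Path $FileBackup -Force | Out-Null
    Copy-Item -Path (Join-Path $InstallDir '*') -Destination $FileBackup -Recurse -Force
}

# Step 4 of the flow, taken only on the first start (no backup exists yet).
function Backup-ServiceRegistry {
    if (Test-Path $RegBackup) { return }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $props = Get-ItemProperty -Path $ServiceKey
    $snapshot = @{}
    foreach ($name in $GuardedValues) {
        if ($null -ne $props.$name) { $snapshot[$name] = $props.$name }
    }
    $snapshot | Export-Clixml -Path $RegBackup
}

# Shutdown step 2: put back every guarded value that differs from the snapshot,
# e.g. a Start that was switched to 3 (Manual) while the service was running.
function Restore-ServiceRegistry {
    $snapshot = Import-Clixml -Path $RegBackup
    $current  = Get-ItemProperty -Path $ServiceKey
    foreach ($name in $snapshot.Keys) {
        if ("$($current.$name)" -ne "$($snapshot[$name])") {
            Set-ItemProperty -Path $ServiceKey -Name $name -Value $snapshot[$name]
        }
    }
}

# Step 5 (on a timer) and shutdown step 2: copy back files that are missing or
# whose SHA-256 no longer matches the install-time copy. 'UpgradePending' is the
# semaphore: while it is set, repair must not overwrite freshly upgraded modules.
function Repair-AgentFiles {
    $flag = (Get-ItemProperty -Path $AgentKey -ErrorAction SilentlyContinue).UpgradePending
    if ($flag -eq 1) { return }
    Get-ChildItem -Path $FileBackup -Recurse -File | ForEach-Object {
        $relative = $_.FullName.Substring($FileBackup.Length).TrimStart('\')
        $target   = Join-Path $InstallDir $relative
        $intact   = (Test-Path $target) -and
                    ((Get-FileHash -Path $target -Algorithm SHA256).Hash -eq
                     (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash)
        if (-not $intact) {
            New-Item -ItemType Directory -Path (Split-Path -Parent $target) -Force | Out-Null
            Copy-Item -Path $_.FullName -Destination $target -Force
        }
    }
}

# Shutdown steps 2 to 5. A module loaded into every networked process cannot be
# replaced now, so only its registration is removed; the file is swapped after reboot.
function Invoke-ShutdownHandler {
    Restore-ServiceRegistry
    Repair-AgentFiles
    if (Test-Path $UpgradePkg) {
        New-Item -Path $AgentKey -Force | Out-Null
        # Raise the semaphore: repair stands down until the upgrade clears it.
        New-ItemProperty -Path $AgentKey -Name 'UpgradePending' -Value 1 -PropertyType DWord -Force | Out-Null
        # Hypothetical registration value for the network access control module;
        # removing it keeps the module from loading at the next boot.
        Remove-ItemProperty -Path $AgentKey -Name 'LoadModules' -ErrorAction SilentlyContinue
    }
    # Step 5, the restart, is the shutdown already in progress.
}

# Step 7 ends by lowering the semaphore so that repair resumes with the new files.
function Complete-AgentUpgrade {
    Backup-AgentFiles      # the upgraded files become the new reference copy
    Remove-ItemProperty -Path $AgentKey -Name 'UpgradePending' -ErrorAction SilentlyContinue
}

# Check for the "forbid stop" part: a service that does not report SERVICE_ACCEPT_STOP
# shows CanStop = False, and the Services console greys out its Stop button.
function Test-StopProtection {
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    [pscustomobject]@{ Name = $svc.Name; CanStop = $svc.CanStop; CanShutdown = $svc.CanShutdown }
}
```

All of this needs to run as LocalSystem or an administrator, since it writes under HKLM and Program Files. The semaphore is the point of the example: without it, a repair pass that fires between the reboot and the end of step 7 would copy the old module back over the upgraded one, which is exactly the conflict the patent describes.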
The flow charts describe the whole workflow of the monitor service program well; the emphases are the hiding of the service itself and the way the agent's upgrade is handled. The whole service is developed around guarding the agent process, so everything the service does concerns the agent and the service's own resistance to being killed; the concrete actions are explained in detail in the Summary of the Invention.
The monitor service program repairs the agent: the service periodically repairs the agent-side programs, in order to prevent the agent's files and registry entries from being maliciously deleted.
The monitor service program can also run in Safe Mode and Safe Mode with Networking, mainly by modifying the registry. The relevant registry keys are the following; a service is started in Safe Mode when a subkey named after it exists there:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\
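The Safe Mode registration described above, as an added PowerShell example that is not the patent's code, together with the audit an administrator would run against the same keys. The service name 'SecAgentMonitor' is an assumption.

```powershell
# Added example, not the patent's code. The service name is hypothetical.
$ServiceName  = 'SecAgentMonitor'
$SafeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

# In Safe Mode Windows starts only the services and drivers that have a subkey named
# after them under Minimal or Network; the key's default value is 'Service' or 'Driver'.
function Register-SafeBootService {
    param([string]$Name = $ServiceName)
    foreach ($mode in 'Minimal', 'Network') {
        $key = Join-Path $SafeBootRoot "$mode\$Name"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name '(default)' -Value 'Service'
    }
}

# The defensive counterpart: a service entry here survives Safe Mode troubleshooting,
# so every entry of kind 'Service' should map to a service the administrator expects.
function Get-SafeBootServiceEntries {
    foreach ($mode in 'Minimal', 'Network') {
        Get-ChildItem -Path (Join-Path $SafeBootRoot $mode) | ForEach-Object {
            $name = $_.PSChildName
            [pscustomobject]@{
                Mode      = $mode
                Name      = $name
                Kind      = (Get-ItemProperty -Path $_.PSPath).'(default)'
                Installed = [bool](Get-Service -Name $name -ErrorAction SilentlyContinue)
                ImagePath = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue).ImagePath
            }
        } | Where-Object { $_.Kind -eq 'Service' }
    }
}
```

Register-SafeBootService needs an elevated session. Get-SafeBootServiceEntries does not; compare its output against a baseline taken from a clean build of the same Windows version, and treat any 'Service' entry whose ImagePath points outside the Windows directory as something to explain.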
With the above techniques the agent process can be protected effectively, and the service program itself can be protected as well.

Claims (2)

1. A self-guard method for a computer security agent, in which the service process is protected in Task Manager by process hiding, characterized in that, for the service entry in the service manager, stopping the service and changing its start type to "manual" are forbidden: when the service is created it is made not to accept the stop command; and changing to "manual" is prevented by restoring the registry, whereby on first installation the installed files are backed up and afterwards all files of the security agent are restored at regular intervals, on the first start of the service its registry entries are backed up, and then on every shutdown the shutdown message is caught and the backed-up registry entries are restored;
the monitor service program: 1) starts the monitor service; 2) loads the process-hiding driver and hides the process belonging to the service; 3) determines whether this is the first start of the service: if so goes to 4), otherwise goes to 5); 4) backs up the service's registry entries; 5) on a counter, periodically calls the program that prevents the agent's files from being maliciously deleted; 6) determines whether an upgrade package is present: if so goes to 7), otherwise goes to 8); 7) executes the agent upgrade package; 8) monitors the agent's main program.
2. The self-guard method for a computer security agent according to claim 1, characterized in that the operations performed by the monitor service after it catches the shutdown message are: 1) the service catches the shutdown message; 2) the backed-up registry entries of the service are imported, to undo manual modification of the registry, and the file recovery program is run, to undo manual modification of files; 3) it is determined whether an agent upgrade package is present: if so go to 4), otherwise go to 5); 4) related modules such as network access control are unloaded; 5) the machine restarts.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CNB2007100252430A | 2007-07-19 | 2007-07-19 | Computer safety proxy self-guard method (granted as CN100520796C; Expired - Fee Related)

Publications (2)

Publication Number | Publication Date
CN101101619A | 2008-01-09
CN100520796C | 2009-07-29

Family

ID=39035891; one family application, CNB2007100252430A; country status: CN only.

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN103164668A * | 2011-12-08 | 2013-06-19 | 北大方正集团有限公司 | Method and device for protecting safety of electronic exhibition equipment
CN102968359A * (granted as CN102968359B, 2015-11-04) | 2012-11-13 | 2013-03-13 | 福建升腾资讯有限公司 | Registry transparent penetration method under disc protection system
CN104156653A * | 2014-08-07 | 2014-11-19 | 深圳鼎瑄通讯科技有限公司 | Application protection method and device of mobile terminal
CN106020895A * (granted as CN106020895B, 2020-04-03, assignee 珠海豹趣科技有限公司) | 2016-05-27 | 2016-10-12 | 北京金山安全软件有限公司 | Application program starting method and user terminal


Legal Events

Date | Code | Title | Description
2008-01-09 | C06 / PB01 | Publication |
| C10 / SE01 | Entry into substantive examination |
2009-07-29 | C14 / GR01 | Grant of patent or utility model |
2010-05-21 | ASS | Succession or assignment of patent right | Owner name: NANJING LIANCHUANG TECHNOLOGY (GROUP) STOCK CO., L; former owner: NANJING LIANCHUANG NETWORKS TECHNOLOGY CO., LTD.
2010-05-21 | C41 / COR | Transfer of patent right; change of bibliographic data | Address corrected from 211100 No.68 Tushan Road, Jiangning District, Nanjing City, Jiangsu Province to 210013 16/F, No.12, Dinghuaimen, Nanjing City, Jiangsu Province
2010-05-21 | TR01 | Transfer of patent right | Patentee before: Nanjing Lianchuang Network Science & Technology Co., Ltd. (211100, 68 Tushan Road, Jiangning District, Nanjing, Jiangsu); patentee after: Nanjing City Linkage System Integration Co., Ltd. (210013, 16th floor, No. 12 Dinghuaimen, Nanjing, Jiangsu)
2021-07-19 | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 2009-07-29; termination date: 2021-07-19