CN101388061A - Progress protection technology based on Windows system remote thread monitor - Google Patents

Info

Publication number
CN101388061A
Authority
CN
China
Prior art keywords
thread
protection
remote thread
progress
windows system
Prior art date
Legal status
Granted
Application number
CN 200810158471
Other languages
Chinese (zh)
Other versions
CN101388061B (en)
Inventor
景新海
程建平
刘江宁
刘靖
刘宗福
刘庆良
刘春�
石磊
Current Assignee
CVIC Software Engineering Co Ltd
Original Assignee
CVIC Software Engineering Co Ltd
Priority date
2008-11-05
Filing date
2008-11-05
Publication date
2009-03-18

Abstract

The invention relates to a process protection technique based on Windows remote thread monitoring, namely the process protection mechanism of the InforGuard web page anti-tamper system middleware, which is based on the thread injection technique. The process protection mechanism comprises two steps: first, performing remote thread injection; second, applying process control. The invention provides a technical scheme that skilfully applies the stealth of remote thread injection to process protection, which solves the stealth problem in process protection applications while also taking into account the technical difficulty and stability of the implementation.

Description

Progress protection technology based on the Windows system remote thread monitor
Technical field
The present invention relates to a process protection technology based on Windows remote thread monitoring, namely the process protection mechanism of the InforGuard web page anti-tamper system middleware, which is based on the thread injection technique.
Background technology
In Windows, an ordinary non-system process can be forcibly terminated by system management tools or by other ordinary processes. A security product therefore sometimes needs to protect its own processes so that they cannot be maliciously terminated.
The process protection technologies currently available on Windows are briefly analysed as follows:
1. Dual-process guarding mechanism
Two processes are started in the same system and guard each other: when one exits abnormally, the other restarts it. This mechanism has some value for handling system exceptions, but it is ineffective against malicious destruction of the processes.
2. Desktop process mechanism
By modifying the Windows logon routine library, an application can be started before system logon; such a process is called a desktop process. Compared with a user process, a desktop process belongs to the system processes and cannot be forcibly closed by the usual means such as Task Manager. However, this method is complicated to implement and easily causes damage at the system level.
3. Driver-based hidden process mechanism
In this approach a driver is written and run to modify the system process list in kernel mode, hiding the information of the process that needs protection. The protection effect of this approach is good, but the technical difficulty is high, and a failure easily causes a system crash.
Summary of the invention
The purpose of the present invention is to address the above deficiencies by providing a scheme that skilfully applies the stealth of remote thread injection to process protection. This scheme solves the stealth problem in process protection applications while also taking into account the technical difficulty and stability of the implementation.
The invention first uses Windows system API calls to implement remote thread code injection, that is, a section of user-specified code runs as a thread inside the address space of another, already existing process, so that the code is hidden. This hidden code then guards the protected target process; once it finds that the target process has been destroyed, it restarts the target process.
The present invention is realised by the following technology: a process protection technology based on Windows remote thread monitoring, comprising the following steps:
Step one: implement remote thread injection;
Step two: apply process control.
Implementing remote thread injection is realised as follows:
First, perform remote thread injection. When the process implementing the protection (or the protected process itself) starts, it looks in the current system for a host process into which a remote thread can be injected; a section of code in this process, defined as the remote thread, is started as a thread in the host process's address space. This is called remote thread injection. The host process must be a continuously running process; otherwise, once the host process exits, the injected thread ends as well.
Then, set the protection information. After starting the remote thread, the protection process informs the remote thread, by writing to the remote thread's data area, of the process information to be protected and the corresponding policies, such as the detection interval and the retry policy when the protected process fails to start;
Finally, finish the protection. The protection process stops running, and only the remote thread keeps running to perform the process protection function. When the protection function is no longer needed, the protection process is started again and notifies the remote thread to end its operation, thereby ending the protection.
Performing the remote thread injection is realised as follows:
First, create the thread function body and fill in the thread parameters and code;
Then, copy the thread code into the target process address space or into another executable location of the host process (for example, a shared memory mapping section). When the thread body is copied into the host process, the VirtualAllocEx function is used to request a memory area in the host process, and the thread code is then written into the host process with the WriteProcessMemory function.
Finally, create the remote thread in the host process with the CreateRemoteThread function.
Applying process control is realised as follows:
First, detect process existence. The remote thread runs continuously and periodically checks the running state of the protected process, mainly by enumerating the process list of the current system with the system function EnumProcesses and checking whether the protected process exists;
Second, detect the process control state: obtain the currently set state of the protected process from the thread data area and evaluate it;
Finally, control the process according to the process state and the thread data: if the running state determined above is "not started" and the currently set state is "start", perform the start procedure; if the running state is "started" and the currently set state is "stop", perform the stop procedure; otherwise, take no action.
The present invention uses a remote thread to detect the running state of the protected process and can flexibly control the running state of the protected process according to a process state set externally. This process protection method skilfully combines the concealment of the remote thread with process state control, and meets the security needs of process protection. The remote thread injection technique is easy to implement and its security is easy to control, while its concealment is good; against malicious destruction of the process it achieves the purpose of protecting the process.
Description of drawings
Fig. 1 is a flow chart of implementing remote thread injection in an embodiment of the invention;
Fig. 2 is a flow chart of applying process control in an embodiment of the invention.
Embodiment
Embodiments of the present invention are described in detail below.
A process protection technology based on Windows remote thread monitoring is realised as follows. It is divided into two steps in total: one is implementing remote thread injection, as in Fig. 1; two is applying process control, as in Fig. 2.
As shown in Figure 1, the first step, implementing remote thread injection, is realised as follows:
First, in step 101, perform remote thread injection. Performing remote thread injection is realised as follows:
First, create the thread function body and fill in the thread parameters and code.
Then, copy the thread code into the target process address space (this address must be in a page whose page attribute is PAGE_EXECUTE_READWRITE) or into another executable location of the host process (for example, a shared memory mapping section). When the thread body is copied into the host process, the VirtualAllocEx function is used to request a memory area in the host process, and the thread code is then written into the host process with the WriteProcessMemory function.
Finally, create the remote thread in the host process with the CreateRemoteThread function.
Then, in step 102, set the protection information. After starting the remote thread, the protection process informs the remote thread, by writing to the remote thread's data area, of the process information to be protected and the corresponding policies, such as the detection interval and the retry policy when the protected process fails to start.
Finally, in step 103, finish the protection. The protection process stops running, and only the remote thread keeps running to perform the process protection function. When the protection function is no longer needed, the protection process is started again and notifies the remote thread to end its operation, thereby ending the protection.
As shown in Figure 2, applying process control is realised as follows:
First, in step 201, detect process existence. The remote thread runs continuously and periodically checks the running state of the protected process.
Then, in step 202, detect the process control state: obtain the currently set state of the protected process from the thread data area and evaluate it.
Finally, in step 203, control the process according to the process state and the thread data: if the running state determined above is "not started" and the currently set state is "start", perform the start procedure; if the running state is "started" and the currently set state is "stop", perform the stop procedure; otherwise, take no action.
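As an added, constructed illustration (not the patent's or InforGuard's code) of the monitoring loop in steps 201 to 203 and of the summary's process control step, the following Python models the remote thread's decision logic: a process snapshot stands in for EnumProcesses, the ThreadData class stands in for the thread data area written in step 102 (including the detection interval and the start-failure retry policy), and the start and stop callbacks are assumed stubs.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class ThreadData:
    """Stand-in for the data area the protection process writes into the remote thread (step 102)."""
    protected_name: str            # name of the protected process
    set_state: str                 # externally set state: "start" or "stop"
    check_interval_s: int = 5      # detection interval a real loop would sleep between ticks
    max_start_retries: int = 3     # retry policy when the protected process fails to start
    failed_starts: int = 0         # retry counter maintained by the watchdog


def process_exists(snapshot: List[Dict[str, object]], name: str) -> bool:
    """Step 201: stand-in for EnumProcesses() plus a name lookup over a process snapshot."""
    return any(str(p["name"]).lower() == name.lower() for p in snapshot)


def decide(running: bool, set_state: str) -> str:
    """Step 203 decision table: returns 'start', 'stop' or 'none'."""
    if not running and set_state == "start":
        return "start"
    if running and set_state == "stop":
        return "stop"
    return "none"              # running state already matches the setting


def watchdog_tick(snapshot: List[Dict[str, object]], data: ThreadData,
                  start_proc: Callable[[str], bool],
                  stop_proc: Callable[[str], bool]) -> str:
    """One iteration of the monitoring loop (steps 201-203); returns the action taken."""
    running = process_exists(snapshot, data.protected_name)      # step 201
    action = decide(running, data.set_state)                     # steps 202-203
    if action == "start":
        if data.failed_starts >= data.max_start_retries:
            return "gave_up"       # retry policy exhausted: stop retrying the launcher
        if start_proc(data.protected_name):
            data.failed_starts = 0
            return "start"
        data.failed_starts += 1
        return "start_failed"
    if action == "stop":
        stop_proc(data.protected_name)
    return action


def run_demo() -> List[str]:
    """Constructed scenario: protected process missing, launcher failing, then recovery and stop."""
    snapshot = [{"pid": 4, "name": "System"}, {"pid": 620, "name": "svchost.exe"}]
    data = ThreadData(protected_name="guard.exe", set_state="start", max_start_retries=2)
    actions = [watchdog_tick(snapshot, data, lambda n: False, lambda n: True)
               for _ in range(4)]
    data.failed_starts = 0                 # operator resets the counter; launcher now works
    actions.append(watchdog_tick(snapshot, data, lambda n: True, lambda n: True))
    snapshot.append({"pid": 1234, "name": "guard.exe"})   # next snapshot shows it running
    actions.append(watchdog_tick(snapshot, data, lambda n: True, lambda n: True))
    data.set_state = "stop"                # external setting flips to stop
    actions.append(watchdog_tick(snapshot, data, lambda n: True, lambda n: True))
    return actions


if __name__ == "__main__":
    print(run_demo())
```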

Claims (5)

1. A process protection technology based on Windows remote thread monitoring, characterised in that it comprises the following steps:
Step one: implement remote thread injection;
Step two: apply process control.
2. The process protection technology based on Windows remote thread monitoring according to claim 1, characterised in that implementing remote thread injection is realised as follows:
First, perform remote thread injection;
Then, set the protection information: after starting the remote thread, the protection process informs the remote thread, by writing to the remote thread's data area, of the process information to be protected and the corresponding policies;
Finally, finish the protection: the protection process stops running, and only the remote thread keeps running to perform the process protection function; when the protection function is no longer needed, the protection process is started again and notifies the remote thread to end its operation, thereby ending the protection.
3. The process protection technology based on Windows remote thread monitoring according to claim 1 or 2, characterised in that performing remote thread injection is realised as follows:
First, create the thread function body and fill in the thread parameters and code;
Then, copy the thread code into the target process address space or into another executable location of the host process;
Finally, create the remote thread in the host process with the CreateRemoteThread function.
4. The process protection technology based on Windows remote thread monitoring according to claim 3, characterised in that the target address space is a page whose page attribute is PAGE_EXECUTE_READWRITE.
5. The process protection technology based on Windows remote thread monitoring according to claim 1, characterised in that applying process control is realised as follows:
First, detect process existence: the remote thread runs continuously and periodically checks the running state of the protected process;
Second, detect the process control state: obtain the currently set state of the protected process from the thread data area and evaluate it;
Finally, control the process according to the process state and the thread data: if the running state determined above is "not started" and the currently set state is "start", perform the start procedure; if the running state is "started" and the currently set state is "stop", perform the stop procedure; otherwise, take no action.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200810158471 CN101388061B (en) 2008-11-05 2008-11-05 Progress protection technology based on Windows system remote thread monitor

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200810158471 CN101388061B (en) 2008-11-05 2008-11-05 Progress protection technology based on Windows system remote thread monitor

Publications (2)

Publication Number Publication Date
CN101388061A true CN101388061A (en) 2009-03-18
CN101388061B CN101388061B (en) 2011-02-09

Family

ID=40477477

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200810158471 Active CN101388061B (en) 2008-11-05 2008-11-05 Progress protection technology based on Windows system remote thread monitor

Country Status (1)

Country Link
CN (1) CN101388061B (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101630351B (en) * 2009-06-04 2012-10-03 中国人民解放军理工大学指挥自动化学院 Method for enhancing safety of Oracle database server by utilizing progress infusion and TNS protocol analysis
CN102436404B (en) * 2011-08-24 2013-08-14 苏州阔地网络科技有限公司 Daemon implementing method
CN102436404A (en) * 2011-08-24 2012-05-02 苏州阔地网络科技有限公司 Daemon implementing method
WO2014153998A1 (en) * 2013-03-25 2014-10-02 Tencent Technology (Shenzhen) Company Limited Method for controlling process of application and computer system
CN103699498A (en) * 2013-11-25 2014-04-02 南京大学 Application key data protection system and protection method
CN103699498B (en) * 2013-11-25 2016-08-31 南京大学 A kind of application program critical data protection system and guard method thereof
CN106708556A (en) * 2016-07-19 2017-05-24 腾讯科技(深圳)有限公司 Data displaying method and device
CN106293967A (en) * 2016-08-03 2017-01-04 武汉斗鱼网络科技有限公司 A kind of method and system of long-range injecting codes
CN106682512A (en) * 2016-11-25 2017-05-17 腾讯科技(深圳)有限公司 Method, device and system for preventing programs from being corrected
CN106682512B (en) * 2016-11-25 2020-07-28 腾讯科技(深圳)有限公司 Method, device and system for preventing program from being modified
CN107194248A (en) * 2017-04-21 2017-09-22 百度在线网络技术(北京)有限公司 Crack down upon evil forces objective abduction method, device, equipment and the storage medium of automatic driving vehicle
CN109190412A (en) * 2018-09-17 2019-01-11 杭州安恒信息技术股份有限公司 The detection method and device of webpage tamper
CN110855705A (en) * 2019-11-23 2020-02-28 赣南师范大学 Non-port hidden communication method facing network attack and protection
CN114816546A (en) * 2022-04-28 2022-07-29 合肥高维数据技术有限公司 Client application program multi-keep-alive method and system

Also Published As

Publication number Publication date
CN101388061B (en) 2011-02-09

Similar Documents

Publication Publication Date Title
CN101388061B (en) Progress protection technology based on Windows system remote thread monitor
CN102103676B (en) Method for protecting Java program progress based on inheritance relationship among progresses
CN103530118B (en) Method and device for loading user-defined DLL into target progress
CN1795439B (en) Security system and method for computer operating systems
US8468522B2 (en) Virtual machine system, system for forcing policy, method for forcing policy, and virtual machine control program
US9298474B2 (en) System and method for managing a floating window
CA2444685A1 (en) System and method for improving the efficiency, comfort, and/or reliability in operating systems, such as for example windows
CN102592077A (en) Providing a security boundary
US20110023007A1 (en) Associating Workflows With Code Sections In A Document Control System
CN1506813A (en) Reliably and safelf refreshing and recovering firmware from large scale memory equipment
CN100472464C (en) Data back-up system and method and system load-bearing apparatus
CN104715209A (en) Outgoing document encryption protection method
US10007785B2 (en) Method and apparatus for implementing virtual machine introspection
CN103002342A (en) Method and system for protecting television camera
WO2015112094A2 (en) Method of file system design and failure recovery with non-volatile memory
CN102722663A (en) Handheld smart device data security protection method
CN103885869A (en) Substrate management controller safety protection system and method
CN102147751B (en) Communication method among multiple processes
CN1936853A (en) Data cut-off protection and repairing method of inlaid apparatus
CN101236499A (en) Method for embedding inner core drive program in Window operation system by USB apparatus start-up
JP2010129095A (en) Data protection method and computer apparatus
CN101236498B (en) Method for embedding inner core drive program in Window operation system by PCI card start-up
CN113296654B (en) Data processing method, device, electronic equipment and storage medium
CN106155713B (en) Startup information management method and device
CN109902490B (en) Linux kernel level file system tamper-proof application method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant