Summary of the invention
The problem the present invention solves is this: existing virus-killing technology mostly kills viruses by relying on a virus database, which consumes computer system resources; the virus database must be updated regularly, so the computer's protection against viruses is passive, and it has no defence against newly emerging viruses at the moment they first appear.
Technical scheme of the present invention: a computer virus automatic protection method that takes the human immune system as its model. A guard process is built and installed in the computer. By monitoring new programs, reverse engineering them, identifying diffusive copy statements and obtaining their copy destination paths, and creating high-privilege antibody files, the guard process simulates the BCR homology judgement, the MHC II peptide presentation and the automatic antibody release by B cells of the human immune system, and thereby makes the computer immune to viruses. The guard process runs on a single machine under any Windows version from Windows 2000 onward, and comprises the following steps:
1) Monitoring new programs: the guard process configures the registry so that the guard process is the open method of every COM and EXE program; the guard process is thus activated whenever a COM or EXE program is opened. It learns the file path and name of the opened program from the Command start-up parameter and stores it in the variable filepath. The guard process then calls the Wintrust.dll shipped with the Windows system to judge whether the newly run COM or EXE program carries a legal, untampered, unexpired digital signature. If the check passes, the program is released to run; if not, the program is temporarily detained as a suspicious program and is not allowed to run, and the path of the suspended COM or EXE program is passed within the guard process by a DDE message to the next processing flow;
2) Reverse engineering: an unpacking program is provided for the guard process to call. The guard process calls the external unpacking program with the received filepath as the start-up parameter; the unpacking program returns to the guard process the address where the unpacked copy of the suspicious program is stored, and this address is stored in the variable UnpackedPath. The guard process replaces the OPCODE bytes of the suspicious program recorded at UnpackedPath with the corresponding assembler code, thereby disassembling the suspicious program; the disassembly result is stored temporarily and automatically. The guard process then automatically searches the disassembly result for all "CALL DWORD PTR [XXXXXXX]" statements, i.e. all subroutine call statements in the disassembled code of the unpacked suspicious program, where [XXXXXXX] represents assembly code. Whenever a "CALL DWORD PTR [XXXXXXX]" statement is found, it searches upward from that instruction for "Push" statements within the interval up to the previous "CALL DWORD PTR [XXXXXXX]"; if two Push statements are found in the interval between the two subroutine call statements, the two Push statements found are determined to form, together with the first "CALL DWORD PTR [XXXXXXX]" statement searched, a copy statement. The guard process records the addresses of these two push statements, locates the Push destination address of each, determines from that push destination address the hexadecimal encoded data of the suspicious program corresponding to the address, converts the hexadecimal data into plaintext Unicode strings, and saves the Unicode strings in the array push(n) in the order in which they occur in the suspicious program;
The guard process judges: if the returned array push(n) is in the standard program file path format, the copy statement found is judged to be a copy of an executable program file. The above process of intercepting the suspected copy command (subroutine call statement, then converting the target address to hexadecimal, then further converting it to Unicode, then judging whether it is a copy statement) is carried out repeatedly; the disassembled code of the suspicious program is traversed and all copy statements encountered are collected; push(n) is saved for further processing;
3) Diffusive-copy judgement: define a score variable Count with initial value 0. In the push(n) array, of every two Push destination addresses, the former is the original path and the latter is the destination path of the copy. For each original path that is the suspicious program's own path, Count+10; for each destination path that is a removable device or LAN storage, which is obvious diffusive propagation copying, Count+40; for each destination path that is the Windows system directory, which is residence inside the system, Count+5;
If Count exceeds 100, it is counted as 100 points;
A threshold for diffusive copying is set; the threshold corresponds to the security level of the guard process, and the smaller the threshold, the higher the protection level. If Count is higher than the threshold (and at most 100), the program is judged to perform diffusive copying; otherwise, if Count is below the threshold, the copying is non-diffusive, the freezing of the related suspicious program is released and it is allowed to run;
A program judged to be diffusive enters the next step immediately;
4) Creating a high-privilege folder of the same name: the guard process performs folder creation operations, creating a folder at every diffusive-copy destination path possessed by the diffusive program; the folder has the same name as the file at the suspicious program's copy destination path. The folder is set to hidden by modifying the file attribute with the method available in VB, and through the API calls of advapi32 and Kernel32 a temporary system-privilege user "SysUser" is created; the hidden folder just created is set to "SysUser" privilege, i.e. system user privilege;
5) Virus errors and exits: after step 4) is executed, the freezing of the detained suspicious program is released and it is allowed to run. When the suspicious program that performs diffusive copying executes its file copy instruction, it encounters the folder of the same name created in step 4), i.e. the high-privilege antibody file; a RuntimeError occurs and various error dialog boxes pop up. After the error dialog box pops up, the suspicious program, owing to the characteristics of the Microsoft operating system, errors out and is terminated by the operating system;
Through the above steps, automatic protection of the computer against viruses is realized.
In step 3), the removable storage and network storage among the copy targets are judged by traversing the computer's hard disk drive letters or via the Kernel32 API.
In step 4), the guard process deletes the temporary file of the suspicious program produced by unpacking.
The present invention takes as its model the way the human immune system immunizes against bacteria and viruses, and applies computer principles such as program disassembly, code conversion, PE file analysis and run-time errors on the basis of that immune model. It achieves a virus-feature-database-free, purely single-machine architecture that needs no networked upgrades; like MHC II in the human immune system it analyses viruses intelligently, and imitating B cells it automatically generates antibody files, causing the computer virus to error out and be terminated by the operating system, so that the single machine possesses self-immunity.
Compared with the prior art, the present invention has no virus database, needs no manual scanning and no networked virus database updates; it automatically makes antibodies against computer rogue programs (commonly called viruses), intercepts them effectively, and gives the computer active defence capability against viruses. In testing, the interception rate on the viruses tested reached more than 99.7%; in the certification test results of the Software Product Inspection Center of the Jiangsu Province Information Industry Department, a program written with the method of the invention intercepted all computer viruses tested on site.
Embodiment
As shown in Fig. 1 and Fig. 2, the present invention takes the human immune system as its model. A guard process is built and installed in the computer. By monitoring new programs, reverse engineering them, identifying diffusive copy statements and obtaining their copy destination paths, and creating high-privilege antibody files, the guard process simulates the BCR homology judgement, the MHC II peptide presentation and the automatic antibody release by B cells of the human immune system, and thereby makes the computer immune to viruses. The method comprises the following steps:
1) Monitoring new programs: the guard process configures the registry so that the guard process is the open method of every COM and EXE program; the guard process is thus activated whenever a COM or EXE program is opened. When the guard process is installed, the open method of *.Exe and *.Com is set automatically by file association, and the registry entry value is changed to the path of the associated guard process. In this way, no EXE or COM program runs directly through the operating system; all run through the guard process, with the guard process itself excluded so that it can be opened directly by the operating system.
For example, the open method of every COM and EXE program is associated with the path of the guard process:
Detailed process: change the "(Default)" value of "My Computer HKEY_LOCAL_MACHINE ... command" to the guard process path "XXX\guard process name.exe";
Next, the file path and name of the opened program are learned from the Command start-up parameter and stored in the variable filepath; the Command start-up parameter returns the argument portion of the command line and is a basic function of programs developed in VB. The guard process then calls the Wintrust.dll shipped with the Windows system to judge whether the newly run COM or EXE program carries a legal, untampered, unexpired digital signature. If the check passes, the program is released to run; if not, the program is temporarily detained as a suspicious program and is not allowed to run, and the path of the suspended COM or EXE program is passed within the guard process by a DDE message to the next processing flow;
2) Reverse engineering: an unpacking program is provided for the guard process to call. The guard process calls the external unpacking program with the received filepath as the start-up parameter; the unpacking program returns to the guard process the address where the unpacked copy of the suspicious program is stored, and this address is stored in the variable UnpackedPath. The guard process replaces the OPCODE bytes of the suspicious program recorded at UnpackedPath with the corresponding assembler code, thereby disassembling the suspicious program; the disassembly result is stored temporarily and automatically. The guard process then automatically searches the disassembly result for all "CALL DWORD PTR [XXXXXXX]" statements, i.e. all subroutine call statements in the disassembled code of the unpacked suspicious program, where [XXXXXXX] represents assembly code. Whenever a "CALL DWORD PTR [XXXXXXX]" statement is found, it searches upward from that instruction for "Push" statements within the interval up to the previous "CALL DWORD PTR [XXXXXXX]"; if two Push statements are found in the interval between the two subroutine call statements, the two Push statements found are determined to form, together with the first "CALL DWORD PTR [XXXXXXX]" statement searched, a copy statement. The guard process records the addresses of these two push statements, locates the Push destination address of each, determines from that push destination address the hexadecimal encoded data of the suspicious program corresponding to the address, converts the hexadecimal data into plaintext Unicode strings, and saves the Unicode strings in the array push(n) in the order in which they occur in the suspicious program;
The guard process judges: if the returned array push(n) is in the standard program file path format, the copy statement found is judged to be a copy of an executable program file. The above process of intercepting the suspected copy command (subroutine call statement, then converting the target address to hexadecimal, then further converting it to Unicode, then judging whether it is a copy statement) is carried out repeatedly; the disassembled code of the suspicious program is traversed and all copy statements encountered are collected; push(n) is saved for further processing;
3) Diffusive-copy judgement: define a score variable Count with initial value 0. In the push(n) array, of every two Push destination addresses, the former is the original path and the latter is the destination path of the copy. For each original path that is the suspicious program's own path, Count+10; for each destination path that is a removable device or LAN storage, which is obvious diffusive propagation copying, Count+40; for each destination path that is the Windows system directory, which is residence inside the system, Count+5;
If Count exceeds 100, it is counted as 100 points;
A threshold for diffusive copying is set; the threshold corresponds to the security level of the guard process, and the smaller the threshold, the higher the protection level. If Count is higher than the threshold (and at most 100), the program is judged to perform diffusive copying; otherwise, if Count is below the threshold, the copying is non-diffusive, the freezing of the related suspicious program is released and it is allowed to run;
A program judged to be diffusive enters the next step immediately;
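As an added illustration of steps 2) and 3) (example code written for this page, not the patent's program), the following Python script models the copy-statement search and the Count scoring over a constructed disassembly listing shaped like the walkthrough in the embodiment. Everything it consumes is constructed: SAMPLE_LISTING stands in for the disassembler's Result, SAMPLE_STRINGS stands in for reading the bytes of the unpacked program at a pushed address (the GetHex2Unicode step), and REMOVABLE_DRIVES stands in for the drive-type query the patent performs through Kernel32. One reading of the patent is built in: only PUSH operands that are module-qualified addresses are counted, so the register pushes before CALL DWORD PTR SS:[EBP+14] in the embodiment are abandoned exactly as the walkthrough does.

```python
"""Copy-statement extraction and diffusivity scoring (added example; not the patent's code).

Constructed stand-ins for the guard process's real inputs:
  SAMPLE_LISTING   - the disassembler output (Result in the embodiment)
  SAMPLE_STRINGS   - bytes the unpacked program holds at a pushed address
  REMOVABLE_DRIVES - drive letters the patent would classify via Kernel32
"""
import re

CALL_RE = re.compile(r"^\s*CALL\s+DWORD\s+PTR\b", re.IGNORECASE)
# A PUSH whose operand is a module-qualified address, e.g. "PUSH setup.0041A2D9".
PUSH_ADDR_RE = re.compile(r"^\s*PUSH\s+\w+\.([0-9A-Fa-f]{8})\s*$", re.IGNORECASE)


def utf16z(s):
    """Encode a string as the sample 'program data' stores it: UTF-16LE, NUL-terminated."""
    return s.encode("utf-16-le") + b"\x00\x00"


SAMPLE_STRINGS = {  # constructed address -> bytes table
    0x0041A2D9: utf16z("Setup.exe"),
    0x0041A282: utf16z("windows"),
    0x0041A300: utf16z(r"E:\Setup.exe"),
    0x0041A320: utf16z(r"\\FILESRV\share\Setup.exe"),
}

SAMPLE_LISTING = [  # constructed, shaped like embodiment steps 9-1 to 9-3
    "CALL DWORD PTR DS:[<&KERNEL32.GetStartupInfoA>]",  # no PUSH before it: abandoned
    "PUSH EBX",
    "PUSH ESI",
    "PUSH EDI",
    "CALL DWORD PTR SS:[EBP+14]",                       # register pushes only: abandoned
    "PUSH setup.0041A2D9",
    "PUSH setup.0041A282",
    "CALL DWORD PTR DS:[<&KERNEL32.CopyFileA>]",        # copy: Setup.exe -> windows
    "PUSH setup.0041A2D9",
    "PUSH setup.0041A300",
    "CALL DWORD PTR DS:[<&KERNEL32.CopyFileA>]",        # copy: -> removable drive
    "PUSH setup.0041A2D9",
    "PUSH setup.0041A320",
    "CALL DWORD PTR DS:[<&KERNEL32.CopyFileA>]",        # copy: -> LAN share
]

REMOVABLE_DRIVES = {"E:", "F:"}  # constructed; the patent enumerates drives at run time


def find_copy_statements(listing):
    """Step 2: for each CALL DWORD PTR, look back to the previous CALL; exactly two
    address-operand PUSHes in that interval form a copy statement (src_addr, dst_addr, call)."""
    copies, pending = [], []
    for line in listing:
        m = PUSH_ADDR_RE.match(line)
        if m:
            pending.append(int(m.group(1), 16))
        elif CALL_RE.match(line):
            if len(pending) == 2:
                copies.append((pending[0], pending[1], line.strip()))
            pending = []  # the interval ends at every CALL, matched or not
    return copies


def read_unicode_string(strings, addr):
    """The hex-to-Unicode step: fetch the bytes at addr and decode up to the NUL."""
    raw = strings.get(addr)
    return None if raw is None else raw.decode("utf-16-le").split("\x00", 1)[0]


def looks_like_path(s):
    """The patent's 'simple judgement' that a decoded string is a file path."""
    return bool(s) and re.fullmatch(r"[\w\\/:.~ -]+", s) is not None


def is_removable_or_lan(path):
    return path.startswith("\\\\") or path[:2].upper() in REMOVABLE_DRIVES


def is_system_dir(path):
    p = path.lower()
    return p == "windows" or p.startswith("windows\\") or p.startswith(r"c:\windows")


def diffusivity_count(push, self_path):
    """Step 3: score consecutive (original, destination) pairs of push(n); cap at 100."""
    count = 0
    for i in range(0, len(push) - 1, 2):
        src, dst = push[i], push[i + 1]
        if src.lower() == self_path.lower():
            count += 10   # the program copies itself
        if is_removable_or_lan(dst):
            count += 40   # obvious diffusive propagation
        elif is_system_dir(dst):
            count += 5    # residence inside the system directory
    return min(count, 100)


def analyse(listing, strings, self_path, threshold):
    """Run steps 2 and 3; return push(n), Count, the verdict and the destination paths."""
    push = []
    for src_addr, dst_addr, _call in find_copy_statements(listing):
        pair = [read_unicode_string(strings, a) for a in (src_addr, dst_addr)]
        if all(p is not None and looks_like_path(p) for p in pair):
            push.extend(pair)
    count = diffusivity_count(push, self_path)
    return {"push": push, "count": count, "diffusive": count > threshold,
            "destinations": push[1::2]}


def analyse_sample(threshold=60):
    return analyse(SAMPLE_LISTING, SAMPLE_STRINGS, "Setup.exe", threshold)


if __name__ == "__main__":
    print(analyse_sample())
```

On the sample this yields push(n) = [Setup.exe, windows, Setup.exe, E:\Setup.exe, Setup.exe, \\FILESRV\share\Setup.exe], a raw score of 115 capped to Count = 100, and a diffusive verdict at a threshold of 60; the destinations at odd indices of push(n) are the paths at which step 4) would plant its antibody folders. The coverage caveat a practitioner should keep in mind: the pattern only sees copies whose source and destination exist as literal strings in the unpacked image, so a sample that assembles its paths at run time produces an empty push(n) and a Count of 0, and the decision then rests entirely on the signature check of step 1).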
4) Creating a high-privilege folder of the same name: the guard process performs folder creation operations, creating a folder at every diffusive-copy destination path possessed by the diffusive program; the folder has the same name as the file at the suspicious program's copy destination path. For example, the suspicious program found by the guard process is called Virus.exe; if a certain diffusive copy statement copies from "Virus.exe" to "windows", the destination path of the copy is "windows", so a folder is created according to "windows", namely a folder named 2.exe under windows. After the folder is created, it is set to hidden by modifying the file attribute with the method available in VB; through the API calls of advapi32 and Kernel32 a temporary system-privilege user "SysUser" is created, and the hidden folder just created is set to "SysUser" privilege, i.e. system user privilege;
5) Virus errors and exits: after step 4) is executed, the freezing of the detained suspicious program is released and it is allowed to run. When the suspicious program that performs diffusive copying executes its file copy instruction, it encounters the folder of the same name created in step 4), i.e. the high-privilege antibody file; a RuntimeError occurs and various error dialog boxes pop up. After the error dialog box pops up, the suspicious program, owing to the characteristics of the Microsoft operating system, errors out and is terminated by the operating system;
Through the above steps, automatic protection of the computer against viruses is realized.
In step 3), removable storage and network storage are judged by traversing the computer's hard disks or via the Kernel32 API.
Further, in step 4), the guard process deletes the temporary file of the suspicious program produced by unpacking.
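As an added illustration of steps 4) and 5) (example code written for this page, not the patent's program), the following Python script shows the antibody mechanism in a portable form: a directory is created at the exact destination path of the copy, and the copy instruction then fails. A temporary directory stands in for the Windows directory and a small file stands in for the sample; the hidden attribute and the "SysUser" ownership the patent applies are Windows-specific and are left out, as is the VB run-time error dialog, so the failure surfaces here as an OSError (IsADirectoryError on POSIX, PermissionError on Windows) rather than as RuntimeError 53.

```python
"""Same-name 'antibody' folder blocking a self-copy (added example; not the patent's code).

Constructed: a temporary directory plays the Windows directory, a short file plays
the suspicious program, and "2.exe" is the destination taken from push(n).
"""
import os
import shutil
import tempfile


def plant_antibody(destination_path):
    """Step 4: create a folder with the same name as the copy destination file."""
    os.makedirs(destination_path, exist_ok=True)
    return os.path.isdir(destination_path)


def attempt_copy(src, dst):
    """The suspicious program's copy instruction; returns (succeeded, error_name)."""
    try:
        shutil.copyfile(src, dst)
        return True, None
    except OSError as exc:  # IsADirectoryError on POSIX, PermissionError on Windows
        return False, type(exc).__name__


def demo():
    """Run the copy once without and once with the antibody folder in place."""
    with tempfile.TemporaryDirectory() as root:
        system_dir = os.path.join(root, "windows")
        os.makedirs(system_dir)
        sample = os.path.join(root, "Setup.exe")        # constructed stand-in, not a PE
        with open(sample, "wb") as f:
            f.write(b"MZ constructed sample, not a real program")
        target = os.path.join(system_dir, "2.exe")      # destination from push(n)

        ok_without, _ = attempt_copy(sample, target)    # no antibody: the copy lands
        os.remove(target)

        plant_antibody(target)
        ok_with, err = attempt_copy(sample, target)     # antibody planted: copy fails
        return {
            "copy_without_antibody": ok_without,
            "copy_with_antibody": ok_with,
            "error": err,
            "antibody_intact": os.path.isdir(target),   # the folder survives the attempt
        }


if __name__ == "__main__":
    print(demo())
```

The result worth noting is antibody_intact: the failed copy neither removes nor overwrites the folder, which is what lets one planted folder keep blocking every later copy to that path. Without the ownership change the patent applies, a folder created as the current user offers no protection against deletion by a process running as that same user, which is why the SysUser step matters on a real deployment.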
A specific implementation of the present invention is described below with an embodiment. In this embodiment the guard process of the invention is named Behold.com and is a COM program.
1. A Panda Burning Incense virus sample, Setup.exe, is double-clicked and opened by the user;
2. Setup.exe is automatically run with Behold.com as its open method;
3. Behold.com is activated by the operating system with "Setup.exe" as the Command start-up parameter;
4. The SignatureCheck function in Behold.com checks the digital signature of "Setup.exe" and judges that it has no signature;
5. Behold.com sends "Setup.exe" to the guard process's PCIS|FormDDE interface;
6. The guard process obtains the suspended program path through DDE (the PCIS|FormDDE interface) and, with "Setup.exe" as the start-up parameter, automatically starts the virtual-machine unpacking SDK (VMUnpackerSDK);
7. The virtual-machine unpacking SDK (VMUnpackerSDK) returns UnpackedPath="Setup~.exe~" to the guard process's DDE (PCIS|FormDDE interface);
8. The guard process calls the clsDisAssemble class module through the disassembler call clsDisAssemble.DisAssemble("Setup~.exe~", 0) to perform the disassembly;
9. The guard process begins searching the disassembly result Result for "CALL DWORD PTR";
9-1. The guard process finds "CALL DWORD PTR DS:[<&KERNEL32.GetStartup>]" in the disassembly result Result;
9-1-1. Starting above "CALL DWORD PTR DS:[<&KERNEL32.GetStartup>]", the guard process searches upward for "push" statements until the preceding subroutine call statement;
9-1-2. The guard process finds none;
9-1-3. It abandons this call and continues;
9-2. The guard process finds "CALL DWORD PTR SS:[EBP+14]" in the disassembly result Result;
9-2-1. Starting above "CALL DWORD PTR SS:[EBP+14]", the guard process searches upward for "push" statements until the preceding subroutine call statement;
9-2-2. The guard process finds "PUSH EBX", "PUSH ESI", "PUSH EDI";
9-2-3. It abandons this call and continues;
9-3. The guard process finds "CALL DWORD PTR DS:[<&KERNEL32.copyfile>]" in the disassembly result Result;
9-3-1. Starting above "CALL DWORD PTR DS:[<&KERNEL32.copyfile>]", the guard process searches upward for "push" statements until the preceding subroutine call statement;
9-3-2. The guard process finds "PUSH setup.0041A2D9", "PUSH setup1.0041A282";
9-3-3. The guard process converts the hex code at the pushed addresses into Unicode through GetHex2Unicode(0041A2D9) and GetHex2Unicode(0041A282): Push(0)="Setup.exe", push(1)="windows".
9-3-4. The guard process makes a simple judgement and considers Push(0) and Push(1) to be file paths.
9-n. The guard process carries out the cyclic search and judgement by the above rules until all of Push(n) has been processed.
10. According to the Count accumulation algorithm in the "diffusive-copy judgement" section above, the final Count=100.
11. The guard process creates folders at the file paths in push(n) with odd n, such as "windows", raises the folder management privilege and sets them to invisible.
12. The guard process releases the freeze on "Setup.exe" through Shell "Setup.exe", vbNormalFocus and allows it to run.
13. When "Setup.exe" runs normally up to its copy statement, it encounters RuntimeError 53, pops up an error box, and subsequently exits.