CN102110214A - Method and device for preventing viruses in mobile memory from infecting computer - Google Patents

Info

Publication number
CN102110214A
CN102110214A
Authority
CN
China
Prior art keywords
program
removable memory
file
onrelease
button
Prior art date
Legal status
Granted
Application number
CN2011100907509A
Other languages
Chinese (zh)
Other versions
CN102110214B (en
Inventor
姚志浩
Current Assignee
Individual
Original Assignee
Individual
Priority date
Filing date
Publication date
Application filed by Individual
Priority to CN2011100907509A
Publication of CN102110214A
Application granted
Publication of CN102110214B
Current legal status: Expired - Fee Related
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a method and a device for preventing viruses in removable storage (a "mobile memory") from infecting a computer. A main program, an injection program and an event handler are provided. After the removable storage is connected to the computer, the main program runs automatically; the injection program intercepts the way the computer system launches portable executable (PE) files and directs every PE file that is launched to run through the event handler, so that the launch mode of all PE files is controlled. The method and device prevent virus files that may exist in the removable storage from infecting the computer and prevent viruses from being spread along with the removable storage. They operate stand-alone, need no network update, and provide fully automatic virus protection for removable storage: when at least one removable storage device and the device are connected to the computer together, a virus in the removable storage cannot infect or spread to the local computer, nor destroy the program of the invention, whether the virus runs automatically or is manually activated, opened or run.

Description

Method and device for preventing viruses in removable storage from infecting a computer
Technical field
The invention belongs to the field of computer technology and relates to protection against computer viruses; it is a method and device for preventing viruses in removable storage from infecting a computer.
Background technology
Removable storage is widely used, and computer viruses also spread widely through removable storage, causing great losses. Existing antivirus protection technologies for removable devices include:
[Table of existing antivirus protection technologies for removable devices: the table was an image (two figure references) and its contents are not present in the extracted text.]
In sum, the antivirus protection technology that relates to movable equipment mainly contains:
1. install in advance at the condition code antivirus software and the HIPS antivirus software of movable equipment in this locality or kidnap the fail-safe software of local function, have respectively that the condition code virus killing needs to upgrade, the virus that lags behind and mistake interception, leak interception rate height, the problem of inconvenient operation; 2. handle in advance, write in advance file, revise the automatic playing function of the method shielding USB storage of firmware by single-chip microcomputer, can only prevent that virus from moving automatically by autorun.inf, can not stop the USB flash disk inner virus directly to move; 3. by the hardware system that has display the whole executable files in the USB flash disk are carried out rename, prevent that specific file from writing.This invention equipment is huge, and too wide at face, the rate of manslaughtering is too high, brings inconvenience.
Inventions aimed at stopping computer viruses from infecting removable devices automatically run a specific program from the USB storage device on the computer and forbid the computer from writing executable programs to the USB storage device, thereby preventing a computer virus from infecting the flash drive; but many programs then cannot read and write normally, which affects normal use.
The prior art also includes writing antivirus software to a read-only USB storage and setting it to run automatically in order to kill viruses, but the killing achieved in this way is limited by the virus database.
Summary of the invention
The problem to be solved by the present invention is this: among the existing antivirus protection technologies for removable devices, the software based on autorun.inf can only stop a virus from running automatically via autorun.inf and cannot stop a virus inside the removable storage from being run directly; the software based on signature-based scanning of removable-storage viruses needs a networked update of its virus database, is complicated to operate, has varying software and hardware requirements, and cannot effectively prevent viruses from spreading from removable storage.
The technical scheme of the present invention is a method for preventing viruses in removable storage from infecting a computer. A main program, an injection program and an event handler are provided. After a removable storage device is detected to be connected to the computer, the main program runs automatically and copies the injection program to the computer's temp directory; the injection program hijacks the way the computer system launches PE files and directs every PE file that is launched to run through the event handler. If the event handler determines that the PE file comes from the computer's local storage, the PE file is run in the manner and with the privileges the computer system uses by default; if the event handler determines that the PE file comes from removable storage, the PE file is processed further as follows:
1) Determine whether the PE file bears a signature; if the signature condition is satisfied, allow the program to run in its original manner with its original privileges; if it is not satisfied, go to step 2);
2) A program-size sensitivity value is set; a received PE file whose size is less than the sensitivity value is forbidden to run, and one whose size is greater than the sensitivity value is run with standard user privileges;
After the removable storage is disconnected from the computer, the main program restores the way PE files are launched and stops running.
In the event handler, the signature condition of step 1) covers whether the signature is legitimate, whether it has been tampered with and whether it has expired; the program-size sensitivity value of step 2) is 0.3Mb.
Preferably, the main program, the injection program and the event handler are stored in the CD-ROM partition of an external device; the main program and the event handler run from the CD-ROM partition, and the injection program is released to the computer to run there.
The device for the above method comprises a main control chip and a CD-ROM partition. The device connects to the computer, the main control chip controls the data reading and writing of the whole device, and the CD-ROM partition embeds the main program, the injection program and the event handler.
The device is connected between the computer and the removable storage.
The device and the removable storage are each connected to the computer separately.
The present invention is used to prevent viruses in removable storage from spreading to the computer. The device of the invention is only read-only memory and need not be able to run computer programs. Existing antivirus protection technologies between a computer and removable storage mainly rely on installing and running a virus database in the removable storage, or on stopping the computer from writing files to the flash drive; the present technical scheme instead intercepts, judges and reduces the running privileges of programs, and thereby stops viruses in removable storage from running.
The present invention prevents virus files that may exist in removable storage from infecting the computer and prevents viruses from spreading along with the removable storage. The invention operates stand-alone, needs no virus database and no network update, and provides fully automatic antivirus protection for removable storage: when at least one USB storage device is connected to the computer together with the present invention, a virus in the removable storage can neither infect nor spread to the local computer, nor destroy the program of the invention, whether the virus runs automatically or is manually activated, opened or run.
Description of drawings
Fig. 1 is a schematic diagram of the principle of the invention.
Fig. 2 is the flowchart of the event handler of the invention.
Fig. 3 is a schematic structural diagram of the device of the invention.
Embodiment
The present invention comprises computer programs (software) and a CD-ROM partition memory with AutoPlay function (hardware). Its core is an anti-infection method for removable-storage viruses: a CD-ROM device with AutoPlay function that stores specially written computer programs is plugged into the computer together with the removable storage. As shown in Fig. 2, the specially written computer programs comprise a main program, an injection program and an event handler. The main program runs automatically from the CD-ROM partition and copies the injection program to the local temp directory; the injection program is injected into the operating system's Kernel32.dll and replaces the CreateProcessInternalW function of kernel32.dll with a substitute function contained in the injection program, so as to hijack the way the computer system launches programs and direct every PE file that is launched to run through the event handler in the CD-ROM partition, which makes the judgement: local files and trusted files from removable storage are run with normal privileges, while suspicious files from removable storage are run with lower privileges. The running privileges of removable-storage viruses are thereby restricted, which effectively prevents computer viruses from spreading from removable storage to the local computer. A device based on the method of the invention can be integrated into a stand-alone USB hub, USB extension cable, USB interface and so on that protects against viruses in external storage.
If the event handler determines that a PE file comes from the computer's local storage, the PE file is run in the manner and with the privileges the computer system uses by default; if the event handler determines that the PE file comes from removable storage, the PE file is processed further as follows, as shown in Fig. 2:
1) Determine whether the PE file bears a signature; if the signature condition is satisfied, allow the program to run in its original manner with its original privileges. The signature condition covers whether the signature is legitimate, has not been tampered with and has not expired. If the condition is not satisfied, go to step 2);
2) A program-size sensitivity value is set. Analysis of actual conditions shows that most viruses are smaller than 0.3Mb, so the program-size sensitivity value is set to 0.3Mb. A received PE file whose size is less than the sensitivity value is forbidden to run, and one whose size is greater than the sensitivity value is run with standard user privileges;
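Step 1) above asks first whether a PE file bears a signature at all. As an added example (not part of the patent and not the inventor's code), the following Python reads the PE headers and reports whether the file carries an Attribute Certificate Table, which is data directory entry 4 (IMAGE_DIRECTORY_ENTRY_SECURITY) and is where an Authenticode signature is stored. It builds its own minimal PE32 and PE32+ images in memory, so it runs offline; the function names `has_authenticode_signature` and `build_minimal_pe` are my own.

```python
import struct

# Offsets within the optional header, per the PE/COFF specification.
_PE32_MAGIC, _PE32PLUS_MAGIC = 0x10B, 0x20B
_DATA_DIR_OFFSET = {_PE32_MAGIC: 96, _PE32PLUS_MAGIC: 112}
_SECURITY_DIR_INDEX = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY


def has_authenticode_signature(data: bytes) -> bool:
    """True if the image has a non-empty, in-bounds Attribute Certificate Table.

    This only detects that a signature blob is attached; it does not verify it.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header (20 bytes)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                       # optional header start
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in _DATA_DIR_OFFSET:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dd_off = _DATA_DIR_OFFSET[magic]
    (n_dirs,) = struct.unpack_from("<I", data, opt + dd_off - 4)   # NumberOfRvaAndSizes
    entry_off = dd_off + _SECURITY_DIR_INDEX * 8
    if n_dirs <= _SECURITY_DIR_INDEX or opt_size < entry_off + 8:
        return False                                      # directory not present at all
    # For the security directory the first field is a FILE offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, opt + entry_off)
    return offset != 0 and size != 0 and offset + size <= len(data)


def build_minimal_pe(cert_size: int = 0, pe32plus: bool = False) -> bytes:
    """Constructed sample: a header-only PE image, optionally with a certificate table."""
    magic = _PE32PLUS_MAGIC if pe32plus else _PE32_MAGIC
    dd_off = _DATA_DIR_OFFSET[magic]
    opt_size = dd_off + 16 * 8                            # 16 data directories
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dd_off - 4, 16)           # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + len(coff) + opt_size
    cert = b""
    if cert_size:
        # WIN_CERTIFICATE: dwLength, wRevision (0x0200), wCertificateType (PKCS#7 = 2)
        struct.pack_into("<II", opt, dd_off + _SECURITY_DIR_INDEX * 8, header_len, cert_size)
        cert = struct.pack("<IHH", cert_size, 0x0200, 0x0002) + b"\0" * (cert_size - 8)
    return dos + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    for label, image in (("unsigned PE32", build_minimal_pe()),
                         ("signed PE32", build_minimal_pe(cert_size=64)),
                         ("signed PE32+", build_minimal_pe(cert_size=64, pe32plus=True)),
                         ("truncated signed PE32", build_minimal_pe(cert_size=64)[:-10])):
        print(label, "->", has_authenticode_signature(image))
```

A present certificate table is only the first gate of the patent's signature condition: whether the signature is legitimate, untampered and unexpired requires cryptographic verification of the PKCS#7 blob against the file's Authenticode hash (on Windows, WinVerifyTrust does this), which this offline check deliberately does not attempt. The truncation case matters in practice: a table whose declared extent runs past the end of the file is treated as absent rather than trusted.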
The main program injects the injection program into the suspicious program's process, so that the injection program becomes part of that process, and the main program, through a communication function, requires the injection program to restrict the suspicious program to run with standard user privileges. The injection program therefore has two functions in the present invention: first, injecting into Kernel32.dll to hijack the way PE files are launched; second, injecting into the suspicious program's process to restrict its running privileges.
After the removable storage is disconnected from the computer, the main program unloads the hook program injected into Kernel32.dll and into suspicious processes, restores the way PE files are launched, and stops running.
If the event handler's decision rules were the strictest, every program run through the event handler would be forbidden; this would block all viruses but would also wrongly block normal programs. If the rules were the loosest, every program run through the event handler would run in its normal manner with normal privileges; this would allow all viruses as well as all normal programs. In the present invention, normal programs that satisfy the signature requirement are allowed, programs exhibiting the common characteristics of viruses are forbidden, and the remaining programs, which may be viruses or may be normal programs, are run in the normal manner but with standard user privileges. Standard user privileges are a level of user rights between the system administrator and the limited account, for example the Standard User in the Vista system, which can read and write the HKEY_CURRENT_USER section of the registry but cannot modify the HKEY_LOCAL_MACHINE section and has no access rights to many system folders. A virus under this privilege restriction cannot run normally, cause damage or spread at all; most viruses simply error out and exit. A normal program is not subjected to many restrictions and can generally perform its functions normally. In setting the event handler's decision rules, the present invention, according to actual security needs, obtains the best balance between restricting and forbidding viruses to the greatest extent and wrongly restricting and forbidding normal programs to the least extent.
In the present invention, the main program, the injection program and the event handler are stored in the CD-ROM partition; after the removable storage is connected to the computer, the main program runs and releases the injection program to the computer's local temp directory.
When the above main program, injection program and event handler operate, each may reside in the local computer or in another device connected to the local computer; for example, the main program may reside in an external device, the injection program in the computer, and the event handler in the computer. Preferably, the device of the method of the invention, as shown in Fig. 3, comprises a main control chip and a CD-ROM partition. The device connects to the computer, the main control chip controls the data reading and writing of the whole device, and the CD-ROM partition embeds the main program, the injection program and the event handler. After being copied by the main program, the injection program resides in the computer's local temp directory, while the main program and the event handler always run from the CD-ROM partition and are not copied to the local computer. This external-device arrangement is the most efficient and most stable: copying the injection program locally helps prevent a system crash caused by the removable device being unplugged suddenly, and because the main program and the event handler always run from the read-only CD-ROM partition, they cannot be tampered with or destroyed by a virus. The device can be connected between the computer and the removable storage, or the device and the removable storage can each be connected to the computer separately.
In the present invention, the computer runs the main program in the CD-ROM partition with priority; programs in the CD-ROM partition necessarily run before programs in the removable storage, including viruses, so the order in which the removable storage and the device of the invention are connected to the computer is not restricted: the device may be connected to the computer first and the removable storage afterwards, or the removable storage first and the device afterwards. However, if a virus-carrying device was plugged in before the device of the invention (whether or not it ran automatically), the protection of the invention was not present at that moment and the virus could run and infect the computer. Once the present device is connected, PE file hijacking, initialisation and so on proceed normally and the virus in the removable storage cannot run again, but a virus that ran before the device was plugged in is not dealt with.
The implementation of the invention is described below with a specific embodiment:
1.0 The device of the invention is plugged into the computer.
1.1 The computer reads the CD-ROM partition; in the example the assigned drive letter is G, and the main program runs;
2.0 The main program copies the injection program to the local computer's temp directory, for example "C:\windows\temp\inject.dll";
2.0.1 The injection program is injected into the operating system's Kernel32.dll and replaces the CreateProcessInternalW function of kernel32.dll with a substitute function contained in the injection program, so as to hijack the way the computer system launches programs and direct every unknown program that is launched to run through the event handler "G:\control.exe" in the CD-ROM partition;
2.0.2 The main program keeps running;
3.0 A USB storage device and the device are plugged into the computer.
3.0.1 The computer reads the USB storage; in the example the assigned drive letter is H;
3.1.1 The USB storage contains a virus named "Example.exe" that runs automatically via "Autorun.inf";
3.1.2 When "H:\Example.exe" runs, the operating system directs it to be launched through "G:\control.exe";
3.1.3 "G:\control.exe" determines that "H:\Example.exe" comes from removable storage and processes it further;
3.1.4 The event handler first determines that "H:\Example.exe" does not satisfy the signature requirement and processes it further;
3.1.5 The event handler confirms that "H:\Example.exe" is less than 0.3Mb and forbids "H:\Example.exe" from running;
3.2.1 The user manually opens an application named "ExampleII.exe" in the USB storage to which a virus is bound;
3.2.3 When "H:\ExampleII.exe" runs, the operating system directs it to be launched through "G:\control.exe";
3.2.4 "G:\control.exe" determines that "H:\ExampleII.exe" comes from removable storage and processes it further;
3.2.5 The event handler first determines that "H:\ExampleII.exe" does not satisfy the signature requirement and processes it further;
3.2.6 The event handler determines that "H:\ExampleII.exe" is not less than 0.3Mb and processes it further;
3.2.7 The event handler runs "H:\ExampleII.exe" with standard user privileges;
3.2.8 Because "H:\ExampleII.exe" has no right to read or write files in sensitive system areas and no right to write HKEY_LOCAL_MACHINE, the virus's operations cannot be carried out; the application itself, however, does not need to read or write sensitive system areas and runs normally;
3.3.1 The user manually opens a program named "ExampleIII.exe" in the USB storage that carries a digital signature;
3.3.2 When "H:\ExampleIII.exe" runs, the operating system directs it to be launched through "G:\control.exe";
3.3.3 "G:\control.exe" determines that "H:\ExampleIII.exe" comes from removable storage and processes it further;
3.3.4 The event handler first confirms that "H:\ExampleIII.exe" satisfies the signature requirement and allows "H:\ExampleIII.exe" to run in the normal manner with normal privileges;
3.4.1 The user manually opens a program named "ExampleIV.exe" on the local disk, for example "C:\ExampleIV.exe";
3.4.2 When "C:\ExampleIV.exe" runs, the operating system directs it to be launched through "G:\control.exe";
3.4.3 "G:\control.exe" determines that "C:\ExampleIV.exe" comes from the local disk and allows "C:\ExampleIV.exe" to run in the normal manner with normal privileges;
4.0 The device of the invention is unplugged from the computer.
4.1 The main program captures the message that the device has been unplugged;
4.2 The main program unloads all hook programs and restores the way PE files are launched;
4.3 The main program exits.
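The event handler's decision rules (origin of the file, then signature condition, then the size sensitivity value) and the four cases of the embodiment above can be expressed as one small policy function. The following Python is an added example, not the inventor's code or the patent's event handler: it models the decision as data, runs the embodiment's four files through it, and shows the strictest/loosest extremes discussed earlier by moving the size threshold. Assumptions of mine: the file sizes and names are constructed, "0.3Mb" is read as megabytes, a file exactly at the threshold is treated as "not less than" and therefore run restricted (the patent does not say), and the type and function names are my own.

```python
from dataclasses import dataclass
from enum import Enum


class Origin(Enum):
    LOCAL = "local disk"
    REMOVABLE = "removable storage"


class SignatureStatus(Enum):
    NONE = "no signature"
    INVALID = "signature present but illegitimate, tampered or expired"
    VALID = "signature legitimate, untampered and unexpired"


class Verdict(Enum):
    RUN_NORMAL = "run in default manner with normal privileges"
    RUN_RESTRICTED = "run with standard user privileges"
    DENY = "forbid running"


# The patent's 0.3Mb sensitivity value; megabytes assumed here.
SIZE_SENSITIVITY_BYTES = int(0.3 * 1024 * 1024)


@dataclass(frozen=True)
class PEFile:
    path: str
    origin: Origin
    size_bytes: int
    signature: SignatureStatus


def decide(pe: PEFile, size_sensitivity: int = SIZE_SENSITIVITY_BYTES) -> Verdict:
    """The event handler's decision tree as described in the patent."""
    if pe.origin is Origin.LOCAL:
        return Verdict.RUN_NORMAL                 # local files keep default mode and rights
    if pe.signature is SignatureStatus.VALID:
        return Verdict.RUN_NORMAL                 # step 1): signature condition satisfied
    if pe.size_bytes < size_sensitivity:
        return Verdict.DENY                       # step 2): smaller than the sensitivity value
    return Verdict.RUN_RESTRICTED                 # step 2): otherwise standard user privileges


# Constructed sample files mirroring embodiment steps 3.1 to 3.4; sizes are made up.
EMBODIMENT = (
    PEFile(r"H:\Example.exe", Origin.REMOVABLE, 48_000, SignatureStatus.NONE),
    PEFile(r"H:\ExampleII.exe", Origin.REMOVABLE, 2_500_000, SignatureStatus.NONE),
    PEFile(r"H:\ExampleIII.exe", Origin.REMOVABLE, 900_000, SignatureStatus.VALID),
    PEFile(r"C:\ExampleIV.exe", Origin.LOCAL, 20_000, SignatureStatus.NONE),
)


def run_embodiment(size_sensitivity: int = SIZE_SENSITIVITY_BYTES) -> dict:
    """Map each sample path to the verdict the handler would give it."""
    return {pe.path: decide(pe, size_sensitivity) for pe in EMBODIMENT}


def outcome_counts(files, size_sensitivity: int) -> dict:
    """How many files land in each verdict for a given sensitivity value.

    A threshold of 0 denies nothing (the loosest size rule); a very large
    threshold denies every unsigned removable file (the strictest).
    """
    counts = {v: 0 for v in Verdict}
    for pe in files:
        counts[decide(pe, size_sensitivity)] += 1
    return counts


if __name__ == "__main__":
    for path, verdict in run_embodiment().items():
        print(f"{path:22} -> {verdict.value}")
    for threshold in (0, SIZE_SENSITIVITY_BYTES, 10**12):
        print(threshold, {v.name: n for v, n in outcome_counts(EMBODIMENT, threshold).items()})
```

Keeping the rule as a pure function of (origin, signature status, size) makes the trade-off the patent describes measurable: `outcome_counts` over a corpus of known-good and known-bad files shows directly how many normal programs a given sensitivity value would wrongly deny and how many unsigned viruses it would let run restricted. The `INVALID` status is included so that a file whose signature fails verification takes the same path as an unsigned one, which is what the patent's "legitimate, not tampered, not expired" condition requires.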

Claims (6)

1. A method for preventing viruses in removable storage from infecting a computer, characterized in that a main program, an injection program and an event handler are provided; after a removable storage device is detected to be connected to the computer, the main program runs automatically and copies the injection program to the computer's temp directory; the injection program hijacks the way the computer system launches PE files and directs every PE file that is launched to run through the event handler; if the event handler determines that the PE file comes from the computer's local storage, the PE file is run in the manner and with the privileges the computer system uses by default; if the event handler determines that the PE file comes from removable storage, the PE file is processed further as follows:
1) Determine whether the PE file bears a signature; if the signature condition is satisfied, allow the program to run in its original manner with its original privileges; if it is not satisfied, go to step 2);
2) A program-size sensitivity value is set; a received PE file whose size is less than the sensitivity value is forbidden to run, and one whose size is greater than the sensitivity value is run with standard user privileges;
After the removable storage is disconnected from the computer, the main program restores the way PE files are launched and stops running.
2. The method for preventing viruses in removable storage from infecting a computer according to claim 1, characterized in that, in the event handler, the signature condition of step 1) covers whether the signature is legitimate, whether it has been tampered with and whether it has expired; the program-size sensitivity value of step 2) is 0.3Mb.
3. The method for preventing viruses in removable storage from infecting a computer according to claim 1 or 2, characterized in that the main program, the injection program and the event handler are stored in the CD-ROM partition of an external device, the main program and the event handler run from the CD-ROM partition, and the injection program is released to the computer to run there.
4. A device for the method for preventing viruses in removable storage from infecting a computer according to any one of claims 1 to 3, characterized in that it comprises a main control chip and a CD-ROM partition; the device connects to the computer, the main control chip controls the data reading and writing of the whole device, and the CD-ROM partition embeds the main program, the injection program and the event handler.
5. The device according to claim 4, characterized in that the device is connected between the computer and the removable storage.
6. The device according to claim 4, characterized in that the device and the removable storage are each connected to the computer separately.
CN2011100907509A 2011-04-12 2011-04-12 Method and device for preventing viruses in mobile memory from infecting computer Expired - Fee Related CN102110214B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011100907509A CN102110214B (en) 2011-04-12 2011-04-12 Method and device for preventing viruses in mobile memory from infecting computer

Publications (2)

Publication Number Publication Date
CN102110214A true CN102110214A (en) 2011-06-29
CN102110214B CN102110214B (en) 2013-05-01

Family

ID=44174369

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011100907509A Expired - Fee Related CN102110214B (en) 2011-04-12 2011-04-12 Method and device for preventing viruses in mobile memory from infecting computer

Country Status (1)

Country Link
CN (1) CN102110214B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1797337A (en) * 2004-12-29 2006-07-05 北京软通科技有限责任公司 Method for installing software of computer automatically
US20080148060A1 (en) * 2006-12-19 2008-06-19 Per Thorell Maintaining Code Integrity in a Central Software Development System
CN101499114A (en) * 2008-02-03 2009-08-05 汪家祥 Computer protection method for creating user program operation permission and security check mechanism

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102915418A (en) * 2012-05-28 2013-02-06 北京金山安全软件有限公司 computer security protection method and device and computer
CN102915418B (en) * 2012-05-28 2015-07-15 北京金山安全软件有限公司 computer security protection method and device
CN107016285A (en) * 2016-10-17 2017-08-04 深圳市安之天信息技术有限公司 One kind propagates malicious code Activity recognition method and system using move media
CN107016285B (en) * 2016-10-17 2019-11-05 深圳市安之天信息技术有限公司 It is a kind of to propagate malicious code Activity recognition method and system using move media

Also Published As

Publication number Publication date
CN102110214B (en) 2013-05-01

Similar Documents

Publication Publication Date Title
US8484736B2 (en) Storage device having an anti-malware protection
CN101359355B (en) Method for raising user's authority for limitation account under Windows system
US8417969B2 (en) Storage volume protection supporting legacy systems
US10289860B2 (en) Method and apparatus for access control of application program for secure storage area
WO2009155805A1 (en) Method and system for detection of malicious codes
US10162965B2 (en) Portable media system with virus blocker and method of operation thereof
KR101883713B1 (en) Apparatus and method for blocking ransome ware using access control to the contents file
EP2902937A1 (en) Method, apparatus, and system for triggering virtual machine introspection
CN100419620C (en) Method for command interaction and two-way data transmission on USB mass storage equipment by program and USB mass storage equipment
US10146461B2 (en) Automatic back-up system with verification key and method of operation thereof
US20090119772A1 (en) Secure file access
CN106874232B (en) Charging method, device and terminal of Universal Serial Bus (USB)
CN105122260A (en) Context based switching to a secure operating system environment
US6907524B1 (en) Extensible firmware interface virus scan
WO2018212474A1 (en) Auxiliary memory having independent recovery area, and device applied with same
CN105335197A (en) Starting control method and device for application program in terminal
CN102110214B (en) Method and device for preventing viruses in mobile memory from infecting computer
KR101321479B1 (en) Method and Apparatus for preventing illegal copy of application software using access control of process
CN106951790B (en) USB storage medium transparent encryption method
CN104361280A (en) Method for carrying out credible certification on USB storage device through SMI interrupt
CN102214279A (en) Method and device for controlling host user rights by using external memory equipment
CN101159001A (en) Anti-virus virus USB mobile memory apparatus
WO2009029450A1 (en) Method of restoring previous computer configuration
JP2009169868A (en) Storage area access device and method for accessing storage area
CN112052477B (en) Isolation method and system based on portable operating system disk

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130501

Termination date: 20180412