CN102147845A - Process monitoring method - Google Patents


Info

Publication number: CN102147845A
Application number: CN2011100966530A
Authority: CN (China)
Other languages: Chinese (zh)
Inventors: 于晓军, 万雪松, 赵辰清
Assignee (original and current): STRONG UNION TECHNOLOGY Co Ltd
Priority date / filing date: 2011-04-18
Publication date: 2011-08-10
Legal status (as listed): Pending

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a process monitoring method in the field of process monitoring technology. The method comprises the following steps: S1, obtaining the API (application programming interface) address of NtCreateSection and replacing the original NtCreateSection with DetourNtCreateSection; S2, monitoring the processes that are about to be created by means of DetourNtCreateSection. The method intercepts a process while it is being created rather than after it has been created, which makes the system more secure. Because the hooked location lies on a path that every process creation must pass through, it cannot easily be bypassed by Trojans, viruses and the like, so the intended protection is achieved. In addition, the method is not as complicated as the HOOK ObReferenceObjectByHandle method: only one API is hooked in the whole procedure, so the flow is clear and easy to understand. The NtCreateSection hooked by the method sits at a relatively high level within the kernel and only intercepts the process being created, so it does not affect other legitimate processes already running in the system.

Description

Process monitoring method
Technical field
The present invention relates to the technical field of process monitoring, and in particular to a process monitoring method.
Background technology
At present, the common practice for process monitoring is to register a callback function with the system: when the system detects that a process is being created, it calls the registered callback. At that point the process ID, and even the process name and process path, can be obtained from the callback's parameters.
The defect of this method is that by the time we obtain the information about the process, the process has already been created successfully; if it is a virus or Trojan process, it has already begun to harm our software, system or computer. If we then want to destroy the process, we also have to use some of the APIs (Application Programming Interface) provided by Microsoft, which is cumbersome to implement and not easy to operate.
To address the above problem, another proposed method is to hook ObReferenceObjectByHandle in order to implement process monitoring, which can equally achieve that purpose. Compared with the previous method, when the HOOK ObReferenceObjectByHandle method intercepts process creation the process has not yet been created successfully, so there is no need to worry that the hostile process will harm our software, system or computer.
However, because ObReferenceObjectByHandle is a low-level system function, hooking it also intercepts some unrelated activity inside the system kernel and causes harm to the system; the HOOK ObReferenceObjectByHandle method is also cumbersome to implement, which is unfavorable for wide application.
Summary of the invention
(1) Technical problem to be solved
In view of the above defects, the technical problem the present invention solves is how to provide a process monitoring method that intercepts a process while it is being created, greatly reducing the possibility that an illegitimate process harms the system, and that only intercepts the process being created, without affecting other legitimate processes already running in the system.
(2) Technical scheme
To solve the above technical problem, the present invention provides a process monitoring method comprising the steps:
S1: obtain the API address of NtCreateSection and replace the original NtCreateSection with DetourNtCreateSection;
S2: monitor the process to be created by means of DetourNtCreateSection.
Preferably, step S1 specifically comprises:
Step S11: obtain the service ID number of NtCreateSection;
Step S12: calculate the API address of NtCreateSection from the obtained service ID number;
Step S13: replace the original NtCreateSection with DetourNtCreateSection.
Preferably, after step S12, a step of recording the original API address in a global variable is further included.
Preferably, before step S13, a step of raising the interrupt request level (IRQL) to deferred procedure call (DPC) level is further included.
Preferably, step S2 specifically comprises:
Step S21: use the ObReferenceObjectByHandle API to obtain the file object (FileObject) of the process to be created from the last parameter of DetourNtCreateSection, FileHandle;
Step S22: judge whether the file object is empty; if it is empty, proceed to step S27, otherwise proceed to step S23;
Step S23: obtain the file name of the process being created from the FileObject by means of the IoQueryFileDosDeviceName API;
Step S24: judge from the file name whether the file of the process being created is an .exe file; if so, proceed to step S25, otherwise proceed to step S27;
Step S25: judge whether the file of the process being created is in the white list; if so, proceed to step S27, otherwise proceed to step S26;
Step S26: call the ObDereferenceObject API to decrement the reference count of the file object by 1, and return STATUS_ACCESS_DENIED to indicate that creation of the process has failed;
Step S27: call the original NtCreateSection.
Preferably, before step S25, a step of obtaining the file path from the file handle is further included; step S25 then specifically comprises: judging from the file name and the file path whether the file of the process being created is in the white list; if so, proceed to step S27, otherwise proceed to step S26.
(3) Beneficial effects
The present invention proposes a process monitoring method for Windows systems that intercepts a process while it is being created rather than after it has been created, which makes the system safer. Because the hook sits on a path that every process creation must pass through, it cannot easily be bypassed by Trojans, viruses and the like, and the intended protection is achieved. The method is also not as cumbersome as the HOOK ObReferenceObjectByHandle method: only one API is hooked in the whole procedure, so the flow is clear and easy to understand. The NtCreateSection used by the invention sits at a relatively high level within the kernel hierarchy and only intercepts the process being created, so it does not affect other legitimate processes already running in the system.
Description of drawings
Fig. 1 is a flowchart of the process monitoring method of the embodiment of the present invention;
Fig. 2 is a flowchart of step S1 of the process monitoring method of the embodiment of the present invention;
Fig. 3 is a flowchart of step S2 of the process monitoring method of the embodiment of the present invention.
Embodiment
The specific embodiments of the present invention are described in further detail below in conjunction with the drawings and examples. The following examples serve to illustrate the invention, not to limit its scope.
Process creation in an existing Windows system comprises the following steps:
1: Open the executable file;
In this step, FILE_EXECUTE access rights must be obtained;
2: Load the executable image into memory;
3: Create the process executive object (Process Executive Object);
In this step, the process executive object comprises the EPROCESS, KPROCESS and PEB structures;
4: Allocate an address space for the newly created process;
5: Create the thread executive object (Thread Executive Object) of the process's main thread;
In this step, the thread executive object comprises the ETHREAD, KTHREAD and TEB structures;
6: Create the stack of the main thread;
7: Create the execution context of the main thread;
8: Notify the Win32 subsystem of the new process.
Successful execution of any one of the above steps requires that all of the preceding steps have completed successfully. Therefore, if we make any one of the steps fail, the subsequent operations fail as well and process creation is aborted. Each of these steps calls a corresponding native API function.
The process monitoring method of the present invention only considers processes created in user mode in a Windows system, such as those created through CreateProcess or started manually; it does not consider processes created by the kernel, because those are created by drivers that are loaded and running before the application layer. It can therefore intercept the processes created from the application layer.
Fig. 1 is a flowchart of the process monitoring method of the embodiment of the present invention. As shown in Fig. 1, the process monitoring method comprises the steps:
S1: obtain the API address of NtCreateSection and replace the original NtCreateSection with DetourNtCreateSection;
Fig. 2 is a flowchart of step S1 of the process monitoring method of the embodiment. As shown in Fig. 2, step S1 specifically comprises:
Step S11: obtain the service ID number of NtCreateSection;
In this step, general-purpose tools such as Kernel Detective or IceSword can be used to view the SSDT (System Service Descriptor Table) of the running Windows system and read off the service ID of NtCreateSection, for example 0x54. The index is specific to the Windows version (0x54 is the 32-bit Windows 7 value), so it has to be read from the target system rather than hard-coded;
Step S12: calculate the API address of NtCreateSection from the obtained service ID number;
In this step, 0x54*4 is added to the base address of the SSDT's service table to obtain the API address of NtCreateSection (each table entry is a 4-byte pointer on 32-bit Windows);
After this step, the original API address can further be recorded in a global variable, so that it can be written back when the driver is unloaded;
Step S13: replace the original NtCreateSection address with DetourNtCreateSection;
Before this step, the IRQL (Interrupt ReQuest Level) can be raised to DPC (Deferred Procedure Call) level so that the replacement is not interrupted by other threads;
The original NtCreateSection is then replaced with DetourNtCreateSection, which accomplishes the hooking of NtCreateSection.
S2: monitor the process to be created by means of DetourNtCreateSection;
Fig. 3 is a flowchart of step S2 of the process monitoring method of the embodiment. As shown in Fig. 3, step S2 specifically comprises:
Step S21: use the ObReferenceObjectByHandle API to obtain the file object (FileObject) of the process to be created from the last parameter of DetourNtCreateSection, FileHandle;
Step S22: judge whether the file object is empty; if it is empty, proceed to step S27, otherwise proceed to step S23;
Step S23: obtain the file name of the process being created from the FileObject by means of the IoQueryFileDosDeviceName API;
Step S24: judge from the file name whether the file of the process being created is an .exe file; if so, proceed to step S25, otherwise proceed to step S27;
Step S25: judge whether the file of the process being created is in the white list (the list of files allowed to create a process); if so, proceed to step S27, otherwise proceed to step S26;
Before this step, a step of obtaining the file path from the file handle can also be included; this step then specifically comprises: judging from the file name and the file path whether the file of the process being created is in the white list; if so, proceed to step S27, otherwise proceed to step S26;
Step S26: call the ObDereferenceObject API to decrement the reference count of the file object by 1 and return STATUS_ACCESS_DENIED to indicate that creation of the process has failed, thereby achieving monitoring of the process.
In this step, when the reference count of the file object drops to 0, the file object is released.
Step S27: call the original NtCreateSection.
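Steps S1 and S2 above, as an added example that is not part of the patent and not the applicant's code: a portable C model of the hook installation (S11 to S13) and of DetourNtCreateSection's decision (S21 to S27), written so that it builds and runs in user mode. Everything kernel-specific is modelled and therefore an assumption: a constructed SERVICE_DESCRIPTOR stands in for nt!KeServiceDescriptorTable, a DOS path string stands in for the FileHandle to ObReferenceObjectByHandle to IoQueryFileDosDeviceName chain, model_nt_create_section stands in for the real NtCreateSection, the white list is a constructed sample, and the service index 0x54 is the page's own 32-bit Windows 7 value. One check is added that the patent's steps do not contain: the detour only refuses sections created with SEC_IMAGE, because NtCreateSection is also called for ordinary file mappings of .exe files (a scanner reading one, for instance), and refusing those would break unrelated software.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Windows definitions (ntstatus.h / winnt.h) so the model uses the patent's vocabulary. */
typedef long NTSTATUS;
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
#define SEC_IMAGE            0x01000000UL
typedef void (*SERVICE_FN)(void);               /* one SSDT slot: a system service entry point */

/* Layout of the ntoskrnl entry of nt!KeServiceDescriptorTable (constructed here, not read from a kernel). */
typedef struct {
    SERVICE_FN    *ServiceTableBase;
    unsigned long *ServiceCounterTableBase;
    unsigned long  NumberOfServices;
    unsigned char *ParamTableBase;
} SERVICE_DESCRIPTOR;
static SERVICE_FN g_original_nt_create_section; /* saved after S12 so unload can restore it */

/* S12/S13: the slot is ServiceTableBase + index (base + 0x54*4 on 32-bit Windows); save what is
 * there and write the detour. Returns -1 if the index lies outside the table. */
int ssdt_hook(SERVICE_DESCRIPTOR *t, unsigned long index, SERVICE_FN detour, SERVICE_FN *saved)
{
    if (t == NULL || index >= t->NumberOfServices) return -1;
    *saved = t->ServiceTableBase[index];
    t->ServiceTableBase[index] = detour;
    return 0;
}
int ssdt_unhook(SERVICE_DESCRIPTOR *t, unsigned long index, SERVICE_FN original)
{
    if (t == NULL || index >= t->NumberOfServices) return -1;
    t->ServiceTableBase[index] = original;
    return 0;
}

static int ends_with_ci(const char *s, const char *suffix)   /* case-insensitive suffix test */
{
    size_t ls = strlen(s), lx = strlen(suffix);
    if (lx > ls) return 0;
    for (s += ls - lx; *suffix; s++, suffix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*suffix)) return 0;
    return 1;
}
static int equals_ci(const char *a, const char *b) { return strlen(a) == strlen(b) && ends_with_ci(a, b); }

/* S22 to S26 as one decision: 1 = refuse the section, 0 = let the original run. dos_path is what
 * IoQueryFileDosDeviceName returns for the FileHandle's FILE_OBJECT; NULL models an empty file object.
 * The SEC_IMAGE test is an addition to the patent: it keeps plain data mappings of .exe files out of it. */
int section_policy_deny(const char *dos_path, unsigned long alloc_attrs,
                        const char *const *whitelist, size_t n_whitelist)
{
    if (dos_path == NULL) return 0;                        /* S22 */
    if (!(alloc_attrs & SEC_IMAGE)) return 0;              /* added: image sections only */
    if (!ends_with_ci(dos_path, ".exe")) return 0;         /* S24: DLLs and data files pass */
    for (size_t i = 0; i < n_whitelist; i++)
        if (equals_ci(dos_path, whitelist[i])) return 0;   /* S25: full path, case-insensitive */
    return 1;                                              /* S26 */
}

/* What the detour inspects: in a driver, NtCreateSection's AllocationAttributes and FileHandle
 * arguments; here the DOS path stands in for the handle-to-name resolution. */
typedef struct { unsigned long AllocationAttributes; const char *FileDosPath; } SECTION_CALL;
typedef NTSTATUS (*NT_CREATE_SECTION_FN)(const SECTION_CALL *);

static unsigned long g_original_calls;                    /* calls that reached the original (S27) */
unsigned long original_calls(void) { return g_original_calls; }
static NTSTATUS model_nt_create_section(const SECTION_CALL *c)   /* stands in for the real service */
{
    (void)c; g_original_calls++; return STATUS_SUCCESS;
}

static const char *const g_whitelist[] = {                /* constructed sample policy */
    "C:\\Windows\\System32\\notepad.exe",
    "C:\\Program Files\\Vendor\\agent.exe",
};
#define WHITELIST_LEN (sizeof g_whitelist / sizeof g_whitelist[0])

NTSTATUS detour_nt_create_section(const SECTION_CALL *c)
{
    if (section_policy_deny(c->FileDosPath, c->AllocationAttributes, g_whitelist, WHITELIST_LEN))
        return STATUS_ACCESS_DENIED;                      /* S26: fails before the image is mapped */
    return ((NT_CREATE_SECTION_FN)g_original_nt_create_section)(c);   /* S27 */
}

#define NT_CREATE_SECTION_INDEX 0x54UL                    /* the page's value; version-specific */
static SERVICE_FN g_table[0x60];                          /* constructed table holding slot 0x54 */
static SERVICE_DESCRIPTOR g_ssdt = { g_table, NULL, 0x60, NULL };

int install_hook(void)                                    /* S11 to S13 against the model table */
{
    g_table[NT_CREATE_SECTION_INDEX] = (SERVICE_FN)model_nt_create_section;
    return ssdt_hook(&g_ssdt, NT_CREATE_SECTION_INDEX, (SERVICE_FN)detour_nt_create_section,
                     &g_original_nt_create_section);
}

/* Dispatch the way the system service dispatcher does: through whatever the slot holds now. */
NTSTATUS create_section(const char *dos_path, unsigned long attrs)
{
    SECTION_CALL c = { attrs, dos_path };
    return ((NT_CREATE_SECTION_FN)g_ssdt.ServiceTableBase[NT_CREATE_SECTION_INDEX])(&c);
}
```

Calling install_hook() and then create_section("C:\\Temp\\dropper.exe", SEC_IMAGE) returns STATUS_ACCESS_DENIED without the model original ever running, while the same path without SEC_IMAGE, a whitelisted path in any letter case, a .dll, or a NULL name all fall through to it. What the model leaves out is what a real driver must add: the SSDT lives in a read-only page, so the write in ssdt_hook needs write protection cleared (or a writable MDL mapping) for the duration of the raised IRQL, which the patent does not describe; the FILE_OBJECT reference taken in step S21 must be released with ObDereferenceObject on every path, including the ones that fall through to S27, and the buffer IoQueryFileDosDeviceName allocates must be freed with ExFreePool, otherwise each process start leaks an object reference and a pool block; and on 64-bit Windows Kernel Patch Protection prevents modifying the SSDT at all, so the same deny-at-creation decision is expressed through PsSetCreateProcessNotifyRoutineEx by setting CreateInfo->CreationStatus to STATUS_ACCESS_DENIED.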
In summary, the invention discloses a process monitoring method for Windows systems. According to the method, a process is intercepted while it is being created rather than after it has been created, which makes the system safer. Because the hook sits on a path that every process creation must pass through, it cannot easily be bypassed by Trojans, viruses and the like, and the intended protection is achieved. The method is also not as cumbersome as the HOOK ObReferenceObjectByHandle method: only one API is hooked in the whole procedure, so the flow is clear and easy to understand. The NtCreateSection used by the invention sits at a relatively high level within the kernel hierarchy and only intercepts the process being created, so it does not affect other legitimate processes already running in the system.
The above embodiments serve only to illustrate the invention and do not limit it; those of ordinary skill in the relevant technical field can make various changes and modifications without departing from the spirit and scope of the invention, so all equivalent technical schemes also fall within the scope of the invention, and the scope of patent protection of the invention shall be defined by the claims.

Claims (6)

1. A process monitoring method, characterized in that the process monitoring method comprises the steps:
S1: obtaining the API address of NtCreateSection and replacing the original NtCreateSection with DetourNtCreateSection;
S2: monitoring the process to be created by means of DetourNtCreateSection.
2. The process monitoring method according to claim 1, characterized in that step S1 specifically comprises:
Step S11: obtaining the service ID number of NtCreateSection;
Step S12: calculating the API address of NtCreateSection from the obtained service ID number;
Step S13: replacing the original NtCreateSection with DetourNtCreateSection.
3. The process monitoring method according to claim 2, characterized in that, after step S12, it further comprises the step of recording the original API address in a global variable.
4. The process monitoring method according to claim 2, characterized in that, before step S13, it further comprises the step of raising the interrupt request level (IRQL) to deferred procedure call (DPC) level.
5. The process monitoring method according to claim 1, characterized in that step S2 specifically comprises:
Step S21: using the ObReferenceObjectByHandle API to obtain the file object (FileObject) of the process to be created from the last parameter of DetourNtCreateSection, FileHandle;
Step S22: judging whether the file object is empty; if the file object is empty, proceed to step S27, otherwise proceed to step S23;
Step S23: obtaining the file name of the process being created from the FileObject by means of the IoQueryFileDosDeviceName API;
Step S24: judging from the file name whether the file of the process being created is an .exe file; if so, proceed to step S25, otherwise proceed to step S27;
Step S25: judging whether the file of the process being created is in the white list; if so, proceed to step S27, otherwise proceed to step S26;
Step S26: calling the ObDereferenceObject API to decrement the reference count of the file object by 1, and returning STATUS_ACCESS_DENIED to indicate that creation of the process has failed;
Step S27: calling the original NtCreateSection.
6. The process monitoring method according to claim 5, characterized in that, before step S25, it further comprises the step of obtaining the file path from the file handle; step S25 then specifically comprises: judging from the file name and the file path whether the file of the process being created is in the white list; if so, proceed to step S27, otherwise proceed to step S26.
Application CN2011100966530A, "Process monitoring method": priority date 2011-04-18, filing date 2011-04-18, status pending, country CN.

Publications (1)

Publication Number Publication Date
CN102147845A 2011-08-10

Family ID: 44422107



Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1266223A * 1999-03-08 2000-09-13 英业达股份有限公司 Method for monitoring and controlling program process
CN101290587A * 2008-06-12 2008-10-22 中兴通讯股份有限公司 Method for implementing process start-up and control

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
EJOYWX: "Hook NtCreateSection最终版" (Hook NtCreateSection, final version), 18 October 2009 *
陈畅频: "进程创建拦截技术及其在软件实验中的应用" (Process creation interception technology and its application in software experiments), 《计算机工程与设计》 (Computer Engineering and Design) *

Cited By (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102855138A * 2012-07-20 2013-01-02 腾讯科技(深圳)有限公司 Application program interface (API) intercepting method and device and mobile terminal
WO2014012504A1 * 2012-07-20 2014-01-23 Tencent Technology (Shenzhen) Company Limited Method, device, and mobile terminal for API interception
CN102855138B * 2012-07-20 2015-12-09 腾讯科技(深圳)有限公司 API interception method, device and mobile terminal
CN102890641A * 2012-08-30 2013-01-23 北京奇虎科技有限公司 Process behavior control method and device
CN102890641B * 2012-08-30 2015-02-11 北京奇虎科技有限公司 Process behavior control method and device
CN106415584B * 2014-03-11 2019-07-12 赛门铁克公司 Systems and methods for pre-installation detection of malware on mobile devices
CN106415584A * 2014-03-11 2017-02-15 赛门铁克公司 Systems and methods for pre-installation detection of malware on mobile devices
CN106209734A * 2015-04-30 2016-12-07 阿里巴巴集团控股有限公司 Process identity authentication method and device
US11146554B2 2015-04-30 2021-10-12 Alibaba Group Holding Limited System, method, and apparatus for secure identity authentication
CN106209734B * 2015-04-30 2019-07-19 阿里巴巴集团控股有限公司 Process identity authentication method and device
CN105068916B * 2015-08-28 2017-12-08 福建六壬网安股份有限公司 Kernel hook based process behavior monitoring method
CN105068916A * 2015-08-28 2015-11-18 福建六壬网安股份有限公司 Kernel hook based process behavior monitoring method
CN106897618A * 2015-12-21 2017-06-27 珠海市君天电子科技有限公司 Webpage access method and device
CN106096391A * 2016-06-02 2016-11-09 北京金山安全软件有限公司 Process control method and user terminal
CN106096391B * 2016-06-02 2019-05-03 珠海豹趣科技有限公司 Process control method and user terminal
CN106127031A * 2016-06-23 2016-11-16 北京金山安全软件有限公司 Method and device for protecting process and electronic equipment
CN106156610B * 2016-06-29 2019-02-12 珠海豹趣科技有限公司 Process path acquisition method, device and electronic equipment
CN106156610A * 2016-06-29 2016-11-23 北京金山安全软件有限公司 Process path acquisition method and device and electronic equipment
CN106203093A * 2016-06-30 2016-12-07 北京金山安全软件有限公司 Process protection method and device and terminal
CN106778243A * 2016-11-28 2017-05-31 北京奇虎科技有限公司 Virtual machine-based kernel vulnerability detection file protection method and device
CN106778243B * 2016-11-28 2020-06-09 北京奇虎科技有限公司 Virtual machine-based kernel vulnerability detection file protection method and device
CN106775960A * 2016-12-30 2017-05-31 武汉斗鱼网络科技有限公司 Unique marking method and system for Windows processes
CN106775960B * 2016-12-30 2020-04-10 武汉斗鱼网络科技有限公司 Unique marking method and system for Windows processes
CN109831420A * 2018-05-04 2019-05-31 360企业安全技术(珠海)有限公司 Method and device for determining kernel process permission
CN109831420B * 2018-05-04 2021-10-22 360企业安全技术(珠海)有限公司 Method and device for determining kernel process permission
CN111310180A * 2020-02-18 2020-06-19 上海迅软信息科技有限公司 Computer process anti-counterfeiting method for enterprise information security
CN114138369A * 2021-12-02 2022-03-04 北京江民新科技术有限公司 Process protection method and system for the whole Windows system
CN115543463A * 2022-10-26 2022-12-30 安芯网盾(北京)科技有限公司 Method and system for detecting puppet process creation


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20110810