CN102156834B - Method for realizing program killing prevention - Google Patents


Info

Publication number: CN102156834B
Application number: CN2011100966545A
Authority: CN (China)
Prior art keywords: obreferenceobjectbyhandle, detourobreferenceobjectbyhandle, program, byte, bytes
Legal status: Expired - Fee Related (the status, assignee and dates shown on this page are Google's assumptions, not legal conclusions)
Other languages: Chinese (zh)
Other versions: CN102156834A
Inventors: 于晓军, 万雪松, 赵辰清
Current assignee: STRONG UNION TECHNOLOGY Co Ltd
Original assignee: STRONG UNION TECHNOLOGY Co Ltd
Priority date: 2011-04-18
Filing date: 2011-04-18
Publication dates: 2011-08-17 (CN102156834A), 2013-04-24 (CN102156834B, grant)

Timeline:
Application filed by STRONG UNION TECHNOLOGY Co Ltd
Priority to CN2011100966545A
Publication of CN102156834A
Application granted
Publication of CN102156834B
Expired - Fee Related
Anticipated expiration

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method for preventing a program (process) from being killed, in the technical field of program monitoring. The method comprises the following steps: (1) allocating a five-byte global array, in which the first byte encodes a jump (JMP) instruction and the following four bytes encode the jump displacement, and replacing the first five bytes of ObReferenceObjectByHandle with this array; and (2) implementing the anti-kill protection in DetourObReferenceObjectByHandle. Because ObReferenceObjectByHandle sits at a relatively low level, any termination of a process, whether illegal or normal, calls ObReferenceObjectByHandle to convert the handle into the underlying kernel object (the original text calls it a File_Object) before the process is closed. Hooking ObReferenceObjectByHandle therefore intercepts every process about to be closed and lets the method decide whether the close is legitimate, so the protection is not easily bypassed and protects processes well against illegal termination.

Description

Method for realizing program killing prevention
Technical field
The present invention relates to the technical field of process monitoring, and in particular to a method for preventing a process from being killed.
Background technology
Process anti-kill protection means protecting a user's process from being terminated illegally. If a user's process is terminated unexpectedly, the computer system may become unstable; in particular, when the computer is attacked by malicious programs such as viruses and critical processes are killed, the user may suffer large economic losses. Important system processes therefore also need the ability to protect themselves, so that a process cannot be killed without the user knowing about it.
At present, attackers commonly kill processes through Task Manager or hacker tools in order to damage the system or steal system files. For example, when an attacker targets a system, he logs in and then checks whether any known processes are monitoring it; if so, he kills the monitoring process. Once that process is killed the attacker can act freely, whereas if the attacker fails to kill it, everything he does on the system can be recorded, which helps in catching him. Existing process anti-kill implementations for Windows typically hook NtOpenProcess and NtTerminateProcess, but such methods can be bypassed in many malicious ways (for example "clearing to 0", or calling the internal PspTerminateProcess or PspExitThread routines directly).
The industry therefore urgently needs a process anti-kill method that cannot be bypassed easily.
Summary of the invention
(1) Technical problem to be solved
The technical problem to be solved by the present invention is, in view of the above defects, how to provide a process anti-kill method that cannot be bypassed easily and that can better protect a process from being closed illegally.
(2) Technical solution
To solve the above technical problem, the present invention provides a method for preventing a process from being killed, comprising the steps of:
S1: allocating a five-byte global array, in which the first byte represents a JMP instruction and the following four bytes represent the jump displacement, and replacing the first five bytes of ObReferenceObjectByHandle with this five-byte global array;
S2: implementing the anti-kill protection in DetourObReferenceObjectByHandle.
Preferably, before step S1 the method further comprises recording the first five bytes of ObReferenceObjectByHandle in a global variable.
Preferably, before step S1 the method further comprises raising the interrupt request level (IRQL) to deferred procedure call (DPC) level.
Preferably, step S2 comprises:
Step S21: in DetourObReferenceObjectByHandle, executing the five original bytes of ObReferenceObjectByHandle that were replaced and then jumping to the bytes of ObReferenceObjectByHandle that follow those five (that is, calling the original routine through a trampoline);
Step S22: checking the result returned by ObReferenceObjectByHandle; if the call failed, going to step S27, otherwise going to step S23;
Step S23: determining from the ObjectType parameter passed to DetourObReferenceObjectByHandle whether the operation concerns a process object; if so, going to step S24, otherwise going to step S27;
Step S24: determining from the ACCESS_MASK (DesiredAccess) parameter passed to DetourObReferenceObjectByHandle whether the operation is process creation or process termination; if it is termination, going to step S25, otherwise going to step S27;
Step S25: determining whether the process about to be terminated is on the white list; if so, going to step S26, otherwise going to step S27;
Step S26: returning the status STATUS_INVALID_HANDLE, meaning that the termination failed;
Step S27: returning the status returned by ObReferenceObjectByHandle.
Preferably, before step S25 the method further comprises obtaining the path of the process from the handle passed to DetourObReferenceObjectByHandle, and step S25 then comprises: determining from the path of the process about to be terminated whether that process is on the white list; if so, going to step S26, otherwise going to step S27.
Preferably, the jump displacement is DetourObReferenceObjectByHandle - ObReferenceObjectByHandle - 5.
Preferably, the value of the first byte is 0xE9.
(3) Beneficial effects
The present invention proposes a method for preventing a process from being killed. Because ObReferenceObjectByHandle sits at a relatively low level, both illegal and normal process termination call ObReferenceObjectByHandle to convert the handle into the underlying kernel object (the original text names FILE_OBJECT; for a process handle the object referenced is the process object) before the process is closed. By hooking ObReferenceObjectByHandle we can therefore intercept the process about to be closed and then decide whether this is a legitimate termination; the hook is not easily bypassed and protects the process well from being closed illegally.
Description of drawings
Fig. 1 is a flow chart of the process anti-kill method according to the embodiment of the invention;
Fig. 2 is a flow chart of step S2 of that method.
Embodiments
The specific embodiments of the present invention are described in further detail below with reference to the drawings and examples. The following examples illustrate the invention but do not limit its scope.
Fig. 1 is a flow chart of the process anti-kill method according to the embodiment of the invention. As shown in Fig. 1, the method comprises the steps of:
S1: allocate a five-byte global array in which the first byte represents a JMP instruction, for example 0xE9, and the following four bytes represent the jump displacement, which is DetourObReferenceObjectByHandle - ObReferenceObjectByHandle - 5 (a JMP rel32 displacement is relative to the end of the five-byte instruction, hence the -5); replace the first five bytes of ObReferenceObjectByHandle with this five-byte global array.
After this step, as soon as execution reaches ObReferenceObjectByHandle it jumps to DetourObReferenceObjectByHandle, i.e. our relay (detour) function.
Before this step, the method further comprises recording the first five bytes of ObReferenceObjectByHandle in a global variable, so that the original contents can be restored when the hook is removed at driver unload.
Before this step, the method may further comprise raising the IRQL (Interrupt ReQuest Level) to DPC (Deferred Procedure Call) level, so that the patching is not interrupted by other threads. Note that raising IRQL only prevents preemption on the current processor: on a multiprocessor system another processor can still execute the routine while the five bytes are being written; kernel code pages are write-protected (CR0.WP) and must be made writable for the write to succeed; and on 64-bit Windows, Kernel Patch Protection (PatchGuard) detects modifications of kernel code such as this one. The "jump past the first five bytes" of step S21 also assumes that those five bytes are whole instructions without relative operands, which holds for routines built with the hot-patchable prologue (mov edi,edi; push ebp; mov ebp,esp) that 32-bit Windows system code commonly uses.
S2: implement the anti-kill protection in DetourObReferenceObjectByHandle.
Fig. 2 is a flow chart of step S2 of the method according to the embodiment of the invention. As shown in Fig. 2, step S2 comprises:
Step S21: in DetourObReferenceObjectByHandle, execute the five original bytes of ObReferenceObjectByHandle that were replaced and then jump to the bytes of ObReferenceObjectByHandle that follow those five, i.e. call the original routine through a trampoline;
Step S22: check the result returned by ObReferenceObjectByHandle; if the call failed, go to step S27, otherwise go to step S23;
Step S23: determine from the ObjectType parameter passed to DetourObReferenceObjectByHandle whether the operation concerns a process object (ObjectType equal to *PsProcessType); if so, go to step S24, otherwise go to step S27. The original text calls ObjectType the first parameter and the ACCESS_MASK the second; in the documented signature ObReferenceObjectByHandle(Handle, DesiredAccess, ObjectType, AccessMode, Object, HandleInformation) the DesiredAccess mask is the second parameter and ObjectType the third.
Step S24: determine from the ACCESS_MASK (DesiredAccess) parameter passed to DetourObReferenceObjectByHandle whether the operation is process creation or process termination. Since the invention is concerned with anti-kill, only termination matters, that is, the case in which the requested access is PROCESS_TERMINATE (value 1): go to step S25; otherwise go to step S27. A caller that requests PROCESS_TERMINATE together with other rights (for example PROCESS_ALL_ACCESS) also has this bit set, so the check should test the bit rather than compare the mask with 1.
Step S25: determine whether the process about to be terminated is on the white list (the list of files that require anti-kill protection); if so, go to step S26, otherwise go to step S27.
Before this step, the method may further comprise obtaining the path of the process from the handle passed to DetourObReferenceObjectByHandle, in which case this step comprises: determining from the path of the process about to be terminated whether that process is on the white list; if so, go to step S26, otherwise go to step S27;
Step S26: return the status STATUS_INVALID_HANDLE, meaning that the termination failed;
Step S27: return the status returned by ObReferenceObjectByHandle.
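The following is an added example and not code from the patent or from STRONG UNION: a user-mode C model of steps S1 and S2 that builds with an ordinary C compiler. It constructs the five-byte JMP patch, saves and restores the original prologue, and runs the S21 to S27 decision flow over constructed inputs. Everything it operates on is made up for the example: the addresses 0x80401000 and 0x80501234, the prologue bytes, the handle table that stands in for the object manager, and the white list entry; the stand-in for the original ObReferenceObjectByHandle is a table lookup rather than the saved-prologue trampoline. It departs from the embodiment in one deliberate place: step S24 tests the PROCESS_TERMINATE bit instead of comparing the mask with 1, so a request for PROCESS_ALL_ACCESS is caught as well. The NTSTATUS values are the real codes.

```c
/* Added example, not the patent's own code: a user-mode model of steps S1
 * and S2 that builds with any C compiler. Kernel types, the handle table
 * and the white list are constructed stand-ins; a real driver would write
 * the five bytes into kernel text and reach the original routine through
 * the saved prologue rather than through the lookup used here. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int32_t  NTSTATUS;
typedef uint32_t ACCESS_MASK;
#define NT_SUCCESS(s) ((s) >= 0)
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000)
#define STATUS_INVALID_HANDLE       ((NTSTATUS)0xC0000008)
#define STATUS_OBJECT_TYPE_MISMATCH ((NTSTATUS)0xC0000024)
#define PROCESS_TERMINATE           0x0001u   /* the access right tested in S24 */

enum object_type { OBJ_PROCESS = 1, OBJ_THREAD = 2, OBJ_FILE = 3 };

/* ---- Step S1: the five-byte JMP rel32 patch ---- */

/* out[0] = 0xE9; out[1..4] = detour - (target + 5), little-endian.
 * Unsigned wrap-around yields the same bytes as a signed rel32. */
void build_jmp_patch(uint32_t target, uint32_t detour, uint8_t out[5]) {
    uint32_t rel = detour - (target + 5);
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i));
}

static uint8_t g_saved[5];  /* original prologue, kept so the hook can be removed */

/* `func` is a copy of the code that lives at virtual address func_va. */
void install_hook(uint8_t *func, uint32_t func_va, uint32_t detour_va) {
    memcpy(g_saved, func, sizeof g_saved);
    build_jmp_patch(func_va, detour_va, func);
}

void remove_hook(uint8_t *func) { memcpy(func, g_saved, sizeof g_saved); }

/* ---- Step S2: the detour's decision logic ---- */

/* Constructed handle table standing in for the object manager. */
struct handle_entry { uint32_t handle; enum object_type type; const char *path; };
static const struct handle_entry g_handles[] = {
    { 0x10, OBJ_PROCESS, "C:\\guard\\agent.exe" },      /* on the white list */
    { 0x20, OBJ_PROCESS, "C:\\Windows\\notepad.exe" },
    { 0x30, OBJ_FILE,    "C:\\guard\\log.txt" },
};
static const char *const g_whitelist[] = { "C:\\guard\\agent.exe" };

/* Stand-in for the original ObReferenceObjectByHandle reached in S21. */
static NTSTATUS original_ob_reference(uint32_t handle, enum object_type type,
                                      const struct handle_entry **obj) {
    for (size_t i = 0; i < sizeof g_handles / sizeof g_handles[0]; i++) {
        if (g_handles[i].handle != handle) continue;
        if (g_handles[i].type != type) return STATUS_OBJECT_TYPE_MISMATCH;
        *obj = &g_handles[i];
        return STATUS_SUCCESS;
    }
    return STATUS_INVALID_HANDLE;
}

static bool in_whitelist(const char *path) {
    for (size_t i = 0; i < sizeof g_whitelist / sizeof g_whitelist[0]; i++)
        if (strcmp(g_whitelist[i], path) == 0) return true;
    return false;
}

/* DetourObReferenceObjectByHandle: steps S21 to S27. */
NTSTATUS detour_ob_reference(uint32_t handle, ACCESS_MASK desired,
                             enum object_type type) {
    const struct handle_entry *obj = NULL;
    NTSTATUS st = original_ob_reference(handle, type, &obj);   /* S21 */
    if (!NT_SUCCESS(st))                return st;             /* S22 -> S27 */
    if (type != OBJ_PROCESS)            return st;             /* S23 -> S27 */
    if (!(desired & PROCESS_TERMINATE)) return st;             /* S24 -> S27 */
    if (!in_whitelist(obj->path))       return st;             /* S25 -> S27 */
    /* S26: deny. In the kernel the original call has already taken a
     * reference on the object, so the real detour must ObDereferenceObject()
     * it here or every denied kill leaks a reference. */
    return STATUS_INVALID_HANDLE;
}

int main(void) {
    /* Constructed hot-patch prologue: mov edi,edi; push ebp; mov ebp,esp; sub esp,0x10 */
    uint8_t code[8] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
    install_hook(code, 0x80401000u, 0x80501234u);
    printf("patched prologue: %02X %02X %02X %02X %02X\n",
           code[0], code[1], code[2], code[3], code[4]);
    printf("kill agent.exe   -> 0x%08X\n",
           (unsigned)detour_ob_reference(0x10, PROCESS_TERMINATE, OBJ_PROCESS));
    printf("kill notepad.exe -> 0x%08X\n",
           (unsigned)detour_ob_reference(0x20, PROCESS_TERMINATE, OBJ_PROCESS));
    remove_hook(code);
    return 0;
}
```

Build with `cc -std=c99 -Wall hook_model.c`. The ObDereferenceObject comment at S26 is the step missing from the flow chart on this page: the original routine succeeds before the detour decides to deny, so the reference it took has to be dropped.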
In summary, the invention discloses a method for preventing a process from being killed in a Windows system. ObReferenceObjectByHandle is used for anti-kill because it sits at a low level: whether a program is closed normally or illegally, its handle must first be converted into the underlying kernel object (the original text says FILE_OBJECT), and that conversion is performed by ObReferenceObjectByHandle, so hooking this one routine lets us monitor every operation that closes a process. Hooking this API is safer than hooking other APIs such as ZwSetInformationFile or NtOpenProcess and NtTerminateProcess: ZwSetInformationFile cannot detect some illegal process terminations, and many hacker tools can bypass NtOpenProcess but cannot bypass ObReferenceObjectByHandle. Note that this covers only terminations performed through a handle; a kernel-mode attacker that already holds a pointer to the process object, for example one calling PspTerminateProcess directly as mentioned in the background, never resolves a handle for it. The method is also less cumbersome than hooking NtOpenProcess and NtTerminateProcess: the whole scheme is a single API hook and the flow is clear and easy to understand. ObReferenceObjectByHandle provides the information we need, such as the process handle, from which the process ID and then the process path can be obtained, without much extra work.
The above embodiments are only for illustrating the present invention and not for limiting it. Those of ordinary skill in the relevant technical field can make various changes and modifications without departing from the spirit and scope of the invention; therefore all equivalent technical solutions also belong to the scope of the invention, and the scope of patent protection of the invention is defined by the claims.

Claims (6)

1. the method for a realizing program killing prevention is characterized in that, described method comprises step:
S1: the overall array of five bytes of application, first byte represents redirect JMP instruction, and rear four bytes represent the size of redirect, replace the first five byte of ObReferenceObjectByHandle with the overall array of described five bytes;
S2: according to the DetourObReferenceObjectByHandle realizing program killing prevention, wherein
Described step S2 specifically comprises:
Step S21: in DetourObReferenceObjectByHandle, call the ObReferenceObjectByHandle that the first five original byte has been replaced and rear five bytes that jump to described ObReferenceObjectByHandle;
Step S22: judge according to the ObReferenceObjectByHandle return results, if malloc failure malloc then enters step S27; Otherwise, enter step S23;
Does step S23: first parameter ObjectType according to DetourObReferenceObjectByHandle judge that the routine that will carry out is process type? if so, enter step S24; Otherwise enter step S27;
Step S24: judge that according to the second parameter ACESS_MASK of DetourObReferenceObjectByHandle what will carry out is that process creation or process are destroyed, if process is destroyed, enters step S25; Otherwise, enter step S27;
Step S25: is the process that the judgement process of will carrying out is destroyed in white list? if, then enter step S26, otherwise, step S27 entered;
Step S26: return state STATUS_INVALID_HANDLE, the failure of expression cancellation process;
Step S27: call the state that ObReferenceObjectByHandle returns.
2. method according to claim 1 is characterized in that, further comprises before described step S1: with the step of the first five byte records to one global variable of ObReferenceObjectByHandle.
3. method according to claim 1 is characterized in that, further comprises before described step S1: make IRQ level IRQL rise to the step of deferred procedure call DPC level.
4. method according to claim 1 is characterized in that, further comprises the step that obtains the path of this process according to the handle of DetourObReferenceObjectByHandle before described step S25, and then described step S25 specifically comprises:
Does path according to the process that will carry out the process destruction judge that described process is in white list? if, then enter step S26, otherwise, step S27 entered.
5. each described method is characterized in that according to claim 1-4, and the size of described redirect is DetourObReferenceObjectByHandle-ObReferenceObjectByHandl e-5.
6. each described method is characterized in that according to claim 1-4, and the value of described first byte is 0XE9.

Priority Applications (1)

Application Number: CN2011100966545A
Priority Date: 2011-04-18
Filing Date: 2011-04-18
Title: Method for realizing program killing prevention

Publications (2)

CN102156834A, published 2011-08-17
CN102156834B, published 2013-04-24

Family ID: 44438326

Country Status (1)

CN: CN102156834B

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103116724B (en) * 2013-03-14 2015-08-12 北京奇虎科技有限公司 The method of locator(-ter) sample hazardous act and device

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102768720B (en) * 2012-03-20 2019-02-22 新奥特(北京)视频技术有限公司 A kind of method of Process Protection
CN102799493A (en) * 2012-06-21 2012-11-28 北京伸得纬科技有限公司 Method for intercepting target progress with self-protection
CN106682493B (en) * 2015-11-06 2019-08-27 珠海豹趣科技有限公司 A kind of method, apparatus for preventing process from maliciously being terminated and electronic equipment
CN106886691B (en) * 2015-12-15 2020-01-14 珠海豹趣科技有限公司 Interception method and device for ending process operation and electronic equipment
CN106469272A (en) * 2016-08-31 2017-03-01 北京力鼎创软科技有限公司 A kind of windows process protection method and system
CN109711153B (en) * 2018-12-26 2021-03-19 北京北信源信息安全技术有限公司 Windows process protection method and system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
NO20050564D0 (en) * 2005-02-02 2005-02-02 Tore Lysemose Hansen Program monitor to identify unauthorized intrusion into computer systems
CN100504904C (en) * 2007-12-25 2009-06-24 北京大学 Windows concealed malevolence software detection method
CN101304409B (en) * 2008-06-28 2011-04-13 成都市华为赛门铁克科技有限公司 Method and system for detecting malice code


Also Published As

Publication number Publication date
CN102156834A (en) 2011-08-17

Similar Documents

Publication Publication Date Title
CN102156834B (en) Method for realizing program killing prevention
KR102307534B1 (en) Systems and methods for tracking malicious behavior across multiple software entities
JP6212548B2 (en) Kernel-level security agent
AU2006210698B2 (en) Intrusion detection for computer programs
US20090177883A1 (en) Method and device for online secure logging-on
CN101902481B (en) Real-time monitoring method and device for webpage Trojan horse
US9542557B2 (en) Snoop-based kernel integrity monitoring apparatus and method thereof
CN101013461A (en) Method of computer protection based on program behavior analysis
US11120106B2 (en) Hardware—assisted system and method for detecting and analyzing system calls made to an operating system kernel
JP2019521400A (en) Detecting speculative exploit attempts
CN106055385A (en) System and method for monitoring virtual machine process, and method for filtering page fault anomaly
CN102831356A (en) Software dynamic credibility authentication method based on software fingerprint
CN101599113A (en) Driven malware defence method and device
US20160246590A1 (en) Priority Status of Security Patches to RASP-Secured Applications
CN113051034A (en) Container access control method and system based on kprobes
CN105426751A (en) Method and device for preventing system time from being tampered
CN113395694A (en) Intelligent security defense system and defense method based on 5G and local area base station
CN101604370A (en) A kind of method of monitoring Windows kernel function call of highly compatible
CN103353930A (en) Method and device for preventing infectious virus infection
CN102081720B (en) Method and system for detecting process creation during real-time protection
KR101580624B1 (en) Method of Penalty-based Unknown Malware Detection and Response
CN106557693A (en) A kind of malice Hook behavioral value method and system
CN102819703A (en) Method and equipment used for preventing webpage attack
EP3831031A1 (en) Listen mode for application operation whitelisting mechanisms
CN109033821A (en) A kind of Stack Smashing Protection System and method

Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination
C14 / GR01: Grant of patent or utility model
PE01: Entry into force of the registration of the contract for pledge of patent right
  Denomination of invention: Method for realizing program killing prevention
  Effective date of registration: 20131226
  Granted publication date: 20130424
  Pledgee: Bank of Communications Ltd. Beijing Zhongguancun Park sub branch
  Pledgor: STRONGUNION TECHNOLOGY Co.,Ltd.
  Registration number: 2013990001026
PLDC / PC01: Cancellation of the registration of the contract for pledge of patent right
  Date of cancellation: 20150203
  Granted publication date: 20130424
  Pledgee: Bank of Communications Ltd. Beijing Zhongguancun Park sub branch
  Pledgor: STRONGUNION TECHNOLOGY Co.,Ltd.
  Registration number: 2013990001026
CF01: Termination of patent right due to non-payment of annual fee
  Granted publication date: 20130424
  Termination date: 20210418