CN102214134B - Computer process termination system and method - Google Patents

Publication number: CN102214134B
Authority: CN (China)
Prior art keywords: termination, module, program process, security, stopped
Legal status: Active
Application number: CN201010150156.XA
Other languages: Chinese (zh)
Other versions: CN102214134A (en)
Inventors: 谷沉沉, 何健, 吕静
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention provides a computer process termination system and method. The system comprises an application-level process termination module, a security detection module and a kernel-level process termination module. The application-level process termination module performs an application-level termination operation on the program process to be terminated. The security detection module performs security detection on a program process that the application-level process termination module failed to terminate. The kernel-level process termination module decides, according to the security detection result of the security detection module, whether to perform a kernel-level forced termination operation on the program process whose termination failed. Applying the invention ensures that the computer system runs securely and stably.

Description

Computer process termination system and method
Technical field
The present invention relates to the field of computer technology, and in particular to a computer process termination system and method.
Background
The widely used Intel x86 processors control access by privilege level. There are four privilege levels: Ring0, Ring1, Ring2 and Ring3. Ring0 has the highest access rights and Ring3 the lowest. Operating systems such as Windows use only two of these levels, Ring0 and Ring3. Operating system data is held at Ring0, and a kernel-level program running at Ring0 has the same privileges as the operating system: it can access data at every level and execute instructions at every level. An ordinary application-level program can only run at Ring3, is restricted by the operating system, and can only access Ring3 data and execute Ring3 instructions.
Existing process termination systems are either application-level or kernel-level. An application-level process termination system can terminate the processes of application-level programs running at Ring3, but cannot terminate the processes of kernel-level programs running at Ring0. A kernel-level process termination system can terminate programs at any level, including kernel-level programs, but if it ends an operating system process that should not be ended, the whole operating system will be paralyzed.
A kernel-level program runs in the Ring0 environment that the operating system trusts, and can access and control all system resources. At present, most malicious programs such as viruses and Trojans are kernel-level programs, and they are highly destructive and stealthy.
Terminating a malicious program's process gives the computer a degree of protection. However, because most malicious programs are kernel-level programs, an application-level process termination system cannot end them. If a kernel-level process termination system is used instead, the user can easily end a non-malicious process such as an operating system process by mistake and bring the system down, which works against the stable operation of the operating system.
Summary of the invention
In view of this, the invention provides a computer process termination system and method to ensure that the computer system runs securely and stably.
A computer process termination system comprises an application-level process termination module, a security detection module and a kernel-level process termination module.
The application-level process termination module performs an application-level termination operation on the program process to be terminated.
The security detection module performs security detection on a program process that the application-level process termination module failed to terminate.
The kernel-level process termination module decides, according to the security detection result of the security detection module, whether to perform a kernel-level forced termination operation on the program process whose termination failed.
A computer process termination method comprises:
performing an application-level termination operation on the program process to be terminated using the application-level process termination system; when the termination operation fails, performing security detection on the program process to be terminated; and, according to the security detection result, performing a kernel-level forced termination operation on the program process using the kernel-level process termination module.
As the above technical solution shows, the invention first uses the application-level process termination module to terminate the program process, performs security detection on a program process whose termination failed, and then uses the kernel-level process termination module to terminate unsafe processes according to the security detection result. On the one hand, for malicious programs such as viruses and Trojans that run at kernel level, when the application-level process termination module cannot terminate the program, security detection identifies it as malicious and the kernel-level termination module is then used to terminate it, which ensures the security of the computer system. On the other hand, application-level program processes can be terminated by the application-level process termination module, so the kernel-level process termination module does not need to be started for them. This reduces problems such as system breakdown caused by misuse of the kernel-level process termination module and improves the stability of the computer system.
It should also be noted that, because most malicious programs run at kernel level, the application-level process termination module is used first to end the program process to be terminated, and if the process cannot be terminated, the probability that the program is malicious can be judged to be higher. Using the application-level process termination module first therefore does more than end application-level program processes: it also acts as a form of security detection on the program to be terminated. Running the security detection module on the program on top of this also improves the accuracy of the security detection result.
In short, the computer process termination system of the invention provides a safe and reliable kernel-level process termination module that gives complete control over system processes and effectively force-terminates unsafe kernel-level processes, while preserving the stability of the operating system as far as possible.
Brief description of the drawings
Fig. 1 is a structural diagram of the computer process termination system provided by the invention.
Fig. 2 is a structural diagram of a preferred embodiment of the computer process termination system provided by the invention.
Fig. 3 is a flowchart of the computer process termination method provided by the invention.
Embodiments
The invention provides a safe and reliable computer process termination system. When terminating a process it gives priority to application-level termination. If it meets a kernel-level process that application-level termination cannot end, then after process security detection and confirmation through user interaction it can force-terminate the process in kernel-level mode. This achieves effective termination of unsafe kernel-level processes while preserving the stability of system operation as far as possible. The device embodiment and the method embodiment of this technical solution are described in detail below.
Fig. 1 is a structural diagram of the computer process termination system provided by the invention.
As shown in Fig. 1, the system comprises an application-level process termination module 101, a security detection module 102 and a kernel-level process termination module 103.
The application-level process termination module 101 performs an application-level termination operation on the program process to be terminated.
The security detection module 102 performs security detection on a program process that the application-level process termination module 101 failed to terminate.
The kernel-level process termination module 103 decides, according to the security detection result of the security detection module 102, whether to perform a kernel-level forced termination operation on the program process whose termination failed.
The system may further include a user interaction module, which receives the user's command selecting the program process to be terminated, sends the application-level process termination module an instruction to perform the termination operation on that program process, outputs or displays the detection result of the security detection module, and receives the user's command on whether to force-terminate the program process.
Correspondingly, the kernel-level process termination module decides, according to the security detection result of the security detection module and the command received by the user interaction module, whether to perform a kernel-level forced termination operation on the program process whose termination failed.
The system may further include a process details configuration file, which stores the correspondence between process names and process descriptions, process security levels and suggested operations.
Correspondingly, the security detection module uses the name of the program process to be terminated and the correspondence in the process details configuration file to look up the process description and to determine the security level of the program process and the suggested operation for it.
Specifically, the security levels in the process details configuration file are critical process, safe process and suspicious process, and the corresponding suggested operations are, respectively: a critical process cannot be terminated, terminating a safe process is not advised, and terminating a suspicious process is advised.
Correspondingly, when the security detection result of the security detection module is that the program process to be terminated is a critical process of the operating system, the kernel-level process termination module decides not to perform the termination operation on it. When the security detection result is that the program process to be terminated is not a critical process of the operating system, the module performs the kernel-level forced termination operation on the program process if the command received by the user interaction module is to terminate it, and does not perform the kernel-level forced termination operation if the command received is not to terminate it.
The system may further include a process enumeration module, which builds a process list from the currently running processes and updates the process list according to the outcome of process termination.
Fig. 2 is a structural diagram of a preferred embodiment of the computer process termination system provided by the invention.
As shown in Fig. 2, in the preferred embodiment the computer process termination system comprises a process enumeration module 201, an application-level process termination module 202, a security detection module 203, a process details configuration file storage module 204, a user interaction module 205 and a kernel-level process termination module 206.
The process enumeration module 201 enumerates the currently running processes, builds a process list, and updates the process list according to the outcome of process termination. The user selects the process to be terminated from the process list built by the process enumeration module 201.
The application-level process termination module 202 performs an application-level termination operation on the process the user selected. If termination fails, the security detection module 203 performs security detection on the process whose termination failed. Specifically, it uses the configuration file stored in the process details configuration file storage module 204 and the name of the process whose termination failed to look up the description of the process and detect its security level, outputs the relevant information about the process through the user interaction module 205 according to the detection result, and advises the user on the corresponding operation. For example, if the detection result is critical process, the user interaction module 205 tells the user that the process is not allowed to be terminated; if the detection result is safe process, the user interaction module 205 tells the user that terminating the process is not advised; if the detection result is suspicious process, the user interaction module 205 tells the user that terminating the process is advised. The kernel-level process termination module 206 acts according to the detection result of the security detection module 203 and the user instruction received by the user interaction module 205. For example, when the detection result of the security detection module 203 is critical process, the kernel-level process termination module 206 does not terminate the critical process whatever user command the user interaction module 205 receives; when the detection result is safe process or suspicious process, it acts according to the user command received by the user interaction module 205.
Fig. 3 is a flowchart of the computer process termination method provided by the invention.
As shown in Fig. 3, the flow comprises:
Step 301: for the program process the user selected in the process list, use the application-level process termination module to terminate the program process.
Step 302: determine whether the program process was terminated successfully; if so, go to step 310; if not, go to step 303.
Step 303: detect the security of the process whose termination failed.
Step 304: according to the detection result, determine whether the process is a critical process; if so, go to step 305; if not, go to step 306.
Step 305: tell the user that this critical process cannot be terminated, and end the flow.
Step 306: show the user the information about the process and the suggested operation.
In this step, if the security detection result is that the process is a safe process, the user is told that terminating the process is not advised; if the security detection result is that the process is a suspicious process, the user is told that terminating the process is advised.
Step 307: determine whether the user allows the process to be terminated by force; if so, go to step 308; otherwise end the flow.
Step 308: use the kernel-level process termination module to force-terminate the process.
Step 309: determine whether the process was terminated successfully; if so, go to step 310; otherwise end the flow.
Step 310: update the process list.
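The flow of steps 301 to 310 as a small decision model, added here as an illustration and not taken from the patent. The JSON layout of the process details file, the sample entries, the UNKNOWN level for unlisted names and the three injected callables are assumptions; the model shows that a critical process is refused before the user is asked, and that no security lookup runs when application-level termination succeeds.

```python
import json
from enum import Enum


class Level(Enum):
    CRITICAL = "critical"      # must never be terminated
    SAFE = "safe"              # termination not advised
    SUSPICIOUS = "suspicious"  # termination advised
    UNKNOWN = "unknown"        # assumption: name missing from the file


ADVICE = {
    Level.CRITICAL: "cannot be terminated",
    Level.SAFE: "termination not advised",
    Level.SUSPICIOUS: "termination advised",
    Level.UNKNOWN: "no entry in configuration; user decides",
}

# Constructed sample of the process details configuration file.
# The JSON layout and every entry are assumptions made for this example.
SAMPLE_CONFIG = json.loads("""
{
  "csrss.exe":        {"description": "Windows client/server runtime", "level": "critical"},
  "backup-agent.exe": {"description": "constructed backup service",    "level": "safe"},
  "svch0st.exe":      {"description": "constructed look-alike name",   "level": "suspicious"}
}
""")


def classify(name, config):
    """Step 303: look up description and security level by process name."""
    entry = config.get(name.lower())          # names compared case-insensitively
    if entry is None:
        return Level.UNKNOWN, "not listed"
    return Level(entry["level"]), entry["description"]


def terminate(name, process_list, config, user_kill, kernel_kill, ask_user):
    """Run steps 301-310 for one process; return (outcome, steps_visited).

    user_kill, kernel_kill and ask_user are injected callables (hypothetical
    stand-ins for modules 202, 206 and 205); nothing here touches a real process.
    """
    steps = [301, 302]
    if user_kill(name):                       # 301-302: application-level attempt
        process_list.remove(name)             # 310: update the process list
        return "terminated-user-mode", steps + [310]

    level, description = classify(name, config)   # 303: only after a failure
    steps += [303, 304]
    if level is Level.CRITICAL:               # 304-305: refused, user is not asked
        return "refused-critical", steps + [305]

    steps += [306, 307]                       # 306: show info and advice; 307: ask
    if not ask_user(name, description, ADVICE[level]):
        return "declined-by-user", steps

    steps += [308, 309]
    if kernel_kill(name):                     # 308-309: forced termination
        process_list.remove(name)             # 310
        return "terminated-kernel-mode", steps + [310]
    return "kernel-termination-failed", steps


if __name__ == "__main__":
    procs = ["csrss.exe", "svch0st.exe"]
    for target in list(procs):
        result = terminate(target, procs, SAMPLE_CONFIG,
                           user_kill=lambda n: False,
                           kernel_kill=lambda n: True,
                           ask_user=lambda n, d, a: True)
        print(target, result)
```

Because the lookup in step 303 is keyed on the process name alone, the protection given to a critical entry is only as trustworthy as the name itself.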
As can be seen, the process termination system of the invention includes a kernel-level process termination mode, which gives complete control over processes and effectively terminates kernel-level processes that harm the system.
Before the kernel-level process termination module is used to force-terminate a process, the process termination system of the invention gives priority to terminating the process with the application-level process termination module, protects kernel-level critical system processes from being terminated, and leaves the final decision on whether to force-terminate the process to the user. It thus terminates unsafe kernel-level processes effectively while preserving stable system operation as far as possible.
Security detection is performed only after the application-level process termination module has failed to terminate the process, and the user is prompted accordingly, which keeps the user from choosing an operation blindly. Meanwhile, because no security detection is needed when terminating an application-level process, execution efficiency is higher in that case.
The foregoing is only the preferred embodiment of the invention and is not intended to limit the invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims (4)

1. A computer process termination system, characterized in that the system comprises an application-level process termination module, a security detection module and a kernel-level process termination module;
the application-level process termination module performs an application-level termination operation on the program process to be terminated;
the security detection module performs security detection on a program process that the application-level process termination module failed to terminate;
the kernel-level process termination module decides, according to the security detection result of the security detection module, whether to perform a kernel-level forced termination operation on the program process whose termination failed; the system further comprises a user interaction module;
the user interaction module receives the user's command selecting the program process to be terminated, sends the application-level process termination module an instruction to perform the termination operation on that program process, outputs or displays the detection result of the security detection module, and receives the user's command on whether to force-terminate the program process;
the kernel-level process termination module decides, according to the security detection result of the security detection module and the command received by the user interaction module, whether to perform a kernel-level forced termination operation on the program process whose termination failed, so that unsafe kernel-level processes are effectively terminated while stable system operation is ensured;
the system further comprises a process details configuration file;
the process details configuration file stores the correspondence between process names and process descriptions, process security levels and suggested operations; the security levels comprise critical process, safe process and suspicious process, and the corresponding suggested operations are, respectively: a critical process cannot be terminated, terminating a safe process is not advised, and terminating a suspicious process is advised;
the security detection module uses the name of the program process to be terminated and the correspondence in the process details configuration file to look up the process description and to determine the security level of the program process and the suggested operation for it;
when the security detection result of the security detection module is that the program process to be terminated is a critical process of the operating system, the kernel-level process termination module decides not to perform the termination operation on it; when the security detection result is that the program process to be terminated is not a critical process of the operating system, the kernel-level process termination module performs the kernel-level forced termination operation on the program process if the command received by the user interaction module is to terminate it, and does not perform the kernel-level forced termination operation if the command received is not to terminate it.
2. The system according to claim 1, characterized in that the system further comprises a process enumeration module;
the process enumeration module builds a process list from the currently running processes and updates the process list according to the outcome of process termination.
3. A computer process termination method, characterized in that the method comprises:
receiving the user's command selecting the program process to be terminated; performing an application-level termination operation on the program process using the application-level process termination system; when the termination operation fails, performing security detection on the program process to be terminated; outputting or displaying the detection result; receiving the user's command on whether to force-terminate the program process; and, according to the security detection result and the received command, performing a kernel-level forced termination operation on the program process using the kernel-level process termination module, so that unsafe kernel-level processes are effectively terminated while stable system operation is ensured;
performing security detection on the program process to be terminated comprises:
detecting the name of the program process to be terminated, and determining its security level according to a preset correspondence between program process names, descriptions and security levels;
the security levels comprise critical process, safe process and suspicious process, and performing the termination operation on the program process with the kernel-level process termination module according to the security detection result and the received command comprises:
when the program process to be terminated is detected to be a critical process, deciding not to terminate the critical process;
when the program process to be terminated is detected to be a safe process or a suspicious process, performing the kernel-level forced termination operation on the program process using the kernel-level process termination module if the user command indicates that the program process is to be terminated.
4. The method according to claim 3, characterized in that the method further comprises:
downloading a configuration file that stores the correspondence between program process names and process descriptions, security levels and suggested operations.
Priority Applications (1)

Application Number: CN201010150156.XA
Priority Date: 2010-04-12
Filing Date: 2010-04-12
Title: Computer process termination system and method
Status: Active
Publication: CN102214134B (en)

Publications (2)

Publication Number: CN102214134A, Publication Date: 2011-10-12
Publication Number: CN102214134B, Publication Date: 2015-08-12

Family

ID=44745454

Country Status (1)

Country: CN (1), CN102214134B (en)

Legal Events

Code: Title
C06: Publication
PB01: Publication
C10: Entry into substantive examination
SE01: Entry into force of request for substantive examination
C14: Grant of patent or utility model
GR01: Patent grant