CN102629308A - Method and device for preventing login information from being stolen - Google Patents


Publication number: CN102629308A
Authority: CN (China)
Prior art keywords: target process, state, log, message, window
Legal status: Granted, Active
Application number: CN2012100619648A
Other languages: Chinese (zh)
Other versions: CN102629308B (en)
Inventors: 路健华, 郑文彬
Current Assignee: Beijing Qihoo Technology Co Ltd
Original Assignee: Qizhi Software Beijing Co Ltd
Application filed by: Qizhi Software Beijing Co Ltd
Priority: CN201210061964.8A

Abstract

The invention provides a method and a device for preventing login information from being stolen, to solve the problem that the prior art cannot promptly detect and remove modified malware when the malware's signature changes. The method includes: triggering the creation of a monitoring thread by starting a target process, wherein the target process is used to input login information to complete login; before login is completed, detecting the state of the target process with the monitoring thread; and, if the state of the target process is detected to be abnormal, performing the operation of cleaning malware. The method and device are based on the methods malware uses to steal user login information and target the fact that malware with different signatures uses the same acquisition methods to obtain user login information illegally. They therefore act as a fundamental defence and prevent login information from being stolen. In addition, detection is performed each time the target process is started, which better guarantees the safety of the user's login information.

Description

A method and device for preventing login information from being stolen
Technical field
The application relates to network security technology, and in particular to a method and device for preventing login information from being stolen.
Background
Many services on a computer require the user to log in by entering login information and then connect to the Internet before the related operations can be performed. However, if the user's login information becomes known to unauthorized persons such as hackers, they may post content or carry out unlawful activities in the user's name, so how to prevent login information from being stolen is attracting more and more attention.
Unauthorized persons steal login information by implanting malware on the computer, for example a Trojan that steals login information. Such malware usually obtains login information by deception. Here, clients and web pages that require login information to log in can be regarded as target processes. For example, the malware covers the real login information input window with a transparent window. When the user starts the target process and enters login information, the user believes it is being entered into the real login information input window, whereas it is actually entered into the transparent window created by the malware, and the unauthorized person thereby obtains the user's account and password.
As another example, the malware first moves the real main window, which contains the login information input window, to a position the user cannot see, and then creates a false main window at the original position of the real main window. After the user starts the target process, what the user sees is the false main window, so the login information is entered into the false login information input window and the unauthorized person obtains the user's login information.
After obtaining the login information, the malware enters it into the real login information input window, so that the user logs in normally and does not know that the login information has been stolen.
Common antivirus software performs signature-based scanning and removal when malware enters the system, but this approach requires the malware's signature to be known. Malware can implement the same acquisition method with different signatures, so once an unauthorized person knows which signature the antivirus software detects, the malware can be modified to avoid being detected and removed.
Malware signatures can vary endlessly, so when the signature of a piece of malware changes, the above approach cannot promptly detect and remove the modified malware.
Summary of the invention
The application provides a method and device for preventing login information from being stolen, to solve the problem that the prior art cannot promptly detect and remove modified malware when the malware's signature changes.
To solve the above problem, the application discloses a method for preventing login information from being stolen, comprising:
triggering the creation of a monitoring thread by starting a target process, wherein the target process is used to input login information to complete login;
before login is completed, detecting the state of the target process with the monitoring thread;
if the state of the target process is detected to be abnormal, performing the operation of cleaning malware.
Preferably, the monitoring thread detecting the state of the target process comprises:
the monitoring thread periodically detecting the state of the target process by calling a system interface, wherein the obtained state of the target process comprises at least one of the following:
the size of the main window, the transparency of the main window and the coordinates of the main window.
Preferably, the method further comprises:
obtaining at least one reference point in the login information input window;
detecting, by calling a system interface, whether other windows exist at the reference point;
if other windows cover the login information input window, the state of the target process is abnormal.
Preferably, if the size of the main window is smaller than the size range, the state of the target process is abnormal.
Preferably, if the main window is fully transparent, the state of the target process is abnormal.
Preferably, if the coordinates of the main window exceed the position range, the state of the target process is abnormal.
Preferably, after the state of the target process is detected to be abnormal, the method comprises:
querying whether the process that caused the abnormal state of the target process is a white process;
if not, warning that the target process is abnormal.
Preferably, after warning that the target process is abnormal, the method further comprises:
asking whether the malware needs to be cleaned;
if cleaning is confirmed, performing the operation of cleaning malware;
otherwise, continuing to detect the state of the target process.
Correspondingly, the application also discloses a device for preventing login information from being stolen, comprising:
a creation module, configured to trigger the creation of a monitoring thread by starting a target process, wherein the target process is used to input login information to complete login;
a detection module, configured so that, before login is completed, the monitoring thread detects the state of the target process;
a cleaning module, configured to perform the operation of cleaning malware if the state of the target process is detected to be abnormal.
Preferably, the detection module comprises:
a state acquisition submodule, configured so that the monitoring thread periodically detects the state of the target process by calling a system interface, wherein the obtained state of the target process comprises at least one of the following: the size of the main window, the transparency of the main window and the coordinates of the main window.
Preferably, the detection module further comprises:
a reference point acquisition submodule, configured to obtain at least one reference point in the login information input window;
a window detection submodule, configured to detect, by calling a system interface, whether other windows exist at the reference point;
a window judgment submodule, configured to determine that the state of the target process is abnormal if other windows cover the login information input window.
Preferably, the detection module further comprises:
a size judgment submodule, configured to determine that the state of the target process is abnormal if the size of the main window is smaller than the size range;
a transparency judgment submodule, configured to determine that the state of the target process is abnormal if the main window is fully transparent;
a position judgment submodule, configured to determine that the state of the target process is abnormal if the coordinates of the main window exceed the position range.
Preferably, the cleaning module comprises:
a white process judgment submodule, configured to query whether the process that caused the abnormal state of the target process is a white process;
an abnormality warning submodule, configured to warn that the target process is abnormal.
Preferably, the cleaning module further comprises:
an inquiry submodule, configured to ask whether the malware needs to be cleaned;
a cleaning submodule, configured to perform the operation of cleaning malware.
Compared with the prior art, the application has the following advantages:
First, malware usually obtains login information by deception, and whichever deception technique is used, it causes the state of the target process to become abnormal. The application takes this as its starting point: starting the target process, which is used to input login information to complete login, triggers the creation of a monitoring thread; before the user completes login, the monitoring thread periodically detects the state of the target process; and if the state of the target process is detected to be abnormal, the operation of cleaning malware is performed. The application is based on the methods malware uses to steal user login information and targets the fact that malware uses different signatures but the same acquisition methods to obtain user login information illegally. It therefore acts as a fundamental defence and prevents login information from being stolen. Moreover, detection is performed each time the target process is started, which better guarantees the safety of the user's login information.
Second, the monitoring thread periodically detects the state of the target process by calling a system interface. The obtained state of the target process covers several aspects, such as the size of the window, the transparency of the window and the coordinates of the window, and also includes detecting whether other windows cover the login information input window. Based on these different aspects of the target process's state, several different deception techniques for stealing user login information can be detected, which more comprehensively protects the user's account and password.
Third, when the application detects that the state of the target process is abnormal it can raise an abnormality alarm, and it scans for and removes the malware only after the user confirms, which reduces false positives.
Description of the drawings
To illustrate the technical solutions of the embodiments of the invention more clearly, the drawings used in describing the embodiments are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the first way of stealing login information described in the application;
Fig. 2 is a schematic diagram of the second way of stealing login information described in the application;
Fig. 3 is a flowchart of a method for preventing login information from being stolen according to an embodiment of the application;
Fig. 4 is a flowchart of a method for preventing login information from being stolen according to a preferred embodiment of the application;
Fig. 5 is a structural diagram of a device for preventing login information from being stolen according to an embodiment of the application.
Detailed description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Many services on a computer require the user to log in by entering login information and then connect to the Internet before the related operations can be performed, for example clients (such as MSN) and certain web pages (such as social networking sites, shopping sites, etc.). Unauthorized persons steal login information by implanting malware on the computer, for example a Trojan that steals login information. Such malware usually obtains login information by deception. Here, a process that logs in by entering login information is called the target process, and the window created by the target process is called the main window. The main window contains the identifier of the target process (such as MSN, or the name of a dating site or group-buying site), the login information input window, and so on.
Malware can refer to viruses, worms, Trojans and the like that deliberately carry out malicious tasks on a computer system. The malware described in the application includes programs intended to steal user login information.
Taking a client as an example, several methods by which malware steals login information are discussed below.
Referring to Fig. 1, a schematic diagram of the first way of stealing login information described in the application is shown.
In Fig. 1, a denotes the main window of client A, b denotes the real login information input window, and c denotes the false login information input window.
The malware covers the real login information input window with a false login information input window, which is a transparent window. When the user starts the target process and enters login information, the user believes it is being entered into the real login information input window, whereas it is actually entered into the transparent window created by the malware, and the unauthorized person thereby obtains the user's account and password.
Referring to Fig. 2, a schematic diagram of the second way of stealing login information described in the application is shown.
In Fig. 2, a denotes the real main window, a1 denotes the real login information input window, b denotes the false main window, and b1 denotes the false login information input window.
In the second method of stealing login information, the malware first moves the real main window, which contains the login information input window, to a position the user cannot see, and then creates a false main window at the original position of the real main window. After the user starts the target process, what the user sees is the false main window, so the login information is entered into the false login information input window and the unauthorized person obtains the user's login information.
In practice there are also other methods of stealing login information. For example, the malware makes the real main window transparent and then covers it with a false main window to steal the user's login information. As another example, the malware shrinks the real main window to its minimum size, so that the user may not be able to see it, and then creates a false main window at the original position of the real main window to steal the user's login information.
Common antivirus software performs signature-based scanning and removal when malware enters the system, but this approach requires the malware's signature to be known. Malware can implement the same acquisition method with different signatures, so once an unauthorized person knows which signature the antivirus software detects, the malware can be modified to avoid being detected and removed.
Malware signatures can vary endlessly, so when the signature of a piece of malware changes, the above approach cannot promptly detect and remove the modified malware.
The application starts from the root of how malware steals user login information and detects the stealing method itself. Malware uses different signatures but the same acquisition methods to obtain user login information illegally, so working from the methods by which malware steals user login information acts as a fundamental defence and prevents login information from being stolen. Moreover, detection is performed each time the target process is started, which better guarantees the safety of the user's login information.
Referring to Fig. 3, a flowchart of a method for preventing login information from being stolen according to an embodiment of the application is shown.
Step 11: trigger the creation of a monitoring thread by starting a target process, wherein the target process is used to input login information to complete login;
The start of the target process triggers the creation of the monitoring thread: when the user clicks to start a target process that logs in with login information, the creation of the target process can be learned by registering a system callback interface, which in turn triggers the creation of the monitoring thread.
The target process can include clients and web pages that require login with login information. The login information can include a login account and a login password.
Step 12: before login is completed, the monitoring thread detects the state of the target process;
The period from the start of the target process until the target process completes login is also the period in which malware steals user login information. Therefore, before the user completes login, the monitoring thread periodically detects the state of the target process and monitors whether the state of the target process is normal.
For example, the monitoring thread is set to detect the state of the target process every 1 second, and at the current moment the monitoring thread detects that the target process is normal. If after 1 second the user has still not completed login, the monitoring thread detects again whether the target process is normal.
Step 13: if the state of the target process is detected to be abnormal, perform the operation of cleaning malware.
If the monitoring thread detects that the state of the target process is abnormal while monitoring it, the operation of cleaning malware can be performed to prevent the user's login information from being stolen.
In summary, malware usually obtains login information by deception, and whichever deception technique is used, it causes the state of the target process to become abnormal. The application takes this as its starting point: starting the target process, which is used to input login information to complete login, triggers the creation of a monitoring thread; before the user completes login, the monitoring thread periodically detects the state of the target process; and if the state of the target process is detected to be abnormal, the operation of cleaning malware is performed. The application is based on the methods malware uses to steal user login information and targets the fact that malware uses different signatures but the same acquisition methods to obtain user login information illegally. It therefore acts as a fundamental defence and prevents login information from being stolen. Moreover, detection is performed each time the target process is started, which better guarantees the safety of the user's login information.
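The monitoring lifecycle of steps 11 to 13, combined with the white process query and user confirmation from the summary, can be sketched as follows. This is an added example, not code from the patent: the class names, the process names and the scripted poll results are constructed, and continuing to monitor after a white process is found or after cleaning is an assumption the text does not spell out.

```python
import threading
import time
from typing import Callable, Iterable, List, Optional, Set, Tuple

# One scripted poll result (constructed for the example):
# (login_complete, anomaly or None, process that caused the anomaly or None)
Poll = Tuple[bool, Optional[str], Optional[str]]


class MonitorThread(threading.Thread):
    """Polls the target process until login completes (steps 11 to 13)."""

    def __init__(self, polls: Iterable[Poll], white: Set[str],
                 confirm: Callable[[str, str], bool],
                 clean: Callable[[str], None], interval: float = 1.0):
        super().__init__(daemon=True)
        self._polls, self._white = iter(polls), white
        self._confirm, self._clean, self._interval = confirm, clean, interval
        self.events: List[str] = []

    def run(self) -> None:
        for done, anomaly, culprit in self._polls:
            if done:  # monitoring only covers the window before login completes
                self.events.append("login complete, monitor stops")
                return
            if anomaly:
                self._handle(anomaly, culprit or "unknown")
            time.sleep(self._interval)  # the page's example period is 1 second

    def _handle(self, anomaly: str, culprit: str) -> None:
        if culprit in self._white:
            # Assumption: a white process is not reported and polling goes on.
            self.events.append(f"skip: {anomaly} by white process {culprit}")
            return
        self.events.append(f"warn: {anomaly} by {culprit}")
        if self._confirm(anomaly, culprit):  # ask the user before cleaning
            self._clean(culprit)
            self.events.append(f"clean: {culprit}")
        else:
            self.events.append("declined, keep monitoring")


class ProcessWatcher:
    """Stands in for the registered system callback that reports process creation."""

    def __init__(self, targets: Set[str], make_monitor: Callable[[str], MonitorThread]):
        self._targets, self._make = targets, make_monitor

    def on_process_created(self, name: str) -> Optional[MonitorThread]:
        if name not in self._targets:
            return None  # only processes that take login information are monitored
        monitor = self._make(name)
        monitor.start()
        return monitor


def run_demo():
    """Runs one constructed session and returns (events, cleaned, non_target)."""
    polls = [(False, None, None),
             (False, "overlay", "ime.exe"),      # whitelisted helper window
             (False, "overlay", "stealer.exe"),  # user declines cleaning
             (False, "overlay", "stealer.exe"),  # user confirms cleaning
             (True, None, None)]
    answers = iter([False, True])
    cleaned: List[str] = []
    watcher = ProcessWatcher(
        {"client.exe"},
        lambda name: MonitorThread(polls, {"ime.exe"},
                                   lambda a, c: next(answers),
                                   cleaned.append, interval=0.0))
    non_target = watcher.on_process_created("notepad.exe")
    monitor = watcher.on_process_created("client.exe")
    monitor.join()
    return monitor.events, cleaned, non_target


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```
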
Referring to Fig. 4, a flowchart of a method for preventing login information from being stolen according to a preferred embodiment of the application is shown.
Step 201: trigger the creation of a monitoring thread by starting a target process, wherein the target process is used to input login information to complete login;
For example, when target process A starts, the creation of monitoring thread A' is triggered, where the target process completes login through the input of login information.
Step 202: before the user completes login, the monitoring thread periodically detects the state of the target process by calling a system interface;
The period from the start of the target process until the target process completes login is also the period in which malware steals user login information. Therefore, before the user completes login, the monitoring thread calls a system interface to periodically detect the state of the target process and monitors whether the state of the target process is normal.
Usually, when the target process runs, it creates a main window, and the main window can display the identifier of the target process. For example, the main window of the MSN client can display its identifier MSN, and the main window of a social networking site (such as a dating site, a group-buying site or Sina Weibo) displays its identifier. The main window can create child windows, such as the login information input window, into which login information can be entered. Once the login information has been verified, the user can use the target process.
The state of the target process that the monitoring thread of the application can obtain includes at least one of the following: the size of the main window, the transparency of the main window and the coordinates of the main window. Other states of the target process can of course also be obtained; they are not listed one by one here, and this should not be understood as a limitation of the application.
For example, the monitoring thread A' obtains the state of target process A by calling a system interface, including the size of the main window a × b, the transparency b of the main window and the coordinates of the main window (x1, y1), (x2, y2), (x3, y3) and (x4, y4).
Step 203: obtain at least one reference point in the login information input window;
The main window of the target process contains the login information input window, so in the application the monitoring thread can obtain at least one reference point in the login information input window and use the reference point to characterize the position of the login information input window.
For example, the monitoring thread A' takes an arbitrary reference point (x0, y0) in the login information input window. As another example, the login information input window is usually a quadrilateral with four vertices, so the four vertex coordinates of the login information input window can also be obtained.
Step 204: detect, by calling a system interface, whether other windows exist at the reference point;
After the reference point in the login information input window has been obtained, the monitoring thread can call a system interface to detect whether other windows also cover the reference point, that is, detect how many windows exist at the coordinate position of the reference point. If only one window exists, that window is the main window of the target process. If more than one window exists, other windows cover the main window of the target process.
For example, the monitoring thread A' can detect, by calling a system interface, whether other windows exist at the reference point. As another example, the four vertex coordinates of the login information input window obtained above identify the position of the login information input window and are used to judge whether other windows cover the login information input window.
With the state of the target process obtained in the above steps, whether the state of the target process is abnormal can then be judged.
Step 205: judge whether the size of the main window is smaller than the size range;
If so, execute step 209; if not, execute step 206.
The application sets the size range of the main window of the target process in advance, where the size range is the minimum display range of the login information input window. For example, if the minimum display range of the login information input window is 1cm × 1cm, the size range of the main window is 1cm × 1cm.
The monitoring thread can compare the obtained size of the main window of the target process with the size range. If the size of the main window of the target process is smaller than the size range, login information may not be enterable normally, so there may be a risk that login information is stolen and step 209 is executed; otherwise, step 206 is executed.
For example, one method by which malware steals login information is to shrink the real main window to its minimum size, so that the user may not be able to see it, and then create a false main window at the original position of the real main window to steal the user's login information. In this case, if the size of the main window is smaller than the size range, there may be a risk that login information is stolen.
For example, the preset size range is [a1 × b1, a2 × b2]. If the monitoring thread A' judges that the size of the main window a × b < [a1 × b1, a2 × b2], there may be a risk that login information is stolen, and step 209 is executed next. If the monitoring thread A' judges that the size of the main window a × b ∈ [a1 × b1, a2 × b2], it continues to judge other states of the target process, and step 206 is executed next.
Step 206: judge whether the main window is fully transparent;
If so, execute step 209; if not, execute step 207.
The monitoring thread can detect the transparency of the main window. For example, full transparency is assigned a transparency value of 0 and any other case a value of 1, where fully transparent can mean that the main window is on the system desktop but the user cannot see it. If the transparency of the main window is 0, step 209 is executed next; if the transparency of the main window is 1, step 207 is executed next.
For example, one way malware steals user login information is to make the real main window transparent and then cover it with a false main window to steal the user's login information. In this case, if the main window is fully transparent, there may be a risk that login information is stolen.
For example, if the monitoring thread A' detects that the obtained transparency of the main window is b=0, there may be a risk that login information is stolen, and step 209 is executed next. If the monitoring thread A' detects that the obtained transparency of the main window is b=1, it continues to judge other states of the target process, and step 207 is executed next.
Step 207: judge whether the coordinates of the main window exceed the position range;
If so, execute step 209; if not, execute step 208.
The application sets the position range of the main window of the target process in advance, where the position range is the coordinate range of the system desktop.
The monitoring thread can compare the obtained coordinates of the main window with the position range. If the coordinates of the main window exceed the position range, there may be a risk that login information is stolen, so step 209 is executed; otherwise, step 206 is executed. For example, the main window is usually a quadrilateral with four vertices; if any two vertex coordinates of the main window are outside the system desktop coordinates, the coordinates of the main window can be considered to exceed the position range.
In a specific implementation, "exceeding" the position range is not limited to being greater than or less than it; it is determined from the specific coordinates. For example, with the lower-left vertex of the system desktop as the origin (0, 0), the four vertices of the system desktop are (0, 0), (16, 0), (0, 9) and (16, 9), so in the position range the abscissa ranges from 0 to 16 and the ordinate from 0 to 9.
If the four vertex coordinates of the main window are (-2, 0), (3, 0), (-2, 3) and (3, 3), the abscissa of the main window ranges from -2 to 3 and the ordinate from 0 to 3. The two vertices at the lower-left and upper-left corners are outside the system desktop, so the coordinates of the main window can be considered to exceed the position range.
If the four vertex coordinates of the main window are (15, 8), (20, 8), (15, 11) and (20, 11), the abscissa of the main window ranges from 15 to 20 and the ordinate from 8 to 11. The three vertices at the upper-left, lower-right and upper-right corners are outside the system desktop, so the coordinates of the main window can be considered to exceed the position range.
For example, one way malware steals user login information is to move the real main window, which contains the login information input window, to a position the user cannot see, outside the system desktop, and then create a false main window at the original position of the real main window. In this case the position range can be set to the extent of the system desktop; if the coordinates of the main window exceed the position range, there may be a risk that login information is stolen.
Step 208: judge whether other windows cover the login information input window;
If so, execute step 209; if not, execute step 202.
The monitoring thread has detected in the above steps whether other windows cover the login information input window. If so, there may be a risk that login information is stolen, and step 209 is executed next. If not, then having passed the judgments of steps 205 to 208, step 202 is executed to continue periodically monitoring the state of the target process.
For example, one way malware steals user login information is to cover the real login information input window with a false login information input window, which is a transparent window. When the user starts the target process and enters login information, the user believes it is being entered into the real login information input window, whereas it is actually entered into the transparent window created by the malware, and the unauthorized person thereby obtains the user's account and password. Therefore, if other windows cover the login information input window, there is a risk that login information is stolen.
When login information is obtained by covering the login information input window with other windows, those other windows are false login information input windows. A false login information input window passes the login information on to the real login information input window in one of two ways: by calling certain system interfaces to enter the login information, or by passing it between parent and child windows.
When passing between parent and child windows, the false login information input window is set as the parent window and the real login information input window as the child window. When login information is entered in the parent window, it is entered in the child window as well and login proceeds, so the user does not notice that the login information has been stolen.
Steps 205 to 208 above are all steps for judging whether the target process is abnormal. They are used here only as an example to discuss the method for preventing login information from being stolen; in actual processing, the order in which the abnormality judgments of steps 205, 206, 207 and 208 are performed is not limited.
Step 209, query in the background whether the process that caused the abnormal state of the target process is a white process;
If so, execute step 202; if not, execute step 210;
Therefore, if the state of the target process is detected to be abnormal, the background can be queried as to whether the process that caused the abnormal state is a white process. A white process is a process produced by normal software that is known to pose no danger.
For example, if the window covering the login information input window of the target process is a system prompt window, the system prompt window is a white process and there is no danger of the login information being stolen; step 202 is executed next and the state of the target process continues to be monitored periodically.
If the window covering the login information input window of the target process is a parent window created by a malware process, the malware process is not a white process and there is a danger of the login information being stolen, so step 210 is executed.
Step 210, warn that the target process is abnormal, and ask whether the malware needs to be cleaned up;
If so, execute step 211; if not, execute step 202.
If the process detected above as causing the abnormal state of the target process is not a white process, the user can be warned that the target process is abnormal and, at the same time, told which kind of abnormality has occurred, for example: the main window of the target process is transparent; the login information input window is covered by another window; the main window of the target process has been moved outside the system desktop; or the main window of the target process is too small. The user is then asked whether the malware needs to be cleaned up.
If the user confirms that the process causing the abnormal state of the target process is not malware, for example because the other window covering the login information input window was set up by the user, then there is no danger of the login information being stolen and no malware needs to be cleaned up; step 202 is executed next and the state of the target process continues to be monitored periodically.
If the user confirms that the malware needs to be cleaned up, step 211 is executed next.
Step 211, clean up the malware.
The malware cleaning operation can be carried out on the user's confirmation. Since the process of the malware that caused the target process abnormality has already been identified, cleaning up the malware can be understood as terminating that process and removing the related files and startup items.
For example, if the process found to be causing the target process abnormality is a Trojan process intent on stealing login information, the Trojan process and its related files and startup items can be cleaned up.
In summary, the monitoring thread periodically detects the state of the target process by calling system interfaces. The state obtained covers several aspects, such as the size of the window, the transparency of the window and the coordinates of the window, and also includes detecting whether the login information input window is covered by another window. Based on the characteristics of these different states of the target process, many different kinds of deception used to steal user login information can be detected, which protects the user's account and password more comprehensively.
Secondly, when the present application detects that the state of the target process is abnormal it can raise an abnormality warning, and the malware is only removed after the user's confirmation has been obtained, which reduces the problem of false positives.
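The checks of steps 205 to 208 and the decision flow of steps 209 to 211 can be modelled on window snapshots. The following Python model is an added example, not code from the patent: the `Window` fields, the process names, the minimum size and the choice of five reference points are assumptions, and the desktop range and window coordinates are those of the description's example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rect:
    """Rectangle in desktop coordinates; origin at the desktop's lower-left corner."""
    left: float
    bottom: float
    right: float
    top: float

    def vertices(self):
        return {"lower-left": (self.left, self.bottom), "lower-right": (self.right, self.bottom),
                "upper-left": (self.left, self.top), "upper-right": (self.right, self.top)}

    def contains(self, x, y):
        return self.left <= x <= self.right and self.bottom <= y <= self.top

@dataclass(frozen=True)
class Window:
    owner: str        # process that created the window (constructed names below)
    rect: Rect
    alpha: int = 255  # 0 = fully transparent
    z: int = 0        # larger = closer to the user

DESKTOP = Rect(0, 0, 16, 9)  # position range used in the description's example
MIN_SIZE = (1.0, 1.0)        # assumed size threshold; the patent gives no value

def vertices_outside(rect, desktop=DESKTOP):
    """Names of the window vertices that lie outside the position range."""
    return sorted(n for n, (x, y) in rect.vertices().items() if not desktop.contains(x, y))

def reference_points(rect):
    """Centre plus four interior points of the login input window (assumed choice)."""
    cx, cy = (rect.left + rect.right) / 2, (rect.bottom + rect.top) / 2
    dx, dy = (rect.right - rect.left) / 4, (rect.top - rect.bottom) / 4
    return [(cx, cy), (cx - dx, cy - dy), (cx + dx, cy - dy), (cx - dx, cy + dy), (cx + dx, cy + dy)]

def covering_windows(login_input, others):
    """Windows of other processes stacked above a reference point (step 208).
    Alpha is ignored on purpose: a fully transparent overlay still counts."""
    points = reference_points(login_input.rect)
    return [w for w in others
            if w.owner != login_input.owner and w.z > login_input.z
            and any(w.rect.contains(x, y) for x, y in points)]

def detect_anomalies(main, login_input, others, desktop=DESKTOP, min_size=MIN_SIZE):
    """Return (kind, responsible_process) pairs; the process is None when the
    snapshot alone cannot attribute the change to a process."""
    found = []
    width, height = main.rect.right - main.rect.left, main.rect.top - main.rect.bottom
    if width < min_size[0] or height < min_size[1]:
        found.append(("size", None))
    if main.alpha == 0:
        found.append(("transparency", None))
    if vertices_outside(main.rect, desktop):
        found.append(("position", None))
    found.extend(("overlay", w.owner) for w in covering_windows(login_input, others))
    return found

def decide(anomalies, white_processes, user_confirms):
    """Steps 209 to 211: skip white processes, warn, clean only on confirmation.
    Unattributed anomalies (owner None) are treated as not white."""
    suspicious = [(kind, owner) for kind, owner in anomalies if owner not in white_processes]
    if not suspicious:
        return "continue-monitoring"  # back to step 202
    return "clean" if user_confirms(suspicious) else "continue-monitoring"

if __name__ == "__main__":
    # Constructed snapshot: a transparent overlay and a system prompt both sit
    # on top of the login input window of the target process.
    main = Window("client.exe", Rect(4, 2, 12, 7), z=1)
    login = Window("client.exe", Rect(6, 3, 10, 4), z=2)
    others = [Window("unknown.exe", Rect(6, 3, 10, 4), alpha=0, z=5),
              Window("system_prompt.exe", Rect(7, 3, 9, 5), z=6)]
    anomalies = detect_anomalies(main, login, others)
    print(anomalies)
    print(decide(anomalies, {"system_prompt.exe"}, lambda s: True))
```
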
Referring to Fig. 5, a structural diagram of a device for preventing login information from being stolen according to an embodiment of the present application is shown.
Accordingly, the present application also provides a device for preventing login information from being stolen, comprising a creation module 11, a detection module 12 and a malware cleaning module 13, wherein:
The creation module 11 is configured to trigger the creation of a monitoring thread by starting a target process, wherein the target process is used to input login information and complete login;
The detection module 12 is configured so that, before login is completed, the monitoring thread detects the state of the target process;
The cleaning module 13 is configured to carry out the malware cleaning operation if the state of the target process is detected to be abnormal.
The detection module 12 comprises:
A state acquisition submodule 121, configured so that the monitoring thread periodically detects the state of the target process by calling system interfaces, wherein the state of the target process obtained comprises at least one of the following: the size of the main window, the transparency of the main window and the coordinates of the main window;
A reference point acquisition submodule 122, configured to obtain at least one reference point in the login information input window;
A window detection submodule 123, configured to detect, by calling system interfaces, whether another window exists at the reference point;
A window judging submodule 124, configured to determine that the state of the target process is abnormal if the login information input window is covered by another window.
A size judging submodule 125, configured to determine that the state of the target process is abnormal if the size of the main window is smaller than the size range.
A transparency judging submodule 126, configured to determine that the state of the target process is abnormal if the main window is fully transparent.
A position judging submodule 127, configured to determine that the state of the target process is abnormal if the coordinates of the main window exceed the position range.
The cleaning module 13 comprises:
A white process judging submodule 131, configured to query whether the process that caused the abnormal state of the target process is a white process;
If so, return to the detection module 12; if not, proceed to the abnormality warning submodule 132.
An abnormality warning submodule 132, configured to warn that the target process is abnormal;
An inquiry submodule 133, configured to ask whether the malware needs to be cleaned up;
If cleaning is needed, proceed to the malware cleaning submodule 134; otherwise return to the detection module 12.
A cleaning submodule 134, configured to carry out the malware cleaning operation.
In summary, malware usually obtains login information by deception, and whichever deception technique is used, it causes the state of the target process to become abnormal. The present application takes this as its starting point: starting the target process triggers the creation of a monitoring thread, wherein the target process is used to input login information and complete login; before the user completes login, the monitoring thread periodically detects the state of the target process; and if the state of the target process is detected to be abnormal, the malware cleaning operation is carried out. The present application is based on the methods by which malware steals user login information and targets the fact that malware with different signatures uses the same acquisition methods to obtain user login information illegally. It therefore provides a defence at the root and prevents login information from being stolen. In addition, detection is carried out every time the target process is started, which protects the user's login information more thoroughly.
Secondly, the monitoring thread periodically detects the state of the target process by calling system interfaces. The state obtained covers several aspects, such as the size of the window, the transparency of the window and the coordinates of the window, and also includes detecting whether the login information input window is covered by another window. Based on the characteristics of these different states of the target process, many different kinds of deception used to steal user login information can be detected, which protects the user's account and password more comprehensively.
Thirdly, when the present application detects that the state of the target process is abnormal it can raise an abnormality warning, and the malware is only removed after the user's confirmation has been obtained, which reduces the problem of false positives.
Because the device embodiment is basically similar to the method embodiment, its description is relatively brief; for the relevant parts, refer to the corresponding description of the method embodiment.
The embodiments in this specification are described in a progressive manner. Each embodiment emphasizes its differences from the other embodiments, and the parts that are identical or similar between embodiments can be understood by cross-reference.
The present application can be described in the general context of computer-executable instructions executed by a computer, such as program modules. In general, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The present application can also be practised in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules can be located in both local and remote computer storage media, including storage devices.
Finally, it should also be noted that in this document relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" and any other variants are intended to cover non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the existence of additional identical elements in the process, method, article or device that comprises the element.
The method and device for preventing login information from being stolen provided by the present application have been described in detail above. Specific examples have been used herein to set out the principle and embodiments of the present application, and the description of the above embodiments is intended only to help in understanding the method of the present application and its core idea. At the same time, a person of ordinary skill in the art may, in accordance with the idea of the present application, make changes to the specific embodiments and the scope of application. In summary, the content of this description should not be construed as limiting the present application.

Claims (14)

1. A method for preventing login information from being stolen, characterized by comprising:
Triggering the creation of a monitoring thread by starting a target process, wherein the target process is used to input login information and complete login;
Before login is completed, detecting, by the monitoring thread, the state of the target process;
If the state of the target process is detected to be abnormal, carrying out the malware cleaning operation.
2. The method according to claim 1, characterized in that the monitoring thread detecting the state of the target process comprises:
The monitoring thread periodically detecting the state of the target process by calling system interfaces, wherein the state of the target process obtained comprises at least one of the following:
The size of the main window, the transparency of the main window and the coordinates of the main window.
3. The method according to claim 2, characterized by further comprising:
Obtaining at least one reference point in the login information input window;
Detecting, by calling system interfaces, whether another window exists at the reference point;
If the login information input window is covered by another window, the state of the target process is abnormal.
4. The method according to claim 2, characterized by further comprising:
If the size of the main window is smaller than the size range, the state of the target process is abnormal.
5. The method according to claim 2, characterized by further comprising:
If the main window is fully transparent, the state of the target process is abnormal.
6. The method according to claim 2, characterized by further comprising:
If the coordinates of the main window exceed the position range, the state of the target process is abnormal.
7. The method according to any one of claims 3 to 6, characterized in that, after the state of the target process is detected to be abnormal, the method comprises:
Querying whether the process that caused the abnormal state of the target process is a white process;
If not, warning that the target process is abnormal.
8. The method according to claim 7, characterized in that, after warning that the target process is abnormal, the method further comprises:
Asking whether the malware needs to be cleaned up;
If cleaning is confirmed, carrying out the malware cleaning operation;
Otherwise, continuing to detect the state of the target process.
9. A device for preventing login information from being stolen, characterized by comprising:
A creation module, configured to trigger the creation of a monitoring thread by starting a target process, wherein the target process is used to input login information and complete login;
A detection module, configured so that, before login is completed, the monitoring thread detects the state of the target process;
A cleaning module, configured to carry out the malware cleaning operation if the state of the target process is detected to be abnormal.
10. The device according to claim 9, characterized in that the detection module comprises:
A state acquisition submodule, configured so that the monitoring thread periodically detects the state of the target process by calling system interfaces, wherein the state of the target process obtained comprises at least one of the following: the size of the main window, the transparency of the main window and the coordinates of the main window.
11. The device according to claim 10, characterized in that the detection module further comprises:
A reference point acquisition submodule, configured to obtain at least one reference point in the login information input window;
A window detection submodule, configured to detect, by calling system interfaces, whether another window exists at the reference point;
A window judging submodule, configured to determine that the state of the target process is abnormal if the login information input window is covered by another window.
12. The device according to claim 10, characterized in that the detection module further comprises:
A size judging submodule, configured to determine that the state of the target process is abnormal if the size of the main window is smaller than the size range.
A transparency judging submodule, configured to determine that the state of the target process is abnormal if the main window is fully transparent.
A position judging submodule, configured to determine that the state of the target process is abnormal if the coordinates of the main window exceed the position range.
13. The device according to any one of claims 11 to 12, characterized in that the cleaning module comprises:
A white process judging submodule, configured to query whether the process that caused the abnormal state of the target process is a white process;
An abnormality warning submodule, configured to warn that the target process is abnormal.
14. The device according to claim 13, characterized in that the cleaning module further comprises:
An inquiry submodule, configured to ask whether the malware needs to be cleaned up;
A cleaning submodule, configured to carry out the malware cleaning operation.
CN201210061964.8A 2012-03-09 2012-03-09 Method and device for preventing login information from being stealed Active CN102629308B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210061964.8A CN102629308B (en) 2012-03-09 2012-03-09 Method and device for preventing login information from being stealed

Publications (2)

Publication Number Publication Date
CN102629308A true CN102629308A (en) 2012-08-08
CN102629308B CN102629308B (en) 2015-02-18

Family

ID=46587566

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210061964.8A Active CN102629308B (en) 2012-03-09 2012-03-09 Method and device for preventing login information from being stealed

Country Status (1)

Country Link
CN (1) CN102629308B (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101178761A (en) * 2007-12-05 2008-05-14 珠海金山软件股份有限公司 Apparatus and method for preventing virus dynamic state attack program
CN101577696A (en) * 2008-05-07 2009-11-11 谭力 Method for preventing from stealing passwords
CN102394859A (en) * 2011-07-27 2012-03-28 哈尔滨安天科技股份有限公司 Method and system for detecting file stealing Trojan based on thread behavior

Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103793648A (en) * 2012-10-26 2014-05-14 珠海市君天电子科技有限公司 Anti-theft method and anti-theft system for instant messaging tool
CN103795684A (en) * 2012-10-26 2014-05-14 珠海市君天电子科技有限公司 Method and system for preventing transparent window virus from stealing account password of instant messaging tool
CN103825866B (en) * 2012-11-19 2016-11-09 腾讯科技(深圳)有限公司 A kind of login safety detection method and device
CN103825866A (en) * 2012-11-19 2014-05-28 腾讯科技(深圳)有限公司 Login safety detection method and device
CN103034513B (en) * 2012-11-30 2016-05-25 北京奇虎科技有限公司 The processing method of start process and system
CN103034513A (en) * 2012-11-30 2013-04-10 北京奇虎科技有限公司 Method and system for processing starting-up process
CN103019778A (en) * 2012-11-30 2013-04-03 北京奇虎科技有限公司 Startups cleaning method and device
CN103019778B (en) * 2012-11-30 2016-05-25 北京奇虎科技有限公司 The method for cleaning of starting up's item and device
WO2014153680A1 (en) * 2013-03-27 2014-10-02 Irdeto B.V. Protecting software application
US10013553B2 (en) 2013-03-27 2018-07-03 Irdeto B.V. Protecting software application
CN103488947A (en) * 2013-10-11 2014-01-01 北京金山网络科技有限公司 Method and device for identifying instant messaging client-side account number stealing Trojan horse program
CN104091124A (en) * 2014-07-03 2014-10-08 利诚服装集团股份有限公司 Data safety processing method
CN105357169A (en) * 2014-08-20 2016-02-24 阿里巴巴集团控股有限公司 Method and system for identifying account number
CN108881235B (en) * 2014-08-20 2020-12-11 创新先进技术有限公司 Method and system for identifying account
CN108881235A (en) * 2014-08-20 2018-11-23 阿里巴巴集团控股有限公司 Identify the method and system of account
CN105357169B (en) * 2014-08-20 2018-06-05 阿里巴巴集团控股有限公司 Identify the method and system of account
CN104598806A (en) * 2014-11-24 2015-05-06 北京奇虎科技有限公司 Method and device for registering detecting
WO2016150313A1 (en) * 2015-03-20 2016-09-29 阿里巴巴集团控股有限公司 Method and apparatus for detecting suspicious process
CN104881319A (en) * 2015-05-14 2015-09-02 北京奇虎科技有限公司 Method and device for trans-progress data processing
CN104881319B (en) * 2015-05-14 2018-07-27 北京奇虎科技有限公司 A kind of data processing method and device of striding course
CN108027854A (en) * 2015-09-21 2018-05-11 威斯科数据安全国际有限公司 Multi-user's strong authentication token
CN108027855A (en) * 2015-09-21 2018-05-11 威斯科数据安全国际有限公司 Multi-user's strong authentication token
CN105631334A (en) * 2015-12-25 2016-06-01 北京奇虎科技有限公司 Application security detecting method and system
CN106022131A (en) * 2016-05-24 2016-10-12 北京金山安全软件有限公司 Instruction processing method and device
CN106022131B (en) * 2016-05-24 2019-03-15 珠海豹趣科技有限公司 A kind of command processing method and device
CN112162913A (en) * 2020-10-30 2021-01-01 珠海格力电器股份有限公司 Operation execution method and device, storage medium and electronic device

Also Published As

Publication number Publication date
CN102629308B (en) 2015-02-18

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: BEIJING QIHU TECHNOLOGY CO., LTD.

Free format text: FORMER OWNER: QIZHI SOFTWARE (BEIJING) CO., LTD.

Effective date: 20121101

Owner name: QIZHI SOFTWARE (BEIJING) CO., LTD.

Effective date: 20121101

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100016 CHAOYANG, BEIJING TO: 100088 XICHENG, BEIJING

TA01 Transfer of patent application right

Effective date of registration: 20121101

Address after: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Applicant after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Applicant after: Qizhi software (Beijing) Co.,Ltd.

Address before: The 4 layer 100016 unit of Beijing city Chaoyang District Jiuxianqiao Road No. 14 Building C

Applicant before: Qizhi software (Beijing) Co.,Ltd.

C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20220725

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.