CN102779030A - Execution method and device for registry operation - Google Patents

Publication number: CN102779030A
Authority: CN (China)
Prior art keywords: kernel, registration table, registry, routine, key
Legal status: Granted
Application number: CN2011101211788A
Other languages: Chinese (zh)
Other versions: CN102779030B (en)
Inventors: 王宇, 郑文彬, 潘剑锋
Current assignees: Beijing Qizhi Business Consulting Co ltd; Beijing Qihoo Technology Co Ltd; 360 Digital Security Technology Group Co Ltd
Original assignee: Qizhi Software Beijing Co Ltd
Application filed by Qizhi Software Beijing Co Ltd
Priority to CN201110121178.8A (CN102779030B)
Priority to PCT/CN2012/075155 (WO2012152212A1)
Publication of CN102779030A
Application granted
Publication of CN102779030B
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/568 Computer malware detection or handling, e.g. anti-virus arrangements; eliminating virus, restoring damaged files
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/445 Program loading or initiating
    • G06F 9/44505 Configuring for program initiating, e.g. using registry, configuration files

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The invention provides an execution method for registry operations, comprising the steps of: obtaining a registry operation request, the request containing caller input parameters; setting the registry kernel execution logic according to the caller input parameters, the kernel execution logic comprising tamper-point detection and repair logic and registry function calling logic; executing the tamper-point detection and repair logic, specifically detecting preset kernel execution-flow tamper points and, when the original value of a kernel execution-flow tamper point has been changed, restoring its original value; and calling the corresponding registry function through the registry function calling logic. With the method and device of the invention, the ability to defend against driver-level malicious programs is strengthened, and the potential incompatibility between security products caused by interference with registry operations is avoided.

Description

Execution method and device for registry operations
Technical field
The present invention relates to the technical field of operating-system penetration, and in particular to an execution method for registry operations and an execution device for registry operations.
Background
When facing a challenge, people tend to divide and conquer: partition the problem and narrow its scope. The same holds for operating-system design. Windows solves complex problems through a layered design philosophy, which brings advantages such as portability and extensibility. However, because the design has security gaps (for example, it lacks a complete integrity-verification scheme), a highly extensible system also offers many opportunities for tampering. For example, when security software operates (creates, opens, enumerates, reads, writes, deletes, and so on) registry keys and values belonging to itself, to the system, or to a malicious program, it expects the actual access path to be trustworthy, but the layered architecture of Microsoft Windows means that the data flow along the call chain is at risk of being tampered with. Ensuring that the registry operation path is genuine and reliable has therefore become a basic requirement of security software. From the operating system's point of view, the execution of a registry operation has the following potential tampering points.
Figure 1 is a schematic diagram of the execution flow of a registry operation in the operating system. A registry operation is executed through the following layered calls:
the caller 101 calls the kernel interface layer 102; the kernel interface layer 102 calls the kernel execution layer 103; the kernel execution layer 103 calls the registry parse routine 104; the registry parse routine 104 calls the Cm* registry implementation routine 105; and the Cm* registry implementation routine 105 calls third-party drivers 106 and the HvpGetCellPaged/HvpGetCellMapped object routines 107. The caller 101 and the kernel interface layer 102 belong to operating-system user mode; the kernel execution layer 103, the registry parse routine 104, the Cm* registry implementation routine 105, the third-party drivers 106 and the HvpGetCellPaged/HvpGetCellMapped object routines 107 belong to operating-system kernel mode.
From the operating system's point of view, the execution flow of a registry operation has the following potential tampering points:
1) user-mode IAT Hook (Import Address Table hook) / EAT Hook (Export Address Table hook) of the kernel interface layer;
2) user-mode Inline Hook of the kernel interface layer;
3) Int 2E (interrupt) / SysEnter hook at the point where the kernel interface layer calls the kernel execution layer (the user-mode to kernel-mode transition hook);
4) Native API SSDT Hook (System Service Dispatch Table hook) of the kernel execution layer;
5) Native API Inline Hook of the kernel execution layer;
6) Object Parse Routine Hook of the registry parse routine;
7) Cm*Routine Hook of the Cm* registry implementation routine;
8) the CmpCallBack callback mechanism used when the Cm* registry implementation routine 105 calls third-party drivers 106;
9) HvpGetCellPaged/HvpGetCellMapped Object Routine Hook.
Although conventional security software vendors have recognised that every registry operation call can be hijacked, existing solutions mostly consider only the hijacking risk in operating-system user mode. In kernel-mode attack and defence they are often noticeably ineffective, and their resistance to driver-level malicious programs (rootkits) is weak.
Therefore, an urgent technical problem for those skilled in the art is to propose an execution mechanism for registry operations that strengthens the defence against driver-level malicious programs and avoids the potential incompatibility between security products caused by interference with registry operations.
Summary of the invention
The technical problem solved by the invention is to provide an execution method for registry operations that strengthens the defence against driver-level malicious programs and avoids the potential incompatibility between security products caused by interference with registry operations.
The invention also provides an execution device for registry operations, to guarantee the application and realisation of the method in practice.
To solve the above problem, an embodiment of the invention discloses an execution method for registry operations, comprising:
obtaining a registry operation request, the request containing caller input parameters;
setting registry kernel execution logic according to the caller input parameters, the kernel execution logic comprising tamper-point detection and repair logic and registry function calling logic;
executing the tamper-point detection and repair logic, specifically: detecting preset kernel execution-flow tamper points and, when the original value of a kernel execution-flow tamper point has been changed, restoring that original value;
calling the corresponding registry function using the registry function calling logic.
Preferably, the method further comprises:
after the registry function has been called, writing the changed value back over the original value of the kernel execution-flow tamper point.
Preferably, the preset kernel execution-flow tamper points comprise:
the registry object parse routine hook;
the CmpCallBack callback mechanism used when the Cm* registry implementation routine calls third-party drivers;
the inline hook of the Cm* registry function;
the HvpGetCellPaged/HvpGetCellMapped object routine hook.
Preferably, the step of detecting the preset kernel execution-flow tamper points and restoring the original value of a tamper point when it has been changed specifically comprises:
substep S1: detect whether the original value of the registry object parse routine hook has changed; if so, go to substep S2, otherwise go to substep S3;
substep S2: restore the original value of the registry object parse routine hook, then go to substep S3;
substep S3: call the Cm* registry implementation routine and detect whether the original value of the inline hook of the Cm* registry function has changed; if so, go to substep S4, otherwise go to substep S5;
substep S4: restore the original value of the inline hook of the Cm* registry function, then go to substep S5;
substep S5: block the CmpCallBack callback mechanism, then go to substep S6;
substep S6: detect whether the original value of the HvpGetCellPaged/HvpGetCellMapped object routine hook has changed; if so, go to substep S7, otherwise finish;
substep S7: restore the original value of the HvpGetCellPaged/HvpGetCellMapped object routine hook.
Preferably, the original values of the kernel execution-flow tamper points are obtained at initialisation, and the changed values of the kernel execution-flow tamper points are cached in kernel memory.
Preferably, before the registry operation request is obtained, the method further comprises:
the caller initiating the registry operation request and calling the corresponding registry operation interface routine, the request containing the caller input parameters;
constructing kernel-mode structure parameters according to the type of system platform, generating the corresponding registry operation control code from the kernel-mode structure parameters, and sending it to operating-system kernel mode.
Preferably, each registry operation interface routine comprises a narrow-character routine and a wide-character routine, and before the kernel-mode structure parameters are constructed the method further comprises:
the narrow-character routine of the registry operation interface converting the ANSI parameters among the caller input parameters to the UNICODE type and calling the corresponding wide-character routine of the registry operation interface.
Preferably, before the registry kernel execution logic is set, the method further comprises:
verifying the caller input parameters according to the registry operation request, and performing the step of setting the registry kernel execution logic if verification passes.
Preferably, the caller input parameters contain a user-mode address, and before the registry kernel execution logic is set the method further comprises:
reconstructing the user-mode address into kernel-mode memory space.
Preferably, the method further comprises:
if the registry function call succeeds, returning the corresponding handle;
if the registry function call fails, generating an error code and returning it to user mode.
Preferably, the registry operation interface routines are consistent with the standard WINDOWS API and comprise: the registry key creation routine BRegCreateKey, the extended registry key creation routine BRegCreateKeyEx, the registry key open routine BRegOpenKey, the extended registry key open routine BRegOpenKeyEx, the extended registry query-value routine BRegQueryValueEx, the registry set-value routine BRegSetValueEx, the registry key enumeration routine BRegEnumKey, the extended registry key enumeration routine BRegEnumKeyEx, the registry value enumeration routine BRegEnumValue, the registry key deletion routine BRegDeleteKey, the extended registry key deletion routine BRegDeleteKeyEx, the registry value deletion routine BRegDeleteValue, and/or the registry handle close routine BRegCloseKey.
Preferably, the control codes comprise: the registry create control code REGCTL_CREATE_KEY, the registry open control code REGCTL_OPEN_KEY, the registry query-value control code REGCTL_QUERY_VALUE_KEY, the registry set-value control code REGCTL_SET_VALUE_KEY, the registry enumerate-key control code REGCTL_ENUMERATE_KEY, the registry enumerate-value control code REGCTL_ENUMERATE_VALUE_KEY, the registry delete-key control code REGCTL_DELETE_KEY, and/or the registry delete-value control code REGCTL_DELETE_VALUE_KEY.
An embodiment of the invention also discloses an execution device for registry operations, comprising:
a request acquisition module for obtaining a registry operation request, the request containing caller input parameters;
a kernel execution logic setting module for setting registry kernel execution logic according to the caller input parameters, the kernel execution logic comprising tamper-point detection and repair logic and registry function calling logic;
a tamper-point detection and repair logic execution module for executing the tamper-point detection and repair logic, specifically detecting preset kernel execution-flow tamper points and, when the original value of a kernel execution-flow tamper point has been changed, restoring that original value;
a registry function calling logic execution module for calling the corresponding registry function using the registry function calling logic.
Preferably, the device further comprises:
a tamper-point write-back module for writing the changed value back over the original value of the kernel execution-flow tamper point after the registry function has been called.
Preferably, the preset kernel execution-flow tamper points comprise:
the registry object parse routine hook;
the CmpCallBack callback mechanism used when the Cm* registry implementation routine calls third-party drivers;
the inline hook of the Cm* registry function;
the HvpGetCellPaged/HvpGetCellMapped object routine hook.
Preferably, the original values of the kernel execution-flow tamper points are obtained at initialisation, and the changed values of the kernel execution-flow tamper points are cached in kernel memory.
Preferably, the device further comprises:
a user-mode request sending module for initiating the registry operation request and calling the corresponding registry operation interface routine, the request containing the caller input parameters;
a control code sending module for constructing kernel-mode structure parameters according to the type of system platform, generating the corresponding registry operation control code from the kernel-mode structure parameters, and sending it to operating-system kernel mode.
Preferably, the device further comprises:
a parameter verification module for verifying the caller input parameters according to the registry operation request and, if verification passes, invoking the kernel execution logic setting module.
Preferably, the caller input parameters contain a user-mode address, and the device further comprises:
an address reconstruction module for reconstructing the user-mode address into kernel-mode memory space.
Preferably, the device further comprises:
a handle return module for returning the corresponding handle when the registry function call succeeds;
an error code return module for generating an error code and returning it to user mode when the registry function call fails.
Compared with the prior art, the application has the following advantages:
The invention builds a trusted environment for registry operations based on the whole life cycle of registry behaviour. A complete registry operation call library is implemented at the operating-system user-mode interface; a kernel-mode driver receives and verifies the requests from user mode, simulates the behaviour of the kernel execution layer itself, detects and restores the object parse routine hook, and blocks the kernel registry callback mechanism, so that third-party drivers are penetrated (that is, bypassed) and the environment of the registry operation request is guaranteed to be genuine and trustworthy. The kernel call is synchronous and returns handle information and call status to user mode. The invention thus proposes a complete solution for penetrating registry operations that provides not only user-mode but also kernel-mode attack and defence. On the one hand, the scheme effectively avoids potential incompatibility between security products caused by interference with registry operations; on the other hand, it effectively strengthens the resistance against driver-level malicious programs.
Brief description of the drawings
Fig. 1 is a schematic diagram of the execution flow of a registry operation in an operating system;
Fig. 2 is a flow chart of the steps of embodiment 1 of the execution method for registry operations of the invention;
Fig. 3 is a flow chart of the steps for detecting/restoring kernel execution-flow tamper points in the invention;
Fig. 4 is a flow chart of the steps of embodiment 2 of the execution method for registry operations of the invention;
Fig. 5 is a structural block diagram of an embodiment of the execution device for registry operations of the invention.
Detailed description
To make the above objects, features and advantages of the invention clearer and easier to understand, the invention is described in further detail below with reference to the drawings and specific embodiments.
One of the core ideas of the embodiments of the invention is to build a trusted environment for registry operations based on the whole life cycle of registry behaviour: a complete registry operation call library is implemented at the operating-system user-mode interface; a kernel-mode driver receives and verifies the requests from user mode and simulates the behaviour of the kernel execution layer itself; methods such as detecting and restoring the object parse hook and blocking the kernel registry callback mechanism penetrate (that is, bypass) third-party drivers, so that the environment of the registry operation request is guaranteed to be genuine and trustworthy. The kernel call is synchronous and returns handle information and call status to user mode. The invention thus proposes a complete solution for penetrating registry operations that provides not only user-mode but also kernel-mode attack and defence. On the one hand, the scheme effectively avoids potential incompatibility between security products caused by interference with registry operations; on the other hand, it effectively strengthens the resistance against driver-level malicious programs.
Referring to Fig. 2, which shows a flow chart of the steps of embodiment 1 of the execution method for registry operations of the invention, the method may specifically comprise the following steps:
Step 201: obtain a registry operation request, the request containing caller input parameters;
Step 202: set registry kernel execution logic according to the caller input parameters, the kernel execution logic comprising tamper-point detection and repair logic and registry function calling logic;
In a specific implementation, when the registry operation request is obtained, the caller input parameters contained in the request can be verified. If verification passes, the registry function calling logic can be set by constructing a _PARSE_CONTEXT (parse context) structure, and the tamper-point detection and repair logic is set to execute before the registry function is called. In other words, this embodiment actively "simulates" the kernel execution layer: it constructs the _PARSE_CONTEXT structure itself and then calls the underlying system function itself.
In another preferred embodiment of the invention, a "forged" kernel can be used instead: the kernel file on disk is mapped into memory and, after relocation, the relevant execution-layer functions are extracted in full (because the extraction is complete, it includes the construction of the _PARSE_CONTEXT structure).
Of course, the above methods of setting the registry kernel execution logic are only examples; those skilled in the art may set the registry kernel execution logic in any way according to actual conditions, and the invention does not limit this.
Step 203: execute the tamper-point detection and repair logic, specifically: detect the preset kernel execution-flow tamper points and, when the original value of a kernel execution-flow tamper point has been changed, restore that original value;
In a specific implementation, the preset kernel execution-flow tamper points can comprise: the registry object parse routine hook; the CmpCallBack callback mechanism used when the Cm* registry implementation routine calls third-party drivers; the inline hook of the Cm* registry function; and the HvpGetCellPaged/HvpGetCellMapped object routine hook. The original value of each kernel execution-flow tamper point can be obtained at system initialisation.
Of course, the above kernel execution-flow tamper points are only examples; those skilled in the art may choose the preset kernel execution-flow tamper points arbitrarily according to actual needs, and the invention does not limit this.
Referring to Fig. 3, in a preferred embodiment of the invention the step of detecting the preset kernel execution-flow tamper points and restoring the original value of a tamper point when it has been changed may specifically comprise the following substeps:
substep S1: detect whether the original value of the registry object parse routine hook has changed; if so, go to substep S2, otherwise go to substep S3;
substep S2: restore the original value of the registry object parse routine hook, then go to substep S3;
substep S3: call the Cm* registry implementation routine and detect whether the original value of the inline hook of the Cm* registry function has changed; if so, go to substep S4, otherwise go to substep S5;
substep S4: restore the original value of the inline hook of the Cm* registry function, then go to substep S5;
substep S5: block the CmpCallBack callback mechanism, then go to substep S6;
substep S6: detect whether the original value of the HvpGetCellPaged/HvpGetCellMapped object routine hook has changed; if so, go to substep S7, otherwise finish;
substep S7: restore the original value of the HvpGetCellPaged/HvpGetCellMapped object routine hook.
In a specific implementation, when a kernel execution-flow tamper point is found to have changed, its changed value can be recorded in kernel-mode memory so that it can be written back after the registry function call completes.
Of course, the above tamper-point detection and restoration procedure is only an example; those skilled in the art may arrange the detection and repair operations arbitrarily according to actual needs, for example detecting all tamper points first and then restoring those that have changed in one pass. The invention does not limit this.
Step 204: call the corresponding registry function using the registry function calling logic.
In a specific implementation, the embodiment of the invention can further comprise the following step:
Step 205: after the registry function has been called, write the changed value back over the original value of the kernel execution-flow tamper point.
In practice, some kernel execution-flow tamper points have changed because other security software rewrote them. After the call to the underlying registry implementation function completes, the kernel execution-flow tamper points must therefore be written back to guarantee the normal operation of that other security software. Specifically, the changed values saved in kernel-mode memory while the original values were being restored are retrieved and written back to the corresponding kernel execution-flow tamper points.
After the registry function call completes, the registry operation execution flow continues by calling the registry parse routine, which calls the Cm* registry implementation routine, which in turn calls the HvpGetCellPaged/HvpGetCellMapped object routine directly. Because the CmpCallBack callback mechanism is blocked, the Cm* registry implementation routine no longer calls third-party drivers, so third-party drivers (other security software, driver-level malicious programs) are penetrated.
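The detect/restore/write-back sequence of substeps S1 to S7 together with step 205 (the same sequence is listed in the summary above), shown as an added user-mode C simulation. This is not the patent's code: the kernel tamper points are modelled as slots in an in-memory table, the CmpCallBack mechanism as a boolean gate, and the registry function as a stub that succeeds only when the path is pristine and callbacks are blocked. All struct and function names, the slot values and the handle value 0x1234 are hypothetical and constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not the patent's code: user-mode simulation of substeps
 * S1-S7 (detect/restore tamper points, block CmpCallBack) and step 205
 * (write changed values back after the registry call). Tamper points are
 * table slots here, not real kernel routines; all names are hypothetical. */

enum tamper_point {
    TP_OBJECT_PARSE = 0,  /* S1/S2: registry object parse routine hook */
    TP_CM_INLINE,         /* S3/S4: inline hook of the Cm* registry function */
    TP_HVP_GETCELL,       /* S6/S7: HvpGetCellPaged/HvpGetCellMapped routine hook */
    TP_COUNT
};

/* Simulated kernel: live routine addresses plus the CmpCallBack gate. */
struct sim_kernel {
    uintptr_t live[TP_COUNT];
    bool callbacks_enabled;
};

/* Per-operation context (stands in for the patent's _PARSE_CONTEXT). */
struct parse_context {
    uintptr_t original[TP_COUNT];   /* captured at initialisation */
    uintptr_t changed[TP_COUNT];    /* foreign values found, cached for write-back */
    bool      was_changed[TP_COUNT];
    bool      callbacks_were_enabled;
};

/* Initialisation: record the pristine value of every tamper point. */
void ctx_init(struct parse_context *ctx, const struct sim_kernel *k) {
    for (int i = 0; i < TP_COUNT; i++) {
        ctx->original[i] = k->live[i];
        ctx->changed[i] = 0;
        ctx->was_changed[i] = false;
    }
    ctx->callbacks_were_enabled = k->callbacks_enabled;
}

/* One detect/restore pair (S1/S2, S3/S4 or S6/S7); returns 1 if restored. */
static unsigned check_point(struct parse_context *ctx, struct sim_kernel *k, enum tamper_point tp) {
    ctx->was_changed[tp] = false;
    if (k->live[tp] == ctx->original[tp])
        return 0;
    ctx->changed[tp] = k->live[tp];    /* cache the foreign value (kernel memory in the patent) */
    ctx->was_changed[tp] = true;
    k->live[tp] = ctx->original[tp];   /* restore the original value */
    return 1;
}

/* Substeps S1-S7 in the patent's order; returns how many points were restored. */
unsigned detect_and_restore(struct parse_context *ctx, struct sim_kernel *k) {
    unsigned restored = 0;
    restored += check_point(ctx, k, TP_OBJECT_PARSE);    /* S1/S2 */
    restored += check_point(ctx, k, TP_CM_INLINE);       /* S3/S4 */
    ctx->callbacks_were_enabled = k->callbacks_enabled;  /* S5: block CmpCallBack */
    k->callbacks_enabled = false;
    restored += check_point(ctx, k, TP_HVP_GETCELL);     /* S6/S7 */
    return restored;
}

/* Step 204 stub: succeeds only on an untampered path with third-party
 * callbacks blocked; returns a constructed handle, or -1 on a hooked path. */
long call_registry_function(const struct parse_context *ctx, const struct sim_kernel *k) {
    for (int i = 0; i < TP_COUNT; i++)
        if (k->live[i] != ctx->original[i])
            return -1;
    return k->callbacks_enabled ? -1 : 0x1234;
}

/* Step 205: write the cached foreign values back and reopen the callback
 * gate, so other security software that installed them keeps working. */
unsigned write_back(const struct parse_context *ctx, struct sim_kernel *k) {
    unsigned n = 0;
    for (int i = 0; i < TP_COUNT; i++)
        if (ctx->was_changed[i]) { k->live[i] = ctx->changed[i]; n++; }
    k->callbacks_enabled = ctx->callbacks_were_enabled;
    return n;
}

/* Whole trusted operation: steps 203, 204 and 205 in sequence. */
long trusted_registry_op(struct parse_context *ctx, struct sim_kernel *k) {
    detect_and_restore(ctx, k);
    long handle = call_registry_function(ctx, k);
    write_back(ctx, k);
    return handle;
}

/* Scenario on a constructed kernel where two slots were rewritten by a
 * "third party". Returns a bitmask of the properties that held (0x3F = all). */
unsigned scenario_two_hooks(void) {
    struct sim_kernel k = { { 0x1000, 0x2000, 0x3000 }, true };  /* constructed values */
    struct parse_context ctx;
    ctx_init(&ctx, &k);
    k.live[TP_CM_INLINE] = 0xBAD1;      /* simulated foreign hooks (constructed) */
    k.live[TP_HVP_GETCELL] = 0xBAD2;
    unsigned ok = 0;
    if (detect_and_restore(&ctx, &k) == 2) ok |= 0x01;
    if (k.live[TP_CM_INLINE] == 0x2000 && !k.callbacks_enabled) ok |= 0x02;
    if (call_registry_function(&ctx, &k) == 0x1234) ok |= 0x04;
    if (write_back(&ctx, &k) == 2) ok |= 0x08;
    if (k.live[TP_CM_INLINE] == 0xBAD1 && k.live[TP_HVP_GETCELL] == 0xBAD2 && k.callbacks_enabled) ok |= 0x10;
    if (trusted_registry_op(&ctx, &k) == 0x1234 && k.live[TP_HVP_GETCELL] == 0xBAD2) ok |= 0x20;
    return ok;
}

int main(void) {
    printf("scenario bitmask: 0x%02X (all six properties hold at 0x3F)\n", scenario_two_hooks());
    return 0;
}
```

The point the simulation makes visible is the ordering: S5 closes the callback gate before the HvpGetCell check and before the call, and step 205 reopens it and writes the foreign values back only after the call has completed, so the registry operation itself never runs through a third-party path while the other software's hooks are still restored afterwards.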
Referring to Fig. 4, which shows a flow chart of the steps of embodiment 2 of the execution method for registry operations of the invention, the method may specifically comprise:
Step 401: load the registry operation interface routines and obtain the original values of the preset kernel execution-flow tamper points;
As is well known, a routine is the set of function interfaces or services that a system provides externally; operating-system APIs and services are examples of routines.
As an example of a specific application, the registry operation interface routines can comprise: the registry key creation routine BRegCreateKey, the extended registry key creation routine BRegCreateKeyEx, the registry key open routine BRegOpenKey, the extended registry key open routine BRegOpenKeyEx, the extended registry query-value routine BRegQueryValueEx, the registry set-value routine BRegSetValueEx, the registry key enumeration routine BRegEnumKey, the extended registry key enumeration routine BRegEnumKeyEx, the registry value enumeration routine BRegEnumValue, the registry key deletion routine BRegDeleteKey, the extended registry key deletion routine BRegDeleteKeyEx, the registry value deletion routine BRegDeleteValue, and/or the registry handle close routine BRegCloseKey. The registry operation interface routines are defined consistently with the corresponding standard WINDOWS API in calling convention and call parameters. Each routine includes a narrow-character routine and a wide-character routine; for example, BRegCreateKey comprises the narrow-character routine BRegCreateKeyA and the wide-character routine BRegCreateKeyW. BRegCreateKeyA converts the input parameters to the UNICODE type, while BRegCreateKeyW actually completes the parameter conversion, the control-code communication, and so on.
Step 402: the caller initiates a registry operation request and calls the corresponding registry operation interface routine; the request comprises the caller input parameters.
Step 403: if the registry operation interface routine called is the narrow-character routine, the ANSI-related parameters among the caller input parameters are converted to the UNICODE type, and the corresponding wide-character registry operation interface routine is called.
As is well known, ANSI characters use 8 bits and UNICODE characters use 16 bits. (ANSI stores an English character in one byte and a character such as a Chinese character in two bytes, whereas under Unicode English and Chinese characters are both stored in two bytes. Strictly, the Unicode type used by WINDOWS is UTF-16, whose code units are 16 bits; a character outside the Basic Multilingual Plane occupies two code units, so a wide-character routine should treat lengths as counts of code units rather than of characters.)
Of course, if the wide-character routine is called directly in practice, this step need not be performed.
Step 404: construct the kernel-mode structure parameters according to the type of the system platform, generate the corresponding registry operation control code according to the kernel-mode structure parameters, and send it to the operating-system kernel mode.
The types of system platform include 32-bit, 64-bit and 32-bit compatibility mode (a 32-bit process running on a 64-bit system). As an example of a concrete application of the present invention, the control codes corresponding to the registry operation interface routines comprise: the registry create-key control code REGCTL_CREATE_KEY, the registry open-key control code REGCTL_OPEN_KEY, the registry query-value control code REGCTL_QUERY_VALUE_KEY, the registry set-value control code REGCTL_SET_VALUE_KEY, the registry enumerate-key control code REGCTL_ENUMERATE_KEY, the registry enumerate-value control code REGCTL_ENUMERATE_VALUE_KEY, the registry delete-key control code REGCTL_DELETE_KEY and/or the registry delete-value control code REGCTL_DELETE_VALUE_KEY. The control codes define the unified identifiers used when the operating-system user mode communicates with the kernel-mode driver.
In practice, when the operating-system user mode communicates with the kernel-mode driver, the input and output buffers may be passed in the METHOD_BUFFERED manner. In METHOD_BUFFERED the I/O manager first allocates a single system buffer whose size is the larger of the input buffer and the output buffer, and copies the caller's input data into it. The driver reads its input from that buffer and, before returning, writes its output into the same buffer; the number of bytes returned is placed in the IO_STATUS_BLOCK, and the I/O manager then copies the data back to the caller's output buffer.
Step 405: the operating-system kernel mode obtains the registry operation request, verifies the caller input parameters, and captures (reconstructs) the user-mode addresses into kernel-mode memory space, so that the kernel subsequently works on a private copy that user mode cannot modify after verification.
Step 406: if the input parameter verification passes, construct a _PARSE_CONTEXT structure according to the caller input parameters so as to set up the registry function calling logic, and set up the registry kernel execution logic.
Step 407: execute the tamper-point detection and repair logic; specifically, inspect the preset kernel execution-flow tamper points and, when the original value at a kernel execution-flow tamper point has been changed, restore the original value at that tamper point.
Step 408: call the corresponding registry function using the registry function calling logic; if the call succeeds, execute step 409; if the call fails, execute step 410.
Step 409: return the corresponding handle.
Step 410: generate an error code and return to user mode.
In a concrete implementation, if the call fails, the user-mode interface can set the corresponding error code, so that the caller thread can obtain detailed error information through the GetLastError routine.
Step 411: after the registry function has been called, change the original value at the kernel execution-flow tamper point back to the changed value, i.e. write the cached changed value back.
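The tamper-point detection, repair and write-back of steps 407 and 411 (the sub-steps of claim 4), as an added example in C that is not the patent's or the driver's code. Byte arrays stand in for the first bytes of the object-type parse routine, a Cm* function and HvpGetCellPaged, an integer stands in for the CmpCallback registration list, and an E9 jmp written by install_inline_hook plays the part of the tampering driver; all of these values, the 8-byte window and the function names are constructed. A real driver would compare the routines' actual text and would have to lift write protection (and serialize against other processors) before patching kernel code, which this user-space simulation omits.

```c
/* Added example: simulation of steps 407 (detect and repair), 408 (call) and
 * 411 (write back). Not the patent's code; all bytes and names are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PATCH_LEN 8  /* bytes watched at each tamper point (assumption) */

struct tamper_point {
    const char *name;
    uint8_t *addr;                /* watched bytes (a routine prologue in a driver) */
    uint8_t original[PATCH_LEN];  /* snapshot taken at initialization (claim 5) */
    uint8_t changed[PATCH_LEN];   /* tampered bytes cached for write-back (step 411) */
    bool tampered;                /* true between detect_and_repair and write_back */
};

/* Constructed stand-ins for kernel text; the values are arbitrary, not real code. */
uint8_t g_parse_routine[PATCH_LEN] = {0x48,0x89,0x5c,0x24,0x08,0x57,0x48,0x83};
uint8_t g_cm_function[PATCH_LEN]   = {0x40,0x53,0x48,0x83,0xec,0x20,0x48,0x8b};
uint8_t g_hv_get_cell[PATCH_LEN]   = {0x4c,0x8b,0xdc,0x49,0x89,0x5b,0x08,0x57};

/* Stand-in for the CmpCallback list: the number of third-party callbacks registered. */
int g_callback_count = 2;
static int g_saved_callback_count;

/* Initialization: record the original bytes. Trustworthy only if no hook is present yet. */
void tamper_point_init(struct tamper_point *tp, const char *name, uint8_t *addr)
{
    tp->name = name;
    tp->addr = addr;
    memcpy(tp->original, addr, PATCH_LEN);
    memset(tp->changed, 0, PATCH_LEN);
    tp->tampered = false;
}

/* Simulated tampering driver: overwrite a prologue with a relative jmp (E9 rel32). */
void install_inline_hook(uint8_t *addr)
{
    const uint8_t jmp[5] = {0xE9, 0x11, 0x22, 0x33, 0x44};
    memcpy(addr, jmp, sizeof jmp);
}

/* Step 407 / sub-steps S1-S7: for each point whose bytes differ from the snapshot,
 * cache the tampered bytes and restore the original. Returns the number repaired. */
size_t detect_and_repair(struct tamper_point *tps, size_t n)
{
    size_t repaired = 0;
    for (size_t i = 0; i < n; i++) {
        if (memcmp(tps[i].addr, tps[i].original, PATCH_LEN) != 0) {
            memcpy(tps[i].changed, tps[i].addr, PATCH_LEN);   /* claim 5: cache changed value */
            memcpy(tps[i].addr, tps[i].original, PATCH_LEN);  /* restore execution flow */
            tps[i].tampered = true;
            repaired++;
        }
    }
    g_saved_callback_count = g_callback_count;  /* sub-step S5: block CmpCallback */
    g_callback_count = 0;
    return repaired;
}

/* Step 411: put the cached changed values (and the callback list) back. */
void write_back(struct tamper_point *tps, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tps[i].tampered) {
            memcpy(tps[i].addr, tps[i].changed, PATCH_LEN);
            tps[i].tampered = false;
        }
    }
    g_callback_count = g_saved_callback_count;
}

/* Stand-in for the underlying registry implementation: returns 1 only when no
 * watched prologue is redirected and no third-party callback can intercept. */
int registry_create_key_sim(void)
{
    return g_parse_routine[0] != 0xE9 && g_cm_function[0] != 0xE9 &&
           g_hv_get_cell[0] != 0xE9 && g_callback_count == 0;
}

/* Steps 407, 408 and 411 in order: repair, call, write back. */
int protected_registry_call(struct tamper_point *tps, size_t n, int (*fn)(void))
{
    detect_and_repair(tps, n);
    int rc = fn();
    write_back(tps, n);
    return rc;
}

int main(void)
{
    struct tamper_point tps[3];
    tamper_point_init(&tps[0], "object-type parse routine", g_parse_routine);
    tamper_point_init(&tps[1], "Cm* function", g_cm_function);
    tamper_point_init(&tps[2], "HvpGetCellPaged", g_hv_get_cell);
    install_inline_hook(g_parse_routine);
    install_inline_hook(g_hv_get_cell);
    int rc = protected_registry_call(tps, 3, registry_create_key_sim);
    /* success: the call ran on restored code, and the hook is back afterwards */
    return (rc == 1 && g_parse_routine[0] == 0xE9) ? 0 : 1;
}
```

The snapshot is only as trustworthy as the moment it is taken: claim 5 obtains the originals at initialization, so a hook that is already in place when the driver loads becomes the recorded "original" and is never reported. Comparing against the kernel module's on-disk image instead of an early in-memory copy is the usual way to close that gap.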
To help those skilled in the art understand the present invention better, the present invention is explained in detail below using the registry key creation process as an example.
(1) The caller process initiates a BRegCreateKeyA registry create-key request;
(2) the BRegCreateKeyA routine converts the ANSI-related parameters to the UNICODE type and calls the BRegCreateKeyW routine;
(3) the BRegCreateKeyW routine determines the system platform (32-bit, 64-bit or 32-bit compatibility mode), constructs the structure parameters, sends the control code REGCTL_CREATE_KEY and waits synchronously for the return;
(4) the kernel portion of the BRegCreateKeyW routine receives the user-mode request, verifies the input parameters and captures the addresses into kernel memory;
(5) the BRegCreateKeyW routine constructs the _PARSE_CONTEXT structure and calls the underlying system registry implementation function; before the call, the following tamper-point detection and repair operations are performed:
A1. detect and recover potential hooks of the registry object-type parse routine;
A2. detect and recover potential CmpCallback kernel callback problems;
A3. detect and recover potential inline hooks of the Cm*-level registry functions;
A4. detect and recover potential hooks of the HvpGetCellPaged/HvpGetCellMapped object routines.
(6) If the call succeeds, the corresponding handle is returned; if the routine call fails, the driver returns the corresponding error code to user mode.
(7) The synchronous request returns; if the call failed, the user-mode interface sets the corresponding error code, so that the caller thread can obtain detailed error information through the GetLastError routine.
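The request path of steps 404 and 405, and of steps (3) and (4) of the walkthrough above, as an added example in C that is not the patent's code: it defines control codes with the WINDOWS CTL_CODE formula, lays out a request structure with fixed-width fields so that 32-bit, 64-bit and 32-bit-compatibility-mode callers produce identical bytes, and shows the kernel-side capture-then-verify order. The function numbers from 0x800, the field layout, REG_MAX_PATH and the error codes are assumptions; it runs in user space, with plain memcpy standing in for the I/O manager's METHOD_BUFFERED copy and for ProbeForRead.

```c
/* Added example: control codes, a platform-independent request layout and the
 * kernel-side capture-and-verify of step 405. Not the patent's code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DDK definitions: the real CTL_CODE formula and device/method/access constants. */
#define FILE_DEVICE_UNKNOWN 0x22
#define METHOD_BUFFERED     0
#define FILE_ANY_ACCESS     0
#define CTL_CODE(dev, fn, method, access) \
    (((uint32_t)(dev) << 16) | ((uint32_t)(access) << 14) | ((uint32_t)(fn) << 2) | (method))

/* Function numbers 0x800 and up are reserved for third-party drivers; the
 * assignment of numbers to REGCTL_* codes below is an assumption. */
#define REGCTL_CREATE_KEY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define REGCTL_OPEN_KEY   CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define REGCTL_DELETE_KEY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x806, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define REG_MAX_PATH 255  /* assumed limit on key path length, in UTF-16 units */

/* Fixed-width fields only (no pointers, no size_t), so a 32-bit caller on a
 * 64-bit system produces the same bytes as a native caller and the driver
 * needs no per-platform thunking of the structure. */
#pragma pack(push, 1)
struct reg_request {
    uint32_t control_code;
    uint32_t access_mask;
    uint64_t parent_key;             /* user-mode handle value carried as a number */
    uint32_t path_len;               /* UTF-16 units, excluding the terminator */
    uint16_t path[REG_MAX_PATH + 1]; /* UTF-16, NUL terminated */
};
#pragma pack(pop)

/* User-mode side of BRegCreateKeyW: marshal the request for METHOD_BUFFERED. */
int build_create_request(struct reg_request *req, uint64_t parent,
                         const uint16_t *path, uint32_t access)
{
    uint32_t n = 0;
    while (path[n] != 0) {
        if (++n > REG_MAX_PATH) return -1;   /* refuse over-long paths in user mode too */
    }
    memset(req, 0, sizeof *req);
    req->control_code = REGCTL_CREATE_KEY;
    req->access_mask = access;
    req->parent_key = parent;
    req->path_len = n;
    memcpy(req->path, path, (n + 1) * sizeof(uint16_t));
    return 0;
}

enum { REG_OK = 0, REG_BAD_LENGTH = 1, REG_BAD_CODE = 2, REG_BAD_PATH = 3 };

/* Kernel side (step 405): copy the buffer into a kernel-owned structure first
 * ("capture"), then validate only that copy. Every later use reads the copy,
 * never the caller-reachable memory again. */
int capture_and_verify(const void *buf, uint32_t buf_len, struct reg_request *captured)
{
    if (buf == NULL || buf_len != sizeof *captured) return REG_BAD_LENGTH;
    memcpy(captured, buf, sizeof *captured);            /* capture */
    switch (captured->control_code) {
    case REGCTL_CREATE_KEY: case REGCTL_OPEN_KEY: case REGCTL_DELETE_KEY: break;
    default: return REG_BAD_CODE;
    }
    if (captured->path_len > REG_MAX_PATH) return REG_BAD_PATH;
    if (captured->path[captured->path_len] != 0) return REG_BAD_PATH;  /* terminator present */
    for (uint32_t i = 0; i < captured->path_len; i++)
        if (captured->path[i] == 0) return REG_BAD_PATH;                /* no embedded NUL */
    return REG_OK;
}

int main(void)
{
    /* Constructed sample: the key path "Software\Example" as UTF-16 units,
     * opened under the HKEY_LOCAL_MACHINE handle value with KEY_READ access. */
    static const uint16_t path[] = {'S','o','f','t','w','a','r','e','\\',
                                    'E','x','a','m','p','l','e',0};
    struct reg_request req, captured;
    if (build_create_request(&req, 0x80000002ull, path, 0x20019) != 0) return 1;
    return capture_and_verify(&req, sizeof req, &captured) == REG_OK ? 0 : 1;
}
```

Under METHOD_BUFFERED the structure itself already arrives in a kernel-owned system buffer; the capture discipline is what step 405 applies to any user-mode address the parameters still carry, such as a string or output-handle pointer, where validating in place and reading again later would leave a window for another user-mode thread to change the data between the check and the use. The test below mutates the caller's copy after the capture to show that the verified copy is unaffected.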
It should be noted that, for simplicity of description, the method embodiments are expressed as a series of combined actions, but those skilled in the art should understand that the present invention is not limited by the described sequence of actions, since according to the present invention some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
Referring to Figure 5, a structural block diagram of an embodiment of a registry operation execution apparatus of the present invention is shown; it may specifically comprise the following modules:
Request acquisition module 51, configured to obtain a registry operation request, the request comprising caller input parameters;
Kernel execution logic setting module 52, configured to set up registry kernel execution logic according to the caller input parameters, the kernel execution logic comprising tamper-point detection and repair logic and registry function calling logic;
Tamper-point detection and repair logic execution module 53, configured to execute the tamper-point detection and repair logic, specifically to inspect the preset kernel execution-flow tamper points and, when the original value at a kernel execution-flow tamper point has been changed, restore the original value at that tamper point;
Registry function calling logic execution module 54, configured to call the corresponding registry function using the registry function calling logic.
In a concrete implementation, the apparatus may further comprise the following module:
Tamper-point write-back module 55, configured to change the original value at the kernel execution-flow tamper point back to the changed value after the registry function has been called.
In a preferred embodiment of the present invention, the preset kernel execution-flow tamper points may comprise:
hooks of the registry object-type parse routine;
the CmpCallBack callback mechanism by which the Cm* registry implementation routines call into third-party drivers;
inline hooks of the Cm* registry functions;
hooks of the HvpGetCellPaged/HvpGetCellMapped object routines.
In practice, the original values at the kernel execution-flow tamper points can be obtained at initialization, and the changed values at the kernel execution-flow tamper points can be cached in kernel memory.
In a preferred embodiment of the present invention, the apparatus may further comprise the following modules:
User-mode request sending module, configured to initiate a registry operation request and call the corresponding registry operation interface routine, the request comprising caller input parameters;
Control-code sending module, configured to construct kernel-mode structure parameters according to the type of system platform, generate the corresponding registry operation control code according to the kernel-mode structure parameters, and send it to the operating-system kernel mode.
In a concrete implementation, the apparatus may further comprise the following module:
Parameter verification module, configured to verify the caller input parameters according to the registry operation request and, if the verification passes, invoke the kernel execution logic setting module.
As an example of a concrete application, the caller input parameters contain user-mode addresses; the apparatus may further comprise the following module:
Address capture module, configured to capture (reconstruct) the user-mode addresses into kernel-mode memory space.
In a concrete implementation, the apparatus may further comprise the following modules:
Handle return module, configured to return the corresponding handle when the registry function call succeeds;
Error-code return module, configured to generate an error code and return to user mode when the registry function call fails.
Since the apparatus embodiment substantially corresponds to the method embodiments shown in Figure 2 and Figure 4 above, parts not described in detail in the present embodiment may be found in the related descriptions of the previous embodiments and are not repeated here.
The present invention can be used in numerous general-purpose or special-purpose computing system environments or configurations, for example: personal computers, server computers, handheld or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments including any of the above systems or devices, and the like.
The present invention may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The present invention may also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
The registry operation execution method and the registry operation execution apparatus provided by the present invention have been described in detail above. Specific examples have been used herein to explain the principles and embodiments of the present invention; the description of the above embodiments is intended only to help understand the method of the present invention and its core idea. At the same time, for those of ordinary skill in the art, changes may be made to both the specific embodiments and the scope of application in accordance with the idea of the present invention. In summary, the contents of this specification should not be construed as limiting the present invention.

Claims (20)

1. A registry operation execution method, characterized in that it comprises:
obtaining a registry operation request, the request comprising caller input parameters;
setting up registry kernel execution logic according to the caller input parameters, the kernel execution logic comprising tamper-point detection and repair logic and registry function calling logic;
executing the tamper-point detection and repair logic, specifically: inspecting preset kernel execution-flow tamper points and, when the original value at a kernel execution-flow tamper point has been changed, restoring the original value at that tamper point;
calling the corresponding registry function using the registry function calling logic.
2. The method according to claim 1, characterized in that it further comprises:
after the registry function has been called, changing the original value at the kernel execution-flow tamper point back to the changed value.
3. The method according to claim 1 or 2, characterized in that the preset kernel execution-flow tamper points comprise:
hooks of the registry object-type parse routine;
the CmpCallBack callback mechanism by which the Cm* registry implementation routines call into third-party drivers;
inline hooks of the Cm* registry functions;
hooks of the HvpGetCellPaged/HvpGetCellMapped object routines.
4. The method according to claim 3, characterized in that the step of inspecting the preset kernel execution-flow tamper points and, when the original value at a kernel execution-flow tamper point has been changed, restoring the original value at that tamper point specifically comprises:
sub-step S1: detecting whether the original value of the registry object-type parse routine hook has changed; if so, executing sub-step S2, otherwise executing sub-step S3;
sub-step S2: restoring the original value of the registry object-type parse routine hook, then proceeding to sub-step S3;
sub-step S3: calling the Cm* registry implementation routine and detecting whether the original value of the Cm* registry function inline hook has changed; if so, executing sub-step S4, otherwise executing sub-step S5;
sub-step S4: restoring the original value of the Cm* registry function inline hook, then proceeding to sub-step S5;
sub-step S5: blocking the CmpCallBack callback mechanism, then proceeding to sub-step S6;
sub-step S6: detecting whether the original value of the HvpGetCellPaged/HvpGetCellMapped object routine hook has changed; if so, executing sub-step S7, otherwise ending;
sub-step S7: restoring the original value of the HvpGetCellPaged/HvpGetCellMapped object routine hook.
5. The method according to claim 4, characterized in that the original values at the kernel execution-flow tamper points are obtained at initialization, and the changed values at the kernel execution-flow tamper points are cached in kernel memory.
6. The method according to claim 1 or 2, characterized in that, before obtaining the registry operation request, it further comprises:
a caller initiating a registry operation request and calling the corresponding registry operation interface routine, the request comprising caller input parameters;
constructing kernel-mode structure parameters according to the type of system platform, generating the corresponding registry operation control code according to the kernel-mode structure parameters, and sending it to the operating-system kernel mode.
7. The method according to claim 6, characterized in that each registry operation interface routine comprises a narrow-character routine and a wide-character routine, and before constructing the kernel-mode structure parameters the method further comprises:
the narrow-character routine of the registry operation interface converting the ANSI-related parameters among the caller input parameters to the UNICODE type and calling the corresponding wide-character registry operation interface routine.
8. The method according to claim 7, characterized in that, before setting up the registry kernel execution logic, the method further comprises:
verifying the caller input parameters according to the registry operation request and, if the verification passes, executing the step of setting up the registry kernel execution logic.
9. The method according to claim 8, characterized in that the caller input parameters contain user-mode addresses, and before setting up the registry kernel execution logic the method further comprises:
capturing the user-mode addresses into kernel-mode memory space.
10. The method according to claim 7, 8 or 9, characterized in that it further comprises:
if the registry function call succeeds, returning the corresponding handle;
if the registry function call fails, generating an error code and returning to user mode.
11. The method according to claim 10, characterized in that the registry operation interface routines are consistent with the standard WINDOWS APIs and comprise: the registry create-key routine BRegCreateKey, the registry extended create-key routine BRegCreateKeyEx, the registry open-key routine BRegOpenKey, the registry extended open-key routine BRegOpenKeyEx, the registry extended query-value routine BRegQueryValueEx, the registry set-value routine BRegSetValueEx, the registry enumerate-key routine BRegEnumKey, the registry extended enumerate-key routine BRegEnumKeyEx, the registry enumerate-value routine BRegEnumValue, the registry delete-key routine BRegDeleteKey, the registry extended delete-key routine BRegDeleteKeyEx, the registry delete-value routine BRegDeleteValue and/or the registry close-handle routine BRegCloseKey.
12. The method according to claim 11, characterized in that the control codes comprise: the registry create-key control code REGCTL_CREATE_KEY, the registry open-key control code REGCTL_OPEN_KEY, the registry query-value control code REGCTL_QUERY_VALUE_KEY, the registry set-value control code REGCTL_SET_VALUE_KEY, the registry enumerate-key control code REGCTL_ENUMERATE_KEY, the registry enumerate-value control code REGCTL_ENUMERATE_VALUE_KEY, the registry delete-key control code REGCTL_DELETE_KEY and/or the registry delete-value control code REGCTL_DELETE_VALUE_KEY.
13. A registry operation execution apparatus, characterized in that it comprises:
a request acquisition module, configured to obtain a registry operation request, the request comprising caller input parameters;
a kernel execution logic setting module, configured to set up registry kernel execution logic according to the caller input parameters, the kernel execution logic comprising tamper-point detection and repair logic and registry function calling logic;
a tamper-point detection and repair logic execution module, configured to execute the tamper-point detection and repair logic, specifically to inspect preset kernel execution-flow tamper points and, when the original value at a kernel execution-flow tamper point has been changed, restore the original value at that tamper point;
a registry function calling logic execution module, configured to call the corresponding registry function using the registry function calling logic.
14. The apparatus according to claim 13, characterized in that it further comprises:
a tamper-point write-back module, configured to change the original value at the kernel execution-flow tamper point back to the changed value after the registry function has been called.
15. The apparatus according to claim 13 or 14, characterized in that the preset kernel execution-flow tamper points comprise:
hooks of the registry object-type parse routine;
the CmpCallBack callback mechanism by which the Cm* registry implementation routines call into third-party drivers;
inline hooks of the Cm* registry functions;
hooks of the HvpGetCellPaged/HvpGetCellMapped object routines.
16. The apparatus according to claim 15, characterized in that the original values at the kernel execution-flow tamper points are obtained at initialization, and the changed values at the kernel execution-flow tamper points are cached in kernel memory.
17. The apparatus according to claim 13 or 14, characterized in that it further comprises:
a user-mode request sending module, configured to initiate a registry operation request and call the corresponding registry operation interface routine, the request comprising caller input parameters;
a control-code sending module, configured to construct kernel-mode structure parameters according to the type of system platform, generate the corresponding registry operation control code according to the kernel-mode structure parameters, and send it to the operating-system kernel mode.
18. The apparatus according to claim 17, characterized in that it further comprises:
a parameter verification module, configured to verify the caller input parameters according to the registry operation request and, if the verification passes, invoke the kernel execution logic setting module.
19. The apparatus according to claim 18, characterized in that the caller input parameters contain user-mode addresses, and the apparatus further comprises:
an address capture module, configured to capture the user-mode addresses into kernel-mode memory space.
20. The apparatus according to claim 18 or 19, characterized in that it further comprises:
a handle return module, configured to return the corresponding handle when the registry function call succeeds;
an error-code return module, configured to generate an error code and return to user mode when the registry function call fails.
CN201110121178.8A 2011-05-11 2011-05-11 Registry operation execution method and apparatus Active CN102779030B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201110121178.8A CN102779030B (en) 2011-05-11 2011-05-11 Registry operation execution method and apparatus
PCT/CN2012/075155 WO2012152212A1 (en) 2011-05-11 2012-05-07 Method and device for executing registry operation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110121178.8A CN102779030B (en) 2011-05-11 2011-05-11 Registry operation execution method and apparatus

Publications (2)

Publication Number Publication Date
CN102779030A true CN102779030A (en) 2012-11-14
CN102779030B CN102779030B (en) 2015-08-19

Family

ID=47123952

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110121178.8A Active CN102779030B (en) 2011-05-11 2011-05-11 Registry operation execution method and apparatus

Country Status (2)

Country Link
CN (1) CN102779030B (en)
WO (1) WO2012152212A1 (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: QIZHI SOFTWARE (BEIJING) CO., LTD.

Effective date: 20150901

Owner name: BEIJING QIHU TECHNOLOGY CO., LTD.

Free format text: FORMER OWNER: QIZHI SOFTWARE (BEIJING) CO., LTD.

Effective date: 20150901

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20150901

Address after: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Qizhi software (Beijing) Co.,Ltd.

Address before: The 4 layer 100016 unit of Beijing city Chaoyang District Jiuxianqiao Road No. 14 Building C

Patentee before: Qizhi software (Beijing) Co.,Ltd.

CP01 Change in the name or title of a patent holder

Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Beijing Qizhi Business Consulting Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

CP01 Change in the name or title of a patent holder
TR01 Transfer of patent right

Effective date of registration: 20220401

Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee after: Sanliu0 Digital Security Technology Group Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Beijing Qizhi Business Consulting Co.,Ltd.

TR01 Transfer of patent right