CN102779030A - Execution method and device for registry operation - Google Patents

Info

Publication number
CN102779030A
Authority
CN
China
Prior art keywords
registry
routine
kernel
value
logic
Prior art date
Legal status
Granted
Application number
CN2011101211788A
Other languages
Chinese (zh)
Other versions
CN102779030B (en)
Inventor
王宇
郑文彬
潘剑锋
Current Assignee
Beijing Qizhi Business Consulting Co ltd
Beijing Qihoo Technology Co Ltd
360 Digital Security Technology Group Co Ltd
Original Assignee
Qizhi Software Beijing Co Ltd
Priority date
Filing date
Publication date
Application filed by Qizhi Software Beijing Co Ltd
Priority to CN201110121178.8A (granted as CN102779030B)
Priority to PCT/CN2012/075155 (published as WO2012152212A1)
Publication of CN102779030A
Application granted
Publication of CN102779030B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/568 Computer malware detection or handling, e.g. anti-virus arrangements, eliminating virus, restoring damaged files
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/445 Program loading or initiating
    • G06F 9/44505 Configuring for program initiating, e.g. using registry, configuration files


Abstract

The present invention provides a method for executing a registry operation, comprising: obtaining a registry operation request, the request including caller input parameters; setting registry kernel execution logic according to the caller input parameters, the kernel execution logic including tamper-point detection and repair logic and registry function call logic; executing the tamper-point detection and repair logic, specifically detecting preset kernel execution flow tamper points and, when the original value of a kernel execution flow tamper point has changed, restoring its original value; and calling the corresponding registry function by means of the registry function call logic. The invention strengthens the ability to contend with driver-level malware and avoids the potential for incompatibility between security products caused by interference with registry operations.

Description

Method and device for executing a registry operation

Technical field

The present invention relates to the technical field of operating system penetration, and in particular to a method and a device for executing a registry operation.

Background

When faced with complex problems, people tend to divide and conquer in order to partition and narrow the problem, and the same holds for operating system design. The Windows operating system uses a layered design to solve complex problems, an approach that brings portability, extensibility and other advantages. However, because the design has security weaknesses in principle (for example, the lack of an integrity-verification mechanism), the other side of high extensibility is that the system offers a large number of opportunities for tampering. For example, when security software operates on (creates, opens, enumerates, reads, writes, deletes, etc.) registry keys and values belonging to itself, to the system or to a malicious program, it wants the access to be genuine and trustworthy, but the layered structure of Microsoft Windows means that the data flow along its call chain is at risk of being tampered with. Ensuring that registry operations are genuine and reliable has therefore become a basic requirement for security software. From the operating system's perspective, the execution of a registry operation has the following potential tamper points:

Referring to the schematic diagram of the operating system's registry-operation execution flow shown in Figure 1, a registry operation is executed through the following layered calls:

The caller 101 calls the kernel interface layer 102; the kernel interface layer 102 calls the kernel execution layer 103; the kernel execution layer 103 calls the registry parse routine 104; the registry parse routine 104 calls the Cm* registry implementation routines 105; and the Cm* registry implementation routines 105 call third-party drivers 106 and the HvpGetCellPaged/HvpGetCellMapped object routines 107. The caller 101 and the kernel interface layer 102 belong to operating system user mode, while the kernel execution layer 103, the registry parse routine 104, the Cm* registry implementation routines 105, the third-party drivers 106 and the HvpGetCellPaged/HvpGetCellMapped object routines 107 belong to operating system kernel mode.

From the operating system's perspective, the registry-operation execution flow has the following potential tamper points:

1) User-mode IAT hook (Import Address Table hook) / EAT hook (Export Address Table hook) in the kernel interface layer;

2) User-mode inline hook in the kernel interface layer;

3) Int 2E (interrupt) / SysEnter hook (hook on the transition from user mode into kernel mode) when the kernel interface layer calls the kernel execution layer;

4) Native API SSDT hook (System Service Dispatch Table hook) in the kernel execution layer;

5) Native API inline hook in the kernel execution layer;

6) Object parse routine hook in the registry parse routine;

7) Cm* routine hook in the Cm* registry implementation routines;

8) The CmpCallBack callback mechanism through which the Cm* registry implementation routines 105 call third-party drivers 106;

9) HvpGetCellPaged/HvpGetCellMapped object routine hook.

Although traditional security software vendors are aware of the many ways in which registry operation calls can be hijacked, most existing solutions consider only the hijacking risk in operating system user mode; in the kernel-mode contest they show a clear lack of capability, and their ability to counter driver-level malicious programs (rootkits) is weak.

Therefore, a technical problem that those skilled in the art urgently need to solve is to propose an execution mechanism for registry operations that strengthens the ability to contend with driver-level malware and avoids the potential for incompatibility between security products caused by interference with registry operations.

Summary of the invention

The technical problem to be solved by the present invention is to provide a method for executing a registry operation that strengthens the ability to contend with driver-level malware and avoids the potential for incompatibility between security products caused by interference with registry operations.

The present invention also provides a device for executing a registry operation, to ensure that the above method can be applied and realised in practice.

To solve the above problems, an embodiment of the present invention discloses a method for executing a registry operation, comprising:

obtaining a registry operation request, the request including caller input parameters;

setting registry kernel execution logic according to the caller input parameters, the kernel execution logic including tamper-point detection and repair logic and registry function call logic;

executing the tamper-point detection and repair logic, specifically detecting preset kernel execution flow tamper points and, when the original value of a kernel execution flow tamper point has changed, restoring the original value of that tamper point;

calling the corresponding registry function by means of the registry function call logic.

Preferably, the method further comprises:

after the registry function has been called, changing the kernel execution flow tamper point from its original value back to the changed value.

Preferably, the preset kernel execution flow tamper points include:

the registry object parse routine hook;

the CmpCallBack callback mechanism through which the Cm* registry implementation routines call third-party drivers;

Cm* registry function inline hooks;

the HvpGetCellPaged/HvpGetCellMapped object routine hook.

Preferably, the step of detecting the preset kernel execution flow tamper points and restoring the original value of a tamper point when that value has changed specifically comprises:

Sub-step S1: detect whether the original value of the registry object parse routine hook has changed; if so, go to sub-step S2, otherwise go to sub-step S3;

Sub-step S2: restore the original value of the registry object parse routine hook, then go to sub-step S3;

Sub-step S3: call the Cm* registry implementation routines and detect whether the original value of the Cm* registry function inline hook has changed; if so, go to sub-step S4, otherwise go to sub-step S5;

Sub-step S4: restore the original value of the Cm* registry function inline hook, then go to sub-step S5;

Sub-step S5: block the CmpCallBack callback mechanism, then go to sub-step S6;

Sub-step S6: detect whether the original value of the HvpGetCellPaged/HvpGetCellMapped object routine hook has changed; if so, go to sub-step S7, otherwise end;

Sub-step S7: restore the original value of the HvpGetCellPaged/HvpGetCellMapped object routine hook.

Preferably, the original values of the kernel execution flow tamper points are obtained at initialisation, and the changed values of the kernel execution flow tamper points are cached in kernel memory.

Preferably, before the registry operation request is obtained, the method further comprises:

the caller initiating a registry operation request and calling the corresponding registry operation interface routine, the request including caller input parameters;

constructing kernel-mode structure parameters according to the type of system platform, generating the corresponding registry operation control code from the kernel-mode structure parameters, and sending it to the operating system kernel.

Preferably, each registry operation interface routine comprises a narrow-character routine and a wide-character routine, and before the kernel-mode structure parameters are constructed the method further comprises:

the narrow-character registry operation interface routine converting the ANSI-related parameters among the caller input parameters to UNICODE and calling the corresponding wide-character registry operation interface routine.

Preferably, before the registry kernel execution logic is set, the method further comprises:

validating the caller input parameters against the registry operation request and, if validation passes, performing the step of setting the registry kernel execution logic.

Preferably, the caller input parameters carry user-mode addresses, and before the registry kernel execution logic is set the method further comprises:

reconstructing the user-mode addresses into kernel-mode memory space.

Preferably, the method further comprises:

if the registry function call succeeds, returning the corresponding handle;

if the registry function call fails, generating an error code and returning to user mode.

Preferably, the registry operation interface routines are consistent with the standard Windows API and include: the registry key creation routine BRegCreateKey, the extended registry key creation routine BRegCreateKeyEx, the registry key open routine BRegOpenKey, the extended registry key open routine BRegOpenKeyEx, the extended registry value query routine BRegQueryValueEx, the registry value set routine BRegSetValueEx, the registry key enumeration routine BRegEnumKey, the extended registry key enumeration routine BRegEnumKeyEx, the registry value enumeration routine BRegEnumValue, the registry key deletion routine BRegDeleteKey, the extended registry key deletion routine BRegDeleteKeyEx, the registry value deletion routine BRegDeleteValue and/or the registry handle close routine BRegCloseKey.

Preferably, the control codes include: the registry create control code REGCTL_CREATE_KEY, the registry open control code REGCTL_OPEN_KEY, the registry query value control code REGCTL_QUERY_VALUE_KEY, the registry set value control code REGCTL_SET_VALUE_KEY, the registry enumerate key control code REGCTL_ENUMERATE_KEY, the registry enumerate value control code REGCTL_ENUMERATE_VALUE_KEY, the registry delete key control code REGCTL_DELETE_KEY and/or the registry delete value control code REGCTL_DELETE_VALUE_KEY.

An embodiment of the present invention also discloses a device for executing a registry operation, comprising:

a request acquisition module for obtaining a registry operation request, the request including caller input parameters;

a kernel execution logic setting module for setting registry kernel execution logic according to the caller input parameters, the kernel execution logic including tamper-point detection and repair logic and registry function call logic;

a tamper-point detection and repair logic execution module for executing the tamper-point detection and repair logic, specifically detecting preset kernel execution flow tamper points and, when the original value of a kernel execution flow tamper point has changed, restoring its original value;

a registry function call logic execution module for calling the corresponding registry function by means of the registry function call logic.

Preferably, the device further comprises:

a tamper-point write-back module for changing the kernel execution flow tamper point from its original value back to the changed value after the registry function has been called.

Preferably, the preset kernel execution flow tamper points include:

the registry object parse routine hook;

the CmpCallBack callback mechanism through which the Cm* registry implementation routines call third-party drivers;

Cm* registry function inline hooks;

the HvpGetCellPaged/HvpGetCellMapped object routine hook.

Preferably, the original values of the kernel execution flow tamper points are obtained at initialisation, and the changed values of the kernel execution flow tamper points are cached in kernel memory.

Preferably, the device further comprises:

a user-mode request sending module for initiating a registry operation request and calling the corresponding registry operation interface routine, the request including caller input parameters;

a control code sending module for constructing kernel-mode structure parameters according to the type of system platform, generating the corresponding registry operation control code from the kernel-mode structure parameters, and sending it to the operating system kernel.

Preferably, the device further comprises:

a parameter validation module for validating the caller input parameters against the registry operation request and, if validation passes, invoking the kernel execution logic setting module.

Preferably, the caller input parameters carry user-mode addresses, and the device further comprises:

an address reconstruction module for reconstructing the user-mode addresses into kernel-mode memory space.

Preferably, the device further comprises:

a handle return module for returning the corresponding handle when the registry function call succeeds;

an error code return module for generating an error code and returning to user mode when the registry function call fails.

Compared with the prior art, the present application has the following advantages:

The present invention builds a trusted environment for registry operations around the full life cycle of registry behaviour: a complete library of registry operation calls is implemented at the operating system's user-mode interface, and a kernel-mode driver receives and validates the requests coming from user mode. By simulating the behaviour of the kernel execution layer itself, detecting and restoring object parse hooks, blocking the kernel registry callback mechanism and similar methods, it penetrates (or bypasses) third-party drivers, thereby ensuring that the environment in which a registry operation request executes is genuine and trustworthy. Moreover, the synchronous kernel call returns the handle information and the call status to user mode. The present invention proposes an overall solution for registry penetration that covers not only the user-mode contest but also the kernel-mode contest: on the one hand the scheme effectively avoids the potential for incompatibility between security products caused by interference with registry operations, and on the other it effectively strengthens the ability to contend with driver-level malware.

Description of the drawings

Figure 1 is a schematic diagram of the execution of an operating system registry operation;

Figure 2 is a flow chart of the steps of Embodiment 1 of a method for executing a registry operation according to the present invention;

Figure 3 is a flow chart of the steps for detecting and restoring kernel execution flow tamper points in the present invention;

Figure 4 is a flow chart of the steps of Embodiment 2 of a method for executing a registry operation according to the present invention;

Figure 5 is a structural block diagram of an embodiment of a device for executing a registry operation according to the present invention.

Detailed description

To make the above objects, features and advantages of the present invention clearer and easier to understand, the present invention is described in further detail below with reference to the drawings and specific embodiments.

One of the core ideas of the embodiments of the present invention is to build a trusted environment for registry operations around the full life cycle of registry behaviour: a complete library of registry operation calls is implemented at the operating system's user-mode interface, and a kernel-mode driver receives and validates the requests coming from user mode. By simulating the behaviour of the kernel execution layer itself, detecting and restoring object parse hooks, blocking the kernel registry callback mechanism and similar methods, it penetrates (or bypasses) third-party drivers, thereby ensuring that the environment in which a registry operation request executes is genuine and trustworthy. Moreover, the synchronous kernel call returns the handle information and the call status to user mode. The present invention proposes an overall solution for registry penetration that covers not only the user-mode contest but also the kernel-mode contest: on the one hand the scheme effectively avoids the potential for incompatibility between security products caused by interference with registry operations, and on the other it effectively strengthens the ability to contend with driver-level malware.

Referring to Figure 2, which shows a flow chart of the steps of Embodiment 1 of a method for executing a registry operation according to the present invention, the method may specifically comprise the following steps:

Step 201: obtain a registry operation request, the request including caller input parameters;

Step 202: set registry kernel execution logic according to the caller input parameters, the kernel execution logic including tamper-point detection and repair logic and registry function call logic;

In a specific implementation, when a registry operation request is obtained, the caller input parameters it contains are validated; if validation passes, the registry function call logic can be set by constructing a _PARSE_CONTEXT (parse context) structure, and the tamper-point detection and repair logic to be executed before the registry function call is set as well. In other words, this embodiment actively "simulates" the kernel execution layer: it constructs the _PARSE_CONTEXT structure itself and only then calls the underlying system functions.

In another preferred embodiment of the present invention, a "forged" kernel may be used instead: the kernel file on disk is mapped into memory and, after relocation, the relevant execution layer functions are extracted in their entirety (because the extraction is complete, the extracted code already contains the construction of the _PARSE_CONTEXT structure).

Of course, the above methods of setting the registry kernel execution logic are only examples; those skilled in the art may set the registry kernel execution logic in any manner suited to the actual situation, and the present invention places no restriction on this.
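The parameter validation and user-to-kernel address reconstruction that steps 201 and 202 perform on a request arriving from the BReg* routines with a REGCTL_* control code, as an added C illustration that is not the patent's or the applicant's code. The control-code names are the ones the patent lists; the struct layouts, the 255-character key limit and the error-code values are assumptions for this example, and the model runs entirely in user mode (a null check stands in for the kernel's probing of user addresses).

```c
/* Added illustration: the kernel side validates the caller's parameters and
 * copies them into kernel-owned memory before using them, so that nothing
 * later in the execution flow touches user memory again. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <wchar.h>

/* Control codes named in the patent; numeric values are assumed. */
enum { REGCTL_CREATE_KEY = 1, REGCTL_OPEN_KEY, REGCTL_QUERY_VALUE_KEY,
       REGCTL_SET_VALUE_KEY, REGCTL_ENUMERATE_KEY, REGCTL_ENUMERATE_VALUE_KEY,
       REGCTL_DELETE_KEY, REGCTL_DELETE_VALUE_KEY };

#define MAX_KEY_CHARS 255            /* assumed limit on the key path length */

/* What user mode sends: a control code plus pointers into user memory. */
typedef struct {
    uint32_t       control_code;
    const wchar_t *key_path;         /* user-mode address */
    uint32_t       key_path_bytes;   /* size of key_path including the terminator */
} user_request;

/* Kernel-owned reconstruction: every field lives in kernel memory. */
typedef struct {
    uint32_t control_code;
    wchar_t  key_path[MAX_KEY_CHARS + 1];
} kernel_request;

/* Error codes returned to user mode (assumed values). */
enum { REG_OK = 0, REG_ERR_BAD_CODE = 1, REG_ERR_BAD_POINTER = 2,
       REG_ERR_BAD_LENGTH = 3, REG_ERR_NOT_TERMINATED = 4 };

/* Validate the request and reconstruct it in kernel memory. */
int kernel_capture_request(const user_request *ur, kernel_request *kr) {
    if (ur->control_code < REGCTL_CREATE_KEY || ur->control_code > REGCTL_DELETE_VALUE_KEY)
        return REG_ERR_BAD_CODE;
    if (ur->key_path == NULL)
        return REG_ERR_BAD_POINTER;          /* stands in for probing the user address */
    if (ur->key_path_bytes < sizeof(wchar_t) ||
        ur->key_path_bytes % sizeof(wchar_t) != 0 ||
        ur->key_path_bytes > (MAX_KEY_CHARS + 1) * sizeof(wchar_t))
        return REG_ERR_BAD_LENGTH;
    /* Exactly one copy out of user memory; every later check reads kr only,
     * so user mode cannot change the data between validation and use. */
    size_t nchars = ur->key_path_bytes / sizeof(wchar_t);
    memcpy(kr->key_path, ur->key_path, ur->key_path_bytes);
    if (kr->key_path[nchars - 1] != L'\0')
        return REG_ERR_NOT_TERMINATED;       /* checked on the kernel copy */
    kr->control_code = ur->control_code;
    return REG_OK;
}

/* Scenario: user mode rewrites its buffer after the kernel captured it.
 * Returns 1 when the kernel copy is unaffected. Inputs are constructed. */
int demo_capture_then_user_mutates(void) {
    wchar_t buf[] = L"SOFTWARE\\ExampleVendor";
    user_request ur = { REGCTL_OPEN_KEY, buf, (uint32_t)sizeof buf };
    kernel_request kr;
    if (kernel_capture_request(&ur, &kr) != REG_OK) return -1;
    buf[0] = L'X';                           /* late modification by the caller */
    return wcscmp(kr.key_path, L"SOFTWARE\\ExampleVendor") == 0;
}

/* Scenario: a control code outside the REGCTL_* set is rejected. */
int demo_reject_unknown_code(void) {
    wchar_t buf[] = L"SOFTWARE";
    user_request ur = { 99, buf, (uint32_t)sizeof buf };
    kernel_request kr;
    return kernel_capture_request(&ur, &kr);
}

/* Scenario: a path with no terminator inside the declared length is rejected
 * before anything downstream could run off the end of it. */
int demo_reject_unterminated(void) {
    wchar_t raw[4] = { L'A', L'B', L'C', L'D' };
    user_request ur = { REGCTL_DELETE_KEY, raw, (uint32_t)sizeof raw };
    kernel_request kr;
    return kernel_capture_request(&ur, &kr);
}
```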

Step 203: execute the tamper-point detection and repair logic, specifically detecting the preset kernel execution flow tamper points and, when the original value of a kernel execution flow tamper point has changed, restoring its original value;

In a specific implementation, the preset kernel execution flow tamper points may include: the registry object parse routine hook; the CmpCallBack callback mechanism through which the Cm* registry implementation routines call third-party drivers; Cm* registry function inline hooks; and the HvpGetCellPaged/HvpGetCellMapped object routine hook. The original value of each kernel execution flow tamper point can be obtained at system initialisation.

Of course, the above kernel execution flow tamper points are only examples; the preset tamper points may be chosen freely by those skilled in the art according to actual needs, and the present invention need not restrict them.

Referring to Figure 3, in a preferred embodiment of the present invention the step of detecting the preset kernel execution flow tamper points and restoring the original value of a tamper point when that value has changed may specifically comprise the following sub-steps:

Sub-step S1: detect whether the original value of the registry object parse routine hook has changed; if so, go to sub-step S2, otherwise go to sub-step S3;

Sub-step S2: restore the original value of the registry object parse routine hook, then go to sub-step S3;

Sub-step S3: call the Cm* registry implementation routines and detect whether the original value of the Cm* registry function inline hook has changed; if so, go to sub-step S4, otherwise go to sub-step S5;

Sub-step S4: restore the original value of the Cm* registry function inline hook, then go to sub-step S5;

Sub-step S5: block the CmpCallBack callback mechanism, then go to sub-step S6;

Sub-step S6: detect whether the original value of the HvpGetCellPaged/HvpGetCellMapped object routine hook has changed; if so, go to sub-step S7, otherwise end;

Sub-step S7: restore the original value of the HvpGetCellPaged/HvpGetCellMapped object routine hook.

In a specific implementation, if a kernel execution flow tamper point is found to have changed, its changed value can be recorded in kernel-mode memory so that it can be written back once the registry function call has completed.

Of course, the above method of detecting and repairing tamper points is only an example; those skilled in the art may arrange the detection and repair of the tamper points in any order suited to actual needs, for example detecting all the tamper points first and then restoring those that have changed in one pass, and the present invention places no restriction on this.

Step 204: call the corresponding registry function using the registry function call logic.

In a specific implementation, the embodiment of the present invention may further include the following step:

Step 205: after the registry function has been called, change the kernel execution flow tampering points from their original values back to the changed values.

In practice, some kernel execution flow tampering points change because other security software has rewritten them. Therefore, after the call to the underlying system registry implementation function completes, the kernel execution flow tampering points need to be written back so that the other security software keeps working normally. Specifically, the changed value saved while the original value was being restored is fetched from kernel-mode memory, and the corresponding kernel execution flow tampering point is written back to that changed value.

After the registry function call completes, the registry operation execution flow continues into the registry parse routine, which calls the Cm* registry implementation routine, which in turn directly calls the HvpGetCellPaged/HvpGetCellMapped object routine. Because the CmpCallBack callback mechanism has been blocked, the Cm* registry implementation routine no longer calls third-party drivers, so third-party drivers (other security software and driver-level malicious programs) are bypassed.
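The check-and-restore sub-steps of FIG. 3 and the write-back of step 205, as an added C example that is not part of the patent and not any vendor's code. It runs in user mode as a simulation: the tampering points are modelled as a small table of machine words with constructed values, a baseline is snapshotted at initialization (step 401), any changed value is cached and the original put back before the registry call, and the cached values are written back afterwards. The blocking of the CmpCallBack mechanism (sub-step S5) is not modelled; all type, function and field names are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Kinds of kernel execution flow tampering point named in the description.
 * Blocking of the CmpCallBack mechanism (sub-step S5) is not modelled. */
enum tamper_point {
    TP_PARSE_ROUTINE_HOOK = 0,  /* registry object parse routine hook    */
    TP_CM_INLINE_HOOK,          /* Cm* registry function inline hook     */
    TP_HVP_GETCELL_HOOK,        /* HvpGetCellPaged/HvpGetCellMapped hook */
    TP_COUNT
};

/* A simulated execution-flow slot. In a driver this would be a function
 * pointer in an object type or the first bytes of a Cm* routine; here it
 * is a plain machine word so the bookkeeping can run in user mode. */
typedef uintptr_t tp_value;

struct tp_state {
    tp_value original[TP_COUNT];    /* snapshot taken at initialization    */
    tp_value changed[TP_COUNT];     /* value found at check time, if any   */
    int      pending[TP_COUNT];     /* 1 = changed value awaits write-back */
};

/* Step 401: record the original value of every tampering point. */
void tp_init(struct tp_state *st, const tp_value *slots)
{
    memcpy(st->original, slots, sizeof st->original);
    memset(st->changed, 0, sizeof st->changed);
    memset(st->pending, 0, sizeof st->pending);
}

/* Sub-steps S1-S4, S6, S7: compare each slot with its original value; if
 * it differs, cache the changed value and put the original back.
 * Returns how many points had been altered. */
int tp_check_and_restore(struct tp_state *st, tp_value *slots)
{
    int altered = 0;
    for (int i = 0; i < TP_COUNT; i++) {
        if (slots[i] != st->original[i]) {
            st->changed[i] = slots[i];
            st->pending[i] = 1;
            slots[i] = st->original[i];
            altered++;
        }
    }
    return altered;
}

/* Step 205: after the registry call, write the cached changed values back
 * so that other software that installed them keeps working.
 * Returns the number of points written back. */
int tp_write_back(struct tp_state *st, tp_value *slots)
{
    int written = 0;
    for (int i = 0; i < TP_COUNT; i++) {
        if (st->pending[i]) {
            slots[i] = st->changed[i];
            st->pending[i] = 0;
            written++;
        }
    }
    return written;
}

/* Walk-through with constructed values: one slot is altered between
 * initialization and the registry call. Returns 1 if every phase behaved
 * as described (detected, restored for the call, written back afterwards). */
int demo_round_trip(void)
{
    tp_value slots[TP_COUNT] = { 0x1000, 0x2000, 0x3000 };   /* constructed */
    struct tp_state st;
    tp_init(&st, slots);

    slots[TP_CM_INLINE_HOOK] = 0xBAD0;  /* constructed: rewritten by a third party */

    int altered  = tp_check_and_restore(&st, slots);
    int restored = (slots[TP_CM_INLINE_HOOK] == 0x2000);
    /* ... the registry function would be called here ... */
    int written  = tp_write_back(&st, slots);
    int back     = (slots[TP_CM_INLINE_HOOK] == 0xBAD0);

    return altered == 1 && restored && written == 1 && back;
}

/* Same walk-through with nothing altered: nothing is restored or written back. */
int demo_untouched(void)
{
    tp_value slots[TP_COUNT] = { 0x1000, 0x2000, 0x3000 };   /* constructed */
    struct tp_state st;
    tp_init(&st, slots);
    return tp_check_and_restore(&st, slots) == 0 && tp_write_back(&st, slots) == 0;
}
```

The separation into a check phase and a write-back phase is what lets the registry call run against the original execution flow while the other software's hooks are reinstated immediately afterwards; the `pending` flags make the write-back idempotent, so calling it twice does not reapply a stale value.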

Referring to FIG. 4, a flow chart of the steps of Embodiment 2 of a registry operation execution method of the present invention is shown, which may specifically include:

Step 401: load the registry operation interface routines and obtain the original values of the preset kernel execution flow tampering points;

As is well known, a routine is a collection of function interfaces or services that a system provides externally; for example, the operating system's APIs and services are routines.

As an example of a specific application, the registry operation interface routines may include: the registry key creation routine BRegCreateKey, the registry extended key creation routine BRegCreateKeyEx, the registry key open routine BRegOpenKey, the registry extended key open routine BRegOpenKeyEx, the registry extended value query routine BRegQueryValueEx, the registry value set routine BRegSetValueEx, the registry key enumeration routine BRegEnumKey, the registry extended key enumeration routine BRegEnumKeyEx, the registry value enumeration routine BRegEnumValue, the registry key delete routine BRegDeleteKey, the registry extended key delete routine BRegDeleteKeyEx, the registry value delete routine BRegDeleteValue and/or the registry handle close routine BRegCloseKey. The registry operation interface routines are defined (calling convention, call parameters) consistently with the corresponding standard WINDOWS APIs. Each of the above routines has a narrow-character variant and a wide-character variant; BRegCreateKey, for example, has the narrow-character routine BRegCreateKeyA and the wide-character routine BRegCreateKeyW. BRegCreateKeyA converts its input parameters to UNICODE, while BRegCreateKeyW actually performs the parameter conversion, control code communication and so on.

Step 402: the caller initiates a registry operation request and calls the corresponding registry operation interface routine; the request includes the caller's input parameters;

Step 403: if the registry operation interface routine is a narrow-character routine, convert the ANSI-related parameters among the caller's input parameters to UNICODE and call the corresponding wide-character registry operation interface routine;

As is well known, characters in ANSI occupy 8 bits while characters in UNICODE occupy 16 bits. (ANSI stores English characters in a single byte and Chinese and similar characters in two bytes, whereas under Unicode both English and Chinese characters are stored in two bytes.)

Of course, if a wide-character routine is called directly, this step need not be performed.

Step 404: construct kernel-mode structure parameters according to the system platform type, generate the corresponding registry operation control code according to the kernel-mode structure parameters, and send it to the operating system kernel mode;

The system platform types include 32-bit, 64-bit and 32-bit compatibility mode. As an example of a specific application of the present invention, the control codes corresponding to the registry operation interface routines include: the registry create control code REGCTL_CREATE_KEY, the registry open control code REGCTL_OPEN_KEY, the registry query value control code REGCTL_QUERY_VALUE_KEY, the registry set value control code REGCTL_SET_VALUE_KEY, the registry enumerate key control code REGCTL_ENUMERATE_KEY, the registry enumerate value control code REGCTL_ENUMERATE_VALUE_KEY, the registry delete key control code REGCTL_DELETE_KEY and/or the registry delete value control code REGCTL_DELETE_VALUE_KEY. The control codes define the unified identifiers used when the operating system's user mode communicates with the kernel-mode driver.

In practice, when user mode communicates with the kernel-mode driver, the input and output buffers may be transferred using the METHOD_BUFFERED method. With METHOD_BUFFERED, a buffer is first allocated and data is then copied through that buffer; the buffer is as large as the larger of the input buffer and the output buffer. The input buffer is copied into the new buffer. Before returning, the return data is simply copied into that same buffer. The return value is placed in the IO_STATUS_BLOCK, and the I/O manager copies the data to the output buffer.

Step 405: the operating system kernel mode obtains the registry operation request, verifies the caller's input parameters, and reconstructs (captures) the user-mode addresses into kernel-mode memory space;

Step 406: if the input parameters pass verification, construct a _PARSE_CONTEXT structure from the caller's input parameters to set the registry function call logic, and set the registry kernel execution logic;

Step 407: execute the tampering point detection and repair logic, specifically, detect the preset kernel execution flow tampering points and, when the original value of a kernel execution flow tampering point has changed, restore the original value of that kernel execution flow tampering point;

Step 408: call the corresponding registry function using the registry function call logic; if the call succeeds, execute step 409; if the call fails, execute step 410;

Step 409: return the corresponding handle;

Step 410: generate an error code and return to user mode;

In a specific implementation, if the call fails, the user-mode interface may set the corresponding error code so that the caller thread can obtain detailed error information through the GetLastError routine.

Step 411: after the registry function has been called, change the kernel execution flow tampering points from their original values back to the changed values.

To help those skilled in the art better understand the present invention, the present invention is described in detail below taking the registry key creation process as an example.

(1) The caller process initiates a BRegCreateKeyA registry creation request;

(2) The BRegCreateKeyA routine converts the ANSI-related parameters to UNICODE and calls the BRegCreateKeyW routine;

(3) The BRegCreateKeyW routine determines the system platform (32-bit, 64-bit or 32-bit compatibility mode), constructs the structure parameters, sends the control code REGCTL_CREATE_KEY and waits synchronously for the return;

(4) The kernel part of the BRegCreateKeyW routine receives the user-mode request, verifies the input parameters and captures the addresses into kernel memory;

(5) The BRegCreateKeyW routine constructs the _PARSE_CONTEXT structure and calls the underlying system registry implementation function; before the call, the following tampering point detection and repair operations are performed:

A1. Detect and repair potential registry object parse routine hooking;

A2. Detect and repair potential CmpCallback kernel callback problems;

A3. Detect and repair potential Cm*-level registry function inline hooking;

A4. Detect and repair potential HvpGetCellPaged/HvpGetCellMapped object routine hooking.

(6) If the call succeeds, the corresponding handle is returned; if the routine call fails, the driver returns the corresponding error code to user mode.

(7) The synchronous request returns; if the call failed, the user-mode interface sets the corresponding error code so that the caller thread can obtain detailed error information through the GetLastError routine.
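The user-mode to kernel-mode request path of steps (3) and (4) above (and steps 404 and 405 of FIG. 4), as an added C example that is not the patent's code and not any vendor's driver. It runs in user mode as a simulation of the I/O manager and the driver: the control code layout is the documented Windows CTL_CODE layout, but the function numbers 0x800 and 0x801, the request and reply structures, the status values and every function name are assumptions. The point it shows is the METHOD_BUFFERED round trip (one system buffer, sized to the larger of input and output, shared by request and reply) and why the driver captures the caller's parameters into its own memory before validating and using them.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Layout of a Windows I/O control code (the DDK's CTL_CODE macro):
 * DeviceType << 16 | Access << 14 | Function << 2 | Method. */
#define METHOD_BUFFERED      0u
#define FILE_ANY_ACCESS      0u
#define FILE_DEVICE_UNKNOWN  0x22u
#define CTL_CODE(dev, func, method, access) \
    (((dev) << 16) | ((access) << 14) | ((func) << 2) | (method))
#define CTL_METHOD(code)    ((code) & 3u)
#define CTL_FUNCTION(code)  (((code) >> 2) & 0xFFFu)

/* Two of the control codes named in the description. The function numbers
 * 0x800 and 0x801 are assumptions; the patent gives only the names. */
#define REGCTL_CREATE_KEY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800u, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define REGCTL_OPEN_KEY   CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801u, METHOD_BUFFERED, FILE_ANY_ACCESS)

enum { PLATFORM_X86 = 0, PLATFORM_X64 = 1, PLATFORM_WOW64 = 2 };
#define MAX_KEY_PATH 64

/* Constructed request and reply layouts carried through the system buffer. */
struct reg_request {
    uint32_t platform;               /* one of the PLATFORM_* values         */
    uint32_t path_len;               /* bytes in key_path, excluding the NUL */
    char     key_path[MAX_KEY_PATH];
};
struct reg_reply { int32_t status; uint32_t handle; };

#define STATUS_SUCCESS                 0
#define STATUS_INVALID_PARAMETER      (-1)
#define STATUS_INVALID_DEVICE_REQUEST (-2)

/* Driver side (steps 405-406): capture the request into a driver-owned copy
 * and validate only that copy, so no field can change between the check and
 * its use. With METHOD_BUFFERED the reply is written into the same buffer,
 * which is a second reason to copy the request out before producing it. */
static int32_t kernel_dispatch(uint32_t code, void *sysbuf,
                               size_t in_len, size_t out_len, size_t *info)
{
    struct reg_request req;                       /* captured copy */
    struct reg_reply reply = { STATUS_SUCCESS, 0 };
    *info = 0;
    if (CTL_METHOD(code) != METHOD_BUFFERED)
        return STATUS_INVALID_DEVICE_REQUEST;
    if (in_len < sizeof req || out_len < sizeof reply)
        return STATUS_INVALID_PARAMETER;          /* buffers too small */
    memcpy(&req, sysbuf, sizeof req);
    if (req.platform > PLATFORM_WOW64 || req.path_len >= MAX_KEY_PATH ||
        req.key_path[req.path_len] != '\0' || strlen(req.key_path) != req.path_len)
        return STATUS_INVALID_PARAMETER;          /* inconsistent parameters */
    /* A real driver would now build its parse context and run the
     * tampering-point checks; here a constructed handle is handed back. */
    reply.handle = 0x100u + CTL_FUNCTION(code);
    memcpy(sysbuf, &reply, sizeof reply);         /* reply shares the buffer */
    *info = sizeof reply;
    return STATUS_SUCCESS;
}

/* Caller side plus the I/O manager's METHOD_BUFFERED behaviour: one system
 * buffer sized to the larger of input and output, input copied in, driver
 * called, then 'info' bytes copied back to the caller's output buffer. */
int32_t user_send_request(uint32_t code, const struct reg_request *in,
                          struct reg_reply *out)
{
    size_t in_len = sizeof *in, out_len = sizeof *out, info = 0;
    size_t sys_len = in_len > out_len ? in_len : out_len;
    void *sysbuf = calloc(1, sys_len);
    if (sysbuf == NULL)
        return STATUS_INVALID_PARAMETER;
    memcpy(sysbuf, in, in_len);
    int32_t status = kernel_dispatch(code, sysbuf, in_len, out_len, &info);
    if (info > 0)
        memcpy(out, sysbuf, info < out_len ? info : out_len);
    free(sysbuf);
    return status;
}

static struct reg_request make_request(const char *path, uint32_t platform)
{
    struct reg_request r;
    memset(&r, 0, sizeof r);
    r.platform = platform;
    r.path_len = (uint32_t)strlen(path);
    if (r.path_len < MAX_KEY_PATH)
        memcpy(r.key_path, path, r.path_len);
    return r;
}

/* Well-formed open request (constructed path): returns the handle handed back. */
uint32_t demo_open_ok(void)
{
    struct reg_request r = make_request("Software\\ExampleVendor", PLATFORM_X64);
    struct reg_reply out = { 0, 0 };
    return user_send_request(REGCTL_OPEN_KEY, &r, &out) == STATUS_SUCCESS ? out.handle : 0;
}

/* Request that lies about its own length: rejected before any field is used. */
int32_t demo_bad_length(void)
{
    struct reg_request r = make_request("Software\\ExampleVendor", PLATFORM_X86);
    struct reg_reply out = { 0, 0 };
    r.path_len = MAX_KEY_PATH + 10;
    return user_send_request(REGCTL_CREATE_KEY, &r, &out);
}
```

Every check in `kernel_dispatch` runs against `req`, the captured copy, never against `sysbuf`; the length checks come first so that `req.key_path[req.path_len]` is only indexed once `path_len` is known to be in range.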

It should be noted that, for the sake of brevity, the method embodiments are described as a series of combined actions; those skilled in the art should be aware, however, that the present invention is not limited by the described order of actions, since according to the present invention some steps may be performed in another order or concurrently. Secondly, those skilled in the art should also be aware that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.

Referring to FIG. 5, a structural block diagram of an embodiment of a registry operation execution apparatus of the present invention is shown, which may specifically include the following modules:

a request obtaining module 51, configured to obtain a registry operation request, the request including the caller's input parameters;

a kernel execution logic setting module 52, configured to set the registry kernel execution logic according to the caller's input parameters, the kernel execution logic including tampering point detection and repair logic and registry function call logic;

a tampering point detection and repair logic execution module 53, configured to execute the tampering point detection and repair logic, specifically to detect the preset kernel execution flow tampering points and, when the original value of a kernel execution flow tampering point has changed, restore the original value of that kernel execution flow tampering point;

a registry function call logic execution module 54, configured to call the corresponding registry function using the registry function call logic.

In a specific implementation, the apparatus may further include the following module:

a tampering point write-back module 55, configured to change the kernel execution flow tampering points from their original values back to the changed values after the registry function has been called.

In a preferred embodiment of the present invention, the preset kernel execution flow tampering points may include:

the registry object parse routine hook;

the CmpCallBack callback mechanism by which the Cm* registry implementation routines call third-party drivers;

Cm* registry function inline hooks;

the HvpGetCellPaged/HvpGetCellMapped object routine hook.

In practice, the original values of the kernel execution flow tampering points may be obtained at initialization, and the changed values of the kernel execution flow tampering points may be cached in kernel memory.

In a preferred embodiment of the present invention, the apparatus may further include the following modules:

a user-mode request sending module, configured to initiate a registry operation request and call the corresponding registry operation interface routine, the request including the caller's input parameters;

a control code sending module, configured to construct kernel-mode structure parameters according to the system platform type, generate the corresponding registry operation control code according to the kernel-mode structure parameters, and send it to the operating system kernel mode.

In a specific implementation, the apparatus may further include the following module:

a parameter verification module, configured to verify the caller's input parameters according to the registry operation request and, if verification passes, invoke the kernel execution logic setting module.

As an example of a specific application, the caller's input parameters have user-mode addresses, and the apparatus may further include the following module:

an address reconstruction module, configured to reconstruct the user-mode addresses into kernel-mode memory space.

In a specific implementation, the apparatus may further include the following modules:

a handle return module, configured to return the corresponding handle when the call to the registry function succeeds;

an error code return module, configured to generate an error code and return to user mode when the call to the registry function fails.

Since the apparatus embodiment essentially corresponds to the method embodiments shown in FIG. 2 and FIG. 4 above, details not described in this embodiment may be found in the relevant description of the preceding embodiments and are not repeated here.

The present invention can be used in numerous general-purpose or special-purpose computing system environments or configurations, for example: personal computers, server computers, handheld or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and so on.

The present invention may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The present invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are connected through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.

The registry operation execution method and registry operation execution apparatus provided by the present invention have been described in detail above. Specific examples have been used herein to explain the principle and implementations of the present invention, and the description of the above embodiments is only intended to help understand the method of the present invention and its core idea. At the same time, those of ordinary skill in the art may, following the idea of the present invention, make changes to the specific implementation and the scope of application. In summary, the contents of this specification should not be construed as limiting the present invention.

Claims (20)

1. A registry operation execution method, characterized in that it comprises:
obtaining a registry operation request, the request including the caller's input parameters;
setting registry kernel execution logic according to the caller's input parameters, the kernel execution logic including tampering point detection and repair logic and registry function call logic;
executing the tampering point detection and repair logic, specifically detecting preset kernel execution flow tampering points and, when the original value of a kernel execution flow tampering point has changed, restoring the original value of that kernel execution flow tampering point;
calling the corresponding registry function using the registry function call logic.

2. The method according to claim 1, further comprising:
after the registry function has been called, changing the original value of the kernel execution flow tampering point back to the changed value.

3. The method according to claim 1 or 2, wherein the preset kernel execution flow tampering points include:
the registry object parse routine hook;
the CmpCallBack callback mechanism by which the Cm* registry implementation routines call third-party drivers;
Cm* registry function inline hooks;
the HvpGetCellPaged/HvpGetCellMapped object routine hook.

4. The method according to claim 3, wherein the step of detecting the preset kernel execution flow tampering points and restoring the original value of a tampering point when the original value of that kernel execution flow tampering point has changed specifically includes:
Sub-step S1: detecting whether the original value of the registry object parse routine hook has changed; if so, executing sub-step S2, otherwise executing sub-step S3;
Sub-step S2: restoring the original value of the registry object parse routine hook, then going to sub-step S3;
Sub-step S3: invoking the Cm* registry implementation routine and detecting whether the original value at the Cm* registry function inline hook has changed; if so, executing sub-step S4, otherwise executing sub-step S5;
Sub-step S4: restoring the original value at the Cm* registry function inline hook, then going to sub-step S5;
Sub-step S5: blocking the CmpCallBack callback mechanism, then going to sub-step S6;
Sub-step S6: detecting whether the original value of the HvpGetCellPaged/HvpGetCellMapped object routine hook has changed; if so, executing sub-step S7, otherwise ending;
Sub-step S7: restoring the original value of the HvpGetCellPaged/HvpGetCellMapped object routine hook.

5. The method according to claim 4, wherein the original values of the kernel execution flow tampering points are obtained at initialization, and the changed values of the kernel execution flow tampering points are cached in kernel memory.

6. The method according to claim 1 or 2, further comprising, before obtaining the registry operation request:
the caller initiating a registry operation request and calling the corresponding registry operation interface routine, the request including the caller's input parameters;
constructing kernel-mode structure parameters according to the system platform type, generating the corresponding registry operation control code according to the kernel-mode structure parameters, and sending it to the operating system kernel mode.

7. The method according to claim 6, wherein each registry operation interface routine includes a narrow-character routine and a wide-character routine, and the method further comprises, before constructing the kernel-mode structure parameters:
the narrow-character registry operation interface routine converting the ANSI-related parameters among the caller's input parameters to UNICODE and calling the corresponding wide-character registry operation interface routine.

8. The method according to claim 7, further comprising, before setting the registry kernel execution logic:
verifying the caller's input parameters according to the registry operation request and, if verification passes, executing the step of setting the registry kernel execution logic.

9. The method according to claim 8, wherein the caller's input parameters have user-mode addresses, and the method further comprises, before setting the registry kernel execution logic:
reconstructing the user-mode addresses into kernel-mode memory space.

10. The method according to claim 7, 8 or 9, further comprising:
if the call to the registry function succeeds, returning the corresponding handle;
if the call to the registry function fails, generating an error code and returning to user mode.

11. The method according to claim 10, wherein the registry operation interface routines are consistent with the standard WINDOWS APIs and include: the registry key creation routine BRegCreateKey, the registry extended key creation routine BRegCreateKeyEx, the registry key open routine BRegOpenKey, the registry extended key open routine BRegOpenKeyEx, the registry extended value query routine BRegQueryValueEx, the registry value set routine BRegSetValueEx, the registry key enumeration routine BRegEnumKey, the registry extended key enumeration routine BRegEnumKeyEx, the registry value enumeration routine BRegEnumValue, the registry key delete routine BRegDeleteKey, the registry extended key delete routine BRegDeleteKeyEx, the registry value delete routine BRegDeleteValue and/or the registry handle close routine BRegCloseKey.

12. The method according to claim 11, wherein the control codes include: the registry create control code REGCTL_CREATE_KEY, the registry open control code REGCTL_OPEN_KEY, the registry query value control code REGCTL_QUERY_VALUE_KEY, the registry set value control code REGCTL_SET_VALUE_KEY, the registry enumerate key control code REGCTL_ENUMERATE_KEY, the registry enumerate value control code REGCTL_ENUMERATE_VALUE_KEY, the registry delete key control code REGCTL_DELETE_KEY and/or the registry delete value control code REGCTL_DELETE_VALUE_KEY.

13. A registry operation execution apparatus, characterized in that it comprises:
a request obtaining module, configured to obtain a registry operation request, the request including the caller's input parameters;
a kernel execution logic setting module, configured to set the registry kernel execution logic according to the caller's input parameters, the kernel execution logic including tampering point detection and repair logic and registry function call logic;
a tampering point detection and repair logic execution module, configured to execute the tampering point detection and repair logic, specifically to detect the preset kernel execution flow tampering points and, when the original value of a kernel execution flow tampering point has changed, restore the original value of that kernel execution flow tampering point;
a registry function call logic execution module, configured to call the corresponding registry function using the registry function call logic.

14. The apparatus according to claim 13, further comprising:
a tampering point write-back module, configured to change the original value of the kernel execution flow tampering point back to the changed value after the registry function has been called.

15. The apparatus according to claim 13 or 14, wherein the preset kernel execution flow tampering points include:
the registry object parse routine hook;
the CmpCallBack callback mechanism by which the Cm* registry implementation routines call third-party drivers;
Cm* registry function inline hooks;
the HvpGetCellPaged/HvpGetCellMapped object routine hook.

16. The apparatus according to claim 15, wherein the original values of the kernel execution flow tampering points are obtained at initialization, and the changed values of the kernel execution flow tampering points are cached in kernel memory.

17. The apparatus according to claim 13 or 14, further comprising:
a user-mode request sending module, configured to initiate a registry operation request and call the corresponding registry operation interface routine, the request including the caller's input parameters;
a control code sending module, configured to construct kernel-mode structure parameters according to the system platform type, generate the corresponding registry operation control code according to the kernel-mode structure parameters, and send it to the operating system kernel mode.

18. The apparatus according to claim 17, further comprising:
a parameter verification module, configured to verify the caller's input parameters according to the registry operation request and, if verification passes, invoke the kernel execution logic setting module.

19. The apparatus according to claim 18, wherein the caller's input parameters have user-mode addresses, and the apparatus further comprises:
an address reconstruction module, configured to reconstruct the user-mode addresses into kernel-mode memory space.

20. The apparatus according to claim 18 or 19, further comprising:
a handle return module, configured to return the corresponding handle when the call to the registry function succeeds;
an error code return module, configured to generate an error code and return to user mode when the call to the registry function fails.
CN201110121178.8A 2011-05-11 2011-05-11 A kind of manner of execution of registry operations and device Active CN102779030B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201110121178.8A CN102779030B (en) 2011-05-11 2011-05-11 A kind of manner of execution of registry operations and device
PCT/CN2012/075155 WO2012152212A1 (en) 2011-05-11 2012-05-07 Method and device for executing registry operation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110121178.8A CN102779030B (en) 2011-05-11 2011-05-11 A kind of manner of execution of registry operations and device

Publications (2)

Publication Number Publication Date
CN102779030A true CN102779030A (en) 2012-11-14
CN102779030B CN102779030B (en) 2015-08-19

Family

ID=47123952

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110121178.8A Active CN102779030B (en) 2011-05-11 2011-05-11 A kind of manner of execution of registry operations and device

Country Status (2)

Country Link
CN (1) CN102779030B (en)
WO (1) WO2012152212A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105653955A (en) * 2015-12-30 2016-06-08 北京金山安全软件有限公司 Malicious software processing method and device
CN106844081A (en) * 2017-01-11 2017-06-13 深圳软牛科技有限公司 The system that a kind of intelligence repairs iTunes failures
CN107122164A (en) * 2017-03-31 2017-09-01 腾讯科技(深圳)有限公司 Function address obtains and applied its method, device, equipment and storage medium
CN103577237B (en) * 2013-11-15 2017-09-05 北京奇虎科技有限公司 Application program startup control method and device
CN107818034A (en) * 2016-09-14 2018-03-20 华为技术有限公司 The method and device of the running space of process in monitoring calculation machine equipment
CN108920220A (en) * 2018-06-06 2018-11-30 北京奇虎科技有限公司 A kind of method, apparatus and terminal of function call
CN112214757A (en) * 2020-07-23 2021-01-12 国家工业信息安全发展研究中心 Terminal registry security protection method and system based on windows driving technology

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11663333B2 (en) 2020-08-11 2023-05-30 Beijing Didi Infinity Technology And Development Co., Ltd. Cloud-based systems and methods for detecting and removing rootkit

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080127344A1 (en) * 2006-11-08 2008-05-29 Mcafee, Inc. Method and system for detecting windows rootkit that modifies the kernel mode system service dispatch table
CN101414341A (en) * 2007-10-15 2009-04-22 北京瑞星国际软件有限公司 Software self-protection method

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7448084B1 (en) * 2002-01-25 2008-11-04 The Trustees Of Columbia University In The City Of New York System and methods for detecting intrusions in a computer system by monitoring operating system registry accesses
CN101151617A (en) * 2005-04-07 2008-03-26 皇家飞利浦电子股份有限公司 Software protection

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Zuo Liming, "Research on analysis and detection techniques for Windows kernel malicious code", Computer Technology and Development, vol. 18, no. 9, 30 September 2008, pages 145-147 *
Li Kejiong, Ning Chao, "Research on malicious script programs and API-hook-based registry monitoring technology", Computer Applications, vol. 29, no. 12, 31 December 2009, pages 3197-3200 *

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103577237B (en) * 2013-11-15 2017-09-05 北京奇虎科技有限公司 Application program startup control method and device
CN105653955A (en) * 2015-12-30 2016-06-08 北京金山安全软件有限公司 Malicious software processing method and device
CN105653955B (en) * 2015-12-30 2019-05-10 珠海豹趣科技有限公司 A kind of Malware processing method and processing device
CN107818034A (en) * 2016-09-14 2018-03-20 华为技术有限公司 The method and device of the running space of process in monitoring calculation machine equipment
CN107818034B (en) * 2016-09-14 2021-02-12 华为技术有限公司 Method and device for monitoring running space of process in computer equipment
CN106844081A (en) * 2017-01-11 2017-06-13 深圳软牛科技有限公司 The system that a kind of intelligence repairs iTunes failures
CN106844081B (en) * 2017-01-11 2020-07-03 深圳软牛科技有限公司 System for intelligent repair iTunes trouble
CN107122164A (en) * 2017-03-31 2017-09-01 腾讯科技(深圳)有限公司 Function address obtains and applied its method, device, equipment and storage medium
CN108920220A (en) * 2018-06-06 2018-11-30 北京奇虎科技有限公司 A kind of method, apparatus and terminal of function call
CN108920220B (en) * 2018-06-06 2021-11-30 北京奇虎科技有限公司 Function calling method, device and terminal
CN112214757A (en) * 2020-07-23 2021-01-12 国家工业信息安全发展研究中心 Terminal registry security protection method and system based on windows driving technology
CN112214757B (en) * 2020-07-23 2022-08-02 国家工业信息安全发展研究中心 Terminal registry security protection method and system based on windows driving technology

Also Published As

Publication number Publication date
WO2012152212A1 (en) 2012-11-15
CN102779030B (en) 2015-08-19

Similar Documents

Publication Publication Date Title
CN102779030B (en) A kind of manner of execution of registry operations and device
US9383934B1 (en) Bare-metal computer security appliance
CN104137057B (en) Generation and cache software code
CN105745626B (en) Diagnosis production application based on process snapshot
US9405899B2 (en) Software protection mechanism
CN100489728C (en) Method for establishing trustable operational environment in a computer
US8844048B2 (en) Systems and methods for the prevention of unauthorized use and manipulation of digital content
US20080059726A1 (en) Dynamic measurement of an operating system in a virtualized system
CN111881453B (en) Container escape detection method, device and electronic equipment
JP6791134B2 (en) Analytical systems, analytical methods, analyzers and computer programs
US9396082B2 (en) Systems and methods of analyzing a software component
CN102779244B (en) Method and device for carrying out file operation
AU2002305490A1 (en) Systems and methods for the prevention of unauthorized use and manipulation of digital content
CN111782416A (en) Data reporting method, device, system, terminal and computer-readable storage medium
CN114254304A (en) Container security intrusion detection method and device, computer equipment and storage medium
CN101446915B (en) Method and device for recording BIOS level logs
US10007785B2 (en) Method and apparatus for implementing virtual machine introspection
CN106453509A (en) Method and system for processing abnormal closure of browser, browser and server
JP7404223B2 (en) System and method for preventing unauthorized memory dump modification
CN102841785B (en) A kind of method of file handle shutoff operation and device
CN102831334B (en) Positioning method and positioning system for target address
WO2024032209A1 (en) Block chain transaction verification method and apparatus, storage medium, and electronic device
CN104899512A (en) Windows system service descriptor table tamper-proofing apparatus and method
CN109977665A (en) Cloud Server start-up course Anti-theft and tamper resistant method based on TPCM
CN108345789B (en) Method and device for recording memory fetch operation information

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: QIZHI SOFTWARE (BEIJING) CO., LTD.

Effective date: 20150901

Owner name: BEIJING QIHU TECHNOLOGY CO., LTD.

Free format text: FORMER OWNER: QIZHI SOFTWARE (BEIJING) CO., LTD.

Effective date: 20150901

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20150901

Address after: 100088 Room 112, Block D, 28 Xinjiekouwai Street, Xicheng District, Beijing (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Qizhi software (Beijing) Co.,Ltd.

Address before: 100016 4th floor, Building C, No. 14 Jiuxianqiao Road, Chaoyang District, Beijing

Patentee before: Qizhi software (Beijing) Co.,Ltd.

CP01 Change in the name or title of a patent holder

Address after: 100088 Room 112, Block D, 28 Xinjiekouwai Street, Xicheng District, Beijing (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Beijing Qizhi Business Consulting Co.,Ltd.

Address before: 100088 Room 112, Block D, 28 Xinjiekouwai Street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

CP01 Change in the name or title of a patent holder
TR01 Transfer of patent right

Effective date of registration: 20220401

Address after: 100016 Room 1773, 15/F and 17/F, Building 3, No. 10 Jiuxianqiao Road, Chaoyang District, Beijing

Patentee after: 360 Digital Security Technology Group Co., Ltd.

Address before: 100088 Room 112, Block D, 28 Xinjiekouwai Street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Beijing Qizhi Business Consulting Co.,Ltd.