Embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are obviously only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
To make the method of the present invention easier to understand, the application first briefly introduces how viruses and malware tamper with the browser home page. Browsers in the present invention include the Windows IE (Internet Explorer) browser, 360 Secure Browser, the Firefox browser, and so on. The application uses the Windows IE (Internet Explorer) browser as the example.
The configuration of IE (for example the IE home page address, security level, and cache file storage path) is stored in the Windows registry. In program development, viruses, malware, and also network security software can easily change the IE home page by modifying the Windows registry. They usually use the Windows registry API functions (for example RegSetValue) to specify the root key, the subkey, and the item and value to modify. When the client starts IE, or a click on the "Home" button of the IE toolbar is detected, the browser process (such as iexplore.exe) calls the system API to query the registry key value that corresponds to the browser home page, then connects to the website page that the returned key value points to and displays it. The page reached at this point may be one that a virus or malware has tampered with.
To lock the IE home page and stop viruses or malware from tampering with it, so that IE connects to and displays the preset website page when it starts or when the "Home" button of the IE toolbar is clicked, the method of the application prevents web page tampering using the flow shown in Figure 1.
Step 101: a preset detecting module detects process calls of the browser, where the process calls include the browser calling the system function that queries the browser home page address.
The preset detecting module in this embodiment comprises a function library and a data file that the module creates after it runs. The function library contains the program code that prevents web page tampering; the preset browser home page address is encrypted and stored in the data file created by the module. When the browser starts, the detecting module is started first.
After the preset detecting module starts, it detects the browser's process calls in real time.
Step 102: when the process call is detected, it is intercepted, and the preset browser home page address stored in the detecting module is fed back to the process call through the system function, for connecting to and/or displaying the preset home page. After the browser's process call obtains the query result for the home page address, the browser connects to the website corresponding to that address and displays the website page, so that the configured browser home page is displayed and malicious code is prevented from tampering with the web page address.
The preset detecting module intercepts the browser's query calls by setting hook functions at the positions of the functions through which the browser process queries the registry to obtain the browser home page key value. When the browser process calls a system function and a hook function is detected for that function, the hook function is called first, and the hook function then calls the system function. Interception code is added inside the hook function so that the browser home page address returned by the system function is replaced with the preset browser home page address stored in the detecting module. The detecting module can set hook functions at the positions of several system functions called by the browser process, to achieve a safer and more stable interception result.
A concrete technical solution of the application's method for locking the IE home page is described below with a specific IE embodiment.
When IE starts, it first initializes COM objects and renders the interface. The function call sequence is, for example:
IEWinMain, calls the main window message processing function of IE;
BrowserThreadProc, calls the window main thread message processing function when IE starts;
IEFrameWndProc, calls the main thread message processing function of the IE rendering interface;
CShellBrowser2::OnCreate, creates and renders the interface.
IE then queries the registry to obtain the website address of the IE home page, in order to connect to that website and display the corresponding page. An example of the calls:
CShellBrowser2::ReplaceCmdLine, obtains the relevant command line parameters when IE starts;
GetStdLocation, obtains further start-up parameters;
URLSubRegQueryW, queries the home page related registry key value used when IE starts;
SHRegGetUSValueW, queries the home page related registry key value used when IE starts;
RegQueryValueExA, queries the home page related registry key value used when IE starts;
RegQueryValueExW, queries the home page related registry key value used when IE starts;
After the above operations, the IE process that queries the registry obtains the key value of the IE home page, that is, the home page address, from the HIVE structure of the registry in memory. The home page address obtained here is used to connect to and display the corresponding website page.
However, a virus or malware may have modified the home page key value in the HIVE structure, so the address obtained may be a tampered one. If that address is used to connect to and display the corresponding page, the home page shown by the browser will be the website page set by the virus or malware, which seriously degrades the user experience.
An intercept point is set at the position of functions such as CShellBrowser2::ReplaceCmdLine to intercept the call, and the preset IE home page address is fed back as the query result to the process that calls the system function, so that the browser connects to the website corresponding to that address and displays its page. This prevents malware from tampering with the web page and locks the IE home page. At the position of the RegQueryValueExW function, an IATHook (hidden hook) is set to intercept the function call and return the preset IE home page information to the browser process that calls this system function. An IATHook set at RegQueryValueExW sits at a lower level than the other function calls and is not easily noticed by malicious viruses or other software, so stability and reliability are higher. The detecting module here is Safemon.dll. The preset browser home page address is stored in the detecting module in encrypted form, which effectively prevents malicious viruses or software from cracking and tampering with it, so reliability is higher. The Hook Function of RegQueryValueExW.
However, if IE is managed by other network security software or management software, that software may modify the IE home page returned by the detecting module when the upper-level system functions are called. To prevent malware from tampering with the web page and to lock the IE home page effectively, the detecting module further intercepts the system function calls of iexplore.exe by setting an intercept point at the position of an upper-level function call, for example at the call to the URLSubRegQueryW function, so that the call iexplore.exe makes to URLSubRegQueryW is intercepted. An InlineHook (inline hook) is set on the URLSubRegQueryW function; when URLSubRegQueryW is called, the detecting module returns the preset IE home page address as the query result to the process that calls this system function.
All IE operations related to the home page go through the URLSubRegQueryW function call, and this call is closer to the upper layer than other network management software, so a good interception result is obtained. The Hook Function of URLSubRegQueryW function.
Likewise, after IE has started, when the instruction from a click on the "Home" button is received, the IE process (such as iexplore.exe) also queries the registry to obtain the IE home page address. The query flow is:
IEWinMain;
InternalCallWinProc, creates the IE internal window calling routine;
CInternetToolbar::SizableWndProc, initializes the thread related to the IE toolbar;
CIEFrameAuto::GoHome, responds to the click on the "Home" button;
Then the system functions are called to query the registry and obtain the website address of the IE home page, in order to connect to that website and display the corresponding page. The call sequence is:
SDHGetPageLocation, for the home page related registry key value when the "Home" button is clicked;
URLSubRegQueryW, queries the home page related registry key value when the "Home" button is clicked;
SHRegGetUSValueW, queries the home page related registry key value when the "Home" button is clicked;
RegQueryValueExA, queries the home page related registry key value when the "Home" button is clicked;
RegQueryValueExW, queries the home page related registry key value when the "Home" button is clicked.
An IATHook (hidden hook) is set on the RegQueryValueExW function to intercept the function call and return the preset IE home page to the caller of this system function. However, if IE is managed by other network security software or management software, that software may modify the IE home page returned by the detecting module when the upper-level system functions are called. To lock the IE home page effectively, the detecting module further intercepts the system function calls of iexplore.exe by setting an intercept point at the upper layer, for example on the URLSubRegQueryW function, so that the call iexplore.exe makes to URLSubRegQueryW is intercepted. An InlineHook (inline hook) is set on the URLSubRegQueryW function; when URLSubRegQueryW is called, the detecting module returns the preset IE home page information to the caller of this system function.
The above describes the method for locking the IE home page for one IE software version; on the same principle, intercept points are set for different versions of IE. An IATHook (hidden hook) is set on RegQueryValueExW to intercept the function call; an IATHook (hidden hook) is set on RegQueryValueExW to intercept the function call. When the browser starts, the detecting module first reads the version information of IE and, according to the browser version, sets intercept points at the positions of the corresponding system functions called by the process.
An intercept point is set at the position of the CShellBrowser2::ReplaceCmdLine function to intercept, at a deeper level, the process's query of the IE home page. This locks the IE home page when IE starts, effectively prevents viruses and malware from tampering with the IE home page, and improves the user experience.
The detecting module sets multiple intercept points and intercepts the browser process's calls to the system functions that query the IE home page information, which effectively locks the IE home page and gives higher security.
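The layering argument above (a lower intercept at RegQueryValueExW plus an upper one at URLSubRegQueryW) can be modelled in portable C. This is an added example, not code from the patent: function-pointer slots stand in for both the IATHook and the InlineHook, and the URLs, the "Start Page" and "Search Page" value names, and `browser_query` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

typedef int (*query_fn)(const char *name, char *out, size_t cap);

/* Constructed sample values; none come from the patent text. */
static const char *TAMPERED = "http://tampered.example/";  /* value left in the registry */
static const char *MANAGED  = "http://managed.example/";   /* set by another management product */
static const char *LOCKED   = "http://home.example/";      /* preset address held by the detecting module */

static int put(char *out, size_t cap, const char *v) {
    if (strlen(v) + 1 > cap) return -1;                     /* caller's buffer is too small */
    memcpy(out, v, strlen(v) + 1);
    return 0;
}
static int is_home(const char *name) { return strcmp(name, "Start Page") == 0; }

/* Lower layer: stand-in for RegQueryValueExW reading the (tampered) registry. */
static int low_real(const char *name, char *out, size_t cap) {
    return put(out, cap, is_home(name) ? TAMPERED : "unrelated-value");
}
static query_fn low_slot = low_real;   /* models the import-table slot callers go through */
static int other_product_active = 0;   /* a second product rewriting results above the lower layer */

/* Upper layer: stand-in for URLSubRegQueryW; it reaches the lower call through the slot. */
static int up_real(const char *name, char *out, size_t cap) {
    int rc = low_slot(name, out, cap);
    if (rc == 0 && other_product_active && is_home(name)) rc = put(out, cap, MANAGED);
    return rc;
}
static query_fn up_slot = up_real;

/* Hook bodies: call the original first, then replace only the home page result. */
static int low_hook(const char *name, char *out, size_t cap) {
    int rc = low_real(name, out, cap);
    return is_home(name) ? put(out, cap, LOCKED) : rc;
}
static int up_hook(const char *name, char *out, size_t cap) {
    int rc = up_real(name, out, cap);
    return is_home(name) ? put(out, cap, LOCKED) : rc;
}

/* Choose which intercept points are set, then query the way the browser would. */
const char *browser_query(const char *name, int hook_low, int hook_up, int other_product) {
    static char buf[64];
    low_slot = hook_low ? low_hook : low_real;
    up_slot  = hook_up  ? up_hook  : up_real;
    other_product_active = other_product;
    return up_slot(name, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void) {
    printf("low hook only, other product active: %s\n", browser_query("Start Page", 1, 0, 1));
    printf("low and upper hooks:                 %s\n", browser_query("Start Page", 1, 1, 1));
    return 0;
}
```

With only the lower intercept point, the value rewritten by the other product is what reaches the browser; adding the upper intercept point restores the locked address, while queries for other value names pass through unchanged.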
Correspondingly, the application also provides a device for preventing web page tampering. As shown in Figure 2, it comprises a detecting module 201 and a locking module 202, where:
Detecting module 201 is used to detect process calls of the browser, where the process calls include the browser calling the system function that queries the browser home page address;
Locking module 202 is used, when the process call is detected, to intercept the process call and feed the preset browser home page address stored in the detecting module back to the browser process through the system function, for connecting to and/or displaying the preset home page. After the browser's process call obtains the query result for the home page address, the browser connects to the website corresponding to that address and displays the website page, so that the configured browser home page is displayed and malicious code is prevented from tampering with the web page address.
The detecting module presets at least one intercept point for intercepting the browser's process call that queries the home page address. The present invention presets intercept points at the positions of the functions through which the browser process queries the registry to obtain the browser home page key value, intercepts the process call, and feeds the preset browser home page address back as the query result to the process call that calls the system function, so that the browser connects to the website corresponding to that address and displays its page. In this way the configured browser home page is displayed and malicious code is prevented from tampering with the web page address.
One or more in CShellBrowser2::ReplaceCmdLine.
The at least one intercept point is set by means of a hook function. When the browser's process call reaches a system function on which a hook is set, the hook function runs and returns the preset browser home page address to the browser's process call for display or connection, thereby locking the browser home page.
An InlineHook is set on the URLSubRegQueryW function. An IATHook is not easily noticed by malicious viruses or other software, so stability and reliability are higher; an intercept point at the upper-level function call can intercept tampering with the IE home page by viruses and malware; and setting intercept points at both the upper-level and the lower-level system functions that query the IE home page information intercepts the IE process's queries of the home page address comprehensively, so that malware is prevented from tampering with the browser home page more safely and reliably. The detecting module can read the version information of the browser and, according to the browser version, set intercept points at the positions of the corresponding called functions.
The Hook Function of RegQueryValueExW function.The Hook Function of URLSubRegQueryW function.
The embodiments in this specification are generally described progressively; each embodiment emphasizes its differences from the others, and the identical or similar parts of the embodiments can be cross-referenced.
The application can be described in the general context of computer-executable instructions, such as program modules or units. Generally, program modules or units can include routines, programs, objects, components, data structures, and so on that perform particular tasks or implement particular abstract data types. In general, program modules or units can be implemented in software, hardware, or a combination of both. The application can also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules or units can be located in local and remote computer storage media including storage devices.
Finally, it should also be noted that relational terms such as first and second are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include", or any other variant are intended to cover non-exclusive inclusion, so that a process, method, article, or device that comprises a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to the process, method, article, or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article, or device that comprises the element.
Specific examples are used herein to explain the principle and embodiments of the application; the description of the above embodiments is only intended to help in understanding the method of the application and its main idea. Meanwhile, those of ordinary skill in the art may, following the idea of the application, make changes to the specific embodiments and the scope of application. In summary, this description should not be construed as limiting the application.