CN102855430A - Process blacklist and whitelist control method based on Windows system - Google Patents
Publication number: CN102855430A
Authority: CN (China)
Prior art keywords: blacklist, strategy, control program, list, initiation
Legal status: Granted
Abstract
The invention relates to a process blacklist and whitelist control method based on the Windows system. A process notification callback function is registered with PsSetCreateProcessNotifyRoutine, and the NtCreateSection, NtClose and NtCreateProcess functions are hooked in order to intercept and monitor the process creation procedure; at the same time, the NtCreateProcess and NtCreateProcessEx functions executed during process creation must be intercepted in order to judge whether the created process is allowed to run, so that illegal process creation is blocked; and when the system calls the process notification callback function, the process being created is judged again, to guarantee that the user name corresponding to the process is obtained accurately, so that whether a process may run can be controlled per user. The process blacklist and whitelist control method provided by the invention is highly efficient.
Description
[technical field]
The present invention relates to a process blacklist and whitelist control method based on the Windows system.
[background technology]
At present, process monitoring in the Windows system is mostly implemented by registering process creation and image loading callbacks with PsSetCreateProcessNotifyRoutine and PsSetLoadImageNotifyRoutine, or by hooking NtCreateSection or NtCreateProcess.
PsSetCreateProcessNotifyRoutine implements process monitoring through a registered callback function, but at that moment the process is in fact already running, so the process cannot be prevented from running before it starts. PsSetLoadImageNotifyRoutine and NtCreateSection are also invoked in situations other than process creation, so judging whether the current call is a process creation is cumbersome, and the user of the process being created cannot be obtained accurately, so the right of a user to run a process cannot be controlled. Hooking NtCreateProcess has the limitation that the process path obtained in this way is not necessarily the real process path; this approach generally only judges the parent process and cannot correctly identify the case where a program has modified its token.
In view of this, the inventor has studied the defects of the prior art in depth, and the present case has resulted.
[summary of the invention]
The technical problem to be solved by the invention is to provide an efficient process blacklist and whitelist control method based on the Windows system.
The invention solves the above technical problem with the following technical solution:
A process blacklist and whitelist control method based on the Windows system comprises the following steps:
Step 1: register a process notification callback function with PsSetCreateProcessNotifyRoutine;
Step 2: hook the NtCreateSection, NtCreateProcess, NtCreateProcessEx and NtClose functions by SSDT Hook, so that they can be intercepted;
Step 3: the control program sends an event flag to the interception driver;
Step 4: the user opens a program;
Step 5: the system calls NtCreateSection; the original flow is called, and the correspondence between the Section and the FileObject is recorded;
Step 6: the system calls NtCreateProcess to create the process; at this moment the corresponding FileObject is obtained from the Section and the file path, i.e. the full path of the process, is obtained, the user SID of the parent process is obtained, and the data is cached in a buffer;
Step 7: a notification event is set and the driver waits for the control program's judgement; if the wait times out, go to step 11;
Step 8: the control program obtains the process information from the interception driver's buffer;
Step 9: the control program calculates the program feature value from the full path of the process, by obtaining the PE structure of the process and the data of the data section and calculating its MD5, as well as the user name, and performs the policy comparison; if the program is forbidden to start, go to step 10 and log the event; if the program is allowed to start, go to step 11;
The policy comparison comprises:
if the current policy is the whitelist mode, the full path of the process is compared; if the full path of the process is not in the whitelist, process start is forbidden, otherwise process start is allowed;
if the current policy is the blacklist mode, it is first judged whether the process name is in the blacklist; if the process name is in the blacklist, process start is forbidden and the MD5 value of the process is recorded; if the process name is not in the blacklist, it is then judged whether the MD5 value of the process is in the blacklist, and if it is, process start is forbidden; if the process is in neither list, process start is allowed;
Step 10: the interception driver returns STATUS_ACCESS_DENIED;
Step 11: the interception driver calls the original NtCreateProcess, allowing the process to start;
Step 12: the system calls the callback function registered in step 1; if it is a process creation, go to step 13; if it is a process exit, no processing is done;
Step 13: obtain the process PID, the process path and the user SID the process belongs to, and notify the control program to make a judgement;
Step 14: the control program calculates the program feature value from the full path of the process, by obtaining the PE structure of the process and the data of the data section and calculating its MD5, as well as the user name, and performs the policy comparison; if the process is not allowed to start, TerminateProcess is called to end the process, and the event is logged;
Step 15: the system calls NtClose to release resources; the relation between the Section and the FileObject is released, and the original NtClose function is called.
Further, step 16 is also included: the control program updates the policy:
when a policy change is made, the policy update is performed by the control program;
if the policy is the whitelist mode, the process paths of the whitelist are written into the whitelist;
if the policy is the blacklist mode, the process paths and process names in the blacklist are written into the blacklist.
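As an added example (not the patent's own code), the policy comparison of step 9 and the timeout behaviour of step 7 written as portable C, with constructed sample paths, names and hashes; the MD5 of the PE data section is assumed to have been computed already by the control program and is passed in as a hex string.

```c
#include <stdio.h>
#include <ctype.h>
/* Policy modes (step 9): whitelist matches the full path; blacklist matches the
 * process name first and then the MD5 of the PE data section. */
typedef enum { MODE_WHITELIST, MODE_BLACKLIST } policy_mode_t;
/* Verdict handed back to the interception driver: step 10 (deny) or step 11 (allow). */
typedef enum { DECISION_ALLOW = 0, DECISION_DENY = 1 } decision_t;
/* Process record the driver buffers for the control program (steps 6 and 8). */
typedef struct {
    const char *full_path; /* resolved through the Section -> FileObject mapping */
    const char *name;      /* file-name component of full_path */
    const char *md5_hex;   /* MD5 of the PE data section, computed by the control program */
    const char *user;      /* user name resolved from the parent process SID */
} process_info_t;
typedef struct {
    policy_mode_t mode;
    const char **white_paths; size_t n_white_paths;
    const char **black_names; size_t n_black_names;
    const char **black_md5s;  size_t n_black_md5s;
} policy_t;

/* Case-insensitive compare: Windows paths and file names are not case-sensitive. */
static int ieq(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == '\0' && *b == '\0';
}
static int in_list(const char *needle, const char **list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (ieq(needle, list[i])) return 1;
    return 0;
}

/* Policy comparison of steps 9 and 14. `reason` (may be NULL) receives text for the log entry. */
decision_t evaluate_policy(const policy_t *p, const process_info_t *proc, const char **reason)
{
    const char *why; decision_t d;
    if (p->mode == MODE_WHITELIST) {
        int listed = in_list(proc->full_path, p->white_paths, p->n_white_paths);
        why = listed ? "full path in whitelist" : "full path not in whitelist";
        d = listed ? DECISION_ALLOW : DECISION_DENY;
    } else if (in_list(proc->name, p->black_names, p->n_black_names)) {
        why = "process name in blacklist (MD5 recorded)"; d = DECISION_DENY;
    } else if (in_list(proc->md5_hex, p->black_md5s, p->n_black_md5s)) {
        why = "process MD5 in blacklist"; d = DECISION_DENY; /* catches a renamed copy */
    } else {
        why = "not in blacklist"; d = DECISION_ALLOW;
    }
    if (reason) *reason = why;
    return d;
}
/* Step 7: the driver waits for the control program; on timeout the method goes to step 11 (allow). */
decision_t driver_decision(int control_program_answered, decision_t verdict)
{
    return control_program_answered ? verdict : DECISION_ALLOW;
}
/* Constructed sample data: hypothetical paths, names and hashes, not taken from the patent. */
static const char *WHITE_PATHS[] = { "C:\\Windows\\notepad.exe" };
static const char *BLACK_NAMES[] = { "badtool.exe" };
static const char *BLACK_MD5S[]  = { "0123456789abcdef0123456789abcdef" };
const process_info_t SAMPLE_TRUSTED    = { "C:\\Windows\\NOTEPAD.EXE", "NOTEPAD.EXE", "ffffffffffffffffffffffffffffffff", "alice" };
const process_info_t SAMPLE_BLACK_NAME = { "C:\\Temp\\badtool.exe", "badtool.exe", "0123456789abcdef0123456789abcdef", "alice" };
/* Same binary as badtool.exe copied under a harmless name: the name check misses it, the MD5 check does not. */
const process_info_t SAMPLE_RENAMED    = { "C:\\Temp\\notes.exe", "notes.exe", "0123456789abcdef0123456789abcdef", "alice" };
/* Evaluate one process against the sample policy in the given mode. */
decision_t decide(policy_mode_t mode, const process_info_t *proc, const char **reason)
{
    policy_t p = { mode, WHITE_PATHS, 1, BLACK_NAMES, 1, BLACK_MD5S, 1 };
    return evaluate_policy(&p, proc, reason);
}

int main(void)
{
    const process_info_t *samples[] = { &SAMPLE_TRUSTED, &SAMPLE_BLACK_NAME, &SAMPLE_RENAMED };
    for (int m = MODE_WHITELIST; m <= MODE_BLACKLIST; m++)
        for (size_t i = 0; i < 3; i++) {
            const char *why;
            decision_t d = decide((policy_mode_t)m, samples[i], &why);
            printf("%s mode: %-24s -> %s (%s)\n", m == MODE_WHITELIST ? "whitelist" : "blacklist",
                   samples[i]->full_path, d == DECISION_DENY ? "STATUS_ACCESS_DENIED" : "allow", why);
        }
    return 0;
}
```

The renamed sample shows why the blacklist branch checks the MD5 after the name. Note that the timeout path of step 7 proceeds to step 11, so a control program that does not answer in time lets the process start until the second check in steps 12 to 14.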
The advantages of the invention are as follows. Programs can be effectively controlled through the identification of process features. By monitoring calls to the above kernel functions, processes can be effectively managed and controlled per user; the invention obtains the process information again in the process creation callback, which guarantees the validity of the process information obtained and avoids the complexity and compatibility problems of using NtCreateSection alone to determine whether a program is being loaded, where a call unrelated to process creation is mistaken for a process creation. By managing and controlling processes, the invention ensures that only trusted processes can run on the client computer, greatly reduces the probability of viruses or illegal intrusion on the client computer, and ensures the security of the client system.
[description of drawings]
The invention is further described below with reference to the accompanying drawings in conjunction with the embodiments.
Fig. 1 is a sequence diagram of process blacklist and whitelist control in the working process of the invention.
Fig. 2 is a diagram of the relations among the modules of the invention.
[embodiment]
The invention registers a process notification callback with PsSetCreateProcessNotifyRoutine and hooks the NtCreateSection, NtClose and NtCreateProcess functions in order to intercept and monitor the process creation procedure. The purpose of intercepting NtCreateSection and NtClose is to guarantee that the process path obtained is correct. The NtCreateProcess and NtCreateProcessEx functions executed when a process is created must also be intercepted, in order to judge whether the created process is allowed to run and to block illegal process creation. When the system calls the process notification callback function, the process being created can be judged again, to guarantee that the user name corresponding to this process is obtained accurately and thus to control per user whether a process is allowed to run. In summary, to achieve effective process management and control, the NtCreateSection, NtClose, NtCreateProcess and NtCreateProcessEx functions must be hooked and the process notification callback function must also be registered, so as to overcome the limitations of managing processes with any single existing technique.
Referring to Fig. 1 and Fig. 2, the specific steps are described in detail below:
Step 1: register a process notification callback function with PsSetCreateProcessNotifyRoutine;
Step 2: hook the NtCreateSection, NtCreateProcess, NtCreateProcessEx and NtClose functions by SSDT Hook, so that they can be intercepted;
Step 3: the control program sends an event flag to the interception driver;
Step 4: the user opens a program;
Step 5: the system calls NtCreateSection; the original flow is called, and the correspondence between the Section and the FileObject is recorded;
Step 6: the system calls NtCreateProcess to create the process; at this moment the corresponding FileObject is obtained from the Section and the file path, i.e. the full path of the process, is obtained, the user SID of the parent process is obtained, and the data is cached in a buffer;
Step 7: a notification event is set and the driver waits for the control program's judgement; if the wait times out, go to step 11;
Step 8: the control program obtains the process information from the interception driver's buffer;
Step 9: the control program calculates the program feature value from the full path of the process, by obtaining the PE structure of the process and the data of the data section and calculating its MD5, as well as the user name, and performs the policy comparison; if the program is forbidden to start, go to step 10 and log the event; if the program is allowed to start, go to step 11;
The policy comparison comprises:
if the current policy is the whitelist mode, the full path of the process is compared; if the full path of the process is not in the whitelist, process start is forbidden, otherwise process start is allowed;
if the current policy is the blacklist mode, it is first judged whether the process name is in the blacklist; if the process name is in the blacklist, process start is forbidden and the MD5 value of the process is recorded; if the process name is not in the blacklist, it is then judged whether the MD5 value of the process is in the blacklist, and if it is, process start is forbidden; if the process is in neither list, process start is allowed;
Step 10: the interception driver returns STATUS_ACCESS_DENIED;
Step 11: the interception driver calls the original NtCreateProcess, allowing the process to start;
Step 12: the system calls the callback function registered in step 1; if it is a process creation, go to step 13; if it is a process exit, no processing is done;
Step 13: obtain the process PID, the process path and the user SID the process belongs to, and notify the control program to make a judgement;
Step 14: the control program calculates the program feature value from the full path of the process, by obtaining the PE structure of the process and the data of the data section and calculating its MD5, as well as the user name, and performs the policy comparison; if the process is not allowed to start, TerminateProcess is called to end the process, and the event is logged;
Step 15: the system calls NtClose to release resources; the relation between the Section and the FileObject is released, and the original NtClose function is called.
Further, step 16 may also be included: the control program updates the policy:
when a policy change is made, the policy update is performed by the control program;
if the policy is the whitelist mode, the process paths of the whitelist are written into the whitelist;
if the policy is the blacklist mode, the process paths and process names in the blacklist are written into the blacklist.
The above is only a preferred embodiment of the invention and is not intended to limit its protection scope. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included within the protection scope of the invention.
Claims (2)
1. A process blacklist and whitelist control method based on the Windows system, characterized in that it comprises the following steps:
Step 1: register a process notification callback function with PsSetCreateProcessNotifyRoutine;
Step 2: hook the NtCreateSection, NtCreateProcess, NtCreateProcessEx and NtClose functions by SSDT Hook, so that they can be intercepted;
Step 3: the control program sends an event flag to the interception driver;
Step 4: the user opens a program;
Step 5: the system calls NtCreateSection; the original flow is called, and the correspondence between the Section and the FileObject is recorded;
Step 6: the system calls NtCreateProcess to create the process; at this moment the corresponding FileObject is obtained from the Section and the file path, i.e. the full path of the process, is obtained, the user SID of the parent process is obtained, and the data is cached in a buffer;
Step 7: a notification event is set and the driver waits for the control program's judgement; if the wait times out, go to step 11;
Step 8: the control program obtains the process information from the interception driver's buffer;
Step 9: the control program calculates the program feature value from the full path of the process, by obtaining the PE structure of the process and the data of the data section and calculating its MD5, as well as the user name, and performs the policy comparison; if the program is forbidden to start, go to step 10 and log the event; if the program is allowed to start, go to step 11;
The policy comparison comprises:
if the current policy is the whitelist mode, the full path of the process is compared; if the full path of the process is not in the whitelist, process start is forbidden, otherwise process start is allowed;
if the current policy is the blacklist mode, it is first judged whether the process name is in the blacklist; if the process name is in the blacklist, process start is forbidden and the MD5 value of the process is recorded; if the process name is not in the blacklist, it is then judged whether the MD5 value of the process is in the blacklist, and if it is, process start is forbidden; if the process is in neither list, process start is allowed;
Step 10: the interception driver returns STATUS_ACCESS_DENIED;
Step 11: the interception driver calls the original NtCreateProcess, allowing the process to start;
Step 12: the system calls the callback function registered in step 1; if it is a process creation, go to step 13; if it is a process exit, no processing is done;
Step 13: obtain the process PID, the process path and the user SID the process belongs to, and notify the control program to make a judgement;
Step 14: the control program calculates the program feature value from the full path of the process, by obtaining the PE structure of the process and the data of the data section and calculating its MD5, as well as the user name, and performs the policy comparison; if the process is not allowed to start, TerminateProcess is called to end the process, and the event is logged;
Step 15: the system calls NtClose to release resources; the relation between the Section and the FileObject is released, and the original NtClose function is called.
2. The process blacklist and whitelist control method based on the Windows system according to claim 1, characterized in that it further comprises:
Step 16: the control program updates the policy:
when a policy change is made, the policy update is performed by the control program;
if the policy is the whitelist mode, the process paths of the whitelist are written into the whitelist;
if the policy is the blacklist mode, the process paths and process names in the blacklist are written into the blacklist.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210303968.2A CN102855430B (en) | 2012-08-23 | 2012-08-23 | Process blacklist and whitelist control method based on Windows system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210303968.2A CN102855430B (en) | 2012-08-23 | 2012-08-23 | Process blacklist and whitelist control method based on Windows system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102855430A true CN102855430A (en) | 2013-01-02 |
CN102855430B CN102855430B (en) | 2015-04-15 |
Family
ID=47402013
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210303968.2A Active CN102855430B (en) | 2012-08-23 | 2012-08-23 | Process blacklist and whitelist control method based on Windows system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102855430B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101226570A (en) * | 2007-09-05 | 2008-07-23 | 江启煜 | Method for monitoring and eliminating generalized unknown virus |
CN101650786A (en) * | 2008-08-12 | 2010-02-17 | 福光企业股份有限公司 | Counting and detecting device of thread rolling machine |
US20110145924A1 (en) * | 2009-12-11 | 2011-06-16 | Mitja Kolsek | Method for detection and prevention of loading executable files from the current working directory |
CN102646173A (en) * | 2012-02-29 | 2012-08-22 | 成都新云软件有限公司 | Safety protection control method and system based on white and black lists |
2012-08-23: application CN201210303968.2A filed in CN (patent CN102855430B, status: Active)
Cited By (29)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105303107A (en) * | 2014-06-06 | 2016-02-03 | 中兴通讯股份有限公司 | Abnormal process detection method and apparatus |
CN105893000A (en) * | 2014-10-28 | 2016-08-24 | 北京确安科技股份有限公司 | Method for preventing system time of test machine from being illegally modified |
CN105631310A (en) * | 2014-10-30 | 2016-06-01 | 黄晓芳 | Efficient trusted process authentication scheme |
CN104461725B (en) * | 2014-12-30 | 2018-05-08 | 小米科技有限责任公司 | The method and device for controlling application process to start |
CN104461725A (en) * | 2014-12-30 | 2015-03-25 | 小米科技有限责任公司 | Application process starting control method and device |
CN105183504B (en) * | 2015-08-12 | 2018-10-23 | 北京威努特技术有限公司 | Process white list updating method based on software server |
CN105183504A (en) * | 2015-08-12 | 2015-12-23 | 北京威努特技术有限公司 | Software server based process white-list updating method |
CN106127029A (en) * | 2016-06-22 | 2016-11-16 | 北京金山安全软件有限公司 | Starting method and device of security application program and electronic equipment |
CN106127029B (en) * | 2016-06-22 | 2019-03-22 | 珠海豹趣科技有限公司 | A kind of the starting method, apparatus and electronic equipment of security application |
CN106127031A (en) * | 2016-06-23 | 2016-11-16 | 北京金山安全软件有限公司 | Method and device for protecting process and electronic equipment |
CN106156622A (en) * | 2016-07-04 | 2016-11-23 | 北京金山安全软件有限公司 | Service process registration method and device and terminal equipment |
CN106778242A (en) * | 2016-11-28 | 2017-05-31 | 北京奇虎科技有限公司 | kernel leak detection method and device based on virtual machine |
CN106778284A (en) * | 2016-11-28 | 2017-05-31 | 北京奇虎科技有限公司 | The method and device of kernel leak rear end detection |
CN106778284B (en) * | 2016-11-28 | 2021-03-26 | 北京奇虎科技有限公司 | Method and device for detecting kernel vulnerability back end |
CN108377307A (en) * | 2017-02-01 | 2018-08-07 | 柯尼卡美能达株式会社 | The image processing apparatus of communication process is carried out via network |
CN108377307B (en) * | 2017-02-01 | 2020-05-19 | 柯尼卡美能达株式会社 | Image processing apparatus for performing communication processing via network |
CN107194244A (en) * | 2017-04-13 | 2017-09-22 | 福建省天奕网络科技有限公司 | The guard method of VR game memory data and its system |
CN107643945A (en) * | 2017-08-16 | 2018-01-30 | 南京南瑞集团公司 | A kind of method that monitoring process is created and destroyed under Windows xp systems |
CN107844341A (en) * | 2017-11-21 | 2018-03-27 | 广东欧珀移动通信有限公司 | Management-control method, device and the storage medium and mobile terminal of process initiation |
CN108959927A (en) * | 2018-06-27 | 2018-12-07 | 杭州安恒信息技术股份有限公司 | A kind of device and method of the safe across comparison analysis of Internet of Things |
CN108959927B (en) * | 2018-06-27 | 2020-10-27 | 杭州安恒信息技术股份有限公司 | Device and method for transverse comparison and analysis of safety of Internet of things |
CN110086932A (en) * | 2019-04-24 | 2019-08-02 | 努比亚技术有限公司 | A kind of process initiation control method, wearable device and storage medium |
CN110086932B (en) * | 2019-04-24 | 2021-05-25 | 努比亚技术有限公司 | Process starting control method, wearable device and storage medium |
CN110472409A (en) * | 2019-08-06 | 2019-11-19 | 长沙学院 | A kind of process management method and system based on white list mechanism |
CN110955895A (en) * | 2019-11-29 | 2020-04-03 | 珠海豹趣科技有限公司 | Operation interception method and device and computer readable storage medium |
CN110955895B (en) * | 2019-11-29 | 2022-03-29 | 珠海豹趣科技有限公司 | Operation interception method and device and computer readable storage medium |
CN111176236A (en) * | 2019-12-31 | 2020-05-19 | 四川红华实业有限公司 | Industrial control safety protection system of centrifugal plant and safety protection operation method thereof |
CN111368293A (en) * | 2020-03-05 | 2020-07-03 | 深信服科技股份有限公司 | Process management method, device, system and computer readable storage medium |
CN111368293B (en) * | 2020-03-05 | 2022-11-22 | 深信服科技股份有限公司 | Process management method, device, system and computer readable storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN102855430B (en) | 2015-04-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN102855430B (en) | Process blacklist and whitelist control method based on Windows system | |
US8413230B2 (en) | API checking device and state monitor | |
US10565378B1 (en) | Exploit of privilege detection framework | |
US9990490B2 (en) | Generic privilege escalation prevention | |
US20100100929A1 (en) | Apparatus and method for security managing of information terminal | |
CN104217161B (en) | A kind of virus scan method and system, terminal unit | |
CN105095746A (en) | Method and device for application program starting authentication | |
CA2797880C (en) | Method and apparatus for implementing real-time protection | |
KR20140057467A (en) | System and method for securing virtual computing environments | |
CN104268454A (en) | Management method and device of application program of terminal | |
CN108605264B (en) | Method and apparatus for network management | |
CN111709023B (en) | Application isolation method and system based on trusted operating system | |
US11983266B2 (en) | Systems and methods for event-based application control | |
CN105094996A (en) | Security-enhancing method and system of Android system based on dynamic authority verification | |
CN105631311A (en) | Application program authority management method and device as well as terminal | |
CN111259421A (en) | Privacy authority anti-disclosure processing method and device, electronic equipment and storage medium | |
CN106211164A (en) | Terminal network changing method, terminal network switching device and terminal | |
CN103559437A (en) | Access control method and system for Android operation system | |
CN102355519A (en) | Malicious call dialing prevention method for mobile intelligent terminal and system thereof | |
CN107992745A (en) | Kidnap countermeasure in a kind of interface based on Android platform | |
CN102497479B (en) | Method for smart phone to judge Trojprograms according to application software behaviors | |
CN110138780A (en) | A method of internet-of-things terminal threat detection is realized based on probe technique | |
CN105701415B (en) | A kind of mobile terminal kernel Rights Management System and method | |
CN106022105B (en) | A kind of command processing method and device | |
CN106020866A (en) | Blue screen processing method and device and terminal |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |