CN102867141B - Method and device for handling Master Boot Record malware (Google Patents)

Info

Publication number: CN102867141B
Application number: CN201210380353.XA
Authority: CN (China)
Other versions: CN102867141A
Related application: PCT/CN2013/084467 (WO2014048367A1)
Original language: Chinese (zh)
Inventor: 邵坚磊
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Current assignee: Beijing Qihoo Technology Co Ltd
Legal status: Active
Prior art keywords: disk, driver, boot record, read, safe driver

Abstract

The invention discloses a method and a device for handling Master Boot Record (MBR) malware. The method comprises: registering a security driver in the operating system registry as a system-reserved type, so that the operating system loads the security driver during kernel initialization at start-up; invoking the security driver after hard disk initialization has completed; once the security driver has been invoked, monitoring disk read operations through it; and, when a disk read/write operation is detected, inspecting the data being read or written and, if malicious code is found in that data, returning a disk read failure so as to sever the link between the malware in the Master Boot Record and the malicious driver stored in the disk partition. The invention can effectively prevent Master Boot Record malware from damaging the computer.

Description

Method and device for handling Master Boot Record malware
Technical field
The present invention relates to the field of computer security, and in particular to a method and device for handling Master Boot Record malware.
Background technology
The Master Boot Record (MBR) of a disk is located at head 0, track 0, sector 1. It is a storage area of fixed size and is the first region read from the disk after the computer is powered on. The MBR generally comprises three parts: the master boot code, the disk partition table and the end signature. The master boot code checks at start-up whether the partition table is valid and, once the system hardware has completed its self-test, hands control to the system boot program on the disk. The master boot code in the MBR is independent of the operating system, which shows in the computer's start-up sequence: after power-on the computer performs its self-test; when the BIOS determines that the disk is the boot source it reads the MBR into memory and hands control to the master boot code; the master boot code checks the partition table, finds the active partition and hands control to the boot program of the active partition, which in turn loads the operating system. Throughout this process the loading of the master boot code and the loading of the operating system are two relatively independent steps, so the master boot code in the MBR is independent of the operating system: it is loaded before the operating system and neither depends on nor belongs to it.
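The MBR layout and the partition-table check described above, written out as a small parser. This is an added example rather than code from the patent; the sample sector it builds is constructed for the demonstration and is not a real disk image.

```c
/* Added example (not part of the patent): decode the 512-byte MBR,
 * validate the 0x55AA end signature and locate the active partition,
 * mirroring the checks the master boot code performs before handing
 * control to the partition boot record. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MBR_SIZE           512
#define MBR_PTABLE_OFF     446   /* bytes 0..445 hold the master boot code */
#define MBR_PTABLE_ENTRIES 4     /* four 16-byte partition entries */
#define MBR_SIG_OFF        510   /* end signature 0x55 0xAA */
#define PART_ACTIVE        0x80  /* "bootable" flag in entry byte 0 */

typedef struct {
    uint8_t  active;     /* 0x80 = active partition, 0x00 = inactive */
    uint8_t  type;       /* partition type id, e.g. 0x07 = NTFS */
    uint32_t start_lba;  /* first sector of the partition */
    uint32_t sectors;    /* length of the partition in sectors */
} mbr_partition;

/* Partition entries store their 32-bit fields little-endian. */
static uint32_t le32_load(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void le32_store(uint8_t *p, uint32_t v) {
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF;
    p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* The end signature is the first thing checked before the sector is trusted. */
int mbr_has_signature(const uint8_t *sector) {
    return sector[MBR_SIG_OFF] == 0x55 && sector[MBR_SIG_OFF + 1] == 0xAA;
}

/* Decode partition entry n (0..3). Returns 0 on success, -1 on a bad index. */
int mbr_get_partition(const uint8_t *sector, int n, mbr_partition *out) {
    if (n < 0 || n >= MBR_PTABLE_ENTRIES) return -1;
    const uint8_t *e = sector + MBR_PTABLE_OFF + n * 16;
    out->active    = e[0];
    out->type      = e[4];
    out->start_lba = le32_load(e + 8);
    out->sectors   = le32_load(e + 12);
    return 0;
}

/* Mirror the master boot code's partition-table check: require the
 * signature, accept only 0x00 or 0x80 as flag bytes, and require exactly
 * one active entry. Returns that entry's index, or -1 if the table is invalid. */
int mbr_active_partition(const uint8_t *sector) {
    int active = -1;
    if (!mbr_has_signature(sector)) return -1;
    for (int n = 0; n < MBR_PTABLE_ENTRIES; n++) {
        uint8_t flag = sector[MBR_PTABLE_OFF + n * 16];
        if (flag != 0x00 && flag != PART_ACTIVE) return -1;
        if (flag == PART_ACTIVE) {
            if (active != -1) return -1;   /* two active entries: invalid table */
            active = n;
        }
    }
    return active;
}

/* Constructed sample: empty boot code, entry 0 an active NTFS partition at
 * LBA 2048 spanning 0x100000 sectors, entry 1 an inactive NTFS partition,
 * and a valid signature. Not a real disk image. */
void build_sample_mbr(uint8_t *sector) {
    memset(sector, 0, MBR_SIZE);
    uint8_t *e0 = sector + MBR_PTABLE_OFF, *e1 = e0 + 16;
    e0[0] = PART_ACTIVE; e0[4] = 0x07;
    le32_store(e0 + 8, 2048); le32_store(e0 + 12, 0x100000);
    e1[0] = 0x00; e1[4] = 0x07;
    le32_store(e1 + 8, 2048 + 0x100000); le32_store(e1 + 12, 0x200000);
    sector[MBR_SIG_OFF] = 0x55; sector[MBR_SIG_OFF + 1] = 0xAA;
}

int main(void) {
    uint8_t mbr[MBR_SIZE];
    mbr_partition p;
    build_sample_mbr(mbr);
    int idx = mbr_active_partition(mbr);
    if (idx < 0 || mbr_get_partition(mbr, idx, &p) != 0) {
        puts("invalid partition table");
        return 1;
    }
    printf("active partition %d: type 0x%02X, start LBA %u, %u sectors\n",
           idx, p.type, (unsigned)p.start_lba, (unsigned)p.sectors);
    mbr[MBR_SIG_OFF] = 0x00;   /* damaged signature: the table is no longer trusted */
    printf("after corrupting the signature: %d\n", mbr_active_partition(mbr));
    return 0;
}
```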
Precisely because the master boot code in the MBR is independent of the operating system, the MBR region has become a target exploited by certain malware, of which the "Ghost" virus is representative. This virus resides in the disk's Master Boot Record and therefore runs before the operating system starts; when the system starts, it makes the infected computer load a second, carefully hidden malicious driver B. Once driver B has loaded successfully, it can shut down antivirus software, download further malware and so on, in order to steal user information, damage the user's computer and carry out other illegal activities. Because the virus resides in the Master Boot Record, usually no anomaly can be found from within the operating system once it is running. Moreover, since reinstalling the operating system does not normally rewrite the Master Boot Record, the virus can survive a reinstall and still take effect at every start-up, which shows how persistent it is. The technical problem that those skilled in the art urgently need to solve is therefore how to stop this kind of malware from damaging the computer system effectively.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a method for handling Master Boot Record malware, and a corresponding device, that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a method for handling Master Boot Record malware is provided, comprising:
loading a security driver during kernel initialization in the process of starting the operating system;
invoking the security driver after hard disk initialization has completed;
monitoring read operations on the disk through the security driver;
when a disk read/write operation is detected, inspecting the data being read or written and, if malicious code is found in that data, returning a disk read failure so as to sever the link between the malware in the Master Boot Record and the malicious driver in the disk partition.
Optionally, loading the security driver during kernel initialization in the process of starting the computer comprises:
registering the security driver in the operating system registry as a system-reserved type, so that the operating system loads the security driver during kernel initialization at start-up.
Optionally, invoking the security driver after hard disk initialization has completed comprises:
registering a callback function with the system when the security driver is loaded, so that the operating system invokes the security driver after hard disk initialization has completed.
Optionally, the method further comprises:
removing the malware from the Master Boot Record.
Optionally, removing the malware from the Master Boot Record comprises:
rebuilding the Master Boot Record.
Optionally, the method further comprises:
deleting the malicious driver from the disk partition.
According to another aspect of the present invention, a device for handling Master Boot Record malware is provided, comprising:
a loading unit, for loading a security driver during kernel initialization in the process of starting the operating system;
a calling unit, for invoking the security driver after hard disk initialization has completed;
a monitoring unit, for monitoring read operations on the disk through the security driver;
a detecting unit, for inspecting the data being read or written when a disk read/write operation is detected and, if malicious code is found in that data, returning a disk read failure so as to sever the link between the malware in the Master Boot Record and the malicious driver in the disk partition.
Optionally, the loading unit comprises:
a registry writing unit, for registering the security driver in the operating system registry as a system-reserved type, so that the operating system loads the security driver during kernel initialization at start-up.
Optionally, the calling unit comprises:
a callback registration unit, for registering a callback function with the system when the security driver is loaded, so that the operating system invokes the security driver after hard disk initialization has completed.
Optionally, the device further comprises:
a clearing unit, for removing the malware from the Master Boot Record.
Optionally, the clearing unit comprises:
a rebuilding sub-unit, for rebuilding the Master Boot Record.
Optionally, the device further comprises:
a deleting unit, for deleting the malicious driver from the disk partition.
According to a further aspect of the present invention, equipment for handling Master Boot Record malware is provided, comprising the device for handling Master Boot Record malware described in any of the foregoing.
According to the specific embodiments provided by the present invention, the invention discloses the following technical effects:
With the method and device for handling Master Boot Record malware according to the present invention, at an early stage of system start-up, after the MBR, the BOOTLOADER, BOOTMGR and the like have been initialized and while the system is initializing the kernel, the security driver is loaded; the system's disk read/write operations are then hooked and, whenever a sector being read contains malicious code, a failure is returned. The malicious driver therefore cannot be loaded, the link between the MBR and the malicious driver is completely cut off, the MBR malware is rendered ineffective, the residual MBR virus body can then be dealt with easily, and this kind of malware is effectively prevented from damaging the computer system.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Description of the drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the present invention. Throughout the drawings, identical parts are denoted by identical reference symbols. In the drawings:
Fig. 1 shows a flow chart of a method according to an embodiment of the present invention; and
Fig. 2 shows a schematic diagram of a device according to an embodiment of the present invention.
Embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure may be understood more thoroughly and its scope fully conveyed to those skilled in the art.
Referring to Fig. 1, the method for handling Master Boot Record malware provided by an embodiment of the present invention comprises the following steps:
S101: loading a security driver during kernel initialization in the process of starting the operating system;
In modern operating systems an application program cannot access hardware directly; it uses hardware through the interfaces that the operating system provides, and the operating system relies on kernel space to manage and schedule these applications. Kernel space consists of four main parts: process management (allocating CPU time), file access (organizing storage devices into a file system and providing a consistent interface for upper-layer programs to call), security control (enforcing each process's specific privileges and its separate memory range so that processes do not conflict with one another) and memory management (allocating, using, releasing and reclaiming memory resources while processes run). The kernel is built from data structures, and Rootkit techniques hide other programs' processes, files, network communications and related information (such as registry entries and system log entries that the modifications may produce) by altering those kernel data structures.
A Bootkit is a more advanced Rootkit: by infecting the MBR (Master Boot Record) it bypasses kernel checks and starts stealthily, that is, a Bootkit is a Rootkit based on the MBR. Any technique that gains control earlier than the Windows kernel at power-on and then hijacks the kernel can be called a Bootkit, for example BIOS Rootkits, VBootkit, SMM Rootkits and so on. Because an MBR virus (MBR BOOTKIT) resides in the MBR, the driver released by the virus can disable most security tools and system utilities, and whenever the system is restarted the virus is loaded again before the operating system kernel.
To resist such an MBR virus, a security driver must be loaded before the MBR virus loads its malicious driver. To this end, in embodiments of the present invention the security driver is loaded before hard disk initialization: in a specific implementation, after the MBR, the BOOTLOADER, BOOTMGR and the like have been initialized and while the system is initializing NTKERNEL, the security driver is loaded, so that it gains execution before the malicious driver that the malware in the MBR region intends to load.
Here, the BOOTLOADER is the section of system boot code that runs before the operating system kernel. This boot code initializes hardware devices and sets up the memory map, bringing the system's hardware environment into a suitable state so that the correct environment is ready for the final call into the operating system kernel. Embedded systems usually have no firmware such as a BIOS (Basic Input Output System) (although an embedded CPU may have a short built-in start-up routine), so the whole loading and initialization task of the system is completed by the BootLoader. BOOTMGR is short for Boot Manager, the boot manager used in Windows Vista and Windows 7; the boot manager in Windows XP, NTLDR, performs a similar function. NTKERNEL is the system kernel.
Taking Windows 7 as an example, under normal circumstances the start-up process of the computer system is:
the mainboard BIOS starts from the floppy disk, hard disk or CD-ROM drive according to the boot sequence specified by the user --> the system BIOS reads the Master Boot Record into memory --> control is handed to the master boot code --> the master boot code checks the state of the partition table during the start-up POST --> the master boot code looks for the active partition and hands control to the boot record of the active partition --> the boot record loads the operating system start-up files.
As can be seen from the above, the MBR is the first location read after the computer is powered on and the system self-test completes. It is located at head 0, track 0, sector 1 of the hard disk, is 512 bytes in size, does not belong to any operating system, and cannot be read with the disk commands provided by the operating system.
After the computer powers up, the BIOS program starts first. After the BIOS self-test it finds the Master Boot Record on the hard disk; the MBR reads the DPT (Disk Partition Table), finds the active primary partition from it, and then reads the PBR (Partition Boot Record) of the active primary partition; the PBR searches the partition for the boot manager file BOOTMGR, and once BOOTMGR is found control passes to it. BOOTMGR reads the BOOT\BCD file (BCD = Boot Configuration Data); if several operating systems are present and the operating-system selection timeout is not 0, the operating-system selection menu is shown on the display. If Windows 7 is chosen, BOOTMGR goes to the system disk to find WINDOWS\system32\winload.exe, winload.exe loads the Windows 7 kernel, and the whole Windows 7 system starts. In short, on Windows 7 the process can be summarized as: BIOS --> MBR --> DPT --> PBR --> BOOTMGR --> BCD --> Winload.exe --> kernel loaded --> whole Windows 7 system. After the kernel is loaded, starting the whole Windows 7 system requires the kernel to be initialized first and the hard disk afterwards, and in embodiments of the present invention the security driver is loaded at exactly this kernel-initialization step.
In a specific implementation, to ensure that the security driver is loaded during kernel initialization in the process of starting the operating system, the security driver can be registered in the operating system registry as a system-reserved type (that is, registered as systemreserved), which lets the system load this security driver at the earliest possible point. In addition, the simple file-read facility built into the system reads files through INT13 in real mode into memory and then accesses them in protected mode, so the system automatically loads into memory those drivers whose BOOTTYPE in the registry is 0, without going through the disk driver or the file-system driver.
S102: invoking the security driver after hard disk initialization has completed;
After the security driver has been loaded, it still has to be invoked by a running program before it can perform the relevant operations and take real effect. To this end, in a specific implementation, a callback function can be registered with the system when the security driver is loaded, so that as soon as hard disk initialization has completed the operating system invokes the security driver and the security driver runs immediately.
The reason for registering a callback function with the system is that the security driver needs to hook the hard disk driver, but that operation can only be performed after the hard disk driver has itself finished initializing; registering a callback function with the system ensures that the security driver can perform the operation promptly once the hard disk driver is initialized.
S103: after the security driver has been invoked, monitoring disk read/write operations through the security driver;
Once the security driver is executing, it can monitor read operations on the disk. For the malware in the MBR region to link up with the malicious driver in the disk partition, the malicious driver's code in the partition must be read into memory so that the malicious driver can be loaded and run, and reading that code into memory requires reading the disk. Since the security driver of the present embodiment is loaded before the malicious driver, the malware's disk read and write operations can be monitored by the security driver. In a specific implementation, monitoring of disk read/write operations can be achieved by hooking the read/write operations of the disk driver.
S104: when a disk read/write operation is detected, inspecting the data being read or written and, if malicious code is found in that data, returning a disk read/write failure so as to sever the link between the malware in the Master Boot Record and the malicious driver in the disk partition.
After the security driver detects a disk read/write operation, it can intercept the data being read or written and perform a security check on it. If malicious code is found in the data, this indicates that the malware in the MBR region is probably reading or writing its malicious driver code, so a disk read failure can be returned directly. The malicious driver code then cannot be read into or written from memory and therefore cannot run, and the link between the malware in the MBR and the malicious driver in the disk partition is severed. Once that link is severed, even if the malware in the MBR and the malicious driver both still exist, they can do no harm to the user's computer.
For example, Ghost 5, when reading disk sectors, checks for a certain signature and, if it matches, assumes it has read the malicious driver's code and executes it; by modifying these reads so that the virus believes nothing was read, the code is skipped and the malicious code is not run. The specific implementation of detecting whether the data being read contains malicious code may follow the methods of the prior art and is not repeated here.
Of course, to further ensure the security of the user's computer, after the link between the malware in the MBR and the malicious driver on the disk has been severed, the malware in the MBR can also be removed, and the malicious driver in the disk partition can also be deleted. The malicious driver is simply stored on the disk, so it can be deleted directly with disk commands. The malware in the MBR, however, is located in the MBR, which is at head 0, track 0, sector 1 of the hard disk, is 512 bytes in size, belongs to no operating system and cannot be read with the disk commands provided by the operating system; removing the malware from the MBR can therefore be achieved by means such as rebuilding the MBR. For the rebuilding itself, an existing application program for rebuilding the MBR can be invoked. In a specific implementation, the program of the present embodiment can write the system's default MBR to the MBR region, or the system command FDISK /MBR can be used to restore the MBR region.
In short, once the malware in the MBR gains execution from the MBR, it can hook INT13, hook again when BOOTMGR is loaded, hook again when NTKERNEL is loaded, and then load its own malicious driver code, achieving complete self-protection. For example, the malware in the MBR can hook the low-level system driver ATAPI.SYS and the file-system driver NTFS.SYS, so that security programs cannot obtain the real disk file information or the real MBR contents at all; everything they obtain is redirected, deceptive information. That is, once the malicious driver has loaded, it is hard for security programs to detect and remove.
Therefore, what the embodiment of the present invention does is, at the early stage of system start-up, after the MBR, the BOOTLOADER, BOOTMGR and the like have been initialized and while the system is initializing NTKERNEL, load the security driver and then hook the system's disk read/write operations; whenever a sector being read contains malicious code, a failure is returned, so the malicious driver cannot be loaded, the link between the MBR and the malicious driver is completely cut off, the MBR malware is rendered ineffective, and the residual MBR virus body can be handled easily.
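A user-mode model of steps S103 and S104 together with the MBR rebuild described above, added here as an example; it is not the patent's or Qihoo's code. The "disk" is an in-memory buffer, the status names and the two byte patterns standing in for malware signatures are constructed for the demonstration, and a real implementation would live in a kernel-mode disk filter driver.

```c
/* Added example (not from the patent): a hooked disk read that inspects the
 * data before it reaches the caller and returns a failure when a signature
 * matches, plus an MBR rebuild that keeps the partition table intact. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECTOR_SIZE   512
#define MBR_CODE_SIZE 446   /* bytes 0..445: master boot code */
#define MBR_SIG_OFF   510   /* bytes 510..511: 0x55 0xAA */

/* Constructed status codes standing in for the driver's own values. */
typedef enum { READ_OK = 0, READ_FAILED_MALICIOUS = 1, READ_BAD_ARGS = 2 } read_status;

/* Constructed byte patterns standing in for real malware signatures. */
typedef struct { const uint8_t *bytes; size_t len; } signature;
static const uint8_t sig_a[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0x90, 0x90 };
static const uint8_t sig_b[] = { 'B', 'A', 'D', 'D', 'R', 'V' };
static const signature SIGNATURES[] = { { sig_a, sizeof sig_a }, { sig_b, sizeof sig_b } };
#define N_SIGNATURES (sizeof SIGNATURES / sizeof SIGNATURES[0])

/* Index of the first signature found in buf, or -1. The whole transfer is
 * scanned at once, so a pattern that straddles a sector boundary inside a
 * multi-sector read is still caught. */
int scan_for_signatures(const uint8_t *buf, size_t len) {
    for (size_t s = 0; s < N_SIGNATURES; s++) {
        size_t n = SIGNATURES[s].len;
        if (n == 0 || n > len) continue;
        for (size_t i = 0; i + n <= len; i++)
            if (memcmp(buf + i, SIGNATURES[s].bytes, n) == 0) return (int)s;
    }
    return -1;
}

/* Hooked read (S103/S104): copy `count` sectors starting at `lba` from
 * `disk` into `out`, unless the data contains a signature, in which case
 * nothing is copied and a failure is returned. `blocked` counts denied
 * reads so the driver can report them afterwards. */
read_status filtered_read(const uint8_t *disk, size_t disk_sectors,
                          uint32_t lba, uint32_t count, uint8_t *out,
                          unsigned *blocked) {
    if (count == 0 || (size_t)lba + count > disk_sectors) return READ_BAD_ARGS;
    const uint8_t *src = disk + (size_t)lba * SECTOR_SIZE;
    size_t len = (size_t)count * SECTOR_SIZE;
    if (scan_for_signatures(src, len) >= 0) {
        if (blocked) (*blocked)++;
        return READ_FAILED_MALICIOUS;   /* the caller sees a read error */
    }
    memcpy(out, src, len);
    return READ_OK;
}

/* Remediation: rebuild the MBR by replacing only the boot-code area with
 * clean code and restoring the signature, leaving the partition table
 * (bytes 446..509) untouched. */
void mbr_rebuild(uint8_t *mbr, const uint8_t *clean_code, size_t clean_len) {
    if (clean_len > MBR_CODE_SIZE) clean_len = MBR_CODE_SIZE;
    memset(mbr, 0, MBR_CODE_SIZE);
    memcpy(mbr, clean_code, clean_len);
    mbr[MBR_SIG_OFF] = 0x55;
    mbr[MBR_SIG_OFF + 1] = 0xAA;
}

/* Constructed 4-sector disk: sig_a in the MBR boot code (sector 0), benign
 * data in sector 1, sig_b straddling the boundary between sectors 2 and 3. */
#define DISK_SECTORS 4
void build_sample_disk(uint8_t *disk) {
    memset(disk, 0, DISK_SECTORS * SECTOR_SIZE);
    memcpy(disk, sig_a, sizeof sig_a);                       /* infected boot code */
    disk[446] = 0x80; disk[450] = 0x07;                      /* one active NTFS entry */
    disk[MBR_SIG_OFF] = 0x55; disk[MBR_SIG_OFF + 1] = 0xAA;
    memset(disk + SECTOR_SIZE, 'A', SECTOR_SIZE);            /* benign sector 1 */
    memcpy(disk + 3 * SECTOR_SIZE - 3, sig_b, sizeof sig_b); /* 3 bytes in sector 2, 3 in sector 3 */
}

int main(void) {
    uint8_t disk[DISK_SECTORS * SECTOR_SIZE], buf[2 * SECTOR_SIZE];
    unsigned blocked = 0;
    build_sample_disk(disk);
    read_status r1 = filtered_read(disk, DISK_SECTORS, 1, 1, buf, &blocked);
    read_status r2 = filtered_read(disk, DISK_SECTORS, 0, 1, buf, &blocked);
    read_status r3 = filtered_read(disk, DISK_SECTORS, 2, 2, buf, &blocked);
    printf("benign sector: %d, infected MBR: %d, straddling driver body: %d, blocked=%u\n",
           r1, r2, r3, blocked);
    const uint8_t clean[] = { 0xFA, 0x33, 0xC0 };            /* placeholder clean boot code */
    mbr_rebuild(disk, clean, sizeof clean);
    printf("MBR after rebuild: %d, partition flag 0x%02X\n",
           filtered_read(disk, DISK_SECTORS, 0, 1, buf, &blocked), disk[446]);
    return 0;
}
```

A single-sector read of sector 2 passes on its own because only three bytes of sig_b lie in it, which is why the filter scans the whole transfer rather than each sector in isolation.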
Corresponding to the method for handling Master Boot Record malware provided by the embodiment of the present invention, the embodiment also provides a device for handling Master Boot Record malware. Referring to Fig. 2, this device may specifically comprise:
a loading unit 201, for loading a security driver during kernel initialization in the process of starting the operating system;
a calling unit 202, for invoking the security driver after hard disk initialization has completed;
a monitoring unit 203, for monitoring disk read/write operations through the security driver after the security driver has been invoked;
a detecting unit 204, for inspecting the data being read or written when a disk read/write operation is detected and, if malicious code is found in that data, returning a disk read failure so as to sever the link between the malware in the Master Boot Record and the malicious driver in the disk partition.
In a specific implementation, the loading unit 201 may comprise:
a registry writing unit 2011, for registering the security driver in the operating system registry as a system-reserved type, so that the operating system loads the security driver during kernel initialization at start-up.
The calling unit 202 may comprise:
a callback registration unit, for registering a callback function with the system when the security driver is loaded, so that the operating system invokes the security driver after hard disk initialization has completed.
To further ensure the security of the user's computer, after the link between the malware in the MBR and the malicious driver on the disk has been severed, the malware in the MBR can also be removed; in that case the device may further comprise:
a clearing unit, for removing the malware from the Master Boot Record.
Because the MBR is located at head 0, track 0, sector 1 of the hard disk, is 512 bytes in size, belongs to no operating system and cannot be read with the disk commands provided by the operating system, removing the malware from the MBR can be achieved by means such as rebuilding the MBR; accordingly, the clearing unit comprises:
a rebuilding sub-unit, for rebuilding the Master Boot Record.
In addition, to further ensure the security of the user's computer, the device may further comprise:
a deleting unit, for deleting the malicious driver from the disk partition.
Because the malicious driver is simply stored in the disk partition, disk commands can be used to delete the malicious driver code from the disk partition.
In short, with the above device provided by the embodiment of the present invention, at an early stage of system start-up, after the MBR, the BOOTLOADER, BOOTMGR and the like have been initialized and while the system is initializing the kernel, the security driver is loaded and the system's disk read/write operations are then hooked; whenever a sector being read contains malicious code, a failure is returned, so the malicious driver cannot be loaded, the link between the MBR and the malicious driver is completely cut off, the MBR malware is rendered ineffective, and the residual MBR virus body can be handled easily.
In addition, the embodiment of the present invention also provides equipment for handling Master Boot Record malware. It should be noted that, in a specific implementation, the above equipment for handling Master Boot Record malware comprises a CPU, memory, a hard disk and other related parts such as a BIOS, and can effectively prevent malware appearing in the MBR region from damaging the computer system.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used with the teaching herein. From the above description, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the present invention described here, and the above description of a specific language is given in order to disclose the best mode of the present invention.
A large number of specific details are described in the specification provided here. It will be understood, however, that embodiments of the present invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the equipment of an embodiment may be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include certain features that are included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of them. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the equipment for handling Master Boot Record malware according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example a computer program or a computer program product) for performing part or all of the method described herein. Such a program implementing the present invention may be stored on a computer-readable medium or take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art may devise alternative embodiments without departing from the scope of the appended claims. In the claims, any reference symbols placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.

Claims (11)

1. A method for processing a malicious program in a Master Boot Record, comprising:
during start-up of an operating system, loading a safe driver while kernel initialization is performed;
calling the safe driver after hard disk initialization has finished;
monitoring read operations on a disk by means of the safe driver;
when a read/write operation on the disk is detected, intercepting the read/write data and performing security detection on it; if malicious code is detected in the read/write data, returning a disk read failure, so as to cut the link between the malicious program in the Master Boot Record and the malicious driver in the disk partition;
wherein loading the safe driver during start-up of the operating system while kernel initialization is performed comprises:
registering the safe driver in the registry of the operating system as a system-reserved type, so that the operating system loads the safe driver during start-up while kernel initialization is performed.
2. The method according to claim 1, wherein calling the safe driver after hard disk initialization has finished comprises:
when the safe driver is loaded, registering a callback function with the system, so that the safe driver is called by the operating system after hard disk initialization has finished.
3. The method according to claim 1, further comprising:
removing the malicious program from the Master Boot Record.
4. The method according to claim 3, wherein removing the malicious program from the Master Boot Record comprises:
rebuilding the Master Boot Record.
5. The method according to claim 1, further comprising:
deleting the malicious driver from the disk partition.
6. A device for processing a malicious program in a Master Boot Record, comprising:
a loading unit, configured to load a safe driver during start-up of an operating system while kernel initialization is performed;
a calling unit, configured to call the safe driver after hard disk initialization has finished;
a monitoring unit, configured to monitor read operations on a disk by means of the safe driver;
a detecting unit, configured to intercept the read/write data when a read/write operation on the disk is detected and perform security detection on it, and, if malicious code is detected in the read/write data, to return a disk read failure, so as to cut the link between the malicious program in the Master Boot Record and the malicious driver in the disk partition;
wherein the loading unit comprises:
a registry writing unit, configured to register the safe driver in the registry of the operating system as a system-reserved type, so that the operating system loads the safe driver during start-up while kernel initialization is performed.
7. The device according to claim 6, wherein the calling unit comprises:
a callback function registering unit, configured to register a callback function with the system when the safe driver is loaded, so that the safe driver is called by the operating system after hard disk initialization has finished.
8. The device according to claim 6, further comprising:
a clearing unit, configured to remove the malicious program from the Master Boot Record.
9. The device according to claim 8, wherein the clearing unit comprises:
a rebuilding sub-unit, configured to rebuild the Master Boot Record.
10. The device according to claim 6, further comprising:
a deleting unit, configured to delete the malicious driver from the disk partition.
11. An apparatus for processing a malicious program in a Master Boot Record, comprising the device for processing a malicious program in a Master Boot Record according to any one of claims 6 to 10.
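The claims describe the mechanism only in words. The following Python is an added illustration written for this page, not the patent's own code (which would be a Windows kernel-mode boot-start filter driver). It simulates in user mode the read hook of claims 1 and 6 (intercept the data of a disk read, scan it, and return a read failure instead of the data when malicious code is found) and the MBR rebuild of claims 4 and 9 (replace the bootstrap area of the MBR while keeping the partition table and boot signature). The disk image, the detection signature and the "clean bootstrap" bytes are constructed placeholders, not real malware indicators or real boot code; `filtered_read`, `rebuild_mbr` and the other names are this example's own.

```python
"""Added example: user-mode simulation of the safe driver's disk read hook and the
Master Boot Record rebuild step from the claims. Not the patent's driver code."""
import struct
from typing import List, NamedTuple, Sequence

SECTOR_SIZE = 512
BOOTSTRAP_END = 446           # bytes 0..445 of the MBR: bootstrap code
PART_TABLE_END = 510          # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

# Constructed signature; stands in for whatever detection rules a real driver applies.
SIGNATURES: List[bytes] = [b"EXAMPLE-MALICIOUS-DRIVER-MARKER"]


class DiskReadFailure(Exception):
    """Raised instead of returning data: the claim's 'return a disk read failure'."""


class PartitionEntry(NamedTuple):
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def contains_malicious_code(data: bytes, signatures: Sequence[bytes]) -> bool:
    """Security detection on intercepted data; here a plain byte-pattern scan."""
    return any(sig in data for sig in signatures)


def filtered_read(disk: bytes, lba: int, count: int,
                  signatures: Sequence[bytes] = SIGNATURES) -> bytes:
    """Simulates the safe driver on the disk read path: the read is served from
    'disk', and refused with a read failure if the data carries a signature."""
    start = lba * SECTOR_SIZE
    data = disk[start:start + count * SECTOR_SIZE]
    if len(data) != count * SECTOR_SIZE:
        raise DiskReadFailure(f"LBA {lba}: read beyond end of disk")
    if contains_malicious_code(data, signatures):
        raise DiskReadFailure(f"LBA {lba}: malicious code detected, read blocked")
    return data


def partition_entries(mbr: bytes) -> List[PartitionEntry]:
    """Parses the four partition entries of a 512-byte MBR, validating size and signature."""
    if len(mbr) != SECTOR_SIZE or mbr[PART_TABLE_END:] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        status, _, type_id, _, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, mbr, BOOTSTRAP_END + 16 * i)
        entries.append(PartitionEntry(status == 0x80, type_id, lba, count))
    return entries


def rebuild_mbr(infected_mbr: bytes, clean_bootstrap: bytes) -> bytes:
    """Rebuilds the MBR: replaces the bootstrap area with known-good code while
    keeping the partition table and boot signature, so the disk stays bootable."""
    partition_entries(infected_mbr)  # validates size and signature, raises if not an MBR
    if len(clean_bootstrap) > BOOTSTRAP_END:
        raise ValueError("bootstrap code does not fit in 446 bytes")
    bootstrap = clean_bootstrap.ljust(BOOTSTRAP_END, b"\x00")
    return bootstrap + infected_mbr[BOOTSTRAP_END:PART_TABLE_END] + BOOT_SIGNATURE


# Constructed stand-in for real boot code; a real rebuild writes the OS's standard MBR code.
CLEAN_BOOTSTRAP = b"CLEAN-BOOTSTRAP-PLACEHOLDER"


def build_sample_disk() -> bytes:
    """Constructed 8-sector disk image: sector 0 is an MBR whose bootstrap area carries
    the marker, sector 5 holds the 'malicious driver' body, all other sectors are zero."""
    bootstrap = (b"INFECTED-BOOTSTRAP " + SIGNATURES[0]).ljust(BOOTSTRAP_END, b"\x90")
    table = struct.pack(PART_ENTRY_FMT, 0x80, b"\0" * 3, 0x07, b"\0" * 3, 2048, 100_000)
    table += b"\x00" * 48  # three unused entries
    mbr = bootstrap + table + BOOT_SIGNATURE
    sectors = [mbr] + [b"\x00" * SECTOR_SIZE] * 7
    sectors[5] = (b"EXAMPLE-DRIVER-BODY " + SIGNATURES[0]).ljust(SECTOR_SIZE, b"\x00")
    return b"".join(sectors)


if __name__ == "__main__":
    disk = build_sample_disk()
    print("partition 0:", partition_entries(disk[:SECTOR_SIZE])[0])
    try:
        filtered_read(disk, 5, 1)  # the MBR malware's attempt to load its driver body
    except DiskReadFailure as exc:
        print("blocked:", exc)
    fixed = rebuild_mbr(disk[:SECTOR_SIZE], CLEAN_BOOTSTRAP)
    print("marker gone after rebuild:", not contains_malicious_code(fixed, SIGNATURES))
```

In a real filter driver the refusal would be surfaced as the I/O request's error status rather than a Python exception, and the scan would run on the buffer of the completed request. The rebuild preserves bytes 446 to 511 deliberately: overwriting the whole sector with generic boot code would destroy the partition table and leave the machine unbootable even though the malicious bootstrap is gone.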
CN201210380353.XA 2012-09-29 2012-09-29 The method that Main Boot Record rogue program is processed and device Active CN102867141B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201210380353.XA CN102867141B (en) 2012-09-29 2012-09-29 The method that Main Boot Record rogue program is processed and device
PCT/CN2013/084467 WO2014048367A1 (en) 2012-09-29 2013-09-27 Method and apparatus for processing malicious program in master boot record

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210380353.XA CN102867141B (en) 2012-09-29 2012-09-29 The method that Main Boot Record rogue program is processed and device

Publications (2)

Publication Number Publication Date
CN102867141A CN102867141A (en) 2013-01-09
CN102867141B true CN102867141B (en) 2016-03-30

Family

ID=47446008

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210380353.XA Active CN102867141B (en) 2012-09-29 2012-09-29 The method that Main Boot Record rogue program is processed and device

Country Status (1)

Country Link
CN (1) CN102867141B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014048367A1 (en) * 2012-09-29 2014-04-03 北京奇虎科技有限公司 Method and apparatus for processing malicious program in master boot record
CN103955649B (en) * 2014-05-23 2017-03-08 南方电网科学研究院有限责任公司 A kind of method of clean boot terminal unit
CN104834861B (en) * 2015-05-12 2018-10-02 腾讯科技(深圳)有限公司 The checking and killing method and device of wooden horse
CN105426750A (en) * 2015-12-03 2016-03-23 致象尔微电子科技(上海)有限公司 Startup method of embedded system, and embedded device
CN115061734A (en) * 2019-07-12 2022-09-16 华为技术有限公司 System starting method and related equipment
CN110457899B (en) * 2019-08-12 2021-06-01 北京无线电测量研究所 Operating system protection system and method
CN112579330B (en) * 2019-09-30 2024-02-06 奇安信安全技术(珠海)有限公司 Processing method, device and equipment for abnormal data of operating system
CN110955885B (en) * 2019-11-28 2022-11-22 亚信科技(成都)有限公司 Data writing method and device
CN111008378B (en) * 2019-11-29 2023-08-01 四川效率源信息安全技术股份有限公司 Method for cleaning malicious codes in hard disk firmware area
CN114691229B (en) * 2020-12-14 2023-09-26 北京奇艺世纪科技有限公司 Application program self-starting method and device and electronic equipment
CN115828246B (en) * 2023-01-09 2023-05-16 中国人民解放军61660部队 Offline malicious program and behavior monitoring method, device, medium and equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101479709A (en) * 2006-06-30 2009-07-08 微软公司 Identifying malware in a boot environment
US7565523B2 (en) * 2005-04-15 2009-07-21 Samsung Electronics Co., Ltd. Apparatus and method for restoring master boot record infected with virus
CN102930201A (en) * 2012-09-29 2013-02-13 北京奇虎科技有限公司 Method and device for processing rogue program of master boot record

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7565523B2 (en) * 2005-04-15 2009-07-21 Samsung Electronics Co., Ltd. Apparatus and method for restoring master boot record infected with virus
CN101479709A (en) * 2006-06-30 2009-07-08 微软公司 Identifying malware in a boot environment
CN102930201A (en) * 2012-09-29 2013-02-13 北京奇虎科技有限公司 Method and device for processing rogue program of master boot record

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Computer virus protection technology based on access control and monitoring of dynamic virus behaviour; Wu Yongsen; Journal of Computer Research and Development; 1995-03-31; vol. 32, no. 3; page 57 lines 6 to 31, page 58 line 31 to page 59 line 40 *

Also Published As

Publication number Publication date
CN102867141A (en) 2013-01-09

Similar Documents

Publication Publication Date Title
CN102867141B (en) The method that Main Boot Record rogue program is processed and device
CN102930201B (en) The method that Main Boot Record rogue program is processed and device
US7886190B2 (en) System and method for enabling seamless boot recovery
CN103718165B (en) BIOS flash memory attack protection and notice
US8539584B2 (en) Rootkit monitoring agent built into an operating system kernel
EP1434135B1 (en) Method for backing up and recovering data in the hard disk of a computer
US6915420B2 (en) Method for creating and protecting a back-up operating system within existing storage that is not hidden during operation
US7962956B1 (en) Evaluation of incremental backup copies for presence of malicious codes in computer systems
US8806476B2 (en) Implementing a software installation process
US7774636B2 (en) Method and system for kernel panic recovery
CN104008340B (en) Virus scanning and killing method and device
US20120066546A1 (en) System recovery method and computing apparatus having system recovery function
US20120030766A1 (en) Method and system for defining a safe storage area for use in recovering a computer system
US8495741B1 (en) Remediating malware infections through obfuscation
CA2442947A1 (en) System and method for restoring computer systems damaged by a malicious computer program
US20110162077A1 (en) Protecting persistent secondary platform storage against attack from malicious or unauthorized programs
JP2009238153A (en) Malware handling system, method, and program
US20140317742A1 (en) Hypervisor-based buffer overflow detection and prevention
KR101064164B1 (en) Kernel integrity inspection and the recovery method on linux kernel based smart platform
WO2009144602A1 (en) Protection and security provisioning using on-the-fly virtualization
US10114747B2 (en) Systems and methods for performing operations on memory of a computing device
EP2729893B1 (en) Security method and apparatus
KR100613126B1 (en) Method and apparatus for deleting virus code, and information storage medium storing a program thereof
US9804932B2 (en) Method and device for processing data and electronic apparatus
CN104834861B (en) The checking and killing method and device of wooden horse

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20220708

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co., Ltd