CN102999725B - Malicious code processing method and system - Google Patents

Publication number
CN102999725B
Authority
CN
China
Prior art keywords
operating system
external storage
terminal
boot option
boot file
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201210540960.8A
Other languages
Chinese (zh)
Other versions
CN102999725A (en
Inventor
马贞辉
谭合力
邵坚磊
姚彤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201210540960.8A
Publication of CN102999725A
Application granted
Publication of CN102999725B
Legal status: Active

Abstract

The invention discloses a malicious code processing method and system, to solve the problem that malicious code cannot be scanned for and removed after a terminal has been infected by it. The system comprises a terminal and an external storage device: a first operating system is configured on the terminal, a second operating system is configured on the external storage device, and security software is configured in the second operating system. The terminal comprises an adding module and a startup module. The external storage device comprises a scan-and-remove module, which starts the security software in the second operating system and scans for and removes the malicious code on the terminal. The adding module comprises: a writing submodule, which writes a boot file to the system disk of the terminal, the boot file pointing to the second operating system; and an adding submodule, which adds a boot option to the boot menu of the terminal, the boot option pointing to the boot file.

Description

Malicious code processing method and system
Technical field
The present invention relates to computer security technology, and in particular to a malicious code processing method and system.
Background
After a terminal is infected by malicious code such as a virus or Trojan, the malicious code can invade the terminal's operating system, destroy data on the hard disk, and so on. In the startup sequence of the terminal's operating system, the security software's process usually comes after the malicious code's process, so the malicious code's process can run its driver before the security software's process does.
Because the malicious code's process runs its driver first, it can perform operations in the system to avoid being scanned for and removed. For example, the malicious code can hide its own files, processes, modules and other data, so that the security software cannot find the malicious code's data when it scans the system. As another example, the malicious code can attack the operating system, modify the security software's trusted zone, block the security software from connecting to the network, modify the security software's scan results, and so on, so that the security software fails to load or fails to remove it, and the malicious code thereby avoids removal.
Therefore, once a terminal is infected by malicious code, the security software can become ineffective and can no longer guarantee the safety of the terminal.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a malicious code processing system, and a corresponding malicious code processing method, that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a malicious code processing method is provided. A first operating system is configured on a terminal, a second operating system is configured on an external storage device, and security software is installed in the second operating system. The method comprises:
Adding a boot option for the second operating system to the boot menu of the terminal in advance;
After entering the boot menu of the terminal, selecting the boot option of the second operating system, so as to enter the second operating system configured on the storage device;
Starting the security software in the second operating system and scanning the terminal to find and remove malicious code;
Wherein adding the boot option for the second operating system to the boot menu of the terminal in advance comprises: writing a boot file to the system disk of the terminal, the boot file pointing to the second operating system; and adding a boot option to the boot menu of the terminal, the boot option pointing to the boot file.
In an embodiment of the present invention, selecting the boot option of the second operating system so as to enter the second operating system configured on the storage device comprises: triggering the boot file by selecting the boot option of the second operating system; using the boot file to search for the external storage device; and reading the data or configuration files on the external storage device and starting the second operating system.
In an embodiment of the present invention, the external storage device has one of several device types, and using the boot file to search for the external storage device comprises: the boot file triggering a system boot file to obtain the hardware devices of the terminal; and searching those hardware devices for the external storage device according to a device type parameter.
In an embodiment of the present invention, the external storage device is a bootable storage device, so a Master Boot Record exists on it. Reading the data or configuration files on the external storage device and starting the second operating system comprises: reading the data or configuration files of the external storage device and checking whether the Master Boot Record exists; and, if the Master Boot Record exists, starting the Master Boot Record and entering the second operating system.
In an embodiment of the present invention, reading the data or configuration files of the external storage device and checking whether the Master Boot Record exists comprises: reading the data or configuration files of any sector of the external storage device; and determining whether the Master Boot Record exists according to the type of each partition table in the sector.
In an embodiment of the present invention, the external storage device is a removable disk, including: a USB flash drive, a portable hard drive, a mobile phone, a wireless Internet access terminal and a memory card.
According to another aspect of the present invention, a malicious code processing system is provided, comprising a terminal and an external storage device, wherein a first operating system is configured on the terminal, a second operating system is configured on the external storage device, and security software is configured in the second operating system;
The terminal comprises:
An adding module, for adding a boot option for the second operating system to the boot menu in advance;
A startup module, for selecting the boot option of the second operating system after the boot menu of the terminal is entered, so as to enter the second operating system configured on the storage device;
The external storage device comprises:
A scan-and-remove module, for starting the security software in the second operating system and scanning for and removing the malicious code on the terminal;
Wherein the adding module comprises: a writing submodule, for writing a boot file to the system disk of the terminal, the boot file pointing to the second operating system; and an adding submodule, for adding a boot option to the boot menu of the terminal, the boot option pointing to the boot file.
In an embodiment of the present invention, the startup module comprises: a trigger module, for triggering the boot file by selecting the boot option of the second operating system; a search submodule, for using the boot file to search for the external storage device; and a reading submodule, for reading the data or configuration files on the external storage device and starting the second operating system.
In an embodiment of the present invention, the external storage device has one of several device types. The search submodule is specifically used for the boot file to trigger a system boot file and obtain the hardware devices of the terminal, and to search those hardware devices for the external storage device according to a device type parameter.
In an embodiment of the present invention, the external storage device is a bootable storage device, so a Master Boot Record exists on it, and the external storage device further comprises a bootstrap module, for entering the second operating system according to the Master Boot Record. The reading submodule is then specifically used to read the data or configuration files of the external storage device and check whether the Master Boot Record exists, and, if the Master Boot Record exists, to start the Master Boot Record.
In an embodiment of the present invention, the reading submodule is specifically used to read the data or configuration files of any sector of the external storage device, and to determine whether the Master Boot Record exists according to the type of each partition table in the sector.
In an embodiment of the present invention, the external storage device is a removable disk, including: a USB flash drive, a portable hard drive, a mobile phone, a wireless Internet access terminal and a memory card.
In the embodiments of the present invention, a first operating system is configured on the terminal, a second operating system is configured on the external storage device, and security software is installed in the second operating system. A boot option for the second operating system can therefore be added to the boot menu of the terminal, so that the second operating system is entered when the terminal starts and its security software scans the terminal to find and remove malicious code. While the first operating system of the terminal is in use, the data of the second operating system can be kept isolated from the terminal, so even if the terminal is invaded by malicious code, the data in the second operating system is safe, and the security software in it can therefore protect the data on the terminal.
The above is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the invention become more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:
Fig. 1 shows a flowchart of a malicious code processing method according to an embodiment of the invention;
Fig. 2 shows a flowchart of a method for entering the second operating system according to an embodiment of the invention;
Fig. 3 shows a flowchart of the boot file's operation in an embodiment of the invention;
Fig. 4 shows a structural diagram of a malicious code processing system according to an embodiment of the invention;
Fig. 5 shows a structural diagram of a terminal according to an embodiment of the invention.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure can be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope conveyed completely to those skilled in the art.
After a terminal is infected by malicious code such as a virus or Trojan, the malicious code can invade the terminal's operating system, destroy data on the hard disk, steal user information, and so on. To protect the safety of data and the privacy of the user, security software can therefore be used to scan for and remove the virus. Security software is a class of program tools that can remove all known malicious code that is harmful to a computer, such as viruses and Trojans; examples are antivirus software, system tools and anti-rogue-software tools.
However, to avoid being removed, malicious code usually changes the startup sequence of the terminal's operating system so that the malicious process is at the front of the sequence. The security software's process then comes after the malicious code's process, so the malicious code's process can run its driver before the security software's process does.
Because the malicious code's process runs its driver first, it can perform operations in the system to avoid being scanned for and removed. For example, the malicious code can hide its own files, processes, modules and other data, so that the security software cannot find the malicious code's data when it scans the system. As another example, the malicious code can attack the operating system, modify the security software's trusted zone, block the security software from connecting to the network, modify the security software's scan results, and so on, so that the security software fails to load or fails to remove it, and the malicious code thereby avoids removal.
Therefore, once a terminal is infected by malicious code, the security software can become ineffective and can no longer guarantee the safety of the terminal.
To address this situation, the embodiments of the present invention provide a malicious code processing method that introduces an operating system on an external storage device for the terminal, so that the security software in that operating system scans the terminal and removes the malicious code on it.
In the embodiments of the present invention, the operating system on the terminal is called the first operating system and the operating system on the external storage device is called the second operating system. Security software is installed in the second operating system, so that this security software can be used to protect the safety of data. Of course, antivirus software can also be installed in the first operating system, so that data security on the terminal is maintained while the first operating system is in use.
Accordingly, a first operating system is configured on the terminal, a second operating system is configured on the external storage device, and security software is installed in the second operating system. The first and second operating systems can be Windows, Linux and so on; the embodiments of the present invention place no limit on this.
Fig. 1 shows a flowchart of a malicious code processing method according to one embodiment of the invention.
Step 101: add a boot option for the second operating system to the boot menu of the terminal in advance.
After infection, the security software in the terminal's first operating system can no longer protect the system, so to keep the data on the terminal safe, an external second operating system can be introduced. The second operating system is configured on an external storage device, so its data is independent of the terminal. If the external storage device is not connected when the terminal is infected by malicious code, the second operating system is not infected, that is, the data in the second operating system is safe.
Once the terminal calls the second operating system, it can use the security software in the second operating system to scan the data on the terminal and on the external storage device, protecting the data on both. Here, the terminal calling the second operating system can be understood as starting and entering the second operating system on the terminal.
When the terminal starts, it first enters the boot menu, where a boot option selects what to enter, such as safe mode, the first operating system or the second operating system. A boot option for the second operating system is therefore added to the boot menu of the terminal in advance: a boot option is added to the boot menu and made to point to the second operating system on the external storage device.
In the embodiments of the present invention, adding the boot option for the second operating system to the boot menu of the terminal in advance comprises:
Writing a boot file to the system disk of the terminal, the boot file pointing to the second operating system; and adding a boot option to the boot menu of the terminal, the boot option pointing to the boot file.
First, the boot file can be written to the system disk of the terminal, for example by using WriteFile to place the boot file on the system disk. The system disk is one of the terminal's hard disks and is mainly used to store the data of the terminal's operating system, for example drive C. The boot file is used to boot into the corresponding operating system and is an executable file.
In the embodiments of the present application, the boot file points to the second operating system on the external storage device; that is, once the boot file is called, it can be used to boot into the second operating system.
Then a boot option can be added to the boot menu of the terminal and pointed at the boot file, so that the boot file can subsequently be reached through that boot option. Specifically, the operation for adding a boot option to the boot menu differs depending on the first operating system.
Taking Windows as an example: if the first operating system is Windows XP or Windows 2003, the system file boot.ini can be used to add the boot option. Specifically, when boot.ini is used, the system's application programming interface (API) can be called to add the boot entry; the APIs may include GetPrivateProfileInt, WritePrivateProfileString, GetPrivateProfileString and WritePrivateProfileTnt.
As another example, on Windows Vista, Windows 7 and Windows 8, the system tool bcdedit.exe can be used to add the boot option. The bcdedit.exe functions used may include: 1. copy {current}; 2. displayorder; 3. addlast.
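From the defender's side, a boot option added this way is visible in boot.ini as an entry whose target is a file on the system disk rather than an ARC partition path. The following is an added example, not code from the patent: it audits a boot.ini and lists such entries. The sample file, the boot file name `C:\RESCUE.BIN` and the allowlist are constructed assumptions.

```python
import re

# Constructed sample boot.ini; C:\RESCUE.BIN is a hypothetical boot file name.
SAMPLE_BOOT_INI = r'''[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
C:\RESCUE.BIN="Rescue system on external storage"
'''

# An ARC path names the partition that holds a Windows installation.
ARC_PATH = re.compile(
    r'^(multi|scsi|signature)\(\w+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)',
    re.I)
# A drive-letter target makes NTLDR load that file as a boot sector and run it.
FILE_PATH = re.compile(r'^[A-Za-z]:\\')

# Boot files the administrator expects; the Recovery Console is the usual one.
DEFAULT_ALLOWLIST = (r'C:\CMDCONS\BOOTSECT.DAT',)


def parse_boot_ini(text):
    """Return (default_target, entries); each entry is (target, label, switches)."""
    section, default, entries = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            continue
        target, sep, value = line.partition('=')
        if not sep:
            continue
        target, value = target.strip(), value.strip()
        if section == 'boot loader' and target.lower() == 'default':
            default = value
        elif section == 'operating systems':
            m = re.match(r'"([^"]*)"\s*(.*)$', value)
            label, switches = (m.group(1), m.group(2)) if m else (value, '')
            entries.append((target, label, switches))
    return default, entries


def classify(target):
    """Say whether a boot option targets a partition or a file on disk."""
    if ARC_PATH.match(target):
        return 'arc'
    if FILE_PATH.match(target):
        return 'boot-file'
    return 'unknown'


def audit(text, allowlist=DEFAULT_ALLOWLIST):
    """List boot options that are neither ARC paths nor allowlisted boot files."""
    allowed = {p.lower() for p in allowlist}
    default, entries = parse_boot_ini(text)
    findings = []
    for target, label, _switches in entries:
        kind = classify(target)
        if kind == 'arc' or target.lower() in allowed:
            continue
        findings.append({
            'target': target,
            'label': label,
            'kind': kind,
            # A file-based entry set as the default boots without a menu choice.
            'is_default': default is not None
                          and default.lower() == target.lower(),
        })
    return findings


if __name__ == '__main__':
    for finding in audit(SAMPLE_BOOT_INI):
        print(finding)
```

Each finding names a file that runs before any operating system loads, so it is worth hashing and comparing against a known-good copy.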
Step 102: after entering the boot menu of the terminal, select the boot option of the second operating system, so as to enter the second operating system configured on the storage device.
Once the boot option of the second operating system has been added to the boot menu of the terminal, the terminal can be started and, after its boot menu is entered, the boot option of the second operating system selected. This triggers the boot file that the boot option points to, and the boot file then leads into the second operating system on the external storage device.
Fig. 2 shows a flowchart of a method for entering the second operating system according to one embodiment of the invention.
Selecting the boot option of the second operating system so as to enter the second operating system configured on the storage device comprises:
Step 201: trigger the boot file by selecting the boot option of the second operating system.
After the terminal starts and enters the boot menu, the boot option of the second operating system can be selected. That boot option points to the boot file, so the boot file is triggered.
Step 202: use the boot file to search for the external storage device.
Once the boot file has been triggered, it performs the relevant operations according to its configuration. Specifically, the boot file first searches for the external storage device.
Different files can be distinguished by file suffix, such as .exe and .ini, so the boot file configured in the embodiments of the present invention can be found by name, suffix and so on.
In practice, hardware devices are of many types, such as hard disks, external storage devices, video cards, sound cards, network cards, displays, keyboards, mice and printers, or USB flash drives, portable hard drives, mobile phones, wireless Internet access terminals and memory cards.
A device type parameter can therefore be used in the terminal to distinguish each hardware device.
As technology develops, external storage devices have also become more and more varied, for example magnetic disks and hard disks, or USB flash drives and DVD discs. Device type can therefore be used to distinguish different external storage devices: the external storage device has one of several device types, and a device type parameter can be used in the terminal to mark the device type of each external storage device.
Using the boot file to search for the external storage device comprises:
The boot file triggering a system boot file to obtain the hardware devices of the terminal; and searching those hardware devices for the external storage device according to the device type parameter.
The system boot file may be NTDETECT.COM, which collects information about each hardware device in the terminal and thereby enumerates the hardware devices in the terminal.
For example, NTDETECT.COM can collect hardware information of the following types: system firmware information such as the time and date; the type of bus adapter; the type of video adapter; keyboard; communication ports; disks; floppy disks; input devices such as a mouse; parallel ports; and ISA devices installed in ISA slots. An operating system such as Windows XP can also show the user the progress of Windows startup on screen, and so on.
In the embodiments of the present invention, the boot file triggers the system boot file, which can enumerate the hardware devices in the terminal according to each device type parameter, obtaining the hardware devices of every type in the terminal. The external storage device of each device type can of course then be found among those hardware devices according to the device type parameter, for example by searching for magnetic disks or hard disks, or even, in more detail, for USB-type flash drives.
Step 203: read the data on the external storage device and start the second operating system.
The data on the external storage device can then be read to obtain the startup-related data and start the second operating system.
In the embodiments of the present invention, the external storage device is a bootable storage device, so a Master Boot Record exists on it.
A bootable storage device is a storage device that can be booted to perform startup and similar operations. A bootable storage device therefore contains a Master Boot Record (MBR), also called the master boot program. The term MBR is generally used in a broad and a narrow sense: in the broad sense the MBR is the whole sector (boot program, partition table and delimiter mark), while in the narrow sense it refers only to the boot program.
When the terminal is powered on and the mainboard self-test completes, the MBR is in the position that is read first: head 0, track 0, sector 1 of the hard disk. It is 512 bytes in size, does not belong to any operating system, and cannot be read with the disk commands that an operating system provides. Most of the boot-sector viruses that were rampant in the DOS era resided here.
Reading the data or configuration files on the external storage device and starting the second operating system then comprises:
Reading the data or configuration files of the external storage device and checking whether the Master Boot Record exists; and, if the Master Boot Record exists, starting the Master Boot Record and entering the second operating system.
Several external storage devices may be inserted in the terminal, so they can be searched one by one: the data or configuration files of each external storage device are read in turn and checked for the MBR. If the MBR does not exist, the next external storage device is read and checked. If the MBR exists, it is started, and the second operating system can be entered through it.
Further, reading the data or configuration files of the external storage device and checking whether the Master Boot Record exists comprises:
Reading the data or configuration files of any sector of the external storage device; and determining whether the Master Boot Record exists according to the type of each partition table in the sector.
Take the first sector as an example. It is the first sector of the storage device, it is normally 512 bytes, and its last 2 bytes are 55AA. In the embodiments of the present invention, when the boot file is written to the system disk of the terminal, the external storage device can also be inserted and boot-related data written to it; for example, a custom mark such as 360F can be written into the 3rd and 4th bytes from the end of the first sector. Then, when the boot file finds the external storage device and reads the data or configuration files in the first sector, it can check whether the 3rd and 4th bytes from the end are 360F. If they are, a complete boot program is considered to exist, that is, the Master Boot Record exists. The external storage device can also be configured as a bootable external storage device, that is, one that can start by itself.
Suppose the Master Boot Record is configured in the first sector of the storage device. The first sector of the external storage device can then be located and the data or configuration files in it read. According to the type of each partition table in the first sector, and specifically according to the custom mark written to the external storage device in advance, the type of the partition table can be determined, and so whether bootable data exists, that is, whether the Master Boot Record exists.
Of course, the custom mark can also be written to other sectors of the external storage device, for example at some position in the second or third sector. So if no Master Boot Record is found in the first sector, other sectors can be searched as well. If the custom mark is written to another sector, the operation of looking for the Master Boot Record is essentially the same as looking in the first sector. The first sector is discussed only as an example and should not be understood as a limitation of the embodiments of the present invention.
For example, suppose the external storage device is a USB flash drive, which is one kind of USB-type disk. The data of the flash drive can be read; specifically, any sector of the flash drive is read and, according to the type of each partition table in that sector, checked for bootable data, that is, the MBR. Once the MBR is found, it can boot into the second operating system.
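The first-sector check described above can be worked through on bytes. The following is an added example, not code from the patent: it checks a 512-byte sector for the 55AA signature and the custom mark, and goes a little beyond the text by decoding the four partition entries. The byte order of the mark (0x36 then 0x0F), its position at offsets 508 and 509, the rule that both values must be present, and the sample sector and device names are assumptions or constructed values.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = bytes.fromhex('55aa')   # last 2 bytes of the sector
# Assumption: the mark "360F" is stored as the two bytes 0x36, 0x0F.
CUSTOM_MARK = bytes.fromhex('360f')
MARK_OFFSET = SECTOR_SIZE - 4            # 3rd and 4th bytes from the end
PART_TABLE_OFFSET = 446                  # four 16-byte partition entries
# status, CHS start, type, CHS end, first LBA, sector count (little-endian)
ENTRY = struct.Struct('<B3sB3sII')


def build_sample_sector(with_mark=True):
    """Constructed first sector holding one active FAT32 (0x0C) partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = ENTRY.pack(
        0x80, b'\x20\x21\x00', 0x0C, b'\xfe\xff\xff', 2048, 15_000_000)
    if with_mark:
        sector[MARK_OFFSET:MARK_OFFSET + 2] = CUSTOM_MARK
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_partitions(sector):
    """Decode all four partition entries, empty ones included."""
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = ENTRY.unpack_from(
            sector, PART_TABLE_OFFSET + 16 * i)
        parts.append({'index': i, 'active': status == 0x80, 'type': ptype,
                      'lba_start': lba, 'sectors': count})
    return parts


def inspect_sector(sector):
    """Report signature, custom mark and partition entries for one sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError('expected exactly one 512-byte sector')
    parts = parse_partitions(sector)
    has_sig = sector[510:512] == BOOT_SIGNATURE
    has_mark = sector[MARK_OFFSET:MARK_OFFSET + 2] == CUSTOM_MARK
    return {
        'boot_signature': has_sig,
        'custom_mark': has_mark,
        # Assumption: treat the device as bootable only when both are present.
        'bootable': has_sig and has_mark,
        'partitions': [p for p in parts if p['type'] != 0],
        # Offsets 508-509 are the top half of the 4th entry's sector count,
        # so the mark corrupts that entry if a 4th partition is defined.
        'mark_overlaps_partition': has_mark and parts[3]['type'] != 0,
    }


def find_bootable(devices):
    """Check each (name, first_sector) in turn; return the first bootable name."""
    for name, sector in devices:
        try:
            if inspect_sector(sector)['bootable']:
                return name
        except ValueError:
            continue   # short or unreadable sector: move to the next device
    return None


if __name__ == '__main__':
    devices = [('disk0', bytes(SECTOR_SIZE)),
               ('usb0', build_sample_sector(with_mark=False)),
               ('usb1', build_sample_sector())]
    print(find_bootable(devices), inspect_sector(devices[2][1]))
```

Because the mark sits inside the partition table, a sector carrying it shows a non-zero sector count in an otherwise empty fourth entry, which is a simple thing for a forensic check to look for.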
In practice, a terminal usually starts as follows:
1. The terminal is powered on and the mainboard runs its self-test;
2. The mainboard BIOS starts from a floppy disk, hard disk or CD-ROM drive according to the boot sequence specified on the terminal;
3. The BIOS reads the Master Boot Record (MBR) into memory;
4. The BIOS hands control to the MBR;
5. The MBR checks the state of the partition table and looks for the active partition;
6. The master boot program hands control to the boot record of the active partition, which loads the operating system's startup files and starts the corresponding operating system.
In the embodiments of the present invention, because the boot option selected on the terminal is that of the second operating system, in step 3 the BIOS reads the boot file into memory and then hands control to the boot file.
Fig. 3 shows a flowchart of the boot file's operation in the embodiments of the present invention.
Step 301: open the external storage device.
Step 302: read the data or configuration files of the first n boot sectors of the external storage device into memory at address X.
Here a boot sector can be understood as a sector of the external storage device. Because each sector stores 512 bytes of data, n*512 bytes are read into memory.
Step 303: jump to address X in memory, where the data or configuration files from the external storage device were loaded.
That is, the master boot program subsequently hands control to the boot record in those first n boot sectors.
Step 304: after the data or configuration files at address X have run, load the second operating system.
That is, after the boot record has run, it loads the startup files of the second operating system and starts the second operating system.
Step 103: start the security software in the second operating system and scan the terminal to detect and remove malicious code.
After entering the second operating system, the security software in it can be started and used to scan the data in the storage space of the terminal and of the external storage, thereby detecting whether malicious code such as a virus is present.
In this embodiment, when the first operating system of the terminal has been infected with malicious code and the security software of the first operating system can no longer protect the system, the terminal can be restarted with the external storage inserted so that it enters the second operating system, whose security software then detects and removes the malicious code.
Alternatively, the external storage can be inserted every time the terminal is started; after the terminal's startup items are entered, the startup option for the second operating system is selected so that the terminal enters the second operating system, whose security software detects and removes malicious code. Once it is confirmed that there is no problem, the first operating system is entered.
To keep the data in the second operating system safe throughout this process, so that its security software can in turn protect the data on the terminal, the external storage holding the second operating system can be kept isolated from the terminal until the second operating system is to be entered. While the terminal runs the first operating system, the external storage holding the second operating system is then not connected to the terminal, which keeps the data on the external storage safe.
In this embodiment the external storage is a removable disk, including: a flash drive, a portable hard drive, a mobile phone, a wireless Internet access terminal and a memory card.
For example, one piece of malicious code is the "Taobao visitor" driver trojan. After a terminal is infected with it, the trojan cuts off the terminal's network connection, while its driver hides the trojan's own files and processes. Because the network is down, the security software cannot connect to the cloud antivirus engine and therefore cannot remove the trojan.
In this embodiment, suppose the second operating system is a WinPE system. After the terminal is infected with malicious code such as the "Taobao visitor" driver trojan, the terminal can be restarted with the external storage inserted and then enter the WinPE system, where the security software is started to detect and remove the malicious code. The embodiment does not require the user to configure the BIOS manually, so operation is simple and convenient.
WinPE stands for Windows Preinstallation Environment (Windows PE), a minimal Win32 subsystem with limited services, based on the Windows XP Professional kernel running in protected mode. It contains the minimum functionality needed to run Windows Setup and scripts, connect to network shares, automate basic processes and perform hardware validation.
In summary, in the embodiments of the invention the terminal is configured with the first operating system and the external storage with the second operating system, in which security software is installed. A startup option for the second operating system can therefore be added to the terminal's startup items, so that the terminal enters the second operating system at start-up and uses its security software to scan the terminal and detect and remove malicious code. While the first operating system of the terminal is in use, the data of the second operating system is isolated from the terminal; even if the terminal is compromised by malicious code, the data in the second operating system remains safe, so the security software there can protect the data on the terminal.
Second, the embodiments can write a boot file to the system disk of the terminal and point the startup option added on the terminal at that boot file, so that the boot file leads into the second operating system. The method is simple to operate and completes the modification of the startup items automatically.
Third, the boot file can trigger a system boot file such as NTDETECT.COM to collect information about each hardware device in the terminal, enumerating the terminal's hardware devices and then locating the external storage by device type; the lookup method is simple.
Fourth, the external storage in the embodiments is a removable disk, including: a flash drive, a portable hard drive and a memory card. The variety is wide and meets the needs of all kinds of users.
Fig. 4 shows the structure of a malicious code processing system according to one embodiment of the invention.
An embodiment of the invention further provides a malicious code processing system comprising terminal 1 and external storage 2, where terminal 1 is configured with the first operating system and external storage 2 with the second operating system, in which security software is configured.
Terminal 1 comprises:
Adding module 11, for adding the startup option of the second operating system to the startup items in advance;
Starting module 12, for selecting the startup option of the second operating system after the terminal's startup items are entered, so as to enter the second operating system configured on the storage device;
External storage 2 comprises:
Detection and removal module 22, for starting the security software in the second operating system to detect and remove malicious code on the terminal.
Fig. 5 shows the structure of the terminal according to one embodiment of the invention.
In this embodiment, adding module 11 comprises:
Writing submodule 111, for writing a boot file to the system disk of the terminal, the boot file pointing to the second operating system;
Adding submodule 112, for adding a startup option to the terminal's startup items and pointing that startup option at the boot file.
In this embodiment, starting module 12 comprises:
Triggering submodule 121, for triggering the boot file by selecting the startup option of the second operating system;
Searching submodule 122, for using the boot file to search for the external storage;
Reading submodule 123, for reading the data or configuration file in the external storage and starting the second operating system.
In this embodiment the external storage has certain device types. Searching submodule 122 is specifically configured so that the boot file triggers a system boot file to obtain the hardware devices of the terminal, and the external storage is found among those hardware devices according to the device type parameter.
In this embodiment the external storage is a bootable storage device, and a Master Boot Record exists on the bootable storage device; external storage 2 then further comprises bootstrap module 21;
Bootstrap module 21, for entering the second operating system according to the Master Boot Record;
Reading submodule 122 is then specifically configured to read the data or configuration file of the external storage and check whether the Master Boot Record exists; if the Master Boot Record exists, it is started.
In this embodiment, reading submodule 122 is specifically configured to read the data or configuration file of any sector in the external storage and to determine, from the type of each partition table in that sector, whether the Master Boot Record exists.
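The check performed by the reading submodule (walk the attached external storages one by one, read a sector, decide from the partition table whether a Master Boot Record is present) is shown below in C. This is an added example, not code from the patent; the function names, the constructed sample sectors and the plausibility rules (0x55AA signature, status byte 0x00 or 0x80, at least one typed entry of non-zero length) are assumptions based on the standard MBR layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE   512
#define PT_OFFSET     446   /* partition table follows 446 bytes of boot code */
#define PT_ENTRIES    4
#define PT_ENTRY_SIZE 16

typedef struct {
    int      is_mbr;        /* 1 if the sector carries a plausible partition table */
    int      active_index;  /* first entry flagged active (0x80), or -1 */
    uint8_t  active_type;   /* partition type byte of that entry */
    uint32_t active_lba;    /* starting sector of that entry */
} mbr_info;

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decide from the partition-table entries whether sector 0 is an MBR. */
mbr_info inspect_sector0(const uint8_t *s)
{
    const mbr_info none = { 0, -1, 0, 0 };
    mbr_info r = none;
    int used = 0;

    if (s[510] != 0x55 || s[511] != 0xAA)
        return none;                        /* no boot signature at all */
    for (int i = 0; i < PT_ENTRIES; i++) {
        const uint8_t *e = s + PT_OFFSET + i * PT_ENTRY_SIZE;
        uint8_t status = e[0], type = e[4];

        if (status != 0x00 && status != 0x80)
            return none;                    /* boot code or text, not a table */
        if (type == 0x00)
            continue;                       /* unused slot */
        if (le32(e + 12) == 0)
            return none;                    /* typed entry with zero length */
        used++;
        if (status == 0x80 && r.active_index < 0) {
            r.active_index = i;
            r.active_type  = type;
            r.active_lba   = le32(e + 8);
        }
    }
    if (used == 0)
        return none;                        /* signature but empty table */
    r.is_mbr = 1;
    return r;
}

/* Walk the attached devices one by one; return the first index with an MBR. */
int find_first_mbr(uint8_t sectors[][SECTOR_SIZE], size_t count, mbr_info *out)
{
    for (size_t i = 0; i < count; i++) {
        mbr_info info = inspect_sector0(sectors[i]);
        if (info.is_mbr) {
            if (out) *out = info;
            return (int)i;
        }
    }
    return -1;                              /* no bootable external storage */
}

/* Constructed sample input: blank stick, unpartitioned stick, rescue disk. */
void build_samples(uint8_t dev[3][SECTOR_SIZE])
{
    memset(dev, 0, 3 * SECTOR_SIZE);
    /* dev[1]: volume boot record, signature present, text where the table would be */
    memset(dev[1] + PT_OFFSET, 'A', PT_ENTRIES * PT_ENTRY_SIZE);
    dev[1][510] = 0x55; dev[1][511] = 0xAA;
    /* dev[2]: MBR with one active FAT32-LBA (0x0C) partition at LBA 2048 */
    uint8_t *e = dev[2] + PT_OFFSET;
    e[0] = 0x80; e[4] = 0x0C;
    e[9] = 0x08;                                /* start LBA 2048, little-endian */
    e[12] = 0x40; e[13] = 0x42; e[14] = 0x0F;   /* 1,000,000 sectors */
    dev[2][510] = 0x55; dev[2][511] = 0xAA;
}

int main(void)
{
    uint8_t dev[3][SECTOR_SIZE];
    mbr_info info = { 0, -1, 0, 0 };
    build_samples(dev);
    int idx = find_first_mbr(dev, 3, &info);
    printf("first MBR on device %d, active entry %d, type 0x%02X, LBA %u\n",
           idx, info.active_index, info.active_type, (unsigned)info.active_lba);
    return 0;
}
```

The unpartitioned stick shows why the signature alone is not enough: a volume boot record also ends in 0x55AA, and only the partition-table check tells it apart from an MBR.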
In this embodiment the external storage is a removable disk, including: a flash drive, a portable hard drive, a mobile phone, a wireless Internet access terminal and a memory card.
In summary, in the embodiments of the invention the terminal is configured with the first operating system and the external storage with the second operating system, in which security software is installed. A startup option for the second operating system can therefore be added to the terminal's startup items, so that the terminal enters the second operating system at start-up and uses its security software to scan the terminal and detect and remove malicious code. While the first operating system of the terminal is in use, the data of the second operating system is isolated from the terminal; even if the terminal is compromised by malicious code, the data in the second operating system remains safe, so the security software there can protect the data on the terminal.
Second, the embodiments can write a boot file to the system disk of the terminal and point the startup option added on the terminal at that boot file, so that the boot file leads into the second operating system. The approach is simple to operate and completes the modification of the startup items automatically.
Third, the boot file can trigger a system boot file such as NTDETECT.COM to collect information about each hardware device in the terminal, enumerating the terminal's hardware devices and then locating the external storage by device type; the lookup method is simple.
Fourth, the external storage in the embodiments is a removable disk, including: a flash drive, a portable hard drive and a memory card. The variety is wide and meets the needs of all kinds of users.
The algorithms and displays provided here are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems can also be used with the teachings herein. From the description above, the structure required to construct such a system is apparent. Moreover, the invention is not directed at any particular programming language. It should be understood that the content of the invention described here can be implemented in various programming languages, and that the description given above for a specific language is intended to disclose the best mode of the invention.
Numerous specific details are set out in the description provided here. It will be understood, however, that embodiments of the invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the inventive aspects, features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments. This method of disclosure, however, should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single disclosed embodiment. The claims following the detailed description are therefore expressly incorporated into it, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment can be adaptively changed and placed in one or more devices different from that embodiment. The modules or units or components of an embodiment can be combined into one module or unit or component, and they can furthermore be divided into multiple submodules or subunits or subcomponents. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described here include certain features included in other embodiments rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The component embodiments of the invention can be implemented in hardware, in software modules running on one or more processors, or in a combination of the two. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components of the malicious code processing system according to embodiments of the invention. The invention can also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described here. Such a program implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words can be interpreted as names.

Claims (8)

1. A malicious code processing method, wherein a first operating system is configured on a terminal, a second operating system is configured on an external storage, security software is installed in the first operating system, security software is installed in the second operating system, and multiple external storages are inserted in the terminal, the method comprising:
Adding a startup option of the second operating system to the startup items of the terminal in advance;
After the startup items of the terminal are entered, selecting the startup option of the second operating system so as to enter the second operating system configured on the storage device;
Starting the security software in the second operating system and scanning the terminal to detect and remove malicious code;
Wherein adding the startup option of the second operating system to the startup items of the terminal in advance comprises:
Writing a boot file to the system disk of the terminal, the boot file pointing to the second operating system;
Adding a startup option to the startup items of the terminal and pointing the startup option at the boot file;
Wherein selecting the startup option of the second operating system so as to enter the second operating system configured on the storage device comprises: triggering, by selecting the startup option of the second operating system, the boot file to which the startup option points; using the boot file to search for the external storage; and reading the data or configuration file in the external storage and starting the second operating system;
The external storage is a bootable storage device on which a Master Boot Record exists, and reading the data or configuration file in the external storage and starting the second operating system comprises: searching the external storages one by one, reading the data or configuration file of each external storage in turn, and checking whether the Master Boot Record exists; if the Master Boot Record does not exist, continuing to read and check the next external storage; if the Master Boot Record exists, running the Master Boot Record to load the startup file of the second operating system and entering the second operating system.
2. The method of claim 1, wherein the external storage has certain device types, and using the boot file to search for the external storage comprises:
The boot file triggering a system boot file to obtain the hardware devices of the terminal;
Searching for the external storage among the hardware devices according to the device type parameter.
3. The method of claim 2, wherein reading the data or configuration file of the external storage and checking whether the Master Boot Record exists comprises:
Reading the data or configuration file of any sector in the external storage;
Determining, according to the type of each partition table in the sector, whether the Master Boot Record exists.
4. The method of any one of claims 1, 2 or 3, wherein the external storage is a removable disk, including: a flash drive, a portable hard drive, a mobile phone, a wireless Internet access terminal and a memory card.
5. A malicious code processing system comprising a terminal and an external storage, wherein a first operating system is configured on the terminal, a second operating system is configured on the external storage, security software is installed in the first operating system, and security software is configured in the second operating system; wherein multiple external storages are inserted in the terminal;
The terminal comprises:
An adding module, for adding the startup option of the second operating system to the startup items in advance;
A starting module, for selecting the startup option of the second operating system after the startup items of the terminal are entered, so as to enter the second operating system configured on the storage device;
The external storage comprises:
A detection and removal module, for starting the security software in the second operating system to detect and remove malicious code on the terminal;
Wherein the adding module comprises:
A writing submodule, for writing a boot file to the system disk of the terminal, the boot file pointing to the second operating system;
An adding submodule, for adding a startup option to the startup items of the terminal and pointing the startup option at the boot file;
Wherein the starting module comprises: a trigger module, for triggering, by selecting the startup option of the second operating system, the boot file to which the startup option points; a searching submodule, for using the boot file to search for the external storage; and a reading submodule, for reading the data or configuration file in the external storage and starting the second operating system;
The external storage is a bootable storage device on which a Master Boot Record exists, and reading the data or configuration file in the external storage and starting the second operating system comprises: searching the external storages one by one, reading the data or configuration file of each external storage in turn, and checking whether the Master Boot Record exists; if the Master Boot Record does not exist, continuing to read and check the next external storage; if the Master Boot Record exists, running the Master Boot Record to load the startup file of the second operating system and entering the second operating system.
6. The system of claim 5, wherein the external storage has certain device types;
The searching submodule is specifically configured so that the boot file triggers a system boot file to obtain the hardware devices of the terminal, and the external storage is found among the hardware devices according to the device type parameter.
7. The system of claim 6, wherein the reading submodule is specifically configured to read the data or configuration file of any sector in the external storage and to determine, according to the type of each partition table in the sector, whether the Master Boot Record exists.
8. The system of any one of claims 5, 6 or 7, wherein the external storage is a removable disk, including: a flash drive, a portable hard drive, a mobile phone, a wireless Internet access terminal and a memory card.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210540960.8A CN102999725B (en) 2012-12-13 2012-12-13 Malevolence code processing method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210540960.8A CN102999725B (en) 2012-12-13 2012-12-13 Malevolence code processing method and system

Publications (2)

Publication Number Publication Date
CN102999725A CN102999725A (en) 2013-03-27
CN102999725B true CN102999725B (en) 2016-01-06

Family

ID=47928280

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210540960.8A Active CN102999725B (en) 2012-12-13 2012-12-13 Malevolence code processing method and system

Country Status (1)

Country Link
CN (1) CN102999725B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105653955B (en) * 2015-12-30 2019-05-10 珠海豹趣科技有限公司 A kind of Malware processing method and processing device
CN106022111B (en) * 2016-07-13 2019-01-22 北京金山安全软件有限公司 Processing method and device for hiding pop-up window and electronic equipment
CN106203142A (en) * 2016-07-20 2016-12-07 杭州华澜微电子股份有限公司 A kind of method and device of the Primary Hard Drive data protecting computer
CN110532769A (en) * 2019-08-29 2019-12-03 亚信科技(成都)有限公司 A kind of method, communication device and system generating scanning log
CN111008378B (en) * 2019-11-29 2023-08-01 四川效率源信息安全技术股份有限公司 Method for cleaning malicious codes in hard disk firmware area
CN117093995B (en) * 2023-10-17 2024-02-06 深圳市科力锐科技有限公司 Virus program clearing method, device, equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1556448A (en) * 2003-12-31 2004-12-22 珠海金山软件股份有限公司 Mobile sterilization device and its manufacturing method
CN1648814A (en) * 2005-03-25 2005-08-03 张�林 Method for checking and killing new computer virus using independent operation system
CN1743990A (en) * 2005-08-12 2006-03-08 珠海金山软件股份有限公司 Transplatform virus detecting and killing method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100552630C (en) * 2006-10-25 2009-10-21 深圳市研祥智能科技股份有限公司 A kind of bootstrap technique of embedded type operating system mapping file and device


Also Published As

Publication number Publication date
CN102999725A (en) 2013-03-27


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220726

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right