CN103136475A - Method and device for detecting computer viruses - Google Patents


Info

Publication number: CN103136475A
Authority: CN (China)
Prior art keywords: api, operating system, system api, weights, default
Legal status: Granted
Application number: CN2011103885840A
Other languages: Chinese (zh)
Other versions: CN103136475B (en)
Inventor: 姚纪卫
Current assignee: Individual
Original assignee: Individual
Application filed by: Individual
Priority to: CN201110388584.0A (patent CN103136475B)
Publication of CN103136475A; application granted; publication of CN103136475B
Current legal status: Active

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention provides a method and a device for detecting computer viruses, aimed at the low efficiency of virus detection in the prior art. The method comprises a first step of counting, among the plurality of operating system application programming interfaces (APIs) called by the program under test, the number of APIs that belong to a preset API set, and a second step of outputting a message prompting that the program under test contains a computer virus when that number is larger than a preset value. This technical scheme helps detect computer viruses efficiently.

Description

A method and apparatus for checking for computer viruses
Technical field
The present invention relates to the field of computer technology, and in particular to a method and apparatus for checking for computer viruses.
Background technology
With the development of computer technology, computer viruses increasingly affect the data security and the experience of computer users. For this reason many computers have anti-virus software (also called virus-killing software, firewalls, etc.) installed to resist computer viruses. At present most anti-virus software checks for viruses by signature matching: it confirms that the file currently being scanned contains a virus by checking for a virus signature in it, and the efficiency of this way of checking for viruses is low.
In the prior art the efficiency of checking for computer viruses is low, and no effective solution to this problem has yet been proposed.
Summary of the invention
The main purpose of the present invention is to provide a method and apparatus for checking files, so as to solve the problem of the low efficiency of checking for computer viruses in the prior art.
To achieve this goal, according to one aspect of the present invention, a method for checking for computer viruses is provided.
The method for checking for computer viruses of the present invention is used to determine whether a program under test contains a computer virus, and comprises: counting, among the plurality of operating system application programming interfaces (APIs) called by the program under test, the number of operating system APIs that belong to a preset API set; and, when said number is greater than a preset value, outputting information prompting that the program under test contains a computer virus.
Further, counting, among the plurality of operating system application programming interfaces (APIs) called by the program under test, the number of operating system APIs that belong to the preset API set comprises: constructing a system API table, each entry of which holds the weight corresponding to an operating system API, where the weight corresponding to an operating system API that belongs to said preset API set is 1 and otherwise the corresponding weight is 0; and accumulating the weights in said system API table corresponding to the operating system APIs called by said program under test, taking the accumulated value as said number.
Further, counting, among the plurality of operating system application programming interfaces (APIs) called by the program under test, the number of operating system APIs that belong to the preset API set comprises: constructing a system API table, each entry of which holds the weight corresponding to an operating system API, where the weight corresponding to an operating system API that belongs to said preset API set is 1 and otherwise the corresponding weight is 0; accumulating the weights in said system API table corresponding to the operating system APIs called by said program under test and, in addition, counting the weights corresponding to the invoked operating system APIs that belong to a preset subset of said preset API set together as 1, taking the accumulated value as said number.
According to another aspect of the present invention, a device for checking for computer viruses is provided.
The device for checking for computer viruses of the present invention is used to determine whether a program under test contains a computer virus, and comprises: a statistics module, for counting, among the plurality of operating system application programming interfaces (APIs) called by the program under test, the number of operating system APIs that belong to a preset API set; and a judgement output module, for judging according to said number and, if said number is greater than a preset value, outputting information prompting that said program under test contains a computer virus.
Further, said statistics module is also used for: constructing a system API table, each entry of which holds the weight corresponding to an operating system API, where the weight corresponding to an operating system API that belongs to said preset API set is 1 and otherwise the corresponding weight is 0; and accumulating the weights in said system API table corresponding to the operating system APIs called by said program under test, taking the accumulated value as said number.
Further, said statistics module is also used for: constructing a system API table, each entry of which holds the weight corresponding to an operating system API, where the weight corresponding to an operating system API that belongs to said preset API set is 1 and otherwise the corresponding weight is 0; accumulating the weights in said system API table corresponding to the operating system APIs called by said program under test and, in addition, counting the weights corresponding to the invoked operating system APIs that belong to a preset subset of said preset API set together as 1, taking the accumulated value as said number.
According to the technical scheme of the present invention, the method checks for computer viruses according to how operating system APIs are called: if the number of calls a program makes to specific operating system APIs (namely those belonging to the preset API set) is too large (greater than the preset value), the program is determined to contain a computer virus. This method does not involve the large amount of computation required for signature matching, so its processing efficiency is higher; and because a virus cannot avoid calling operating system APIs in order to run normally, the various means by which computer viruses evade checks do not work against the method of this embodiment, so adopting the method of this embodiment also helps to find computer viruses effectively.
Description of drawings
The accompanying drawings are provided for further understanding of the present invention and form part of the application; the illustrative embodiments of the present invention and their explanation serve to explain the present invention and do not improperly limit it. In the drawings:
Fig. 1 is a schematic diagram of the basic steps of the method for checking for computer viruses according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the basic structure of the device for checking for computer viruses according to an embodiment of the present invention.
Embodiment
It should be noted that, as long as they do not conflict, the embodiments in the application and the features in the embodiments can be combined with each other. The present invention is described in detail below with reference to the drawings and in conjunction with the embodiments.
The method for checking for computer viruses of the embodiment of the present invention is executed by anti-virus software and can be carried out by the steps shown in Fig. 1. Fig. 1 is a schematic diagram of the basic steps of the method for checking for computer viruses according to the embodiment of the present invention. As shown in Fig. 1, the method mainly comprises the following steps:
Step S11: among the plurality of operating system application programming interfaces (APIs) called by the program under test, count the number of operating system APIs that belong to a preset API set.
Step S12: when said number is greater than a preset value, output information prompting that the program under test contains a computer virus.
The above steps are described further below.
In order to achieve its own purpose, for example destroying or stealing data in the computer, a computer virus uses certain specific system APIs, and tends to use more of this class of specific system APIs; normal programs, because the functions they perform are obviously different from those of viruses and Trojans, call this class of specific system APIs less frequently. Which APIs the above "specific system APIs" are can be determined by summarising experience: for example, for a number of programs known to be viruses and a number of programs known to contain no virus, the kinds of APIs they call can be counted separately, regularities found from this, and the above "specific system APIs" determined and preset as the API set in step S11.
Counting the APIs called by the above programs known to be viruses, or the APIs called by the program under test in step S11, can be carried out in a constructed simulated environment so as to avoid damage to the computer system. The anti-virus virtual machine used by many anti-virus software products today can be adopted: it simulates the characteristics of a certain operating system so that a program can run inside it, and its API calls can then be monitored and counted.
Specifically, a system API table can first be constructed, each entry of which holds the weight corresponding to an operating system API, where the weight corresponding to an operating system API that belongs to the above preset API set is 1 and otherwise the corresponding weight is 0. Then the weights in this system API table corresponding to the operating system APIs called by the program under test are accumulated, and the accumulated value is taken as the number in step S11.
Virus programs may also have a characteristic in how they call system APIs, namely that they call two APIs in coordination. That is, for certain APIs, a non-virus program calls the API on its own, whereas a virus program calls it before or after calling another specific API. The counting in step S11 can therefore take this characteristic into account.
Specifically, in addition to constructing the system API table and accumulating the weights in it corresponding to the operating system APIs called by the program under test, the weights corresponding to the invoked operating system APIs that belong to a preset subset of the preset API set are counted together as 1, and the accumulated value is taken as the number in step S11. The operating system APIs in the preset subset here are the specific APIs mentioned above, and which APIs they are can be determined from experience.
The device for checking for computer viruses in the present embodiment is explained below. Fig. 2 is a schematic diagram of the basic structure of the device for checking for computer viruses according to the embodiment of the present invention.
As shown in Fig. 2, the device 20 for checking for computer viruses in the embodiment of the present invention is used to determine whether a program under test contains a computer virus, and mainly comprises the following modules: statistics module 21, for counting, among the plurality of operating system application programming interfaces (APIs) called by the program under test, the number of operating system APIs that belong to a preset API set; and judgement output module 22, for judging according to said number and, if said number is greater than the preset value, outputting information prompting that said program under test contains a computer virus.
Statistics module 21 can also be used for: constructing a system API table, each entry of which holds the weight corresponding to an operating system API, where the weight corresponding to an operating system API that belongs to said preset API set is 1 and otherwise the corresponding weight is 0; and accumulating the weights in said system API table corresponding to the operating system APIs called by said program under test, taking the accumulated value as said number.
Statistics module 21 can also be used for: constructing a system API table, each entry of which holds the weight corresponding to an operating system API, where the weight corresponding to an operating system API that belongs to said preset API set is 1 and otherwise the corresponding weight is 0; accumulating the weights in said system API table corresponding to the operating system APIs called by said program under test and, in addition, counting the weights corresponding to the invoked operating system APIs that belong to a preset subset of said preset API set together as 1, taking the accumulated value as said number.
The present embodiment provides a method of checking for computer viruses according to how operating system APIs are called. This method does not involve the large amount of computation required for signature matching, so its processing efficiency is higher; and because a virus cannot avoid calling operating system APIs in order to run normally, the various means by which computer viruses evade checks do not work against the method of this embodiment, so adopting the method of this embodiment also helps to find computer viruses effectively.
Obviously, those skilled in the art should understand that each module or step of the present invention described above can be implemented with a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network formed by a plurality of computing devices; optionally, they can be implemented with program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; or they can be made into individual integrated circuit modules, or a plurality of the modules or steps can be made into a single integrated circuit module. Thus the present invention is not restricted to any specific combination of hardware and software.
The above are only preferred embodiments of the present invention and do not limit it; for those skilled in the art, the present invention can have various modifications and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
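The weighted-table counting of steps S11 and S12, together with the paired-subset variant just described, written out as an added Python example (not the patent's own code). The API names, the preset value of 2 and the sample call traces are constructed, and the reading of the subset rule as "all members called together count 1, a lone member counts 0" is an assumption.

```python
"""API-call counting virus check (steps S11/S12), added illustration only."""
from typing import Dict, Iterable, Set, Tuple

# Constructed "preset API set". The patent says it is chosen from experience by
# comparing which APIs known-clean and known-malicious programs call.
PRESET_API_SET: Set[str] = {
    "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    "SetWindowsHookExA", "RegSetValueExA", "URLDownloadToFileA", "WinExec",
}
# Constructed "preset subset" (claim 3): APIs a virus tends to call together,
# while a normal program calls at most one of them on its own.
PAIRED_SUBSET: Set[str] = {"WriteProcessMemory", "CreateRemoteThread"}
PRESET_VALUE = 2  # the patent's "preset value"; a constructed threshold

# All APIs the sandbox can observe (constructed); anything else gets weight 0.
OBSERVED_APIS = PRESET_API_SET | {
    "CreateFileA", "ReadFile", "WriteFile", "MessageBoxA", "GetTickCount",
}


def build_system_api_table(apis: Iterable[str], preset: Set[str]) -> Dict[str, int]:
    """Each table entry carries weight 1 if the API is in the preset set, else 0."""
    return {api: (1 if api in preset else 0) for api in apis}


def count_preset_calls(trace: Iterable[str], table: Dict[str, int],
                       paired: Set[str] = frozenset()) -> int:
    """Step S11: accumulate the weights of the distinct APIs the program called.

    With a non-empty `paired` subset its members are not summed one by one: the
    whole subset counts 1 only when every member was called (assumed reading of
    "counted together as 1"), because the description says a normal program
    calls such an API alone while a virus calls it with its partner.
    """
    called = set(trace)  # an API counts once, however many times it was called
    total = sum(table.get(api, 0) for api in called if api not in paired)
    if paired and paired <= called:
        total += 1
    return total


def check_program(trace: Iterable[str],
                  paired: Set[str] = frozenset()) -> Tuple[int, bool]:
    """Steps S11 + S12: return the count and whether the virus prompt is raised."""
    table = build_system_api_table(OBSERVED_APIS, PRESET_API_SET)
    count = count_preset_calls(trace, table, paired)
    return count, count > PRESET_VALUE


# Constructed API traces, as an anti-virus sandbox VM would record them.
BENIGN_TRACE = ["CreateFileA", "ReadFile", "WriteFile", "MessageBoxA",
                "RegSetValueExA", "CreateFileA"]
INJECTOR_TRACE = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                  "CreateRemoteThread", "GetTickCount"]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("injector", INJECTOR_TRACE)):
        count, flagged = check_program(trace, PAIRED_SUBSET)
        print(f"{name}: preset-API count={count}, virus prompt={flagged}")
```

Without the paired subset (claim 2) every preset API counts individually, so the injector trace scores 4; with it (claim 3) the pair collapses to a single count and the trace scores 3, still above the threshold.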

Claims (6)

1. A method for checking for computer viruses, used to determine whether a program under test contains a computer virus, characterised in that said method comprises:
counting, among the plurality of operating system application programming interfaces (APIs) called by the program under test, the number of operating system APIs that belong to a preset API set;
when said number is greater than a preset value, outputting information prompting that said program under test contains a computer virus.
2. The method according to claim 1, characterised in that counting, among the plurality of operating system application programming interfaces (APIs) called by the program under test, the number of operating system APIs that belong to the preset API set comprises:
constructing a system API table, each entry of said system API table holding the weight corresponding to an operating system API, wherein the weight corresponding to an operating system API that belongs to said preset API set is 1 and otherwise the corresponding weight is 0;
accumulating the weights in said system API table corresponding to the operating system APIs called by said program under test, and taking the accumulated value as said number.
3. The method according to claim 1, characterised in that counting, among the plurality of operating system application programming interfaces (APIs) called by the program under test, the number of operating system APIs that belong to the preset API set comprises:
constructing a system API table, each entry of said system API table holding the weight corresponding to an operating system API, wherein the weight corresponding to an operating system API that belongs to said preset API set is 1 and otherwise the corresponding weight is 0;
accumulating the weights in said system API table corresponding to the operating system APIs called by said program under test and, in addition, counting the weights corresponding to the invoked operating system APIs that belong to a preset subset of said preset API set together as 1, and taking the accumulated value as said number.
4. A device for checking for computer viruses, used to determine whether a program under test contains a computer virus, characterised in that said device comprises:
a statistics module, for counting, among the plurality of operating system application programming interfaces (APIs) called by the program under test, the number of operating system APIs that belong to a preset API set;
a judgement output module, for judging according to said number and, if said number is greater than a preset value, outputting information prompting that said program under test contains a computer virus.
5. The device according to claim 4, characterised in that said statistics module is further used for:
constructing a system API table, each entry of said system API table holding the weight corresponding to an operating system API, wherein the weight corresponding to an operating system API that belongs to said preset API set is 1 and otherwise the corresponding weight is 0;
accumulating the weights in said system API table corresponding to the operating system APIs called by said program under test, and taking the accumulated value as said number.
6. The device according to claim 4, characterised in that said statistics module is further used for:
constructing a system API table, each entry of said system API table holding the weight corresponding to an operating system API, wherein the weight corresponding to an operating system API that belongs to said preset API set is 1 and otherwise the corresponding weight is 0;
accumulating the weights in said system API table corresponding to the operating system APIs called by said program under test and, in addition, counting the weights corresponding to the invoked operating system APIs that belong to a preset subset of said preset API set together as 1, and taking the accumulated value as said number.

Priority Applications (1)

Application number: CN201110388584.0A (CN103136475B, en)
Priority date: 2011-11-29
Filing date: 2011-11-29
Title: A kind of method and apparatus for checking computer virus


Publications (2)

CN103136475A (en), published 2013-06-05
CN103136475B (en), published 2017-07-04

Family

ID=48496292


Country Status (1)

Country Link
CN (1) CN103136475B (en)


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1801030A (en) * 2004-12-31 2006-07-12 福建东方微点信息安全有限责任公司 Method for distinguishing baleful program behavior
CN1818823A (en) * 2005-02-07 2006-08-16 福建东方微点信息安全有限责任公司 Computer protecting method based on programm behaviour analysis
CN101013461A (en) * 2007-02-14 2007-08-08 白杰 Method of computer protection based on program behavior analysis
JP2010009296A (en) * 2008-06-26 2010-01-14 Fujitsu Ltd Software operation monitoring device and method
CN102034050A (en) * 2011-01-25 2011-04-27 四川大学 Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104252594A (en) * 2013-06-27 2014-12-31 贝壳网际(北京)安全技术有限公司 Virus detection method and device
CN106803040A (en) * 2017-01-18 2017-06-06 腾讯科技(深圳)有限公司 Virus signature processing method and processing device
CN106803040B (en) * 2017-01-18 2021-08-10 腾讯科技(深圳)有限公司 Virus characteristic code processing method and device
CN107315957A (en) * 2017-06-22 2017-11-03 宇龙计算机通信科技(深圳)有限公司 The control method and device of camera

Also Published As

Publication number Publication date
CN103136475B (en) 2017-07-04


Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of request for substantive examination)
GR01: Patent grant