CN103136475B - A kind of method and apparatus for checking computer virus - Google Patents


Info

Publication number: CN103136475B
Authority: CN (China)
Prior art keywords: api, system api, operating system, tested program, corresponding weights
Legal status: Active
Application number: CN201110388584.0A
Other languages: Chinese (zh)
Other versions: CN103136475A (en)
Inventor: 姚纪卫
Current assignee: Individual
Original assignee: Individual
Priority date and filing date: 2011-11-29
Publication dates: CN103136475A on 2013-06-05; CN103136475B on 2017-07-04
Events: application filed by Individual; publication of CN103136475A; application granted; publication of CN103136475B; current legal status Active

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention provides a method and apparatus for checking for computer viruses, intended to solve the problem that checking for computer viruses in the prior art is inefficient. The method includes: among the multiple operating system application programming interfaces (APIs) called by a tested program, counting the number of operating system APIs that belong to a preset API set; and, when that number exceeds a preset value, outputting a prompt message indicating that the tested program contains a computer virus. The technical scheme of the invention helps to detect computer viruses efficiently.

Description

Method and apparatus for checking for computer viruses
Technical field
The present invention relates to the field of computer technology, and in particular to a method and apparatus for checking for computer viruses.
Background technology
With the development of computer technology, computer viruses increasingly affect the data security and the user experience of computer users. For this reason many computers have antivirus software (or anti-virus software, firewalls, etc.) installed to resist computer viruses. At present, antivirus software mostly checks for viruses using signatures (feature codes): by checking for the signature of a virus it confirms whether the file currently being scanned contains that virus. This way of checking for viruses is relatively inefficient.
In the prior art, checking for computer viruses is inefficient, and no effective solution to this problem has yet been proposed.
Summary of the invention
The main object of the present invention is to provide a method and apparatus for checking files, in order to solve the problem that checking for computer viruses in the prior art is inefficient.
To achieve these goals, according to one aspect of the invention, a method for checking for computer viruses is provided.
The method for checking for computer viruses of the invention is used to determine whether a tested program contains a computer virus. The method includes: among the multiple operating system application programming interfaces (APIs) called by the tested program, counting the number of operating system APIs that belong to a preset API set; and, when that number exceeds a preset value, outputting a prompt message indicating that the tested program contains a computer virus.
Further, counting, among the multiple operating system application programming interfaces (APIs) called by the tested program, the number of operating system APIs that belong to the preset API set includes: constructing a system API table, each entry of which contains the weight corresponding to one operating system API, where the weight corresponding to an operating system API that belongs to the preset API set is 1 and the weight is 0 otherwise; and accumulating, over the system API table, the weights corresponding to the operating system APIs called by the tested program, taking the accumulated value as the number.
Further, counting, among the multiple operating system application programming interfaces (APIs) called by the tested program, the number of operating system APIs that belong to the preset API set includes: constructing a system API table, each entry of which contains the weight corresponding to one operating system API, where the weight corresponding to an operating system API that belongs to the preset API set is 1 and the weight is 0 otherwise; accumulating, over the system API table, the weights corresponding to the operating system APIs called by the tested program, and in addition counting as 1 the weight corresponding to an operating system API that is called together with an operating system API in a predetermined subset of the preset API set; and taking the accumulated value as the number.
According to another aspect of the present invention, an apparatus for checking for computer viruses is provided.
The apparatus for checking for computer viruses of the invention is used to determine whether a tested program contains a computer virus. The apparatus includes: a statistics module for counting, among the multiple operating system application programming interfaces (APIs) called by the tested program, the number of operating system APIs that belong to a preset API set; and a judgment output module for making a judgment according to that number and, if the number exceeds a preset value, outputting a prompt message indicating that the tested program contains a computer virus.
Further, the statistics module is also used to: construct a system API table, each entry of which contains the weight corresponding to one operating system API, where the weight corresponding to an operating system API that belongs to the preset API set is 1 and the weight is 0 otherwise; and accumulate, over the system API table, the weights corresponding to the operating system APIs called by the tested program, taking the accumulated value as the number.
Further, the statistics module is also used to: construct a system API table, each entry of which contains the weight corresponding to one operating system API, where the weight corresponding to an operating system API that belongs to the preset API set is 1 and the weight is 0 otherwise; accumulate, over the system API table, the weights corresponding to the operating system APIs called by the tested program, and in addition count as 1 the weight corresponding to an operating system API that is called together with an operating system API in a predetermined subset of the preset API set; and take the accumulated value as the number.
According to the technical scheme of the present invention, computer viruses are checked according to how operating system APIs are called: if the number of calls a program makes to specific operating system APIs (those belonging to the preset API set) is excessive (exceeds the preset value), the program is determined to contain a computer virus. This method does not involve the large amount of computation required for signature matching, so its processing efficiency is higher. Moreover, because a virus cannot avoid calling operating system APIs if it is to run normally, the various means by which computer viruses evade inspection fail against the method of this embodiment; using the method of this embodiment therefore also helps to check for computer viruses effectively.
Brief description of the drawings
The accompanying drawings are provided to give a further understanding of the present invention and form part of this application; the illustrative embodiments of the invention and their description serve to explain the invention and do not constitute an inappropriate limitation of it. In the drawings:
Fig. 1 is a schematic diagram of the basic steps of the method for checking for computer viruses according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the basic structure of the apparatus for checking for computer viruses according to an embodiment of the present invention.
Detailed description of the embodiments
It should be noted that, provided they do not conflict, the embodiments in this application and the features in those embodiments may be combined with one another. The present invention is described in detail below with reference to the accompanying drawings and in conjunction with the embodiments.
The method for checking for computer viruses of the embodiment of the present invention is performed by antivirus software, and its steps may be carried out as shown in Fig. 1. Fig. 1 is a schematic diagram of the basic steps of the method for checking for computer viruses according to an embodiment of the present invention. As shown in Fig. 1, the method for checking for computer viruses of the embodiment of the present invention mainly includes the following steps:
Step S11: among the multiple operating system application programming interfaces (APIs) called by the tested program, count the number of operating system APIs that belong to a preset API set.
Step S12: when that number exceeds a preset value, output a prompt message indicating that the tested program contains a computer virus.
The above steps are described further below.
A computer virus, in order to achieve its own purpose (for example destroying or stealing the data on a computer), uses certain specific system APIs, and often uses many such specific system APIs; normal programs, because the functions they perform differ markedly from those of viruses and trojans, call such specific system APIs comparatively rarely. Exactly which APIs the above "specific system APIs" are can be determined by summarising experience: for example, for a number of programs known to be viruses and programs known to be free of viruses, the kinds of APIs each calls can be counted separately, a pattern found among them, and the "specific system APIs" determined on that basis and preset as the API set of step S11.
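As an added illustration of how the preset API set of step S11 might be derived from labelled samples in the way the paragraph above describes (example code written for this page, not the patent's own implementation): the kinds of APIs called by known-virus and known-clean programs are counted separately, and an API is placed in the preset set when it appears in at least a given fraction of the virus samples and at most a given fraction of the clean samples. The patent names no specific APIs, sample programs or selection thresholds; the API names, sample call sets and rate thresholds below are constructed.

```python
"""Added example, not the patent's code: deriving the preset API set of step S11
from labelled samples by comparing per-API usage rates.

All API names, sample call sets and thresholds below are constructed for
illustration; the patent itself names none of them.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed labelled samples: (label, set of distinct API kinds the program called).
SAMPLES: List[Tuple[str, Set[str]]] = [
    ("virus", {"OpenProcess", "WriteProcessMemory", "CreateRemoteThread",
               "RegSetValueExA", "CreateFileW"}),
    ("virus", {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
               "CreateFileW", "ReadFile"}),
    ("virus", {"SetWindowsHookExA", "RegSetValueExA", "WriteProcessMemory",
               "GetTickCount"}),
    ("clean", {"CreateFileW", "ReadFile", "WriteFile", "CloseHandle", "MessageBoxA"}),
    ("clean", {"CreateFileW", "RegSetValueExA", "GetTickCount", "MessageBoxA"}),
    ("clean", {"CreateFileW", "ReadFile", "CloseHandle", "GetTickCount"}),
]


def api_usage_rates(samples: List[Tuple[str, Set[str]]]) -> Dict[str, Tuple[float, float]]:
    """Map each API to (fraction of virus samples calling it, fraction of clean samples calling it)."""
    virus_n = sum(1 for label, _ in samples if label == "virus")
    clean_n = len(samples) - virus_n
    if virus_n == 0 or clean_n == 0:
        raise ValueError("need at least one virus sample and one clean sample")
    virus_counts: Counter = Counter()
    clean_counts: Counter = Counter()
    for label, apis in samples:
        (virus_counts if label == "virus" else clean_counts).update(apis)
    all_apis = set(virus_counts) | set(clean_counts)
    return {api: (virus_counts[api] / virus_n, clean_counts[api] / clean_n) for api in all_apis}


def derive_preset_api_set(samples: List[Tuple[str, Set[str]]],
                          min_virus_rate: float = 0.5,
                          max_clean_rate: float = 0.0) -> Set[str]:
    """Select the "specific system APIs": common among virus samples, rare among clean ones.

    Both thresholds are constructed tuning knobs; raising max_clean_rate admits APIs
    that some clean programs also use, at the cost of more false positives later."""
    rates = api_usage_rates(samples)
    return {api for api, (v_rate, c_rate) in rates.items()
            if v_rate >= min_virus_rate and c_rate <= max_clean_rate}


if __name__ == "__main__":
    for api, (v_rate, c_rate) in sorted(api_usage_rates(SAMPLES).items()):
        print(f"{api:20s} virus={v_rate:.2f} clean={c_rate:.2f}")
    print("preset API set:", sorted(derive_preset_api_set(SAMPLES)))
    print("with max_clean_rate=0.34:", sorted(derive_preset_api_set(SAMPLES, max_clean_rate=0.34)))
```

With the constructed samples the strict setting keeps only the two APIs every clean sample avoids; loosening `max_clean_rate` to 0.34 also admits the registry-write API, which one clean sample uses, so the choice of threshold directly trades detection against false alarms in step S12.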
Counting the APIs called by programs known to be viruses, or by the tested program in step S11, can be done in a constructed simulated environment so as to avoid damage to the computer system. The anti-virus virtual machine used in many current antivirus products can be used: it simulates certain operating-system features and allows a program to run inside it, so that its API calls can be monitored and counted.
Specifically, a system API table may first be constructed, each entry of which contains the weight corresponding to one operating system API, where the weight corresponding to an operating system API that belongs to the above preset API set is 1 and the weight is 0 otherwise. Then the weights corresponding to the operating system APIs called by the tested program are accumulated over the system API table, and the accumulated value is taken as the number in step S11.
The way virus programs call system APIs may also have a further feature: two APIs are called cooperatively. That is, for some API, a non-virus program calls it on its own, whereas a virus program calls it before or after calling another specific API. The counting in step S11 may therefore take this feature into account.
Specifically, in addition to constructing the system API table and accumulating over it the weights corresponding to the operating system APIs called by the tested program, the weight corresponding to an operating system API that is called together with an operating system API in a predetermined subset of the preset API set is also counted as 1, and the accumulated value is taken as the number in step S11. Here the operating system APIs in the predetermined subset are the specific APIs mentioned above; exactly which APIs they are can be determined empirically.
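The steps above, as an added worked example that is not part of the patent or any implementation of it: a system API table with 0/1 weights is built, the weights of the calls in a recorded trace are accumulated (claim 1), and a second variant also counts an otherwise zero-weight API as 1 when it is called immediately before or after an API of the predetermined subset (claim 2). The API names, call traces, preset set, predetermined subset and threshold are constructed; the patent names none of them. The code accumulates one weight per call in the trace, which is one reading of the patent's "accumulate the weights of the APIs called"; counting distinct APIs instead would be a one-line change.

```python
"""Added example, not the patent's code: the system API table of steps S11/S12,
the claim 1 accumulation, and the claim 2 co-occurrence rule.

The API names, call traces, preset set, predetermined subset and threshold are
constructed for illustration; the patent names none of them. Weights are
accumulated once per call in the trace (an interpretation of the patent text).
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed preset API set (the patent's "specific system APIs").
PRESET_API_SET: Set[str] = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                            "SetWindowsHookExA", "RegSetValueExA"}
# Constructed predetermined subset: APIs whose neighbouring calls are also counted (claim 2).
PREDETERMINED_SUBSET: Set[str] = {"WriteProcessMemory", "CreateRemoteThread"}
PRESET_VALUE = 3  # constructed threshold for step S12

# Every API the table knows about; anything absent from the table is treated as weight 0.
KNOWN_APIS: List[str] = sorted(PRESET_API_SET | {
    "OpenProcess", "CreateFileW", "ReadFile", "CloseHandle", "MessageBoxA",
    "GetTickCount", "ExitProcess"})


def build_system_api_table(apis: Iterable[str], preset: Set[str]) -> Dict[str, int]:
    """One entry per operating system API: weight 1 if it belongs to the preset set, else 0."""
    return {api: (1 if api in preset else 0) for api in apis}


TABLE: Dict[str, int] = build_system_api_table(KNOWN_APIS, PRESET_API_SET)


def count_preset_apis(trace: List[str], table: Dict[str, int]) -> int:
    """Claim 1: accumulate the table weights of the APIs the tested program called."""
    return sum(table.get(api, 0) for api in trace)


def count_with_cooccurrence(trace: List[str], table: Dict[str, int],
                            subset: Set[str], window: int = 1) -> int:
    """Claim 2: as claim 1, but an API with weight 0 is counted as 1 when it is called
    together with (within `window` calls before or after) an API of the predetermined subset."""
    total = 0
    for i, api in enumerate(trace):
        weight = table.get(api, 0)
        if weight == 0:
            neighbours = trace[max(0, i - window):i] + trace[i + 1:i + 1 + window]
            if any(n in subset for n in neighbours):
                weight = 1
        total += weight
    return total


def check_program(trace: List[str], table: Dict[str, int], preset_value: int,
                  subset: Optional[Set[str]] = None) -> Tuple[int, bool]:
    """Steps S11 and S12: return (count, flagged); flagged means the count exceeds the preset value."""
    count = count_with_cooccurrence(trace, table, subset) if subset else count_preset_apis(trace, table)
    return count, count > preset_value


# Constructed call traces, in the order an anti-virus virtual machine might record them.
CLEAN_TRACE = ["CreateFileW", "ReadFile", "CloseHandle", "MessageBoxA", "GetTickCount"]
SUSPICIOUS_TRACE = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                    "CreateRemoteThread", "RegSetValueExA", "ExitProcess"]
BORDERLINE_TRACE = ["OpenProcess", "WriteProcessMemory", "CreateRemoteThread",
                    "CloseHandle", "GetTickCount"]

if __name__ == "__main__":
    for name, trace in [("clean", CLEAN_TRACE), ("suspicious", SUSPICIOUS_TRACE),
                        ("borderline", BORDERLINE_TRACE)]:
        plain = check_program(trace, TABLE, PRESET_VALUE)
        combined = check_program(trace, TABLE, PRESET_VALUE, PREDETERMINED_SUBSET)
        print(f"{name:10s} claim1={plain} claim2={combined}")
        if combined[1]:
            print("  prompt: the tested program contains a computer virus")
```

The borderline trace shows why the second variant exists: on its own it accumulates only 2 and stays under the threshold, but because the process-open and handle-close calls sit next to subset APIs they are each counted as 1 under the co-occurrence rule, the total becomes 4 and the program is flagged. The same mechanism is also where false positives enter, since any benign call that happens to neighbour a subset API is counted, so the subset and the threshold need to be chosen together.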
The apparatus for checking for computer viruses of this embodiment is explained below. Fig. 2 is a schematic diagram of the basic structure of the apparatus for checking for computer viruses according to an embodiment of the present invention.
As shown in Fig. 2, the apparatus 20 for checking for computer viruses in the embodiment of the present invention is used to determine whether a tested program contains a computer virus and mainly includes the following modules: a statistics module 21 for counting, among the multiple operating system application programming interfaces (APIs) called by the tested program, the number of operating system APIs that belong to a preset API set; and a judgment output module 22 for making a judgment according to that number and, if the number exceeds a preset value, outputting a prompt message indicating that the tested program contains a computer virus.
The statistics module 21 may further be used to: construct a system API table, each entry of which contains the weight corresponding to one operating system API, where the weight corresponding to an operating system API that belongs to the preset API set is 1 and the weight is 0 otherwise; and accumulate, over the system API table, the weights corresponding to the operating system APIs called by the tested program, taking the accumulated value as the number.
The statistics module 21 may further be used to: construct a system API table, each entry of which contains the weight corresponding to one operating system API, where the weight corresponding to an operating system API that belongs to the preset API set is 1 and the weight is 0 otherwise; accumulate, over the system API table, the weights corresponding to the operating system APIs called by the tested program, and in addition count as 1 the weight corresponding to an operating system API that is called together with an operating system API in a predetermined subset of the preset API set; and take the accumulated value as the number.
This embodiment provides a method for checking for computer viruses according to how operating system APIs are called. This method does not involve the large amount of computation required for signature matching, so its processing efficiency is higher. Moreover, because a virus cannot avoid calling operating system APIs if it is to run normally, the various means by which computer viruses evade inspection fail against the method of this embodiment; using the method of this embodiment therefore also helps to check for computer viruses effectively.
Obviously, those skilled in the art should understand that each of the above modules or steps of the present invention may be implemented with general-purpose computing devices; they may be concentrated on a single computing device or distributed over a network formed by multiple computing devices; optionally, they may be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; or they may each be fabricated as an individual integrated circuit module, or several of the modules or steps among them may be fabricated as a single integrated circuit module. The present invention is thus not restricted to any specific combination of hardware and software.
The foregoing is only the preferred embodiment of the present invention and is not intended to limit the invention; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention should be included within the scope of protection of the present invention.

Claims (4)

1. A method for checking for computer viruses, for determining whether a tested program contains a computer virus, characterized in that the method includes:
among the multiple operating system application programming interfaces (APIs) called by the tested program, counting the number of operating system APIs that belong to a preset API set, specifically: constructing a system API table, each entry of which contains the weight corresponding to one operating system API, where the weight corresponding to an operating system API that belongs to the preset API set is 1 and the weight is 0 otherwise; and accumulating, over the system API table, the weights corresponding to the operating system APIs called by the tested program, taking the accumulated value as the number;
when the number exceeds a preset value, outputting a prompt message indicating that the tested program contains a computer virus.
2. The method according to claim 1, characterized in that counting, among the multiple operating system application programming interfaces (APIs) called by the tested program, the number of operating system APIs that belong to the preset API set may also be:
constructing a system API table, each entry of which contains the weight corresponding to one operating system API, where the weight corresponding to an operating system API that belongs to the preset API set is 1 and the weight is 0 otherwise;
accumulating, over the system API table, the weights corresponding to the operating system APIs called by the tested program, and in addition counting as 1 the weight corresponding to an operating system API that is called together with an operating system API in a predetermined subset of the preset API set, taking the accumulated value as the number.
3. An apparatus for checking for computer viruses, for determining whether a tested program contains a computer virus, characterized in that the apparatus includes:
a statistics module for counting, among the multiple operating system application programming interfaces (APIs) called by the tested program, the number of operating system APIs that belong to a preset API set, specifically: constructing a system API table, each entry of which contains the weight corresponding to one operating system API, where the weight corresponding to an operating system API that belongs to the preset API set is 1 and the weight is 0 otherwise; and accumulating, over the system API table, the weights corresponding to the operating system APIs called by the tested program, taking the accumulated value as the number;
a judgment output module for making a judgment according to the number and, if the number exceeds a preset value, outputting a prompt message indicating that the tested program contains a computer virus.
4. The apparatus according to claim 3, characterized in that counting, among the multiple operating system application programming interfaces (APIs) called by the tested program, the number of operating system APIs that belong to the preset API set may also be:
constructing a system API table, each entry of which contains the weight corresponding to one operating system API, where the weight corresponding to an operating system API that belongs to the preset API set is 1 and the weight is 0 otherwise;
accumulating, over the system API table, the weights corresponding to the operating system APIs called by the tested program, and in addition counting as 1 the weight corresponding to an operating system API that is called together with an operating system API in a predetermined subset of the preset API set, taking the accumulated value as the number.
Application CN201110388584.0A, priority date 2011-11-29, filing date 2011-11-29, title "A kind of method and apparatus for checking computer virus", status Active, granted as CN103136475B (en). Family ID: 48496292. Country status: CN, CN103136475B (en).

Publications (2)

Publication Number Publication Date
CN103136475A (en) 2013-06-05
CN103136475B (en) 2017-07-04

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104252594B (en) * 2013-06-27 2019-04-02 贝壳网际(北京)安全技术有限公司 virus detection method and device
CN106803040B (en) * 2017-01-18 2021-08-10 腾讯科技(深圳)有限公司 Virus characteristic code processing method and device
CN107315957A (en) * 2017-06-22 2017-11-03 宇龙计算机通信科技(深圳)有限公司 The control method and device of camera

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1801030A (en) * 2004-12-31 2006-07-12 福建东方微点信息安全有限责任公司 Method for distinguishing baleful program behavior
CN1818823A (en) * 2005-02-07 2006-08-16 福建东方微点信息安全有限责任公司 Computer protecting method based on programm behaviour analysis
CN101013461A (en) * 2007-02-14 2007-08-08 白杰 Method of computer protection based on program behavior analysis
CN102034050A (en) * 2011-01-25 2011-04-27 四川大学 Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2010009296A (en) * 2008-06-26 2010-01-14 Fujitsu Ltd Software operation monitoring device and method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant