CN103500309B

CN103500309B - A kind of method and device for detecting and killing macro virus

Info

Publication number: CN103500309B
Application number: CN201310446768.7A
Authority: CN
Inventors: 杨康
Original assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Current assignee: Beijing Qihoo Technology Co Ltd
Priority date: 2013-09-26
Filing date: 2013-09-26
Publication date: 2016-09-28
Anticipated expiration: 2033-09-26
Also published as: CN103500309A

Abstract

The invention discloses a kind of method and device for detecting and killing macro virus, method therein specifically includes: the file structure of killing document treated by safety equipment by calculating the processor parsing of equipment；Described file structure includes the bibliographic structure that the data stream of document is corresponding；Treat killing document extracts macrodoce according to resolving the file structure obtained from described；The macrodoce that processor extracts is mated with the behavior code in behavior code storehouse；Wherein, described behavior code is for representing the macrodoce realized needed for fixing macrovirus behavior；Described in matching result differentiation, treat whether killing document infects macrovirus；Treat that killing document carries out repair process according to resolving the file structure obtained to infecting macrovirus.The present invention can improve the power of test of unknown macrovirus, possesses preferable anti-virus effect, and can treat to extract killing document macrodoce from various all sidedly, and treats that killing document carries out repair process to infecting the various of macrovirus.

Description

A kind of method and device for detecting and killing macro virus

Technical field

The present invention relates to technical field of data security, be specifically related to method and the dress of a kind of macrovirus killing Put.

Background technology

Along with the universal of computer and the development of mobile Internet, networked information era has been arrived.Sick Poison as a kind of form of information, have breeding, infect, the characteristic such as destruction, threaten the letter of user Breath safety.Computer document, i.e. WORD, the literary composition that copy editor's software such as EXCEL, PPT produces Part, is widely used by people, and macrovirus destroys the new of computer document information security as being exclusively used in Type virus, gradually comes into the sight line of people.

Owing to macrovirus is hidden in data file, and its script grammer used is flexible and changeable, completes one Individual function has a variety of literary style, therefore identifies whether a file has macrovirus extremely difficult.

The anti-viral method that existing anti-viral software is used nearly all is to rely on virus signature. The most all there is the features such as respective identity due to computer virus, when a kind of computer virus occurs After, first finding the feature that this virus has, the virus characterized this feature according to this feature is carried out Search and process；I.e. prior art has certain killing ability for known macrovirus.

But, owing to macrovirus infects, shows effect formerly, anti-poison is rear；And macrolanguage is a kind of foot This, be modified slightly mutating, it might even be possible to revise self in communication process, often propagate once Just change is once；Therefore prior art is difficult to catch up with the speed of macrovirus change, basic to unknown macrovirus Ability without killing, anti-virus effect is poor.

Summary of the invention

In view of the above problems, it is proposed that the present invention is to provide one to overcome the problems referred to above or at least portion Ground is divided to solve a kind of method and device for detecting and killing macro virus of the problems referred to above.

According to one aspect of the present invention, it is provided that a kind of method of macrovirus killing, including:

The file structure of killing document treated by safety equipment by calculating the processor parsing of equipment；Described literary composition Mark structure includes the bibliographic structure that the data stream of document is corresponding；

Treat killing document extracts macrodoce according to resolving the file structure obtained from described；

The macrodoce that processor extracts is mated with the behavior code in behavior code storehouse；Wherein, Described behavior code is for representing the macrodoce realized needed for fixing macrovirus behavior；

Described in matching result differentiation, treat whether killing document infects macrovirus；

Treat that killing document carries out repair process according to resolving the file structure obtained to infecting macrovirus.

Wherein, described when killing document is compound document, WORD document or EXCEL document, The step of the file structure of killing document is treated in described parsing, including: resolve and obtain the tree treating killing document Shape bibliographic structure；

The most described according to resolving the file structure obtained from the described step treating to extract macrodoce killing document Suddenly, including:

Travel through each directory entry in described tree directory structure；

The title of the title of each directory entry with specific macrodirectory is mated；

For the directory entry that the match is successful, read the flow data of its subdirectory item, and therefrom decompress out Corresponding macrodoce；

To infecting macrovirus, the described file structure obtained according to parsing treats that killing document carries out repair place The step of reason, including:

That revises described infection macrovirus treats the successful directory entry of macrovirus Corresponding matching in killing document Title；

For the described directory entry that the match is successful, its macrodoce is removed；

For the described directory entry that the match is successful, it is deleted or renames.

Wherein, described when killing document is EXCEL document, described according to resolving the document obtained To infecting macrovirus, structure treats that killing document carries out the step of repair process, also include:

When described EXCEL document infects macrovirus, revise the flow data of its workbook directory entry In description field, not affect normally opening of described EXCEL document..

Alternatively, treat described in that killing document is PPT document；

The step of the file structure of killing document is treated in the most described parsing, including:

Resolve the bibliographic structure obtaining PPT document；The bibliographic structure of described PPT document includes POWERPOINT DOCUMENT directory entry；

Resolve the flow data under described POWERPOINT DOCUMENT directory entry, and analytically tie Composite object structure is searched in Guo；

The data deposited in described composite object structure are decompressed, is decompressed number accordingly According to；The document that after described decompression, data are corresponding include such as Documents in one or more: PPT literary composition Shelves and the embedded document of PPT, the embedded document of described PPT include compound document, WORD document and One or more in EXCEL document；

The document that data are corresponding after described decompression, as treating killing document, resolves and obtains corresponding mesh Directory structures；

Described according to resolving the file structure obtained from the described step treating to extract macrodoce killing document Suddenly, including:

Each directory entry in the bibliographic structure of killing document is treated described in traversal；

When the document that data are corresponding after described decompression includes PPT embedded document, obtain according to resolving The file structure of the embedded document of PPT carries out repair process to the embedded document of PPT infecting macrovirus, will PPT embedded document compression after repair process, and be filled in corresponding composite object structure；And/or

When the document that data are corresponding after described decompression includes PPT document, reduce composite object structure In length field, and add a new construction, wherein, corresponding to the new construction of described reduction and interpolation Length corresponding to the macrodoce of PPT document of a length of infection macrovirus.

Alternatively, treat described in that killing document is OFFICE07 document；

Decompress the data that OFFICE07 document is corresponding, data after being decompressed accordingly；Described solution After compression, data include embedded catalogue；

Using the document under described embedded catalogue as treating killing document, resolve and obtain corresponding directory tree Structure；

Travel through each directory entry in described tree directory structure；

Repair the document under the described embedded catalogue infecting macrovirus, and the literary composition under described embedded catalogue Other data in data after described embedded document and described decompression are compressed after repairing successfully by shelves OFFICE07 document after reparation.

Alternatively, after described decompression, data also include the grand document of OFFICE07 and content field labelling literary composition Shelves；

The step of the file structure of killing document is treated in the most described parsing, also includes: with described OFFICE07 Grand document, as treating killing document, resolves and obtains corresponding tree directory structure；

To infecting macrovirus, the most described file structure obtained according to parsing treats that killing document is repaired The step processed, also includes:

When the grand document of described OFFICE07 infects macrovirus, delete the grand document of described OFFICE07, Resolve the content obtaining described content field marking document, and will described content field marking document draw Delete with the corresponding contents of the grand document of described OFFICE07.

Alternatively, the title of described specific macrodirectory includes: VBA_PROJECT_CUR and/or Macros。

Alternatively, described behavior code storehouse is constructed as follows:

Collect the behavior code realized needed for fixing macrovirus behavior；

Described behavior code is preserved to behavior code storehouse；

Wherein, the step of the described behavior code collected needed for the macrovirus behavior realizing fixing, enter one Step includes:

Collect the macrovirus sample of various computer document；

Resolve the file structure of described macrovirus sample；Described file structure specifically can include document The bibliographic structure that data stream is corresponding；

From described macrovirus sample, macrodoce is extracted according to resolving the file structure obtained；

According to the grammer of macrodoce, the semanteme of the macrodoce of described macrovirus sample is analyzed, from Middle extraction realizes the behavior code needed for the macrovirus behavior fixed accordingly.

According to a further aspect in the invention, it is provided that the device of a kind of macrovirus killing, this device application In safety equipment, including:

Parsing module, for treating the file structure of killing document by calculating the processor parsing of equipment； Described file structure includes the bibliographic structure that the data stream of document is corresponding；

Extraction module, for according to resolve the file structure that obtains from described treat killing document extracts grand Code；

Matching module, for entering the macrodoce that processor extracts with the behavior code in behavior code storehouse Row coupling；Wherein, described behavior code is for representing the grand generation realized needed for fixing macrovirus behavior Code；

Discrimination module, treats whether killing document infects macrovirus described in differentiating according to matching result； And

Repair process module, treats killing for the file structure obtained according to parsing to infecting macrovirus Document carries out repair process.

Wherein, described when killing document is compound document, WORD document or EXCEL document, Described parsing module includes: obtain treating that the first of the tree directory structure of killing document resolves for resolving Submodule；

The most described extraction module includes:

First traversal submodule, for traveling through each directory entry in described tree directory structure；

First matched sub-block, for entering the title of each directory entry with the title of specific macrodirectory Row coupling；

First reads decompression module, for for the directory entry that the match is successful, reads its subdirectory The flow data of item, and therefrom decompress out the macrodoce of correspondence；

Described repair process module includes:

First amendment submodule, treats macrovirus pair in killing document for revise described infection macrovirus Answer the title of the directory entry that the match is successful；

Its macrodoce, for the described directory entry that the match is successful, is removed by filling submodule；And

Second amendment submodule, for for the described directory entry that the match is successful, is deleted or renames；

Wherein, described when killing document is EXCEL document, repair process module also includes:

3rd amendment submodule, for when described EXCEL document infects macrovirus, revising it Description field in the flow data of workbook directory entry, not affect the normal of described EXCEL document Open.

Alternatively, treat described in that killing document is PPT document；

The most described parsing module includes:

Second analyzing sub-module, for resolving the bibliographic structure obtaining PPT document；Described PPT document Bibliographic structure include POWERPOINT DOCUMENT directory entry；

3rd analyzing sub-module, is used for resolving under described POWERPOINT DOCUMENT directory entry Flow data, and result is analytically searched composite object structure；

Decompression module, for the data deposited in described composite object structure are decompressed, Decompressed data accordingly；The document that after described decompression, data are corresponding includes as in Documents One or more: PPT document and the embedded document of PPT, the embedded document of described PPT includes compound literary composition One or more in shelves, WORD document and EXCEL document；

4th analyzing sub-module, for the document corresponding using data after described decompression as treating killing literary composition Shelves, resolve and obtain corresponding bibliographic structure；

Described extraction module includes:

Second traversal submodule, each mesh in the bibliographic structure treating killing document described in traveling through Record item；

Second matched sub-block, for entering the title of each directory entry with the title of specific macrodirectory Row coupling；

Second reads decompression module, for for the directory entry that the match is successful, reads its subdirectory The flow data of item, and therefrom decompress out the macrodoce of correspondence；

Described repair process module includes:

First repairs submodule, includes that PPT is embedded for the document that data are corresponding after described decompression During document, embedded to the PPT infecting macrovirus according to resolving the file structure obtaining the embedded document of PPT Document carries out repair process, is compressed by embedded for PPT after repair process document, and is filled into corresponding multiple Close in object structure；And/or

Second repairs submodule, includes PPT document for the document that data are corresponding after described decompression Time, reduce the length field in composite object structure, and add a new construction；Wherein, described reduction The length corresponding with the macrodoce of the PPT document of a length of infection macrovirus corresponding to the new construction added Degree.

Alternatively, treat described in that killing document is OFFICE07 document；

The most described parsing module includes:

Decompression module, for decompressing the data that OFFICE07 document is corresponding, is solved accordingly Data after compression；After described decompression, data include embedded catalogue；

4th analyzing sub-module, for using the document under described embedded catalogue as treating killing document, solves Analysis obtains corresponding tree directory structure；

The most described extraction module includes:

3rd traversal submodule, each mesh in the bibliographic structure treating killing document described in traveling through Record item；

3rd matched sub-block, for entering the title of each directory entry with the title of specific macrodirectory Row coupling；

Third reading takes decompression module, for for the directory entry that the match is successful, reads its subdirectory The flow data of item, and therefrom decompress out the macrodoce of correspondence；

Described repair process module includes:

Repair compression submodule, for repairing the document under the described embedded catalogue infecting macrovirus, and Document under described embedded catalogue repair successfully after by data after described embedded document and described decompression In other data be compressed the OFFICE07 document after being repaired.

The most described parsing module also includes: for using the grand document of described OFFICE07 as treating killing literary composition Shelves, resolve the 5th analyzing sub-module obtaining corresponding tree directory structure

The most described repair process module also includes:

Delete submodule, infect macrovirus for the grand document of OFFICE07 under described embedded catalogue Time, delete the grand document of described OFFICE07, resolve the content obtaining described content field marking document, And the corresponding contents quoting the grand document of described OFFICE07 in described content field marking document is deleted.

Alternatively, described device also includes: for constructing the constructing module in described behavior code storehouse；

Described constructing module includes:

Collect submodule, for collecting the behavior code realized needed for fixing macrovirus behavior；

Preserve submodule, for preserving described behavior code to behavior code storehouse；

Wherein, described collection submodule farther includes:

Sample collection unit, for collecting the macrovirus sample of various computer document；

Sample resolution unit, for resolving the file structure of described macrovirus sample；Described file structure Specifically can include the bibliographic structure that the data stream of document is corresponding；

Sample extraction unit, carries from described macrovirus sample for the file structure obtained according to parsing Take macrodoce；And

Analyze extraction unit, for the grammer according to macrodoce, the macrodoce to described macrovirus sample Semanteme be analyzed, therefrom extract the corresponding behavior code realized needed for fixing macrovirus behavior.

A kind of method and device for detecting and killing macro virus according to the present invention achieves following beneficial effect:

The embodiment of the present invention is based on " realizing the behavior code needed for fixing macrovirus behavior is to be relatively fixed " this rule carries out the killing of macrovirus；Specifically, macrovirus is being carried out for computer document During killing, the macrodoce of extraction is mated with the behavior code in behavior code storehouse, foundation Join and treat whether killing document infects macrovirus described in result differentiation；Due to the most known macrovirus or not Know that macrovirus all can follow above-mentioned rule, namely the speed no matter how macrovirus changes and change is such as What, this rule is all constant, therefore unknown macrovirus can be possessed certain by the embodiment of the present invention Power of test, therefore, it is possible to improve the power of test of unknown macrovirus, and possesses preferable anti-virus effect Really；

Meanwhile, the embodiment of the present invention resolves the file structure treating killing document, according to resolving the literary composition obtained Mark structure treats to extract killing document macrodoce from described, and, according to resolving the file structure that obtains Treating that killing document carries out repair process to infecting macrovirus, described file structure specifically can include literary composition The bibliographic structure corresponding to data stream of shelves；Owing to the bibliographic structure that the data stream of document is corresponding is computer The generic features of document, therefore the technical scheme of the embodiment of the present invention can be applicable to all computer documents Killing, that is, the embodiment of the present invention can be extracted grand generation killing document from various treating all sidedly Code, and treat that killing document carries out repair process to infecting the various of macrovirus.

Described above is only the general introduction of technical solution of the present invention, in order to better understand the present invention's Technological means, and can being practiced according to the content of description, and in order to allow the above-mentioned of the present invention and Other objects, features and advantages can become apparent, below especially exemplified by the specific embodiment party of the present invention Formula.

Accompanying drawing explanation

By reading the detailed description of hereafter preferred implementation, various other advantage and benefit for Those of ordinary skill in the art will be clear from understanding.Accompanying drawing is only used for illustrating the mesh of preferred implementation , and it is not considered as limitation of the present invention.And in whole accompanying drawing, with identical reference symbol Number represent identical parts.In the accompanying drawings:

Fig. 1 shows the flow chart of the method for macrovirus killing according to an embodiment of the invention；

Fig. 2 shows the file structure schematic diagram of compound document according to an embodiment of the invention；

Fig. 3 shows the flow chart of the method for macrovirus killing according to an embodiment of the invention；

Fig. 4 shows the flow chart of the method for macrovirus killing according to an embodiment of the invention；

Fig. 5 shows the flow chart of the method for macrovirus killing according to an embodiment of the invention；And

Fig. 6 shows the structure chart of the device of macrovirus killing according to an embodiment of the invention.

Detailed description of the invention

It is more fully described the exemplary embodiment of the disclosure below with reference to accompanying drawings.Although it is aobvious in accompanying drawing Show the exemplary embodiment of the disclosure, it being understood, however, that may be realized in various forms the disclosure And should not limited by embodiments set forth here.On the contrary, it is provided that these embodiments are able to more Thoroughly understand the disclosure, and can be by the technology conveying to this area complete for the scope of the present disclosure Personnel.

The embodiment of the present invention is based on " realizing the behavior code needed for fixing macrovirus behavior is to be relatively fixed " this rule carries out the killing of macrovirus；Specifically, due to the macrovirus master using macrolanguage to write In the macrodoce of computer document to be acted on, therefore above-mentioned behavior code can be used for representing what realization was fixed Macrodoce needed for macrovirus behavior, so, in the killing carrying out macrovirus for computer document Cheng Zhong, mates the macrodoce of extraction with the behavior code in behavior code storehouse, according to matching result Treat described in differentiation whether killing document infects macrovirus；Due to the most known macrovirus or unknown grand disease Poison all can follow above-mentioned rule, namely the speed no matter how macrovirus changes and change is how, therefore this Inventive embodiments can possess certain power of test to unknown macrovirus, therefore, it is possible to improve unknown grand The power of test of virus, and possess preferable anti-virus effect.

With reference to Fig. 1, it is shown that the flow process of the method for macrovirus killing according to an embodiment of the invention Figure, specifically may include that

By calculating the processor parsing of equipment, step 101, safety equipment treat that the document of killing document is tied Structure；Described file structure specifically can include the bibliographic structure that the data stream of document is corresponding；

Step 102, foundation resolve the file structure obtained and treat to extract killing document macrodoce from described；

In being embodied as, the type of computer document is more, specifically can include WORD, The document of the types such as EXCEL, PPT, compound document, wherein, each type of document includes again 03, the version such as 07, is embedded with again other type of document in a type of document；Therefore, how All sidedly from treating that killing document, extraction macrodoce is a difficult problem of this area.

The embodiment of the present invention resolves the file structure treating killing document, according to resolving the file structure obtained Treat killing document extracts macrodoce from described；Described file structure specifically can include the data of document The bibliographic structure that stream is corresponding.

As a example by compound document, compound document specifically can include some data stream, and these data streams are again It is stored in different warehouses；Data stream is similar to file system with the naming rule in warehouse, same Can not bear the same name in data stream and warehouse under warehouse, can have stream of the same name under different warehouses；Each compound Document has a root warehouse；And catalogue is a kind of internal control stream, by a series of directory entry groups Becoming, each directory entry all points to a warehouse or the data stream of compound document.

With reference to Fig. 2, it is shown that the file structure schematic diagram of the compound document of one embodiment of the invention, its In, the direct member (warehouse or data stream) in each warehouse is placed on an independent directory tree by catalogue In structure.

In Fig. 2, in tree directory structure, each node (root node and leaf node) all has the title of correspondence, Therefore in the case of known to the title of specific macrodirectory, by each directory entry in tree directory structure Title carry out mating of character string with the title of specific macrodirectory, can obtain in compound document is grand Catalogue；And for the directory entry that the match is successful, read the flow data of subdirectory item, and therefrom decompress Go out the macrodoce of correspondence.

For the documents such as WORD document, EXCEL document, due to its file structure and compound literary composition The file structure of shelves is similar to, therefore can carry out the extraction of macrodoce based on same principle.For PPT literary composition For the computer document in addition to WORD document, EXCEL document and compound document such as shelves, permissible The extraction of macrodoce is carried out based on its document mechanism.

In a word, due to the generic features that bibliographic structure is computer document that the data stream of document is corresponding, Therefore the embodiment of the present invention is according to resolving the file structure obtained from treating to extract killing document macrodoce, energy Enough it is applicable to all computer documents of all kinds, various version, that is, embodiment of the present invention energy Enough all sidedly from treating killing document extracts macrodoce.

Behavior code in step 103, macrodoce and the behavior code storehouse extracted by processor is carried out Join；Wherein, described behavior code is for representing the macrodoce realized needed for fixing macrovirus behavior；

In the embodiment of the present invention, behavior code storehouse is exactly for storing the macrovirus behavior institute realizing fixing One container of the behavior code needed, it can use various data structure to realize.As behavior code storehouse Behavior code needed for the macrovirus behavior that storage content, behavior code namely realization are fixing, for simplicity For the sake of, row below is that code all can represent the behavior code realized needed for fixing macrovirus behavior.

In actual applications, described behavior code storehouse can be constructed as follows: collect and realize admittedly The fixed behavior code needed for macrovirus behavior；Described behavior code is preserved to behavior code storehouse.And And, if constantly collecting behavior code, and preserving to behavior code storehouse, i.e. can be constantly updated Behavior code storehouse.

In a kind of preferred embodiment of the embodiment of the present invention, described collection realizes fixing macrovirus row For the step of required behavior code, may further include:

Sub-step A1, collect the macrovirus sample of various computer document；

In the embodiment of the present invention, the macrovirus sample of various computer documents should meet following condition: 1, Containing macrodoce；2, it is confirmed to be macrovirus.In actual applications, above-mentioned performance can constantly be collected The macrovirus sample of form.

Generally by host's (namely computer document) at macrovirus place, macrovirus sample can be divided For (the only VBA script) that be deposited with in WORD and be deposited with in EXCEL (the most again Including VBA script, with the Macro4.0 type existed in worksheet) macrovirus sample etc. plants Class, namely the collection of macrovirus sample can be carried out according to classification；The kind of certain above-mentioned macrovirus sample Class is not intended as the application of the application and limits.

In actual applications, that anti-viral software is scanned, determine infect macrovirus document, Can be directly as macrovirus sample.

In a kind of example of the embodiment of the present invention, it is also possible to collect grand disease by the way of user feedback Poison sample.Such as, user can suspect and infects the literary composition that macrovirus but anti-viral software can not scan Shelves, and upload onto the server, the approach uploaded here can be the client of anti-viral software, clothes Business device can refer to the server of anti-viral software；So, server can collect all or part of client The macrovirus sample that end is uploaded, and it is analyzed.Certainly, user can also pass through other approach Feedback macrovirus sample, such as, Web end upload interface etc., the embodiment of the present invention is to concrete Approach of uploading is not any limitation as.

Sub-step A2, resolve the file structure of described macrovirus sample；Described file structure is the most permissible Including the bibliographic structure that the data stream of document is corresponding；

Sub-step A3, foundation resolve the file structure obtained and extract grand generation from described macrovirus sample Code；

For according to resolve the file structure that obtains extract from macrovirus sample macrodoce process and Speech, owing to itself and above-mentioned foundation resolve the file structure obtained from treating to extract killing document macrodoce Process is similar to, therefore cross-referenced, and therefore not to repeat here.

Due to the generic features that bibliographic structure is computer document that the data stream of document is corresponding, therefore this Bright embodiment extracts macrodoce according to resolving the file structure obtained from macrovirus sample, it is possible to be suitable for In the macrovirus sample of all computer documents, that is, the embodiment of the present invention can collect institute all sidedly Computer document is had to realize the behavior code needed for fixing macrovirus behavior, to carry out various treating killing The killing of document.

Sub-step A4, the grammer of foundation macrodoce, enter the semanteme of the macrodoce of described macrovirus sample Row is analyzed, and therefrom extracts the corresponding behavior code realized needed for fixing macrovirus behavior.

It is intended to from the macrodoce of described macrovirus sample extract the corresponding macrovirus behavior institute realizing and fixing The behavior code needed, needs first to obtain specific macrovirus behavior, because code is just in software development It is the code realizing certain function, if obtaining concrete macrovirus behavior, then just can find For realizing the behavior code needed for specific this function of macrovirus behavior.

Embodiment of the present invention inventor is through grinding the macrovirus sample of a large amount of Microsoft Office Study carefully, obtain following specific macrovirus behavior:

1, the behavior of edit the registry, purpose: reduce safe class and the performed literary composition that maybe will discharge is set Part write starting up's item etc.；

2, dissemination, its utilize infect masterplate propagate, wherein, different Microsoft Office has different infection masterplates, and such as Windows7 system, under default situations

The infection template file of WORD be C: Users [user name] \AppData\Roaming\Microsoft\Templates\normal.dot

The infection template directory of EXCEL: C: Users [user name] AppData Roaming Microsoft Excel xlstart and Excel installation directory office11 xlstart

3, infection risk: user opens secure file, oneself replicates inside secure file. to user Mail contact sends the mail etc. including virus document

4, behavior during outbreak, including:

4.1, in certain time period pop-up；

4.2, repeat replication worksheet, affects software and normally uses

4.3, release executable file, specifically may include that establishment file, written document, execution file Etc..

It should be noted that above-mentioned specific macrovirus behavior is to study for Microsoft Office Arriving, it is intended only as a kind of example of the embodiment of the present invention, is not intended as the reality of the embodiment of the present invention Execute restriction.

In implementing, can be for the macrodoce of described macrovirus sample, according to its grammer to it Semanteme is analyzed, and therefrom extracts the corresponding behavior code realized needed for fixing macrovirus behavior. Such as, in a kind of application example of the embodiment of the present invention, described analysis process may include that traversal The macrodoce of described macrovirus sample, by function, Step Into or is analyzed by variable, sees that it is No the most then can be extracted for realizing specific this function of macrovirus behavior, and Carry out next function, statement or become quantitative analysis, otherwise carrying out dividing of next function, statement or variable Analysis.In a word, those skilled in the art can use various technology or strategy, it is judged that function, statement or Whether variable is used for realizing specific this function of macrovirus behavior, and concrete is sentenced by the embodiment of the present invention Disconnected mode is not any limitation as.

By analysis with extract after, the behavior code of the embodiment of the present invention specifically can include function Name, function variable name or function statement.

In a kind of preferred embodiment of the embodiment of the present invention, the behavior code of the embodiment of the present invention can be Character string forms.So, during the detection of file macrovirus, the macrodoce of killing document will be treated The process carrying out mating with the behavior code in behavior code storehouse relates to the process operation of character string.? In a kind of application example of the embodiment of the present invention, the macrodoce treating killing document can be read, obtain one Individual big character string, then searches given character string in the character string that this is big, wherein gives character String is exactly the behavior code of storage in described behavior code storehouse, if searching successfully, then it represents that mate into Merit, if searching unsuccessfully, then carries out the lookup of next given character string, until in described behavior code storehouse The given string searching of storage is complete.

It is appreciated that those skilled in the art can be according to the macrovirus sample constantly occurred, to realization The fixing behavior code needed for macrovirus behavior carries out increasing, deletes, amendment etc. updates operation.

Step 104, foundation matching result treat whether killing document infects macrovirus described in differentiating；

In a kind of preferred embodiment of the embodiment of the present invention, described by treat the macrodoce of killing document with Behavior code in behavior code storehouse carries out the step mated, and may further include:

Obtain mating into when the described existence behavior code that the match is successful in the macrodoce of killing document The matching result of merit, and, there is not, in the described macrodoce treating killing document, the row that the match is successful During for code, obtain the matching result that it fails to match；

The most described foundation matching result treats whether killing document infects the step of macrovirus described in differentiating, can To farther include:

Step B1, when described matching result is that it fails to match, it determines described in treat that killing document is uninfected by Macrovirus；

Step B2, when described matching result is that the match is successful, according to described in treat grand generation of killing document The behavior code that in Ma, the match is successful, it determines described in treat whether killing document infects macrovirus.

In the another kind of preferred embodiment of the embodiment of the present invention, described in described step B2 foundation, treat killing The behavior code that in the macrodoce of document, the match is successful, it determines described in treat whether killing document infects grand disease The step of poison, may further include:

Treat described in judgement whether the behavior code that in the macrodoce of killing document, the match is successful meets default Hazardous conditions, the most then treat described in differentiation that killing document infects macrovirus, otherwise, it determines described Treat that killing document is uninfected by macrovirus.

In the still another preferable embodiment of the embodiment of the present invention, described default hazardous conditions is concrete Can include in following condition is one or more:

Hazardous conditions C1, described in treat the danger of the behavior code that the match is successful in the macrodoce of killing document Danger coefficient exceedes default danger coefficient threshold value；

About the dangerous system how obtaining the behavior code treating that in the macrodoce of killing document, the match is successful Number, in practice, can preset corresponding dangerous system for each behavior code in described behavior code storehouse Number；Or, in order to alleviate the workload of setting, each behavior code in described behavior code storehouse can be entered Row classification, and preset corresponding danger coefficient for each classification.

It is appreciated that the classification foundation that those skilled in the art use can be diversified, in application A kind of preferred embodiment in, can be using the kind of virus behavior as classification foundation, such as, for The danger coefficient that the behavior correspondence classification of " edit the registry " is preset is 10, and " dissemination " is corresponding The danger coefficient of classification is 5, and the danger coefficient of " infection risk " corresponding classification is 8 etc..

With reference to upper example, owing to virus behavior is likely subdivided, therefore can be for the virus behavior being subdivided Preset corresponding danger coefficient, such as, in this big classification of infection risk, can be for " replicating Worksheet " behavior correspondence classification preset danger coefficient be 5, can be for the row of " execution file " The danger coefficient preset for corresponding classification is 10, etc..

Certainly, above-mentioned it is intended only as example；It practice, the virus behavior that those skilled in the art obtain It is various, and can be according to the degree of danger of various virus behaviors, respectively to corresponding class Not presetting different danger coefficients, concrete danger coefficient is not any limitation as by the embodiment of the present invention.

In actual applications, treat described in that the behavior code that in the macrodoce of killing document, the match is successful may More than one, at this point it is possible to the danger coefficient to multiple behavior codes be averaging, weight flat All, superposition etc. process, obtain comprehensive danger coefficient, then by comprehensive danger coefficient and the danger preset Danger coefficient threshold compares.

Those skilled in the art can manslaughter the index of rate according to macrovirus recall rate or macrovirus, presets Danger coefficient threshold value.Such as, if being intended to reach higher macrovirus recall rate, can preset less Danger coefficient threshold value；And for example, if being intended to reach relatively low macrovirus to manslaughter rate, can preset higher Danger coefficient threshold value etc..

Hazardous conditions C2, described in treat the danger of the behavior code that the match is successful in the macrodoce of killing document Danger grade exceedes default danger classes；

The danger coefficient of behavior code and danger classes are equally used for reflecting the degree of danger of behavior code, One of difference of the two is, danger coefficient more specifically numerical value describes, and danger classes can be with letter Just numerical value or word describe；Such as, the span of danger coefficient can be [0,20], and danger etc. Level span can be [1,5] or [1,3], or, the literal scope of danger classes be [rudimentary, Intermediate, senior] etc..

The danger etc. of the behavior code that the match is successful in the macrodoce of killing document is treated about how to obtain Level, in practice, can preset corresponding danger etc. for each behavior code in described behavior code storehouse Level；Or, in order to alleviate the workload of setting, each behavior code in described behavior code storehouse can be entered Row classification, and preset corresponding danger classes for each classification.

For hazardous conditions C2, the classification foundation used due to it and default danger classes with Hazardous conditions C1 is similar, therefore cross-referenced, and therefore not to repeat here.

Hazardous conditions C3, to treat that the behavior code that in the macrodoce of killing document, the match is successful occurs in that pre- If single behavior code, or, occur in that the combination of default behavior code.

As long as hazardous conditions C3 can specify that the behavior generation treating that in the macrodoce of killing document, the match is successful Code occurs in that default single behavior code, it is possible to treat described in differentiation that killing document infects macrovirus.

In practice, can be using function name corresponding for some macrovirus behavior as default single behavior Code.Such as, once treat that the behavior code that in the macrodoce of killing document, the match is successful occurs in that as follows In function name one, then can differentiate described in treat killing document infect macrovirus:

1=runblackice

2=infectdocument

3=infectnormal

4=Empirical

In implementing, it is also possible to according to the behavior code that macrovirus behavior is corresponding, preset behavior generation Code character is closed, if treating that the behavior code that in the macrodoce of killing document, the match is successful occurs in that default row For code combination, then can differentiate that it infects macrovirus.

In a kind of application example of the embodiment of the present invention, behavior code corresponding to macrovirus behavior can be used Arabic numerals numbering is as follows:

1=filesystemobject

2=wcripting.shell

3=createobject

4=Application.OnKey " %{F

5=normal.dot

6=book1.xls

7=startup.xls

8=normal.xlm

9=norma1.xlm

10=norma1.dot

11=Open

12=for

13=as

14=writefile

15=createfile

16=Private Declare Function

17=lib

18=infectnormal

19=<！！blackice>

20=(m1) _ (m2) _ (m3)

21=System.PrivateProfileString

22=HKEY_CURRENT_USER

23=shell

24=Shell

25=NormalTemplate.VBProject.VBComponents

26=Application.StartupPath

It is possible to according to the degree of danger of these behavior code correspondence macrovirus behaviors, preset as follows Behavior code combines, and numbers with Arabic numerals respectively:

1=3,2

2=3,1

3=21,22

4=16,17

5=25

6=11,12,13

Step 105, foundation resolve the file structure obtained and treat that killing document is repaiied to infecting macrovirus Multiple process.

In the embodiment of the present invention, described treat killing document be compound document, WORD document or During EXCEL document, with reference to Fig. 3, it is shown that macrovirus killing according to an embodiment of the invention The flow chart of method, specifically may include that

Step 301, parsing obtain treating the tree directory structure of killing document；

Step 302, each directory entry traveled through in described tree directory structure；

Step 303, the title of the title of each directory entry with specific macrodirectory is mated；

Step 304, for the directory entry that the match is successful, read the flow data of its subdirectory item, and therefrom Decompress out the macrodoce of correspondence；

Behavior code in step 305, macrodoce and the behavior code storehouse extracted by processor is carried out Join；Wherein, described behavior code is for representing the macrodoce realized needed for fixing macrovirus behavior；

Step 306, foundation matching result treat whether killing document infects macrovirus described in differentiating；

Step 307, revise described infection macrovirus treat that in killing document, macrovirus Corresponding matching is successful The title of directory entry；

Step 308, for the described directory entry that the match is successful, its macrodoce is removed；And

Step 309, for the described directory entry that the match is successful, be deleted or rename.

The present embodiment is applied to compound document, WORD document or EXCEL document and waits killing literary composition Shelves.For the documents such as compound document, WORD document or EXCEL document, its directory tree Structure includes specific macrodirectory, in the case of known to the title of specific macrodirectory, by tree-like mesh The title of each directory entry in directory structures carries out mating of character string with the title of specific macrodirectory, The macrodirectory in compound document can be obtained；And for the directory entry that the match is successful, read subdirectory item Flow data, can therefrom decompress out correspondence macrodoce.

Step 302-step 304 is that the file structure obtained according to parsing extracts killing document from described treating Macrodoce implement process；In one preferred embodiment of the invention, described specific macrodirectory Title specifically may include that VBA_PROJECT_CUR and/or Macros, it will be understood that on State VBA_PROJECT_CUR, Macros and be not intended as specific macrodirectory in the embodiment of the present invention The application of title limits.

Step 307-step 309 is that the file structure obtained according to parsing treats killing literary composition to infecting macrovirus What shelves carried out repair process implements process.Owing to differentiating that certain treats that killing document infects macrovirus After, anti-viral software would generally record the name of this directory entry treating that the macrovirus in killing document is corresponding Claim, therefore the effect of the title of the effect amendment directory entry of step 307 is in order to avoid anti-viral software by mistake Report；The effect of step 308 is for the macrodoce data dump by infecting macrovirus, to avoid The grand of OFFICE program is made mistakes, for example, it is possible to by the way of filling macrodoce with 0, macrodoce is clear Remove；After step 308 removes the macrodoce infecting macrovirus, step 309 is by macrodirectory corresponding for macrodoce Deleting or rename, its effect is so that OFFICE program thinks that corresponding directory entry is empty list, no It is further continued for resolving, wherein it is possible to by by the adjacent catalogue of the described directory entry that the match is successful and subdirectory Labelling be revised as the mode of sky and delete the described directory entry that the match is successful, the present invention is to concrete deletion Or the mode that renames is not any limitation as.

In the embodiment of the present invention, described when killing document is EXCEL document, described according to resolving To infecting macrovirus, the file structure obtained treats that killing document carries out the step of repair process, it is also possible to Including: when described EXCEL document infects macrovirus, revise the flow data of its workbook directory entry Described in field, not affect normally opening of described EXCEL document.

In a kind of application example of the present invention, ObProj structure in the flow data of workbook directory entry Type field for describing the type of ObProj structure, this type field can be revised as Continue etc. do not affect the value normally opened of EXCEL document, it is possible to make EXCEL program not Will be considered that this EXCEL document exists macrodoce, also pop-up macrodata would not be reminded to lose.

In a word, the embodiment of the present invention is based on " realizing the behavior code needed for fixing macrovirus behavior is phase To fixing " this rule carries out the killing of macrovirus；Specifically, carrying out grand for computer document During the killing of virus, the macrodoce of extraction is mated with the behavior code in behavior code storehouse, Described in matching result differentiation, treat whether killing document infects macrovirus；Due to the most known macrovirus Or unknown macrovirus all can follow above-mentioned rule, namely the speed no matter how macrovirus changes and change Degree how, therefore the embodiment of the present invention can possess certain power of test to unknown macrovirus, therefore can Enough power of test improving unknown macrovirus, and possess preferable anti-virus effect；

Meanwhile, the embodiment of the present invention resolves the file structure treating killing document, according to resolving the literary composition obtained Mark structure treats to extract killing document macrodoce from described, and, according to resolving the file structure that obtains Treating that killing document carries out repair process to infecting macrovirus, described file structure specifically can include literary composition The bibliographic structure corresponding to data stream of shelves；Owing to the bibliographic structure that the data stream of document is corresponding is computer The generic features of document, therefore the technical scheme of the embodiment of the present invention can be applicable to all computer documents Killing, that is, the embodiment of the present invention can be extracted grand generation killing document from various treating all sidedly Code, and treat that killing document carries out repair process to infecting the various of macrovirus, and at described EXCEL When document infects macrovirus, can normally open this EXCEL document.

With reference to Fig. 4, it is shown that the flow process of the method for macrovirus killing according to an embodiment of the invention Figure, the present embodiment is applied to PPT document and waits killing document, specifically may include that

Step 401, safety equipment obtain the catalogue of PPT document and tie by calculating the processor parsing of equipment Structure；The bibliographic structure of described PPT document specifically can include POWERPOINT DOCUMENT mesh Record item；

Step 402, the flow data resolved under described POWERPOINT DOCUMENT directory entry, And result is analytically searched composite object structure；

Step 403, the data deposited in described composite object structure are decompressed, obtain corresponding Decompress data；The document that after described decompression, data are corresponding specifically can include such as Documents in one Item or multinomial: PPT document and the embedded document of PPT, the embedded document of described PPT specifically can include multiple That closes in document, WORD document and EXCEL document is one or more；

Step 404, using document corresponding to data after described decompression as treating killing document, parsing obtains Corresponding bibliographic structure；

Each directory entry in the bibliographic structure of killing document is treated described in step 405, traversal；

Step 406, the title of the title of each directory entry with specific macrodirectory is mated；

Step 407, for the directory entry that the match is successful, read the flow data of its subdirectory item, and therefrom Decompress out the macrodoce of correspondence；

Behavior code in step 408, macrodoce and the behavior code storehouse extracted by processor is carried out Join；Wherein, described behavior code is for representing the macrodoce realized needed for fixing macrovirus behavior；

Step 409, foundation matching result treat whether killing document infects macrovirus described in differentiating；

Treat that killing document carries out repair process according to resolving the file structure obtained to infecting macrovirus, Specifically may include that

When step 410, the document that data are corresponding after described decompression include PPT embedded document, foundation Resolve the file structure obtaining the embedded document of PPT the embedded document of PPT infecting macrovirus is repaired Process, embedded for PPT after repair process document is compressed, and is filled into corresponding composite object structure In；

When step 411, the document that data are corresponding after described decompression include PPT document, reduce compound Length field in object structure, and add a new construction；Wherein, described reduction and the new knot of interpolation The length that the macrodoce of the PPT document of a length of infection macrovirus corresponding to structure is corresponding.

For PPT document, itself and compound document, WORD document or the district of EXCEL document Not: its bibliographic structure does not exist specific macrodirectory, but PPT document would generally be by all of Macrodoce leaves composite object in after being encapsulated as document format and compressing with zlib scheduling algorithm (ExternalOLEObjectStg) in structure, and ExternalOLEObjectStg structure is The structure in flow data under POWERPOINT DOCUMENT directory entry.

Macrodoce can directly be hidden in the data stream of PPT document, and specifically, macrodoce can be hidden in The composite object in flow data under POWERPOINT DOCUMENT directory entry (ExternalOLEObjectStg) in structure.

In order to killing goes out to be hidden in the macrodoce in ExternalOLEObjectStg structure, step 401-walks Rapid 402 lookups obtain ExternalOLEObjectStg structure, and step 403 is to described composite object structure In the data deposited decompress, decompressed data accordingly.

Described decompression data specifically can include two kinds of document: a class is the embedded literary composition of PPT Shelves, specifically can include compound document, WORD document or EXCEL document, the embedded literary composition of some PPT Shelves are embedded in PPT document；Another kind of is PPT document, and PPT document is also possible to macrodoce.

Either PPT document or the embedded document of PPT, all can as treating killing document, according to The grand disease of the compound document of step 301-step 306 shown in Fig. 3, WORD document or EXCEL document Poison killing flow process carries out the extraction of macrodoce and the detection of macrovirus.

Document embedded for PPT, it is possible to according to the flow process foundation of step 307-step 309 shown in Fig. 3 Resolve the file structure obtaining the embedded document of PPT the embedded document of PPT infecting macrovirus is repaired Process, and embedded for PPT after repair process document is compressed, be finally filled into corresponding composite object knot In structure；Described filling it can be avoided that PPT program occur " library of object invalid or comprise not finding right As definition quote " etc. mistake.

For PPT document, its repair process process specifically may include that in reduction composite object structure Length field, and add a new construction；Wherein, corresponding to the new construction of described reduction and interpolation Length corresponding to the macrodoce of PPT document of a length of infection macrovirus.Wherein, reduction is compound right Length field in image structures is in order to by macrodoce data dump existing in PPT document；Add one New construction is to take existing macrodoce data correspondence space, preventing OFFICE program from makeing mistakes, institute State new construction can be type be the data structure of 0 or other value, the embodiment of the present invention is to described in concrete New construction is not any limitation as.

With reference to Fig. 5, it is shown that the flow process of the method for macrovirus killing according to an embodiment of the invention Figure, the present embodiment is applied to OFFICE07 document and waits killing document, specifically may include that

Step 501, safety equipment decompress OFFICE07 document correspondence by calculating the processor of equipment Data, data after being decompressed accordingly；After described decompression, data specifically can include embedded Catalogue；

Step 502, using the document under described embedded catalogue as treating killing document, resolve obtain corresponding Tree directory structure；

Step 503, each directory entry traveled through in described tree directory structure；

Step 504, the title of the title of each directory entry with specific macrodirectory is mated；

Step 505, for the directory entry that the match is successful, read the flow data of its subdirectory item, and therefrom Decompress out the macrodoce of correspondence；

Behavior code in step 506, macrodoce and the behavior code storehouse extracted by processor is carried out Join；Wherein, described behavior code is for representing the macrodoce realized needed for fixing macrovirus behavior；

Step 507, foundation matching result treat whether killing document infects macrovirus described in differentiating；

Step 508, the document repaired under the described embedded catalogue infecting macrovirus, and at described embedded mesh After document reparation success under Lu, other data in data after described embedded document and described decompression are entered Row compresses the OFFICE07 document after being repaired.

Fig. 1-embodiment illustrated in fig. 3 default application is in OFFICE03 document wait killing document, and Fig. 5 The OFFICE07 document of illustrated embodiment application specifically can include the various OFFICE literary composition of 07 version Shelves, such as compound document 07, WORD07 document, EXCEL07 document or PPT07 document etc..

For OFFICE07 document, it is the compressed package of a zip, gives tacit consent to and is divided into two kinds of forms:

The OFFICE07 document of the first form specifically can include the document that suffix is docx, these lattice The not subsidiary any macrodoce data of the document of formula, if there being macrodoce data, cannot preserve this form, Will be deleted because once preserving；

The OFFICE07 document of the second form specifically can include that suffix is docm, pptm, xlsm's Document, for the document of this form, unties corresponding zip bag, and after corresponding decompression, data are concrete Including multiple catalogues and corresponding document, such as after the decompression that EXCEL07 document is corresponding, data are concrete Including xl catalogue, docProps catalogue, _ rels catalogue and content field labelling ([Content_Types] .xml) documents etc., wherein have an embedded catalogue, this embedded mesh under xl catalogue Document under Lu is it is possible to include the relevant documentation data and macrodoce being embedded in EXCEL07 document Data, therefore the present embodiment is that the OFFICE07 document for the second form carries out macrovirus killing 's.Above-mentioned xl catalogue, for EXCEL07 document, is then replaced for WORD07 document For word catalogue, ppt catalogue then replaces with for PPT07 document, namely word catalogue and ppt mesh An embedded catalogue is had respectively under record.

For the OFFICE07 document of the second form, owing to the document under its embedded catalogue has compound The file structure of document, therefore can be according to the compound document of step 301-step 306 shown in Fig. 3, WORD The macrovirus killing flow process of document or EXCEL document carries out the extraction of macrodoce and the inspection of macrovirus Survey, and the described interior of macrovirus can be infected according to the flow process reparation of step 307-step 309 shown in Fig. 3 Document under embedding catalogue；

Further, since OFFICE07 form is in the nature the compressed package forms such as zip form, simply suffix can Can be docx, xlsx, pptx etc., therefore the document that step 508 is under described embedded catalogue will after repairing successfully (as described in the include xl of embedded document of other data in data after described embedded document and described decompression Catalogue, original docProps catalogue, original _ rels catalogue and original content field marking document) carry out Compress the OFFICE07 document after being repaired.

Document under above-mentioned embedded catalogue is the document that OFFICE07 document is embedded, in the one of the present invention In preferred embodiment, after described decompression, data can also include the grand document of OFFICE07 and content word segment mark Note document；The grand document of described OFFICE07 is the grand document that OFFICE07 document carries, When OFFICE07 document self has macrodoce, macrodoce will be saved in the document, if the document There is virus, then can illustrate that OFFICE07 document has virus；

The step of the file structure of killing document is treated in the most described parsing, it is also possible to including: with described The grand document of OFFICE07, as treating killing document, resolves and obtains corresponding tree directory structure；

To infecting macrovirus, the most described file structure obtained according to parsing treats that killing document is repaired The scheme processed, it is also possible to including: the grand document of OFFICE07 under described embedded catalogue infects grand disease During poison, delete the grand document of described OFFICE07, resolve and obtain the interior of described content field marking document Hold, and the corresponding contents quoting the grand document of described OFFICE07 in described content field marking document is deleted Remove.

In a kind of application example of the present invention, the grand document of described OFFICE07 is VbaProject.bin. [Content_Types] .xml is the document of the catalogue format of data, Qi Zhonghui after describing described decompression Refer to VbaProject.bin, and VbaProject.bin document is a literary composition under described embedded catalogue Shelves；Therefore the VbaProject.bin document that this preferred embodiment is under described embedded catalogue infects macrovirus Time, not only delete VbaProject.bin document, and resolve and obtain described content field marking document Content, and the corresponding contents quoting described VbaProject.bin in described content field marking document is deleted Remove.

Corresponding to preceding method embodiment, the embodiment of the invention also discloses the dress of a kind of macrovirus killing Putting, this device is applied to safety equipment, with reference to the structure chart shown in Fig. 6, specifically may include that

Parsing module 601, for treating the document knot of killing document by calculating the processor parsing of equipment Structure；Described file structure specifically can include the bibliographic structure that the data stream of document is corresponding；

Extraction module 602, extracts killing document from described treating for the file structure obtained according to parsing Macrodoce；

Matching module 603, for the macrodoce and the behavior code in behavior code storehouse that are extracted by processor Mate；Wherein, described behavior code is for representing realize needed for fixing macrovirus behavior grand Code；

Discrimination module 604, treats whether killing document infects grand disease described in differentiating according to matching result Poison；And

Repair process module 605, for according to resolving the file structure obtained to infecting the to be checked of macrovirus Kill document and carry out repair process.

In the embodiment of the present invention, described treat killing document be compound document, WORD document or During EXCEL document, described parsing module 601 specifically may include that and obtains treating killing literary composition for parsing First analyzing sub-module of the tree directory structure of shelves；

Described extraction module 602 specifically may include that

Described repair process module 605 specifically may include that

Second amendment submodule, for for the described directory entry that the match is successful, is deleted or changes Name.

In the embodiment of the present invention, described when killing document is EXCEL document, repair process module 605 can also include:

In the still another preferable embodiment of the embodiment of the present invention, described in treat killing document be PPT literary composition Shelves；

The most described parsing module 601 specifically may include that

Second analyzing sub-module, for resolving the bibliographic structure obtaining PPT document；Described PPT document Bibliographic structure specifically can include POWERPOINT DOCUMENT directory entry；

Described extraction module 602 specifically may include that

Described repair process module 605 specifically may include that

In a kind of preferred embodiment of the embodiment of the present invention, described in treat killing document be OFFICE07 literary composition Shelves；

The most described parsing module 601 specifically may include that

The most described extraction module 602 specifically may include that

Described repair process module 605 specifically may include that

In the another kind of preferred embodiment of the embodiment of the present invention, after described decompression, data can also include The grand document of OFFICE07 and content field marking document；

The most described parsing module 601 can also include: for using the grand document of described OFFICE07 as treating Killing document, resolves the 5th analyzing sub-module obtaining corresponding tree directory structure

The most described repair process module 605 can also include:

In the still another preferable embodiment of the embodiment of the present invention, the title of described specific macrodirectory is concrete May include that VBA_PROJECT_CUR and/or Macros.

In embodiments of the present invention, it is preferred that described device can also include: be used for constructing described The constructing module in behavior code storehouse；

Described constructing module specifically may include that

Wherein, described collection submodule farther includes:

Analyze extraction unit, for the grammer according to macrodoce, the macrodoce to described macrovirus sample Semanteme be analyzed, therefrom extract the corresponding behavior code realized needed for fixing macrovirus behavior

Device as described in the present embodiment of the invention, it is characterised in that described in treat that killing document is EXCEL Document；

Then repair process module also includes:

Device as described in the present embodiment of the invention, it is characterised in that described in treat killing document be PPT literary composition Shelves；

The most described parsing module includes:

Described extraction module includes:

Described repair process module includes:

Device as described in the present embodiment of the invention, it is characterised in that described in treat that killing document is OFFICE07 document；

The most described parsing module includes:

The most described extraction module includes:

Described repair process module includes:

Device as described in the present embodiment of the invention, it is characterised in that after described decompression, data also include The grand document of OFFICE07 and content field marking document；

The most described repair process module also includes:

Device as described in the present embodiment of the invention, it is characterised in that the title bag of described specific macrodirectory Include: VBA_PROJECT_CUR and/or Macros.

Device as described in the present embodiment of the invention, it is characterised in that also include: be used for constructing described row Constructing module for code library；

Described constructing module includes:

Wherein, described collection submodule farther includes:

Analyze extraction unit, for the grammer according to macrodoce, the macrodoce to described macrovirus sample Semanteme be analyzed, therefrom extract the corresponding behavior generation realized needed for fixing macrovirus behavior Code.

Provided herein algorithm and display not with any certain computer, virtual system or miscellaneous equipment Intrinsic relevant.Various general-purpose systems can also be used together with based on teaching in this.According to above Describe, construct the structure required by this kind of system and be apparent from.Additionally, the present invention is also not for Any certain programmed language.It is understood that, it is possible to use various programming languages realize described here The content of invention, and the description above done language-specific is to disclose the optimal real of the present invention Execute mode.

In description mentioned herein, illustrate a large amount of detail.It is to be appreciated, however, that Embodiments of the invention can be put into practice in the case of not having these details.In some instances, It is not shown specifically known method, structure and technology, in order to do not obscure the understanding of this description.

Similarly, it will be appreciated that in order to simplify the disclosure and help to understand in each inventive aspect Individual or multiple, above in the description of the exemplary embodiment of the present invention, each feature of the present invention Sometimes it is grouped together in single embodiment, figure or descriptions thereof.But, should be by The method of the disclosure is construed to reflect an intention that i.e. the present invention for required protection requires that ratio is each The more feature of feature being expressly recited in claim.More precisely, as following right is wanted As asking book to be reflected, inventive aspect is all spies less than single embodiment disclosed above Levy.Therefore, it then follows claims of detailed description of the invention are thus expressly incorporated in this specific embodiment party Formula, the most each claim itself is as the independent embodiment of the present invention.

Those skilled in the art are appreciated that and can carry out the module in the equipment in embodiment Adaptively change and they are arranged in one or more equipment different from this embodiment. Module in embodiment or unit or assembly can be combined into a module or unit or assembly, and In addition multiple submodule or subelement or sub-component can be put them into.Except such feature and/or Outside at least some in process or unit excludes each other, any combination can be used this explanation All features disclosed in book (including adjoint claim, summary and accompanying drawing) and so disclosed Any method or all processes of equipment or unit are combined.Unless expressly stated otherwise, this theory Each feature disclosed in bright book (including adjoint claim, summary and accompanying drawing) can be by providing phase Together, the alternative features of equivalent or similar purpose replaces.

Although additionally, it will be appreciated by those of skill in the art that embodiments more described herein include Some feature included in other embodiments rather than further feature, but the feature of different embodiment Combination mean to be within the scope of the present invention and formed different embodiments.Such as, under In the claims in face, embodiment required for protection one of arbitrarily can be in any combination Mode uses.

The all parts embodiment of the present invention can realize with hardware, or with at one or more The software module run on reason device realizes, or realizes with combinations thereof.Those skilled in the art Should be appreciated that and microprocessor or digital signal processor (DSP) can be used in practice to realize The some or all functions of the some or all parts in equipment according to embodiments of the present invention.This Invention be also implemented as part or all equipment for performing method as described herein or Person's device program (such as, computer program and computer program).Such realize the present invention's Program can store on a computer-readable medium, or can have the shape of one or more signal Formula.Such signal can be downloaded from internet website and obtain, or provides on carrier signal, Or provide with any other form.

The present invention will be described rather than limits the present invention to it should be noted above-described embodiment Make, and those skilled in the art can design without departing from the scope of the appended claims Alternative embodiment.In the claims, any reference marks that should not will be located between bracket is configured to Limitations on claims.Word " comprises " and does not excludes the presence of the element or step not arranged in the claims Suddenly.Word "a" or "an" before being positioned at element does not excludes the presence of multiple such element.The present invention And can come real by means of properly programmed computer by means of including the hardware of some different elements Existing.If in the unit claim listing equipment for drying, several in these devices can be logical Cross same hardware branch specifically to embody.Word first, second and third use do not indicate that Any order.Can be title by these word explanations.

Claims

1. a method for macrovirus killing, including:

The file structure of killing document treated by safety equipment by calculating the processor parsing of equipment；Described file structure includes the bibliographic structure that the data stream of document is corresponding；

Treat that killing document carries out repair process according to resolving the file structure obtained to infecting macrovirus；

Wherein, described when killing document is compound document, WORD document or EXCEL document, the step of the file structure of killing document is treated in described parsing, including: resolve and obtain treating the tree directory structure of killing document；

Described according to resolving the file structure that obtains from the described step treating to extract macrodoce killing document, including:

Travel through each directory entry in described tree directory structure；

For the directory entry that the match is successful, read the flow data of its subdirectory item, and therefrom decompress out the macrodoce of correspondence；

To infecting macrovirus, the described file structure obtained according to parsing treats that killing document carries out the step of repair process, including:

That revises described infection macrovirus treats the title of the successful directory entry of macrovirus Corresponding matching in killing document；

For the described directory entry that the match is successful, it is deleted or renames；

Wherein, described when killing document is EXCEL document, to infecting macrovirus, the described file structure obtained according to parsing treats that killing document carries out the step of repair process, also include:

When described EXCEL document infects macrovirus, revise the description field in the flow data of its workbook directory entry, not affect normally opening of described EXCEL document.

2. the method for claim 1, it is characterised in that described in treat that killing document is PPT document；

Resolve the flow data under described POWERPOINT DOCUMENT directory entry, and analytically result searches composite object structure；

The data deposited in described composite object structure are decompressed, is decompressed data accordingly；The document that after described decompression, data are corresponding include such as Documents in one or more: PPT document and the embedded document of PPT, it is one or more that the embedded document of described PPT includes in compound document, WORD document and EXCEL document；

The document that data are corresponding after described decompression, as treating killing document, resolves and obtains corresponding bibliographic structure；

When the document that data are corresponding after described decompression includes PPT embedded document, according to resolving the file structure obtaining the embedded document of PPT, the embedded document of PPT infecting macrovirus is carried out repair process, embedded for PPT after repair process document is compressed, and is filled in corresponding composite object structure；And/or

When the document that data are corresponding after described decompression includes PPT document, reduce the length field in composite object structure, and add a new construction, wherein, the length that described reduction is corresponding with the macrodoce of the PPT document of a length of infection macrovirus corresponding to the new construction of interpolation.

3. the method for claim 1, it is characterised in that described in treat that killing document is OFFICE07 document；

Decompress the data that OFFICE07 document is corresponding, data after being decompressed accordingly；After described decompression, data include embedded catalogue；

Using the document under described embedded catalogue as treating killing document, resolve and obtain corresponding tree directory structure；

The most described according to resolving the file structure that obtains from the described step treating to extract macrodoce killing document, including:

Travel through each directory entry in described tree directory structure；

After repairing the document under the described embedded catalogue infecting macrovirus, and the document reparation success under described embedded catalogue, other data in data after described embedded document and described decompression are compressed the OFFICE07 document after being repaired.

4. method as claimed in claim 3, it is characterised in that after described decompression, data also include the grand document of OFFICE07 and content field marking document；

The step of the file structure of killing document is treated in the most described parsing, also includes: using the grand document of described OFFICE07 as treating killing document, resolves and obtains corresponding tree directory structure；

To infecting macrovirus, the most described file structure obtained according to parsing treats that killing document carries out the step of repair process, also include:

When the grand document of described OFFICE07 infects macrovirus, delete the grand document of described OFFICE07, resolve the content obtaining described content field marking document, and the corresponding contents quoting the grand document of described OFFICE07 in described content field marking document is deleted.

5. the method for claim 1, it is characterised in that the title of described specific macrodirectory includes: VBA_PROJECT_CUR and/or Macros.

6. the method as according to any one of claim 1 to 5, it is characterised in that construct described behavior code storehouse as follows:

Collect the behavior code realized needed for fixing macrovirus behavior；

Described behavior code is preserved to behavior code storehouse；

Wherein, the step of the described behavior code collected needed for the macrovirus behavior realizing fixing, farther include:

Collect the macrovirus sample of various computer document；

Resolve the file structure of described macrovirus sample；Described file structure specifically can include the bibliographic structure that the data stream of document is corresponding；

According to the grammer of macrodoce, the semanteme of the macrodoce of described macrovirus sample is analyzed, therefrom extracts the corresponding behavior code realized needed for fixing macrovirus behavior.

7. a device for macrovirus killing, is applied to safety equipment, including:

Parsing module, for treating the file structure of killing document by calculating the processor parsing of equipment；Described file structure includes the bibliographic structure that the data stream of document is corresponding；

Extraction module, treats to extract killing document macrodoce for the file structure obtained according to parsing from described；

Matching module, for mating the macrodoce that processor extracts with the behavior code in behavior code storehouse；Wherein, described behavior code is for representing the macrodoce realized needed for fixing macrovirus behavior；

Discrimination module, treats whether killing document infects macrovirus described in differentiating according to matching result；And

To infecting macrovirus, repair process module, treats that killing document carries out repair process for the file structure obtained according to parsing；

Wherein, described when killing document is compound document, WORD document or EXCEL document, described parsing module includes: obtain treating the first analyzing sub-module of the tree directory structure of killing document for resolving；

The most described extraction module includes:

First matched sub-block, for mating the title of each directory entry with the title of specific macrodirectory；

First reads decompression module, for for the directory entry that the match is successful, reads the flow data of its subdirectory item, and therefrom decompresses out the macrodoce of correspondence；

Described repair process module includes:

First amendment submodule, treats the title of the successful directory entry of macrovirus Corresponding matching in killing document for revise described infection macrovirus；

Wherein, described when killing document is EXCEL document, described repair process module, also include:

3rd amendment submodule, for when described EXCEL document infects macrovirus, revising the description field in the flow data of its workbook directory entry, not affect normally opening of described EXCEL document.