CN103500309B - Method and device for detecting and removing macro viruses - Google Patents
Method and device for detecting and removing macro viruses
- Publication number: CN103500309B (application CN201310446768.7A)
- Authority: CN (China)
- Prior art keywords: document, detection and removal, macro virus, macro code, file structure
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
Abstract
The invention discloses a method and device for detecting and removing macro viruses. The method includes: a security device parses, with the processor of a computing device, the file structure of the document to be scanned, where the file structure includes the directory structure corresponding to the document's data streams; macro code is extracted from the document to be scanned according to the parsed file structure; the processor matches the extracted macro code against the behaviour codes in a behaviour code library, where a behaviour code represents the macro code required to realize a fixed macro virus behaviour; whether the document to be scanned is infected with a macro virus is determined from the matching result; and a document found to be infected with a macro virus is repaired according to the parsed file structure. The invention improves the detection capability for unknown macro viruses, has a good anti-virus effect, can comprehensively extract macro code from documents of various kinds, and can repair infected documents of various kinds.
Description
Technical field
The present invention relates to the technical field of data security, and in particular to a method and device for detecting and removing macro viruses.
Background technology
With the spread of computers and the development of the mobile Internet, the networked information age has arrived. A virus, as one form of information, has the characteristics of reproduction, infection and destruction, and threatens the information security of users. Computer documents, that is, the files produced by text-editing software such as WORD, EXCEL and PPT, are widely used, and the macro virus, a new type of virus specialized in compromising the information security of computer documents, has gradually come into view.
Because a macro virus hides inside a data file, and because the script grammar it uses is flexible and changeable so that one function can be written in many different ways, it is extremely difficult to determine whether a file carries a macro virus.
The anti-virus methods used by existing anti-virus software almost all rely on virus signatures. Since every computer virus has its own identifying features, once a new virus appears its features are first found, and the virus characterized by those features is then searched for and handled according to them; that is, the prior art has a certain removal capability for known macro viruses.
However, a macro virus infects and takes effect first, and anti-virus comes afterwards; moreover, the macro language is a script, so a slight modification produces a variant, and a macro virus can even modify itself during propagation, changing each time it propagates. The prior art therefore has difficulty keeping up with the pace at which macro viruses change, has essentially no removal capability for unknown macro viruses, and its anti-virus effect is poor.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a method and device for detecting and removing macro viruses that overcome, or at least partly solve, the above problems.
According to one aspect of the present invention, a method for detecting and removing macro viruses is provided, including:
a security device parsing, with the processor of a computing device, the file structure of the document to be scanned, where the file structure includes the directory structure corresponding to the document's data streams;
extracting macro code from the document to be scanned according to the parsed file structure;
the processor matching the extracted macro code against the behaviour codes in a behaviour code library, where a behaviour code represents the macro code required to realize a fixed macro virus behaviour;
determining from the matching result whether the document to be scanned is infected with a macro virus; and
repairing a document infected with a macro virus according to the parsed file structure.
Where the document to be scanned is a compound document, a WORD document or an EXCEL document, the step of parsing the file structure of the document to be scanned includes: parsing to obtain the tree directory structure of the document to be scanned;
the step of extracting macro code from the document to be scanned according to the parsed file structure then includes:
traversing each directory entry in the tree directory structure;
matching the name of each directory entry against the name of a specific macro directory;
for a directory entry that matches successfully, reading the stream data of its child directory entries and decompressing the corresponding macro code from it;
and the step of repairing a document infected with a macro virus according to the parsed file structure includes:
modifying the name of the directory entry in the infected document that matched the macro virus;
clearing the macro code of the matched directory entry; and
deleting or renaming the matched directory entry.
Where the document to be scanned is an EXCEL document, the step of repairing a document infected with a macro virus according to the parsed file structure further includes:
when the EXCEL document is infected with a macro virus, modifying the description field in the stream data of its workbook directory entry so that normal opening of the EXCEL document is not affected.
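The decompression the extraction step refers to is the compression Office applies to VBA module streams (the [MS-OVBA] CompressedContainer). The following decoder is an added example, not code from the patent: it handles both compressed and stored chunks, and is run on a constructed container whose decompressed form is the macro source that would be matched against the behaviour code library.

```python
def _copy_token_split(distance):
    """Bit split of a copy token depends on how far into the chunk the output is
    ([MS-OVBA] 2.4.4.3): the offset gets the top bit_count bits, the length the rest."""
    bit_count = max(4, (distance - 1).bit_length())   # smallest b >= 4 with 2**b >= distance
    length_mask = 0xFFFF >> bit_count
    return bit_count, length_mask, 0xFFFF & ~length_mask


def decompress_vba(container):
    """Decompress an [MS-OVBA] CompressedContainer as stored in VBA module streams."""
    if not container or container[0] != 0x01:
        raise ValueError("missing 0x01 signature byte")
    out, pos = bytearray(), 1
    while pos + 2 <= len(container):
        header = int.from_bytes(container[pos:pos + 2], "little")
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature bits")
        chunk_end = min(pos + (header & 0x0FFF) + 3, len(container))  # size field is size - 3
        is_compressed = bool(header & 0x8000)
        chunk_out_start = len(out)
        pos += 2
        if not is_compressed:                  # stored chunk: 4096 raw bytes follow
            out += container[pos:pos + 4096]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags, pos = container[pos], pos + 1
            for bit in range(8):               # each flag bit describes one token, LSB first
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:     # literal token: one byte copied as-is
                    out.append(container[pos])
                    pos += 1
                    continue
                token = int.from_bytes(container[pos:pos + 2], "little")
                pos += 2
                distance = len(out) - chunk_out_start
                bit_count, length_mask, offset_mask = _copy_token_split(distance)
                length = (token & length_mask) + 3
                offset = ((token & offset_mask) >> (16 - bit_count)) + 1
                if offset > distance:
                    raise ValueError("copy token points before the chunk start")
                src = len(out) - offset
                for i in range(length):        # byte-wise so overlapping copies work
                    out.append(out[src + i])
    return bytes(out)


# Constructed container (not from any real file) encoding "Sub AutoOpen()\nSub AutoClose()\n"
# as one compressed chunk of 28 data bytes: 8 literals; 7 literals plus one copy token
# (offset 15, length 8, re-using "Sub Auto"); 8 literals.  Header 0xB01B = flag 1, sig 011, size 27.
SAMPLE_CONTAINER = (b"\x01" + b"\x1B\xB0"
                    + b"\x00" + b"Sub Auto"
                    + b"\x80" + b"Open()\n" + b"\x05\xE0"
                    + b"\x00" + b"Close()\n")
```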
Optionally, the document to be scanned is a PPT document;
the step of parsing the file structure of the document to be scanned then includes:
parsing to obtain the directory structure of the PPT document, which includes a POWERPOINT DOCUMENT directory entry;
parsing the stream data under the POWERPOINT DOCUMENT directory entry and searching the parsed result for composite object structures;
decompressing the data stored in the composite object structures to obtain the corresponding decompressed data, where the document corresponding to the decompressed data includes one or more of the following: a PPT document and a PPT embedded document, the PPT embedded document including one or more of a compound document, a WORD document and an EXCEL document;
taking the document corresponding to the decompressed data as the document to be scanned and parsing to obtain the corresponding directory structure;
the step of extracting macro code from the document to be scanned according to the parsed file structure includes:
traversing each directory entry in the directory structure of the document to be scanned;
matching the name of each directory entry against the name of a specific macro directory;
for a directory entry that matches successfully, reading the stream data of its child directory entries and decompressing the corresponding macro code from it;
and the step of repairing a document infected with a macro virus according to the parsed file structure includes:
when the document corresponding to the decompressed data includes a PPT embedded document, repairing the infected PPT embedded document according to the parsed file structure of the PPT embedded document, compressing the repaired PPT embedded document and filling it back into the corresponding composite object structure; and/or
when the document corresponding to the decompressed data includes a PPT document, reducing the length field in the composite object structure and adding a new structure, where the length reduced and the length of the added new structure both correspond to the length of the macro code of the infected PPT document.
Optionally, the document to be scanned is an OFFICE07 document;
the step of parsing the file structure of the document to be scanned then includes:
decompressing the data corresponding to the OFFICE07 document to obtain the corresponding decompressed data, which include an embedded directory;
taking the document under the embedded directory as the document to be scanned and parsing to obtain the corresponding tree directory structure;
the step of extracting macro code from the document to be scanned according to the parsed file structure then includes:
traversing each directory entry in the tree directory structure;
matching the name of each directory entry against the name of a specific macro directory;
for a directory entry that matches successfully, reading the stream data of its child directory entries and decompressing the corresponding macro code from it;
and the step of repairing a document infected with a macro virus according to the parsed file structure includes:
repairing the document under the embedded directory that is infected with a macro virus and, after the document under the embedded directory has been repaired successfully, compressing the embedded document together with the other data in the decompressed data to obtain the repaired OFFICE07 document.
Optionally, the decompressed data further include an OFFICE07 macro document and a content-type marking document;
the step of parsing the file structure of the document to be scanned then further includes: taking the OFFICE07 macro document as the document to be scanned and parsing to obtain the corresponding tree directory structure;
and the step of repairing a document infected with a macro virus according to the parsed file structure further includes:
when the OFFICE07 macro document is infected with a macro virus, deleting the OFFICE07 macro document, parsing to obtain the content of the content-type marking document, and deleting from the content-type marking document the content that references the OFFICE07 macro document.
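An added example of the OFFICE07 repair just described, not code from the patent: a constructed ZIP package stands in for the document, the macro part is deleted, and the entries referring to it are removed from the content-type marking part ([Content_Types].xml in a real OOXML package). The part names and content types in the sample are assumptions made for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
ET.register_namespace("", CT_NS)   # keep the default namespace when re-serialising
CONTENT_TYPES_PART = "[Content_Types].xml"


def build_sample_package(macro_part="word/vbaProject.bin"):
    """Constructed stand-in for an OFFICE07 (OOXML) document: a ZIP holding the content-type
    marking part, a body part and a placeholder macro part.  Not a real Word file."""
    content_types = (
        f'<Types xmlns="{CT_NS}">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
        f'<Override PartName="/{macro_part}" ContentType="application/vnd.ms-office.vbaProject"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(CONTENT_TYPES_PART, content_types)
        z.writestr("word/document.xml", "<document/>")
        z.writestr(macro_part, b"PLACEHOLDER: stands in for the compound-file macro part")
    return buf.getvalue()


def part_names(package):
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return sorted(z.namelist())


def content_types_xml(package):
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return z.read(CONTENT_TYPES_PART).decode("utf-8")


def remove_macro_part(package, macro_part="word/vbaProject.bin"):
    """Repair step of the OFFICE07 branch: drop the macro part, delete every content-type
    entry that refers to it, and re-pack the remaining parts."""
    src = zipfile.ZipFile(io.BytesIO(package))
    if macro_part not in src.namelist():
        return package                                   # nothing to repair
    keep = [n for n in src.namelist() if n != macro_part]
    root = ET.fromstring(src.read(CONTENT_TYPES_PART))
    ext = macro_part.rsplit(".", 1)[-1].lower()
    ext_still_used = any(n.lower().endswith("." + ext) for n in keep)
    for el in list(root):
        tag = el.tag.split("}")[-1]
        if tag == "Override" and el.get("PartName") == "/" + macro_part:
            root.remove(el)                              # explicit mapping for the macro part
        elif tag == "Default" and el.get("Extension", "").lower() == ext and not ext_still_used:
            root.remove(el)                              # extension mapping no other part needs
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in keep:
            if name == CONTENT_TYPES_PART:
                dst.writestr(name, ET.tostring(root, encoding="utf-8", xml_declaration=True))
            else:
                dst.writestr(name, src.read(name))
    src.close()
    return out.getvalue()
```

A real package also references the macro part from its relationships part (word/_rels/document.xml.rels), which the patent text does not mention and this example leaves untouched.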
Optionally, the name of the specific macro directory includes: VBA_PROJECT_CUR and/or Macros.
Optionally, the behaviour code library is constructed as follows:
collecting the behaviour codes required to realize fixed macro virus behaviours;
saving the behaviour codes into the behaviour code library;
where the step of collecting the behaviour codes required to realize fixed macro virus behaviours further includes:
collecting macro virus samples of various computer documents;
parsing the file structure of the macro virus samples, where the file structure may specifically include the directory structure corresponding to the document's data streams;
extracting macro code from the macro virus samples according to the parsed file structure; and
analysing the semantics of the macro code of the macro virus samples according to the grammar of macro code, and extracting from it the behaviour codes required to realize the corresponding fixed macro virus behaviours.
According to another aspect of the present invention, a device for detecting and removing macro viruses is provided, which is applied in a security device and includes:
a parsing module, for parsing, with the processor of a computing device, the file structure of the document to be scanned, where the file structure includes the directory structure corresponding to the document's data streams;
an extraction module, for extracting macro code from the document to be scanned according to the parsed file structure;
a matching module, for matching, with the processor, the extracted macro code against the behaviour codes in a behaviour code library, where a behaviour code represents the macro code required to realize a fixed macro virus behaviour;
a discrimination module, for determining from the matching result whether the document to be scanned is infected with a macro virus; and
a repair module, for repairing a document infected with a macro virus according to the parsed file structure.
Where the document to be scanned is a compound document, a WORD document or an EXCEL document, the parsing module includes: a first parsing submodule, for parsing to obtain the tree directory structure of the document to be scanned;
the extraction module then includes:
a first traversal submodule, for traversing each directory entry in the tree directory structure;
a first matching submodule, for matching the name of each directory entry against the name of a specific macro directory;
a first read-and-decompress submodule, for reading, for a directory entry that matches successfully, the stream data of its child directory entries and decompressing the corresponding macro code from it;
and the repair module includes:
a first modification submodule, for modifying the name of the directory entry in the infected document that matched the macro virus;
a filling submodule, for clearing the macro code of the matched directory entry; and
a second modification submodule, for deleting or renaming the matched directory entry;
where, when the document to be scanned is an EXCEL document, the repair module further includes:
a third modification submodule, for modifying, when the EXCEL document is infected with a macro virus, the description field in the stream data of its workbook directory entry so that normal opening of the EXCEL document is not affected.
Optionally, the document to be scanned is a PPT document;
the parsing module then includes:
a second parsing submodule, for parsing to obtain the directory structure of the PPT document, which includes a POWERPOINT DOCUMENT directory entry;
a third parsing submodule, for parsing the stream data under the POWERPOINT DOCUMENT directory entry and searching the parsed result for composite object structures;
a decompression submodule, for decompressing the data stored in the composite object structures to obtain the corresponding decompressed data, where the document corresponding to the decompressed data includes one or more of the following: a PPT document and a PPT embedded document, the PPT embedded document including one or more of a compound document, a WORD document and an EXCEL document;
a fourth parsing submodule, for taking the document corresponding to the decompressed data as the document to be scanned and parsing to obtain the corresponding directory structure;
the extraction module includes:
a second traversal submodule, for traversing each directory entry in the directory structure of the document to be scanned;
a second matching submodule, for matching the name of each directory entry against the name of a specific macro directory;
a second read-and-decompress submodule, for reading, for a directory entry that matches successfully, the stream data of its child directory entries and decompressing the corresponding macro code from it;
and the repair module includes:
a first repair submodule, for repairing, when the document corresponding to the decompressed data includes a PPT embedded document, the infected PPT embedded document according to the parsed file structure of the PPT embedded document, compressing the repaired PPT embedded document and filling it back into the corresponding composite object structure; and/or
a second repair submodule, for reducing, when the document corresponding to the decompressed data includes a PPT document, the length field in the composite object structure and adding a new structure, where the length reduced and the length of the added new structure both correspond to the length of the macro code of the infected PPT document.
Optionally, the document to be scanned is an OFFICE07 document;
the parsing module then includes:
a decompression submodule, for decompressing the data corresponding to the OFFICE07 document to obtain the corresponding decompressed data, which include an embedded directory;
a fourth parsing submodule, for taking the document under the embedded directory as the document to be scanned and parsing to obtain the corresponding tree directory structure;
the extraction module then includes:
a third traversal submodule, for traversing each directory entry in the directory structure of the document to be scanned;
a third matching submodule, for matching the name of each directory entry against the name of a specific macro directory;
a third read-and-decompress submodule, for reading, for a directory entry that matches successfully, the stream data of its child directory entries and decompressing the corresponding macro code from it;
and the repair module includes:
a repair-and-compress submodule, for repairing the document under the embedded directory that is infected with a macro virus and, after the document under the embedded directory has been repaired successfully, compressing the embedded document together with the other data in the decompressed data to obtain the repaired OFFICE07 document.
Optionally, the decompressed data further include an OFFICE07 macro document and a content-type marking document;
the parsing module then further includes: a fifth parsing submodule, for taking the OFFICE07 macro document as the document to be scanned and parsing to obtain the corresponding tree directory structure;
and the repair module further includes:
a deletion submodule, for deleting, when the OFFICE07 macro document under the embedded directory is infected with a macro virus, the OFFICE07 macro document, parsing to obtain the content of the content-type marking document, and deleting from the content-type marking document the content that references the OFFICE07 macro document.
Optionally, the name of the specific macro directory includes: VBA_PROJECT_CUR and/or Macros.
Optionally, the device further includes a construction module for constructing the behaviour code library; the construction module includes:
a collection submodule, for collecting the behaviour codes required to realize fixed macro virus behaviours; and
a saving submodule, for saving the behaviour codes into the behaviour code library;
where the collection submodule further includes:
a sample collection unit, for collecting macro virus samples of various computer documents;
a sample parsing unit, for parsing the file structure of the macro virus samples, where the file structure may specifically include the directory structure corresponding to the document's data streams;
a sample extraction unit, for extracting macro code from the macro virus samples according to the parsed file structure; and
an analysis and extraction unit, for analysing the semantics of the macro code of the macro virus samples according to the grammar of macro code and extracting from it the behaviour codes required to realize the corresponding fixed macro virus behaviours.
The method and device for detecting and removing macro viruses according to the present invention achieve the following beneficial effects:
The embodiments of the present invention detect and remove macro viruses on the basis of the rule that "the behaviour code required to realize a fixed macro virus behaviour is relatively fixed". Specifically, when a computer document is scanned for macro viruses, the extracted macro code is matched against the behaviour codes in the behaviour code library, and whether the document to be scanned is infected with a macro virus is determined from the matching result. Since both known and unknown macro viruses follow this rule, that is, the rule holds no matter how a macro virus changes and however fast it changes, the embodiments of the present invention have a certain detection capability for unknown macro viruses; they can therefore improve the detection of unknown macro viruses and achieve a good anti-virus effect.
At the same time, the embodiments of the present invention parse the file structure of the document to be scanned, extract macro code from the document according to the parsed file structure, and repair documents infected with a macro virus according to the parsed file structure, where the file structure may specifically include the directory structure corresponding to the document's data streams. Because the directory structure corresponding to a document's data streams is a generic feature of computer documents, the technical scheme of the embodiments can be applied to the detection and removal of macro viruses in all computer documents; that is, the embodiments can comprehensively extract macro code from documents of various kinds and repair infected documents of various kinds.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be understood more clearly and practised according to the content of the description, and in order that the above and other objects, features and advantages of the present invention become more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art on reading the detailed description of the preferred embodiments below. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the present invention. Throughout the drawings, identical reference symbols denote identical parts. In the drawings:
Fig. 1 shows a flow chart of the method for detecting and removing macro viruses according to an embodiment of the present invention;
Fig. 2 shows a schematic diagram of the file structure of a compound document according to an embodiment of the present invention;
Fig. 3 shows a flow chart of the method for detecting and removing macro viruses according to an embodiment of the present invention;
Fig. 4 shows a flow chart of the method for detecting and removing macro viruses according to an embodiment of the present invention;
Fig. 5 shows a flow chart of the method for detecting and removing macro viruses according to an embodiment of the present invention; and
Fig. 6 shows a structural diagram of the device for detecting and removing macro viruses according to an embodiment of the present invention.
Detailed description of the invention
Exemplary embodiments of the present disclosure are described more fully below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure is understood more thoroughly and its scope is conveyed completely to those skilled in the art.
The embodiments of the present invention detect and remove macro viruses on the basis of the rule that "the behaviour code required to realize a fixed macro virus behaviour is relatively fixed". Specifically, because a macro virus written in a macro language acts mainly through the macro code of a computer document, the behaviour code above can be used to represent the macro code required to realize a fixed macro virus behaviour. Thus, when a computer document is scanned for macro viruses, the extracted macro code is matched against the behaviour codes in the behaviour code library, and whether the document to be scanned is infected with a macro virus is determined from the matching result. Since both known and unknown macro viruses follow this rule, that is, the rule holds no matter how a macro virus changes and however fast it changes, the embodiments of the present invention have a certain detection capability for unknown macro viruses; they can therefore improve the detection of unknown macro viruses and achieve a good anti-virus effect.
Referring to Fig. 1, a flow chart of the method for detecting and removing macro viruses according to an embodiment of the present invention is shown; the method may specifically include:
Step 101: a security device parses, with the processor of a computing device, the file structure of the document to be scanned, where the file structure may specifically include the directory structure corresponding to the document's data streams;
Step 102: macro code is extracted from the document to be scanned according to the parsed file structure.
In a concrete implementation there are many types of computer document, including WORD, EXCEL, PPT and compound documents; each type in turn has several versions, such as 03 and 07, and a document of one type may embed documents of other types. How to extract macro code comprehensively from a document to be scanned is therefore a difficult problem in this field.
The embodiments of the present invention parse the file structure of the document to be scanned and extract macro code from it according to the parsed file structure; the file structure may specifically include the directory structure corresponding to the document's data streams.
Taking a compound document as an example: a compound document may include a number of data streams, which are stored in different storages. The naming rules for streams and storages resemble those of a file system: streams and storages under the same storage may not share a name, while streams under different storages may have the same name. Every compound document has a root storage. The directory is an internal control stream composed of a series of directory entries, each of which points to a storage or a data stream of the compound document.
Referring to Fig. 2, a schematic diagram of the file structure of a compound document according to an embodiment of the present invention is shown, in which the directory places the direct members (storages or data streams) of each storage in an independent directory tree structure.
In Fig. 2, every node of the directory tree (the root node and the leaf nodes) has a corresponding name. Therefore, when the name of the specific macro directory is known, the macro directory of the compound document can be obtained by string-matching the name of each directory entry in the directory tree against the name of the specific macro directory; for a directory entry that matches, the stream data of its sub-directory entries is read and the corresponding macro code is decompressed from it.
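The "decompress the corresponding macro code" step above refers to the module streams under the VBA storage, which are stored in the MS-OVBA compressed-container format (MS-OVBA section 2.4.1), not with zlib. The following Python decompressor is an added example and not code from the patent; the compressed sample at the bottom is constructed by hand (three literal bytes followed by one copy token) so that the block runs offline.

```python
"""MS-OVBA compressed-container decompressor for VBA module streams.

Added example, not the patent's code.  Container layout: a 0x01 signature
byte, then chunks of (2-byte header, data); header bit 15 = compressed,
bits 0-11 = chunk size - 3.  A compressed chunk is a run of (flag byte,
8 tokens): flag bit clear = literal byte, flag bit set = 2-byte copy token
whose offset/length split depends on how much of the chunk is already
decompressed (CopyTokenHelp in the specification)."""


def decompress_vba(data):
    if not data or data[0] != 0x01:
        raise ValueError("missing MS-OVBA container signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        chunk_size = (header & 0x0FFF) + 3          # size includes the 2-byte header
        compressed = (header >> 15) & 1
        chunk_end = min(len(data), pos + chunk_size)
        pos += 2
        chunk_start = len(out)                       # DecompressedChunkStart
        if not compressed:
            out += data[pos:pos + 4096]              # raw chunk: 4096 literal bytes
            pos += 4096
            continue
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:           # literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")
                pos += 2
                diff = len(out) - chunk_start
                bit_count = max((diff - 1).bit_length(), 4)   # ceil(log2(diff)), min 4
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                if offset > diff:
                    raise ValueError("copy token points before the chunk start")
                src = len(out) - offset
                for i in range(length):              # byte-wise: source may overlap
                    out.append(out[src + i])
    return bytes(out)


# Constructed sample: signature, header 0xB005 (compressed chunk, 8 bytes
# including header), flag byte 0x08 (fourth token is a copy), literals
# "abc", copy token 0x2003 = offset 3, length 6 -> "abcabcabc".
SAMPLE_COMPRESSED = b"\x01\x05\xb0\x08abc\x03\x20"

if __name__ == "__main__":
    print(decompress_vba(SAMPLE_COMPRESSED))
```

In a real module stream the compressed source does not start at offset 0: the project's `dir` stream (itself compressed the same way) records a per-module text offset at which the compressed container begins, and the decompressed result is the VBA source text that the matching steps later operate on.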
For documents such as WORD and EXCEL documents, whose file structure is similar to that of a compound document, macro code can be extracted on the same principle. For computer documents other than WORD documents, EXCEL documents and compound documents, such as PPT documents, macro code can be extracted according to the document's own mechanism.
In short, since the directory structure corresponding to the data streams of a document is a common feature of computer documents, extracting macro code from the document to be scanned according to the parsed file structure is applicable to computer documents of all types and versions; that is, the embodiment of the present invention can comprehensively extract macro code from the document to be scanned.
Step 103: matching, by the processor, the extracted macro code against the behavior codes in a behavior code library, where a behavior code represents the macro code required to implement a fixed macro virus behavior;
In the embodiment of the present invention, the behavior code library is simply a container storing the behavior codes required to implement fixed macro virus behaviors, and it may be implemented with various data structures. Its stored content, the behavior codes, is the macro code required to implement fixed macro virus behaviors; for brevity, "behavior code" below always denotes such code.
In practice, the behavior code library may be constructed as follows: collect the behavior codes required to implement fixed macro virus behaviors, and save them to the behavior code library. By continually collecting behavior codes and saving them, the behavior code library can be continually updated.
In a preferred embodiment of the present invention, the step of collecting the behavior codes required to implement fixed macro virus behaviors may further include:
Sub-step A1: collecting macro virus samples of various computer documents;
In the embodiment of the present invention, a macro virus sample of a computer document should satisfy the following conditions: 1. it contains macro code; 2. it has been confirmed to be a macro virus. In practice, samples of this kind can be collected continuously.
Macro virus samples can generally be classified by their host (i.e., the computer document) into samples residing in WORD (VBA scripts only) and samples residing in EXCEL (which may include VBA scripts as well as Excel 4.0 macros stored in sheets), among other kinds; that is, samples can be collected by category. The above kinds of macro virus samples are of course not a limitation on the application of the present application.
In practice, documents that anti-virus software has scanned and determined to be infected with a macro virus can be used directly as macro virus samples.
In one example of the embodiment of the present invention, macro virus samples may also be collected through user feedback. For example, a user may upload a document that is suspected of being infected with a macro virus but that the anti-virus software cannot detect to a server; the upload path may be the client of the anti-virus software, and the server may be the server of the anti-virus software. The server can then collect all or part of the macro virus samples uploaded by clients and analyze them. Users may of course also feed back samples through other channels, such as a Web upload interface; the embodiment of the present invention does not limit the specific upload channel.
Sub-step A2: parsing the file structure of the macro virus sample; the file structure may specifically include the directory structure corresponding to the data streams of the document;
Sub-step A3: extracting macro code from the macro virus sample according to the parsed file structure;
Since extracting macro code from a macro virus sample according to the parsed file structure is similar to the above process of extracting macro code from the document to be scanned, the two may refer to each other and the process is not repeated here.
Since the directory structure corresponding to the data streams of a document is a common feature of computer documents, extracting macro code from macro virus samples according to the parsed file structure applies to macro virus samples of all computer documents; that is, the embodiment of the present invention can comprehensively collect, for all computer documents, the behavior codes required to implement fixed macro virus behaviors, so as to scan all kinds of documents.
Sub-step A4: analyzing the semantics of the macro code of the macro virus sample according to the syntax of macro code, and extracting from it the corresponding behavior code required to implement a fixed macro virus behavior.
To extract from the macro code of the macro virus sample the behavior code required to implement a fixed macro virus behavior, the specific macro virus behavior must be obtained first, because in software development code is what implements a certain function: once the concrete macro virus behavior is known, the behavior code required to implement that behavior can be found.
Through research on a large number of Microsoft Office macro virus samples, the inventors obtained the following specific macro virus behaviors:
1. Modifying the registry, with the purpose of lowering the security level, or writing an executable file that will be released into a startup item, etc.;
2. Propagation, which spreads by infecting templates; different Microsoft Office versions have different infection templates. For example, on a Windows 7 system the default infection template file of WORD is C:\Users\[user name]\AppData\Roaming\Microsoft\Templates\normal.dot, and the infection template directories of EXCEL are C:\Users\[user name]\AppData\Roaming\Microsoft\Excel\XLSTART and the OFFICE11\XLSTART directory under the Excel installation directory;
3. Infection: when the user opens a clean file, the virus copies itself into that file; it sends mail carrying the virus document to the user's mail contacts, etc.;
4. Payload behavior when triggered, including:
4.1. Displaying pop-up windows during a certain time period;
4.2. Repeatedly copying worksheets, interfering with normal use of the software;
4.3. Releasing executable files, which may specifically include creating a file, writing a file and executing a file, etc.
It should be noted that the above specific macro virus behaviors were obtained from research on Microsoft Office; they serve only as an example of the embodiment of the present invention and do not limit its implementation.
In a specific implementation, the semantics of the macro code of the macro virus sample can be analyzed according to its syntax, and the corresponding behavior code required to implement a fixed macro virus behavior extracted from it.
For example, in one application example of the embodiment of the present invention, the analysis may include: traversing the macro code of the macro virus sample and examining it function by function, statement by statement or variable by variable to see whether each is used to implement a specific macro virus behavior; if so, it is extracted as behavior code for implementing that specific macro virus behavior and analysis proceeds to the next function, statement or variable; otherwise analysis proceeds directly to the next function, statement or variable. In short, those skilled in the art may use various techniques or strategies to judge whether a function, statement or variable is used to implement a specific macro virus behavior; the embodiment of the present invention does not limit the specific method of judgment.
After analysis and extraction, the behavior code of the embodiment of the present invention may specifically include function names, function variable names or function statements.
In a preferred embodiment of the embodiment of the present invention, the behavior code may be in the form of character strings. In that case, matching the macro code of the document to be scanned against the behavior codes in the behavior code library during macro virus detection is a string operation. In one application example, the macro code of the document to be scanned is read to obtain one large string, and given strings are searched for in that large string, where each given string is a behavior code stored in the behavior code library; if the search succeeds, the match is successful; if it fails, the next given string is searched for, until every given string stored in the behavior code library has been searched for.
It will be appreciated that those skilled in the art can add, delete, modify and otherwise update the behavior codes required to implement fixed macro virus behaviors according to newly appearing macro virus samples.
Step 104: determining, according to the matching result, whether the document to be scanned is infected with a macro virus;
In a preferred embodiment of the embodiment of the present invention, the step of matching the macro code of the document to be scanned against the behavior codes in the behavior code library may further include: obtaining a matching result of "match succeeded" when a matching behavior code exists in the macro code of the document to be scanned, and a matching result of "match failed" when no matching behavior code exists in it;
The step of determining, according to the matching result, whether the document to be scanned is infected with a macro virus may then further include:
Step B1: when the matching result is "match failed", determining that the document to be scanned is not infected with a macro virus;
Step B2: when the matching result is "match succeeded", determining whether the document to be scanned is infected with a macro virus according to the behavior codes that matched in its macro code.
In another preferred embodiment of the embodiment of the present invention, the step B2 of determining, according to the matched behavior codes in the macro code of the document to be scanned, whether the document is infected with a macro virus may further include: judging whether the matched behavior codes in the macro code of the document to be scanned satisfy a preset hazard condition; if so, determining that the document to be scanned is infected with a macro virus; otherwise, determining that it is not infected.
In yet another preferred embodiment of the embodiment of the present invention, the preset hazard condition may specifically include one or more of the following conditions:
Hazard condition C1: the danger coefficient of the behavior codes matched in the macro code of the document to be scanned exceeds a preset danger coefficient threshold;
As to how the danger coefficient of the matched behavior codes is obtained, in practice a corresponding danger coefficient can be preset for each behavior code in the behavior code library; or, to reduce the configuration workload, the behavior codes in the library can be classified and a corresponding danger coefficient preset for each class.
It will be appreciated that the classification criteria used by those skilled in the art can vary. In a preferred embodiment of the application, the kind of virus behavior can serve as the classification criterion; for example, the preset danger coefficient of the class corresponding to the "modify registry" behavior is 10, that of the "propagation" class is 5, and that of the "infection" class is 8, etc.
With reference to the above example, since virus behaviors may be subdivided, a corresponding danger coefficient can be preset for each subdivided virus behavior; for example, within the large "infection" class, the preset danger coefficient of the class corresponding to the "copy worksheet" behavior can be 5, and that of the class corresponding to the "execute file" behavior can be 10, etc.
The above is of course only an example; in practice those skilled in the art obtain a wide variety of virus behaviors, and different danger coefficients can be preset for the corresponding classes according to the degree of danger of each virus behavior. The embodiment of the present invention does not limit the specific danger coefficients.
In practice there may be more than one matched behavior code in the macro code of the document to be scanned; the danger coefficients of the multiple behavior codes can then be combined by averaging, weighted averaging, summation or the like to obtain a combined danger coefficient, which is compared against the preset danger coefficient threshold.
Those skilled in the art can preset the danger coefficient threshold according to the macro virus detection rate or the macro virus false positive rate. For example, to achieve a higher detection rate, a lower danger coefficient threshold can be preset; to achieve a lower false positive rate, a higher threshold can be preset.
Hazard condition C2: the danger level of the behavior codes matched in the macro code of the document to be scanned exceeds a preset danger level;
The danger coefficient and the danger level of a behavior code both reflect its degree of danger. One difference between them is that the danger coefficient is a more specific numerical description, whereas the danger level can be described with a simple number or a word; for example, the danger coefficient may range over [0, 20], while the danger level may range over [1, 5] or [1, 3], or over literal values such as [low, medium, high].
As to how the danger level of the matched behavior codes is obtained, in practice a corresponding danger level can be preset for each behavior code in the behavior code library; or, to reduce the configuration workload, the behavior codes in the library can be classified and a corresponding danger level preset for each class.
Since the classification criteria and preset danger levels of hazard condition C2 are similar to those of hazard condition C1, the two may refer to each other and are not repeated here.
Hazard condition C3: the behavior codes matched in the macro code of the document to be scanned include a preset single behavior code, or include a preset combination of behavior codes.
Under hazard condition C3, as long as the matched behavior codes in the macro code of the document to be scanned include a preset single behavior code, the document to be scanned can be determined to be infected with a macro virus.
In practice, a function name corresponding to a certain macro virus behavior can serve as a preset single behavior code. For example, once the matched behavior codes in the macro code of the document to be scanned include one of the following function names, the document to be scanned can be determined to be infected with a macro virus:
1=runblackice
2=infectdocument
3=infectnormal
4=Empirical
In a specific implementation, combinations of behavior codes can also be preset according to the behavior codes corresponding to macro virus behaviors; if the matched behavior codes in the macro code of the document to be scanned include a preset combination of behavior codes, the document can be determined to be infected with a macro virus.
In one application example of the embodiment of the present invention, the behavior codes corresponding to macro virus behaviors can be numbered with Arabic numerals as follows:
1=filesystemobject
2=wcripting.shell
3=createobject
4=Application.OnKey " %{F
5=normal.dot
6=book1.xls
7=startup.xls
8=normal.xlm
9=norma1.xlm
10=norma1.dot
11=Open
12=for
13=as
14=writefile
15=createfile
16=Private Declare Function
17=lib
18=infectnormal
19=<!!blackice>
20=(m1) _ (m2) _ (m3)
21=System.PrivateProfileString
22=HKEY_CURRENT_USER
23=shell
24=Shell
25=NormalTemplate.VBProject.VBComponents
26=Application.StartupPath
Then, according to the degree of danger of the macro virus behaviors corresponding to these behavior codes, the following behavior code combinations can be preset, each likewise numbered with an Arabic numeral:
1=3,2
2=3,1
3=21,22
4=16,17
5=25
6=11,12,13
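Steps 103 and 104 with hazard conditions C1 and C3, as an added Python example that is not code from the patent or its assignee. The behavior codes, the preset combinations and the single function names are taken from the numbered lists above; the assignment of codes to categories, the danger coefficient threshold, the use of summation to combine coefficients and the two sample macros are assumptions made for this example. One entry is spelled as the real ProgID, "wscript.shell", where the page prints "wcripting.shell".

```python
"""Behavior-code matching with hazard conditions C1 and C3 (added example)."""
import re

# Subset of the page's numbered behavior codes (number -> string to search for).
BEHAVIOR_CODES = {
    1: "filesystemobject", 2: "wscript.shell", 3: "createobject",
    5: "normal.dot", 11: "Open", 12: "For", 13: "As",
    14: "writefile", 15: "createfile", 16: "Private Declare Function",
    17: "lib", 18: "infectnormal", 21: "System.PrivateProfileString",
    22: "HKEY_CURRENT_USER", 25: "NormalTemplate.VBProject.VBComponents",
}
# Preset combinations from the page (combination number -> required codes).
COMBINATIONS = {1: (3, 2), 2: (3, 1), 3: (21, 22), 4: (16, 17), 5: (25,), 6: (11, 12, 13)}
# Preset single behavior codes: any one of these function names is decisive.
SINGLE_CODES = ("runblackice", "infectdocument", "infectnormal", "Empirical")
# Per-category danger coefficients (values from the page) and an assumed
# assignment of each code to a category.
CATEGORY_COEFF = {"registry": 10, "propagation": 5, "infection": 8, "execute": 10}
CODE_CATEGORY = {21: "registry", 22: "registry",
                 5: "propagation", 18: "propagation", 25: "propagation",
                 11: "infection", 12: "infection", 13: "infection",
                 14: "infection", 15: "infection",
                 1: "execute", 2: "execute", 3: "execute", 16: "execute", 17: "execute"}
THRESHOLD = 20   # assumed preset danger coefficient threshold


def _found(pattern, text):
    # Whole-token, case-insensitive search, so short codes such as "For" or
    # "As" do not fire inside unrelated identifiers (e.g. "AutoOpen" != "Open").
    return re.search(r"(?<!\w)" + re.escape(pattern) + r"(?!\w)", text, re.IGNORECASE) is not None


def match_behavior_codes(macro_code):
    """Step 103: the set of behavior code numbers present in the macro code."""
    return {n for n, p in BEHAVIOR_CODES.items() if _found(p, macro_code)}


def judge(macro_code):
    """Step 104: (infected, reason).  Order: match failed -> clean (B1);
    C3 single code; C3 combination; C1 summed coefficient versus threshold."""
    matched = match_behavior_codes(macro_code)
    singles = [s for s in SINGLE_CODES if _found(s, macro_code)]
    if not matched and not singles:
        return False, "match failed"
    if singles:
        return True, "C3 single code: " + singles[0]
    hits = [k for k, combo in COMBINATIONS.items() if set(combo) <= matched]
    if hits:
        return True, "C3 combination(s): " + ",".join(map(str, hits))
    score = sum(CATEGORY_COEFF[CODE_CATEGORY[n]] for n in matched)
    if score > THRESHOLD:
        return True, "C1 danger coefficient %d > %d" % (score, THRESHOLD)
    return False, "matched %s, danger coefficient %d <= %d" % (sorted(matched), score, THRESHOLD)


# Constructed sample macros (not real virus code).
MALICIOUS = '''Sub AutoOpen()
    Set sh = CreateObject("WScript.Shell")
    System.PrivateProfileString("", "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\11.0\\Word\\Security", "Level") = "1"
End Sub
'''
BENIGN = '''Sub FormatTotals()
    Dim i As Integer
    For i = 1 To 10
        Cells(i, 1).Font.Bold = True
    Next i
End Sub
'''

if __name__ == "__main__":
    print(judge(MALICIOUS))
    print(judge(BENIGN))
```

The benign macro matches two codes ("For", "As"), which is why the page pairs such common keywords in a combination (11, 12, 13) instead of treating them as decisive on their own: with the summed coefficient 16 below the threshold the document is reported clean, while the lowered-security-level macro is caught by two combinations (3,2 and 21,22) before the coefficient is even consulted.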
Step 105: repairing, according to the parsed file structure, the document to be scanned that is infected with a macro virus.
In the embodiment of the present invention, when the document to be scanned is a compound document, a WORD document or an EXCEL document, referring to Fig. 3, a flow chart of the macro virus detection and removal method according to an embodiment of the present invention is shown, which may specifically include:
Step 301: parsing to obtain the directory tree structure of the document to be scanned;
Step 302: traversing each directory entry in the directory tree structure;
Step 303: matching the name of each directory entry against the name of the specific macro directory;
Step 304: for a directory entry that matches, reading the stream data of its sub-directory entries and decompressing the corresponding macro code from it;
Step 305: matching, by the processor, the extracted macro code against the behavior codes in the behavior code library, where a behavior code represents the macro code required to implement a fixed macro virus behavior;
Step 306: determining, according to the matching result, whether the document to be scanned is infected with a macro virus;
Step 307: modifying the name of the directory entry that matched the macro virus in the infected document to be scanned;
Step 308: for the matched directory entry, clearing its macro code; and
Step 309: for the matched directory entry, deleting or renaming it.
This embodiment applies to documents to be scanned such as compound documents, WORD documents and EXCEL documents. The directory tree structure of such documents includes a specific macro directory; when the name of that macro directory is known, the macro directory in the compound document can be obtained by string-matching the name of each directory entry in the directory tree against the name of the specific macro directory, and for the matched directory entry the stream data of its sub-directory entries can be read and the corresponding macro code decompressed from it.
Steps 302 to 304 are the specific process of extracting macro code from the document to be scanned according to the parsed file structure. In a preferred embodiment of the present invention, the name of the specific macro directory may specifically include VBA_PROJECT_CUR and/or Macros (Macros is the WORD storage; the EXCEL storage name is written on disk with a leading underscore, _VBA_PROJECT_CUR); it will be appreciated that VBA_PROJECT_CUR and Macros do not limit the application of the name of the specific macro directory in the embodiment of the present invention.
Steps 307 to 309 are the specific process of repairing, according to the parsed file structure, the document to be scanned that is infected with a macro virus. After a document to be scanned has been determined to be infected with a macro virus, the anti-virus software usually records the name of the directory entry corresponding to the macro virus in that document, so the purpose of modifying the name of the directory entry in step 307 is to avoid a false report from the anti-virus software. The purpose of step 308 is to clear the macro code data infected with the macro virus, so as to prevent the macro functionality of the OFFICE program from producing errors; for example, the macro code can be cleared by overwriting it with zeros. After step 308 has cleared the infected macro code, step 309 deletes or renames the macro directory corresponding to the macro code, so that the OFFICE program treats the corresponding directory entry as empty and does not continue to parse it; for example, the matched directory entry can be deleted by setting the references to it in the adjacent directory entries and sub-directory entries to empty. The present invention does not limit the specific manner of deletion or renaming.
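Steps 301 to 303 and 307 to 309 over a compound document directory, as an added Python example that is not the patent's code. It works on the raw 128-byte directory entries of a compound file (MS-CFB section 2.6.1: UTF-16LE name, name length, object type, left/right sibling and child IDs), so the FAT and sector layer, and therefore step 308 (zeroing the module stream bytes), are left out; the five-entry directory at the bottom is constructed for the example, and the macro storage names are the two named on this page.

```python
"""Compound-document directory walk, macro storage match, rename and unlink."""
import struct

NOSTREAM = 0xFFFFFFFF
ENTRY_SIZE = 128
STORAGE, STREAM, ROOT = 1, 2, 5            # MS-CFB directory entry object types
# "Macros" holds the VBA project in Word; Excel's storage carries a leading underscore.
MACRO_STORAGE_NAMES = ("Macros", "_VBA_PROJECT_CUR")


def make_entry(name, obj_type, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM):
    """Build one 128-byte directory entry (used only to construct test data)."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<64sHBBIII16sIQQIQ", raw.ljust(64, b"\x00"), len(raw),
                       obj_type, 1, left, right, child, b"\x00" * 16, 0, 0, 0, 0, 0)


def parse_entry(directory, sid):
    name_raw, name_len, obj_type, _color, left, right, child = \
        struct.unpack_from("<64sHBBIII", directory, sid * ENTRY_SIZE)
    name = name_raw[:max(name_len - 2, 0)].decode("utf-16-le")   # drop the terminator
    return {"sid": sid, "name": name, "type": obj_type,
            "left": left, "right": right, "child": child}


def walk(directory, sid=0, path=""):
    """Yield (path, entry) for every entry reachable from `sid` (0 is the root).
    Members of one storage are linked through left/right as a binary tree;
    `child` points at the member tree of a storage."""
    seen = set()

    def visit(s, parent_path):
        if s == NOSTREAM or s in seen or (s + 1) * ENTRY_SIZE > len(directory):
            return                           # end of branch, loop guard, or dangling ID
        seen.add(s)
        e = parse_entry(directory, s)
        if e["type"] == 0:                   # unused entry
            return
        full = parent_path if e["type"] == ROOT else parent_path + "/" + e["name"]
        yield full, e
        yield from visit(e["child"], full)
        yield from visit(e["left"], parent_path)
        yield from visit(e["right"], parent_path)

    yield from visit(sid, path)


def find_macro_storages(directory):
    """Step 303: string-match every directory entry name against the macro storage names."""
    return [path for path, e in walk(directory)
            if e["type"] == STORAGE and e["name"] in MACRO_STORAGE_NAMES]


def rename_entry(directory, sid, new_name):
    """Steps 307/309 (rename form): overwrite the entry's UTF-16LE name in place."""
    raw = new_name.encode("utf-16-le") + b"\x00\x00"
    if len(raw) > 64:
        raise ValueError("directory entry names are limited to 31 characters")
    buf = bytearray(directory)
    off = sid * ENTRY_SIZE
    buf[off:off + 64] = raw.ljust(64, b"\x00")
    struct.pack_into("<H", buf, off + 64, len(raw))
    return bytes(buf)


def unlink_entry(directory, sid):
    """Step 309 (delete form): set every left/right/child reference to the entry
    to NOSTREAM and mark the entry unused.  Caveat: if the removed entry has
    siblings of its own, they become unreachable too, so a real tool must
    re-link them or fall back to rename_entry."""
    buf = bytearray(directory)
    for other in range(len(buf) // ENTRY_SIZE):
        off = other * ENTRY_SIZE
        for field in (68, 72, 76):           # left, right, child field offsets
            if struct.unpack_from("<I", buf, off + field)[0] == sid:
                struct.pack_into("<I", buf, off + field, NOSTREAM)
    buf[sid * ENTRY_SIZE + 66] = 0           # object type 0 = unused
    return bytes(buf)


# Constructed directory: Root -> {WordDocument, Macros -> VBA -> ThisDocument}
DIRECTORY = b"".join([
    make_entry("Root Entry", ROOT, child=1),
    make_entry("WordDocument", STREAM, right=2),
    make_entry("Macros", STORAGE, child=3),
    make_entry("VBA", STORAGE, child=4),
    make_entry("ThisDocument", STREAM),
])

if __name__ == "__main__":
    print(find_macro_storages(DIRECTORY))
```

Renaming keeps the sibling tree intact, which is why it is the safer of the two step 309 variants; unlinking must also reclaim the sectors of the detached streams (or leave them orphaned but harmless), which the FAT layer omitted here would handle.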
In the embodiment of the present invention, when the document to be scanned is an EXCEL document, the step of repairing, according to the parsed file structure, the document to be scanned that is infected with a macro virus may further include: when the EXCEL document is infected with a macro virus, modifying a field in the stream data of its workbook directory entry so as not to affect the normal opening of the EXCEL document.
In one application example of the present invention, the type field of the ObProj structure in the stream data of the workbook directory entry describes the type of the ObProj structure; this type field can be modified to a value such as Continue that does not affect the normal opening of the EXCEL document, so that the EXCEL program no longer considers the EXCEL document to contain macro code and no longer pops up a reminder that macro data has been lost.
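The EXCEL repair above, as an added Python example that is not the patent's code. The Workbook stream is a sequence of BIFF records, each a 2-byte type, a 2-byte length and the body; the record numbers used (BOF 0x0809, ObProj 0x00D3, Continue 0x003C, EOF 0x000A) are from MS-XLS, and the three-record Workbook stream at the bottom is constructed for the example.

```python
"""Retype the ObProj record of an Excel Workbook stream to Continue."""
import struct

BOF, OBPROJ, CONTINUE, EOF = 0x0809, 0x00D3, 0x003C, 0x000A


def iter_records(stream):
    """Yield (offset, record_type, body) for each BIFF record in the stream."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, pos)
        yield pos, rtype, stream[pos + 4:pos + 4 + rlen]
        pos += 4 + rlen


def has_vba_project(stream):
    """ObProj is the record that tells Excel the workbook carries a VBA project."""
    return any(rtype == OBPROJ for _, rtype, _ in iter_records(stream))


def retype_obproj(stream):
    """Rewrite every ObProj type field to Continue in place; lengths and all
    other bytes are untouched so that later record offsets remain valid."""
    buf = bytearray(stream)
    for off, rtype, _ in iter_records(stream):
        if rtype == OBPROJ:
            struct.pack_into("<H", buf, off, CONTINUE)
    return bytes(buf)


# Constructed Workbook stream: BOF (BIFF8 version 0x0600, workbook globals
# substream 0x0005, remaining fields zero), an empty ObProj record, EOF.
SAMPLE_WORKBOOK = (
    struct.pack("<HH", BOF, 16) + struct.pack("<HHHHII", 0x0600, 0x0005, 0, 0, 0, 0)
    + struct.pack("<HH", OBPROJ, 0)
    + struct.pack("<HH", EOF, 0)
)

if __name__ == "__main__":
    print(has_vba_project(SAMPLE_WORKBOOK), has_vba_project(retype_obproj(SAMPLE_WORKBOOK)))
```

This only suppresses the "macro data lost" prompt that the page describes; the VBA storage itself is still handled by steps 307 to 309, since the retyped record does not remove any macro code.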
In short, the embodiment of the present invention detects and removes macro viruses based on the rule that "the behavior code required to implement a fixed macro virus behavior is relatively fixed". Specifically, when detecting and removing macro viruses from a computer document, the extracted macro code is matched against the behavior codes in the behavior code library, and whether the document to be scanned is infected with a macro virus is determined from the matching result. Because known and unknown macro viruses alike follow this rule, no matter how fast or how far a macro virus mutates, the embodiment of the present invention has a certain detection capability against unknown macro viruses; it therefore improves the detection rate for unknown macro viruses and achieves a better anti-virus effect.
At the same time, the embodiment of the present invention parses the file structure of the document to be scanned, extracts macro code from it according to the parsed file structure, and repairs the infected document according to the parsed file structure, where the file structure may specifically include the directory structure corresponding to the data streams of the document. Since the directory structure corresponding to the data streams of a document is a common feature of computer documents, the technical solution of the embodiment can be applied to the detection and removal of macro viruses in all computer documents; that is, the embodiment of the present invention can comprehensively extract macro code from all kinds of documents to be scanned and repair all kinds of infected documents, and an EXCEL document infected with a macro virus can still be opened normally.
Referring to Fig. 4, a flow chart of a macro virus detection and removal method according to an embodiment of the present invention is shown; this embodiment applies to a document to be scanned that is a PPT document, and may specifically include:
Step 401: a security device obtains, by parsing with a processor of a computing device, the directory structure of the PPT document; the directory structure of the PPT document may specifically include the POWERPOINT DOCUMENT directory entry;
Step 402: parsing the stream data under the POWERPOINT DOCUMENT directory entry, and searching the parsed result for composite object structures;
Step 403: decompressing the data stored in the composite object structure to obtain the corresponding decompressed data; the documents corresponding to the decompressed data may specifically include one or more of the following: the PPT document itself and documents embedded in the PPT, where an embedded document may specifically be one or more of a compound document, a WORD document and an EXCEL document;
Step 404: taking the document corresponding to the decompressed data as the document to be scanned, and parsing to obtain its directory structure;
Step 405: traversing each directory entry in the directory structure of the document to be scanned;
Step 406: matching the name of each directory entry against the name of the specific macro directory;
Step 407: for a directory entry that matches, reading the stream data of its sub-directory entries and decompressing the corresponding macro code from it;
Step 408: matching, by the processor, the extracted macro code against the behavior codes in the behavior code library, where a behavior code represents the macro code required to implement a fixed macro virus behavior;
Step 409: determining, according to the matching result, whether the document to be scanned is infected with a macro virus;
Repairing, according to the parsed file structure, the document to be scanned that is infected with a macro virus may specifically include:
Step 410: when the documents corresponding to the decompressed data include a document embedded in the PPT, repairing the infected embedded document according to the parsed file structure of the embedded document, compressing the repaired embedded document, and filling it back into the corresponding composite object structure;
Step 411: when the documents corresponding to the decompressed data include the PPT document, reducing the length field in the composite object structure and adding a new structure, where the amount of the reduction and the length of the added structure equal the length corresponding to the macro code of the infected PPT document.
For PPT document, itself and compound document, WORD document or the district of EXCEL document
Not: its bibliographic structure does not exist specific macrodirectory, but PPT document would generally be by all of
Macrodoce leaves composite object in after being encapsulated as document format and compressing with zlib scheduling algorithm
(ExternalOLEObjectStg) in structure, and ExternalOLEObjectStg structure is
The structure in flow data under POWERPOINT DOCUMENT directory entry.
Macrodoce can directly be hidden in the data stream of PPT document, and specifically, macrodoce can be hidden in
The composite object in flow data under POWERPOINT DOCUMENT directory entry
(ExternalOLEObjectStg) in structure.
To detect and remove macro code hidden in the ExternalOLEObjectStg structure, steps 401 and 402 look up the ExternalOLEObjectStg structure, and step 403 decompresses the data stored in the composite object structure, obtaining the corresponding decompressed data.
The decompressed data may contain two kinds of document. One kind is a document embedded in the PPT document, which may be a compound document, a WORD document or an EXCEL document; some such documents are embedded in PPT documents. The other kind is a PPT document, and a PPT document may itself carry macro code.
Whether it is a PPT document or a document embedded in the PPT document, each can be taken as the document to be scanned, and macro code extraction and macro virus detection are performed according to the macro virus detection and removal flow for compound documents, WORD documents or EXCEL documents of steps 301 to 306 shown in Fig. 3.
For a document embedded in the PPT document, it is also possible to repair the embedded document infected with a macro virus according to the flow of steps 307 to 309 shown in Fig. 3, on the basis of the file structure obtained by parsing the embedded document; the repaired embedded document is then compressed and finally filled back into the corresponding composite object structure. This filling avoids errors reported by the PPT program such as "object library invalid or contains references to object definitions that could not be found".
For a PPT document, the repair process may include: reducing the length field in the composite object structure, and adding a new structure; the reduction and the length of the added new structure correspond to the length of the macro code of the PPT document infected with the macro virus. Reducing the length field in the composite object structure discards the macro code data present in the PPT document; adding a new structure occupies the space corresponding to the existing macro code data, so that the OFFICE program does not report an error. The new structure may be a data structure of type 0 or of another value; the embodiment of the present invention places no limitation on the specific new structure.
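The record walk and the repair the two paragraphs above describe, as an added example in Python that is not part of the patent: it parses a PowerPoint Document record stream (8-byte record headers, containers marked by recVer 0xF), decompresses the zlib payload of each ExternalOLEObjectStg atom, and neutralises one by reducing its length field to 0 and writing a new type-0 record over the freed bytes. The record type value 0x1011, the convention that recInstance 0x001 marks a compressed atom, and the container and trailer type values in the constructed test stream are assumptions taken from the [MS-PPT] layout, not from the patent text; verify them against the specification before use.

```python
"""Walk a PowerPoint Document record stream, decompress the zlib payload of each
ExternalOLEObjectStg atom, and neutralise one in place (added example)."""
import struct
import zlib

# Assumed from the [MS-PPT] record layout, not from the patent text:
# record type of ExOleObjStg; recInstance 0x001 marks a zlib-compressed atom.
RT_EXTERNAL_OLE_OBJECT_STG = 0x1011
REC_VER_CONTAINER = 0xF          # recVer value that marks a container record
HEADER_LEN = 8                   # recVer/recInstance (2) + recType (2) + recLen (4)


def parse_header(buf, off):
    """Return (recVer, recInstance, recType, recLen) of the header at off."""
    ver_inst, rtype, rlen = struct.unpack_from("<HHI", buf, off)
    return ver_inst & 0xF, ver_inst >> 4, rtype, rlen


def iter_records(buf, start=0, end=None):
    """Yield (offset, recVer, recInstance, recType, recLen) for every record,
    descending into containers so that nested atoms are reached."""
    end = len(buf) if end is None else end
    off = start
    while off + HEADER_LEN <= end:
        ver, inst, rtype, rlen = parse_header(buf, off)
        body = off + HEADER_LEN
        if body + rlen > end:        # truncated record: stop instead of misparsing
            break
        yield off, ver, inst, rtype, rlen
        if ver == REC_VER_CONTAINER:
            yield from iter_records(buf, body, body + rlen)
        off = body + rlen


def find_ole_storages(buf):
    """Locate ExOleObjStg atoms and return [(offset, recLen, decompressed data)].
    A compressed atom carries a 4-byte decompressedSize followed by zlib data;
    an uncompressed atom (recInstance 0x000) carries the storage bytes as-is."""
    found = []
    for off, ver, inst, rtype, rlen in iter_records(buf):
        if rtype != RT_EXTERNAL_OLE_OBJECT_STG:
            continue
        body = buf[off + HEADER_LEN:off + HEADER_LEN + rlen]
        if inst == 0x001 and len(body) >= 4:
            expected = struct.unpack_from("<I", body, 0)[0]
            data = zlib.decompress(body[4:])
            if len(data) != expected:
                raise ValueError("decompressedSize mismatch at offset %d" % off)
        else:
            data = bytes(body)
        found.append((off, rlen, data))
    return found


def neutralize_storage(buf, off):
    """One reading of the repair described for PPT documents: reduce the
    ExOleObjStg record's length field to 0 and add a new type-0 record over
    the freed bytes, so the stream length and all later offsets stay unchanged."""
    ver, inst, rtype, rlen = parse_header(buf, off)
    if rtype != RT_EXTERNAL_OLE_OBJECT_STG or rlen < HEADER_LEN:
        raise ValueError("not a neutralisable ExOleObjStg record")
    out = bytearray(buf)
    struct.pack_into("<HHI", out, off, (inst << 4) | ver, rtype, 0)
    filler = off + HEADER_LEN
    struct.pack_into("<HHI", out, filler, 0, 0, rlen - HEADER_LEN)
    out[filler + HEADER_LEN:filler + rlen] = bytes(rlen - HEADER_LEN)
    return bytes(out)


def build_sample_stream(payload):
    """Constructed test stream, not real PowerPoint output: a container holding
    one compressed ExOleObjStg atom, followed by a trailing atom. The container
    and trailer type values (0x0409, 0x03E8) are chosen only for the test."""
    comp = zlib.compress(payload)
    atom = (struct.pack("<HHI", 0x001 << 4, RT_EXTERNAL_OLE_OBJECT_STG, 4 + len(comp))
            + struct.pack("<I", len(payload)) + comp)
    container = struct.pack("<HHI", REC_VER_CONTAINER, 0x0409, len(atom)) + atom
    trailer = struct.pack("<HHI", 0, 0x03E8, 2) + b"\x01\x02"
    return container + trailer


if __name__ == "__main__":
    sample = build_sample_stream(b"constructed storage bytes standing in for a VBA project" * 3)
    for off, rlen, data in find_ole_storages(sample):
        print("ExOleObjStg at %d, %d bytes, decompresses to %d bytes" % (off, rlen, len(data)))
        sample = neutralize_storage(sample, off)
    print("after repair:", find_ole_storages(sample))
```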
Referring to Fig. 5, a flow chart of a macro virus detection and removal method according to an embodiment of the present invention is shown. This embodiment is applied to an OFFICE07 document as the document to be scanned, and may include:
Step 501: the security device decompresses, by the processor of the computing device, the data corresponding to the OFFICE07 document, obtaining the corresponding decompressed data; the decompressed data may include an embedded directory;
Step 502: the documents under the embedded directory are taken as documents to be scanned and parsed to obtain the corresponding tree directory structure;
Step 503: each directory entry in the tree directory structure is traversed;
Step 504: the name of each directory entry is matched against the name of the specific macro directory;
Step 505: for a directory entry that matches successfully, the stream data of its subdirectory entry is read, and the corresponding macro code is decompressed from it;
Step 506: the macro code extracted by the processor is matched against the behavior code in the behavior code library; the behavior code represents the macro code required to implement a fixed macro virus behavior;
Step 507: according to the matching result, it is determined whether the document to be scanned is infected with a macro virus;
Step 508: the document under the embedded directory that is infected with the macro virus is repaired, and after the document under the embedded directory has been repaired successfully, the embedded document and the other data in the decompressed data are compressed to obtain the repaired OFFICE07 document.
The embodiments shown in Figs. 1 to 3 are by default applied to OFFICE03 documents as documents to be scanned, whereas the OFFICE07 document to which the embodiment of Fig. 5 is applied may be any OFFICE document of the 07 version, such as a compound document 07, a WORD07 document, an EXCEL07 document or a PPT07 document.
An OFFICE07 document is a zip compressed package and, by default, comes in two forms:
The first form of OFFICE07 document includes documents with the suffix docx. Documents of this form carry no macro code data; if macro code data were present, the document could not be saved in this form, because the macro code would be deleted once the document was saved.
The second form of OFFICE07 document includes documents with the suffixes docm, pptm and xlsm. For a document of this form, the corresponding zip package is unpacked, and the decompressed data comprise multiple directories and documents. For example, the decompressed data of an EXCEL07 document comprise an xl directory, a docProps directory, a _rels directory and a content type marking document ([Content_Types].xml), among others. Under the xl directory there is an embedded directory, and the documents under this embedded directory may include the related document data and macro code data embedded in the EXCEL07 document; this embodiment therefore performs macro virus detection and removal on OFFICE07 documents of the second form. The above xl directory applies to EXCEL07 documents; for a WORD07 document it is replaced by the word directory, and for a PPT07 document by the ppt directory, that is, the word directory and the ppt directory each likewise contain an embedded directory.
For an OFFICE07 document of the second form, because the documents under its embedded directory have the file structure of a compound document, macro code extraction and macro virus detection can be performed according to the macro virus detection and removal flow for compound documents, WORD documents or EXCEL documents of steps 301 to 306 shown in Fig. 3, and the documents under the embedded directory that are infected with a macro virus can be repaired according to the flow of steps 307 to 309 shown in Fig. 3.
Further, since the OFFICE07 format is in essence a compressed package in a format such as zip, with only the suffix being docx, xlsx, pptx or the like, step 508 compresses, after the documents under the embedded directory have been repaired successfully, the embedded documents together with the other data in the decompressed data (such as the xl directory containing the embedded documents, the original docProps directory, the original _rels directory and the original content type marking document) to obtain the repaired OFFICE07 document.
The documents under the above embedded directory are documents embedded in the OFFICE07 document. In a preferred embodiment of the present invention, the decompressed data may further include an OFFICE07 macro document and the content type marking document. The OFFICE07 macro document is the macro document carried by the OFFICE07 document itself: when the OFFICE07 document itself has macro code, that macro code is saved in this document, and if this document carries a virus, the OFFICE07 document can be said to carry a virus.
Then the step of parsing the file structure of the document to be scanned may further include: taking the OFFICE07 macro document as the document to be scanned, and parsing it to obtain the corresponding tree directory structure.
The scheme of repairing the document to be scanned that is infected with a macro virus, according to the file structure obtained by parsing, may further include: when the OFFICE07 macro document under the embedded directory is infected with a macro virus, deleting the OFFICE07 macro document, parsing to obtain the content of the content type marking document, and deleting from the content type marking document the content that refers to the OFFICE07 macro document.
In one application example of the present invention, the OFFICE07 macro document is VbaProject.bin. [Content_Types].xml is the document describing the directory layout of the decompressed data, and it refers to VbaProject.bin; the VbaProject.bin document is a document under the embedded directory. Therefore, in this preferred embodiment, when the VbaProject.bin document under the embedded directory is infected with a macro virus, not only is the VbaProject.bin document deleted, but the content of the content type marking document is also parsed, and the content in the content type marking document that refers to VbaProject.bin is deleted.
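Steps 501 to 508 above and the VbaProject.bin handling just described, as an added example in Python that is not the patent's own code: it unpacks the zip package, locates the macro part under the word/, xl/ or ppt/ directory, removes it together with its Override entry in [Content_Types].xml, and re-zips the remaining parts unchanged. The constructed sample package, the part names inside it, and the `is_infected` callback standing in for the behavior-code matching of steps 505 to 507 are assumptions.

```python
"""Detect and strip the VBA macro part of an OFFICE07 (OOXML) package and drop
its [Content_Types].xml reference (added example, not the patent's code)."""
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
CT_FILE = "[Content_Types].xml"
MAIN_DIRS = ("word", "xl", "ppt")   # application directories named in the text
MACRO_NAME = "vbaproject.bin"       # compared case-insensitively (text writes VbaProject.bin)


def find_macro_parts(zf):
    """Names of vbaProject.bin parts under word/, xl/ or ppt/ at any depth, so a
    copy under an embedded subdirectory is found too (assumed layout)."""
    return [name for name in zf.namelist()
            if name.split("/")[0] in MAIN_DIRS
            and posixpath.basename(name).lower() == MACRO_NAME]


def strip_content_type_refs(ct_xml, macro_parts):
    """Remove the <Override PartName="/word/vbaProject.bin" .../> entries that
    refer to deleted macro parts. Returns (new XML bytes, number removed)."""
    root = ET.fromstring(ct_xml)
    targets = {"/" + p for p in macro_parts}
    removed = 0
    for override in list(root.findall("{%s}Override" % CT_NS)):
        if override.get("PartName") in targets:
            root.remove(override)
            removed += 1
    ET.register_namespace("", CT_NS)   # keep the default namespace on output
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), removed


def remove_macros(package_bytes, is_infected=None):
    """Steps 501-508 in one pass: unzip, select the macro parts (is_infected
    stands in for the behavior-code matching; None treats every macro part as
    infected), delete them, fix [Content_Types].xml and re-zip the rest.
    Returns (new package bytes, list of removed part names)."""
    src = zipfile.ZipFile(io.BytesIO(package_bytes))
    doomed = [p for p in find_macro_parts(src)
              if is_infected is None or is_infected(p, src.read(p))]
    if not doomed:
        return package_bytes, []
    ct_bytes, _ = strip_content_type_refs(src.read(CT_FILE), doomed)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename in doomed:
                continue
            data = ct_bytes if info.filename == CT_FILE else src.read(info)
            dst.writestr(info.filename, data)
    return out.getvalue(), doomed


def list_parts(package_bytes):
    """(zip entry names, PartNames that have an Override entry), for checks."""
    zf = zipfile.ZipFile(io.BytesIO(package_bytes))
    root = ET.fromstring(zf.read(CT_FILE))
    overrides = [o.get("PartName") for o in root.findall("{%s}Override" % CT_NS)]
    return zf.namelist(), overrides


def build_sample_package(with_macro=True):
    """Constructed minimal package in the layout the text describes; not real
    Word output, and the part contents are placeholders."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    overrides = '<Override PartName="/word/document.xml" ContentType="%s"/>' % main_ct
    if with_macro:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    ct = ('<?xml version="1.0" encoding="UTF-8"?><Types xmlns="%s">'
          '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
          '<Default Extension="xml" ContentType="application/xml"/>%s</Types>') % (CT_NS, overrides)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(CT_FILE, ct)
        zf.writestr("_rels/.rels", "<Relationships/>")
        zf.writestr("docProps/app.xml", "<Properties/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed stand-in for the OLE VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    cleaned, removed = remove_macros(build_sample_package())
    print("removed:", removed)
    print("remaining parts:", list_parts(cleaned))
```

Real macro-enabled packages also reference the macro part from the main part's relationships file (for example word/_rels/document.xml.rels), which the patent text does not mention; the example follows the text and adjusts [Content_Types].xml only.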
Corresponding to the foregoing method embodiments, the embodiment of the present invention also discloses a macro virus detection and removal device, applied to a security device. Referring to the structure diagram shown in Fig. 6, the device may include:
a parsing module 601, for parsing, by the processor of the computing device, the file structure of the document to be scanned; the file structure may include the directory structure corresponding to the data stream of the document;
an extraction module 602, for extracting macro code from the document to be scanned according to the file structure obtained by parsing;
a matching module 603, for matching the macro code extracted by the processor against the behavior code in the behavior code library; the behavior code represents the macro code required to implement a fixed macro virus behavior;
a discrimination module 604, for determining according to the matching result whether the document to be scanned is infected with a macro virus; and
a repair processing module 605, for repairing the document to be scanned that is infected with a macro virus according to the file structure obtained by parsing.
In the embodiment of the present invention, when the document to be scanned is a compound document, a WORD document or an EXCEL document, the parsing module 601 may include: a first parsing submodule, for parsing to obtain the tree directory structure of the document to be scanned;
the extraction module 602 may include:
a first traversal submodule, for traversing each directory entry in the tree directory structure;
a first matching submodule, for matching the name of each directory entry against the name of the specific macro directory;
a first read-and-decompress submodule, for reading, for a directory entry that matches successfully, the stream data of its subdirectory entry and decompressing the corresponding macro code from it;
the repair processing module 605 may include:
a first modification submodule, for modifying the name of the directory entry, in the document to be scanned that is infected with the macro virus, that successfully matched the macro virus;
a filling submodule, for clearing the macro code of the directory entry that matched; and
a second modification submodule, for deleting or renaming the directory entry that matched.
In the embodiment of the present invention, when the document to be scanned is an EXCEL document, the repair processing module 605 may further include:
a third modification submodule, for modifying, when the EXCEL document is infected with a macro virus, the description field in the stream data of its workbook directory entry, so that normal opening of the EXCEL document is not affected.
In yet another preferred embodiment of the present invention, the document to be scanned is a PPT document;
then the parsing module 601 may include:
a second parsing submodule, for parsing to obtain the directory structure of the PPT document; the directory structure of the PPT document may include a POWERPOINT DOCUMENT directory entry;
a third parsing submodule, for parsing the stream data under the POWERPOINT DOCUMENT directory entry and searching the parsing result for a composite object structure;
a decompression module, for decompressing the data stored in the composite object structure to obtain the corresponding decompressed data; the documents corresponding to the decompressed data include one or more of the following: a PPT document and a document embedded in the PPT, the embedded document including one or more of a compound document, a WORD document and an EXCEL document;
a fourth parsing submodule, for taking the documents corresponding to the decompressed data as documents to be scanned and parsing to obtain the corresponding directory structure;
the extraction module 602 may include:
a second traversal submodule, for traversing each directory entry in the directory structure of the document to be scanned;
a second matching submodule, for matching the name of each directory entry against the name of the specific macro directory;
a second read-and-decompress submodule, for reading, for a directory entry that matches successfully, the stream data of its subdirectory entry and decompressing the corresponding macro code from it;
the repair processing module 605 may include:
a first repair submodule, for repairing, when the documents corresponding to the decompressed data include a document embedded in the PPT, the embedded document infected with the macro virus according to the file structure obtained by parsing the embedded document, compressing the repaired embedded document, and filling it into the corresponding composite object structure; and/or
a second repair submodule, for reducing, when the documents corresponding to the decompressed data include a PPT document, the length field in the composite object structure and adding a new structure; the reduction and the length of the added new structure correspond to the length of the macro code of the PPT document infected with the macro virus.
In a preferred embodiment of the present invention, the document to be scanned is an OFFICE07 document;
then the parsing module 601 may include:
a decompression module, for decompressing the data corresponding to the OFFICE07 document to obtain the corresponding decompressed data; the decompressed data include an embedded directory;
a fourth parsing submodule, for taking the documents under the embedded directory as documents to be scanned and parsing to obtain the corresponding tree directory structure;
then the extraction module 602 may include:
a third traversal submodule, for traversing each directory entry in the directory structure of the document to be scanned;
a third matching submodule, for matching the name of each directory entry against the name of the specific macro directory;
a third read-and-decompress submodule, for reading, for a directory entry that matches successfully, the stream data of its subdirectory entry and decompressing the corresponding macro code from it;
the repair processing module 605 may include:
a repair-and-compress submodule, for repairing the document under the embedded directory that is infected with a macro virus and, after the document under the embedded directory has been repaired successfully, compressing the embedded document and the other data in the decompressed data to obtain the repaired OFFICE07 document.
In another preferred embodiment of the present invention, the decompressed data may further include an OFFICE07 macro document and a content type marking document;
then the parsing module 601 may further include: a fifth parsing submodule, for taking the OFFICE07 macro document as the document to be scanned and parsing to obtain the corresponding tree directory structure;
then the repair processing module 605 may further include:
a deletion submodule, for deleting, when the OFFICE07 macro document under the embedded directory is infected with a macro virus, the OFFICE07 macro document, parsing to obtain the content of the content type marking document, and deleting from the content type marking document the content that refers to the OFFICE07 macro document.
In yet another preferred embodiment of the present invention, the name of the specific macro directory may include: VBA_PROJECT_CUR and/or Macros.
In the embodiment of the present invention, preferably, the device may further include: a construction module for constructing the behavior code library;
the construction module may include:
a collection submodule, for collecting the behavior code required to implement fixed macro virus behaviors;
a storage submodule, for storing the behavior code into the behavior code library;
wherein the collection submodule further includes:
a sample collection unit, for collecting macro virus samples of various computer documents;
a sample parsing unit, for parsing the file structure of the macro virus samples; the file structure may include the directory structure corresponding to the data stream of the document;
a sample extraction unit, for extracting macro code from the macro virus samples according to the file structure obtained by parsing; and
an analysis and extraction unit, for analysing the semantics of the macro code of the macro virus samples according to the grammar of macro code, and extracting from it the corresponding behavior code required to implement fixed macro virus behaviors.
The device as described in this embodiment of the invention is characterised in that the document to be scanned is an EXCEL document;
then the repair processing module further includes:
a third modification submodule, for modifying, when the EXCEL document is infected with a macro virus, the description field in the stream data of its workbook directory entry, so that normal opening of the EXCEL document is not affected.
The device as described in this embodiment of the invention is characterised in that the document to be scanned is a PPT document;
then the parsing module includes:
a second parsing submodule, for parsing to obtain the directory structure of the PPT document; the directory structure of the PPT document includes a POWERPOINT DOCUMENT directory entry;
a third parsing submodule, for parsing the stream data under the POWERPOINT DOCUMENT directory entry and searching the parsing result for a composite object structure;
a decompression module, for decompressing the data stored in the composite object structure to obtain the corresponding decompressed data; the documents corresponding to the decompressed data include one or more of the following: a PPT document and a document embedded in the PPT, the embedded document including one or more of a compound document, a WORD document and an EXCEL document;
a fourth parsing submodule, for taking the documents corresponding to the decompressed data as documents to be scanned and parsing to obtain the corresponding directory structure;
the extraction module includes:
a second traversal submodule, for traversing each directory entry in the directory structure of the document to be scanned;
a second matching submodule, for matching the name of each directory entry against the name of the specific macro directory;
a second read-and-decompress submodule, for reading, for a directory entry that matches successfully, the stream data of its subdirectory entry and decompressing the corresponding macro code from it;
the repair processing module includes:
a first repair submodule, for repairing, when the documents corresponding to the decompressed data include a document embedded in the PPT, the embedded document infected with the macro virus according to the file structure obtained by parsing the embedded document, compressing the repaired embedded document, and filling it into the corresponding composite object structure; and/or
a second repair submodule, for reducing, when the documents corresponding to the decompressed data include a PPT document, the length field in the composite object structure and adding a new structure; the reduction and the length of the added new structure correspond to the length of the macro code of the PPT document infected with the macro virus.
The device as described in this embodiment of the invention is characterised in that the document to be scanned is an OFFICE07 document;
then the parsing module includes:
a decompression module, for decompressing the data corresponding to the OFFICE07 document to obtain the corresponding decompressed data; the decompressed data include an embedded directory;
a fourth parsing submodule, for taking the documents under the embedded directory as documents to be scanned and parsing to obtain the corresponding tree directory structure;
then the extraction module includes:
a third traversal submodule, for traversing each directory entry in the directory structure of the document to be scanned;
a third matching submodule, for matching the name of each directory entry against the name of the specific macro directory;
a third read-and-decompress submodule, for reading, for a directory entry that matches successfully, the stream data of its subdirectory entry and decompressing the corresponding macro code from it;
the repair processing module includes:
a repair-and-compress submodule, for repairing the document under the embedded directory that is infected with a macro virus and, after the document under the embedded directory has been repaired successfully, compressing the embedded document and the other data in the decompressed data to obtain the repaired OFFICE07 document.
The device as described in this embodiment of the invention is characterised in that the decompressed data further include an OFFICE07 macro document and a content type marking document;
then the parsing module further includes: a fifth parsing submodule, for taking the OFFICE07 macro document as the document to be scanned and parsing to obtain the corresponding tree directory structure;
then the repair processing module further includes:
a deletion submodule, for deleting, when the OFFICE07 macro document under the embedded directory is infected with a macro virus, the OFFICE07 macro document, parsing to obtain the content of the content type marking document, and deleting from the content type marking document the content that refers to the OFFICE07 macro document.
The device as described in this embodiment of the invention is characterised in that the name of the specific macro directory includes: VBA_PROJECT_CUR and/or Macros.
The device as described in this embodiment of the invention is characterised in that it further includes: a construction module for constructing the behavior code library;
the construction module includes:
a collection submodule, for collecting the behavior code required to implement fixed macro virus behaviors;
a storage submodule, for storing the behavior code into the behavior code library;
wherein the collection submodule further includes:
a sample collection unit, for collecting macro virus samples of various computer documents;
a sample parsing unit, for parsing the file structure of the macro virus samples; the file structure may include the directory structure corresponding to the data stream of the document;
a sample extraction unit, for extracting macro code from the macro virus samples according to the file structure obtained by parsing; and
an analysis and extraction unit, for analysing the semantics of the macro code of the macro virus samples according to the grammar of macro code, and extracting from it the corresponding behavior code required to implement fixed macro virus behaviors.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used with the teaching herein. From the description above, the structure required to construct such a system is apparent. Moreover, the present invention is not directed to any particular programming language. It will be understood that various programming languages may be used to implement the content of the invention described herein, and that the above description of a specific language is given in order to disclose the best mode of carrying out the invention.
In the description provided herein, numerous specific details are set forth. It will be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it will be appreciated that, in order to streamline the disclosure and aid in understanding one or more of the various inventive aspects, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments of the invention. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the equipment of an embodiment may be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of submodules, subunits or subcomponents. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, although some embodiments described herein include some features included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments, as will be appreciated by those skilled in the art. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the equipment according to embodiments of the invention. The invention may also be implemented as equipment or device programs (for example, computer programs and computer program products) for performing some or all of the methods described herein. Such programs implementing the invention may be stored on a computer-readable medium, or may have the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third, etc. does not indicate any ordering; these words may be interpreted as names.
Claims (7)
1. A macro virus detection and removal method, comprising:
parsing, by a security device through the processor of a computing device, the file structure of a document to be scanned; the file structure comprising the directory structure corresponding to the data stream of the document;
extracting macro code from the document to be scanned according to the file structure obtained by parsing;
matching the macro code extracted by the processor against behavior code in a behavior code library; wherein the behavior code represents the macro code required to implement a fixed macro virus behavior;
determining, according to the matching result, whether the document to be scanned is infected with a macro virus;
repairing the document to be scanned that is infected with the macro virus according to the file structure obtained by parsing;
wherein, when the document to be scanned is a compound document, a WORD document or an EXCEL document, the step of parsing the file structure of the document to be scanned comprises: parsing to obtain the tree directory structure of the document to be scanned;
the step of extracting macro code from the document to be scanned according to the file structure obtained by parsing comprises:
traversing each directory entry in the tree directory structure;
matching the name of each directory entry against the name of the specific macro directory;
for a directory entry that matches successfully, reading the stream data of its subdirectory entry and decompressing the corresponding macro code from it;
the step of repairing the document to be scanned that is infected with the macro virus according to the file structure obtained by parsing comprises:
modifying the name of the directory entry, in the document to be scanned that is infected with the macro virus, that successfully matched the macro virus;
for the directory entry that matched, clearing its macro code;
for the directory entry that matched, deleting or renaming it;
wherein, when the document to be scanned is an EXCEL document, the step of repairing the document to be scanned that is infected with the macro virus according to the file structure obtained by parsing further comprises:
when the EXCEL document is infected with a macro virus, modifying the description field in the stream data of its workbook directory entry, so that normal opening of the EXCEL document is not affected.
2. The method of claim 1, characterised in that the document to be scanned is a PPT document;
then the step of parsing the file structure of the document to be scanned comprises:
parsing to obtain the directory structure of the PPT document; the directory structure of the PPT document comprising a POWERPOINT DOCUMENT directory entry;
parsing the stream data under the POWERPOINT DOCUMENT directory entry, and searching the parsing result for a composite object structure;
decompressing the data stored in the composite object structure to obtain the corresponding decompressed data; the documents corresponding to the decompressed data comprising one or more of the following: a PPT document and a document embedded in the PPT, the embedded document comprising one or more of a compound document, a WORD document and an EXCEL document;
taking the documents corresponding to the decompressed data as documents to be scanned, and parsing to obtain the corresponding directory structure;
the step of extracting macro code from the document to be scanned according to the file structure obtained by parsing comprises:
traversing each directory entry in the directory structure of the document to be scanned;
matching the name of each directory entry against the name of the specific macro directory;
for a directory entry that matches successfully, reading the stream data of its subdirectory entry and decompressing the corresponding macro code from it;
the step of repairing the document to be scanned that is infected with the macro virus according to the file structure obtained by parsing comprises:
when the documents corresponding to the decompressed data include a document embedded in the PPT, repairing the embedded document infected with the macro virus according to the file structure obtained by parsing the embedded document, compressing the repaired embedded document, and filling it into the corresponding composite object structure; and/or
when the documents corresponding to the decompressed data include a PPT document, reducing the length field in the composite object structure and adding a new structure, wherein the reduction and the length of the added new structure correspond to the length of the macro code of the PPT document infected with the macro virus.
3. the method for claim 1, it is characterised in that described in treat that killing document is OFFICE07 document;
The step of the file structure of killing document is treated in the most described parsing, including:
Decompress the data that OFFICE07 document is corresponding, data after being decompressed accordingly;After described decompression, data include embedded catalogue;
Using the document under described embedded catalogue as treating killing document, resolve and obtain corresponding tree directory structure;
The most described according to resolving the file structure that obtains from the described step treating to extract macrodoce killing document, including:
Travel through each directory entry in described tree directory structure;
The title of the title of each directory entry with specific macrodirectory is mated;
For the directory entry that the match is successful, read the flow data of its subdirectory item, and therefrom decompress out the macrodoce of correspondence;
To infecting macrovirus, the described file structure obtained according to parsing treats that killing document carries out the step of repair process, including:
After repairing the document under the described embedded catalogue infecting macrovirus, and the document reparation success under described embedded catalogue, other data in data after described embedded document and described decompression are compressed the OFFICE07 document after being repaired.
4. The method of claim 3, wherein the decompressed data further includes an OFFICE07 macro file and a content type marker file;
the step of parsing the file structure of the document to be scanned further includes: taking the OFFICE07 macro file as a document to be scanned and parsing it to obtain the corresponding tree directory structure;
the step of performing repair processing, according to the file structure obtained by parsing, on a document to be scanned that is infected with a macro virus further includes:
when the OFFICE07 macro file is infected with a macro virus, deleting the OFFICE07 macro file, parsing to obtain the content of the content type marker file, and deleting from the content type marker file the corresponding content that references the OFFICE07 macro file.
5. the method for claim 1, it is characterised in that the title of described specific macrodirectory includes: VBA_PROJECT_CUR and/or Macros.
6. The method of any one of claims 1 to 5, wherein the behavior code library is constructed as follows:
collecting the behavior code required to implement specific macro virus behaviors;
saving the behavior code into the behavior code library;
wherein the step of collecting the behavior code required to implement specific macro virus behaviors further includes:
collecting macro virus samples of various computer documents;
parsing the file structure of the macro virus samples, where the file structure may specifically include the directory structure corresponding to the data streams of the document;
extracting macro code from the macro virus samples according to the file structure obtained by parsing;
analyzing the semantics of the macro code of the macro virus samples according to the grammar of the macro code, and extracting from it the corresponding behavior code required to implement specific macro virus behaviors.
7. A device for macro virus detection and killing, applied to security equipment, including:
a parsing module, for parsing the file structure of the document to be scanned by means of the processor of the computing device, the file structure including the directory structure corresponding to the data streams of the document;
an extraction module, for extracting macro code from the document to be scanned according to the file structure obtained by parsing;
a matching module, for matching the macro code extracted by the processor against the behavior code in the behavior code library, wherein the behavior code represents the macro code required to implement specific macro virus behaviors;
a discrimination module, for determining from the matching result whether the document to be scanned is infected with a macro virus; and
a repair processing module, for performing repair processing, according to the file structure obtained by parsing, on a document to be scanned that is infected with a macro virus;
wherein, when the document to be scanned is a compound document, a WORD document or an EXCEL document, the parsing module includes: a first parsing submodule, for parsing to obtain the tree directory structure of the document to be scanned;
the extraction module includes:
a first traversal submodule, for traversing each directory entry in the tree directory structure;
a first matching submodule, for matching the name of each directory entry against the name of a specific macro directory;
a first read-and-decompress submodule, for reading, for a successfully matched directory entry, the stream data of its subdirectory entries and decompressing the corresponding macro code from that stream data;
the repair processing module includes:
a first modification submodule, for modifying, in the infected document to be scanned, the name of the directory entry that was successfully matched for the corresponding macro virus;
a filling submodule, for clearing the macro code of the successfully matched directory entry; and
a second modification submodule, for deleting or renaming the successfully matched directory entry;
wherein, when the document to be scanned is an EXCEL document, the repair processing module further includes:
a third modification submodule, for modifying, when the EXCEL document is infected with a macro virus, the description field in the stream data of its workbook directory entry so that normal opening of the EXCEL document is not affected.
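The extraction, matching and claim-1 repair steps described above, run on a constructed sample in Python. This is an added example, not code from the patent or its assignee; it assumes the directory tree has already been parsed into stream paths, that the macro streams use the MS-OVBA compressed-container encoding (the claims do not name the compression), and it uses a constructed two-entry behavior code library.

```python
import math, struct
MACRO_DIR_NAMES = {"VBA_PROJECT_CUR", "Macros"}                    # directory names from claim 5
BEHAVIOR_CODE_LIBRARY = [b"Auto_Open", b"NormalTemplate.VBProject"]  # constructed sample library

def ovba_decompress(data: bytes) -> bytes:
    """Decompress an MS-OVBA compressed container (assumed encoding of the macro streams)."""
    if data[:1] != b"\x01": raise ValueError("missing compressed-container signature byte")
    out, pos = bytearray(), 1
    while pos < len(data):                       # one CompressedChunk per iteration
        header = struct.unpack_from("<H", data, pos)[0]
        chunk_end = min(len(data), pos + (header & 0x0FFF) + 3)
        pos, chunk_start = pos + 2, len(out)
        if not header & 0x8000:                  # raw chunk: bytes stored as-is
            out += data[pos:chunk_end]; pos = chunk_end; continue
        while pos < chunk_end:                   # flag byte followed by up to 8 tokens
            flags, pos = data[pos], pos + 1
            for bit in range(8):
                if pos >= chunk_end: break
                if not (flags >> bit) & 1:       # literal byte
                    out.append(data[pos]); pos += 1; continue
                token = struct.unpack_from("<H", data, pos)[0]; pos += 2
                # copy token: the offset/length bit split depends on the position in the chunk
                bits = max(math.ceil(math.log2(len(out) - chunk_start)), 4)
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                for _ in range(length):          # overlapping copy, byte by byte
                    out.append(out[-offset])
    return bytes(out)

def scan(streams: dict):
    """streams: {'entry/sub/entry': bytes} from a parsed directory tree -> (macro code, hits)."""
    macros = {p: ovba_decompress(s) for p, s in streams.items()
              if any(part in MACRO_DIR_NAMES for part in p.split("/"))}   # name match
    hits = [c for code in macros.values() for c in BEHAVIOR_CODE_LIBRARY if c in code]
    return macros, hits

def repair(streams: dict) -> dict:
    """Claim-1 repair: rename the matched directory entry and clear the macro code under it."""
    fixed = {}
    for path, data in streams.items():
        parts = path.split("/")
        if any(p in MACRO_DIR_NAMES for p in parts):
            parts, data = [f"_{p}_cleaned" if p in MACRO_DIR_NAMES else p for p in parts], b""
        fixed["/".join(parts)] = data
    return fixed

# Constructed sample: one module stream = one compressed chunk (real streams add a cache prefix).
SAMPLE_STREAMS = {"WordDocument": b"(constructed non-macro stream)",
                  "Macros/VBA/ThisDocument": b"\x01\x1d\xb0\x00Sub Auto\x00_Open()\n"
                                             b"\x01\x06\xb0\nEnd Su\x00b"}
```

The sample stream decompresses to `Sub Auto_Open()`, `Auto_Open`, `End Sub`, which hits the `Auto_Open` entry of the constructed library; after `repair` the renamed entry no longer matches and `scan` reports nothing.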
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310446768.7A CN103500309B (en) | 2013-09-26 | 2013-09-26 | A kind of method and device for detecting and killing macro virus |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103500309A CN103500309A (en) | 2014-01-08 |
CN103500309B true CN103500309B (en) | 2016-09-28 |
Family
ID=49865516
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310446768.7A Active CN103500309B (en) | 2013-09-26 | 2013-09-26 | A kind of method and device for detecting and killing macro virus |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103500309B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107025407A (en) * | 2017-03-22 | 2017-08-08 | 国家计算机网络与信息安全管理中心 | The malicious code detecting method and system of a kind of office document files |
CN108197472A (en) * | 2017-12-20 | 2018-06-22 | 北京金山安全管理系统技术有限公司 | macro processing method, device, storage medium and processor |
CN109033831A (en) * | 2018-06-22 | 2018-12-18 | 珠海市君天电子科技有限公司 | A kind of method for detecting virus, device, electronic equipment and storage medium |
CN110866256A (en) * | 2019-11-12 | 2020-03-06 | 深信服科技股份有限公司 | Macro code detection method, device, equipment and storage medium |
CN111488556A (en) * | 2020-04-09 | 2020-08-04 | 深信服科技股份有限公司 | Nested document extraction method and device, electronic equipment and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7210041B1 (en) * | 2001-04-30 | 2007-04-24 | Mcafee, Inc. | System and method for identifying a macro virus family using a macro virus definitions database |
CN102694801A (en) * | 2012-05-21 | 2012-09-26 | 华为技术有限公司 | Method and device for detecting virus and firewall equipment |
CN102841999A (en) * | 2012-07-16 | 2012-12-26 | 北京奇虎科技有限公司 | Method and device for detecting macro virus of files |
CN102999726A (en) * | 2012-12-14 | 2013-03-27 | 北京奇虎科技有限公司 | File macro virus immunization method and device |
CN103150504A (en) * | 2013-01-23 | 2013-06-12 | 北京奇虎科技有限公司 | Method and device for detecting and removing computer macro viruses |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | | Effective date of registration: 20220714. Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015. Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park). Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.; Qizhi software (Beijing) Co.,Ltd. |