CN103593612A - Method and device for processing malicious programs - Google Patents

Method and device for processing malicious programs

Info

Publication number: CN103593612A
Authority: CN (China)
Prior art keywords: file, rogue program (malicious program), memory location (storage location), killing (scan and removal), instruction
Legal status: Granted
Application number: CN201310551999.4A
Other languages: Chinese (zh)
Other versions: CN103593612B (en)
Inventors: 邵坚磊, 申迪
Current assignee: Beijing Qizhi Business Consulting Co Ltd; Beijing Qihoo Technology Co Ltd; 360 Digital Security Technology Group Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201310551999.4A
Published as CN103593612A; application granted and published as CN103593612B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements; eliminating virus, restoring damaged files

Abstract

The invention discloses a method and device for processing malicious programs, aiming to improve the efficiency of scanning for, removing and otherwise handling them. The method comprises: parsing the file system on which a first file resides, the first file being bundled with the malicious program; obtaining the storage location of the first file; loading a first driver and, through it, sending instructions to the miniport driver corresponding to that storage location so that the first file bundled with the malicious program is modified into a second file, the second file being a non-functional driver file that is not infected by the malicious program; and then scanning for and removing the malicious program.

Description

Method and device for processing malicious programs
Technical field
The present invention relates to the field of computer technology, and in particular to a method and device for processing malicious programs.
Background
With the development of antivirus technology, ordinary malicious programs rarely escape detection and removal. Since restore-driver technology became public, however, malicious programs have begun to use it to defeat antivirus removal. Specifically, a file carrying a restore driver is bundled with the malicious program; after infecting the system, the malicious program puts the disk on which the system resides into restore mode. Existing antivirus software can still detect the presence of such a malicious program, but when it attempts removal it operates on the malicious program and its bundled file through the file system, whereas the bundled restore driver sits in the disk filter driver layer below the file system, where it intercepts the removal instructions aimed at the file carrying the restore driver. After a reboot every operation is rolled back, the malicious program still exists, and removal ultimately fails.
Existing antivirus software is therefore helpless against a system infected with a malicious program that has a restore driver bundled in. At present the malicious program can only be removed and the system recovered in two ways: reinstalling the system, or booting from a USB flash drive and replacing the restore driver with a clean driver. Both are complicated to perform and time-consuming.
There is consequently a lack of a genuinely effective and fast way to remove a malicious program bundled with a restore driver.
Summary of the invention
The present invention provides a method and device for processing malicious programs, so as to improve the efficiency of scanning for and removing them.
The present invention provides a method for processing a malicious program, comprising:
parsing the file system on which a first file bundled with the malicious program resides, and obtaining the storage location of the first file;
loading a first driver and, through the first driver, sending instructions to the miniport driver corresponding to the storage location so that the first file bundled with the malicious program is modified into a second file, the second file being a non-functional driver file that is not infected by the malicious program;
performing scan-and-removal processing on the malicious program.
The present invention provides a device for processing a malicious program, comprising:
an acquiring unit, for parsing the file system on which the first file bundled with the malicious program resides and obtaining the storage location of the first file;
a replacement unit, for loading a first driver and sending, through the first driver, instructions to the miniport driver corresponding to the storage location so that the first file bundled with the malicious program is modified into a second file, the second file being a non-functional driver file that is not infected by the malicious program;
a removal unit, for performing scan-and-removal processing on the malicious program.
In the present invention, the malicious program that has infected the system is bundled with a first file. The storage location of this first file is obtained first; a first driver is then loaded and used to send instructions directly to the miniport driver corresponding to that storage location, replacing the first file with a second file that is not infected by the malicious program and has no function; the malicious program is then dealt with. Whatever function the first file bundled with the malicious program may have, it is replaced directly via the port rather than through the file system. The replacement second file, being uninfected and non-functional, can have no adverse effect on the system, so the malicious program, now bundled with the non-functional second file, can be removed directly and the system restored to normal without reinstalling the system or booting from another external device. This greatly improves the efficiency of removing malicious programs and restoring the system.
Other features and advantages of the present invention will be set forth in the following description, and will in part become apparent from the description or be understood by practising the invention. The objects and other advantages of the invention may be realised and obtained by the structures particularly pointed out in the written description, the claims and the accompanying drawings.
The technical solution of the present invention is described in further detail below by means of the drawings and embodiments.
Brief description of the drawings
The accompanying drawings are provided to give a further understanding of the present invention and form a part of the specification; together with the embodiments they serve to explain the invention and are not to be construed as limiting it. In the drawings:
Fig. 1 is a flow chart of processing a malicious program in embodiment one of the present invention;
Fig. 2 is a flow chart of processing a malicious program in embodiment two of the present invention;
Fig. 3 is a flow chart of processing a malicious program in embodiment three of the present invention;
Fig. 4 is a schematic diagram of a system infected with a malicious program bundled with a restore-driver file in embodiment three of the present invention;
Fig. 5 is a schematic diagram of processing the malicious program in embodiment three of the present invention;
Fig. 6 is a schematic diagram of the system after recovery from the malicious program in embodiment three of the present invention;
Fig. 7 is a structural diagram of the device for processing malicious programs in embodiment four of the present invention.
Detailed description of the embodiments
Preferred embodiments of the present invention are described below with reference to the drawings. It should be understood that the preferred embodiments described here serve only to describe and explain the invention and are not intended to limit it.
In the embodiments of the present invention, when the system has been infected with a malicious program bundled with a first file, a first driver is loaded that interfaces directly with the miniport driver corresponding to the storage location of the first file and replaces the first file with a non-functional second file. Whatever function the first file had, it can no longer affect the system, and the malicious program, now bundled with the non-functional second file, can be scanned for and removed directly, improving the ability to deal with malicious programs.
For example, suppose the first file carries the restore driver mentioned in the background section, so that the first file provides the restore function. Once the system is infected with a malicious program bundled with this first file, prior-art removal can only delete the first file stored on the physical disk through the file operation system: the file delete instruction is passed down level by level until it reaches the physical disk, namely operating-system API -> kernel dispatch function -> file system -> volume manager -> disk filter driver -> disk class driver -> disk port/miniport driver -> physical disk. Because the first file provides the restore function, when the delete instruction reaches the disk filter driver layer the restore driver intercepts it and translates it into an operation on a file stored elsewhere on the physical disk. For example, a delete instruction that was meant to operate on the first file stored in sector 100 of the hard disk is diverted to operate on a file stored in idle sector 1000 of the disk; the first file in sector 100 that should have been deleted survives, the idle file in sector 1000 is deleted instead, and after the system restarts the first file still exists and the malicious program bundled with it still cannot be removed.
Existing antivirus software therefore cannot remove a malicious program bundled with a restore-driver file. In the embodiments of the present invention a first driver is loaded that can issue file operation instructions directly to the disk miniport driver layer, so that the disk miniport driver replaces the first file. This bypasses the disk filter driver layer where the restore driver could intercept the operation, rendering the restore driver ineffective, and the malicious program can then be scanned for and removed. The removal process is described below with reference to the drawings.
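To make the layering concrete, here is a small Python model of the storage stack just described. It is added here as an illustration and is not code from the patent: a restore-mode filter driver sits between the file system and the miniport, redirects any change to a protected sector (100 in the patent's example) to a spare sector (1000) and throws the spare sectors away on reboot, so a delete issued through the file system is undone, whereas a delete and write issued to the miniport layer directly survives the reboot. All class names, sector numbers and file contents are constructed for the example.

```python
"""Toy model of the storage stack described in the patent, constructed for this example."""

FIRST_FILE_SECTOR = 100   # sector holding the bundled restore-driver file (patent's example)
SPARE_SECTOR = 1000       # idle sector the restore driver redirects changes to (patent's example)


class PhysicalDisk:
    """Sector-addressed storage; an absent sector is free space."""

    def __init__(self):
        self.sectors = {}

    def write(self, sector, data):
        self.sectors[sector] = data

    def delete(self, sector):
        self.sectors.pop(sector, None)

    def read(self, sector):
        return self.sectors.get(sector)


class Miniport:
    """Lowest driver layer: passes operations straight to the disk, no filtering."""

    def __init__(self, disk):
        self.disk = disk

    def send(self, op, sector, data=None):
        if op == "delete":
            self.disk.delete(sector)
        elif op == "write":
            self.disk.write(sector, data)
        else:
            raise ValueError("unknown operation %r" % op)


class RestoreFilter:
    """Disk filter driver in restore mode: modifications to protected sectors are redirected
    to spare sectors, and the spare sectors are discarded on reboot, undoing the changes."""

    def __init__(self, lower, protected, spare):
        self.lower = lower
        self.protected = set(protected)
        self.spare = spare
        self.redirect = {}          # protected sector -> spare sector actually used

    def send(self, op, sector, data=None):
        if sector in self.protected:
            if sector not in self.redirect:
                self.redirect[sector] = self.spare + len(self.redirect)
            sector = self.redirect[sector]
        self.lower.send(op, sector, data)

    def reboot(self):
        for spare in self.redirect.values():
            self.lower.send("delete", spare)   # changes made in restore mode are thrown away
        self.redirect.clear()


class FileSystem:
    """Top of the stack: maps names to sectors (the 'retrieval pointers') and sends requests down."""

    def __init__(self, lower, table):
        self.lower = lower
        self.table = dict(table)

    def get_retrieval_pointers(self, name):
        return self.table[name]

    def send(self, op, name, data=None):
        self.lower.send(op, self.table[name], data)


def build_stack():
    disk = PhysicalDisk()
    disk.write(FIRST_FILE_SECTOR, b"RESTORE.SYS")        # constructed content of the first file
    mini = Miniport(disk)
    filt = RestoreFilter(mini, protected=[FIRST_FILE_SECTOR], spare=SPARE_SECTOR)
    fs = FileSystem(filt, {"restore.sys": FIRST_FILE_SECTOR})
    return disk, mini, filt, fs


def delete_through_file_system():
    """Prior-art path: the delete goes down through the filter, is redirected, and is undone on reboot."""
    disk, _, filt, fs = build_stack()
    fs.send("delete", "restore.sys")
    filt.reboot()
    return disk.read(FIRST_FILE_SECTOR)          # still b"RESTORE.SYS"


def replace_through_miniport():
    """Patent's path: resolve the sector via the file system, then delete and write at the miniport layer."""
    disk, mini, filt, fs = build_stack()
    sector = fs.get_retrieval_pointers("restore.sys")
    mini.send("delete", sector)
    mini.send("write", sector, b"NULL.SYS")       # clean, non-functional replacement
    filt.reboot()
    return disk.read(FIRST_FILE_SECTOR)          # b"NULL.SYS" survives the reboot


if __name__ == "__main__":
    print("via file system :", delete_through_file_system())
    print("via miniport    :", replace_through_miniport())
```

The model keeps only the two layers that matter for the argument (filter and miniport); the real Windows stack has the volume manager and class driver between them, but neither changes where the interception happens.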
Embodiment one: referring to Fig. 1, the process of processing a malicious program comprises:
Step 101: parse the file system on which the first file bundled with the malicious program resides, and obtain the storage location of the first file.
After the system has been infected with a malicious program bundled with a first file, the storage location of the first file must be obtained. The first file may be a file carrying a restore driver, or a file with some other function. The storage location may be a sector of a physical disk, or a location on some other physical storage medium.
The storage location can be obtained through the file system: parsing the file system on which the first file resides and obtaining its storage location specifically comprises issuing a storage-location request instruction for the first file to the file system, and then receiving the storage location of the first file that the file system returns.
The storage location may of course be obtained in other ways, for example by having existing antivirus software parse the file system on which the first file resides and obtain the location.
Step 102: load a first driver and, through it, send instructions to the miniport driver corresponding to the storage location, modifying the first file bundled with the malicious program into a second file that is not infected by the malicious program and has no function.
In the embodiments of the present invention the first driver sends instructions directly to the miniport driver corresponding to the storage location to carry out file operations. Because the first driver interfaces directly with the miniport driver and bypasses the file system, it is a pass-through driver; before the first file can be modified, this pass-through driver capable of interfacing directly with the miniport driver must be loaded.
Once the storage location of the first file is known, instructions can be sent through the pass-through driver to the miniport driver corresponding to that location to operate on the first file. Here the first file is modified into a second file, the second file being a non-functional driver file that is not infected by the malicious program.
Specifically: a delete instruction is sent through the pass-through driver to the miniport driver corresponding to the storage location to delete the first file, and a write instruction is sent through the pass-through driver to the same miniport driver to write the second file at that storage location.
The pass-through driver can thus read, write and delete at the storage location directly via the corresponding miniport driver, without passing through the layered file operation system above the storage location; the clean, non-functional second file replaces the first file at the miniport driver layer itself.
Step 103: perform scan-and-removal processing on the malicious program.
With the first file replaced by the clean, non-functional second file, the existing procedure for removing malicious programs can be used, which may specifically comprise:
sending a restart instruction so that the system restarts; what the malicious program now loads is the non-functional second file rather than the first file, so the malicious program with the second file loaded can be removed directly.
The removal may be carried out by file cleaning, which can include one or more of the following: deleting the file containing the malicious program outright; modifying the entry point address of the infected file, for example of an infected portable executable file; writing a data block to a specific region of the infected file, that is, filling that region with data; copying a data block within the infected file; deleting a specific section of the infected file and adjusting the file's format accordingly, for example deleting a specified section of an infected portable executable and adjusting the file format to match; deleting data of a specific size from the head and/or tail of the infected file; and setting the size of the infected file.
In the embodiments of the present invention, therefore, the first driver, acting as a pass-through driver, sends instructions directly to the miniport driver corresponding to the storage location and replaces the first file with a clean, non-functional second file, after which the malicious program bundled with the second file is removed directly, without reinstalling the system or booting from another external device. This greatly improves the efficiency of removing malicious programs and restoring the system to normal.
Embodiment two: in the course of processing a malicious program it is necessary to detect that the system has been infected with a malicious program bundled with a first file before removal can proceed. Referring to Fig. 2, the process of processing a malicious program in this embodiment comprises:
Step 201: detect and report the malicious program and the first file bundled with it.
In the embodiment of the present invention, infection of the system with a malicious program bundled with a first file can be detected, the malicious program and the bundled first file can be identified, and they can be reported, or reported and displayed. This specifically comprises:
scanning the malicious program and the first file bundled with it, sending first information about the malicious program and the first file to a cloud server so that the cloud server updates its information records, receiving from the cloud server the updated second information about the malicious program and the first file, and, when the second information indicates that the malicious program and the first file are abnormal, issuing a virus report.
The features of a malicious program can include many kinds of information: file attribute information such as the file name, a digest of the program file, the file size, signature information and version information; and contextual attributes such as the directory in which the file resides, its startup location in the registry, and the attributes of other files in the same directory or in a specified directory. Alternatively, a characteristic value may be computed for the malicious program's file name or full content, for example an MD5 (Message Digest Algorithm 5) value of the file's full content or signature, or a SHA1 hash of the file's full content or signature. The first information about the malicious program and the first file thus comprises one or more of the above.
For example: a virus scan task is started, the objects to be scanned are scanned, an index identifier is computed for each scanned file, and that identifier is sent to the cloud server as the first information. The cloud server updates its information records and sends down the updated second information. Here the cloud server can locate a script corresponding to the scanned file by its index identifier and send that script down as the second information.
Specifically, the scan task may be started on a timer or triggered by a user operation: the scanning unit starts the scan task on schedule, or starts it upon receiving a user instruction. The objects scanned may include memory, the boot sector, the BIOS (Basic Input/Output System) and so on.
After the cloud server receives the reported scan result, it further analyses and compares it against a malicious-program database and can judge from the comparison information whether the scanned file is a malicious program. It then sends down, as the second information, the judgement result (such as malicious, safe, unknown or suspicious) and/or the repair logic matching the scan result, so that the local side can judge from the second information whether there is an anomaly and then issue a virus report. Here the cloud server judges whether the scanned file is a malicious program according to the comparison information and the cloud discrimination conditions it holds. Those cloud discrimination conditions can be upgraded and updated: when an upgrade condition is met, no client file upgrade is needed for the change to take effect, so the whole network is upgraded at once, the update is very fast and interception is effective, and losses to client users from sudden outbreaks of malicious programs are avoided. Specifically, an upgrade condition can be configured in the server; the server periodically checks whether the cloud discrimination conditions meet the upgrade condition and, when they do, directly obtains new discrimination conditions and replaces the original ones with them, thereby upgrading the original cloud discrimination conditions. The upgrade condition can be judged by the file version of the local discrimination conditions, upgrading when a newer version exists, or it can specify that an upgrade to a designated version takes place when the local version meets a certain condition; the embodiment of the present invention does not restrict this.
In this embodiment the cloud server may also first send the comparison information down as the second information, with the local side judging from the second information, determining from that judgement whether there is an anomaly, and then issuing the virus report.
Of course, the present invention may also omit reporting and the cloud-server update, performing only the local scanning, judgement and update process.
The local side and the cloud server do not substitute for one another. In this embodiment the judgement result in the cloud server indicates whether a scanned file is malicious, safe, unknown or suspicious, so a file security grade must be preset; the grades comprise a safe grade, an unknown grade, a suspicious/highly suspicious grade and a malicious grade. As one grade setting, a grade of 10-29 can be the safe grade (files at this grade are white files), 30-49 the unknown grade (grey files), 50-69 the suspicious/highly suspicious grade (suspicious files), and a grade of 70 or above the malicious grade (malicious files). The grades may of course be set in other forms; the present invention does not restrict this. Concretely, hijacked EXE and DLL files can be dealt with by a cloud scanning engine for Portable Executable (PE) files or by an artificial intelligence engine (Qihoo Virtual Machine, QVM). PE files are the program files of the Windows operating system; common PE file types include EXE, DLL, OCX, SYS and COM.
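As an added example (not code from the patent), the following Python sketches the local side of step 201 together with the grade table above: it builds the "first information" for a file (name, size, MD5 and SHA1 of the full content), looks it up in a constructed stand-in for the cloud server's records, and maps the returned grade to the classes the text defines (10-29 safe, 30-49 unknown, 50-69 suspicious, 70 and above malicious). Grades below 10 are not defined in the text, and neither is the grade for a hash the cloud has never seen; the example reports the former as "unrated" and assigns the latter the bottom of the unknown band, both of which are assumptions of this example. The file contents and cloud records are constructed.

```python
import hashlib

# Grade bands as stated in the patent text: (low, high inclusive, class); None means no upper bound.
GRADE_BANDS = [
    (10, 29, "safe"),        # white file
    (30, 49, "unknown"),     # grey file
    (50, 69, "suspicious"),  # suspicious / highly suspicious file
    (70, None, "malicious"), # malicious file
]
UNSEEN_GRADE = 30  # assumption: a hash with no cloud record is treated as the bottom of the unknown band


def classify_grade(grade):
    """Map a numeric grade to its class. Grades below 10 are undefined in the text (assumption: 'unrated')."""
    for low, high, label in GRADE_BANDS:
        if grade >= low and (high is None or grade <= high):
            return label
    return "unrated"


def first_information(name, content):
    """The 'first information' reported for a scanned file: attributes plus MD5/SHA1 of the full content."""
    return {
        "name": name,
        "size": len(content),
        "md5": hashlib.md5(content).hexdigest(),
        "sha1": hashlib.sha1(content).hexdigest(),
    }


# Constructed stand-in for the cloud server's information records, keyed by MD5 of the full content.
KNOWN_WHITE = b"MZ\x90\x00 constructed clean driver image"
KNOWN_BUNDLED = b"MZ\x90\x00 constructed restore-driver bundle"
CLOUD_RECORDS = {
    hashlib.md5(KNOWN_WHITE).hexdigest(): 15,
    hashlib.md5(KNOWN_BUNDLED).hexdigest(): 85,
}


def cloud_lookup(info):
    """Second information the cloud sends back for a report: (grade, class)."""
    grade = CLOUD_RECORDS.get(info["md5"], UNSEEN_GRADE)
    return grade, classify_grade(grade)


def scan_and_report(name, content):
    """Local decision: a virus report is raised only when the cloud verdict is suspicious or malicious."""
    grade, label = cloud_lookup(first_information(name, content))
    return {
        "name": name,
        "grade": grade,
        "class": label,
        "report": label in ("suspicious", "malicious"),
    }


if __name__ == "__main__":
    for name, content in (("null.sys", KNOWN_WHITE), ("bundle.sys", KNOWN_BUNDLED), ("x.sys", b"never seen")):
        print(scan_and_report(name, content))
```

The band check is written as an inclusive range test rather than a chain of comparisons so the boundaries (29/30, 49/50, 69/70) fall exactly where the text places them.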
Step 202: issue a storage-location request instruction for the first file to the file system.
In this embodiment the storage location of the first file is obtained by parsing the file system on which the first file resides, so a storage-location request instruction for the first file must be issued to the file system.
Step 203: obtain the storage location of the first file returned by the file system.
After receiving the storage-location request instruction for the first file, the file system can directly return the storage location of the first file.
Step 204: load a first driver, send a delete instruction through the first driver to the miniport driver corresponding to the storage location, and delete the first file.
The first file may carry a restore driver or some other function that affects the system, so it must be deleted during removal. In the embodiment of the present invention a first driver capable of interfacing directly with the miniport driver corresponding to the storage location, that is, a pass-through driver, is loaded, and the first file is deleted through this pass-through driver interfacing directly with that miniport driver.
Step 205: send a write instruction through the first driver to the miniport driver corresponding to the storage location, writing at that location a second file that is not infected by the malicious program and has no function.
After the first file is deleted, the registry may still contain a corresponding driver registration, because the first file may have modified the registry; for example, if the first file carried a restore driver, that driver is registered in the registry. Even though the first file has been deleted, the system may then hit a blue-screen fault or some other failure to load normally on restart. The first file must therefore be replaced with a clean, non-functional second file. Since the second file is a non-functional driver file, the clean, non-functional second file is written through the first driver, acting as a pass-through driver, at the storage location the first file originally occupied; the system then restarts without a load failure.
Step 206: send a restart instruction so that the system restarts and the non-functional second file is loaded with the malicious program on restart.
With the first file replaced by the clean, non-functional second file, this embodiment can subsequently remove the malicious program using the normal removal flow, which comprises sending a restart instruction so that the system restarts and, on restart, the non-functional second file is loaded with the malicious program.
Step 207: remove the malicious program that has loaded the second file.
What is now bundled with the malicious program is the clean, non-functional second file, which does not affect the system; there is no longer any instruction interception or system restoration, so the malicious program can be removed directly and the system's original function recovered. The specific removal process comprises the cleaning operations described in the embodiment above.
In this way the system is restored to normal without reinstalling it or booting from another external device, greatly improving the efficiency of removing malicious programs.
Embodiment three: in this embodiment the system is a Windows system, the first file carries the "proud shield" restore driver, the malicious program is bundled with this first file, and the first file is stored in a particular disk sector of the Windows system's C: drive. Referring to Fig. 3, the flow of processing the malicious program in this embodiment comprises:
Step 301: detect that the system disk C: under Windows has been infected with a malicious program bundled with a file carrying a restore driver.
The malicious program is bundled with the first file, and the first file carries the proud shield restore driver, so after infection the system disk C: is placed in restore mode; as shown in Fig. 4, a restore arrow appears on the C: drive.
Specifically, a timed scan can determine that system disk C: has been infected with a malicious program bundled with a file carrying a restore driver. The restore driver has corresponding characteristic information, and in this embodiment that information is used to determine that the first file carries the restore driver.
Step 302: issue the storage-location request instruction FSCTL_GET_RETRIEVAL_POINTERS to the file system.
In a Windows system the storage-location request instruction can be issued through the file system; here it is specifically FSCTL_GET_RETRIEVAL_POINTERS.
Step 303: obtain from the file system the disk sector position of the file carrying the restore driver.
After the storage-location request instruction FSCTL_GET_RETRIEVAL_POINTERS is issued to the file system, the cluster chain of the first file is obtained, and from it the disk sector position of the first file.
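The cluster chain mentioned in step 303 can be decoded with the following Python, added here as an example and not taken from the patent. It packs and parses the RETRIEVAL_POINTERS_BUFFER layout that FSCTL_GET_RETRIEVAL_POINTERS returns on Windows (an extent count, a starting VCN, then NextVcn/Lcn pairs, with an LCN of -1 for a run that has no clusters allocated) and converts the chain to absolute physical sector ranges. The sample buffer, the cluster size and the partition offset are constructed values; on a real system the bytes would come from DeviceIoControl on an open file handle, and the partition offset from the volume's extent information.

```python
import struct

# Layout of RETRIEVAL_POINTERS_BUFFER (winioctl.h) as returned by FSCTL_GET_RETRIEVAL_POINTERS:
#   DWORD ExtentCount; 4 bytes of padding; LARGE_INTEGER StartingVcn;
#   then ExtentCount entries of { LARGE_INTEGER NextVcn; LARGE_INTEGER Lcn; }
HEADER = "<I4xq"
EXTENT = "<qq"
UNALLOCATED_LCN = -1   # Windows reports -1 for a run with no clusters behind it (sparse/unallocated)


def build_retrieval_pointers(starting_vcn, extents):
    """Pack a buffer in the Windows layout; used here only to construct a sample input."""
    buf = struct.pack(HEADER, len(extents), starting_vcn)
    for next_vcn, lcn in extents:
        buf += struct.pack(EXTENT, next_vcn, lcn)
    return buf


def parse_retrieval_pointers(buf):
    """Decode the buffer into cluster runs: (start_vcn, length_in_clusters, lcn)."""
    count, vcn = struct.unpack_from(HEADER, buf, 0)
    offset = struct.calcsize(HEADER)
    runs = []
    for _ in range(count):
        next_vcn, lcn = struct.unpack_from(EXTENT, buf, offset)
        offset += struct.calcsize(EXTENT)
        if next_vcn <= vcn:
            raise ValueError("malformed extent list: NextVcn must increase")
        runs.append((vcn, next_vcn - vcn, lcn))
        vcn = next_vcn
    return runs


def runs_to_sectors(runs, sectors_per_cluster, partition_start_sector):
    """Translate cluster runs to absolute physical sector ranges (first_sector, sector_count).
    Runs with LCN -1 occupy no disk space and are skipped."""
    ranges = []
    for _, length, lcn in runs:
        if lcn == UNALLOCATED_LCN:
            continue
        first = partition_start_sector + lcn * sectors_per_cluster
        ranges.append((first, length * sectors_per_cluster))
    return ranges


def file_sectors(buf, sectors_per_cluster, partition_start_sector):
    """Full path from the FSCTL buffer to the physical sectors holding the file."""
    return runs_to_sectors(parse_retrieval_pointers(buf), sectors_per_cluster, partition_start_sector)


# Constructed sample: a 5-cluster file, clusters 0-1 at LCN 1000, cluster 2 unallocated,
# clusters 3-4 at LCN 4096. Cluster size and partition offset are also assumed values.
SAMPLE_BUFFER = build_retrieval_pointers(0, [(2, 1000), (3, UNALLOCATED_LCN), (5, 4096)])
SECTORS_PER_CLUSTER = 8         # 4 KiB clusters on 512-byte sectors
PARTITION_START_SECTOR = 2048   # a 1 MiB-aligned first partition

if __name__ == "__main__":
    print(parse_retrieval_pointers(SAMPLE_BUFFER))
    print(file_sectors(SAMPLE_BUFFER, SECTORS_PER_CLUSTER, PARTITION_START_SECTOR))
```

The LCN values are relative to the volume, which is why the partition's starting sector has to be added before the result can be handed to anything that addresses the physical disk; forgetting that offset is the classic mistake when mapping files to sectors.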
Step 304: load a first driver, send a delete instruction through the first driver to the miniport driver corresponding to the disk sector, and delete the file carrying the restore driver.
Here the file carrying the restore driver is the first file carrying the proud shield restore driver.
Step 305: send a write instruction through the first driver to the miniport driver corresponding to the disk sector, writing to that sector the NULL.SYS file that Microsoft provides under the SYSTEM DRIVERS directory.
A restore driver is a kind of Windows disk filter driver. A feature of such drivers is that if the driver is registered in the registry but the corresponding file does not exist or cannot be loaded normally, system startup fails with blue screen Bug Check 0x7B: INACCESSIBLE_BOOT_DEVICE. So although the preceding step deleted the first file carrying the restore driver, the first file must also be replaced with a clean, non-functional file, so that at startup the system loads the empty driver corresponding to the non-functional file. Here the NULL.SYS that Microsoft provides under the SYSTEM DRIVERS directory can be used as the replacement. NULL.SYS is an empty driver file: it has the framework of a driver file but no function.
Step 306: send a restart instruction so that the system restarts and the NULL.SYS file is loaded with the malicious program on restart.
The first file carrying the proud shield restore driver has been replaced by the NULL.SYS file, so when the system restarts what loads with the malicious program is NULL.SYS. NULL.SYS has no effect on the system, and no load failure occurs.
The specific process of removing the malicious program described above is shown in Fig. 5.
Step 307: remove the malicious program that has loaded the NULL.SYS file.
The file bundled with the malicious program no longer affects the system, so the malicious program in this embodiment can be removed with a normal removal program. Once the malicious program is removed the system returns to normal, and the restore arrow on the system's C: drive disappears, as shown in Fig. 6.
The above method of processing malicious programs can form new antivirus software that removes malicious programs bundled with functional files, and in particular malicious programs bundled with a file carrying a restore function. During removal, pass-through technology is used: the first driver, acting as a pass-through driver, replaces the bundled functional file with a clean, non-functional file from the disk miniport layer, after which the malicious program is removed. The system is thus restored to normal without reinstalling it, switching systems or booting from another external device, greatly improving the efficiency of removing malicious programs.
Embodiment four: according to the above process of handling malicious programs, a device for processing malicious programs can be built, as shown in Figure 7. The device comprises an acquiring unit 710, a replacement unit 720 and a killing unit 730. Wherein:
Acquiring unit 710 parses the file system in which the first file bundled by the malicious program is located, and obtains the storage location of the first file.
Replacement unit 720 loads the first driver and, through the first driver, sends instructions to the miniport driver corresponding to the storage location, modifying the first file bundled by the malicious program into a second file, where the second file is a non-functional driver file not infected by the malicious program.
Killing unit 730 performs killing processing on the malicious program.
Specifically, when obtaining the storage location of the first file, acquiring unit 710 can issue a storage location request instruction for the first file to the file system and obtain the storage location of the first file fed back by the file system. Of course, acquiring unit 710 can also obtain the storage location of the first file by other means, for example through existing antivirus software.
Because the first file may affect system functions, it needs to be replaced with a clean, non-functional second file. Therefore replacement unit 720 specifically sends, through the first driver, a delete instruction to the miniport driver corresponding to the storage location to delete the first file, and sends, through the first driver, a write instruction to the miniport driver corresponding to the storage location to write the second file at that storage location. In this embodiment, file operations such as delete, write and read do not need to pass through the layered file operation system: the first driver interfaces directly with the miniport driver corresponding to the storage location and operates on the file. Thus even if the first file carries a restore driver, because the restore driver is not a filter driver at the layer where the storage location is accessed, it cannot intercept the operation instructions directed at the first file, and the first file can be deleted and replaced.
After the first file is replaced, killing unit 730 specifically sends a restart instruction so that the system restarts and, on restart, loads the non-functional second file for the malicious program; it then performs killing on the malicious program that has loaded the second file.
Of course, in embodiments of the invention the device also comprises a detecting unit, which scans the malicious program and the first file bundled by the malicious program, sends first information about the malicious program and the first file to a cloud server so that the cloud server updates its information records, receives the updated second information about the malicious program and the first file issued by the cloud server, and, when it determines from the second information that the malicious program and the first file are abnormal, reports a virus. In this way the device for processing malicious programs has complete antivirus functionality from detection through killing. Of course, the detecting unit of the device may also only detect the malicious program and the first file bundled by it, without reporting to the cloud server.
In embodiments of the invention, the device for processing malicious programs can use a penetration (bypass) technique to replace the functional first file with a non-functional second file not infected by the malicious program, and then perform killing on the malicious program bundled with the second file. This process is particularly suited to killing malicious programs bundled with a file that carries a restore driver: the restore driver loses its function entirely, so it can no longer restore the system during a reboot and no longer restores the malicious program either. Therefore the device for killing malicious programs of the embodiments can directly and effectively kill a malicious program bundled with a functional file, without reinstalling the system, switching systems, or booting from other external devices, and still restore the system to normal, greatly improving the efficiency of processing malicious programs.
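The layered stack the embodiments above describe (file system over the bundled restore filter driver over the disk miniport), modelled in Python as an added example; this is not code from the patent or its assignee. Every class and function name, the sector size, the sample driver contents and the NULL_SYS stand-in are constructed assumptions. It shows why an ordinary delete issued through the file system is undone by the restore filter at the next reboot, while the patent's delete-then-write sent directly to the miniport survives it, and it includes the one check a replacement unit needs that the text leaves implicit: nothing below the file system allocates space, so the clean replacement must fit within the original file's extent.

```python
# Added example, not from the patent or its assignee: a toy model of the layered
# Windows disk stack (file system -> restore filter driver -> miniport) showing why
# the patent's "first driver" sends delete/write straight to the miniport.  All
# names, the sector size, the file contents and the NULL_SYS stand-in are constructed.

SECTOR = 512                          # constructed sector size
NULL_SYS = b"MZ-empty-driver-stub"    # constructed stand-in for NULL.SYS


class Miniport:
    """Bottom of the stack: raw sector I/O on an in-memory disk."""
    def __init__(self, sectors=64):
        self.disk = bytearray(SECTOR * sectors)

    def write(self, lba, data):
        self.disk[lba * SECTOR:lba * SECTOR + len(data)] = data

    def read(self, lba, count):
        return bytes(self.disk[lba * SECTOR:(lba + count) * SECTOR])


class RestoreFilter:
    """Stand-in for the bundled restore driver: writes to protected sectors land in
    a scratch overlay discarded at reboot, so the protected file always comes back."""
    def __init__(self, lower, protected_lbas):
        self.lower, self.protected = lower, set(protected_lbas)
        self.overlay, self.intercepted = {}, 0

    def write(self, lba, data):
        for off in range(0, len(data), SECTOR):          # one sector at a time
            s, chunk = lba + off // SECTOR, bytes(data[off:off + SECTOR])
            if s in self.protected:
                self.intercepted += 1
                self.overlay[s] = chunk                  # never reaches the miniport
            else:
                self.lower.write(s, chunk)

    def read(self, lba, count):                          # overlay first: the OS thinks the write stuck
        return b"".join(self.overlay[s] if s in self.overlay else self.lower.read(s, 1)
                        for s in range(lba, lba + count))

    def reboot(self):
        self.overlay.clear()                             # restore semantics


class FileSystem:
    """Top of the stack: name -> sector extent, I/O via whatever driver sits below.
    Directory metadata is kept in memory for brevity."""
    def __init__(self, lower):
        self.lower, self.table, self.next_free = lower, {}, 1   # sector 0 reserved

    @staticmethod
    def pad(data):
        return bytes(data) + b"\x00" * (-len(data) % SECTOR)

    def create(self, name, data):
        data = self.pad(data)
        self.table[name] = (self.next_free, len(data) // SECTOR)
        self.lower.write(self.next_free, data)
        self.next_free += len(data) // SECTOR

    def locate(self, name):          # the acquiring unit's storage location request
        return self.table[name]

    def read(self, name):
        return self.lower.read(*self.table[name])

    def delete(self, name):          # ordinary delete: zero the extent through the stack
        lba, count = self.table[name]
        self.lower.write(lba, b"\x00" * (count * SECTOR))


def build_infected_disk():
    """Constructed scenario: the bundled driver file is on disk, then the restore
    filter protecting its sectors is inserted into the stack."""
    mp = Miniport()
    fs = FileSystem(mp)                      # lay the file down before the filter exists
    fs.create("malware.sys", b"MZ-malicious-restore-driver" * 40)
    lba, count = fs.locate("malware.sys")
    flt = RestoreFilter(mp, range(lba, lba + count))
    fs.lower = flt                           # the normal OS path now runs through the filter
    return mp, flt, fs


def delete_via_filesystem(flt, fs, name):
    """Ordinary delete through the stack; returns what the OS sees after a reboot."""
    fs.delete(name)
    flt.reboot()
    return fs.read(name)


def replace_file_direct(mp, fs, name, replacement):
    """The patent's replacement unit: location from the file system, then delete and
    write straight to the miniport, below the filter.  Nothing down here allocates
    space, so the clean replacement must fit the original extent."""
    lba, count = fs.locate(name)
    replacement = FileSystem.pad(replacement)
    if len(replacement) > count * SECTOR:
        raise ValueError("replacement does not fit the original file's extent")
    mp.write(lba, b"\x00" * (count * SECTOR))   # delete instruction
    mp.write(lba, replacement)                   # write instruction
    return lba, count


def run_demo():
    mp, flt, fs = build_infected_disk()
    after_ordinary = delete_via_filesystem(flt, fs, "malware.sys")
    replace_file_direct(mp, fs, "malware.sys", NULL_SYS)
    flt.reboot()
    return {"survives_ordinary_delete": after_ordinary.startswith(b"MZ-malicious"),
            "filter_interceptions": flt.intercepted,
            "replaced_after_direct_write": fs.read("malware.sys").rstrip(b"\x00") == NULL_SYS}
```

Running `run_demo()` reports that the ordinary delete survived the reboot (the filter intercepted all three sector writes) while the direct replacement did not, which is the whole point of the patent's bypass. The extent check matters in practice: the file system is the only component that knows which sectors belong to the file, so a replacement larger than the original extent would spill into neighbouring data.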
Those skilled in the art will understand that embodiments of the invention may be provided as a method, a system, or a computer program product. Accordingly, the invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
The invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. Thus, if these modifications and variations of the invention fall within the scope of the claims of the invention and their technical equivalents, the invention is also intended to include them.

Claims (11)

1. A method of processing a malicious program, characterized in that it comprises:
parsing the file system in which a first file bundled by the malicious program is located, and obtaining the storage location of the first file;
loading a first driver and, through the first driver, sending instructions to the miniport driver corresponding to the storage location, so as to modify the first file bundled by the malicious program into a second file, wherein the second file is a non-functional driver file not infected by the malicious program;
performing killing processing on the malicious program.
2. The method of claim 1, characterized in that parsing the file system in which the first file bundled by the malicious program is located, and obtaining the storage location of the first file, comprises:
issuing a storage location request instruction for the first file to the file system;
obtaining the storage location of the first file fed back by the file system.
3. The method of claim 1, characterized in that modifying the first file bundled by the malicious program into the second file comprises:
sending, through the first driver, a delete instruction to the miniport driver corresponding to the storage location, so as to delete the first file;
sending, through the first driver, a write instruction to the miniport driver corresponding to the storage location, so as to write the second file at the storage location.
4. The method of claim 1, characterized in that performing killing processing on the malicious program comprises:
sending a restart instruction so that the system restarts and, on restart, loads the non-functional second file for the malicious program;
performing killing on the malicious program that has loaded the second file.
5. The method of claim 1, characterized in that, before obtaining the storage location of the first file bundled by the malicious program, the method further comprises:
scanning the malicious program and the first file bundled by the malicious program;
sending first information about the malicious program and the first file to a cloud server, so that the cloud server updates its information records;
receiving the updated second information about the malicious program and the first file issued by the cloud server;
when it is determined from the second information that the malicious program and the first file are abnormal, reporting a virus.
6. The method of any one of claims 1-5, characterized in that the first file carries a restore driver.
7. A device for processing a malicious program, characterized in that it comprises:
an acquiring unit, for parsing the file system in which a first file bundled by the malicious program is located, and obtaining the storage location of the first file;
a replacement unit, for loading a first driver and, through the first driver, sending instructions to the miniport driver corresponding to the storage location, so as to modify the first file bundled by the malicious program into a second file, wherein the second file is a non-functional driver file not infected by the malicious program;
a killing unit, for performing killing processing on the malicious program.
8. The device of claim 7, characterized in that
the acquiring unit is specifically for issuing a storage location request instruction for the first file to the file system, and obtaining the storage location of the first file fed back by the file system.
9. The device of claim 7, characterized in that
the replacement unit is specifically for sending, through the first driver, a delete instruction to the miniport driver corresponding to the storage location so as to delete the first file, and sending, through the first driver, a write instruction to the miniport driver corresponding to the storage location so as to write the second file at the storage location.
10. The device of claim 7, characterized in that
the killing unit is specifically for sending a restart instruction so that the system restarts and, on restart, loads the non-functional second file for the malicious program, and for performing killing on the malicious program that has loaded the second file.
11. The device of claim 7, characterized in that it further comprises:
a detecting unit, for scanning the malicious program and the first file bundled by the malicious program, sending first information about the malicious program and the first file to a cloud server so that the cloud server updates its information records, receiving the updated second information about the malicious program and the first file issued by the cloud server, and, when it is determined from the second information that the malicious program and the first file are abnormal, reporting a virus.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310551999.4A CN103593612B (en) 2013-11-08 2013-11-08 A kind of method and device of processing rogue program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310551999.4A CN103593612B (en) 2013-11-08 2013-11-08 A kind of method and device of processing rogue program

Publications (2)

Publication Number Publication Date
CN103593612A true CN103593612A (en) 2014-02-19
CN103593612B CN103593612B (en) 2016-05-18

Family

ID=50083745

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310551999.4A Active CN103593612B (en) 2013-11-08 2013-11-08 A kind of method and device of processing rogue program

Country Status (1)

Country Link
CN (1) CN103593612B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030093692A1 (en) * 2001-11-13 2003-05-15 Porras Phillip A. Global deployment of host-based intrusion sensors
CN102902921A (en) * 2012-09-18 2013-01-30 北京奇虎科技有限公司 Method and device for detecting and eliminating computer viruses
CN102930201A (en) * 2012-09-29 2013-02-13 北京奇虎科技有限公司 Method and device for processing rogue program of master boot record

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106127052A (en) * 2016-06-30 2016-11-16 北京奇虎科技有限公司 The recognition methods of rogue program and device
CN110855657A (en) * 2019-11-07 2020-02-28 深圳市高德信通信股份有限公司 Network security control system for computer network
CN110855657B (en) * 2019-11-07 2021-05-18 深圳市高德信通信股份有限公司 Network security control system for computer network

Also Published As

Publication number Publication date
CN103593612B (en) 2016-05-18

Legal Events

Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder
    Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
    Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
    Patentee after: Beijing Qizhi Business Consulting Co.,Ltd.
    Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
    Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
    Patentee before: Qizhi software (Beijing) Co.,Ltd.
TR01 Transfer of patent right
    Effective date of registration: 20220328
    Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing
    Patentee after: Sanliu0 Digital Security Technology Group Co.,Ltd.
    Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
    Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
    Patentee before: Beijing Qizhi Business Consulting Co.,Ltd.