Method and device for processing malicious program
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and an apparatus for processing a malicious program.
Background
As antivirus technology has matured, ordinary malicious programs can rarely escape detection and removal. Since restore-type driver technology became publicly known, however, malicious programs have begun to use it to defeat antivirus software. Specifically, a file carrying a restore driver is bundled with the malicious program; once the malicious program infects a system, the disk holding the infected system is placed in restore mode. Existing antivirus software can still detect the malicious program, but it removes the malicious program and its bundled file through the file system, and the bundled restore driver, a disk filter driver sitting below the file system, intercepts the removal operation for the very file that carries it. After a restart every operation has been rolled back, the malicious program is still present, and the removal fails.
Existing antivirus software therefore has no effect on a system infected with a malicious program bundled with a restore driver. At present such a malicious program can only be removed by reinstalling the system, or by booting from a USB flash drive and replacing the restore driver with a clean driver to recover the system. Both methods are cumbersome and time-consuming.
A genuinely effective and fast way to detect and remove malicious programs bundled with a restore driver is therefore lacking.
Disclosure of Invention
The invention provides a method and an apparatus for processing a malicious program, which improve the efficiency of detecting and removing the malicious program.
The invention provides a method for processing a malicious program, which comprises the following steps:
analyzing the file system in which a first file bundled with the malicious program is located, to obtain the storage location of the first file;
loading a first driver, and sending an instruction through the first driver to the miniport driver corresponding to the storage location, to modify the first file bundled with the malicious program into a second file, wherein the second file is a non-functional driver file that is not infected with the malicious program; and
detecting and removing the malicious program.
The invention provides a device for processing malicious programs, which comprises:
an acquisition unit, configured to analyze the file system in which a first file bundled with the malicious program is located and to acquire the storage location of the first file;
a replacing unit, configured to load a first driver, send an instruction through the first driver to the miniport driver corresponding to the storage location, and modify the first file bundled with the malicious program into a second file, wherein the second file is a non-functional driver file that is not infected with the malicious program; and
a removal unit, configured to detect and remove the malicious program.
In the invention, the malicious program that has infected a system is bundled with a first file. The storage location of the first file is obtained first; a first driver is then loaded, and an instruction is sent through the first driver directly to the miniport driver corresponding to that storage location, so that the first file is replaced by a second file that is not infected with the malicious program and has no function; the malicious program is then detected and removed. Whatever function the first file bundled with the malicious program has, it can thus be replaced directly through the port driver, without going through the file system. The non-functional, uninfected second file that replaces it has no adverse effect on the system, so the malicious program, now bundled with a file that does nothing, can be removed directly and the system restored to normal. The system does not need to be reinstalled or booted from external media, and the efficiency of removing the malicious program and restoring the system is greatly improved.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
The technical solution of the present invention is further described in detail by the accompanying drawings and embodiments.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
FIG. 1 is a flowchart of a method for processing a malicious program according to a first embodiment of the present invention;
FIG. 2 is a flowchart of a method for processing a malicious program according to a second embodiment of the present invention;
FIG. 3 is a flowchart of a method for processing a malicious program according to a third embodiment of the present invention;
FIG. 4 is a schematic diagram of a system infected with a malicious program bundled with a restore driver file according to the third embodiment of the present invention;
FIG. 5 is a schematic diagram of the processing of the malicious program according to the third embodiment of the present invention;
FIG. 6 is a schematic diagram of the system after recovery, once the malicious program has been processed according to the third embodiment of the present invention;
FIG. 7 is a block diagram of an apparatus for processing a malicious program according to a fourth embodiment of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in conjunction with the accompanying drawings, and it will be understood that they are described herein for the purpose of illustration and explanation and not limitation.
In the embodiments of the invention, when a system is infected with a malicious program bundled with a first file, a first driver can be loaded that communicates directly with the miniport driver corresponding to the storage location of the first file, and the first file is replaced by a non-functional second file. Whatever function the first file had, the system is then unaffected by it, and the malicious program, now bundled with a file that does nothing, can be removed directly. The ability to remove the malicious program is thereby improved.
For example, the first file carries the restore driver mentioned in the background, that is, the first file functions as a restore driver. After a system has been infected with a malicious program bundled with this first file, the prior art can remove the first file stored on the physical disk only through the file system: a file deletion request is passed down layer by layer until it reaches the physical disk, along the path operating system application programming interface -> kernel dispatch routine -> file system -> volume manager -> disk filter driver -> disk class driver -> disk port driver and miniport driver -> physical disk. When the first file functions as a restore driver, the restore driver intercepts the deletion request at the disk filter driver layer and redirects it to a different location on the physical disk. For example, a request that should operate on the first file stored in sector 100 of the hard disk is redirected to sector 1000, so the operation lands on the idle data in sector 1000 while sector 100 is left untouched; after a restart the first file still exists, and the malicious program bundled with it cannot be removed.
Existing antivirus software therefore cannot remove a malicious program bundled with a restore driver file. In the embodiments of the invention, by contrast, a first driver is loaded that issues file operation instructions directly to the disk miniport driver layer; the first file is replaced through the disk miniport driver, the disk filter driver layer at which the restore driver intercepts requests is bypassed, the restore driver becomes ineffective, and the malicious program can be removed. The removal process is described below with reference to the accompanying drawings.
First embodiment: referring to FIG. 1, a process for processing a malicious program includes:
Step 101: analyzing the file system in which the first file bundled with the malicious program is located, and acquiring the storage location of the first file.
After the system is infected with the malicious program bundled with the first file, the storage location of the first file must be obtained. The first file may be a file carrying a restore driver, or a file with some other function. The storage location is expressed as sectors of a physical disk or of another physical storage medium.
The storage location can be obtained through the file system: the file system in which the first file bundled with the malicious program is located is queried, and the storage location of the first file is obtained from it. Specifically, a storage location retrieval instruction for the first file is issued to the file system, and the storage location of the first file returned by the file system is received.
The storage location of the first file may of course be obtained in other ways, for example by having existing antivirus software analyze the file system in which the first file bundled with the malicious program is located and report the storage location.
Step 102: loading a first driver, and sending an instruction through the first driver to the miniport driver corresponding to the storage location, so as to modify the first file bundled with the malicious program into a second file that is not infected with the malicious program and has no function.
In the embodiments of the invention the first driver sends instructions directly to the miniport driver corresponding to the storage location in order to operate on the file. The first driver is therefore a pass-through driver, and before the first file is modified, a pass-through driver that can communicate directly with the miniport driver corresponding to the storage location must be loaded.
Once the storage location of the first file is known, instructions can be sent through the pass-through driver directly to the miniport driver corresponding to that location, and the file operation is performed on the first file. Here the first file is modified into a second file, the second file being a non-functional driver file that is not infected with the malicious program.
Specifically, a deletion instruction is sent through the pass-through driver to the miniport driver corresponding to the storage location to delete the first file, and a write instruction is then sent through the pass-through driver to the same miniport driver to write the second file at that storage location. At this layer the miniport driver handles sectors rather than files, so the deletion and the write both take the form of sector writes to the location previously occupied by the first file; the file system's own metadata for the file is left as it was.
The pass-through driver can thus read, write and delete directly at the storage location through the corresponding miniport driver. The first file is replaced by a clean, non-functional second file at the miniport driver layer, without passing through the layered file system stack above it; in other words, the upper layers above the storage location are bypassed.
Step 103: detecting and removing the malicious program.
Since the first file has been replaced by a clean, non-functional second file, the existing detection and removal flow can now be applied to the malicious program. Specifically:
a restart instruction is sent to restart the system. On restart the malicious program loads the non-functional second file instead of the first file, so the malicious program, now loaded with the second file, can be removed directly.
Specifically, removal may be performed by file cleaning or similar means, and the cleaning process may include one or more of the following: deleting the file containing the malicious program, that is, deleting the infected file outright; modifying the entry point address of the infected file, for example the entry point address of an infected portable executable (PE) file; writing data blocks into a specific region of the infected file, that is, filling that region; copying data blocks within the infected file; deleting a specific section of the infected file and adjusting the file format accordingly, for example deleting a designated section of an infected PE file and adjusting the format to match; deleting data of a specific size at the head and/or tail of the infected file; and setting the size of the infected file.
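As an added example of the entry point operation in the list above (it is not code from the patent or from any product it mentions), the following C program locates the AddressOfEntryPoint field of a PE image, reports which section the current entry point falls in, and rewrites the field. The image is a constructed minimal PE32 header with two sections, and its entry point has been redirected into the second section, as an infector appending its own code would do; the original entry RVA (0x1000, the start of .text) is assumed to be known from elsewhere, since recovering it from the infector's stub is specific to each family. Offsets follow the PE format (e_lfanew at 0x3C, AddressOfEntryPoint 16 bytes into the optional header, 40-byte section headers), and every field is bounds-checked against the buffer before it is read.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* PE fields are little-endian regardless of host; read/write them byte-wise. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Offset of the optional header, after validating the MZ/PE headers against
 * the buffer length. Returns 0 on a malformed or truncated image. */
size_t pe_optional_header(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t e_lfanew = rd32(img + 0x3C);
    if (e_lfanew > len - 24) return 0;                 /* room for "PE\0\0" + file header */
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0) return 0;
    size_t opt = e_lfanew + 24;
    uint16_t opt_size = rd16(img + e_lfanew + 20);      /* SizeOfOptionalHeader */
    if (opt_size < 20 || opt_size > len || opt > len - opt_size) return 0;
    uint16_t magic = rd16(img + opt);
    if (magic != 0x10B && magic != 0x20B) return 0;     /* PE32 or PE32+ */
    return opt;
}

/* AddressOfEntryPoint (an RVA), or UINT32_MAX if the image is malformed. */
uint32_t pe_get_entry(const uint8_t *img, size_t len) {
    size_t opt = pe_optional_header(img, len);
    return opt ? rd32(img + opt + 16) : UINT32_MAX;
}

/* Rewrite AddressOfEntryPoint; 0 on success, -1 on a malformed image. */
int pe_set_entry(uint8_t *img, size_t len, uint32_t rva) {
    size_t opt = pe_optional_header(img, len);
    if (!opt) return -1;
    wr32(img + opt + 16, rva);
    return 0;
}

/* Index of the section whose virtual range contains rva, or -1 if none does.
 * Walking the section table tells a cleaner whether the entry point still
 * lies in the code section or has been pointed at appended data. */
int pe_section_of(const uint8_t *img, size_t len, uint32_t rva) {
    size_t opt = pe_optional_header(img, len);
    if (!opt) return -1;
    size_t e_lfanew = opt - 24;
    uint16_t nsec = rd16(img + e_lfanew + 6);           /* NumberOfSections */
    size_t sec = opt + rd16(img + e_lfanew + 20);       /* first IMAGE_SECTION_HEADER */
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        if (sec + 40 > len) return -1;
        uint32_t vsize = rd32(img + sec + 8), vaddr = rd32(img + sec + 12);
        if (rva >= vaddr && rva - vaddr < vsize) return (int)i;
    }
    return -1;
}

/* Constructed sample: a minimal PE32 header with a .text section at RVA 0x1000
 * and a second section at RVA 0x3000, entry point set to entry_rva. The
 * headers are valid for parsing; no section bodies are included. */
size_t build_sample_pe(uint8_t *buf, size_t cap, uint32_t entry_rva) {
    const size_t e_lfanew = 0x80, opt_size = 0xE0;      /* PE32 optional header size */
    size_t total = e_lfanew + 24 + opt_size + 2 * 40;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, (uint32_t)e_lfanew);
    memcpy(buf + e_lfanew, "PE\0\0", 4);
    wr16(buf + e_lfanew + 4, 0x14C);                    /* IMAGE_FILE_MACHINE_I386 */
    wr16(buf + e_lfanew + 6, 2);                        /* NumberOfSections */
    wr16(buf + e_lfanew + 20, (uint16_t)opt_size);
    uint8_t *opt = buf + e_lfanew + 24;
    wr16(opt, 0x10B);                                   /* PE32 magic */
    wr32(opt + 16, entry_rva);                          /* AddressOfEntryPoint */
    uint8_t *sec = opt + opt_size;
    memcpy(sec, ".text", 5);      wr32(sec + 8, 0x200);  wr32(sec + 12, 0x1000);
    memcpy(sec + 40, ".xtra", 5); wr32(sec + 48, 0x100); wr32(sec + 52, 0x3000);
    return total;
}

int main(void) {
    uint8_t img[512];
    size_t len = build_sample_pe(img, sizeof img, 0x3000);   /* entry redirected */
    uint32_t ep = pe_get_entry(img, len);
    printf("entry 0x%x in section %d\n", (unsigned)ep, pe_section_of(img, len, ep));
    pe_set_entry(img, len, 0x1000);                           /* point it back at .text */
    ep = pe_get_entry(img, len);
    printf("entry 0x%x in section %d\n", (unsigned)ep, pe_section_of(img, len, ep));
    return 0;
}
```

The section lookup is what makes the rewrite safe to apply: if the entry point already lies in the code section, the file is not an entry-point hijack and the other cleaning operations in the list apply instead.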
In the embodiments of the invention, therefore, an instruction is sent through the first driver, namely the pass-through driver, directly to the miniport driver corresponding to the storage location; the first file is replaced by a clean, non-functional second file, and the malicious program bundled with the second file is removed directly, without reinstalling the system or booting it from external media. The efficiency of removing the malicious program and restoring the system to normal is thereby greatly improved.
Second embodiment: in this process, the system is first found to be infected with a malicious program bundled with a first file, and removal is then carried out. Referring to FIG. 2, the process for processing the malicious program in this embodiment includes:
Step 201: detecting and reporting the malicious program and the first file bundled with it.
In this embodiment it is detected that the system is infected with a malicious program bundled with a first file; the malicious program and the first file may be detected and reported, or the first file bundled with the malicious program may be reported and displayed. Specifically:
the malicious program and the first file bundled with it are scanned; first information about the malicious program and the first file is sent to a cloud server; the cloud server updates its information records; updated second information about the malicious program and the first file is received from the cloud server; and when the malicious program and the first file are determined to be abnormal according to the second information, a virus is reported.
The characteristics of the malicious program may comprise many pieces of information: the file name, a digest of the program file, the file size, signature information, version information and other file attributes, and possibly also context attributes of the program file, such as the directory in which it resides, its start-up entry in the registry, and the attributes of other files in the same directory or in a specified directory. Alternatively, the file name or the full content of the malicious program is mapped to a characteristic value, for example the MD5 (Message-Digest Algorithm 5) or SHA-1 hash of the full file or of its signature. The first information about the malicious program and the first file accordingly includes one or more of the above.
For example, a virus scanning task is started, the scanning operation is executed on the object to be scanned, an index identifier of each scanned file is computed as the first information, and the index identifier is sent to the cloud server. The cloud server updates its information records and issues the updated second information; here the script that the index identifier resolves to for the scanned file may be issued as the second information.
The scanning task may be started on a timer or triggered by user operation: the scanning unit starts the task periodically, or starts it on receiving a user instruction. The objects scanned may include memory, boot sectors, the BIOS (basic input/output system), and so on.
After receiving the reported scan result, the cloud server analyzes it further by comparing it against an existing malicious program detection database, determines from the comparison whether the scanned file is a malicious program, and sends back the verdict (for example malicious, safe, unknown or suspicious) and/or repair logic matching the scan result as the second information, so that the client determines locally from the second information whether the file is abnormal and then reports the virus. The cloud server decides whether the scanned file is a malicious program according to the comparison information and its stored cloud identification conditions. These conditions can be upgraded: when the update condition is met they are updated on the server, without any client update, and take effect immediately. Specifically, an upgrade condition may be configured on the server; the server periodically checks whether the cloud identification conditions satisfy the upgrade condition and, when they do, directly obtains a new set of identification conditions and replaces the original set with it. The upgrade condition may be based on the file version of the local identification conditions, for example upgrading whenever a newer version exists, or upgrading to a specified version when the local version meets a certain condition.
In this implementation the cloud server may also send the comparison information itself as the second information; the client then performs the judgment locally according to the second information, determines whether there is an abnormality from the judgment result, and reports the virus.
The invention may of course also perform scanning, judgment and updating locally, without reporting to or updating from the cloud server.
Local and cloud processing are not mutually exclusive. In this embodiment the cloud server's verdict classifies the scanned file as malicious, safe, unknown or suspicious, so a security level must be preset for the file; the levels are a safe level, an unknown level, a suspicious/highly suspicious level and a malicious level. For example, levels 10 to 29 may be defined as safe (white files), 30 to 49 as unknown (grey files), 50 to 69 as suspicious/highly suspicious (suspicious files), and 70 or above as malicious (malicious files). The levels may of course be defined in other ways; the invention is not limited in this respect. Specifically, EXE files and hijacked DLL files may be handled by a cloud scanning engine for Portable Executable (PE) files or by an artificial intelligence engine (QVM). PE files are in general the program files of the Windows operating system; common PE file types include EXE, DLL, OCX, SYS and COM files.
Step 202: issuing a storage location retrieval instruction for the first file to the file system.
In this embodiment the storage location of the first file is obtained by querying the file system in which the first file is located, so a storage location retrieval instruction for the first file is issued to the file system.
Step 203: acquiring the storage location of the first file returned by the file system.
On receiving the storage location request for the first file, the file system returns the storage location of the first file directly.
Step 204: loading the first driver, and sending a deletion instruction through the first driver to the miniport driver corresponding to the storage location, so as to delete the first file.
The first file may carry a restore driver or have some other function that affects the system, so it must be deleted during removal.
Step 205: sending a write instruction through the first driver to the miniport driver corresponding to the storage location, and writing at that storage location a second file that is not infected with the malicious program and has no function.
After the first file is deleted, the registry may still reflect changes made by the first file; in particular, a corresponding driver may be registered there. For example, if the first file carries the restore driver, that driver is registered in the registry, and although the first file has been deleted, the system restarts into a blue screen or some other failure to load normally. The first file must therefore be replaced by a clean, non-functional second file, that is, a non-functional driver file: the clean, non-functional second file is written at the original storage location of the first file through the first driver, the pass-through driver, so that no load failure occurs on restart.
Step 206: sending a restart instruction to restart the system; on restart the malicious program loads the non-functional second file.
Since the first file has been replaced by a clean, non-functional second file, the malicious program can be removed in this embodiment by the normal removal process, which includes sending a restart instruction to restart the system, whereupon the malicious program loads the non-functional second file.
Step 207: removing the malicious program that has loaded the second file.
The malicious program is now bundled with the clean, non-functional second file. The second file does not affect the system, no instruction interception or system restoration occurs, and the malicious program can be removed directly so that the system's original function is restored. The specific removal process includes the cleaning process described in the embodiment above.
The system can thus be restored to normal without being reinstalled or booted from external media, and the efficiency of removing the malicious program is greatly improved.
Third embodiment: in this embodiment the system runs Windows, the first file carries the Aodun restore driver, the malicious program is bundled with the first file, and the first file is stored in particular disk sectors of the Windows system's C drive. Referring to FIG. 3, the process for processing the malicious program in this embodiment includes:
Step 301: detecting, in the Windows environment, that the system disk C is infected with a malicious program bundled with a file carrying the restore driver.
The malicious program is bundled with the first file, and the first file carries the Aodun restore driver, so after infection the system disk C is placed in restore mode; as shown in FIG. 4, a restore arrow is displayed on disk C.
Specifically, a scheduled virus scan can establish that the system disk C is infected with a malicious program bundled with a file carrying a restore driver. The restore driver has characteristic information of its own, and from that information it can be determined that the first file in this embodiment carries the restore driver.
Step 302: issuing the storage location retrieval instruction FSCTL_GET_RETRIEVAL_POINTERS to the file system.
On a Windows system the storage location retrieval instruction, specifically the FSCTL_GET_RETRIEVAL_POINTERS control code, can be issued through the file system.
Step 303: acquiring from the file system the disk sectors in which the file carrying the restore driver is located.
After FSCTL_GET_RETRIEVAL_POINTERS is issued to the file system, the cluster chain occupied by the first file is obtained (the control code returns the file's mapping from virtual clusters to logical clusters on the volume), and from it, using the volume's cluster size and its offset on the physical disk, the disk sectors in which the first file is located.
Step 304: loading the first driver, sending a deletion instruction through the first driver to the miniport driver corresponding to the disk sectors, and deleting the file carrying the restore driver.
Here the file carrying the restore driver is the first file carrying the Aodun restore driver.
Step 305: sending a write instruction through the first driver to the miniport driver corresponding to the disk sectors, and writing NULL.SYS.
The restore driver is a Windows disk filter driver. A characteristic of such a driver is that if it is registered in the registry but its file is missing, or cannot be loaded normally, the system halts with bug check 0x7B, INACCESSIBLE_BOOT_DEVICE. So although the first file carrying the restore driver was deleted in the previous step, it is replaced by a clean, non-functional file, so that on start-up an empty driver corresponding to that file is loaded instead. NULL.SYS, which Microsoft ships in the Windows system drivers directory (System32\drivers), can be used as the replacement: NULL.SYS has the skeleton of a driver and loads cleanly, but performs no function that touches the disk.
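As an added illustration of steps 302 to 305, not taken from the patent or from any product it mentions, the following C program shows the two computations a pass-through driver relies on: converting the virtual-cluster-to-logical-cluster map returned by FSCTL_GET_RETRIEVAL_POINTERS into absolute sector ranges on the physical disk, and overwriting exactly those sectors with the replacement driver image. The buffer layout mirrors Windows' RETRIEVAL_POINTERS_BUFFER but is declared locally so the program builds on any platform; the disk is a constructed in-memory image standing in for the miniport write path (a real driver would issue one sector-aligned write per range), and the geometry values (512-byte sectors, 8 sectors per cluster, volume starting at LBA 64) are assumptions. Because the write happens below the file system, the file's recorded size and metadata are unchanged, so the replacement must fit the clusters already allocated to the first file and the rest of the allocation is zero-filled; a run whose LCN is -1 has no sectors on disk and is skipped.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the layout of Windows' RETRIEVAL_POINTERS_BUFFER, which
 * FSCTL_GET_RETRIEVAL_POINTERS fills in: extent i covers virtual clusters
 * from the previous NextVcn (StartingVcn for i = 0) up to Extents[i].NextVcn
 * and starts at logical cluster Extents[i].Lcn; an Lcn of -1 is a hole with
 * no disk space behind it. Declared locally so the program builds anywhere. */
typedef struct { int64_t NextVcn; int64_t Lcn; } Extent;
typedef struct { uint32_t ExtentCount; int64_t StartingVcn; Extent Extents[8]; } RetrievalPointers;

typedef struct {
    uint32_t bytes_per_sector;     /* disk geometry */
    uint32_t sectors_per_cluster;  /* volume cluster size in sectors */
    uint64_t volume_start_lba;     /* where the volume begins on the physical disk */
} Geometry;

typedef struct { uint64_t lba; uint64_t sectors; } LbaRange;

/* Translate the cluster map into absolute physical-disk sector ranges.
 * Returns the number of ranges stored in out, or -1 on a malformed map or
 * if out has no room. */
int extents_to_lba(const RetrievalPointers *rp, const Geometry *g, LbaRange *out, int max_out) {
    int n = 0;
    int64_t vcn = rp->StartingVcn;
    for (uint32_t i = 0; i < rp->ExtentCount; i++) {
        const Extent *e = &rp->Extents[i];
        int64_t clusters = e->NextVcn - vcn;
        if (clusters <= 0) return -1;        /* VCNs must increase */
        vcn = e->NextVcn;
        if (e->Lcn < 0) continue;            /* hole: nothing on disk to overwrite */
        if (n == max_out) return -1;
        out[n].lba = g->volume_start_lba + (uint64_t)e->Lcn * g->sectors_per_cluster;
        out[n].sectors = (uint64_t)clusters * g->sectors_per_cluster;
        n++;
    }
    return n;
}

/* Overwrite the sectors allocated to the first file with the replacement
 * image, zero-filling the rest of the allocation. 'disk' is an in-memory
 * stand-in for the physical disk behind the port/miniport driver; a real
 * pass-through driver issues one sector-aligned write request per range.
 * Returns 0 on success, -1 if a range lies outside the disk or the image is
 * larger than the allocation (the size NTFS records for the file is untouched
 * at this layer, so the file cannot be grown here). */
int replace_in_place(uint8_t *disk, uint64_t disk_sectors, const Geometry *g,
                     const LbaRange *ranges, int n, const uint8_t *image, size_t image_len) {
    uint64_t allocated = 0;
    for (int i = 0; i < n; i++) {
        if (ranges[i].lba + ranges[i].sectors > disk_sectors) return -1;
        allocated += ranges[i].sectors * g->bytes_per_sector;
    }
    if (image_len > allocated) return -1;
    size_t done = 0;
    for (int i = 0; i < n; i++) {
        uint8_t *dst = disk + ranges[i].lba * g->bytes_per_sector;
        size_t span = (size_t)(ranges[i].sectors * g->bytes_per_sector);
        size_t take = image_len - done < span ? image_len - done : span;
        memcpy(dst, image + done, take);
        memset(dst + take, 0, span - take);
        done += take;
    }
    return 0;
}

/* Constructed sample: a 256 KiB disk, volume starting at LBA 64, and a file
 * whose three clusters lie in two runs (VCN 0-1 at LCN 10, VCN 2 at LCN 30). */
static uint8_t g_disk[512 * 512];
static const Geometry g_geom = { 512, 8, 64 };
static const RetrievalPointers g_rp = { 2, 0, { { 2, 10 }, { 3, 30 } } };

int main(void) {
    LbaRange r[8];
    int n = extents_to_lba(&g_rp, &g_geom, r, 8);
    for (int i = 0; i < n; i++)
        printf("run %d: LBA %llu, %llu sectors\n", i,
               (unsigned long long)r[i].lba, (unsigned long long)r[i].sectors);
    uint8_t image[9000];                         /* stands in for the replacement driver */
    memset(image, 0xAB, sizeof image);
    int rc = replace_in_place(g_disk, sizeof g_disk / 512, &g_geom, r, n, image, sizeof image);
    printf("replace: %s\n", rc == 0 ? "ok" : "failed");
    return 0;
}
```

Raw writes made this way bypass the file system cache, so the file system may keep serving the old content until the volume is remounted; the restart in step 306 takes care of that, and it is also why the replacement must be a driver that loads cleanly, since it is what the registry entry will resolve to on the next boot.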
Step 306: sending a restart instruction to restart the system, and loading NULL.SYS.
The first file carrying the Aodun restore driver has been replaced by the NULL.SYS file, so when the system restarts, NULL.SYS is loaded by the malicious program. NULL.SYS has no effect on the system, and no load failure occurs.
The specific removal process is shown in FIG. 5.
Step 307: removing the malicious program that has loaded NULL.SYS.
Since the file bundled with the malicious program no longer affects the system, the malicious program in this embodiment can be removed by a normal removal procedure. Once the malicious program is removed the system returns to normal, and the restore arrow on the system's disk C disappears, as shown in FIG. 6.
The malicious program processing method described above can form the basis of new antivirus software capable of removing malicious programs bundled with functional files, and in particular malicious programs bundled with files that have a restore function. During removal the pass-through technique is used: the bundled functional file is replaced with a clean, non-functional file directly at the disk miniport through the first driver, the pass-through driver, and the malicious program is then removed. The system is restored to normal without being reinstalled, switched, or booted from external media, and the efficiency of removing the malicious program is greatly improved.
Example four: according to the above procedure for dealing with malicious programs, an apparatus for dealing with malicious programs can be constructed, as shown in fig. 7, the apparatus includes: an obtaining unit 710, a replacing unit 720, and a searching and killing unit 730. Wherein,
the obtaining unit 710 is configured to analyze a file system where the first file bound by the malicious program is located, and obtain a storage location where the first file is located.
A replacing unit 720, configured to load the first driver and, through the first driver, send an instruction to the miniport driver corresponding to the storage location so as to replace the first file bundled with the malicious program by a second file, where the second file is a non-functional driver file that is not infected by the malicious program.
A searching and killing unit 730, configured to search for and kill the malicious program.
Specifically, when acquiring the storage location of the first file, the acquiring unit 710 may be configured to issue a storage-location retrieval instruction for the first file to the file system and to receive the storage location of the first file that the file system returns. Of course, the acquiring unit 710 may also obtain the storage location of the first file in other ways, for example from existing antivirus software.
Because the first file may affect the functioning of the system, it must be replaced by a clean, non-functional second file. Accordingly, the replacing unit 720 is specifically configured to send, through the first driver, a delete instruction to the miniport driver corresponding to the storage location so as to delete the first file, and to send, through the first driver, a write instruction to the same miniport driver so as to write the second file at that storage location. In this embodiment, operations on the file, such as deleting, writing and reading, are performed by the first driver interfacing directly with the miniport driver corresponding to the storage location, rather than passing layer by layer through the file system stack. Consequently, even if the first file carries the restore driver, the operation commands for the first file never pass through the storage filter driver in which the restore driver sits, the restore driver cannot intercept them, and the first file can be deleted and replaced.
After the first file has been replaced, the searching and killing unit 730 is specifically configured to send a restart instruction and restart the system, so that on restart the malicious program loads the non-functional second file; the malicious program, now bound to the second file, is then searched for and killed.
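The "storage location retrieval instruction" that the acquiring unit 710 issues to the file system in the first step above can be realised on Windows with the FSCTL_GET_RETRIEVAL_POINTERS control code, which returns the cluster extents a file occupies on the volume. The following Python script is an added example and not code from the patent; the mapping of the patent's "storage location" to that FSCTL, the 4096-byte cluster size and the sample buffer are assumptions, and the parser is exercised on a constructed buffer so it runs offline while the query function itself only works on Windows.

```python
import struct
import sys

# CTL_CODE(FILE_DEVICE_FILE_SYSTEM=9, function 28, METHOD_NEITHER, FILE_ANY_ACCESS)
FSCTL_GET_RETRIEVAL_POINTERS = 0x00090073
UNALLOCATED_LCN = -1  # Lcn reported for sparse/compressed holes: no clusters on disk

def parse_retrieval_pointers(buf: bytes):
    """Decode RETRIEVAL_POINTERS_BUFFER into (start_vcn, next_vcn, lcn) triples.
    Layout: DWORD ExtentCount, 4 pad bytes, LARGE_INTEGER StartingVcn, then
    ExtentCount x {LARGE_INTEGER NextVcn, LARGE_INTEGER Lcn}, little-endian."""
    extent_count, vcn = struct.unpack_from("<I4xq", buf, 0)
    extents = []
    for i in range(extent_count):
        next_vcn, lcn = struct.unpack_from("<qq", buf, 16 + 16 * i)
        extents.append((vcn, next_vcn, lcn))
        vcn = next_vcn
    return extents

def extents_to_byte_ranges(extents, cluster_size):
    """Map extents to (volume byte offset, length) pairs; holes own no disk clusters."""
    return [(lcn * cluster_size, (next_vcn - start_vcn) * cluster_size)
            for start_vcn, next_vcn, lcn in extents if lcn != UNALLOCATED_LCN]

def sample_buffer() -> bytes:
    """Constructed sample: VCN 0-3 at LCN 1000, VCN 4-5 unallocated, VCN 6-9 at LCN 2500."""
    return (struct.pack("<I4xq", 3, 0) + struct.pack("<qq", 4, 1000)
            + struct.pack("<qq", 6, -1) + struct.pack("<qq", 10, 2500))

def query_retrieval_pointers(path: str, out_size: int = 64 * 1024) -> bytes:
    """Windows only: ask the file system for the raw RETRIEVAL_POINTERS_BUFFER of `path`."""
    if sys.platform != "win32":
        raise OSError("FSCTL_GET_RETRIEVAL_POINTERS is a Windows file-system control code")
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = wintypes.HANDLE
    # GENERIC_READ, FILE_SHARE_READ|WRITE, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS
    h = k32.CreateFileW(path, 0x80000000, 3, None, 3, 0x02000000, None)
    if h in (None, wintypes.HANDLE(-1).value):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        out, returned = ctypes.create_string_buffer(out_size), wintypes.DWORD(0)
        ok = k32.DeviceIoControl(wintypes.HANDLE(h), FSCTL_GET_RETRIEVAL_POINTERS,
                                 struct.pack("<q", 0), 8, out, out_size, ctypes.byref(returned), None)
        if not ok:  # ERROR_MORE_DATA (234): enlarge out_size for heavily fragmented files
            raise ctypes.WinError(ctypes.get_last_error())
        return out.raw[:returned.value]
    finally:
        k32.CloseHandle(wintypes.HANDLE(h))
```

The byte ranges returned by extents_to_byte_ranges are the volume offsets a lower-level driver would address directly, which is the information the replacing unit needs to act below the file-system filter stack.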
Of course, in the embodiment of the present invention the apparatus may further include a detection unit configured to scan for the malicious program and the first file bundled with it, send first information about the malicious program and the first file to a cloud server so that the cloud server can update its information records, receive second information about the malicious program and the first file returned by the cloud server, and report a virus when the malicious program and the first file are determined to be abnormal according to the second information. In this way the apparatus for processing the malicious program has the complete antivirus function of detecting and killing the malicious program. Of course, the detection unit may also be configured only to detect the malicious program and the first file bundled with it, without reporting to the cloud server.
In the embodiment of the present invention, the apparatus for processing the malicious program uses a bypass (traversing) technique to replace the functional first file with a second file that is neither infected by the malicious program nor functional, and then searches for and kills the malicious program bound to the second file. The process is particularly suited to searching for and killing a malicious program bundled with a file carrying a restore driver: the restore driver completely loses its function, so neither the system nor the malicious program is restored when the system restarts. The apparatus can therefore directly and effectively search for and kill a malicious program bound to a functional file; the system returns to normal without being reinstalled, switched, or started from another external device, and the efficiency of searching for and killing the malicious program is greatly improved.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.