CN103679027A - Searching and killing method and device for kernel level malware - Google Patents


Publication number: CN103679027A
Application number: CN201310652289.0A
Authority: CN (China)
Prior art keywords: data structure, antivirus software, operating system, place ahead, killing
Legal status: Pending (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Other languages: Chinese (zh)
Inventor: 邵坚磊
Current assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Events:
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201310652289.0A
Publication of CN103679027A
Priority to PCT/CN2014/092133 (WO2015081791A1)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files

Abstract

The invention provides a method and device for searching for and killing kernel-level malware, and relates to the technical field of computers. The method includes: obtaining a data structure that records the pointing relationship between the processes currently running in an operating system; locating, in that data structure, the front process and the back process of a loaded antivirus software process, where the front process is the process that the antivirus software process points to and the back process is the process that points to the antivirus software process; and modifying the pointing relationship between the front process and the back process so that the back process points directly to the front process. In this way the antivirus software process is hidden in the data structure the operating system uses to record the pointing relationship between processes, so a malicious program cannot obtain the antivirus software's process information by reading that data structure and cannot terminate the antivirus software process. This ensures that the antivirus software can search for and kill the malicious program normally; the hidden antivirus software then searches for and kills malware on the operating system, improving security.

Description

Method and apparatus for searching and killing kernel-level malware
Technical field
The present invention relates to the field of computer technology, and in particular to a method and apparatus for searching and killing kernel-level malware.
Background technology
As antivirus software has matured, viruses and Trojans have moved from the passive behaviours of the past, such as evading detection, to active countermeasures such as terminating antivirus software processes. A malicious program can scan the processes running in the operating system for the names of antivirus software and terminate the antivirus software's processes, so that the antivirus software cannot perform virus killing.
For example, the viruses ranked first and second among the ten most rampant computer viruses in China in 2012, the Ghost series and the AV (Anti-Virus) Terminator series, both terminate antivirus software processes, making them extremely difficult to kill once a system is infected. After infecting a system, these viruses load a driver that enumerates all processes and terminates any it recognises as an antivirus process. Because this is done at kernel level, countering it is very difficult.
Some existing schemes provide special-purpose killing tools that are renamed before use, but since any software offered for user download can also be obtained by malware authors, the renamed tool can still be added to the Trojan's termination list.
Otherwise, the user can only be allowed to manually rename the antivirus software to a random name before starting it, which is very inconvenient; moreover, much antivirus software implements its self-protection on the basis of its name, so renaming also defeats the self-protection.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a method and a corresponding apparatus for searching and killing kernel-level malware that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a method for searching and killing kernel-level malware is provided, comprising:
obtaining a data structure that records the pointing relationship between the processes currently running in the operating system;
locating, in the data structure, the front process and the back process of a loaded antivirus software process, where the front process is the process that the antivirus software process points to and the back process is the process that points to the antivirus software process;
modifying the pointing relationship between the front process and the back process so that the back process points directly to the front process;
searching and killing malware on the operating system by means of the hidden antivirus software.
Optionally, obtaining the data structure that records the pointing relationship between the processes currently running in the operating system comprises:
receiving a user request to search for and kill kernel-level malware;
performing, by a protection tool started in advance, the operation of obtaining the data structure that records the pointing relationship between the processes currently running in the operating system.
Optionally, obtaining the data structure that records the pointing relationship between the processes currently running in the operating system comprises:
reading, in memory, the doubly linked list that records the process information of the processes currently running in the operating system;
reading, in the doubly linked list, the data structure that records the pointing relationship between processes.
Optionally, the doubly linked list is the PsActiveProcessList linked list.
Optionally, the data structure is the EPROCESS structure;
where the EPROCESS structure contains a LIST_ENTRY structure, the LIST_ENTRY structure contains the pointer members FLINK and BLINK, the pointer recorded in FLINK points to the front process of the process belonging to the current EPROCESS structure, and the pointer recorded in BLINK points to the back process of the process belonging to the current EPROCESS structure.
Optionally, locating, in the data structure, the front process and the back process of the loaded antivirus software process comprises:
finding the EPROCESS structure corresponding to the loaded antivirus software process;
reading the pointers recorded in the pointer members FLINK and BLINK of that EPROCESS structure;
locating the front process and the back process of the antivirus software by means of the pointers recorded in the pointer members FLINK and BLINK.
Optionally, locating, in the data structure, the front process and the back process of the loaded antivirus software process comprises:
removing the antivirus software process's own entry from the doubly linked list.
Optionally, removing the antivirus software process's own entry from the doubly linked list comprises:
modifying the pointer recorded in BLINK of the EPROCESS structure corresponding to the front process so that it points to the back process;
modifying the pointer recorded in FLINK of the EPROCESS structure corresponding to the back process so that it points to the front process.
According to one aspect of the present invention, an apparatus for searching and killing kernel-level malware is also provided, comprising:
a data structure acquisition module, configured to obtain a data structure that records the pointing relationship between the processes currently running in the operating system;
a process locating module, configured to locate, in the data structure, the front process and the back process of a loaded antivirus software process, where the front process is the process that the antivirus software process points to and the back process is the process that points to the antivirus software process;
a pointing relationship modification module, configured to modify the pointing relationship between the front process and the back process so that the back process points directly to the front process;
a killing module, configured to search and kill malware on the operating system by means of the hidden antivirus software.
Optionally, the data structure acquisition module is configured to obtain the data structure that records the pointing relationship between the processes currently running in the operating system in the following manner:
receiving a user request to search for and kill kernel-level malware;
performing, by a protection tool started in advance, the operation of obtaining the data structure that records the pointing relationship between the processes currently running in the operating system.
Optionally, the data structure acquisition module comprises:
a linked list acquisition unit, configured to read, in memory, the doubly linked list that records the process information of the processes currently running in the operating system;
a data structure reading unit, configured to read, in the doubly linked list, the data structure that records the pointing relationship between processes.
Optionally, the doubly linked list obtained by the linked list acquisition unit is the PsActiveProcessList linked list.
Optionally, the data structure is the EPROCESS structure;
where the EPROCESS structure contains a LIST_ENTRY structure, the LIST_ENTRY structure contains the pointer members FLINK and BLINK, the pointer recorded in FLINK points to the front process of the process belonging to the current EPROCESS structure, and the pointer recorded in BLINK points to the back process of the process belonging to the current EPROCESS structure.
Optionally, the process locating module comprises:
a data structure lookup unit, configured to find the EPROCESS structure corresponding to the loaded antivirus software process;
a pointer reading unit, configured to read the pointers recorded in the pointer members FLINK and BLINK of that EPROCESS structure;
a process locating unit, configured to locate the front process and the back process of the antivirus software by means of the pointers recorded in the pointer members FLINK and BLINK.
Optionally, the pointing relationship modification module is configured to remove the antivirus software process's own entry from the doubly linked list.
Optionally, the pointing relationship modification module is configured to remove the antivirus software process's own entry from the doubly linked list in the following manner:
modifying the pointer recorded in BLINK of the EPROCESS structure corresponding to the front process so that it points to the back process;
modifying the pointer recorded in FLINK of the EPROCESS structure corresponding to the back process so that it points to the front process.
The present invention provides a method and apparatus for searching and killing kernel-level malware. By obtaining the data structure that records the pointing relationship between the processes currently running in the operating system, locating in that data structure the front process and the back process of the loaded antivirus software process, and modifying the pointing relationship between the front process and the back process so that the back process points directly to the front process, the antivirus software process can be hidden in the data structure the operating system uses to record the pointing relationship between processes, so that a malicious program cannot obtain the antivirus software's process information by reading that data structure and therefore cannot terminate the antivirus software process. This ensures that the antivirus software can search for and kill the malicious program normally; the hidden antivirus software then searches for and kills malware on the operating system, improving security.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and implemented according to the contents of the specification, and that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be regarded as limiting the present invention. Throughout the drawings, identical parts are denoted by identical reference symbols. In the drawings:
Fig. 1 is a flowchart of a method for searching and killing kernel-level malware according to an embodiment of the present invention;
Fig. 2 is a flowchart of a specific method for searching and killing kernel-level malware according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the structure of the doubly linked list according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of the structure of the doubly linked list after the pointing relationship has been modified, according to an embodiment of the present invention;
Fig. 5 is a structural block diagram of an apparatus for searching and killing kernel-level malware according to an embodiment of the present invention.
Detailed description
Exemplary embodiments of the present disclosure are described below in more detail with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the disclosure may be realised in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be thoroughly understood and its scope fully conveyed to those skilled in the art.
The embodiments of the present invention can be applied to a computer system/server, which can operate together with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with the computer system/server include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems, etc.
The computer system/server can be described in the general context of computer-system-executable instructions (such as program modules) executed by a computer system. Generally, program modules may include routines, programs, object programs, components, logic, data structures, etc., which perform particular tasks or implement particular abstract data types. The computer system/server may be implemented in a distributed cloud computing environment in which tasks are performed by remote processing devices linked through a communication network. In a distributed cloud computing environment, program modules may be located on local or remote computing system storage media including memory storage devices.
Embodiment 1
This embodiment of the present invention provides a method for searching and killing kernel-level malware. The method is implemented by an apparatus for searching and killing kernel-level malware. For example, in this embodiment the apparatus may be a tool installed on a client, where the client may be a user terminal such as a PC (Personal Computer), a mobile phone or a handheld computer; the client can run a cloud-security-based virus scanning and killing system which, in conjunction with a cloud security server, a virus scanning engine that handles files of various types, active defence modules and the like, performs the searching and killing of malware.
Fig. 1 is a flowchart of a method for searching and killing kernel-level malware according to an embodiment of the present invention; the method comprises steps S102 to S108.
S102: obtain the data structure that records the pointing relationship between the processes currently running in the operating system.
S104: locate, in the data structure, the front process and the back process of the loaded antivirus software process.
Here, the front process is the process that the antivirus software process points to, and the back process is the process that points to the antivirus software process.
S106: modify the pointing relationship between the front process and the back process so that the back process points directly to the front process.
S108: search and kill malware on the operating system by means of the hidden antivirus software.
This embodiment of the present invention provides a method for searching and killing kernel-level malware. By obtaining the data structure that records the pointing relationship between the processes currently running in the operating system, locating in that data structure the front process and the back process of the loaded antivirus software process, and modifying the pointing relationship between the front process and the back process so that the back process points directly to the front process, the antivirus software process can be hidden in the data structure the operating system uses to record the pointing relationship between processes, so that a malicious program cannot obtain the antivirus software's process information by reading that data structure and therefore cannot terminate the antivirus software process. This ensures that the antivirus software can search for and kill the malicious program normally; the hidden antivirus software then searches for and kills malware on the operating system, improving security.
Embodiment 2
This embodiment is a specific application scenario of Embodiment 1 above, through which the method provided by the present invention can be set out more clearly and specifically.
Fig. 2 is a flowchart of a specific method for searching and killing kernel-level malware according to an embodiment of the present invention; the method comprises steps S201 to S208.
It should be noted that the method can be implemented in the antivirus software by means of a driver, so that the antivirus software automatically hides its own process on start-up; the malicious program then cannot discover that the antivirus process exists, and the antivirus software can proceed to scan for and remove the malicious program.
First, step S201 is executed: a user request to search for and kill kernel-level malware is received, the preset protection tool is started, and the driver for hiding the antivirus software is run.
This embodiment hides the antivirus software process by means of a driver: as soon as the antivirus software is detected starting, the driver is run to hide the antivirus software process.
The driver may be implemented either in the antivirus software itself or in the antivirus software's protection tool, which may be a safe-box tool or the like.
The driver uses the DKOM (Direct Kernel Object Manipulation) technique. Every operating system stores certain information in memory, usually in the form of structures or objects managed by an object manager. When a user-mode process requests system information, for example a list of processes, threads or device drivers, these objects are reported to the user. Since the objects or structures reside in memory, they can be modified directly.
For example, in the Windows operating system, the key Windows data structures of concern for process hiding are the EPROCESS structure of a process, the ETHREAD structure of a thread, and linked lists (such as the process scheduling list, the thread list and the CPU list), etc. The present invention operates on these data structures by DKOM to achieve the purpose of hiding the process.
Next, step S202 is executed: the doubly linked list that records the process information of the processes currently running in the operating system is read in memory.
This embodiment takes the Windows operating system as an example, in which this doubly linked list is the PsActiveProcessList linked list.
It should be noted that in the Windows operating system, after the system starts, a linked list named PsActiveProcessList is created, and the process information of the processes running in the current operating system is kept in this list.
A malicious program likewise obtains the process information of the antivirus software process by scanning this linked list.
After the doubly linked list has been read, step S203 is executed: the data structure that records the pointing relationship between processes is read from the doubly linked list.
In the Windows operating system, this data structure is the EPROCESS structure.
The PsActiveProcessList linked list contains the EPROCESS structures of all processes, each EPROCESS structure holding the process information of one process.
This embodiment also provides Fig. 3, which shows the structure of the doubly linked list (PsActiveProcessList).
It should be noted that every EPROCESS structure contains a LIST_ENTRY structure with the pointer members FLINK and BLINK;
FLINK records the pointer to the front process of the current process;
BLINK records the pointer to the back process of the current process.
After the data structure recording the pointing relationship between processes has been read, step S204 is executed: the EPROCESS structure corresponding to the loaded antivirus software process is found in the data structure.
It should be noted that in the PsActiveProcessList linked list each process corresponds to one EPROCESS structure, and the EPROCESS structures of all processes are kept in the form of a doubly linked list; by traversing the PsActiveProcessList linked list and reading the process information in turn, the EPROCESS structure corresponding to the loaded antivirus software can be obtained.
After step S204, step S205 reads the pointers recorded in FLINK and BLINK of the EPROCESS structure corresponding to the antivirus software.
FLINK and BLINK in the EPROCESS structure hold the pointers to the front process and the back process of the current process respectively; by obtaining the FLINK and BLINK members, the front process and the back process of the current antivirus software process can be determined.
Next, step S206 is executed: the front process and the back process of the antivirus software are located by means of the pointers recorded in the FLINK and BLINK obtained above.
It should be noted that this step yields the EPROCESS structures corresponding to the front process and the back process of the antivirus software process.
Then, step S207 is executed: the antivirus software process's own entry is removed from the doubly linked list.
Removing the antivirus software process's own entry from the doubly linked list means modifying the pointing relationship between the front process and the back process so that the back process points directly to the front process.
Since the operating system records the pointing relationship between processes in the EPROCESS structures in the PsActiveProcessList linked list, in this embodiment step S207 can be specifically realised as follows:
modifying the pointer recorded in BLINK of the EPROCESS structure corresponding to the front process so that it points to the back process;
modifying the pointer recorded in FLINK of the EPROCESS structure corresponding to the back process so that it points to the front process.
This embodiment also provides Fig. 4, which shows the structure of the doubly linked list (PsActiveProcessList) after the pointing relationship has been modified.
In this way, the EPROCESS structure of the antivirus software process is hidden in the PsActiveProcessList linked list, so that a malicious program cannot read the process information of the antivirus software process and cannot find the antivirus process even by calling the system service ZwQuerySystemInformation. Moreover, the operation of the antivirus software process is not affected.
Finally, step S208 is executed: malware on the operating system is searched for and killed by means of the hidden antivirus software.
It should be noted that, because the antivirus software has been hidden by steps S201 to S207 and the malware cannot terminate it, the malware searching and killing operation can now begin.
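The unlinking of steps S205 to S207, and what it does and does not conceal, can be shown on a user-mode model of the list. The following C program is an added example, not code from the patent or from the assignee's products. It builds a constructed four-process list whose entries carry LIST_ENTRY-style FLINK/BLINK members (a hypothetical `TOY_EPROCESS` holding only a PID, an image name and an `ActiveProcessLinks` member, a simplification of the real EPROCESS), removes the antivirus entry exactly as the embodiment describes (the front process's BLINK is pointed at the back process, the back process's FLINK at the front process), and then runs a cross-view check that compares the list walk against an independent index of process blocks. That last step is the practitioner's caveat: the same unlinking is the classic rootkit process-hiding technique, so an anti-rootkit or memory-forensics tool that cross-references the PID table, the scheduler queues or a pool scan against the list walk will flag the hidden antivirus process in the same way; `find_unlinked` models that check with the pool as the independent index. All names in the block are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the kernel's LIST_ENTRY and of the ActiveProcessLinks member of
 * EPROCESS. Member names mirror the real structures; the layout is a constructed
 * simplification for this example, not the real EPROCESS. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;   /* FLINK: the "front" (next) entry */
    struct _LIST_ENTRY *Blink;   /* BLINK: the "back" (previous) entry */
} LIST_ENTRY;

typedef struct _TOY_EPROCESS {
    uint32_t   UniqueProcessId;
    char       ImageFileName[16];
    LIST_ENTRY ActiveProcessLinks;
} TOY_EPROCESS;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* A fixed pool of process blocks stands in for kernel memory; the list head
 * stands in for the head of the active process list (PsActiveProcessList). */
#define MAX_PROCS 8
static TOY_EPROCESS g_pool[MAX_PROCS];
static size_t       g_pool_used;
static LIST_ENTRY   g_active_head;

static void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void list_insert_tail(LIST_ENTRY *head, LIST_ENTRY *e)
{
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* Constructed sample system: four processes, one of them the antivirus. */
size_t build_sample_system(void)
{
    static const struct { uint32_t pid; const char *name; } sample[] = {
        { 4, "System" }, { 300, "smss.exe" }, { 1234, "av.exe" }, { 2000, "explorer.exe" },
    };
    list_init(&g_active_head);
    g_pool_used = 0;
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        TOY_EPROCESS *p = &g_pool[g_pool_used++];
        p->UniqueProcessId = sample[i].pid;
        strncpy(p->ImageFileName, sample[i].name, sizeof p->ImageFileName - 1);
        p->ImageFileName[sizeof p->ImageFileName - 1] = '\0';
        list_insert_tail(&g_active_head, &p->ActiveProcessLinks);
    }
    return g_pool_used;
}

/* Step S204: traverse the list and find the block for a given image name. */
TOY_EPROCESS *find_in_list(const char *name)
{
    for (LIST_ENTRY *e = g_active_head.Flink; e != &g_active_head; e = e->Flink) {
        TOY_EPROCESS *p = CONTAINING_RECORD(e, TOY_EPROCESS, ActiveProcessLinks);
        if (strcmp(p->ImageFileName, name) == 0) return p;
    }
    return NULL;
}

/* Steps S205 to S207: read FLINK/BLINK to locate the front and back neighbours,
 * then make them point at each other. The block's own pointers are left alone, so
 * the process keeps running; it just no longer appears to anyone walking the list. */
int unlink_from_active_list(TOY_EPROCESS *p)
{
    if (p == NULL) return 0;
    LIST_ENTRY *self  = &p->ActiveProcessLinks;
    LIST_ENTRY *front = self->Flink;   /* the process the antivirus points to */
    LIST_ENTRY *back  = self->Blink;   /* the process that points to the antivirus */
    front->Blink = back;               /* front's BLINK now points to back */
    back->Flink  = front;              /* back's FLINK now points to front */
    return 1;
}

/* List view: the PIDs seen by any reader that walks the active list. */
size_t list_view(uint32_t *out, size_t max)
{
    size_t n = 0;
    for (LIST_ENTRY *e = g_active_head.Flink; e != &g_active_head && n < max; e = e->Flink)
        out[n++] = CONTAINING_RECORD(e, TOY_EPROCESS, ActiveProcessLinks)->UniqueProcessId;
    return n;
}

/* Cross-view check: a block present in an independent index (here the pool; on a
 * real system the PID table, handle tables or scheduler queues) but absent from
 * the list walk has been unlinked. Returns the number of blocks flagged. */
size_t find_unlinked(uint32_t *out, size_t max)
{
    uint32_t seen[MAX_PROCS];
    size_t nseen = list_view(seen, MAX_PROCS), n = 0;
    for (size_t i = 0; i < g_pool_used && n < max; i++) {
        int in_list = 0;
        for (size_t j = 0; j < nseen; j++)
            if (seen[j] == g_pool[i].UniqueProcessId) { in_list = 1; break; }
        if (!in_list) out[n++] = g_pool[i].UniqueProcessId;
    }
    return n;
}

int main(void)
{
    uint32_t pids[MAX_PROCS], hidden[MAX_PROCS];
    build_sample_system();
    unlink_from_active_list(find_in_list("av.exe"));
    size_t seen = list_view(pids, MAX_PROCS);
    size_t flagged = find_unlinked(hidden, MAX_PROCS);
    printf("list walk sees %zu processes; cross-view flags %zu unlinked (PID %u)\n",
           seen, flagged, flagged ? hidden[0] : 0u);
    return 0;
}
```

After the unlink the list walk reports three processes and `find_in_list("av.exe")` returns NULL, which is the effect the embodiment relies on; the cross-view check still reports PID 1234, which is why a hidden protector and a hidden rootkit look alike to an integrity checker and must be distinguished by other means (for example by verifying the unlinked block belongs to a signed, expected image).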
The antivirus software provided by the present invention is suitable for detecting stubborn viruses, and for performing Trojan scanning and removal, MBR (Master Boot Record, the master boot record of the hard disk) repair and similar functions.
The antivirus software provided by the present invention includes stubborn virus and Trojan scanning and removal. To help the user clean up stubborn viruses and Trojans in the computer system, the software, when scanning for computer viruses, can automatically delete the virus files or lock them and prevent them from running. The software scans the key items of the system and automatically handles abnormal system conditions. The results of the search and kill are presented in a list, and the user can restore some files from the file quarantine area.
The antivirus software provided by the present invention protects normal system operation by killing Trojans that operate at the bottom of the system, such as driver Trojans. During scanning, malicious services and drivers present in the system can be killed. Because killing may in some cases leave the system unable to boot normally, the software can add a start-up item to the system; if the user cannot boot after the repair, repair can be attempted through this start-up item.
The antivirus software provided by the present invention has a system file repair function. This function scans the operating system's own key dynamic link library files (Dynamic Link Library, hereinafter DLL files) on the user's system. When a missing DLL file is found, the software queries the cloud query server for the missing DLL file, selects the DLL file appropriate to the user's current system and downloads it to the user's machine. This function solves the problem of the computer failing to work normally because system DLL files are missing, whether through malicious damage by a Trojan or for other reasons. The user can also manually enter the name of a missing DLL file to search for it and repair it.
The antivirus software provided by the present invention has an MBR repair function. Some Trojans infect the MBR of the computer in order to hide themselves and repeatedly re-infect the computer system. This function helps the user remove the malicious code in the MBR.
The antivirus software provided by the present invention can also be combined with cloud security technology. Its principle is to collect fingerprints of the files on the user's computer and send them to the cloud server for analysis, thereby verifying the security level of the files. A file fingerprint is unique identification information for a file computed according to a generally accepted international standard algorithm, usually a combination of several dozen bytes of digits and letters; commonly used algorithms include MD5 (Message Digest Algorithm 5) and SHA1 (Secure Hash Algorithm 1).
The protection tool provided by the present invention can upload discovered suspicious executable program samples to the cloud server for analysis by engineers. Uploaded samples are limited to PE files used for virus analysis, and samples already held by the cloud security central server are not uploaded again.
This embodiment of the present invention provides a method for searching and killing kernel-level malware. By obtaining the data structure that records the pointing relationship between the processes currently running in the operating system, locating in that data structure the front process and the back process of the loaded antivirus software process, and modifying the pointing relationship between the front process and the back process so that the back process points directly to the front process, the antivirus software process can be hidden in the data structure the operating system uses to record the pointing relationship between processes, so that a malicious program cannot obtain the antivirus software's process information by reading that data structure and therefore cannot terminate the antivirus software process. This ensures that the antivirus software can search for and kill the malicious program normally; the hidden antivirus software then searches for and kills malware on the operating system, improving security.
Embodiment three
Fig. 5 is a block diagram of the structure of a device for searching and killing kernel-level malware provided by an embodiment of the invention. The device 500 comprises:
Data structure acquisition module 510, configured to obtain the data structure that records the pointing relationship between the processes currently running in the operating system;
Process locating module 520, configured to locate, in the data structure, the forward process and the rear process of the already loaded antivirus software process, wherein the forward process is the process pointed to by the antivirus software process and the rear process is the process that points to the antivirus software process;
Pointing relationship modification module 530, configured to modify the pointing relationship between the forward process and the rear process so that the rear process points directly to the forward process;
Searching and killing module 540, configured to carry out the searching and killing of malware on the operating system with the antivirus software hidden.
Alternatively, the data structure acquisition module 510 is configured to obtain the data structure that records the pointing relationship between the processes currently running in the operating system in the following way:
receiving a user's request to search and kill kernel-level malware;
executing, through a protection tool started in advance, the operation of obtaining the data structure that records the pointing relationship between the processes currently running in the operating system.
Alternatively, the data structure acquisition module 510 comprises:
Linked list acquisition unit 511, configured to read from memory the doubly linked list that records the process information of the processes currently running in the operating system;
Data structure reading unit 512, configured to read, from the doubly linked list, the data structure that records the pointing relationship between processes.
Alternatively, the doubly linked list obtained by the linked list acquisition unit 511 is the PsAcvtiveProcessList linked list.
Alternatively, the data structure is the EPROCESS structure;
wherein the EPROCESS structure contains a LIST_ENTRY structure, the LIST_ENTRY structure contains the pointer members FLINK and BLINK, the pointer recorded in FLINK points to the forward process of the process to which the current EPROCESS structure belongs, and the pointer recorded in BLINK points to the rear process of the process to which the current EPROCESS structure belongs.
Alternatively, the process locating module 520 comprises:
Data structure lookup unit 521, configured to look up the EPROCESS structure corresponding to the already loaded antivirus software process;
Pointer reading unit 522, configured to read the pointers recorded in the pointer members FLINK and BLINK of that EPROCESS structure;
Process locating unit 523, configured to locate the forward process and the rear process of the antivirus software through the pointers recorded in the pointer members FLINK and BLINK.
Alternatively, the pointing relationship modification module 530 is configured to remove the antivirus software process's own information from the above doubly linked list.
Alternatively, the pointing relationship modification module 530 is configured to remove the antivirus software process's own information from the above doubly linked list in the following way:
modifying the pointer recorded in BLINK of the EPROCESS structure corresponding to the forward process so that it points to the rear process;
modifying the pointer recorded in FLINK of the EPROCESS structure corresponding to the rear process so that it points to the forward process.
The embodiment of the present invention provides a device for searching and killing kernel-level malware. The device obtains the data structure that records the pointing relationship between the processes currently running in the operating system, locates in that data structure the forward process and the rear process of the already loaded antivirus software process, and modifies the pointing relationship between the forward process and the rear process so that the rear process points directly to the forward process. In this way the antivirus software process is hidden from the data structure that the operating system uses to record the pointing relationship between processes, so that a malicious program cannot obtain the process information of the antivirus software by reading this data structure and therefore cannot terminate the antivirus software process. This guarantees that the antivirus software can search and kill malicious programs normally, and by carrying out the malware search and kill on the operating system with the antivirus software hidden, security is improved.
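The FLINK/BLINK rewrite that units 521 to 523 and module 530 describe, modelled in user-mode C as an added example (not code from the patent or its applicant): a constructed four-entry process list with illustrative EPROCESS and LIST_ENTRY layouts, the unlink step, and two checks a practitioner would want, namely that both neighbour pointers were rewritten consistently and that a cross-view comparison against the process table still reveals the unlinked entry. Setting the removed entry to point at itself is an assumption of the example, not a step on the page.

```c
#include <stddef.h>
#include <stdio.h>
/* User-mode model of the structures the page names (EPROCESS, LIST_ENTRY, FLINK,
 * BLINK). The layout is illustrative, not the real Windows definition, and
 * ActiveProcessHead stands in for the head of the page's PsAcvtiveProcessList. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink; /* FLINK: next entry, the "forward" process  */
    struct _LIST_ENTRY *Blink; /* BLINK: previous entry, the "rear" process */
} LIST_ENTRY;
typedef struct _EPROCESS {
    unsigned long UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;
} EPROCESS;
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))
#define NPROC 4

/* Constructed sample process table; pid 1200 plays the antivirus process. */
static EPROCESS procs[NPROC] = { {4, {0, 0}}, {300, {0, 0}}, {1200, {0, 0}}, {2000, {0, 0}} };
static LIST_ENTRY ActiveProcessHead;

/* Link every table entry into a fresh circular doubly linked list. */
static void build_list(void) {
    ActiveProcessHead.Flink = ActiveProcessHead.Blink = &ActiveProcessHead;
    for (int i = 0; i < NPROC; i++) {
        LIST_ENTRY *e = &procs[i].ActiveProcessLinks;
        e->Flink = &ActiveProcessHead;
        e->Blink = ActiveProcessHead.Blink;
        ActiveProcessHead.Blink->Flink = e;
        ActiveProcessHead.Blink = e;
    }
}

/* Units 521-523 and module 530 of the page: read FLINK/BLINK of the antivirus
 * EPROCESS to find its forward and rear neighbours, then point the rear process's
 * FLINK at the forward process and the forward process's BLINK at the rear one. */
static void hide_process(EPROCESS *p) {
    LIST_ENTRY *self = &p->ActiveProcessLinks;
    LIST_ENTRY *forward = self->Flink;
    LIST_ENTRY *rear = self->Blink;
    rear->Flink = forward;
    forward->Blink = rear;
    /* Assumption, not on the page: leave the unlinked entry pointing at itself so
     * a later generic unlink of this entry cannot write into the neighbours. */
    self->Flink = self;
    self->Blink = self;
}

/* Rebuild the list, then hide the process with `pid` (0 hides nothing). */
static void setup(unsigned long pid) {
    build_list();
    for (int i = 0; i < NPROC; i++)
        if (procs[i].UniqueProcessId == pid) hide_process(&procs[i]);
}

/* Follow FLINK (or BLINK when backward != 0) from the head, as an enumerator would. */
static int walk(int backward, unsigned long *out, int max) {
    int n = 0;
    for (LIST_ENTRY *e = backward ? ActiveProcessHead.Blink : ActiveProcessHead.Flink;
         e != &ActiveProcessHead && n < max; e = backward ? e->Blink : e->Flink)
        out[n++] = CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks)->UniqueProcessId;
    return n;
}

/* Processes a forward walk sees after hiding `pid`; -1 if the forward and backward
 * walks disagree, i.e. only one of the two neighbour pointers was rewritten. */
int visible_after_hide(unsigned long pid) {
    unsigned long fwd[NPROC], bwd[NPROC];
    setup(pid);
    int nf = walk(0, fwd, NPROC), nb = walk(1, bwd, NPROC);
    if (nf != nb) return -1;
    for (int i = 0; i < nf; i++)
        if (fwd[i] != bwd[nf - 1 - i]) return -1;
    return nf;
}

/* Cross-view check: a process present in the table but absent from the list walk
 * has been unlinked. Returns that pid, or 0 when both views agree. */
unsigned long cross_view_hidden_pid(unsigned long pid) {
    unsigned long fwd[NPROC];
    setup(pid);
    int nf = walk(0, fwd, NPROC);
    for (int i = 0; i < NPROC; i++) {
        int j = 0;
        while (j < nf && fwd[j] != procs[i].UniqueProcessId) j++;
        if (j == nf) return procs[i].UniqueProcessId; /* in table, not in list */
    }
    return 0;
}

int main(void) {
    printf("visible: %d before, %d after hiding pid 1200\n",
           visible_after_hide(0), visible_after_hide(1200)); /* 4, 3 */
    printf("cross-view reveals pid %lu\n", cross_view_hidden_pid(1200)); /* 1200 */
    return 0;
}
```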
A large number of details are described in the specification provided herein. It will be understood, however, that embodiments of the invention can be practised without these details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. Modules, units or components of an embodiment may be combined into one module, unit or component, and may moreover be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including any accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some but not other features included in other embodiments, combinations of the features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of the two. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device for searching and killing kernel-level malware according to embodiments of the invention. The invention may also be embodied as a device or apparatus program (for example, a computer program and a computer program product) for carrying out part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.
Thus far, those skilled in the art will recognise that, although a plurality of exemplary embodiments of the invention have been illustrated and described in detail herein, many other variations or modifications conforming to the principles of the invention can still be directly determined or derived from the disclosure of the invention without departing from its spirit and scope. Accordingly, the scope of the invention should be understood and deemed to cover all such other variations or modifications.
The embodiment of the present invention also provides the method for A1. kernel level Malware killing, comprising:
Obtain the data structure that records points relationship between the current process of moving in operating system;
The place ahead process and the rear process of the antivirus software process that location has loaded in described data structure, wherein, described the place ahead process is described antivirus software process process pointed, described rear process is for pointing to the process of described antivirus software process;
The points relationship of described the place ahead process and described rear process is revised as to described rear process and directly points to described the place ahead process;
By hiding antivirus software, described operating system is carried out the killing of Malware.
A2. according to the method described in A1, wherein, described in obtain the data structure that records points relationship between the current process of moving in operating system, comprising:
Receive the killing request of user to the Malware of kernel level;
By the protection instrument starting in advance, carry out and obtain the operation of recording the data structure of points relationship between the current process of moving in operating system.
A3. according to the method described in A1, wherein, described in obtain the data structure that records points relationship between the current process of moving in operating system, comprising:
In internal memory, read for recording the doubly linked list of the progress information of the current process of moving of described operating system;
The data structure of points relationship between reading for record the process in described doubly linked list.
A4. according to the method described in A3, wherein, described doubly linked list is PsAcvtiveProcessList chained list.
A5. according to the method described in A1 to A4 any one, wherein, described data structure is EPROCESS structure;
Wherein, described EPROCESS structure comprises LIST_ENTRY structure, described LIST_ENTRY structure comprises pointer member FLINK and BLINK, the pointer recording in described FLINK is used in reference to the place ahead process of process under current EPROCESS structure, and the pointer recording in described BLINK is used in reference to the rear process of process under current EPROCESS structure.
A6. according to the method described in A5, wherein, the place ahead process and the rear process of the antivirus software process that location has loaded in described data structure, comprising:
The EPROCESS structure corresponding to antivirus software process of searching and having loaded;
Read the pointer that pointer member FLINK in described EPROCESS structure and BLINK record;
The pointer recording by described pointer member FLINK and BLINK is located the place ahead process and the rear process of described antivirus software.
A7. according to the method described in A3 to A6 any one, wherein, the place ahead process and the rear process of the antivirus software process that location has loaded in described data structure, comprising:
In described doubly linked list, extract the self information of described antivirus software process.
A8. according to the method described in A7, wherein, the described self information of extracing described antivirus software process in described doubly linked list, comprising:
By the pointer modified recording in the BLINK in EPROCESS structure corresponding to described the place ahead process, it is the described rear of sensing process;
By the pointer modified recording in the FLINK in EPROCESS structure corresponding to described rear process, it is the described the place ahead of sensing process.
Embodiments of the present invention also provide B9. A device for searching and killing kernel-level malware, comprising:
a data structure acquisition module, configured to obtain the data structure that records the pointing relationship between the processes currently running in the operating system;
a process locating module, configured to locate, in the data structure, the forward process and the rear process of the already loaded antivirus software process, wherein the forward process is the process pointed to by the antivirus software process and the rear process is the process that points to the antivirus software process;
a pointing relationship modification module, configured to modify the pointing relationship between the forward process and the rear process so that the rear process points directly to the forward process;
a searching and killing module, configured to carry out the searching and killing of malware on the operating system with the antivirus software hidden.
B10. The device according to B9, wherein the data structure acquisition module is configured to obtain the data structure that records the pointing relationship between the processes currently running in the operating system in the following way:
receiving a user's request to search and kill kernel-level malware;
executing, through a protection tool started in advance, the operation of obtaining the data structure that records the pointing relationship between the processes currently running in the operating system.
B11. The device according to B9, wherein the data structure acquisition module comprises:
a linked list acquisition unit, configured to read from memory the doubly linked list that records the process information of the processes currently running in the operating system;
a data structure reading unit, configured to read, from the doubly linked list, the data structure that records the pointing relationship between processes.
B12. The device according to B11, wherein the doubly linked list obtained by the linked list acquisition unit is the PsAcvtiveProcessList linked list.
B13. The device according to any one of B9 to B12, wherein the data structure is the EPROCESS structure;
wherein the EPROCESS structure contains a LIST_ENTRY structure, the LIST_ENTRY structure contains the pointer members FLINK and BLINK, the pointer recorded in FLINK points to the forward process of the process to which the current EPROCESS structure belongs, and the pointer recorded in BLINK points to the rear process of the process to which the current EPROCESS structure belongs.
B14. The device according to B13, wherein the process locating module comprises:
a data structure lookup unit, configured to look up the EPROCESS structure corresponding to the already loaded antivirus software process;
a pointer reading unit, configured to read the pointers recorded in the pointer members FLINK and BLINK of that EPROCESS structure;
a process locating unit, configured to locate the forward process and the rear process of the antivirus software through the pointers recorded in the pointer members FLINK and BLINK.
B15. The device according to any one of B11 to B14, wherein the pointing relationship modification module is configured to remove the antivirus software process's own information from the doubly linked list.
B16. The device according to B15, wherein the pointing relationship modification module is configured to remove the antivirus software process's own information from the doubly linked list in the following way:
modifying the pointer recorded in BLINK of the EPROCESS structure corresponding to the forward process so that it points to the rear process;
modifying the pointer recorded in FLINK of the EPROCESS structure corresponding to the rear process so that it points to the forward process.

Claims (10)

1. A method for searching and killing kernel-level malware, comprising:
obtaining the data structure that records the pointing relationship between the processes currently running in the operating system;
locating, in the data structure, the forward process and the rear process of the already loaded antivirus software process, wherein the forward process is the process pointed to by the antivirus software process and the rear process is the process that points to the antivirus software process;
modifying the pointing relationship between the forward process and the rear process so that the rear process points directly to the forward process;
carrying out the searching and killing of malware on the operating system with the antivirus software hidden.
2. The method according to claim 1, wherein obtaining the data structure that records the pointing relationship between the processes currently running in the operating system comprises:
receiving a user's request to search and kill kernel-level malware;
executing, through a protection tool started in advance, the operation of obtaining the data structure that records the pointing relationship between the processes currently running in the operating system.
3. The method according to claim 1, wherein obtaining the data structure that records the pointing relationship between the processes currently running in the operating system comprises:
reading from memory the doubly linked list that records the process information of the processes currently running in the operating system;
reading, from the doubly linked list, the data structure that records the pointing relationship between processes.
4. The method according to claim 3, wherein the doubly linked list is the PsAcvtiveProcessList linked list.
5. The method according to any one of claims 1 to 4, wherein the data structure is the EPROCESS structure;
wherein the EPROCESS structure contains a LIST_ENTRY structure, the LIST_ENTRY structure contains the pointer members FLINK and BLINK, the pointer recorded in FLINK points to the forward process of the process to which the current EPROCESS structure belongs, and the pointer recorded in BLINK points to the rear process of the process to which the current EPROCESS structure belongs.
6. The method according to claim 5, wherein locating, in the data structure, the forward process and the rear process of the already loaded antivirus software process comprises:
looking up the EPROCESS structure corresponding to the already loaded antivirus software process;
reading the pointers recorded in the pointer members FLINK and BLINK of that EPROCESS structure;
locating the forward process and the rear process of the antivirus software through the pointers recorded in the pointer members FLINK and BLINK.
7. A device for searching and killing kernel-level malware, comprising:
a data structure acquisition module, configured to obtain the data structure that records the pointing relationship between the processes currently running in the operating system;
a process locating module, configured to locate, in the data structure, the forward process and the rear process of the already loaded antivirus software process, wherein the forward process is the process pointed to by the antivirus software process and the rear process is the process that points to the antivirus software process;
a pointing relationship modification module, configured to modify the pointing relationship between the forward process and the rear process so that the rear process points directly to the forward process;
a searching and killing module, configured to carry out the searching and killing of malware on the operating system with the antivirus software hidden.
8. The device according to claim 7, wherein the data structure acquisition module is configured to obtain the data structure that records the pointing relationship between the processes currently running in the operating system in the following way:
receiving a user's request to search and kill kernel-level malware;
executing, through a protection tool started in advance, the operation of obtaining the data structure that records the pointing relationship between the processes currently running in the operating system.
9. The device according to claim 7, wherein the data structure acquisition module comprises:
a linked list acquisition unit, configured to read from memory the doubly linked list that records the process information of the processes currently running in the operating system;
a data structure reading unit, configured to read, from the doubly linked list, the data structure that records the pointing relationship between processes.
10. The device according to claim 9, wherein the doubly linked list obtained by the linked list acquisition unit is the PsAcvtiveProcessList linked list.
CN201310652289.0A 2013-12-05 2013-12-05 Searching and killing method and device for kernel level malware Pending CN103679027A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201310652289.0A CN103679027A (en) 2013-12-05 2013-12-05 Searching and killing method and device for kernel level malware
PCT/CN2014/092133 WO2015081791A1 (en) 2013-12-05 2014-11-25 Method and apparatus for scanning and removing kernel-level malware


Publications (1)

Publication Number Publication Date
CN103679027A true CN103679027A (en) 2014-03-26

Country Status (2)

Country Link
CN (1) CN103679027A (en)
WO (1) WO2015081791A1 (en)

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20140326