CN103914656A - Method and device for preventing monitoring of malware - Google Patents


Info

Publication number: CN103914656A
Authority: CN (China)
Prior art keywords: ntdll, dll, private, sensitive process, system service
Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number: CN201410114577.5A
Other languages: Chinese (zh)
Inventor: 吴广文
Current assignee: Anyi Hengtong Beijing Technology Co Ltd (as listed by Google Patents; the list may be inaccurate)
Original assignee: Anyi Hengtong Beijing Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information
    • G06F21/74 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information, operating in dual or compartmented mode, i.e. at least one secure mode


Abstract

The invention provides a method and a device for preventing monitoring by malware. The method includes: detecting that a sensitive process has started, the sensitive process containing operations performed on information to be protected; establishing a private system service path for the sensitive process; and carrying out the operations of the sensitive process through the private system service path. The method prevents monitoring by malware, improves security and protects the user's privacy.

Description

Method and apparatus for avoiding monitoring by malware
Technical field
The present invention relates to the field of network security, and in particular to a method and apparatus for avoiding monitoring by malware.
Background
With the widespread use of computers, the number and variety of computer viruses has grown rapidly; with the growth of networks in particular, viruses spread further and do more damage, causing trouble and loss for computer users. Monitoring by malware can be divided into user-mode monitoring and kernel-mode monitoring. Kernel-mode code is unforgiving: a small mistake readily destabilises the whole system or produces a blue screen, so kernel-mode monitoring is hard to hide from the user. On Windows, malware therefore generally resides in user mode. A user-mode program that wants a system service must enter the kernel through NTDLL.dll, the lowest-level entry point available to it, so malware can implement user-mode monitoring by monitoring the NTDLL.dll of the Windows system.
Summary of the invention
The present invention aims to solve, at least to some extent, one of the technical problems in the related art.
To this end, one object of the present invention is to propose a method for avoiding monitoring by malware, which can avoid the user-mode monitoring that malware implements on Windows.
Another object of the present invention is to propose an apparatus for avoiding monitoring by malware.
To achieve the above objects, the method for avoiding monitoring by malware proposed by the embodiment of the first aspect of the invention comprises: detecting that a sensitive process has started, the sensitive process containing operations performed on information to be protected; establishing a private system service path for the sensitive process; and carrying out the operations of the sensitive process using the private system service path.
By establishing a private system service path, the method proposed by the embodiment of the first aspect avoids the monitoring that malware performs on the public system service path, ensures the security of the operation, protects personal privacy and improves the user experience.
To achieve the above objects, the apparatus for avoiding monitoring by malware proposed by the embodiment of the second aspect of the invention comprises: a detection module for detecting that a sensitive process has started, the sensitive process containing operations performed on information to be protected; an establishing module for establishing a private system service path for the sensitive process; and a processing module for carrying out the operations of the sensitive process using the private system service path.
By establishing a private system service path, the apparatus proposed by the embodiment of the second aspect avoids the monitoring that malware performs on the public system service path, ensures the security of the operation, protects personal privacy and improves the user experience.
To achieve the above objects, the client device proposed by the embodiment of the third aspect of the invention comprises: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged inside the space enclosed by the housing and the processor and the memory are mounted on the circuit board; the power supply circuit supplies power to each circuit or device of the client device; the memory stores executable program code; and the processor, by reading the executable program code stored in the memory, runs the program corresponding to that code to perform the following steps: detecting that a sensitive process has started, the sensitive process containing operations performed on information to be protected; establishing a private system service path for the sensitive process; and carrying out the operations of the sensitive process using the private system service path.
By establishing a private system service path, the client device proposed by the embodiment of the third aspect avoids the monitoring that malware performs on the public system service path, ensures the security of the operation, protects personal privacy and improves the user experience.
Additional aspects and advantages of the invention are given in part in the following description, will in part become apparent from it, or may be learned by practice of the invention.
Description of the drawings
The above and/or additional aspects and advantages of the invention will become apparent and easy to understand from the following description of embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a schematic flow chart of the method for avoiding monitoring by malware proposed by one embodiment of the invention;
Fig. 2 is a schematic flow chart of the method for avoiding monitoring by malware proposed by another embodiment of the invention;
Fig. 3 is a schematic structural diagram of the apparatus for avoiding monitoring by malware proposed by another embodiment of the invention;
Fig. 4 is a schematic structural diagram of the apparatus for avoiding monitoring by malware proposed by another embodiment of the invention.
Detailed description of the embodiments
Embodiments of the invention are described in detail below; examples of the embodiments are shown in the drawings, in which the same or similar reference numerals denote throughout the same or similar elements, or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary, serve only to explain the invention, and are not to be construed as limiting it. On the contrary, the embodiments of the invention include all changes, modifications and equivalents falling within the spirit and scope of the appended claims.
Fig. 1 is a schematic flow chart of the method for avoiding monitoring by malware proposed by one embodiment of the invention. The method comprises:
S11: detecting that a sensitive process has started, the sensitive process containing operations performed on information to be protected.
Which information is to be protected can be decided according to product requirements; such information may also be called sensitive information.
A sensitive process is, for example, a process that reads or writes sensitive information.
The embodiments of the invention are mainly aimed at avoiding user-mode monitoring, so these sensitive processes may specifically involve the system services provided by the operating system (Windows System Services), for example reading and writing files or reading and writing the registry.
S12: establishing a private system service path for the sensitive process.
In the related art, the system services that Windows exposes (Windows System Services) must be reached by a user-mode process through the NTDLL.dll of the Windows system. In other words, all processes go through a public system service path, namely the system's NTDLL.dll. Some malware therefore monitors user-mode processes by monitoring this public system service path, that is, the system's NTDLL.dll.
In this embodiment, to avoid being monitored by malware, a private system service path can be established and the operations of the sensitive process carried out through it.
For example, the embodiment can copy the NTDLL.dll of the Windows system to obtain a private NTDLL.dll and serve the sensitive process through this private NTDLL.dll.
S13: carrying out the operations of the sensitive process using the private system service path.
The instructions that the private system service path points to are identical to those the public system service path points to. For example, when a file is created, the public system service path points to the instructions behind CreateFile; the private system service path points to those same instructions, so the file is created just the same.
For example, the private NTDLL.dll can be produced by copying the functions contained in the system's NTDLL.dll: the interfaces that implement the services are exported by the copy in the form of functions, and each copied function points to the same instructions as the original and performs the same task, such as creating a file. Calling the private NTDLL.dll thus achieves exactly what calling the system's NTDLL.dll achieves, while avoiding the monitoring that malware performs on the public system service path.
By establishing a private system service path, this embodiment avoids the monitoring that malware performs on the public system service path, ensures the security of the operation, protects personal privacy and improves the user experience.
Fig. 2 is a schematic flow chart of the method for avoiding monitoring by malware proposed by another embodiment of the invention. The method comprises:
S21: detecting that a sensitive process has started.
For example, when a user downloads a private data file with a browser and does not want others to learn of the download, the sensitive process that has started can specifically be the process corresponding to the download of that private data.
S22: copying the NTDLL.dll of the Windows system to obtain a private NTDLL.dll.
The private NTDLL.dll can be kept in the memory space of the sensitive process.
For example, the functions in the system's NTDLL.dll include NtCreateFile, NtWriteFile, NtReadFile and NtCloseFile; the private NTDLL.dll can export the interfaces of NtCreateFile, NtWriteFile, NtReadFile and NtCloseFile respectively, renamed within the private NTDLL.dll to MyNtCreateFile, MyNtWriteFile, MyNtReadFile and MyNtCloseFile.
S23: calling the private NTDLL.dll and carrying out the operations of the sensitive process according to the functions in the private NTDLL.dll.
The functions in the private NTDLL.dll are obtained by copying the corresponding functions of the system's NTDLL.dll; both point to the same instructions, have the same service interface and perform the same function.
For example, when the browser creates a file it calls MyNtCreateFile rather than NtCreateFile; likewise, writing a file calls MyNtWriteFile, and so on. In this way, other programs running in user mode cannot monitor the browser's file operations.
Optionally, after the private NTDLL.dll has been saved to the memory space, the method may further comprise: determining a memory-mapped file (FileMapping) that records the private NTDLL.dll and the mapping between the private NTDLL.dll and its location in the memory space.
Accordingly, the private NTDLL.dll can be called according to this memory-mapped file; for example, read and write operations can be performed, according to the memory-mapped file, on the memory where the private NTDLL.dll is located, so as to read and write the private NTDLL.dll. Replacing file operations with memory operations improves read/write speed.
In one embodiment, the method may further comprise: deleting the memory-mapped file when the sensitive process exits.
This embodiment copies the system's NTDLL.dll to obtain a private NTDLL.dll, and the sensitive process operates by calling the private NTDLL.dll. Because user-mode malware that monitors the system's NTDLL.dll cannot monitor the private NTDLL.dll, monitoring by malware is effectively avoided, security is improved, user privacy is protected and the user experience is improved. In addition, calling the private NTDLL.dll through a memory-mapped file improves read/write speed.
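The private-copy technique of steps S12 to S13 and S22 to S23, as an added example that is not part of the patent or the applicant's code. The block builds a small PE32+ image that stands in for ntdll.dll (constructed data: four exports with invented system service numbers), resolves Nt* exports from it by walking the PE export directory instead of asking the public ntdll, and compares each export's prologue in the "public" copy with the private copy. That comparison is the check a practitioner wants before trusting either copy: a user-mode hook that overwrites the first bytes of NtCreateFile with a jmp shows up as a difference, and the system service number can only be read from the pristine stub. The code defines the PE offsets itself so it compiles anywhere; on Windows the private image would come from mapping %SystemRoot%\System32\ntdll.dll with CreateFileMapping(SEC_IMAGE), after which RVA equals offset from the map base exactly as assumed here, and the x64 stubs (mov r10,rcx; mov eax,SSN; syscall; ret) are position independent and can be called in place. Two caveats the patent text does not state: the real export is NtClose, not NtCloseFile, and a private copy only defeats monitoring planted in the public ntdll of that process; kernel-mode or syscall-level monitoring, and a copy taken from an already tampered file, are outside its reach.

```c
/* Added example, not from the patent: a stand-in "private ntdll" image, export
 * resolution from it, and a prologue comparison against the "public" copy.  PE
 * offsets follow the PE/COFF spec; image, names and SSNs are constructed data. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_SIZE   0x1000
#define EXPORT_RVA 0x200   /* export directory */
#define CODE_RVA   0x400   /* syscall stubs, 32 bytes apart */
#define N_EXPORTS  4
/* Real ntdll exports NtClose, not "NtCloseFile"; sorted, as the real name table is. */
static const char *kNames[N_EXPORTS] = {"NtClose", "NtCreateFile", "NtReadFile", "NtWriteFile"};

static void     put16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void     put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static uint16_t get16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t get32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* DOS header, PE signature, file header, PE32+ optional header, export directory
 * for kNames, and per export an x64 stub: mov r10,rcx; mov eax,SSN; syscall; ret. */
static void build_image(uint8_t *img) {
    memset(img, 0, IMG_SIZE);
    img[0] = 'M'; img[1] = 'Z'; put32(img + 0x3C, 0x80);            /* e_lfanew */
    uint8_t *nt = img + 0x80;
    memcpy(nt, "PE\0\0", 4);
    put16(nt + 4, 0x8664); put16(nt + 20, 0xF0); put16(nt + 24, 0x20B); /* AMD64, opt hdr size, PE32+ */
    put32(nt + 24 + 112, EXPORT_RVA); put32(nt + 24 + 116, CODE_RVA - EXPORT_RVA); /* DataDirectory[EXPORT] */
    uint8_t *exp = img + EXPORT_RVA;
    uint32_t funcs = EXPORT_RVA + 40, names = funcs + 4 * N_EXPORTS,
             ords = names + 4 * N_EXPORTS, strs = ords + 2 * N_EXPORTS;
    put32(exp + 16, 1); put32(exp + 20, N_EXPORTS); put32(exp + 24, N_EXPORTS);
    put32(exp + 28, funcs); put32(exp + 32, names); put32(exp + 36, ords);
    for (uint32_t i = 0; i < N_EXPORTS; i++) {
        uint32_t stub = CODE_RVA + 32 * i;
        put32(img + funcs + 4 * i, stub);
        put32(img + names + 4 * i, strs);
        put16(img + ords + 2 * i, (uint16_t)i);
        strcpy((char *)img + strs, kNames[i]);
        strs += (uint32_t)strlen(kNames[i]) + 1;
        uint8_t *c = img + stub;
        c[0] = 0x4C; c[1] = 0x8B; c[2] = 0xD1;     /* mov r10, rcx */
        c[3] = 0xB8; put32(c + 4, 0x100 + i);      /* mov eax, SSN (invented: 0x100+i) */
        c[8] = 0x0F; c[9] = 0x05; c[10] = 0xC3;    /* syscall ; ret */
    }
}

/* Walk the export directory of a mapped image (RVA == offset from base, as with a
 * SEC_IMAGE mapping) and return the RVA of `name`, or 0 if absent.  This replaces
 * GetProcAddress, which would hand back the public, possibly hooked, address. */
static uint32_t resolve_export(const uint8_t *img, const char *name) {
    if (memcmp(img, "MZ", 2) != 0) return 0;
    uint32_t e_lfanew = get32(img + 0x3C);
    if (e_lfanew > IMG_SIZE - 0x100 || memcmp(img + e_lfanew, "PE\0\0", 4) != 0) return 0;
    const uint8_t *opt = img + e_lfanew + 24;
    uint32_t exp_rva = get32(opt + (get16(opt) == 0x20B ? 112 : 96));   /* PE32+ / PE32 */
    if (exp_rva == 0 || exp_rva > IMG_SIZE - 40) return 0;
    const uint8_t *exp = img + exp_rva;
    uint32_t n = get32(exp + 24), funcs = get32(exp + 28),
             names = get32(exp + 32), ords = get32(exp + 36);
    for (uint32_t i = 0; i < n; i++) {
        uint32_t name_rva = get32(img + names + 4 * i);
        if (name_rva < IMG_SIZE && strcmp((const char *)img + name_rva, name) == 0)
            return get32(img + funcs + 4 * get16(img + ords + 2 * i));
    }
    return 0;
}

/* Inline hooks overwrite the prologue (E9 jmp rel32, FF 25 jmp [rip+disp]); any
 * difference in the first 16 bytes between public and private copy is reported. */
static int prologue_differs(const uint8_t *pub, const uint8_t *priv, uint32_t rva) {
    return memcmp(pub + rva, priv + rva, 16) != 0;
}
/* SSN from a pristine x64 stub, or -1 if the stub has been altered. */
static int syscall_number(const uint8_t *img, uint32_t rva) {
    const uint8_t *c = img + rva;
    return (c[0] == 0x4C && c[1] == 0x8B && c[2] == 0xD1 && c[3] == 0xB8) ? (int)get32(c + 4) : -1;
}
static uint8_t g_private[IMG_SIZE], g_public[IMG_SIZE];

/* Scenario: a user-mode monitor has inline-hooked NtCreateFile in the public copy;
 * the private copy is pristine.  Returns how many exports differ between the two. */
static int scan_for_hooks(void) {
    build_image(g_private);
    memcpy(g_public, g_private, IMG_SIZE);
    uint32_t rva = resolve_export(g_public, "NtCreateFile");
    g_public[rva] = 0xE9; put32(g_public + rva + 1, 0x1000);       /* planted hook: jmp rel32 */
    int hooked = 0;
    for (int i = 0; i < N_EXPORTS; i++) {
        rva = resolve_export(g_private, kNames[i]);
        int d = prologue_differs(g_public, g_private, rva); hooked += d;
        printf("%-12s rva=0x%03x ssn(private)=0x%x  %s\n", kNames[i], rva,
               (unsigned)syscall_number(g_private, rva), d ? "HOOKED in public copy" : "clean");
    }
    return hooked;
}

int main(void) {
    printf("%d export(s) differ between public and private copy\n", scan_for_hooks());
    return 0;
}
```

Run as-is it reports one hooked export (NtCreateFile) and reads the system service numbers only from the private copy. The comparison is deliberately done over the private image's own export table: if the name lookup went through the public copy, a hook that also patched the export directory could redirect the lookup itself.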
Fig. 3 is a schematic structural diagram of the apparatus for avoiding monitoring by malware proposed by another embodiment of the invention. The apparatus 30 comprises a detection module 31, an establishing module 32 and a processing module 33.
The detection module 31 is used to detect that a sensitive process has started, the sensitive process containing operations performed on information to be protected.
Which information is to be protected can be decided according to product requirements; such information may also be called sensitive information.
A sensitive process is, for example, a process that reads or writes sensitive information.
The embodiments of the invention are mainly aimed at avoiding user-mode monitoring, so these sensitive processes may specifically involve the system services provided by the operating system (Windows System Services), for example reading and writing files or reading and writing the registry.
The establishing module 32 is used to establish a private system service path for the sensitive process.
In the related art, the system services that Windows exposes (Windows System Services) must be reached by a user-mode process through the NTDLL.dll of the Windows system. In other words, all processes go through a public system service path, namely the system's NTDLL.dll. Some malware therefore monitors user-mode processes by monitoring this public system service path, that is, the system's NTDLL.dll.
In this embodiment, to avoid being monitored by malware, a private system service path can be established and the operations of the sensitive process carried out through it.
For example, the embodiment can copy the NTDLL.dll of the Windows system to obtain a private NTDLL.dll and serve the sensitive process through this private NTDLL.dll.
The processing module 33 is used to carry out the operations of the sensitive process using the private system service path.
The instructions that the private system service path points to are identical to those the public system service path points to. For example, when a file is created, the public system service path points to the instructions behind CreateFile; the private system service path points to those same instructions, so the file is created just the same.
For example, the private NTDLL.dll can be produced by copying the functions contained in the system's NTDLL.dll: the interfaces that implement the services are exported by the copy in the form of functions, and each copied function points to the same instructions as the original and performs the same task, such as creating a file. Calling the private NTDLL.dll thus achieves exactly what calling the system's NTDLL.dll achieves, while avoiding the monitoring that malware performs on the public system service path.
By establishing a private system service path, this embodiment avoids the monitoring that malware performs on the public system service path, ensures the security of the operation, protects personal privacy and improves the user experience.
Fig. 4 is a schematic structural diagram of the apparatus for avoiding monitoring by malware proposed by another embodiment of the invention. On the basis of the previous embodiment, the apparatus 30 further comprises a saving module 34 and a determination module 35.
In this embodiment the detection module 31 is used to detect that a sensitive process has started. For example, when a user downloads a private data file with a browser and does not want others to learn of the download, the sensitive process that has started can specifically be the process corresponding to the download of that private data.
In this embodiment the establishing module 32 is specifically used to copy the NTDLL.dll of the Windows system to obtain a private NTDLL.dll.
The private NTDLL.dll can be kept in the memory space of the sensitive process.
For example, the functions in the system's NTDLL.dll include NtCreateFile, NtWriteFile, NtReadFile and NtCloseFile; the private NTDLL.dll can export the interfaces of NtCreateFile, NtWriteFile, NtReadFile and NtCloseFile respectively, renamed within the private NTDLL.dll to MyNtCreateFile, MyNtWriteFile, MyNtReadFile and MyNtCloseFile.
The processing module 33 is specifically used to call the private NTDLL.dll and carry out the operations of the sensitive process according to the functions in the private NTDLL.dll.
The functions in the private NTDLL.dll are obtained by copying the corresponding functions of the system's NTDLL.dll; both point to the same instructions, have the same service interface and perform the same function.
For example, when the browser creates a file it calls MyNtCreateFile rather than NtCreateFile; likewise, writing a file calls MyNtWriteFile, and so on. In this way, other programs running in user mode cannot monitor the browser's file operations.
The saving module 34 is used to save the private NTDLL.dll in the memory space of the sensitive process.
The determination module 35 is used to determine a memory-mapped file that records the private NTDLL.dll and the mapping between the private NTDLL.dll and its location in the memory space.
In one embodiment the processing module 33 is specifically used to call the private NTDLL.dll according to the memory-mapped file and to carry out the operations of the sensitive process according to the functions in the private NTDLL.dll.
For example, read and write operations can be performed, according to the memory-mapped file, on the memory where the private NTDLL.dll is located, so as to read and write the private NTDLL.dll. Replacing file operations with memory operations improves read/write speed.
In one embodiment the apparatus may further comprise a removal module 36.
The removal module 36 is used to delete the memory-mapped file when the sensitive process exits.
This embodiment copies the system's NTDLL.dll to obtain a private NTDLL.dll, and the sensitive process operates by calling the private NTDLL.dll. Because user-mode malware that monitors the system's NTDLL.dll cannot monitor the private NTDLL.dll, monitoring by malware is effectively avoided, security is improved, user privacy is protected and the user experience is improved. In addition, calling the private NTDLL.dll through a memory-mapped file improves read/write speed.
The embodiment of the invention also provides a client device. The client device comprises a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged inside the space enclosed by the housing and the processor and the memory are mounted on the circuit board; the power supply circuit supplies power to each circuit or device of the client device; the memory stores executable program code; and the processor, by reading the executable program code stored in the memory, runs the program corresponding to that code to perform the following steps:
S11': detecting that a sensitive process has started, the sensitive process containing operations performed on information to be protected.
Which information is to be protected can be decided according to product requirements; such information may also be called sensitive information.
A sensitive process is, for example, a process that reads or writes sensitive information.
The embodiments of the invention are mainly aimed at avoiding user-mode monitoring, so these sensitive processes may specifically involve the system services provided by the operating system (Windows System Services), for example reading and writing files or reading and writing the registry.
S12': establishing a private system service path for the sensitive process.
In the related art, the system services that Windows exposes (Windows System Services) must be reached by a user-mode process through the NTDLL.dll of the Windows system. In other words, all processes go through a public system service path, namely the system's NTDLL.dll. Some malware therefore monitors user-mode processes by monitoring this public system service path, that is, the system's NTDLL.dll.
In this embodiment, to avoid being monitored by malware, a private system service path can be established and the operations of the sensitive process carried out through it.
For example, the embodiment can copy the NTDLL.dll of the Windows system to obtain a private NTDLL.dll and serve the sensitive process through this private NTDLL.dll.
S13': carrying out the operations of the sensitive process using the private system service path.
The instructions that the private system service path points to are identical to those the public system service path points to. For example, when a file is created, the public system service path points to the instructions behind CreateFile; the private system service path points to those same instructions, so the file is created just the same.
For example, the private NTDLL.dll can be produced by copying the functions contained in the system's NTDLL.dll: the interfaces that implement the services are exported by the copy in the form of functions, and each copied function points to the same instructions as the original and performs the same task, such as creating a file. Calling the private NTDLL.dll thus achieves exactly what calling the system's NTDLL.dll achieves, while avoiding the monitoring that malware performs on the public system service path.
By establishing a private system service path, this embodiment avoids the monitoring that malware performs on the public system service path, ensures the security of the operation, protects personal privacy and improves the user experience.
In another embodiment, the processor, by reading the executable program code stored in the memory, runs the program corresponding to that code to perform the following steps:
S21': detecting that a sensitive process has started.
For example, when a user downloads a private data file with a browser and does not want others to learn of the download, the sensitive process that has started can specifically be the process corresponding to the download of that private data.
S22': copying the NTDLL.dll of the Windows system to obtain a private NTDLL.dll.
The private NTDLL.dll can be kept in the memory space of the sensitive process.
For example, the functions in the system's NTDLL.dll include NtCreateFile, NtWriteFile, NtReadFile and NtCloseFile; the private NTDLL.dll can export the interfaces of NtCreateFile, NtWriteFile, NtReadFile and NtCloseFile respectively, renamed within the private NTDLL.dll to MyNtCreateFile, MyNtWriteFile, MyNtReadFile and MyNtCloseFile.
S23': calling the private NTDLL.dll and carrying out the operations of the sensitive process according to the functions in the private NTDLL.dll.
The functions in the private NTDLL.dll are obtained by copying the corresponding functions of the system's NTDLL.dll; both point to the same instructions, have the same service interface and perform the same function.
For example, when the browser creates a file it calls MyNtCreateFile rather than NtCreateFile; likewise, writing a file calls MyNtWriteFile, and so on. In this way, other programs running in user mode cannot monitor the browser's file operations.
Optionally, after the private NTDLL.dll has been saved to the memory space, the method may further comprise: determining a memory-mapped file (FileMapping) that records the private NTDLL.dll and the mapping between the private NTDLL.dll and its location in the memory space.
Accordingly, the private NTDLL.dll can be called according to this memory-mapped file; for example, read and write operations can be performed, according to the memory-mapped file, on the memory where the private NTDLL.dll is located, so as to read and write the private NTDLL.dll. Replacing file operations with memory operations improves read/write speed.
In one embodiment, the method may further comprise: deleting the memory-mapped file when the sensitive process exits.
This embodiment copies the system's NTDLL.dll to obtain a private NTDLL.dll, and the sensitive process operates by calling the private NTDLL.dll. Because user-mode malware that monitors the system's NTDLL.dll cannot monitor the private NTDLL.dll, monitoring by malware is effectively avoided, security is improved, user privacy is protected and the user experience is improved. In addition, calling the private NTDLL.dll through a memory-mapped file improves read/write speed.
It should be noted that in the description of the present invention the terms "first", "second" and the like are used only for descriptive purposes and cannot be understood as indicating or implying relative importance. In addition, unless otherwise stated, "a plurality of" means two or more.
Any process or method described in the flowchart or otherwise described herein may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing the steps of a specific logical function or process, and the scope of the preferred embodiments of the present invention includes other implementations in which functions may be performed out of the order shown or discussed, including in a substantially simultaneous manner or in reverse order depending on the functionality involved, as should be understood by those skilled in the art to which the embodiments of the present invention belong.
It should be understood that the parts of the present invention may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, a plurality of steps or methods may be implemented by software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented by any one of the following techniques well known in the art or a combination thereof: discrete logic circuits having logic gates for implementing logic functions on data signals, application-specific integrated circuits having suitable combinational logic gates, programmable gate arrays (PGA), field programmable gate arrays (FPGA), and so on.
Those skilled in the art will appreciate that all or part of the steps carried by the methods of the above embodiments may be completed by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, includes one of the steps of the method embodiments or a combination thereof.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing module, may each exist physically as a separate unit, or two or more units may be integrated in one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. If the integrated module is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, or the like.
In the description of this specification, reference to the terms "an embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that a particular feature, structure, material or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic expressions of the above terms do not necessarily refer to the same embodiment or example. Moreover, the particular features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described above, it is to be understood that the above embodiments are exemplary and are not to be construed as limiting the present invention; those of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the present invention.

Claims (12)

1. A method for preventing monitoring by malware, characterized by comprising:
detecting that a sensitive process is started, the sensitive process containing an operation performed on information to be protected;
establishing a private system service path for the sensitive process;
using the private system service path to perform the operation of the sensitive process.
2. The method according to claim 1, characterized in that the establishing a private system service path for the sensitive process comprises:
copying the NTDLL.dll in the Windows system to obtain a private NTDLL.dll.
3. The method according to claim 2, characterized in that the using the private system service path to perform the operation of the sensitive process comprises:
calling the private NTDLL.dll and performing the operation of the sensitive process according to the functions in the private NTDLL.dll.
4. The method according to claim 3, characterized in that, after the obtaining a private NTDLL.dll, the method further comprises:
storing the private NTDLL.dll in the memory space of the sensitive process;
determining a memory-mapped file, the memory-mapped file being used to record the mapping relationship between the private NTDLL.dll and the position of the private NTDLL.dll in the memory space.
5. The method according to claim 4, characterized in that the calling the private NTDLL.dll comprises:
calling the private NTDLL.dll according to the memory-mapped file.
6. The method according to claim 4 or 5, characterized by further comprising:
if the sensitive process exits, deleting the memory-mapped file.
7. A device for preventing monitoring by malware, characterized by comprising:
a detection module, configured to detect that a sensitive process is started, the sensitive process containing an operation performed on information to be protected;
an establishing module, configured to establish a private system service path for the sensitive process;
a processing module, configured to use the private system service path to perform the operation of the sensitive process.
8. The device according to claim 7, characterized in that the establishing module is specifically configured to:
copy the NTDLL.dll in the Windows system to obtain a private NTDLL.dll.
9. The device according to claim 8, characterized in that the processing module is specifically configured to:
call the private NTDLL.dll and perform the operation of the sensitive process according to the functions in the private NTDLL.dll.
10. The device according to claim 9, characterized by further comprising:
a storing module, configured to store the private NTDLL.dll in the memory space of the sensitive process;
a determining module, configured to determine a memory-mapped file, the memory-mapped file being used to record the mapping relationship between the private NTDLL.dll and the position of the private NTDLL.dll in the memory space.
11. The device according to claim 10, characterized in that the processing module is specifically configured to:
call the private NTDLL.dll according to the memory-mapped file and perform the operation of the sensitive process according to the functions in the private NTDLL.dll.
12. The device according to claim 10 or 11, characterized by further comprising:
a deleting module, configured to delete the memory-mapped file if the sensitive process exits.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410114577.5A CN103914656A (en) 2014-03-25 2014-03-25 Method and device for preventing monitoring of malware

Publications (1)

Publication Number Publication Date
CN103914656A true CN103914656A (en) 2014-07-09

Family

ID=51040329

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410114577.5A Pending CN103914656A (en) 2014-03-25 2014-03-25 Method and device for preventing monitoring of malware

Country Status (1)

Country Link
CN (1) CN103914656A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101620660A (en) * 2009-07-31 2010-01-06 北京大学 Method for defending hooks in Windows operating system
CN102739685A (en) * 2012-07-04 2012-10-17 网宿科技股份有限公司 Filter method and device for application layer network communication
CN103019765A (en) * 2012-11-15 2013-04-03 北京奇虎科技有限公司 File redirection method, device and computer system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108256326A (en) * 2017-12-14 2018-07-06 捷开通讯(深圳)有限公司 Method for preventing malicious code compilation, storage medium and electronic device
WO2019114812A1 (en) * 2017-12-14 2019-06-20 捷开通讯(深圳)有限公司 Method for preventing malicious code compilation, storage medium and electronic device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20140709