CN104751057B - A kind of method and device for enhancing computer system security - Google Patents
A kind of method and device for enhancing computer system security
- Publication number: CN104751057B (application CN201510111889.5A)
- Authority: CN (China)
- Prior art keywords: virtualized environment, path, file object, data structure, file
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The present invention provides a method and device for enhancing computer system security. The method comprises the following steps: for a file object associated with a program running in a virtualized environment, obtaining the underlying data structure of the file object; and using a non-virtualized environment path in that underlying data structure, the non-virtualized environment path indicating the path associated with the file object. The invention prevents a program running in a virtualized environment from determining, from its process path or from file paths, that it is running in a virtualized environment, and so effectively avoids the problem of malware hiding its malicious behaviour once it perceives that it is running in a virtualized environment, thereby escaping detection by security software. Compared with the prior art, the method of the present invention solves this problem thoroughly and has a smaller impact on system stability and efficiency, thereby enhancing the security of the computer system.
Description
Technical field
The present invention relates to the field of security, and more particularly to a method and device for enhancing computer system security.
Background technology
In the prior art, the sandbox is part of the dynamic protection technology of security software. A sandbox mainly provides an isolated, virtual operating platform that lets a program run normally in a virtualized environment without affecting any other part of the computer system. A program running in a sandbox can query its process path or the paths of files it has created and, by checking whether such a path contains the sandbox's virtual-environment prefix, perceive whether it is running in a virtualized environment. For an unknown program, a user can first try it in the virtualized environment to determine whether it is safe, and only run it in the real system environment once it has been confirmed safe. However, some malware can perceive by the above method whether it is running in a virtualized environment, and hides its malicious behaviour when it is, thereby escaping detection by security software. To overcome this problem, the prior art intercepts as many of the operations that obtain a process path or file path as possible, in order to prevent the program from perceiving its running environment. However, this approach requires too many interception points and cannot be guaranteed to be comprehensive and thorough; it also affects system stability and efficiency. Therefore, how to prevent a program from perceiving its virtualized running environment more effectively is a problem that needs to be solved.
Invention content
The object of the present invention is to provide a method and device for enhancing computer system security.
According to one aspect of the present invention, a method for enhancing computer system security is provided, the method comprising the following steps:
for a file object associated with a program running in a virtualized environment, obtaining the underlying data structure of the file object;
using a non-virtualized environment path in the underlying data structure of the file object, the non-virtualized environment path indicating the path associated with the file object.
According to another aspect of the present invention, a device for enhancing computer system security is provided, the device comprising:
a means for obtaining, for a file object associated with a program running in a virtualized environment, the underlying data structure of the file object;
a means for using a non-virtualized environment path in the underlying data structure of the file object, the non-virtualized environment path indicating the path associated with the file object.
The invention prevents a program running in a virtualized environment from determining, from its process path or from file paths, whether it is running in a virtualized environment, and so effectively avoids the problem of malware hiding its malicious behaviour once it perceives that it is running in a virtualized environment, thereby escaping detection by security software. Compared with the prior art, the method of the present invention solves this problem thoroughly and has a smaller impact on system stability and efficiency, thereby enhancing the security of the computer system.
Description of the drawings
Other features, objects and advantages of the present invention will become more apparent upon reading the following detailed description of non-limiting embodiments with reference to the accompanying drawings:
Fig. 1 shows a flow chart of the method for enhancing computer system security according to an embodiment of one aspect of the present invention;
Fig. 2 shows a schematic diagram of the device for enhancing computer system security according to an embodiment of another aspect of the present invention.
In the drawings, the same or similar reference numerals denote the same or similar components.
Specific implementation mode
Before the exemplary embodiments are discussed in greater detail, it should be mentioned that some exemplary embodiments are described as processes or methods depicted as flow charts. Although a flow chart describes the operations as a sequential process, many of the operations may be performed in parallel, concurrently or simultaneously. In addition, the order of the operations may be rearranged. A process may be terminated when its operations are completed, but may also have additional steps not included in the figure. A process may correspond to a method, function, procedure, subroutine, subprogram, etc.
"Computer equipment" as used herein, also called a "computer", refers to an intelligent electronic device that can carry out predetermined processing such as numerical and/or logical computation by running preset programs or instructions. It may comprise a processor and a memory, with the processor executing pre-stored instructions from the memory to carry out the predetermined processing; or the predetermined processing may be carried out by hardware such as an ASIC, FPGA or DSP; or by a combination of the two. Computer equipment includes, but is not limited to, servers, personal computers, laptops, tablet computers, smartphones, etc.
Computer equipment includes user equipment and network equipment. User equipment includes, but is not limited to, computers, smartphones, PDAs, etc.; network equipment includes, but is not limited to, a single network server, a server group composed of multiple network servers, or a cloud based on cloud computing and composed of a large number of computers or network servers, where cloud computing is a kind of distributed computing: a super virtual computer composed of a group of loosely coupled computers. The computer equipment may run in isolation to implement the present invention, or may access a network and implement the present invention by interacting with other computer equipment in the network. The network in which the computer equipment resides includes, but is not limited to, the Internet, wide area networks, metropolitan area networks, local area networks, VPN networks, etc.
It should be noted that the user equipment, network equipment and networks above are only examples; other existing or future computer equipment or networks, if applicable to the present invention, should also be included within the scope of the present invention and are incorporated herein by reference.
The methods discussed hereinafter (some of which are illustrated by flow charts) may be implemented by hardware, software, firmware, middleware, microcode, hardware description languages, or any combination thereof. When implemented in software, firmware, middleware or microcode, the program code or code segments that perform the necessary tasks may be stored in a machine- or computer-readable medium (for example, a storage medium). One or more processors may perform the necessary tasks.
The specific structural and functional details disclosed herein are merely representative and serve the purpose of describing exemplary embodiments of the present invention. The present invention may, however, be embodied in many alternative forms and should not be construed as limited to only the embodiments set forth herein.
It should be understood that although the terms "first", "second", etc. may be used herein to describe various units, these units should not be limited by these terms. These terms are used only to distinguish one unit from another. For example, without departing from the scope of the exemplary embodiments, a first unit could be termed a second unit, and similarly a second unit could be termed a first unit. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
It should be understood that when a unit is referred to as being "connected" or "coupled" to another unit, it can be directly connected or coupled to the other unit, or intervening units may be present. In contrast, when a unit is referred to as being "directly connected" or "directly coupled" to another unit, there are no intervening units. Other words used to describe the relationship between units should be interpreted in a like fashion (e.g. "between" versus "directly between", "adjacent" versus "directly adjacent", etc.).
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the exemplary embodiments. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the terms "comprises" and/or "comprising", as used herein, specify the presence of the stated features, integers, steps, operations, units and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, units, components and/or combinations thereof.
It should further be noted that in some alternative implementations, the functions or acts noted may occur out of the order indicated in the figures. For example, two figures shown in succession may in fact be executed substantially concurrently, or may sometimes be executed in the reverse order, depending on the functions or acts involved.
The present invention is further described in detail below with reference to the accompanying drawings.
Currently, in computer systems, to determine whether an unknown program is safe, a user can first try the program in a virtualized environment and, once the unknown program is confirmed safe, run it in the actual computer system environment. In general, a program running in a virtualized environment should not affect the other parts of the computer system. In the prior art, for a program running in a virtualized environment, the files it creates or modifies are typically placed in the virtualized environment, so the file paths of such files contain the virtualized environment's prefix path. Likewise, when the program's image file itself is placed in the virtualized environment, the program's process path also contains the virtualized environment's prefix path.
For example, in Windows systems, sandbox technology can be used to provide a virtualized environment. In the prior art, files created or modified by a program running in a sandbox are placed in the sandbox environment and carry the path of that sandbox environment. Likewise, when the program's image file itself is placed in the sandbox environment, the program's process path also contains the sandbox environment's path. In Windows systems, a program can obtain a file path or process path through a user-mode handle. The user-mode handle corresponds to a file object in the Windows kernel-mode Object Manager. This file object has a corresponding underlying data structure in the file system. For example, when NTFS is used, the underlying data structure of the file object is the CCB (Context Control Block). Typically, for a program running in a sandbox, the CCB structure of a file object associated with the program holds the path of the sandbox environment, i.e. the virtualized environment path. Therefore, in the prior art, a program can obtain the virtualized environment path by operating on a user-mode handle and thereby perceive that it is running in a virtualized environment. As described above, a program's perception of its virtualized running environment can lead to security problems. The present invention solves this problem, thereby enhancing computer system security.
Those skilled in the art should also understand that the descriptions herein relating to the virtualized environment are exemplary descriptions provided only to help the reader understand the principle of the invention, and do not limit the scope of application of the present invention in any way. Likewise, although the embodiments are explained below using the Windows operating system, sandboxes, CCB structures, etc., this is only for ease of understanding and does not limit the present invention in any way. The scope of the present invention is defined by the appended claims rather than by the above description.
Fig. 1 shows a flow chart of the method for enhancing computer system security according to an embodiment of one aspect of the present invention.
The method of the present invention is implemented by computer equipment. The computer equipment includes, but is not limited to, servers, personal computers, laptops, tablet computers, smartphones, etc.
According to one embodiment of the present invention, the computer system is based on the Windows operating system, the virtualized environment is a sandbox environment, and the underlying data structure is the CCB data structure. For ease of understanding, unless otherwise specified, the computer system hereinafter is based on the Windows operating system, uses the NTFS (New Technology File System) file system, and provides the virtualized environment in the Windows operating system using sandbox technology. Those skilled in the art should understand that the principle of the invention applies equally to computer systems based on a Windows operating system using the FAT (File Allocation Table) file system, or on other similar operating systems.
First, in step S11, for a file object associated with a program running in a virtualized environment, the underlying data structure of the file object is obtained.
Here, a file object means the representation, in the operating system, of a file associated with a running program. The underlying data structure of a file object means the data structure of that file object in the file system, such as the CCB structure described above. A file object associated with a program refers to a file object involved in the program's execution. For example, for a program running on the Windows operating system, its associated file objects may include the kernel-mode file objects corresponding to the program's user-mode file handles, where a user-mode file handle of the program may be a file handle related to a file the program uses, a file handle related to a named pipe the program uses, or any other file handle supported by the Windows operating system. In particular, a file object associated with the program may be the file object associated with the program's image file. The program's process object uses the path in the underlying data structure of that file object as the process path of the program's process.
Specifically, in step S11, for a file object associated with a program running in a virtualized environment, the underlying data structure of the file object can be obtained by, for example, interacting with the operating system or interacting with the file system.
Then, in step S12, a non-virtualized environment path is used in the underlying data structure of the file object to indicate the path associated with the file object. As described above, a virtualized environment path means a path related to the virtualized environment, such as a sandbox environment, for example a sandbox path. Correspondingly, a non-virtualized environment path means a real environment path of the computer system. For ease of description and understanding, a path whose name contains "sandbox" is hereinafter used as the virtualized environment path, and a path whose name does not contain "sandbox" as the non-virtualized environment path.
Specifically, in step S12, the non-virtualized environment path can be used in the underlying data structure of the file object to indicate the path associated with the file object by, for example, interacting with the operating system or directly manipulating the data at the corresponding memory address. As described above, when the path contained in the underlying data structure of the file object is then obtained by operating on a user-mode handle, the path obtained will be the non-virtualized environment path. It should be noted that when the file is physically stored in the virtualized environment, for example in the sandbox, the actual file path is the sandbox path. Therefore, the non-virtualized environment path used in step S12 differs from the actual file path of the file.
In a preferred embodiment, in step S12, the non-virtualized environment path can be used in the underlying data structure of the file object, according to a mapping relationship between virtualized environment paths and non-virtualized environment paths, to indicate the path associated with the file object. For example, when the file is physically stored in the virtualized environment, such as in the sandbox, the actual file path contains the virtualized environment path, for example the sandbox path c:\sandbox. Assuming that the sandbox path c:\sandbox is mapped to the non-virtualized environment path c:\, then, according to this mapping relationship, the non-virtualized environment path c:\ can be used in the CCB structure of the file object corresponding to the file to indicate the path of the file.
In one embodiment, the mapping relationship between virtualized environment paths and non-virtualized environment paths can be configured. For example, continuing the example above, the sandbox path c:\sandbox can be configured, according to actual needs, to map to the non-virtualized environment path c:\. Further, the mapping relationship between virtualized environment paths and non-virtualized environment paths can also be adjusted according to actual needs, for example by changing c:\sandbox to map to the non-virtualized environment path d:\.
In one embodiment, in step S11, for a file object associated with a program running in a virtualized environment, the underlying data structure of the file object is created. For example, for a program P1 running in a sandbox, program P1 creates a file F1; file F1 is placed in the sandbox environment and actually stored under the c:\sandbox directory. For the file object FO1 corresponding to file F1, the underlying data structure of file object FO1, for example the NTFS CCB structure, can be created by calling a driver library function provided by the Windows operating system. Then, in step S12, the non-virtualized environment path is used in the created underlying data structure of the file object to indicate the path associated with the file object. Specifically, the driver library function of the operating system can be modified, for example, so that the non-virtualized environment path, rather than the virtualized environment path, is used in the created underlying data structure of the file object. Continuing the example, in the CCB structure of file object FO1, the non-virtualized environment path c:\ is used to indicate the path associated with file object FO1, i.e. the path of file F1. Alternatively, when the virtualized environment path c:\sandbox is mapped to the non-virtualized environment path d:\, the non-virtualized environment path d:\ can be used in the CCB structure of file object FO1 to indicate the path of file F1.
In another embodiment, in step S11, for a file object associated with a program running in a virtualized environment, the existing underlying data structure of the file object is obtained. For example, for a program P1 running in a sandbox, program P1 creates a file F1; file F1 is located in the sandbox environment and actually stored under the c:\sandbox directory. Correspondingly, the operating system creates a file object FO1 for file F1 and creates an underlying data structure, a CCB structure, for file object FO1, where the CCB structure contains the sandbox environment path c:\sandbox, which is the virtualized environment path. The CCB structure of file object FO1 can be obtained, for example, by interacting with the operating system. Alternatively, the driver library function of the operating system can be modified to send a message when a CCB structure is created, and, after receiving the message that the CCB structure has been created, the CCB structure can be obtained on the basis of that message. Then, in step S12, the virtualized environment path in the underlying data structure of the file object can be changed to the non-virtualized environment path, which indicates the path associated with the file object. Continuing the example, the virtualized environment path c:\sandbox in the CCB structure of file object FO1 can be changed to the non-virtualized environment path c:\ by directly manipulating the content of the corresponding memory address, to indicate the path of the file F1 corresponding to file object FO1. Alternatively, when the virtualized environment path c:\sandbox is mapped to the non-virtualized environment path d:\, the virtualized environment path c:\sandbox in the CCB structure of file object FO1 can be changed to the non-virtualized environment path d:\.
Those skilled in the art will understand that the descriptions herein of changing a virtualized path to a non-virtualized path are merely illustrative and non-limiting; there are various other implementations that do not depart from the spirit or scope of the present invention, and they are incorporated herein by reference.
In one embodiment, the file object associated with the program running in the virtualized environment is the file object associated with the program's image file. The process object of the program takes the non-virtualized environment path in the underlying data structure of that file object as the process path of the program's process. Here, the process object of a program refers to the representation of the running program's process in the operating system of the computer system. For example, assume the program's image file is P1.exe, stored in the sandbox environment directory c:\sandbox, i.e. the actual path of image file P1.exe is the virtual environment path c:\sandbox. Assume that c:\sandbox is mapped to the non-virtualized environment path d:\. By the method described above, the non-virtualized environment path d:\ can be used in the underlying data structure, the CCB structure, of the file object FO1 associated with image file P1.exe. Then, the process object of the program takes the non-virtualized environment path d:\ in the CCB structure of the file object FO1 corresponding to image file P1.exe as the process path of the program's process. That is, the program will consider its process path to be the non-virtualized environment path d:\, and so will not perceive that it is running in a virtualized environment.
In one embodiment, the computer system is based on the Windows operating system, the virtualized environment is a sandbox environment, and the underlying data structure is the CCB data structure.
Fig. 2 shows a schematic diagram of the device for enhancing computer system security according to an embodiment of another aspect of the present invention.
The method of the present invention is implemented by computer equipment. The computer equipment includes, but is not limited to, servers, personal computers, laptops, tablet computers, smartphones, etc.
According to one embodiment of the present invention, the computer system is based on the Windows operating system, the virtualized environment is a sandbox environment, and the underlying data structure is the CCB data structure. For ease of understanding, unless otherwise specified, the computer system hereinafter is based on the Windows operating system, uses the NTFS (New Technology File System) file system, and provides the virtualized environment in the Windows operating system using sandbox technology. Those skilled in the art should understand that the principle of the invention applies equally to computer systems based on a Windows operating system using the FAT (File Allocation Table) file system, or on other similar operating systems.
As shown in Fig. 2, the device for enhancing computer system security comprises: a means 21 for obtaining, for a file object associated with a program running in a virtualized environment, the underlying data structure of the file object, hereinafter referred to as the acquisition device 21; and a means 22 for using a non-virtualized environment path in the underlying data structure of the file object, hereinafter referred to as the non-virtualized environment path use device 22, the non-virtualized environment path indicating the path associated with the file object.
First, the acquisition device 21 obtains, for a file object associated with a program running in a virtualized environment, the underlying data structure of the file object.
Here, a file object means the representation, in the operating system, of a file associated with a running program. The underlying data structure of a file object means the data structure of that file object in the file system, such as the CCB structure described above. A file object associated with a program refers to a file object involved in the program's execution. For example, for a program running on the Windows operating system, its associated file objects may include the kernel-mode file objects corresponding to the program's user-mode file handles, where a user-mode file handle of the program may be a file handle related to a file the program uses, a file handle related to a named pipe the program uses, or any other file handle supported by the Windows operating system. In particular, a file object associated with the program may be the file object associated with the program's image file. The program's process object uses the path in the underlying data structure of that file object as the process path of the program's process.
Specifically, for a file object associated with a program running in a virtualized environment, the acquisition device 21 can obtain the underlying data structure of the file object by, for example, interacting with the operating system or interacting with the file system.
Then, the non-virtualized environment path use device 22 uses a non-virtualized environment path in the underlying data structure of the file object to indicate the path associated with the file object. As described above, a virtualized environment path means a path related to the virtualized environment, such as a sandbox environment, for example a sandbox path. Correspondingly, a non-virtualized environment path means a real environment path of the computer system. For ease of description and understanding, a path whose name contains "sandbox" is hereinafter used as the virtualized environment path, and a path whose name does not contain "sandbox" as the non-virtualized environment path.
Specifically, the non-virtualized environment path use device 22 can use the non-virtualized environment path in the underlying data structure of the file object to indicate the path associated with the file object by, for example, interacting with the operating system or directly manipulating the data at the corresponding memory address. As described above, when the path contained in the underlying data structure of the file object is then obtained by operating on a user-mode handle, the path obtained will be the non-virtualized environment path. It should be noted that when the file is physically stored in the virtualized environment, for example in the sandbox, the actual file path is the sandbox path. Therefore, the non-virtualized environment path used by the non-virtualized environment path use device 22 differs from the actual file path of the file.
In a preferred embodiment, the non-virtualized environment path use device 22 can use the non-virtualized environment path in the underlying data structure of the file object, according to a mapping relationship between virtualized environment paths and non-virtualized environment paths, to indicate the path associated with the file object. For example, when the file is physically stored in the virtualized environment, such as in the sandbox, the actual file path contains the virtualized environment path, for example the sandbox path c:\sandbox. Assuming that the sandbox path c:\sandbox is mapped to the non-virtualized environment path c:\, then, according to this mapping relationship, the non-virtualized environment path use device 22 can use the non-virtualized environment path c:\ in the CCB structure of the file object corresponding to the file to indicate the path of the file.
In one embodiment, the device for enhancing computer system security further comprises a means for configuring the mapping relationship between virtualized environment paths and non-virtualized environment paths, hereinafter referred to as the configuration device 23 (not shown). The configuration device 23 can configure the mapping relationship between virtualized environment paths and non-virtualized environment paths. For example, continuing the example, the configuration device 23 can configure, according to actual needs, the sandbox path c:\sandbox to map to the non-virtualized environment path c:\. In addition, the configuration device 23 can also adjust the mapping relationship between virtualized environment paths and non-virtualized environment paths according to actual needs, for example by changing c:\sandbox to map to the non-virtualized environment path d:\.
In one embodiment, acquisition device 21 creates, for a file object associated with a program running in the virtualized environment, the underlying data structure of that file object. For example, a program P1 running in the sandbox will create a file F1; this file F1 is placed in the sandbox environment and is actually stored under the directory c:\sandbox. For the file object FO1 corresponding to file F1, acquisition device 21 can create the underlying data structure of file object FO1, for example the CCB structure of NTFS, by calling a driver library function provided by the Windows operating system. Then, the non-virtualized-environment path use device 22 uses the non-virtualized-environment path in the underlying data structure that has been created for the file object, the non-virtualized-environment path being used to indicate the path associated with the file object. Specifically, the non-virtualized-environment path use device 22 can, for example by modifying the driver library function of the operating system, use the non-virtualized-environment path rather than the virtualized-environment path in the underlying data structure created for the file object. Continuing the example, for the CCB structure of file object FO1, the non-virtualized-environment path use device 22 will use the non-virtualized-environment path c:\ to indicate the path associated with file object FO1, that is, the path of file F1. Alternatively, when the virtualized-environment path c:\sandbox is mapped to the non-virtualized-environment path d:\, the non-virtualized-environment path use device 22 can, for the CCB structure of file object FO1, use the non-virtualized-environment path d:\ to indicate the path of file F1.
In another embodiment, acquisition device 21 obtains, for a file object associated with a program running in the virtualized environment, the existing underlying data structure of that file object. For example, a program P1 running in the sandbox creates a file F1; this file F1 is located in the sandbox environment and is actually stored under the directory c:\sandbox. Accordingly, the operating system creates the file object FO1 for file F1 and creates the underlying data structure, a CCB structure, for file object FO1, where the CCB structure contains the sandbox environment path c:\sandbox, which is a virtualized-environment path. Acquisition device 21 can obtain the CCB structure of file object FO1 by, for example, interacting with the operating system. Alternatively, acquisition device 21 can modify the driver library function of the operating system so that it sends a message when a CCB structure is created; after receiving the message that a CCB structure has been created, acquisition device 21 can obtain the CCB structure on the basis of that message. Then, the non-virtualized-environment path use device 22 can modify the virtualized-environment path in the underlying data structure of the file object into the non-virtualized-environment path, the non-virtualized-environment path being used to indicate the path associated with the file object. Continuing the example, the non-virtualized-environment path use device 22 can, by directly operating on the contents of the corresponding memory address, modify the virtualized-environment path c:\sandbox in the CCB structure of file object FO1 into the non-virtualized-environment path c:\, so as to indicate the path of the file F1 corresponding to file object FO1. Alternatively, when the virtualized-environment path c:\sandbox is mapped to the non-virtualized-environment path d:\, the non-virtualized-environment path use device 22 can modify the virtualized-environment path c:\sandbox in the CCB structure of file object FO1 into the non-virtualized-environment path d:\.
Those skilled in the art will understand that the description given here of modifying the virtualization path into the non-virtualized path is merely illustrative and not limiting; various other implementations exist that do not depart from the spirit or scope of the present invention, and they are incorporated herein by reference.
In one embodiment, the file object associated with the program running in the virtualized environment is the file object associated with the image file of that program. The process object of the program then uses the non-virtualized-environment path in the underlying data structure of that file object as the process path of the program's process. Here, the process object of a program refers to the representation of the running program's process in the operating system of the computer system. For example, assume that the image file of the program is P1.exe and that it is stored in the sandbox environment directory c:\sandbox, that is, the actual path of the image file P1.exe is the virtual-environment path c:\sandbox. Assume further that c:\sandbox is mapped to the non-virtualized-environment path d:\. By the method described above, the non-virtualized-environment path use device 22 can use the non-virtualized-environment path d:\ in the underlying data structure, the CCB structure, of the file object FO1 associated with the image file P1.exe. The process object of the program then takes the non-virtualized-environment path d:\ in the CCB structure of the file object FO1 corresponding to the image file P1.exe as the process path of the program's process. That is, the program will consider its process path to be the non-virtualized-environment path d:\ and will therefore not perceive that it is running in a virtualized environment.
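The path mapping of configuration device 23, its application by the non-virtualized-environment path use device 22 (the c:\sandbox to c:\ and d:\ examples above), and the self-check on the process path that the last embodiment defeats, modelled together in user-mode C as an added example. This is not code from the patent or from any Windows driver: the kernel-side work of locating and patching the NTFS CCB is not shown, and the mapping entries, file names and sandbox marker strings are constructed for the example. The rewrite matches the virtual prefix only on a path component boundary (so c:\sandbox does not match c:\sandboxed\...) and case-insensitively, as NTFS names are; `path_looks_sandboxed` stands in for the check a sandbox-aware program makes on its own image path:

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: user-mode model of the virtualized -> non-virtualized path
 * mapping (configuration device 23) and its application to the path held for
 * a file object (device 22). Not the patent's or any driver's code. */

typedef struct {
    const char *virtual_prefix;     /* e.g. "c:\\sandbox" (constructed) */
    const char *non_virtual_prefix; /* e.g. "c:\\" or "d:\\" (constructed) */
} PathMapping;

static bool is_sep(char c) { return c == '\\' || c == '/'; }

static char fold(char c) { return (char)tolower((unsigned char)c); }

/* Case-insensitive prefix test that also treats '\\' and '/' as equal. */
static bool has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++) {
        if (*s == '\0') return false;
        if (is_sep(*s) && is_sep(*prefix)) continue;
        if (fold(*s) != fold(*prefix)) return false;
    }
    return true;
}

/* Rewrite `path` with the first mapping whose virtual prefix matches on a
 * component boundary. Returns 1 if rewritten, 0 if no mapping applies (out
 * then holds a copy of path), -1 if out is too small. */
int rewrite_path(const char *path, const PathMapping *maps, size_t nmaps,
                 char *out, size_t outlen)
{
    for (size_t i = 0; i < nmaps; i++) {
        const char *vp = maps[i].virtual_prefix;
        if (!has_prefix_ci(path, vp)) continue;

        const char *rest = path + strlen(vp);
        /* "c:\sandbox" must not match "c:\sandboxed\..." */
        if (*rest != '\0' && !is_sep(*rest)) continue;
        while (is_sep(*rest)) rest++;   /* drop the joining separator(s) */

        const char *np = maps[i].non_virtual_prefix;
        size_t nlen = strlen(np);
        bool need_sep = nlen > 0 && !is_sep(np[nlen - 1]) && *rest != '\0';
        int n = snprintf(out, outlen, "%s%s%s", np, need_sep ? "\\" : "", rest);
        return (n >= 0 && (size_t)n < outlen) ? 1 : -1;
    }
    if (strlen(path) + 1 > outlen) return -1;
    strcpy(out, path);
    return 0;
}

/* Case-insensitive substring search. */
static bool contains_ci(const char *hay, const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen == 0) return true;
    for (; *hay; hay++) {
        size_t k = 0;
        while (k < nlen && hay[k] != '\0' && fold(hay[k]) == fold(needle[k])) k++;
        if (k == nlen) return true;
    }
    return false;
}

/* The kind of self-check a sandbox-aware program makes on its own process or
 * file path. The marker names are constructed for this example. */
bool path_looks_sandboxed(const char *path)
{
    static const char *const markers[] = { "sandbox", "sbox", "analysis" };
    for (size_t i = 0; i < sizeof markers / sizeof markers[0]; i++)
        if (contains_ci(path, markers[i])) return true;
    return false;
}

int main(void)
{
    /* Mapping as configured by device 23 in the embodiment: c:\sandbox -> d:\ */
    const PathMapping maps[] = { { "c:\\sandbox", "d:\\" } };
    const char *actual = "c:\\sandbox\\P1.exe";   /* where P1.exe really is */
    char shown[260];

    rewrite_path(actual, maps, 1, shown, sizeof shown);
    printf("actual path   : %-24s sandboxed? %s\n", actual,
           path_looks_sandboxed(actual) ? "yes" : "no");
    printf("path presented: %-24s sandboxed? %s\n", shown,
           path_looks_sandboxed(shown) ? "yes" : "no");
    return 0;
}
```

In the method itself the rewritten string is what ends up in the kernel-side CCB, so every path the program can query for that object (its image path, names returned for handles) is answered from the same mapping. One practical caveat: the target prefix has to be chosen so that the presented paths stay consistent with what the program sees elsewhere (directory listings, existing files under d:\), since an image path that does not agree with the rest of the file system is itself a sandbox indicator.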
In one embodiment, the computer system is based on the Windows operating system, the virtualized environment is a sandbox environment, and the underlying data structure is a CCB (context control block) data structure.
It should be noted that the present invention can be implemented in software and/or in a combination of software and hardware; for example, each device of the present invention can be implemented using an application-specific integrated circuit (ASIC) or any other similar hardware device. In one embodiment, the software program of the present invention can be executed by a processor to implement the steps or functions described above. Likewise, the software program of the present invention (including the related data structures) can be stored in a computer-readable recording medium, for example RAM memory, a magnetic or optical drive or floppy disk, and similar devices. In addition, some steps or functions of the present invention can be implemented in hardware, for example as circuitry that cooperates with the processor to execute each step or function.
It is obvious to those skilled in the art that the invention is not limited to the details of the exemplary embodiments above, and that the invention can be realized in other specific forms without departing from its spirit or essential attributes. Therefore, the present embodiments are to be considered in all respects as illustrative and not restrictive, and the scope of the invention is defined by the appended claims rather than by the above description; all changes that fall within the meaning and range of equivalency of the claims are intended to be included in the invention. Any reference signs in the claims should not be construed as limiting the claims concerned. Furthermore, it is clear that the word "comprising" does not exclude other units or steps, and the singular does not exclude the plural. A plurality of units or devices stated in a system claim may also be realized by a single unit or device through software or hardware. Words such as "first" and "second" are used to denote names and do not indicate any particular order.
Although exemplary embodiments have been specifically shown and described above, those skilled in the art will understand that changes in form and detail can be made without departing from the spirit and scope of the claims. The protection sought here is set out in the appended claims.
Claims (14)
1. A method for enhancing computer system security, wherein the method comprises:
for a file object associated with a program running in a virtualized environment, obtaining the underlying data structure of the file object;
using a non-virtualized-environment path in the underlying data structure of the file object, the non-virtualized-environment path being used to indicate the path associated with the file object.
2. The method according to claim 1, wherein the step of obtaining the underlying data structure of the file object, for a file object associated with a program running in a virtualized environment, comprises:
for a file object associated with a program running in a virtualized environment, creating the underlying data structure of the file object;
and wherein the step of using a non-virtualized-environment path in the underlying data structure of the file object comprises:
using a non-virtualized-environment path in the created underlying data structure of the file object, the non-virtualized-environment path being used to indicate the path associated with the file object.
3. The method according to claim 1, wherein the step of obtaining the underlying data structure of the file object, for a file object associated with a program running in a virtualized environment, comprises:
for a file object associated with a program running in a virtualized environment, obtaining the existing underlying data structure of the file object;
and wherein the step of using a non-virtualized-environment path in the underlying data structure of the file object comprises:
modifying the virtualized-environment path in the underlying data structure of the file object into a non-virtualized-environment path, the non-virtualized-environment path being used to indicate the path associated with the file object.
4. The method according to any one of claims 1 to 3, wherein the step of using a non-virtualized-environment path in the underlying data structure of the file object comprises:
according to a mapping relationship between virtualized-environment paths and non-virtualized-environment paths, using a non-virtualized-environment path in the underlying data structure of the file object, the non-virtualized-environment path being used to indicate the path associated with the file object.
5. The method according to claim 4, further comprising:
configuring the mapping relationship between virtualized-environment paths and non-virtualized-environment paths.
6. The method according to any one of claims 1 to 3, wherein the computer system is based on the Windows operating system, the virtualized environment is a sandbox environment, and the underlying data structure is a CCB data structure.
7. The method according to any one of claims 1 to 3, wherein the file object associated with the program running in the virtualized environment is a file object associated with the image file of the program, and the process object of the program uses the non-virtualized-environment path in the underlying data structure of the file object as the process path of the process of the program.
8. A device for enhancing computer system security, wherein the device comprises:
a device for obtaining, for a file object associated with a program running in a virtualized environment, the underlying data structure of the file object;
a device for using a non-virtualized-environment path in the underlying data structure of the file object, the non-virtualized-environment path being used to indicate the path associated with the file object.
9. The device according to claim 8, wherein the device for obtaining, for a file object associated with a program running in a virtualized environment, the underlying data structure of the file object is configured to:
for a file object associated with a program running in a virtualized environment, create the underlying data structure of the file object;
and wherein the device for using a non-virtualized-environment path in the underlying data structure of the file object is configured to:
use a non-virtualized-environment path in the created underlying data structure of the file object, the non-virtualized-environment path being used to indicate the path associated with the file object.
10. The device according to claim 8, wherein the device for obtaining, for a file object associated with a program running in a virtualized environment, the underlying data structure of the file object is configured to:
for a file object associated with a program running in a virtualized environment, obtain the existing underlying data structure of the file object;
and wherein the device for using a non-virtualized-environment path in the underlying data structure of the file object is configured to:
modify the virtualized-environment path in the underlying data structure of the file object into a non-virtualized-environment path, the non-virtualized-environment path being used to indicate the path associated with the file object.
11. The device according to any one of claims 8 to 10, wherein the device for using a non-virtualized-environment path in the underlying data structure of the file object is configured to:
according to a mapping relationship between virtualized-environment paths and non-virtualized-environment paths, use a non-virtualized-environment path in the underlying data structure of the file object, the non-virtualized-environment path being used to indicate the path associated with the file object.
12. The device according to claim 11, further comprising:
a device for configuring the mapping relationship between virtualized-environment paths and non-virtualized-environment paths.
13. The device according to any one of claims 8 to 10, wherein the computer system is based on the Windows operating system, the virtualized environment is a sandbox environment, and the underlying data structure is a CCB data structure.
14. The device according to any one of claims 8 to 10, wherein the file object associated with the program running in the virtualized environment is a file object associated with the image file of the program, and the process object of the program uses the non-virtualized-environment path in the underlying data structure of the file object as the process path of the process of the program.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510111889.5A CN104751057B (en) | 2015-03-13 | 2015-03-13 | A kind of method and device for enhancing computer system security |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104751057A CN104751057A (en) | 2015-07-01 |
CN104751057B true CN104751057B (en) | 2018-08-24 |
Family
ID=53590729
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104751057B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105488414A (en) * | 2015-09-25 | 2016-04-13 | 深圳市安之天信息技术有限公司 | Method and system for preventing malicious codes from detecting virtual environments |
CN105718793A (en) * | 2015-09-25 | 2016-06-29 | 哈尔滨安天科技股份有限公司 | Method and system for preventing malicious code from identifying sandbox on the basis of sandbox environment modification |
CN106709352B (en) * | 2015-11-12 | 2019-09-24 | 阿里巴巴集团控股有限公司 | Sample processing method, apparatus and system |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101593259A (en) * | 2009-06-29 | 2009-12-02 | 北京航空航天大学 | software integrity verification method and system |
CN102609649A (en) * | 2012-02-06 | 2012-07-25 | 北京百度网讯科技有限公司 | Method and device for collecting malicious software automatically |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8806479B2 (en) * | 2007-06-05 | 2014-08-12 | International Business Machines Corporation | Creating an application virtual machine image by isolating installation artifacts in shadow area |
CN101373502B (en) * | 2008-05-12 | 2012-06-20 | 公安部第三研究所 | Automatic analysis system of virus behavior based on Win32 platform |
CN103020525A (en) * | 2012-12-20 | 2013-04-03 | 北京奇虎科技有限公司 | Anti-detecting method and device of virtual machine system |
US9361459B2 (en) * | 2013-04-19 | 2016-06-07 | Lastline, Inc. | Methods and systems for malware detection based on environment-dependent behavior |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | | Effective date of registration: 2019-08-14. Patentee after: BEIJING BAIDU NETCOM SCIENCE AND TECHNOLOGY Co.,Ltd., 100085 Beijing, Haidian District, Shangdi 10th Street, No. 10 Baidu Building, 2nd floor. Patentee before: Pacify a Heng Tong (Beijing) Science and Technology Ltd., 100091 Beijing, China, Block C, Building 4, Zhongguancun Software Park, No. 8 Xibeiwang West Road, 1-03 |