CN105809026B - The authority configuring method and device of process - Google Patents



Publication number
CN105809026B
Authority
CN
China
Prior art keywords
permission
subprocess
application
parent
resource manager
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201410838120.9A
Other languages
Chinese (zh)
Other versions
CN105809026A (en
Inventor
谢京辉
何孟东
张菊元
袁威
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201410838120.9A (CN105809026B)
Priority to CN201811619949.4A (CN109684824B)
Priority to PCT/CN2015/095709 (WO2016107348A1)
Publication of CN105809026A
Application granted
Publication of CN105809026B
Legal status: Active
Anticipated expiration


Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems

Abstract

The invention discloses a permission configuration method and device for a process, relating to the field of information technology. It prevents a newly created subprocess from inheriting the high permission of its parent process and thereby posing a security threat to the intelligent terminal used by the user, so as to guarantee the safety of the intelligent terminal. The method includes: first, when a subprocess needs to be created, judging whether the currently running application processes include an application whose permission is lower than that of the parent process; if so, obtaining the permission of that application process; finally, while the parent process creates the subprocess, configuring the permission of the subprocess to be the permission of that application process. The invention is suitable for configuring the permissions of processes.

Description

Permission configuration method and device for a process
Technical field
The present invention relates to the field of information technology, and in particular to a permission configuration method and device for a process.
Background
With the development of information technology, intelligent terminals are becoming more and more capable. To guarantee the safety of an intelligent terminal, the operating system places strict requirements on the permissions of application processes, and the permissions of third-party application processes in particular need strict control.
At present, under the existing process creation approach, a subprocess is typically created by directly calling a Windows application programming interface (Windows Application Programming Interface, Windows API) function, and the created subprocess inherits the permission of the parent process that made the call. However, when the parent process has a high permission, the newly created subprocess also has that high permission. When the newly created subprocess is the process of an uncontrollable third-party application, that process inherits the high permission of the parent process, which creates a security risk for the intelligent terminal the user is using.
Summary of the invention
In view of this, the present invention provides a permission configuration method and device for a process. Its main purpose is to prevent a newly created subprocess from inheriting the high permission of the parent process, so as to guarantee the safety of the intelligent terminal used by the user.
According to one aspect of the present invention, a permission configuration method for a process is provided, comprising:
when a subprocess needs to be created, judging whether the currently running application processes include an application whose permission is lower than that of the parent process;
if so, obtaining the permission of the application process;
while the parent process creates the subprocess, configuring the permission of the subprocess to be the permission of the application process.
According to another aspect of the present invention, a permission configuration device for a process is also provided, comprising:
a judging unit, configured to judge, when a subprocess needs to be created, whether the currently running application processes include an application whose permission is lower than that of the parent process;
an acquiring unit, configured to obtain the permission of the application process if an application whose permission is lower than that of the parent process exists;
a configuration unit, configured to configure, while the parent process creates the subprocess, the permission of the subprocess to be the permission of the application process.
Through the above technical solution, the technical solution provided by the embodiments of the present invention has at least the following advantages:
The embodiments of the present invention provide a permission configuration method and device for a process. First, when a subprocess needs to be created, it is judged whether the currently running application processes include an application whose permission is lower than that of the parent process; if so, the permission of that application process is obtained; finally, while the parent process creates the subprocess, the permission of the subprocess is configured to be the permission of that application process. Compared with the current practice of directly calling a Windows API function to configure process permissions, the embodiments configure the obtained permission of an application process lower than the parent process as the permission of the subprocess. This prevents the newly created subprocess from inheriting the high permission of the parent process and posing a security threat to the intelligent terminal used by the user, thereby guaranteeing the safety of the operating system.
The above is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and implemented according to the contents of the specification, and so that the above and other objects, features and advantages of the invention are more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the invention. Throughout the drawings, the same reference numbers refer to the same parts. In the drawings:
Fig. 1 shows a permission configuration method for a process provided by an embodiment of the present invention;
Fig. 2 shows another permission configuration method for a process provided by an embodiment of the present invention;
Fig. 3 shows a permission configuration device for a process provided by an embodiment of the present invention;
Fig. 4 shows another permission configuration device for a process provided by an embodiment of the present invention.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and so that its scope can be fully conveyed to those skilled in the art.
An embodiment of the present invention provides a permission configuration method for a process. As shown in Fig. 1, the method includes:
101. When a subprocess needs to be created, judge whether the currently running application processes include an application whose permission is lower than that of the parent process.
The permission of an application process can generally be divided into high permission, medium permission and low permission. High permission is administrator permission: a process with high permission can install files into the "Program Files" folder and write to sensitive registry areas. Medium permission is user permission: a process with medium permission can create and modify files in the user's "Documents" folder and write to the registry areas designated for the user. Low permission is untrusted permission. For example, if the parent process has high permission, it is judged whether the currently running application processes include an application with medium or low permission.
102. If so, obtain the permission of the application process.
For example, if the parent process has high permission, an application process with medium or low permission is obtained from the currently running applications.
103. While the parent process creates the subprocess, configure the permission of the subprocess to be the permission of the application process.
In this embodiment, the permission of the subprocess is configured to be that of an application process whose permission level is lower than the parent's, rather than directly reusing the permission of the parent process. This prevents the newly created subprocess from inheriting the high permission of the parent process and posing a security threat to the intelligent terminal used by the user, thereby guaranteeing the safety of the intelligent terminal.
In the permission configuration method for a process provided by this embodiment, first, when a subprocess needs to be created, it is judged whether the currently running application processes include an application whose permission is lower than that of the parent process; if so, the permission of that application process is obtained; finally, while the parent process creates the subprocess, the permission of the subprocess is configured to be the permission of that application process. Compared with the current practice of directly calling a Windows API function to configure process permissions, this embodiment configures the obtained permission of an application process lower than the parent process as the permission of the subprocess. This prevents the newly created subprocess from inheriting the high permission of the parent process and posing a security threat to the intelligent terminal used by the user, thereby guaranteeing the safety of the intelligent terminal.
Further, an embodiment of the present invention provides another permission configuration method for a process. As shown in Fig. 2, the method includes:
201. Judge whether the operating system environment in which the subprocess is currently being created meets a preset condition.
An operating system environment that meets the preset condition may be an operating system of a version after the Microsoft Windows Vista operating system, such as Windows 7 or Windows 8. These versions manage processes and control process permissions more strictly than versions before Windows Vista, and they divide process permission levels clearly, which ensures the feasibility of the permission configuration method provided by this embodiment.
202. If the operating system environment in which the subprocess is currently being created meets the preset condition, then, when a subprocess needs to be created, judge whether the currently running application processes include an application whose permission is lower than that of the parent process.
The permission of an application process can generally be divided into high permission, medium permission and low permission. High permission is administrator permission: a process with high permission can install files into the "Program Files" folder and write to sensitive registry areas. Medium permission is user permission: a process with medium permission can create and modify files in the user's "Documents" folder and write to the registry areas designated for the user. Low permission is untrusted permission. For example, if the parent process has high permission, it is judged whether the currently running application processes include an application with medium or low permission.
In this embodiment, step 202 may specifically include: when a subprocess needs to be created, judging whether the permission of the resource manager process is lower than the permission of the parent process. Because the permission of the parent process is usually high and the resource manager is an application that is always running, directly judging whether the permission of the resource manager process is lower than that of the parent process further improves the efficiency of process permission configuration.
203. If so, obtain the permission of the application process.
In this embodiment, step 203 may specifically include: if so, obtaining the process Token information of the application, and then obtaining the permission of the application process according to that process Token information. The process Token information identifies the privileges a process holds, and the privileges a process holds reflect the permission of the process.
Further, obtaining the process Token information of the application if it exists may specifically be: if the permission is lower than that of the parent process, obtaining the process Token information of the resource manager. Obtaining the permission of the application process according to the process Token information of the application may specifically be: obtaining the permission of the resource manager process according to the process Token information of the resource manager.
In this embodiment, obtaining the process Token information of the resource manager if its permission is lower than that of the parent process may specifically be: if the permission is lower than that of the parent process, obtaining the process Token information of the resource manager by calling a first preset interface function. The first preset interface function may be the DuplicateExplorerToken function, which duplicates the resource manager token. Obtaining the permission of the resource manager process according to the process Token information of the resource manager may specifically be: according to the process Token information of the resource manager, obtaining the permission of the resource manager process by calling a second preset interface function. The second preset interface function may be the GetTokenIntegrityLevel function, which obtains the integrity level of a token.
The DuplicateExplorerToken function and the GetTokenIntegrityLevel function are subfunctions of the function LowCreateProcess created by this embodiment. The parameter format of LowCreateProcess is set to be consistent with that of the standard Windows API function CreateProcess, so that the subfunctions DuplicateExplorerToken and GetTokenIntegrityLevel of LowCreateProcess comply with the parameter format requirements of standard Windows API functions. In this way, where needed, simply changing CreateProcess to LowCreateProcess solves the permission configuration problem of the subprocess, which ensures that the permission configuration method provided by this embodiment has good compatibility with existing operating systems and is readily implementable.
204. While the parent process creates the subprocess, configure the permission of the subprocess to be the permission of the application process.
In this embodiment, the permission of the subprocess is configured to be that of an application process whose permission level is lower than the parent's, rather than directly reusing the permission of the parent process. This prevents the newly created subprocess from inheriting the high permission of the parent process and posing a security threat to the intelligent terminal used by the user, thereby guaranteeing the safety of the intelligent terminal.
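Steps 202 to 204 sketched against the public Win32 token API, as an added example; it is not code from the patent, and it is not the patent's LowCreateProcess. The names should_use_donor_token, token_integrity_rid, duplicate_shell_token and low_create_process are hypothetical. Locating the resource manager (Explorer, per the DuplicateExplorerToken name) through GetShellWindow, and refusing to create the child when no lower-permission token is available, are assumptions the patent does not state.

```c
/* Added example, not code from the patent. All function names here are
 * hypothetical. On Windows, link with advapi32 and user32. */
#include <stdint.h>
#include <stdio.h>

/* Mandatory integrity-level RIDs (values from winnt.h). */
#define IL_LOW    0x1000u
#define IL_MEDIUM 0x2000u
#define IL_HIGH   0x3000u

/* Steps 202-203: the donor (resource manager) token is used only when a
 * donor exists and its integrity level is strictly lower than the parent's. */
int should_use_donor_token(uint32_t parent_il, int donor_found, uint32_t donor_il)
{
    return donor_found && donor_il < parent_il;
}

#ifdef _WIN32
#include <windows.h>

/* Read the integrity-level RID from a token opened with TOKEN_QUERY. */
static int token_integrity_rid(HANDLE token, DWORD *rid)
{
    union { TOKEN_MANDATORY_LABEL label; BYTE raw[128]; } buf;
    DWORD len = 0;
    PSID sid;
    if (!GetTokenInformation(token, TokenIntegrityLevel, &buf, sizeof buf, &len))
        return 0;
    sid = buf.label.Label.Sid;
    /* The last sub-authority of the label SID is the integrity level. */
    *rid = *GetSidSubAuthority(sid, (DWORD)(*GetSidSubAuthorityCount(sid) - 1));
    return 1;
}

/* Duplicate the shell (Explorer) process token as a primary token.
 * Assumption: the shell window owner is the resource manager process. */
static HANDLE duplicate_shell_token(void)
{
    DWORD pid = 0;
    HANDLE proc, tok = NULL, dup = NULL;
    HWND shell = GetShellWindow();
    if (!shell || !GetWindowThreadProcessId(shell, &pid))
        return NULL;
    proc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
    if (!proc)
        return NULL;
    if (OpenProcessToken(proc, TOKEN_DUPLICATE, &tok)) {
        if (!DuplicateTokenEx(tok, TOKEN_QUERY | TOKEN_DUPLICATE |
                              TOKEN_ASSIGN_PRIMARY | TOKEN_ADJUST_DEFAULT |
                              TOKEN_ADJUST_SESSIONID, NULL,
                              SecurityImpersonation, TokenPrimary, &dup))
            dup = NULL;
        CloseHandle(tok);
    }
    CloseHandle(proc);
    return dup;
}

/* Step 204: create the child with the donor token when it is lower than
 * ours. Returns 0 (fails closed) rather than inheriting the parent token. */
int low_create_process(wchar_t *cmdline, PROCESS_INFORMATION *pi)
{
    STARTUPINFOW si = { sizeof si };
    HANDLE self = NULL, donor;
    DWORD parent_il = 0, donor_il = 0;
    int donor_ok, ok = 0;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &self))
        return 0;
    donor = duplicate_shell_token();
    donor_ok = donor && token_integrity_rid(donor, &donor_il);
    if (token_integrity_rid(self, &parent_il) &&
        should_use_donor_token(parent_il, donor_ok, donor_il))
        ok = CreateProcessWithTokenW(donor, 0, NULL, cmdline, 0,
                                     NULL, NULL, &si, pi);
    if (donor)
        CloseHandle(donor);
    CloseHandle(self);
    return ok;
}
#endif

int main(void)
{
    /* Constructed integrity levels, so this part runs on any platform. */
    printf("high parent, medium donor: %d\n",
           should_use_donor_token(IL_HIGH, 1, IL_MEDIUM));
    printf("medium parent, medium donor: %d\n",
           should_use_donor_token(IL_MEDIUM, 1, IL_MEDIUM));
    printf("high parent, no donor: %d\n",
           should_use_donor_token(IL_HIGH, 0, 0));
    return 0;
}
```

The strict comparison matters: a parent that already runs at the same level as the resource manager gains nothing from the token swap, so the donor token is only used when it actually lowers the child's integrity level.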
In this other permission configuration method for a process provided by an embodiment of the present invention, first, when a subprocess needs to be created, it is judged whether the currently running application processes include an application whose permission is lower than that of the parent process; if so, the permission of that application process is obtained; finally, while the parent process creates the subprocess, the permission of the subprocess is configured to be the permission of that application process. Compared with the current practice of directly calling a Windows API function to configure process permissions, this embodiment configures the obtained permission of an application process lower than the parent process as the permission of the subprocess. This prevents the newly created subprocess from inheriting the high permission of the parent process and posing a security threat to the intelligent terminal used by the user, thereby guaranteeing the safety of the intelligent terminal.
As a specific implementation of the method shown in Fig. 1, an embodiment of the present invention provides a permission configuration device for a process. As shown in Fig. 3, the device may include: a judging unit 31, an acquiring unit 32 and a configuration unit 33.
The judging unit 31 is configured to judge, when a subprocess needs to be created, whether the currently running application processes include an application whose permission is lower than that of the parent process.
The acquiring unit 32 is configured to obtain the permission of the application process if an application whose permission is lower than that of the parent process exists.
The configuration unit 33 is configured to configure, while the parent process creates the subprocess, the permission of the subprocess to be the permission of the application process obtained by the acquiring unit 32.
It should be noted that, for other descriptions of the functional units involved in the permission configuration device provided by this embodiment, reference can be made to the corresponding descriptions of the method shown in Fig. 1; details are not repeated here.
In the permission configuration device for a process provided by this embodiment, first, when a subprocess needs to be created, it is judged whether the currently running application processes include an application whose permission is lower than that of the parent process; if so, the permission of that application process is obtained; finally, while the parent process creates the subprocess, the permission of the subprocess is configured to be the permission of that application process. Compared with the current practice of directly calling a Windows API function to configure process permissions, this embodiment configures the obtained permission of an application process lower than the parent process as the permission of the subprocess. This prevents the newly created subprocess from inheriting the high permission of the parent process and posing a security threat to the intelligent terminal used by the user, thereby guaranteeing the safety of the intelligent terminal.
Further, as a specific implementation of the method shown in Fig. 2, an embodiment of the present invention provides another permission configuration device for a process. As shown in Fig. 4, the device may include: a judging unit 41, an acquiring unit 42 and a configuration unit 43.
The judging unit 41 is configured to judge, when a subprocess needs to be created, whether the currently running application processes include an application whose permission is lower than that of the parent process.
The acquiring unit 42 is configured to obtain the permission of the application process if an application whose permission is lower than that of the parent process exists.
The configuration unit 43 is configured to configure, while the parent process creates the subprocess, the permission of the subprocess to be the permission of the application process obtained by the acquiring unit 42.
The acquiring unit 42 includes:
a first obtaining module 4201, configured to obtain the process Token information of the application if an application whose permission is lower than that of the parent process exists;
a second obtaining module 4202, configured to obtain the permission of the application process according to the process Token information of the application obtained by the first obtaining module 4201.
The judging unit 41 is specifically configured to judge, when a process needs to be created, whether the permission of the resource manager process is lower than the permission of the parent process.
The first obtaining module 4201 is specifically configured to obtain the process Token information of the resource manager if the permission is lower than that of the parent process.
The second obtaining module 4202 is specifically configured to obtain the permission of the resource manager process according to the process Token information of the resource manager obtained by the first obtaining module 4201.
The first obtaining module 4201 is specifically further configured to obtain the process Token information of the resource manager by calling the first preset interface function;
The second obtaining module 4202 is specifically further configured to obtain the permission of the resource manager process by calling the second preset interface function, according to the process Token information of the resource manager obtained by the first obtaining module 4201.
In this embodiment, the parameter formats of the first preset interface function and the second preset interface function are the same as the parameter format of the interface functions in the Windows API.
The judging unit 41 is further configured to judge whether the operating system environment in which the subprocess is currently being created meets the preset condition.
It should be noted that, for other descriptions of the functional units involved in this other permission configuration device provided by an embodiment of the present invention, reference can be made to the corresponding descriptions of the method shown in Fig. 2; details are not repeated here.
In the permission configuration device for a process provided by this embodiment, first, when a subprocess needs to be created, it is judged whether the currently running application processes include an application whose permission is lower than that of the parent process; if so, the permission of that application process is obtained; finally, while the parent process creates the subprocess, the permission of the subprocess is configured to be the permission of that application process. Compared with the current practice of directly calling a Windows API function to configure process permissions, this embodiment configures the obtained permission of an application process lower than the parent process as the permission of the subprocess. This prevents the newly created subprocess from inheriting the high permission of the parent process and posing a security threat to the intelligent terminal used by the user, thereby guaranteeing the safety of the intelligent terminal.
In the above embodiments, the description of each embodiment has its own emphasis. For parts not described in detail in one embodiment, reference can be made to the related descriptions of the other embodiments.
It is understood that the related features of the above method and device can be referred to one another. In addition, "first", "second" and the like in the above embodiments are used to distinguish the embodiments and do not represent the superiority or inferiority of any embodiment.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above can be found in the corresponding processes of the foregoing method embodiments; details are not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is obvious. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented in various programming languages, and the above description of a specific language is given to disclose the best mode of the invention.
Numerous specific details are set forth in the specification provided here. It should be understood, however, that embodiments of the invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this specification.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together into a single embodiment, figure, or description thereof in the above description of exemplary embodiments. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the equipment of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment can be combined into one module, unit or component, and they can furthermore be divided into multiple submodules, subunits or subcomponents. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed can be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) can be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
In addition, those skilled in the art will understand that, although some embodiments described herein include certain features included in other embodiments rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any one of the claimed embodiments can be used in any combination.
The various component embodiments of the invention can be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components of the permission configuration method and device for a process according to embodiments of the present invention. The invention can also be implemented as a device or device program (for example, a computer program and a computer program product) for executing part or all of the method described here. Such a program implementing the invention can be stored on a computer-readable medium or can take the form of one or more signals. Such a signal can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names.
The invention discloses A1, a permission configuration method for a process, comprising:
When a subprocess needs to be created, judging whether an application whose permission is lower than that of the parent process exists among the currently running application processes;
If so, obtaining the permission of the application process;
While the parent process creates the subprocess, configuring the permission of the subprocess to be the permission of the application process.
A2. The permission configuration method for a process as described in A1, wherein obtaining the permission of the application process if such an application exists comprises:
If such an application exists, obtaining the process Token information of the application;
Obtaining the permission of the application process according to the process Token information of the application.
A3. The permission configuration method for a process as described in A1 or A2, wherein judging, when a subprocess needs to be created, whether an application whose permission is lower than that of the parent process exists among the currently running application processes comprises:
When a subprocess needs to be created, judging whether the permission of the resource manager (Explorer) process is lower than the permission of the parent process;
And obtaining the permission of the application process if such an application exists comprises:
If it is lower than the permission of the parent process, obtaining the process Token information of the resource manager;
Obtaining the permission of the resource manager process according to the process Token information of the resource manager.
A4. The permission configuration method for a process as described in A3, wherein obtaining the process Token information of the resource manager if its permission is lower than that of the parent process comprises:
If it is lower than the permission of the parent process, obtaining the process Token information of the resource manager by calling a first preset interface function;
And obtaining the permission of the resource manager process according to the process Token information of the resource manager comprises:
Obtaining the permission of the resource manager process, according to the process Token information of the resource manager, by calling a second preset interface function.
A5. The permission configuration method for a process as described in A4, wherein the parameter formats of the first preset interface function and the second preset interface function are identical to the parameter formats of the interface functions in the Windows API.
A6. The permission configuration method for a process as described in any one of A1 to A5, wherein, before judging, when a subprocess needs to be created, whether an application whose permission is lower than that of the parent process exists among the currently running application processes, the method further comprises:
Judging whether the operating system environment in which the subprocess is currently being created meets a precondition.
The invention discloses B7, a permission configuration device for a process, comprising:
A judging unit, configured to judge, when a subprocess needs to be created, whether an application whose permission is lower than that of the parent process exists among the currently running application processes;
An acquiring unit, configured to obtain the permission of the application process if an application whose permission is lower than that of the parent process exists;
A configuration unit, configured to configure the permission of the subprocess to be the permission of the application process while the parent process creates the subprocess.
B8. The permission configuration device for a process as described in B7, wherein the acquiring unit comprises:
A first obtaining module, configured to obtain the process Token information of the application if an application whose permission is lower than that of the parent process exists;
A second obtaining module, configured to obtain the permission of the application process according to the process Token information of the application.
B9. The permission configuration device for a process as described in B7 or B8, wherein:
The judging unit is specifically configured to judge, when a process needs to be created, whether the permission of the resource manager (Explorer) process is lower than the permission of the parent process;
The first obtaining module is specifically configured to obtain the process Token information of the resource manager if its permission is lower than that of the parent process;
The second obtaining module is specifically configured to obtain the permission of the resource manager process according to the process Token information of the resource manager.
B10. The permission configuration device for a process as described in B9, wherein:
The first obtaining module is further specifically configured to obtain the process Token information of the resource manager by calling a first preset interface function if the permission is lower than that of the parent process;
The second obtaining module is further specifically configured to obtain the permission of the resource manager process, according to the process Token information of the resource manager, by calling a second preset interface function.
B11. The permission configuration method for a process as described in B10, wherein the parameter formats of the first preset interface function and the second preset interface function are identical to the parameter formats of the interface functions in the Windows API.
B12. The permission configuration device for a process as described in any one of B7 to B11, wherein the judging unit is further configured to judge whether the operating system environment in which the subprocess is currently being created meets a precondition.
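The method of A1 to A6, which the device of B7 to B12 mirrors, as an added example that is not code from the patent: a parent reads the resource manager's token and creates the subprocess with it when that token is lower than its own. The patent leaves the preset interface functions and the creation call unnamed, so `OpenProcessToken`, `GetTokenInformation`, `DuplicateTokenEx` and `CreateProcessWithTokenW` are assumptions here, as are the helper names `child_rid`, `token_rid` and `create_child`, the use of the token's integrity level as the "permission", and the shell window belonging to Explorer.

```c
/* Added example, not the patent's code. Windows path compiles only under _WIN32. */
#include <stdint.h>

/* Mandatory integrity-level RIDs, values as defined in winnt.h. */
#define RID_MEDIUM 0x2000u
#define RID_HIGH   0x3000u

/* A1/A3 decision: integrity RID the subprocess should get (0 = unreadable). */
uint32_t child_rid(uint32_t parent_rid, uint32_t shell_rid)
{
    if (shell_rid != 0 && shell_rid < parent_rid)
        return shell_rid;  /* a lower-privileged application exists: use its level */
    return parent_rid;     /* none found: the subprocess is created as usual */
}

#ifdef _WIN32
#include <windows.h>

/* A4 "second interface function", assumed here to be GetTokenInformation. */
static DWORD token_rid(HANDLE tok)
{
    union { TOKEN_MANDATORY_LABEL label; BYTE raw[128]; } u;
    DWORD len = 0;
    if (!GetTokenInformation(tok, TokenIntegrityLevel, &u, sizeof u, &len))
        return 0;
    return *GetSidSubAuthority(u.label.Label.Sid,
        (DWORD)(*GetSidSubAuthorityCount(u.label.Label.Sid) - 1));
}

/* Create cmdline (a writable buffer) with Explorer's token when it is lower. */
BOOL create_child(wchar_t *cmdline)
{
    HANDLE self = NULL, proc = NULL, tok = NULL, prim = NULL;
    STARTUPINFOW si = { sizeof si };
    PROCESS_INFORMATION pi = { 0 };
    DWORD pid = 0, mine = 0, shell = 0;
    BOOL ok = FALSE;

    if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &self))
        mine = token_rid(self);
    GetWindowThreadProcessId(GetShellWindow(), &pid);  /* Explorer's PID */
    if (pid) proc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
    /* A4 "first interface function", assumed here to be OpenProcessToken. */
    if (proc && OpenProcessToken(proc, TOKEN_QUERY | TOKEN_DUPLICATE, &tok))
        shell = token_rid(tok);

    if (child_rid(mine, shell) == mine) {  /* nothing lower: normal creation */
        ok = CreateProcessW(NULL, cmdline, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
    } else if (DuplicateTokenEx(tok, TOKEN_QUERY | TOKEN_DUPLICATE |
                   TOKEN_ASSIGN_PRIMARY | TOKEN_ADJUST_DEFAULT | TOKEN_ADJUST_SESSIONID,
                   NULL, SecurityImpersonation, TokenPrimary, &prim)) {
        ok = CreateProcessWithTokenW(prim, 0, NULL, cmdline, 0, NULL, NULL, &si, &pi);
    }   /* if duplication fails, no child is started with the parent's level */
    if (ok) { CloseHandle(pi.hThread); CloseHandle(pi.hProcess); }
    if (prim) CloseHandle(prim);
    if (tok) CloseHandle(tok);
    if (proc) CloseHandle(proc);
    if (self) CloseHandle(self);
    return ok;
}
#endif

int main(void) { return child_rid(RID_HIGH, RID_MEDIUM) == RID_MEDIUM ? 0 : 1; }
```

On Windows, link against `user32` and `advapi32`; `CreateProcessWithTokenW` needs the caller to hold `SeImpersonatePrivilege`, which an elevated administrator normally does.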

Claims (8)

1. A permission configuration method for a process, characterized by comprising:
When a subprocess needs to be created, judging whether an application whose permission is lower than that of the parent process exists among the currently running application processes;
If so, obtaining the permission of the application process;
While the parent process creates the subprocess, configuring the permission of the subprocess to be the permission of the application process;
Wherein judging, when a subprocess needs to be created, whether an application whose permission is lower than that of the parent process exists among the currently running application processes comprises:
When a subprocess needs to be created, judging whether the permission of the resource manager (Explorer) process is lower than the permission of the parent process;
And obtaining the permission of the application process if such an application exists comprises:
If it is lower than the permission of the parent process, obtaining the process Token information of the resource manager;
Obtaining the permission of the resource manager process according to the process Token information of the resource manager.
2. The permission configuration method for a process according to claim 1, characterized in that obtaining the process Token information of the resource manager if its permission is lower than that of the parent process comprises:
If it is lower than the permission of the parent process, obtaining the process Token information of the resource manager by calling a first preset interface function;
And obtaining the permission of the resource manager process according to the process Token information of the resource manager comprises:
Obtaining the permission of the resource manager process, according to the process Token information of the resource manager, by calling a second preset interface function.
3. The permission configuration method for a process according to claim 2, characterized in that the parameter formats of the first preset interface function and the second preset interface function are identical to the parameter formats of the interface functions in the Windows API.
4. The permission configuration method for a process according to any one of claims 1-3, characterized in that, before judging, when a subprocess needs to be created, whether an application whose permission is lower than that of the parent process exists among the currently running application processes, the method further comprises:
Judging whether the operating system environment in which the subprocess is currently being created meets a precondition.
5. A permission configuration device for a process, characterized by comprising:
A judging unit, configured to judge, when a subprocess needs to be created, whether an application whose permission is lower than that of the parent process exists among the currently running application processes;
An acquiring unit, configured to obtain the permission of the application process if an application whose permission is lower than that of the parent process exists;
A configuration unit, configured to configure the permission of the subprocess to be the permission of the application process while the parent process creates the subprocess;
The acquiring unit comprises a first obtaining module and a second obtaining module;
The judging unit is specifically configured to judge, when a process needs to be created, whether the permission of the resource manager (Explorer) process is lower than the permission of the parent process;
The first obtaining module is specifically configured to obtain the process Token information of the resource manager if its permission is lower than that of the parent process;
The second obtaining module is specifically configured to obtain the permission of the resource manager process according to the process Token information of the resource manager.
6. The permission configuration device for a process according to claim 5, characterized in that:
The first obtaining module is further specifically configured to obtain the process Token information of the resource manager by calling a first preset interface function if the permission is lower than that of the parent process;
The second obtaining module is further specifically configured to obtain the permission of the resource manager process, according to the process Token information of the resource manager, by calling a second preset interface function.
7. The permission configuration device for a process according to claim 6, characterized in that the parameter formats of the first preset interface function and the second preset interface function are identical to the parameter formats of the interface functions in the Windows API.
8. The permission configuration device for a process according to any one of claims 5-7, characterized in that the judging unit is further configured to judge whether the operating system environment in which the subprocess is currently being created meets a precondition.
CN201410838120.9A 2014-12-29 2014-12-29 The authority configuring method and device of process Active CN105809026B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201410838120.9A CN105809026B (en) 2014-12-29 2014-12-29 The authority configuring method and device of process
CN201811619949.4A CN109684824B (en) 2014-12-29 2014-12-29 Process permission configuration method and device
PCT/CN2015/095709 WO2016107348A1 (en) 2014-12-29 2015-11-26 Process right configuration method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410838120.9A CN105809026B (en) 2014-12-29 2014-12-29 The authority configuring method and device of process

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN201811619949.4A Division CN109684824B (en) 2014-12-29 2014-12-29 Process permission configuration method and device

Publications (2)

Publication Number Publication Date
CN105809026A CN105809026A (en) 2016-07-27
CN105809026B true CN105809026B (en) 2019-02-01

Family

ID=56284186

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201811619949.4A Active CN109684824B (en) 2014-12-29 2014-12-29 Process permission configuration method and device
CN201410838120.9A Active CN105809026B (en) 2014-12-29 2014-12-29 The authority configuring method and device of process

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN201811619949.4A Active CN109684824B (en) 2014-12-29 2014-12-29 Process permission configuration method and device

Country Status (2)

Country Link
CN (2) CN109684824B (en)
WO (1) WO2016107348A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112395611B (en) * 2019-08-15 2024-01-30 奇安信安全技术(珠海)有限公司 Process chain processing method, device and equipment
CN113407940A (en) * 2021-06-21 2021-09-17 成都欧珀通信科技有限公司 Script detection method and device, storage medium and computer equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102663318A (en) * 2012-03-22 2012-09-12 百度在线网络技术(北京)有限公司 Browser and client
CN103544447A (en) * 2013-05-30 2014-01-29 Tcl集团股份有限公司 Method and terminal for preventing leakage of confidential information according to Android system
CN103605920A (en) * 2013-11-10 2014-02-26 电子科技大学 Method and system for dynamic application program safety management based on SEAndroid platform
CN103886249A (en) * 2012-12-20 2014-06-25 腾讯科技(深圳)有限公司 Method and device for executing processes under superuser right in system
CN104156662A (en) * 2014-08-28 2014-11-19 北京奇虎科技有限公司 Process monitoring method and device and intelligent terminal

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7490072B1 (en) * 2005-02-16 2009-02-10 Novell, Inc. Providing access controls
CN101751287B (en) * 2008-12-03 2013-01-09 北京天融信科技有限公司 Method for executing operation under Windows without limitation of user right
JP5562143B2 (en) * 2010-06-28 2014-07-30 キヤノン株式会社 Authority delegation system, authority delegation method, information processing apparatus, and program
US9209976B2 (en) * 2010-10-29 2015-12-08 Code Systems Corporation Method and system for restricting execution of virtual applications to a managed process environment
KR101242127B1 (en) * 2011-04-28 2013-03-12 주식회사 파수닷컴 Computing device having a function of DLL injection and method for DLL injection
CN103955468B (en) * 2012-03-06 2017-12-19 北京奇虎科技有限公司 Document display method and device based on browser
CN102663321B (en) * 2012-04-24 2016-01-13 百度在线网络技术(北京)有限公司 For security enhancement system and the method for software
CN102722559B (en) * 2012-05-31 2015-09-16 北京奇虎科技有限公司 A kind of course control method of the abnormal page, device and system
CN103530547A (en) * 2012-07-02 2014-01-22 爱思爱(天津)高科技有限公司 Method for logging into third-party application program through integrated authentication function based on Windows operating system
CN103020512B (en) * 2012-11-26 2015-03-04 清华大学 Realization method and control system for safe control flow of system
CN104199711B (en) * 2014-09-29 2018-02-13 北京奇虎科技有限公司 The method and apparatus for establishing root authority


Also Published As

Publication number Publication date
WO2016107348A1 (en) 2016-07-07
CN109684824B (en) 2021-09-03
CN105809026A (en) 2016-07-27
CN109684824A (en) 2019-04-26


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220714

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.