CN105825127B - Method and device for intercepting window destruction - Google Patents
- Publication number: CN105825127B (application number CN201610139728.1A)
- Authority: CN (China)
- Prior art keywords: window, function, application program, instruction, path
- Prior art date
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
- G06F21/54—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Abstract
An embodiment of the invention discloses a method and device for intercepting window destruction, applied to a first application program. The method includes: the first application program obtains a window destroy instruction sent by a second application program, the instruction carrying identification information of the second application program and information on the application program to be destroyed; from the information on the application program to be destroyed, it judges whether the window destroy instruction is directed at its own window; if so, it determines the second process path corresponding to the second application program from the identification information of the second application program; it judges whether the second process path is contained in a first preset path set; and if it is, it discards the window destroy instruction. This prevents the application program's process from being closed by other applications through window destruction and keeps the process running normally.
Description
Technical field
The present invention relates to the field of window protection, and in particular to a method and device for intercepting window destruction.
Background technique
Security software generally has optimisation functions, such as software optimisation and the "acceleration ball". These functions work mainly by terminating the processes of software other than the security software itself. Destroying a window is one way of terminating a software process, so destroying windows can also achieve the purpose of software optimisation. With viruses and malware rampant, more and more kinds of security software exist to keep electronic devices safe, and the user of a device often has several security products installed, each of which exercises security control over the device (including the software installed on it). These security products therefore end up competing with one another; software that stands in such a competitive relationship is referred to as competing-product (competitor) software.
After one security product enables its software optimisation function, that function can forcibly terminate the processes of the other security products. Users generally do not want this to happen, since it undermines the security of the device, so it must be avoided as far as possible. In the prior art, security software protects itself from being terminated by a competitor's optimisation mainly by intercepting the instructions that terminate its own process. The prior art, however, overlooks the case in which security software terminates a process by destroying its window.
Summary of the invention
An embodiment of the invention discloses a method and device for intercepting window destruction, so that an application program's process is prevented from being closed by other applications through window destruction and keeps running normally. The specific scheme is as follows:
In one aspect, an embodiment of the invention provides a method for intercepting window destruction, applied to a first application program, the method including:
obtaining a window destroy instruction sent by a second application program, the window destroy instruction carrying identification information of the second application program and information on the application program to be destroyed;
judging, from the information on the application program to be destroyed, whether the window destroy instruction is directed at the first application program's own window;
if so, determining the second process path corresponding to the second application program from the identification information of the second application program;
judging whether the second process path is contained in a first preset path set;
if it is contained, discarding the window destroy instruction.
Preferably, judging from the information on the application program to be destroyed whether the window destroy instruction is directed at the first application program's own window includes:
determining, from the information on the application program to be destroyed, the first process identifier corresponding to that application program;
judging whether the first process identifier is one of the first application program's own process identifiers; if so, the window destroy instruction is directed at the first application program's own window.
Preferably, judging from the information on the application program to be destroyed whether the window destroy instruction is directed at the first application program's own window includes:
determining, from the information on the application program to be destroyed, the first process identifier corresponding to that application program;
calling the function ZwQueryInformationProcess with the first process identifier to query process path information, and so determining the first process path corresponding to the application program to be destroyed;
judging whether the first process path is contained in a second preset path set; if so, the window destroy instruction is directed at the first application program's own window. Here the second preset path set is the set of process paths of the application programs whose windows competitors are forbidden to destroy.
Preferably, before obtaining the window destroy instruction sent by the second application program, the method provided by the embodiment of the invention further includes:
according to the system service descriptor table (SSDT), replacing a default destroy-window function with a first default destroy-window hook function having the same parameters, so that the first application program obtains the window destroy instruction sent by the second application program through the first default destroy-window hook function.
Preferably, when the default destroy-window function is NtUserDestroyWindow, the default destroy-window hook function is the hook function NewNtUserDestroyWindow;
when the default destroy-window function is NtUserShowWindow, the default destroy-window hook function is the hook function NewNtUserShowWindow;
when the default destroy-window function is NtUserSetParent, the default destroy-window hook function is the hook function NewNtUserSetParent;
when the default destroy-window function is NtUserSetWindowPlacement, the default destroy-window hook function is the hook function NewNtUserSetWindowPlacement;
when the default destroy-window function is NtUserSetWindowPos, the default destroy-window hook function is the hook function NewNtUserSetWindowPos;
when the default destroy-window function is NtUserCallHwndParmLock, the default destroy-window hook function is the hook function NewNtUserCallHwndParmLock;
when the default destroy-window function is NtUserSetLayeredWindowAttributes, the default destroy-window hook function is the hook function NewNtUserSetLayeredWindowAttributes.
Preferably, when the window destroy instruction is sent by the second application program using the function DestroyWindow, obtaining the window destroy instruction sent by the second application program includes:
obtaining the window destroy instruction sent by the second application program through the hook function NewNtUserDestroyWindow acting as the default destroy-window hook function.
Preferably, determining from the information on the application program to be destroyed the corresponding first process identifier includes:
calling the kernel function ZwUserQueryWindow to query the first process identifier corresponding to the application program to be destroyed.
Preferably, determining the second process path corresponding to the second application program from its identification information includes:
calling the function PsGetCurrentProcessId to query the second process identifier corresponding to the identification information of the second application program;
calling the function ZwQueryInformationProcess with the second process identifier to query process path information, and so determining the second process path corresponding to the second application program.
Preferably, the first preset path set is the set of process paths corresponding to the application programs that are competitors of the first application program.
In another aspect, an embodiment of the invention provides a window destruction interception device, applied to a first application program, the device including an instruction obtaining module, an instruction judging module, a process path determining module, a process path judging module and an instruction discarding module;
the instruction obtaining module is for obtaining a window destroy instruction sent by a second application program, the window destroy instruction carrying identification information of the second application program and information on the application program to be destroyed;
the instruction judging module is for judging, from the information on the application program to be destroyed, whether the window destroy instruction is directed at the first application program's own window, and if so, triggering the process path determining module;
the process path determining module is for determining the second process path corresponding to the second application program from the identification information of the second application program;
the process path judging module is for judging whether the second process path is contained in a first preset path set, and if so, triggering the instruction discarding module;
the instruction discarding module is for discarding the window destroy instruction.
Preferably, the instruction judging module includes a first process identifier determining unit and a process identifier judging unit;
the first process identifier determining unit is for determining, from the information on the application program to be destroyed, the corresponding first process identifier;
the process identifier judging unit is for judging whether the first process identifier is one of the first application program's own process identifiers; if so, the window destroy instruction is directed at the first application program's own window.
Preferably, the instruction judging module includes a second process identifier determining unit, a first process path determining unit and a process path judging unit;
the second process identifier determining unit is for determining, from the information on the application program to be destroyed, the corresponding first process identifier;
the first process path determining unit is for calling the function ZwQueryInformationProcess with the first process identifier to query process path information, and so determining the first process path corresponding to the application program to be destroyed;
the process path judging unit is for judging whether the first process path is contained in a second preset path set; if so, the window destroy instruction is directed at the first application program's own window, the second preset path set being the set of process paths of the application programs whose windows competitors are forbidden to destroy.
Preferably, the window destruction interception device provided by the embodiment of the invention further includes a function replacement module;
the function replacement module is for, before the window destroy instruction sent by the second application program is obtained, replacing a first default destroy-window function according to the system service descriptor table (SSDT) with a first default destroy-window hook function having the same parameters, so that the first application program obtains the window destroy instruction sent by the second application program through the first default destroy-window hook function.
Preferably, the instruction obtaining module is specifically for:
when the window destroy instruction is sent by the second application program using the function DestroyWindow, obtaining the window destroy instruction sent by the second application program through the hook function NewNtUserDestroyWindow acting as the default destroy-window hook function.
Preferably, the first process identifier determining unit is specifically for:
calling the kernel function ZwUserQueryWindow to query the first process identifier corresponding to the application program to be destroyed.
Preferably, the process path determining module includes a second process identifier querying unit and a second process path determining unit;
the second process identifier querying unit is for calling the function PsGetCurrentProcessId to query the second process identifier corresponding to the identification information of the second application program;
the second process path determining unit is for calling the function ZwQueryInformationProcess with the second process identifier to query process path information, and so determining the second process path corresponding to the second application program.
Preferably, the first preset path set is the set of process paths corresponding to the application programs that are competitors of the first application program.
In this scheme, the first application program obtains a window destroy instruction sent by a second application program, the instruction carrying the identification information of the second application program and information on the application program to be destroyed; from the information on the application program to be destroyed, it judges whether the window destroy instruction is directed at its own window; if so, it determines the second process path corresponding to the second application program from the identification information of the second application program; it judges whether the second process path is contained in a first preset path set; and if it is, it discards the window destroy instruction. This prevents the application program's process from being closed by other applications through window destruction and keeps the process running normally. Of course, a product or method implementing the invention need not achieve all of the above advantages at the same time.
Detailed description of the invention
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of a window destruction interception method provided by an embodiment of the invention;
Fig. 2 is another flow diagram of a window destruction interception method provided by an embodiment of the invention;
Fig. 3 is a structural diagram of a window destruction interception device provided by an embodiment of the invention;
Fig. 4 is another structural diagram of a window destruction interception device provided by an embodiment of the invention.
Specific embodiment
The technical solutions of the embodiments of the invention are described below clearly and completely with reference to the drawings of the embodiments. Obviously, the embodiments described are only some of the embodiments of the invention, not all of them. All other embodiments that those of ordinary skill in the art obtain from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
An embodiment of the invention provides a method and device for intercepting window destruction, so that an application program's process is prevented from being closed by other applications through window destruction and keeps running normally.
The window destruction interception method provided by the embodiment of the invention is introduced first.
Note that the window destruction interception method provided by the embodiment can be applied to a first application program installed on any terminal, such as a computer or a mobile phone. The functional software implementing the method may be dedicated client software or a plug-in of other security software.
As shown in Fig. 1, the window destruction interception method provided by an embodiment of the invention may include the steps:
S101: obtaining a window destroy instruction sent by a second application program, the window destroy instruction carrying identification information of the second application program and information on the application program to be destroyed;
It will be understood that the first application program can be installed on any terminal and obtains, through a specific operation, the window destroy instruction sent by the second application program, where the second application program can be any application program installed on the same terminal that is able to send window destroy instructions. Moreover, the first application program can obtain the window destroy instructions that the second application program directs at any application program installed on the terminal: not only those directed at the first application program itself, but also those directed at other application software, provided it is installed on the same terminal as the first application program.
S102: judging, from the information on the application program to be destroyed, whether the window destroy instruction is directed at the first application program's own window; if so, executing step S103;
It will be understood that the first application program can obtain the window destroy instructions the second application program sends for any application program, and it judges from the information on the application program to be destroyed carried in the instruction whether the instruction is directed at its own window. If so, the subsequent steps of intercepting the window destroy instruction are carried out; if not, the interception is ended and the window destroy instruction continues to execute as before, which can be done with the prior art and is not repeated here.
In practical applications, the information on the application program to be destroyed may carry the first process identifier corresponding to that application program. Specifically, as shown in Fig. 2, judging from the information on the application program to be destroyed whether the window destroy instruction is directed at its own window (S102) may include:
S1021: determining, from the information on the application program to be destroyed, the corresponding first process identifier;
S1022: judging whether the first process identifier is one of the first application program's own process identifiers; if so, the window destroy instruction is directed at its own window.
Note that each functional module of the first application program has a corresponding process identifier at run time; the first process identifier is matched against each of these, and if the match succeeds the first process identifier is determined to be an own process identifier.
In another implementation, judging from the information on the application program to be destroyed whether the window destroy instruction is directed at its own window (S102) may include:
determining, from the information on the application program to be destroyed, the corresponding first process identifier;
calling the function ZwQueryInformationProcess with the first process identifier to query process path information, and so determining the first process path corresponding to the application program to be destroyed;
judging whether the first process path is contained in a second preset path set; if so, the window destroy instruction is directed at its own window, the second preset path set being the set of process paths of the application programs whose windows competitors are forbidden to destroy.
Note that in practice the set of process paths of the application programs whose windows competitors are forbidden to destroy (the second preset path set) can be stored in advance. The first process path can be uniquely determined from the first process identifier by the prior art, and the first application program judges whether this path is contained in the second preset path set to decide whether the window destroy instruction is directed at its own window: if the determined first process path is contained in the second preset path set, the window destroy instruction is directed at its own window; if it is not contained, the instruction is not directed at its own window. Also, each functional module of the first application program has a corresponding process path at run time, so the first application program may have multiple process paths when running.
S103: determining, from the identification information of the second application program, the second process path corresponding to the second application program;
Note that the obtained window destroy instruction carries the identification information of the sending second application program, from which the first application program can determine the second process path of the second application program. The type of identification information is not limited in the embodiments of the invention, as long as it uniquely identifies the second application program.
S104: judging whether the second process path is contained in a first preset path set; if it is contained, executing step S105;
Specifically, the first preset path set is the set of process paths corresponding to the application programs that are competitors of the first application program.
It will be understood that before the window destruction interception method provided by the embodiment of the invention is applied, the set of process paths of the application programs whose window destroy instructions need to be intercepted (discarded) is stored in advance (the first preset path set); preferably, this set is the set of process paths corresponding to the competitors of the first application program. The first application program matches the determined second process path of the second application program one by one against the process paths in the first preset path set to judge whether the second application program is contained in the set. If a match succeeds, the second application program is contained in the first preset path set and the subsequent interception steps continue; if no match succeeds, the second application program is not contained in the first preset path set, the interception is ended and the window destroy instruction is executed, destroying the corresponding window of the application program to be destroyed.
S105: discarding the window destroy instruction.
Specifically, once it has been judged that the window destroy instruction is directed at the first application program itself and that the second process path is contained in the first preset path set, it is established that the instruction was sent by another application (the second application program) against the first application program. The window destroy instruction is then discarded, so that it cannot go on to destroy the window, and the window destruction is thereby intercepted. Discarding the window destroy instruction can use the prior art and is not repeated here.
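The decision made in steps S101 to S105, as an added C model that is not the patent's own code. The SSDT hook is not reproduced; a constructed process table stands in for the kernel lookups ZwUserQueryWindow, PsGetCurrentProcessId and ZwQueryInformationProcess (all process ids and paths are assumed sample values), so the filter runs anywhere. It implements both S102 variants (own process identifier and second preset path set) and compares paths case-insensitively, which Windows paths require.

```c
/* Added example (not the patent's code): user-mode model of the S101-S105
 * decision. The process table below is a constructed stand-in for
 * ZwUserQueryWindow (window -> owner PID), PsGetCurrentProcessId (caller PID)
 * and ZwQueryInformationProcess (PID -> image path). */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* A window destroy instruction as the hook sees it (S101). */
typedef struct {
    unsigned long caller_pid; /* second application program, the sender */
    unsigned long target_pid; /* owner of the window to be destroyed */
} destroy_request;

typedef struct {
    unsigned long pid;
    const char *image_path;
} process_entry;

typedef struct {
    const process_entry *procs;          /* stand-in for ZwQueryInformationProcess */
    size_t nprocs;
    const unsigned long *own_pids;       /* own process identifiers (S1022) */
    size_t nown;
    const char *const *protected_paths;  /* second preset path set */
    size_t nprotected;
    const char *const *competitor_paths; /* first preset path set */
    size_t ncompetitor;
} guard_config;

typedef enum { VERDICT_PASS = 0, VERDICT_DROP = 1 } verdict;

/* Windows paths are case-insensitive; a plain strcmp would let a competitor
 * installed under a differently cased path slip past the set lookup. */
static bool path_equal(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

static bool path_in_set(const char *path, const char *const *set, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (path_equal(path, set[i]))
            return true;
    return false;
}

/* Model of ZwQueryInformationProcess: NULL when the pid is unknown. */
static const char *image_path_of(const guard_config *cfg, unsigned long pid)
{
    for (size_t i = 0; i < cfg->nprocs; i++)
        if (cfg->procs[i].pid == pid)
            return cfg->procs[i].image_path;
    return NULL;
}

/* S102, first variant: the target pid is one of our own process ids. */
static bool targets_own_pid(const guard_config *cfg, unsigned long pid)
{
    for (size_t i = 0; i < cfg->nown; i++)
        if (cfg->own_pids[i] == pid)
            return true;
    return false;
}

/* S102, second variant: the target's image path is in the second preset path set. */
static bool targets_protected_path(const guard_config *cfg, unsigned long pid)
{
    const char *path = image_path_of(cfg, pid);
    return path != NULL && path_in_set(path, cfg->protected_paths, cfg->nprotected);
}

/* Steps S102-S105 for one captured instruction. */
verdict filter_destroy_request(const guard_config *cfg, const destroy_request *req)
{
    /* S102: not aimed at one of our windows -> let the original function run. */
    if (!targets_own_pid(cfg, req->target_pid) &&
        !targets_protected_path(cfg, req->target_pid))
        return VERDICT_PASS;
    /* S103: resolve the sender's process path. */
    const char *caller = image_path_of(cfg, req->caller_pid);
    /* S104/S105: drop only when the sender is a listed competitor; an unknown
     * or unlisted sender (e.g. our own module) is passed through. */
    if (caller != NULL && path_in_set(caller, cfg->competitor_paths, cfg->ncompetitor))
        return VERDICT_DROP;
    return VERDICT_PASS;
}

/* Constructed scenario so the filter can be exercised stand-alone. */
verdict sample_decision(unsigned long caller_pid, unsigned long target_pid)
{
    static const process_entry procs[] = {
        {100, "C:\\Program Files\\OurGuard\\guard.exe"},
        {101, "C:\\Program Files\\OurGuard\\tray.exe"},
        {200, "C:\\Windows\\explorer.exe"},
        {300, "C:\\Program Files\\RivalAV\\optimizer.exe"},
        {400, "C:\\Tools\\editor.exe"},
    };
    static const unsigned long own[] = {100};
    static const char *const protected_set[] = {"c:\\program files\\ourguard\\tray.exe"};
    static const char *const competitor_set[] = {"c:\\program files\\rivalav\\optimizer.exe"};
    const guard_config cfg = {procs, sizeof procs / sizeof procs[0], own, 1,
                              protected_set, 1, competitor_set, 1};
    const destroy_request req = {caller_pid, target_pid};
    return filter_destroy_request(&cfg, &req);
}

int main(void)
{
    printf("rival -> guard: %s\n", sample_decision(300, 100) == VERDICT_DROP ? "dropped" : "passed");
    printf("explorer -> guard: %s\n", sample_decision(200, 100) == VERDICT_DROP ? "dropped" : "passed");
    return 0;
}
```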
Using the embodiment of the invention, the first application program obtains a window destroy instruction sent by a second application program, the instruction carrying the identification information of the second application program and information on the application program to be destroyed; from the information on the application program to be destroyed, it judges whether the window destroy instruction is directed at its own window; if so, it determines the second process path corresponding to the second application program from the identification information of the second application program; it judges whether the second process path is contained in a first preset path set; and if it is, it discards the window destroy instruction. This prevents the application program's process from being closed by other applications through window destruction and keeps the process running normally.
Specifically, before obtaining the window destroy instruction sent by the second application program (S101), the window destruction interception method provided by the embodiment of the invention further includes:
according to the system service descriptor table (SSDT), replacing a default destroy-window function with a first default destroy-window hook function having the same parameters, so that the first application program obtains the window destroy instruction sent by the second application program through the first default destroy-window hook function.
It will be understood that whenever the second application program sends a window destroy instruction through a first function of the terminal's application layer that can destroy windows, the instruction passes through the default destroy-window function of the terminal kernel that corresponds to that first function, and that kernel function destroys the corresponding window directly according to the instruction. To be able to intercept window destroy instructions, the default destroy-window function therefore needs to be replaced with a first default destroy-window hook function having the same parameters.
This can be done according to the system service descriptor table (System Services Descriptor Table, SSDT), which records the function address of each function. For example, the address of the NtUserDestroyWindow function found in the SSDT is replaced with that of a hook function with identical parameters, NewNtUserDestroyWindow. Inside the NewNtUserDestroyWindow hook function, the original function NtUserDestroyWindow can be called to pass the window destroy instruction on and perform the window destruction, or the window destroy instruction can be discarded so that it cannot proceed to the subsequent window destruction action.
In practical applications there are several functions that can destroy a window, and each kind of function has a corresponding default destroy-window function. To widen the protection the application program's windows receive, several default destroy-window functions can be handled. Specifically,
when the default destroy-window function is NtUserDestroyWindow, the default destroy-window hook function is the hook function NewNtUserDestroyWindow;
when the default destroy-window function is NtUserShowWindow, the default destroy-window hook function is the hook function NewNtUserShowWindow;
when the default destroy-window function is NtUserSetParent, the default destroy-window hook function is the hook function NewNtUserSetParent;
when the default destroy-window function is NtUserSetWindowPlacement, the default destroy-window hook function is the hook function NewNtUserSetWindowPlacement;
when the default destroy-window function is NtUserSetWindowPos, the default destroy-window hook function is the hook function NewNtUserSetWindowPos;
when the default destroy-window function is NtUserCallHwndParmLock, the default destroy-window hook function is the hook function NewNtUserCallHwndParmLock;
when the default destroy-window function is NtUserSetLayeredWindowAttributes, the default destroy-window hook function is the hook function NewNtUserSetLayeredWindowAttributes.
It should be emphasised that the above is only an example and does not limit the types of default destroy-window function and corresponding default destroy-window hook function in the embodiments of the invention.
Specifically, when the window destruction instruction is sent by the second application program using the function DestroyWindow, obtaining the window destruction instruction sent by the second application program comprises:
obtaining, through the hook function NewNtUserDestroyWindow serving as the default destroy-window hook function, the window destruction instruction sent by the second application program.
It should be noted that when the window destruction instruction is sent by the second application program using some other function capable of destroying a window, the hook function serving as the default destroy-window hook function is the other hook function corresponding to that function.
Specifically, determining, according to the application program information to be destroyed, the first process identifier corresponding to that information comprises:
calling the kernel function ZwUserQueryWindow to query the first process identifier corresponding to the application program information to be destroyed.
Further, in practice, after the first application program has queried the first process identifier, it can call the function ZwQueryInformationProcess with that first process identifier to query process path information and determine the first process path corresponding to the application program to be destroyed. If a second preset path set has been stored in advance, whether the window destruction instruction is a window destruction instruction aimed at the first application program itself can then be determined by judging whether the first process path is contained in the second preset path set.
Specifically, determining the second process path corresponding to the second application program according to its identification information comprises:
calling the function PsGetCurrentProcessId to query the second process identifier corresponding to the identification information of the second application program;
calling the function ZwQueryInformationProcess with the second process identifier to query process path information and determine the second process path corresponding to the second application program.
In practice, the first application program can call the function PsGetCurrentProcessId to query the second process identifier corresponding to the identification information, and then call the function ZwQueryInformationProcess with that second process identifier to query process path information and determine the second process path of the second application program. The process path of every running application program can be queried in the process path information.
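As an added example (not code from the patent), the decision the hook function makes, modelled in user-mode C: the kernel queries named above are replaced by constructed process and window tables, and paths are compared case-insensitively in the NT device-path form that ZwQueryInformationProcess reports. All process identifiers, handles and paths are constructed values.

```c
/* Added example, not the patent's own code: a user-mode model of the decision the hook
 * function makes. The kernel queries named above (ZwUserQueryWindow for the window's owning
 * process, ZwQueryInformationProcess for its path, PsGetCurrentProcessId for the caller)
 * are replaced by constructed tables so the logic runs stand-alone. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

typedef unsigned long procid_t;   /* stand-in for a process identifier */
typedef unsigned long hwnd_t;     /* stand-in for a window handle */

/* Constructed process table: pid -> image path. ZwQueryInformationProcess with
 * ProcessImageFileName reports NT device paths, so the path sets use that form. */
struct proc { procid_t pid; const char *path; };
static const struct proc PROCS[] = {
    { 1000, "\\Device\\HarddiskVolume2\\Program Files\\FirstApp\\firstapp.exe" },
    { 2000, "\\Device\\HarddiskVolume2\\Program Files\\CompetitorX\\guard.exe" },
    { 2001, "\\DEVICE\\HARDDISKVOLUME2\\PROGRAM FILES\\COMPETITORX\\GUARD.EXE" },
    { 3000, "\\Device\\HarddiskVolume2\\Windows\\explorer.exe" },
};

/* Constructed window table: hwnd -> owning pid (what ZwUserQueryWindow would answer). */
struct win { hwnd_t hwnd; procid_t owner; };
static const struct win WINS[] = {
    { 0x10, 1000 },   /* the first application program's own window */
    { 0x20, 3000 },   /* a window that belongs to explorer */
};

/* Second preset path set: processes whose windows competing products may not destroy. */
static const char *PROTECTED_PATHS[] = {
    "\\Device\\HarddiskVolume2\\Program Files\\FirstApp\\firstapp.exe",
};
/* First preset path set: competing products whose destroy instructions are discarded. */
static const char *COMPETITOR_PATHS[] = {
    "\\Device\\HarddiskVolume2\\Program Files\\CompetitorX\\guard.exe",
};

/* Windows paths are case-insensitive; a plain strcmp would let a differently cased
 * image path slip past both sets, so the comparison ignores case. */
static bool path_eq(const char *a, const char *b) {
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

static bool in_set(const char *path, const char *const *set, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (path_eq(path, set[i])) return true;
    return false;
}

static const char *path_of_pid(procid_t pid) {
    for (size_t i = 0; i < COUNT(PROCS); i++)
        if (PROCS[i].pid == pid) return PROCS[i].path;
    return NULL;
}

static procid_t owner_of_window(hwnd_t hwnd) {
    for (size_t i = 0; i < COUNT(WINS); i++)
        if (WINS[i].hwnd == hwnd) return WINS[i].owner;
    return 0;   /* unknown window */
}

/* Stand-in for the original NtUserDestroyWindow; counts how often it is reached. */
static int original_calls = 0;
static void original_destroy_window(hwnd_t hwnd) { (void)hwnd; original_calls++; }

/* The hook: returns true when the instruction is discarded, false when it is forwarded.
 * Any lookup failure falls through to the original, so nothing unclassifiable is blocked. */
bool hooked_destroy_window(hwnd_t hwnd, procid_t caller) {
    procid_t owner = owner_of_window(hwnd);
    const char *target = owner ? path_of_pid(owner) : NULL;
    /* Step 1: is the target window's process path in the second preset path set? */
    if (target && in_set(target, PROTECTED_PATHS, COUNT(PROTECTED_PATHS))) {
        /* Step 2: is the caller's process path in the first preset path set? */
        const char *caller_path = path_of_pid(caller);
        if (caller_path && in_set(caller_path, COMPETITOR_PATHS, COUNT(COMPETITOR_PATHS)))
            return true;   /* discard: the original function is never called */
    }
    original_destroy_window(hwnd);
    return false;
}

int main(void) {
    printf("competitor -> own window: %s\n", hooked_destroy_window(0x10, 2000) ? "discarded" : "forwarded");
    printf("self -> own window: %s\n", hooked_destroy_window(0x10, 1000) ? "discarded" : "forwarded");
    return 0;
}
```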
Corresponding to the above method embodiment, an embodiment of the present invention also provides a window destruction interception apparatus, as shown in Figure 3, applied to a first application program. The apparatus may include: an instruction obtaining module 301, an instruction judgment module 302, a process path determining module 303, a process path judgment module 304 and an instruction discard module 305;
The instruction obtaining module 301: for obtaining the window destruction instruction sent by the second application program, the window destruction instruction carrying the identification information of the second application program and the application program information to be destroyed;
The instruction judgment module 302: for judging, according to the application program information to be destroyed, whether the window destruction instruction is a window destruction instruction aimed at the first application program itself, and if so, triggering the process path determining module;
The process path determining module 303: for determining the second process path corresponding to the second application program according to the identification information of the second application program;
The process path judgment module 304: for judging whether the second process path is contained in the first preset path set, and if so, triggering the instruction discard module;
The instruction discard module 305: for discarding the window destruction instruction.
With the embodiment of the present invention, the first application program obtains the window destruction instruction sent by the second application program, which carries the identification information of the second application program and the application program information to be destroyed; judges, according to the application program information to be destroyed, whether the window destruction instruction is aimed at itself; if so, determines the second process path corresponding to the second application program according to its identification information; judges whether the second process path is contained in the first preset path set; and if so, discards the window destruction instruction. This prevents the application program's process from being closed by another application program by way of window destruction, and so guarantees the normal operation of the process.
Specifically, as shown in Figure 4, the instruction judgment module 302 may include a first process identifier determination unit 3021 and a process identifier judging unit 3022;
The first process identifier determination unit 3021: for determining, according to the application program information to be destroyed, the first process identifier corresponding to the application program information to be destroyed;
The process identifier judging unit 3022: for judging whether the first process identifier is the first application program's own process identifier, and if so, indicating that the window destruction instruction is a window destruction instruction aimed at the first application program itself.
Specifically, the instruction judgment module 302 may include a second process identifier determination unit, a first process path determination unit and a process path judging unit;
The second process identifier determination unit: for determining, according to the application program information to be destroyed, the first process identifier corresponding to the application program information to be destroyed;
The first process path determination unit: for calling the function ZwQueryInformationProcess with the first process identifier to query process path information and determine the first process path corresponding to the application program information to be destroyed;
The process path judging unit: for judging whether the first process path is contained in the second preset path set, and if so, indicating that the window destruction instruction is a window destruction instruction aimed at the first application program itself, wherein the second preset path set is the set of process paths of application programs whose windows competing products are forbidden to destroy.
Specifically, the window destruction interception apparatus provided by the embodiment of the present invention may further include a function replacement module;
The function replacement module: for replacing, according to the System Services Descriptor Table SSDT and before the window destruction instruction sent by the second application program is obtained, a first default destroy-window function with a first preset destroy-window hook function that is preset with identical parameters, so that the first application program obtains the window destruction instruction sent by the second application program through the first preset destroy-window hook function.
Specifically, when the default destroy-window function is the function NtUserDestroyWindow, the default destroy-window hook function is the hook function NewNtUserDestroyWindow;
when the default destroy-window function is the function NtUserShowWindow, the default destroy-window hook function is the hook function NewNtUserShowWindow;
when the default destroy-window function is the function NtUserSetParent, the default destroy-window hook function is the hook function NewNtUserSetParent;
when the default destroy-window function is the function NtUserSetWindowPlacement, the default destroy-window hook function is the hook function NewNtUserSetWindowPlacement;
when the default destroy-window function is the function NtUserSetWindowPos, the default destroy-window hook function is the hook function NewNtUserSetWindowPos;
when the default destroy-window function is the function NtUserCallHwndParmLock, the default destroy-window hook function is the hook function NewNtUserCallHwndParmLock;
when the default destroy-window function is the function NtUserSetLayeredWindowAttributes, the default destroy-window hook function is the hook function NewNtUserSetLayeredWindowAttributes.
Specifically, the instruction obtaining module 301 is specifically used for: when the window destruction instruction is sent by the second application program using the function DestroyWindow, obtaining the window destruction instruction sent by the second application program through the hook function NewNtUserDestroyWindow serving as the default destroy-window hook function.
Specifically, the first process identifier determination unit 3021 is specifically used for: calling the kernel function ZwUserQueryWindow to query the first process identifier corresponding to the application program information to be destroyed.
Specifically, the process path determining module 303 may include a second process identifier query unit 3031 and a second process path determination unit 3032;
The second process identifier query unit 3031: for calling the function PsGetCurrentProcessId to query the second process identifier corresponding to the identification information of the second application program;
The second process path determination unit 3032: for calling the function ZwQueryInformationProcess with the second process identifier to query process path information and determine the second process path corresponding to the second application program.
Specifically, the first preset path set can be the set of process paths corresponding to application programs belonging to competing products of the first application program.
As for the apparatus embodiment, since it is substantially similar to the method embodiment, its description is relatively brief; for the relevant parts, refer to the corresponding explanation of the method embodiment.
It should be noted that in this document relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between such entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such process, method, article or device. In the absence of further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be completed by a program instructing the related hardware; the program can be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit its scope. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention falls within the protection scope of the present invention.
Claims (11)
1. A window destruction interception method, characterized in that it is applied to a first application program, the method comprising:
obtaining a window destruction instruction sent by a second application program, the window destruction instruction carrying identification information of the second application program and application program information to be destroyed;
determining, according to the application program information to be destroyed, a first process identifier corresponding to the application program information to be destroyed;
calling the function ZwQueryInformationProcess with the first process identifier to query process path information and determine a first process path corresponding to the application program information to be destroyed;
judging whether the first process path is contained in a second preset path set, wherein the second preset path set is the set of process paths of application programs whose windows competing products are forbidden to destroy;
if so, determining a second process path corresponding to the second application program according to the identification information of the second application program;
judging whether the second process path is contained in a first preset path set, wherein the first preset path set is the set of process paths corresponding to application programs belonging to competing products of the first application program;
if so, discarding the window destruction instruction.
2. The method according to claim 1, characterized in that, before obtaining the window destruction instruction sent by the second application program, the method further comprises:
replacing, according to the System Services Descriptor Table SSDT, a default destroy-window function with a first preset destroy-window hook function that is preset with identical parameters, so that the first application program obtains the window destruction instruction sent by the second application program through the first preset destroy-window hook function.
3. The method according to claim 2, characterized in that:
when the default destroy-window function is the function NtUserDestroyWindow, the default destroy-window hook function is the hook function NewNtUserDestroyWindow;
when the default destroy-window function is the function NtUserShowWindow, the default destroy-window hook function is the hook function NewNtUserShowWindow;
when the default destroy-window function is the function NtUserSetParent, the default destroy-window hook function is the hook function NewNtUserSetParent;
when the default destroy-window function is the function NtUserSetWindowPlacement, the default destroy-window hook function is the hook function NewNtUserSetWindowPlacement;
when the default destroy-window function is the function NtUserSetWindowPos, the default destroy-window hook function is the hook function NewNtUserSetWindowPos;
when the default destroy-window function is the function NtUserCallHwndParmLock, the default destroy-window hook function is the hook function NewNtUserCallHwndParmLock;
when the default destroy-window function is the function NtUserSetLayeredWindowAttributes, the default destroy-window hook function is the hook function NewNtUserSetLayeredWindowAttributes.
4. The method according to claim 3, characterized in that when the window destruction instruction is sent by the second application program using the function DestroyWindow, obtaining the window destruction instruction sent by the second application program comprises:
obtaining, through the hook function NewNtUserDestroyWindow serving as the default destroy-window hook function, the window destruction instruction sent by the second application program.
5. The method according to claim 1, characterized in that determining, according to the application program information to be destroyed, the first process identifier corresponding to the application program information to be destroyed comprises:
calling the kernel function ZwUserQueryWindow to query the first process identifier corresponding to the application program information to be destroyed.
6. The method according to claim 1, characterized in that determining the second process path corresponding to the second application program according to the identification information of the second application program comprises:
calling the function PsGetCurrentProcessId to query a second process identifier corresponding to the identification information of the second application program;
calling the function ZwQueryInformationProcess with the second process identifier to query process path information and determine the second process path corresponding to the second application program.
7. A window destruction interception apparatus, characterized in that it is applied to a first application program, the apparatus comprising: an instruction obtaining module, an instruction judgment module, a process path determining module, a process path judgment module and an instruction discard module;
the instruction obtaining module: for obtaining a window destruction instruction sent by a second application program, the window destruction instruction carrying identification information of the second application program and application program information to be destroyed;
the instruction judgment module comprising a second process identifier determination unit, a first process path determination unit and a process path judging unit;
the second process identifier determination unit: for determining, according to the application program information to be destroyed, a first process identifier corresponding to the application program information to be destroyed;
the first process path determination unit: for calling the function ZwQueryInformationProcess with the first process identifier to query process path information and determine a first process path corresponding to the application program information to be destroyed;
the process path judging unit: for judging whether the first process path is contained in a second preset path set, wherein the second preset path set is the set of process paths of application programs whose windows competing products are forbidden to destroy, and if so, triggering the process path determining module;
the process path determining module: for determining a second process path corresponding to the second application program according to the identification information of the second application program;
the process path judgment module: for judging whether the second process path is contained in a first preset path set, wherein the first preset path set is the set of process paths corresponding to application programs belonging to competing products of the first application program, and if so, triggering the instruction discard module;
the instruction discard module: for discarding the window destruction instruction.
8. The apparatus according to claim 7, characterized in that it further comprises a function replacement module;
the function replacement module: for replacing, according to the System Services Descriptor Table SSDT and before the window destruction instruction sent by the second application program is obtained, a first default destroy-window function with a first preset destroy-window hook function that is preset with identical parameters, so that the first application program obtains the window destruction instruction sent by the second application program through the first preset destroy-window hook function.
9. The apparatus according to claim 8, characterized in that the instruction obtaining module is specifically used for: when the window destruction instruction is sent by the second application program using the function DestroyWindow, obtaining the window destruction instruction sent by the second application program through the hook function NewNtUserDestroyWindow serving as the first default destroy-window hook function.
10. The apparatus according to claim 7, characterized in that the second process identifier determination unit is specifically used for: calling the kernel function ZwUserQueryWindow to query the first process identifier corresponding to the application program information to be destroyed.
11. The apparatus according to claim 7, characterized in that the process path determining module comprises a second process identifier query unit and a second process path determination unit;
the second process identifier query unit: for calling the function PsGetCurrentProcessId to query a second process identifier corresponding to the identification information of the second application program;
the second process path determination unit: for calling the function ZwQueryInformationProcess with the second process identifier to query process path information and determine the second process path corresponding to the second application program.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610139728.1A CN105825127B (en) | 2016-03-11 | 2016-03-11 | A kind of window destroys hold-up interception method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105825127A CN105825127A (en) | 2016-08-03 |
CN105825127B true CN105825127B (en) | 2019-03-01 |
Family
ID=56987093
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105825127B (en) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | TA01 | Transfer of patent application right | Effective date of registration: 20181214. Address after: Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province. Applicant after: Zhuhai Leopard Technology Co.,Ltd. Address before: 100085 East District, Second Floor, 33 Xiaoying West Road, Haidian District, Beijing. Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd. |
| | GR01 | Patent grant | |