CN106022100A - Method and device for intercepting installation of malicious program and electronic equipment - Google Patents
Publication number: CN106022100A (application CN201610327338.7A)
Authority: CN (China)
Prior art keywords: file, registry entry, program, directory, created
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F21/51: Monitoring users, programs or devices to maintain the integrity of platforms at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability (G: Physics; G06: Computing, calculating or counting; G06F: Electric digital data processing; G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems)
- G06F21/552: Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting (under G06F21/50 and G06F21/55: Detecting local intrusion or implementing counter-measures)
Abstract
The embodiment of the invention discloses a method and a device for intercepting installation of a malicious program and electronic equipment, relates to the technical field of computer security, and solves the problem that the interception of the malicious program in the prior art is incomplete by preventing the malicious program from creating a directory and/or a registry entry. The method comprises the following steps: monitoring event information of a directory and/or registry key to be created by a program installation process in a system; wherein, the event message comprises a directory path and/or a registry key to be created; judging whether the directory path and/or the registry key to be created are recorded in a preset configurable file; and if the directory path and/or the registry key to be created are recorded in the configurable file, preventing the program installation process from creating the directory and/or the registry key. The invention is suitable for preventing the installation of the malicious program.
Description
Technical field
The present invention relates to the field of computer security, and in particular to a method, a device and electronic equipment for intercepting the installation of a malicious program.
Background technology
As Internet technology develops, the amount of software grows enormously. Although some of the software a user downloads and installs on a computer is legitimate, legitimate software may also bundle and promote the installation of malicious programs. If a malicious program is installed on the user's computer the consequences are unpredictable, so the malicious programs bundled with software need to be identified at installation time and prevented from installing.
Existing malicious-program interception schemes hook process creation and block the malicious program's process when it is run; the principle is to intercept according to the name of the malicious program's installation package. If the malicious installation package simply changes its name, however, interception of the installation fails. Although existing schemes allow the installation-package names to be intercepted to be configured, the configurable names are still a limited set of known, fixed names, and an installation package with a random name still cannot be intercepted. Existing schemes therefore easily miss malicious programs, and interception is incomplete.
Summary of the invention
In view of this, embodiments of the present invention provide a method, a device and electronic equipment for intercepting the installation of a malicious program, so that the installation of malicious programs is intercepted more comprehensively and effectively.
In a first aspect, an embodiment of the present invention provides a method for intercepting the installation of a malicious program, including:
monitoring an event message indicating that a program installation process in the system is about to create a directory and/or a registry entry, wherein the event message includes the directory path and/or registry entry to be created;
judging whether the directory path and/or registry entry to be created is recorded in a preset configurable file, wherein the configurable file records directory paths and/or registry entries whose creation is to be prevented; and
if the directory path and/or registry entry to be created is recorded in the configurable file, preventing the program installation process from creating the directory and/or registry entry.
In combination with the first aspect, in a first implementation of the first aspect, the system is a Windows operating system;
before monitoring the event message that the program installation process is about to create a directory, the method further includes: presetting a file system filter driver bound to the file system of the Windows operating system, the file system filter driver providing a file-open routine; and
monitoring the event message that the program installation process is about to create a directory includes monitoring, through the file system filter driver, the event message that the program installation process in the system is about to create a directory.
In combination with the first implementation of the first aspect, in a second implementation of the first aspect, judging whether the directory path to be created is recorded in the preset configurable file includes:
reading, through the file-open routine, all directory paths recorded in the preset configurable file whose creation is to be prevented, and saving them in a first linked list, each node of the first linked list holding one such directory path; and
comparing the node data of the first linked list in turn with the directory path to be created: if a node identical to the directory path to be created exists in the first linked list, determining that the directory path to be created is recorded in the configurable file, and otherwise determining that it is not recorded in the configurable file.
In combination with the second implementation of the first aspect, in a third implementation of the first aspect, preventing the program installation process from creating the directory includes:
the file system filter driver calling the IRP completion function IoCompleteRequest to terminate the file-open routine, and returning to the file system of the Windows operating system.
In combination with the first aspect, in a fourth implementation of the first aspect, the system is a Windows operating system;
before monitoring the event message that the program installation process is about to create a directory and/or a registry entry, the method further includes: presetting a hook function that hooks NtSetValueKey, the function used to set and modify registry key values; and
monitoring the event message that the program installation process is about to create a registry entry includes monitoring, through the hook function, the event message that the program installation process in the system is about to create a registry entry.
In combination with the fourth implementation of the first aspect, in a fifth implementation of the first aspect, judging whether the registry entry to be created is recorded in the preset configurable file includes:
reading, through the hook function, all registry entries recorded in the preset configurable file whose creation is to be prevented, and saving them in a second linked list, each node of the second linked list holding one such registry entry; and
comparing the node data of the second linked list in turn with the registry entry to be created: if a node identical to the registry entry to be created exists in the second linked list, determining that the registry entry to be created is recorded in the configurable file, and otherwise determining that it is not recorded in the configurable file.
In combination with the fifth implementation of the first aspect, in a sixth implementation of the first aspect, preventing the program installation process from creating the registry entry includes:
not executing the original NtSetValueKey function of the Windows operating system.
In combination with the first aspect or any of the first to sixth implementations of the first aspect, in a seventh implementation of the first aspect, before monitoring the event message that the program installation process is about to create a directory and/or a registry entry, the method further includes:
collecting statistics on the directory paths and/or registry entries created by known malicious programs; and
writing the configurable file according to the collected data.
In a second aspect, an embodiment of the present invention provides a device for intercepting the installation of a malicious program, including:
a monitoring module, configured to monitor an event message indicating that a program installation process in the system is about to create a directory and/or a registry entry, and to send the event message to a judging module, wherein the event message includes the directory path and/or registry entry to be created;
the judging module, configured to judge whether the directory path and/or registry entry to be created in the received event message is recorded in a preset configurable file, and to send an interception instruction to a blocking module when it judges that it is, wherein the configurable file records directory paths and/or registry entries whose creation is to be prevented; and
the blocking module, configured to prevent, according to the received interception instruction, the program installation process from creating the directory and/or registry entry.
In combination with the second aspect, in a first implementation of the second aspect, the monitoring module includes:
a directory monitoring submodule, configured to preset and store a file system filter driver bound to the file system of the Windows operating system, the file system filter driver providing a file-open routine; the directory monitoring submodule is further configured to monitor, through the file system filter driver, the event message that a program installation process in the Windows operating system is about to create a directory, and to send that event message to the judging module.
In combination with the first implementation of the second aspect, in a second implementation of the second aspect, the judging module includes:
a first linked-list generating submodule, configured to read, through the file-open routine, all directory paths recorded in the preset configurable file whose creation is to be prevented, and to generate and save a first linked list, each node of which holds one such directory path; and
a first judging submodule, configured, on receiving the event message that the program installation process is about to create a directory, to compare the node data of the first linked list saved by the first linked-list generating submodule in turn with the directory path to be created recorded in the event message, and to send an interception instruction to the blocking module if a node identical to the directory path to be created exists in the first linked list.
In combination with the second implementation of the second aspect, in a third implementation of the second aspect, the blocking module, according to the received interception instruction, calls the IRP completion function IoCompleteRequest through the file system filter driver set in the directory monitoring submodule to terminate the file-open routine and returns to the file system of the Windows operating system, thereby preventing the program installation process from creating the directory.
In combination with the second aspect, in a fourth implementation of the second aspect, the monitoring module includes:
a registry monitoring submodule, configured to preset and store, in the Windows operating system, a hook function that hooks NtSetValueKey, the function used to set and modify registry key values; the registry monitoring submodule is further configured to monitor, through the hook function, the event message that a program installation process in the Windows operating system is about to create a registry entry, and to send that event message to the judging module.
In combination with the fourth implementation of the second aspect, in a fifth implementation of the second aspect, the judging module includes:
a second linked-list generating submodule, configured to read, through the hook function, all registry entries recorded in the preset configurable file whose creation is to be prevented, and to generate and save a second linked list, each node of which holds one such registry entry; and
a second judging submodule, configured, on receiving the event message that the program installation process is about to create a registry entry, to compare the node data of the second linked list saved by the second linked-list generating submodule in turn with the registry entry to be created recorded in the event message, and to send an interception instruction to the blocking module if a node identical to the registry entry to be created exists in the second linked list.
In combination with the fifth implementation of the second aspect, in a sixth implementation of the second aspect, the blocking module, according to the received interception instruction, prevents the program installation process from creating the registry entry by not executing the original NtSetValueKey function of the Windows operating system.
In combination with the second aspect or any of the first to sixth implementations of the second aspect, in a seventh implementation of the second aspect, the device for intercepting the installation of a malicious program further includes:
a configurable-file generating module, configured to collect statistics in advance on the directory paths and/or registry entries created by known malicious programs, and to generate and store the configurable file according to the collected data.
In a third aspect, the present invention provides electronic equipment including a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed in the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or component of the electronic equipment; the memory stores executable program code; and the processor, by reading the executable program code stored in the memory, runs the program corresponding to that code in order to perform the method for intercepting the installation of a malicious program described in any of the foregoing implementations.
The method, device and electronic equipment for intercepting the installation of a malicious program provided by embodiments of the present invention solve the problem that interception of malicious programs in the prior art is incomplete, by preventing the malicious program from creating its directories and/or registry entries. At the same time, the intercepted directories and registry entries can be extended at any time, so that maintenance is convenient.
Brief description of the drawings
In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings required in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of embodiment one of the method for intercepting the installation of a malicious program according to the present invention;
Fig. 2 is a schematic flow chart of embodiment two of the method for intercepting the installation of a malicious program according to the present invention;
Fig. 3 is a schematic flow chart of embodiment three of the method for intercepting the installation of a malicious program according to the present invention;
Fig. 4 is a schematic structural diagram of embodiment one of the device for intercepting the installation of a malicious program according to the present invention;
Fig. 5 is a schematic structural diagram of embodiment two of the device for intercepting the installation of a malicious program according to the present invention;
Fig. 6 is a schematic structural diagram of embodiment three of the device for intercepting the installation of a malicious program according to the present invention;
Fig. 7 is a schematic structural diagram of embodiment four of the device for intercepting the installation of a malicious program according to the present invention;
Fig. 8 is a schematic structural diagram of an embodiment of the electronic equipment according to the present invention.
Detailed description of the invention
The scheme for intercepting the installation of a malicious program according to embodiment one of the present invention is described in detail below with reference to the drawings.
It should be understood that the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Fig. 1 is a schematic flow chart of embodiment one of the method for intercepting the installation of a malicious program according to the present invention. As shown in Fig. 1, the method of this embodiment may include:
Step 101: monitoring an event message indicating that a program installation process in the system is about to create a directory and/or a registry entry, wherein the event message includes the directory path and/or registry entry to be created.
In this embodiment, a malicious program creates specific directories and/or registry entries when it is installed. Because a malicious program can hardly randomize its installation directory and installation registry entries, the events in which a program installation process in the system creates a directory and/or registry entry are monitored and the directory and/or registry entry information is captured. If the directory and/or registry entry is a specific directory path and/or registry entry that a malicious program is known to create, the program installation process is prevented from creating the directory and/or registry entry, so that the installation of the malicious program is intercepted comprehensively.
Step 102: judging whether the directory path and/or registry entry to be created in the current event message is recorded in a preset configurable file; if so, performing step 103, otherwise performing step 104; wherein the configurable file records directory paths and/or registry entries whose creation is to be prevented.
In this embodiment, the configurable file may, for example, have the following format:
<item type="1", path="C:\dsak"/>
<item type="2", reg="HKEY_LOCAL_MACHINE\SOFTWARE\ahxki"/>
type=1 indicates that the item configures a directory, and path is the directory path created by the malicious program;
type=2 indicates that the item configures a registry entry, and reg is the registry entry created by the malicious program.
Each <item> is one interception item. The configurable file can be extended continuously, which makes it convenient to intercept more malicious programs later.
Step 103: preventing the program installation process from creating the directory and/or registry entry.
In this embodiment, the installation of the malicious program is intercepted by preventing the program installation process from creating the directory and/or registry entry.
Step 104: allowing the program installation process to create the directory and/or registry entry.
In this embodiment, by preventing the malicious program from creating its directories and/or registry entries, the problem that existing interception of malicious programs is incomplete is solved. At the same time, the intercepted directories and/or registry entries can be extended at any time, so that maintenance is convenient.
Fig. 2 is a schematic flow chart of embodiment two of the method for intercepting the installation of a malicious program according to the present invention; the method provided by this embodiment is applicable to the Windows operating system. As shown in Fig. 2, the method of this embodiment may include:
Step 201: presetting a file system filter driver bound to the file system of the Windows operating system, the file system filter driver providing a file-open routine.
In this embodiment, by presetting a file system filter driver bound to the file system of the Windows operating system, an IRP_MJ_CREATE I/O request packet (IRP) is received whenever a program installation process in the system calls a create function such as CreateFile or CreateDirectory to create a file or directory. When an upper-layer application communicates with the underlying file system through the filter driver, the application issues an I/O request, which the operating system converts into the corresponding IRP data structure. After the file system filter driver receives the IRP_MJ_CREATE request, it passes it to the custom routine function IrpCreate for processing.
Step 202: monitoring, through the file system filter driver, the event message that a program installation process in the system is about to create a directory.
In this embodiment, because directory creation by a malicious program also reaches the IrpCreate routine function, the file system filter driver can be used to monitor the event message that a program installation process in the system is about to create a directory.
Step 203: reading, through the file-open routine, all directory paths recorded in the preset configurable file whose creation is to be prevented, and saving them in a first linked list; wherein each node of the first linked list holds one such directory path.
In this embodiment, when the configurable file has the format given in embodiment one, all data with type=1 (there may be several such items) is read from the configurable file in the IrpCreate routine function and saved in the first linked list.
Step 204: comparing the node data of the first linked list in turn with the directory path to be created; if a node identical to the directory path to be created exists in the first linked list, determining that the directory path to be created is recorded in the configurable file and performing step 205; otherwise, determining that the directory path to be created is not recorded in the configurable file and performing step 206.
In this embodiment, the directory path about to be created is obtained from the parameters of the IrpCreate routine function and compared with the paths in the nodes of the first linked list; if they are identical, the directory to be created is considered one that needs to be intercepted.
Step 205: the file system filter driver calls the IRP completion function IoCompleteRequest to terminate the file-open routine, and returns to the file system of the Windows operating system.
In this embodiment, the file system filter driver calls the function IoCompleteRequest to complete the IRP in the IrpCreate routine and returns to the file system of the Windows operating system. Because the filter driver completes the request itself, the file system below it never receives the create request and writes nothing, so the directory creation is stopped and fails. Preferably, in order to show which installation package, i.e. which malicious program, was intercepted, the process name of the installation currently running, which is the process name of the malicious installation package, can be obtained by calling PsGetCurrentProcessId, which returns the identifier of the current process, and the process information query function ZwQueryInformationProcess.
Step 206: allowing the program installation process to create the directory.
In this embodiment, by preventing the malicious program from creating its directories, the problem that existing interception of malicious programs is incomplete is solved. At the same time, the intercepted directories can be extended at any time, so that maintenance is convenient.
Fig. 3 is a schematic flow chart of embodiment three of the method for intercepting the installation of a malicious program according to the present invention; the method provided by this embodiment is applicable to the Windows operating system. As shown in Fig. 3, the method of this embodiment may include:
Step 301: presetting a hook function that hooks NtSetValueKey, the function used to set and modify registry key values.
In this embodiment, because the creation of a registry entry in the Windows operating system is performed by the kernel function NtSetValueKey, hooking the kernel function NtSetValueKey allows the creation of registry entries to be intercepted. The hook method is: find the NtSetValueKey entry in the System Service Descriptor Table (SSDT), save the original address of NtSetValueKey, define a function NewNtSetValueKey, and replace the original NtSetValueKey address with the address of NewNtSetValueKey. This realizes the hook of NtSetValueKey; the hook function is NewNtSetValueKey.
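The hook of step 301, shown below as an added example in user-mode, portable C; it is not the patent's code. A function-pointer table stands in for the SSDT, the key path stands in for the KeyHandle the real NtSetValueKey receives, and the deny list and status values are constructed for the demonstration. The pattern is the one the patent describes: save the original address, write the address of NewNtSetValueKey into the table, return without calling the original when the key is listed, and fall through to the saved original otherwise. Two points a practitioner should know: registry names are case-insensitive, so the comparison must be too; and on 64-bit Windows, Kernel Patch Protection (PatchGuard) bug-checks a system that patches the SSDT, so the supported way to get the same pre-operation hook is a registry callback registered with CmRegisterCallbackEx and handled on RegNtPreSetValueKey.

```c
/* Added example (not the patent's code): step 301 modelled as a hook on a
 * function-pointer table that stands in for KeServiceDescriptorTable. */
#include <stdio.h>
#include <ctype.h>

typedef long NTSTATUS;
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

/* Stand-in signature: key path and value name replace KeyHandle/ValueName. */
typedef NTSTATUS (*NtSetValueKey_t)(const char *key_path, const char *value_name);

/* Constructed service table: one slot per system service. */
enum { SVC_NtSetValueKey = 0, SVC_COUNT };
static NtSetValueKey_t ServiceTable[SVC_COUNT];

/* The "original" service: it only records that a value was written. */
static int values_written;
static NTSTATUS OriginalNtSetValueKey(const char *key_path, const char *value_name) {
    (void)key_path; (void)value_name;
    values_written++;
    return STATUS_SUCCESS;
}

/* Original address saved before patching, so the hook can fall through (step 306). */
static NtSetValueKey_t SavedNtSetValueKey;

/* Constructed deny list standing in for the type="2" items of the configurable file. */
static const char *DeniedKeys[] = { "HKEY_LOCAL_MACHINE\\SOFTWARE\\ahxki" };

/* Registry key names are case-insensitive; an exact strcmp would be bypassed by "AHXKI". */
static int KeyMatches(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* NewNtSetValueKey: deny a listed key without calling the original (step 305),
 * otherwise pass the call to the saved original (step 306). */
static int denied_count;
static NTSTATUS NewNtSetValueKey(const char *key_path, const char *value_name) {
    size_t i;
    for (i = 0; i < sizeof DeniedKeys / sizeof DeniedKeys[0]; i++) {
        if (KeyMatches(key_path, DeniedKeys[i])) {
            denied_count++;
            return STATUS_ACCESS_DENIED;
        }
    }
    return SavedNtSetValueKey(key_path, value_name);
}

/* Install: save the original slot, then overwrite it with the hook. */
void InstallHook(void) {
    SavedNtSetValueKey = ServiceTable[SVC_NtSetValueKey];
    ServiceTable[SVC_NtSetValueKey] = NewNtSetValueKey;
}

/* Remove: restore the saved address (what a driver must do on unload). */
void RemoveHook(void) {
    if (SavedNtSetValueKey) ServiceTable[SVC_NtSetValueKey] = SavedNtSetValueKey;
}

/* What the system-call dispatcher does: index the table and call through it. */
NTSTATUS CallNtSetValueKey(const char *key_path, const char *value_name) {
    return ServiceTable[SVC_NtSetValueKey](key_path, value_name);
}

void InitServiceTable(void) {
    ServiceTable[SVC_NtSetValueKey] = OriginalNtSetValueKey;
    values_written = 0; denied_count = 0; SavedNtSetValueKey = 0;
}
int GetValuesWritten(void) { return values_written; }
int GetDeniedCount(void)   { return denied_count; }

int main(void) {
    InitServiceTable();
    InstallHook();
    printf("listed key:   0x%lx\n", (long)CallNtSetValueKey("HKEY_LOCAL_MACHINE\\SOFTWARE\\ahxki", "Run"));
    printf("other key:    0x%lx\n", (long)CallNtSetValueKey("HKEY_CURRENT_USER\\Software\\Vendor", "Run"));
    RemoveHook();
    printf("after unhook: 0x%lx\n", (long)CallNtSetValueKey("HKEY_LOCAL_MACHINE\\SOFTWARE\\ahxki", "Run"));
    return 0;
}
```

In a real SSDT hook the slot write additionally needs write protection cleared (CR0.WP) and must be done atomically; a registry callback avoids both and reports the key as a REG_SET_VALUE_KEY_INFORMATION whose Object can be resolved to a path, which is also where the process name from PsGetCurrentProcessId would be logged.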
Step 302: monitoring, through the hook function, the event message that a program installation process in the system is about to create a registry entry.
In this embodiment, because the hook function has hooked the NtSetValueKey kernel function, the hook function observes the event message whenever a program installation process is about to create a registry entry.
Step 303: reading, through the hook function, all registry entries recorded in the preset configurable file whose creation is to be prevented, and saving them in a second linked list; wherein each node of the second linked list holds one such registry entry.
In this embodiment, the configurable file is read; for example, when it has the format given in embodiment one, all data with type=2 (there may be several such items) is obtained and saved in the second linked list.
Step 304: comparing the node data of the second linked list in turn with the registry entry to be created; if a node identical to the registry entry to be created exists in the second linked list, determining that the registry entry to be created is recorded in the configurable file and performing step 305; otherwise, determining that the registry entry to be created is not recorded in the configurable file and performing step 306.
In this embodiment, the registry entry to be created is obtained from the parameters of NewNtSetValueKey and compared with the reg values in the nodes of the second linked list; if they are identical, the registry entry to be created is considered one that needs to be intercepted.
Step 305: not executing the NtSetValueKey function of the Windows operating system.
In this embodiment, the NewNtSetValueKey function returns without executing the NtSetValueKey function, so the malicious program's creation of the registry entry fails. In addition, in order to show which installation package, i.e. which malicious program, was intercepted, the process name of the installation currently running, which is the process name of the malicious installation package, can likewise be obtained by calling the kernel functions PsGetCurrentProcessId and ZwQueryInformationProcess.
Step 306: executing the NtSetValueKey function of the Windows operating system.
In this embodiment, in the normal case where the creation of the registry entry does not need to be intercepted, the NtSetValueKey function continues to be called and the creation of the registry entry succeeds.
In this embodiment, by preventing the malicious program from creating its registry entries, the problem that existing interception of malicious programs is incomplete is solved. At the same time, the intercepted registry entries can be extended at any time, so that maintenance is convenient.
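The configurable file of step 102, the two linked lists of steps 203 and 303, and the decisions of steps 204/205 and 304/305, brought together in one added example in portable C (not the patent's code). It includes two checks the patent's identical-string comparison does not: NTFS and registry names are case-insensitive, so both sides are normalized before comparison; and an IRP_MJ_CREATE arrives for every open, not only for directory creation, so only requests carrying FILE_DIRECTORY_FILE with a creating disposition are denied. The config entries name HKEY_LOCAL_MACHINE, but a kernel hook sees \REGISTRY\MACHINE\..., so hive names are mapped. Denying a path beneath a listed directory (prefix match) goes beyond the patent's exact match. The config text, request paths and key names are constructed; a real filter would first turn a \Device\HarddiskVolumeN\ name into a drive-letter path (IoVolumeDeviceToDosName), and a real hook would recover the key path from KeyHandle with ObQueryNameString.

```c
/* Added example, not the patent's code: config parsing into the two lists,
 * name normalization, and the directory / registry decisions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define FILE_DIRECTORY_FILE 0x00000001   /* create option, as in ntifs.h   */
#define FILE_OPEN    1                   /* create dispositions, ntifs.h   */
#define FILE_CREATE  2
#define FILE_OPEN_IF 3

enum decision { ALLOW = 0, DENY = 1 };
typedef struct node { char *value; struct node *next; } node;
static node *dir_list;   /* first linked list: type="1" items  */
static node *reg_list;   /* second linked list: type="2" items */

/* Lower-case, '/' to '\', strip a "\??\" or "\\?\" prefix, drop trailing '\'. */
static char *normalize_path(const char *in) {
    char *out = malloc(strlen(in) + 1), *p = out;
    if (!strncmp(in, "\\??\\", 4) || !strncmp(in, "\\\\?\\", 4)) in += 4;
    for (; *in; in++) *p++ = (char)tolower((unsigned char)(*in == '/' ? '\\' : *in));
    while (p > out && p[-1] == '\\') p--;
    *p = '\0';
    return out;
}

/* Map config hive names onto the kernel's \REGISTRY\... form. HKCU and HKCR
 * have no fixed kernel path and are left as written. */
static char *normalize_key(const char *in) {
    static const struct { const char *hive, *kernel; } map[] = {
        { "hkey_local_machine", "\\registry\\machine" }, { "hklm", "\\registry\\machine" },
        { "hkey_users", "\\registry\\user" },            { "hku",  "\\registry\\user" } };
    char *low = normalize_path(in), *out;
    size_t i, n;
    for (i = 0; i < sizeof map / sizeof map[0]; i++) {
        n = strlen(map[i].hive);
        if (!strncmp(low, map[i].hive, n) && (low[n] == '\\' || low[n] == '\0')) {
            out = malloc(strlen(map[i].kernel) + strlen(low + n) + 1);
            strcpy(out, map[i].kernel);
            strcat(out, low + n);
            free(low);
            return out;
        }
    }
    return low;
}

/* Value of attribute name="..." inside one <item .../> element, or NULL. */
static char *attr(const char *item, const char *name) {
    char key[16], *v;
    const char *p, *q;
    snprintf(key, sizeof key, "%s=\"", name);
    if (!(p = strstr(item, key)) || !(q = strchr(p += strlen(key), '"'))) return NULL;
    v = malloc((size_t)(q - p) + 1);
    memcpy(v, p, (size_t)(q - p));
    v[q - p] = '\0';
    return v;
}

static void push(node **list, char *value) {
    node *n = malloc(sizeof *n);
    n->value = value; n->next = *list; *list = n;
}

/* Steps 203 and 303: one pass over the file fills both lists. */
void load_config(const char *cfg) {
    const char *p = cfg, *end;
    char *item, *type, *path, *reg;
    while ((p = strstr(p, "<item")) && (end = strstr(p, "/>"))) {
        item = malloc((size_t)(end - p) + 1);
        memcpy(item, p, (size_t)(end - p));
        item[end - p] = '\0';
        type = attr(item, "type"); path = attr(item, "path"); reg = attr(item, "reg");
        if (type && !strcmp(type, "1") && path) push(&dir_list, normalize_path(path));
        if (type && !strcmp(type, "2") && reg)  push(&reg_list, normalize_key(reg));
        free(type); free(path); free(reg); free(item);
        p = end + 2;
    }
}

/* True if name equals a listed entry or lies beneath it. */
static int listed(const node *list, const char *name) {
    for (; list; list = list->next) {
        size_t n = strlen(list->value);
        if (!strncmp(name, list->value, n) && (name[n] == '\0' || name[n] == '\\')) return 1;
    }
    return 0;
}

/* Steps 204/205 for an IRP_MJ_CREATE: options is the Create.Options word with
 * the disposition in its top byte, as the I/O manager packs it. */
enum decision decide_create(const char *nt_path, unsigned long options) {
    unsigned long disp = options >> 24;
    char *p;
    int hit;
    if (!(options & FILE_DIRECTORY_FILE) || (disp != FILE_CREATE && disp != FILE_OPEN_IF))
        return ALLOW;                /* a plain open, or a file rather than a directory create */
    p = normalize_path(nt_path);
    hit = listed(dir_list, p);
    free(p);
    return hit ? DENY : ALLOW;
}

/* Steps 304/305 for NtSetValueKey; the patent matches the key path, not the value name. */
enum decision decide_set_value(const char *kernel_key_path, const char *value_name) {
    char *k = normalize_key(kernel_key_path);
    int hit = listed(reg_list, k);
    (void)value_name;
    free(k);
    return hit ? DENY : ALLOW;
}

/* Constructed configurable file in the format of embodiment one. */
static const char *kConfig =
    "<item type=\"1\", path=\"C:\\dsak\"/>\n"
    "<item type=\"2\", reg=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\ahxki\"/>\n";

int main(void) {
    load_config(kConfig);
    printf("directory create: %d\n", decide_create("\\??\\C:\\DSAK", (FILE_CREATE << 24) | FILE_DIRECTORY_FILE));
    printf("value write:      %d\n", decide_set_value("\\REGISTRY\\MACHINE\\SOFTWARE\\ahxki", "Run"));
    return 0;
}
```

When decide_create returns DENY, a legacy filter sets Irp->IoStatus.Status to a failure code such as STATUS_ACCESS_DENIED before calling IoCompleteRequest, so that the installer's CreateDirectory call actually fails rather than appearing to succeed; a minifilter returns FLT_PREOP_COMPLETE with the same status from its IRP_MJ_CREATE pre-operation callback.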
Preferably, in the technical solution of any of the method embodiments shown in Figs. 1 to 3, before monitoring the event message that a program installation process in the system is about to create a directory and/or a registry entry, the method further includes: collecting statistics on the directory paths and/or registry entries created by known malicious programs, and writing the configurable file according to the collected data.
In this embodiment, the data in the configurable file comes from long-term statistical analysis by security protection software of the directories or registry entries created by malicious programs. Any creation that matches one of these directories or registry entries is therefore regarded as a malicious program creating its directories and registry entries, because no normal software creates these directories and registry entries.
Corresponding to the method for intercepting the installation of a malicious program provided by the embodiments of the present invention, the embodiments of the present invention also provide a device for intercepting the installation of a malicious program.
Fig. 4 is a schematic structural diagram of embodiment one of the device for intercepting the installation of a malicious program according to the present invention. As shown in Fig. 4, the device provided by this embodiment one may include a monitoring module 11, a judging module 12 and a blocking module 13;
the monitoring module 11 is configured to monitor an event message indicating that a program installation process in the system is about to create a directory and/or a registry entry, and to send the event message to the judging module 12, wherein the event message includes the directory path and/or registry entry to be created;
the judging module 12 is configured to judge whether the directory path and/or registry entry to be created in the received event message is recorded in a preset configurable file and, on judging that it is, to send an interception instruction to the blocking module, wherein the configurable file records directory paths and/or registry entries whose creation is to be prevented;
the blocking module 13 is configured to prevent, according to the received interception instruction, the program installation process from creating the directory and/or registry entry.
The device of this embodiment one may be used to carry out the technical solution of the method embodiment shown in Fig. 1; its principle and technical effect are similar and are not repeated here.
Fig. 5 is a schematic structural diagram of embodiment two of the device for intercepting malicious program installation according to the present invention. As shown in Fig. 5, on the basis of the embodiment shown in Fig. 4, the monitoring module 11 includes a directory monitoring submodule 111, configured to preset and store a file system filter driver bound to the file system of the Windows operating system, the file system filter driver being used to drive the file open routine; the directory monitoring submodule 111 is further configured to receive, through the file open routine, the event message that a program installation process in the Windows operating system is about to create a directory, and to send that event message to the judging module 12.
The judging module 12 includes a first linked list generating submodule 21 and a first judging submodule 22. The first linked list generating submodule 21 is configured to read, through the file open routine, all the blocked directory paths recorded in the preset configurable file, and to generate and save a first linked list, in which the data of each node is one blocked directory path recorded in the configurable file. The first judging submodule 22 is configured, upon receiving the event message that a program installation process in the system is about to create a directory, to check the nodes of the first linked list saved by the first linked list generating submodule one by one for whether the node data is identical to the directory path to be created recorded in the event message, and, if the first linked list contains a node identical to the directory path to be created, to send an interception instruction to the blocking module 13.
According to the received interception instruction, the blocking module 13 has the file system filter driver set in the directory monitoring submodule 111 call the IoCompleteRequest function to terminate the file open routine, thereby preventing the program installation process from creating the directory.
The device of this embodiment two may be used to execute the technical solution of the method embodiment shown in Fig. 2; its implementation principle and technical effect are similar and are not repeated here.
Fig. 6 is a schematic structural diagram of embodiment three of the device for intercepting malicious program installation according to the present invention. As shown in Fig. 6, on the basis of the embodiment shown in Fig. 4, the monitoring module 11 includes a registry monitoring submodule 112, configured to preset and store a hook function that hooks the NtSetValueKey function of the Windows operating system; the registry monitoring submodule 112 is further configured to monitor, through the hook function, the event message that a program installation process in the Windows operating system is about to create a registry entry, and to send that event message to the judging module 12.
The judging module 12 includes a second linked list generating submodule 31 and a second judging submodule 32. The second linked list generating submodule 31 is configured to read, through the hook function, all the blocked registry entries recorded in the preset configurable file, and to generate and save a second linked list, in which the data of each node is one blocked registry entry recorded in the configurable file. The second judging submodule 32 is configured, upon receiving the event message that a program installation process in the system is about to create a registry entry, to check the nodes of the second linked list saved by the second linked list generating submodule 31 one by one for whether the node data is identical to the registry entry to be created recorded in the event message, and, if the second linked list contains a node identical to the registry entry to be created, to send an interception instruction to the blocking module 13.
According to the received interception instruction, the blocking module 13 prevents the program installation process from creating the registry entry by stopping execution of the original NtSetValueKey function of the Windows operating system.
The device of this embodiment three may be used to execute the technical solution of the method embodiment shown in Fig. 3; its implementation principle and technical effect are similar and are not repeated here.
Fig. 7 is a schematic structural diagram of embodiment four of the device for intercepting malicious program installation according to the present invention. As shown in Fig. 7, on the basis of the device structure shown in Fig. 4, the device of this embodiment four further includes a configurable file generating module 14, configured to collect in advance statistics on the directory paths and/or registry entries created by known malicious programs, and to generate and store the configurable file according to the statistical data.
The embodiments of the present invention also provide an electronic device. Fig. 8 is a schematic structural diagram of an embodiment of the electronic device of the present invention, which can implement the flow of the embodiment shown in Fig. 1, Fig. 2 or Fig. 3 of the present invention. As shown in Fig. 8, the electronic device may include a housing 41, a processor 42, a memory 43, a circuit board 44 and a power supply circuit 45, wherein the circuit board 44 is placed inside the space enclosed by the housing 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; the power supply circuit 45 supplies power to each circuit or component of the electronic device; the memory 43 stores executable program code; and the processor 42 runs the program corresponding to the executable program code by reading the executable program code stored in the memory 43, so as to perform the method for intercepting malicious program installation described in any of the foregoing embodiments.
This electronic device exists in various forms, including but not limited to:
(1) Mobile communication devices: these devices are characterised by mobile communication capability, with voice and data communication as their main goal. This type of terminal includes smart phones (such as iPhone), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: these devices belong to the category of personal computers, have computing and processing functions, and generally also have mobile Internet access. This type of terminal includes PDA, MID and UMPC devices, such as iPad.
(3) Portable entertainment devices: these devices can display and play multimedia content. This type includes audio and video players (such as iPod), handheld devices, e-book readers, smart toys and portable in-vehicle navigation devices.
(4) Servers: devices that provide computing services. A server consists of a processor, hard disk, memory, system bus, etc., and is similar in architecture to a general-purpose computer, but because it needs to provide highly reliable services, its requirements on processing capacity, stability, reliability, security, scalability and manageability are higher.
(5) Other electronic devices with data interaction functions.
It should be noted that, in this document, relational terms such as first and second are used merely to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, article or device. Without further restriction, an element defined by the statement "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
Each embodiment in this specification is described in a progressive manner; identical or similar parts between the embodiments may be referred to one another, and each embodiment focuses on its differences from the other embodiments. As the device embodiments are substantially similar to the method embodiments, their description is relatively brief, and the relevant parts may be referred to the description of the method embodiments.
For convenience of description, the above device is described as divided into various units/modules by function. Of course, when implementing the present invention, the functions of the units/modules may be realised in the same or in multiple pieces of software and/or hardware.
One of ordinary skill in the art will appreciate that all or part of the flow of the above method embodiments can be completed by a computer program instructing the relevant hardware; the program can be stored in a computer-readable storage medium and, when executed, may include the flow of the above method embodiments. The storage medium may be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), etc.
The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any person familiar with the art can readily conceive of changes or substitutions within the technical scope disclosed by the present invention, and all of these shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of the claims.
Claims (10)
1. A method for intercepting malicious program installation, characterised in that it comprises:
monitoring the event message that a program installation process in the system is about to create a directory and/or a registry entry; wherein the event message includes the directory path and/or registry entry to be created;
judging whether the preset configurable file records the directory path and/or registry entry to be created; wherein the configurable file records the directory paths and/or registry entries whose creation is to be blocked;
if the configurable file records the directory path and/or registry entry to be created, preventing the program installation process from creating the directory and/or registry entry.
2. The method for intercepting malicious program installation according to claim 1, characterised in that the system is a Windows operating system;
before monitoring the event message that a program installation process in the system is about to create a directory and/or a registry entry, the method further comprises: presetting a file system filter driver bound to the file system of the Windows operating system, the file system filter driver being used to drive a file open routine;
monitoring the event message that a program installation process in the system is about to create a directory comprises: monitoring, through the file system filter driver, the event message that the program installation process in the system is about to create a directory.
3. The method for intercepting malicious program installation according to claim 2, characterised in that judging whether the preset configurable file records the directory path to be created comprises:
reading, through the file open routine, all the blocked directory paths recorded in the preset configurable file and saving them in a first linked list; the data of each node of the first linked list is one blocked directory path recorded in the configurable file;
checking the nodes of the first linked list one by one for whether the node data is identical to the directory path to be created; if the first linked list contains a node identical to the directory path to be created, determining that the configurable file records the directory path to be created; otherwise, determining that the configurable file does not record the directory path to be created.
4. The method for intercepting malicious program installation according to claim 3, characterised in that preventing the program installation process from creating the directory comprises:
the file system filter driver calling the IRP completion function IoCompleteRequest to terminate the file open routine and return to the file system of the Windows operating system.
5. The method for intercepting malicious program installation according to claim 1, characterised in that the system is a Windows operating system;
before monitoring the event message that a program installation process in the system is about to create a directory and/or a registry entry, the method further comprises: presetting a hook function that hooks NtSetValueKey, the function used to set and modify registry key values;
monitoring the event message that a program installation process in the system is about to create a registry entry comprises: monitoring, through the hook function, the event message that the program installation process in the system is about to create a registry entry.
6. The method for intercepting malicious program installation according to claim 5, characterised in that judging whether the preset configurable file records the registry entry to be created comprises:
reading, through the hook function, all the blocked registry entries recorded in the preset configurable file and saving them in a second linked list; the data of each node of the second linked list is one blocked registry entry recorded in the configurable file;
checking the nodes of the second linked list one by one for whether the node data is identical to the registry entry to be created; if the second linked list contains a node identical to the registry entry to be created, determining that the configurable file records the registry entry to be created; otherwise, determining that the configurable file does not record the registry entry to be created.
7. The method for intercepting malicious program installation according to claim 6, characterised in that preventing the program installation process from creating the registry entry comprises:
stopping execution of the original NtSetValueKey function of the Windows operating system.
8. The method for intercepting malicious program installation according to any one of claims 1 to 7, characterised in that, before monitoring the event message that a program installation process in the system is about to create a directory and/or a registry entry, the method further comprises:
collecting statistics on the directory paths and/or registry entries created by known malicious programs;
writing the configurable file according to the statistical data.
9. A device for intercepting malicious program installation, characterised in that it comprises:
a monitoring module, configured to monitor the event message that a program installation process in the system is about to create a directory and/or a registry entry; wherein the event message includes the directory path and/or registry entry to be created;
a judging module, configured to judge whether the preset configurable file records the directory path and/or registry entry to be created in the event message received by the monitoring module; wherein the configurable file records the directory paths and/or registry entries whose creation is to be blocked;
a blocking module, configured to prevent the program installation process from creating the directory and/or registry entry when the judging module judges that the configurable file records the directory path and/or registry entry to be created.
10. The device for intercepting malicious program installation according to claim 9, characterised in that the monitoring module comprises:
a directory monitoring submodule, configured to preset a file system filter driver bound to the file system of the Windows operating system, the file system filter driver being used to drive a file open routine; the directory monitoring submodule is further configured to monitor, through the file system filter driver, the event message that a program installation process in the Windows operating system is about to create a directory.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610327338.7A CN106022100A (en) | 2016-05-17 | 2016-05-17 | Method and device for intercepting installation of malicious program and electronic equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106022100A true CN106022100A (en) | 2016-10-12 |
Family
ID=57097338
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106022100A (en) |
- 2016-05-17: CN application CN201610327338.7A filed (patent/CN106022100A/en), status Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| TA01 | Transfer of patent application right | Effective date of registration: 20190118. Address after: 519031 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province. Applicant after: Zhuhai Leopard Technology Co.,Ltd. Address before: 100085 East District, No. 33 Xiaoying West Road, Haidian District, Beijing. Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd. |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20161012 |