CN106022111A - Processing method and device for hiding pop-up window and electronic equipment - Google Patents
Processing method and device for hiding pop-up window and electronic equipment Download PDFInfo
- Publication number
- CN106022111A CN106022111A CN201610552211.5A CN201610552211A CN106022111A CN 106022111 A CN106022111 A CN 106022111A CN 201610552211 A CN201610552211 A CN 201610552211A CN 106022111 A CN106022111 A CN 106022111A
- Authority
- CN
- China
- Prior art keywords
- software process
- window
- function
- pop
- hiding
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a processing method and device for hiding pop-up windows and electronic equipment, which can solve the problem that the safety of a system cannot be effectively protected due to the fact that malicious software cannot hide the pop-up windows in the prior art. The method comprises the following steps: detecting the behavior of calling a disabled or enabled window function by a software process; when detecting that a behavior of a software process calling a disabled or enabled window function exists, acquiring a first function index number transmitted when the software process calls the disabled or enabled window function; judging whether the first function index number is the same as a second function index number of a kernel corresponding to the function of the hidden pop-up window; if not, calling a forbidden or enabled window function to execute the operation corresponding to the first function index number, otherwise, judging whether the software process is a malicious software process; and if the software process is a malicious software process, refusing to perform the hidden pop-up window operation, and otherwise, calling a forbidden or enabled window function to execute the hidden pop-up window operation. The method and the device are suitable for processing the operation of hiding the pop-up window.
Description
Technical field
The present invention relates to technical field of system security, particularly relate to a kind of hiding pop-up window processing method,
Device and electronic equipment.
Background technology
In computer systems, it is provided that have ShowOwnedPopups function, belong to finger for show or hide
Determine all pop-up windows of window.And rogue program can attack fail-safe software by the way of hide window,
The message transmission causing fail-safe software processes and is interrupted, and defense function lost efficacy, and rogue program just can endanger calculating
Machine system.
At present, in order to prevent malice pop-up window not to be hidden, it is hook application layer under normal circumstances
ShowOwnedPopups function, ShowOwnedPopups function corresponding to the function of system kernel is
NtUserCallHwndParamLock function.NtUserCallHwndParamLock function is a public letter
Number, the function of the function correspondence kernel of a lot of application layers is all it.NtUserCallHwndParamLock function
Distinguishing different application layer functions with a feature index number, rogue program can be by calling kernel
NtUserCallHwndParamLock function, incoming corresponding feature index number, hide the institute of specified window
Having pop-up window, such rogue program just can destruction of computer systems environment.
Therefore, the processing method of existing hiding pop-up window, it is impossible to prevent Malware from hiding Pop-up
Window, causes security of system not to be effectively protected.
Summary of the invention
In view of this, the embodiment of the present invention provides processing method, device and the electricity of a kind of hiding pop-up window
Subset, it is possible to prevent Malware from hiding pop-up window, thus effectively protect security of system.
First aspect, the embodiment of the present invention provides the processing method of a kind of hiding pop-up window, including:
Inspection software process is called disabling or enables the behavior of window function function;
When detecting that software process calls disabling or enables the behavior of window function function, obtain described soft
Part process is called disabling or enables feature index No. the first incoming during window function function;
Judge the second function of described feature index No. first and the hiding corresponding kernel of pop-up window power function
Call number is the most identical;
If differing, then call disabling or enable the execution of window function function and described first feature index phase
Corresponding operation, otherwise judges whether described software process is malicious software process;
If described software process is malicious software process, then refusal is hidden pop-up window operation, otherwise
Call disabling or enable window function function execution hiding pop-up window operation.
In conjunction with first aspect, in the first embodiment of first aspect, described hiding pop-up window merit
Feature index No. second of energy function correspondence kernel is different under different systems.
In conjunction with first aspect, in the second embodiment of first aspect, the described software process of described judgement
Whether it is that malicious software process includes:
Obtain the characteristic information of described software process;
The feature letter of described software process is inquired about in storage has the feature database of malicious software process characteristic information
Breath;
If the characteristic information of described software process can be inquired, then judge that described software process enters as Malware
Journey, otherwise judges that described software process is not malicious software process.
In conjunction with the second embodiment of first aspect, in the third embodiment of first aspect, in institute
State inspection software process call disabling or enable window function function behavior before, described method also includes:
Set up feature database, the characteristic information of the malicious software process got is stored in described feature database.
Second aspect, the embodiment of the present invention provides the processing means of a kind of hiding pop-up window, including:
Detector unit, calls disabling for inspection software process or enables the behavior of window function function;
When described detector unit, acquiring unit, for having detected that software process calls disabling or enables window merit
Can the behavior of function time, obtain described software process and call disabling or enable during window function function incoming
Feature index No. first;
First judging unit, is used for judging described feature index No. first and hiding pop-up window power function
Feature index No. second of corresponding kernel is the most identical;
First processing unit, for when the judged result of described first judging unit is for differing, calls taboo
With or enable window function function and perform the operation corresponding with described feature index No. first;
Second judging unit, for when the judged result of described first judging unit is identical, it is judged that described
Whether software process is malicious software process;
When described second judging unit, second processing unit, for judging that described software process enters as Malware
Cheng Shi, refusal is hidden pop-up window operation;
When described second judging unit, 3rd processing unit, for judging that described software process is not Malware
During process, call disabling or enable window function function execution hiding pop-up window operation.
In conjunction with second aspect, in the first embodiment of second aspect, described hiding pop-up window merit
Feature index No. second of energy function correspondence kernel is different under different systems.
In conjunction with second aspect, in the second embodiment of second aspect, described second judging unit includes:
Obtain subelement, for obtaining the characteristic information of described software process;
Inquiry subelement is described soft for inquiring about in storing the feature database having malicious software process characteristic information
The characteristic information of part process;
Judgment sub-unit, is used for when described inquiry subelement can inquire the characteristic information of described software process,
Judge that described software process, as malicious software process, otherwise judges that described software process is not malicious software process.
In conjunction with the second embodiment of second aspect, in the third embodiment of second aspect, described
Device also includes:
Set up unit, for calling disabling in described detector unit inspection software process or enabling window function letter
Before the behavior of number, set up feature database, the characteristic information of the malicious software process got is stored in described
In feature database.
The third aspect, the embodiment of the present invention provides a kind of electronic equipment, and described electronic equipment includes: housing,
Processor, memorizer, circuit board and power circuit, wherein, circuit board is placed in the space that housing surrounds
Portion, processor and memorizer are arranged on circuit boards;Power circuit, for for each of above-mentioned electronic equipment
Circuit or device are powered;Memorizer is used for storing executable program code;Processor is by reading in memorizer
The executable program code of storage runs the program corresponding with executable program code, is used for performing aforementioned
The processing method of the hiding pop-up window described in.
The processing method of a kind of hiding pop-up window, device and the electronic equipment that the embodiment of the present invention provides,
When detecting that software process calls disabling or enables the behavior of window function function, obtain described software and enter
Journey is called disabling or enables feature index No. the first incoming during window function function, it is judged that described first merit
Energy call number is the most identical with feature index No. the second of the hiding corresponding kernel of pop-up window power function, if
Differ, then call disabling or enable window function function and perform corresponding with described feature index No. first
Operation, otherwise judges whether described software process is malicious software process, if then refusal is hidden ejecting
Formula window operation, otherwise calls disabling or enables window function function execution hiding pop-up window operation.With
Prior art is compared, and the present invention can be by the way of hook disables or enable window function function, in disabling
Or before enabling the execution of window function function, malicious software process is hidden pop-up window by the way of kernel
Behavior intercept, prevent Malware from hiding pop-up window, thus effectively protect security of system.
Accompanying drawing explanation
In order to be illustrated more clearly that the embodiment of the present invention or technical scheme of the prior art, below will be to enforcement
In example or description of the prior art, the required accompanying drawing used is briefly described, it should be apparent that, describe below
In accompanying drawing be only some embodiments of the present invention, for those of ordinary skill in the art, do not paying
On the premise of going out creative work, it is also possible to obtain other accompanying drawing according to these accompanying drawings.
Fig. 1 is the flow chart that the present invention hides the processing method embodiment one of pop-up window;
Fig. 2 is the flow chart that the present invention hides the processing method embodiment two of pop-up window;
Fig. 3 is the structural representation that the present invention hides the processing means embodiment one of pop-up window;
Fig. 4 is the structural representation that the present invention hides the processing means embodiment two of pop-up window;
Fig. 5 is the structural representation of electronic equipment embodiment of the present invention.
Detailed description of the invention
Below in conjunction with the accompanying drawings the embodiment of the present invention is described in detail.
It will be appreciated that described embodiment be only the present invention a part of embodiment rather than whole realities
Execute example.Based on the embodiment in the present invention, those of ordinary skill in the art are not before making creative work
Put all other embodiments obtained, broadly fall into the scope of protection of the invention.
In following various embodiments of the present invention, NtUserCallHwndParamLock function is for disabling or enables window
Mouth power function, ShowOwnedPopups function is for hiding pop-up window power function.
Fig. 1 is the flow chart that the present invention hides the processing method embodiment one of pop-up window, as it is shown in figure 1,
The method of the present embodiment may include that
Step S11, inspection software process call the behavior of NtUserCallHwndParamLock function.
In the present embodiment, NtUserCallHwndParamLock function is a public function of inner nuclear layer, very
The function of the function correspondence kernel of many application layers is all this NtUserCallHwndParamLock function.
Step S12, when detecting that software process calls the behavior of NtUserCallHwndParamLock function
Time, obtain described software process and call the first merit incoming during NtUserCallHwndParamLock function
Can call number.
In the present embodiment, software process, can be inwardly when calling NtUserCallHwndParamLock function
The incoming feature index No. first of stratum nucleare.
Specifically, aforesaid operations can be realized by Hook Function, this Hook Function with
NtUserCallHwndParamLock function is linked up with, when having detected that software process calls
During NtUserCallHwndParamLock function, perform NtUserCallHwndParamLock function it
Before, this Hook Function obtains feature index No. the first of the incoming inner nuclear layer of software process.
Step S13, judge described feature index No. first kernel corresponding with ShowOwnedPopups function
Feature index No. second is the most identical, if differing, then performs step S14, otherwise performs step S15.
In the present embodiment, described ShowOwnedPopups function is application layer function, the second of corresponding kernel
Feature index number is different under different systems.Specifically, described ShowOwnedPopups function pair
The feature index No. the second answering kernel is 98 under XP system, is 100, at Win8 under Win7 system
It is 107 under system, is 111 under Win8.1 system, be 118 under Win10 system.
Specifically, the process of step S13 can be realized by the Hook Function in step S12.
Step S14, call NtUserCallHwndParamLock function perform with described feature index No. first
Corresponding operation.
In the present embodiment, if described feature index No. first kernel corresponding with ShowOwnedPopups function
Feature index No. second differs, and shows that the operation that described software process is corresponding is not to hide pop-up window,
Then can perform described software process.
Step S15, judge whether described software process is malicious software process, if described software process is malice
Software process, then perform step S16, otherwise perform step S17.
In the present embodiment, Malware refers to perform the malice virus of task, anthelmintic and Troy wood in system
The program of horse, implements to control to system by destroying software process.
Specifically, the process of step S17 can be realized by the Hook Function in step S12.
Step S16, refusal are hidden pop-up window operation.
In the present embodiment, if described software process is malicious software process, then perform to hide pop-up window behaviour
Security of system may be damaged by work, it is therefore desirable to intercepts the operation of this hiding pop-up window,
Terminate this operation.
Specifically, the process of step S17 can be realized by the Hook Function in step S12.
Step S17, call NtUserCallHwndParamLock function perform hide pop-up window operation.
In the present embodiment, if described software process is not malicious software process, then show that this software process is corresponding
Hiding pop-up window operation be normal operating, can allow this hiding pop-up window operation carry out.
Specifically, the process of step S17 can be realized by the Hook Function in step S12.
The present embodiment, when detecting that software process calls the row of NtUserCallHwndParamLock function
For time, obtain described software process and call during NtUserCallHwndParamLock function incoming first
Feature index number, it is judged that the of described feature index No. first kernel corresponding with ShowOwnedPopups function
Feature indexs No. two are the most identical, if differing, then call NtUserCallHwndParamLock function and hold
The operation that row is corresponding with described feature index No. first, otherwise judges whether described software process is that malice is soft
Part process, if then refusal is hidden pop-up window operation, otherwise calls
NtUserCallHwndParamLock function performs to hide pop-up window operation.Compared with prior art, originally
Invention can by hook NtUserCallHwndParamLock function by the way of,
Malicious software process is hidden before performing by the way of kernel by NtUserCallHwndParamLock function
The behavior of pop-up window intercepts, and prevents Malware from hiding pop-up window, thus effectively protects system
System safety.
Fig. 2 is the flow chart that the present invention hides the processing method embodiment two of pop-up window, as in figure 2 it is shown,
The method of the present embodiment may include that
Step S21, set up feature database, the characteristic information of the malicious software process got is stored in described spy
Levy in storehouse.
In the present embodiment, feature database can be set up according to the malicious software process that fail-safe software in system monitors,
The characteristic information of the malicious software process monitored is stored in described feature database, or, user is permissible
Manually add in the characteristic information extremely described feature database of malicious software process.Wherein, the feature letter of software process
Breath can be characterized code, and each software process has unique condition code.
Further, it is also possible to according to the real-time monitoring situation of fail-safe software, described feature database is updated.
Step S22, inspection software process call the behavior of NtUserCallHwndParamLock function.
In the present embodiment, inspection software process calls the behavior of NtUserCallHwndParamLock function
Process is similar with step S11 of said method embodiment, and here is omitted.
Step S23, when detecting that software process calls the behavior of NtUserCallHwndParamLock function
Time, obtain described software process and call the first merit incoming during NtUserCallHwndParamLock function
Can call number.
In the present embodiment, obtain described software process and call NtUserCallHwndParamLock function time institute
The process of the first incoming feature index number is similar with step S12 of said method embodiment, the most superfluous
State.
Step S24, judge described feature index No. first kernel corresponding with ShowOwnedPopups function
Feature index No. second is the most identical, if differing, then performs step S25, otherwise performs step S26 and step
Rapid S27.
In the present embodiment, it is judged that described feature index No. first kernel corresponding with ShowOwnedPopups function
The most identical process of feature index No. the second similar with step S13 of said method embodiment, the most not
Repeat again.
Step S25, call NtUserCallHwndParamLock function perform with described feature index No. first
Corresponding operation.
In the present embodiment, call NtUserCallHwndParamLock function and perform and described first function rope
The process of the operation that quotation marks are corresponding is similar with step S14 of said method embodiment, and here is omitted.
Step S26, obtain the characteristic information of described software process.
In the present embodiment, the characteristic information of described software process can be characterized code, and each software process has
Unique condition code.
Specifically, the process of step S26 can be realized by the Hook Function in step S12.
Step S27, in storage has the feature database of malicious software process characteristic information, inquire about described software process
Characteristic information, if the characteristic information of described software process can be inquired, then judges that described software process is as malice
Software process, performs step S28, otherwise judges that described software process is not malicious software process, performs step
S29。
In the present embodiment, Malware refers to perform the malice virus of task, anthelmintic and Troy wood in system
The program of horse, implements to control to system by destroying software process.
Specifically, the process of step S27 can be realized by the Hook Function in step S12.
Step S28, refusal are hidden pop-up window operation.
In the present embodiment, refusal is hidden process and the step of said method embodiment of pop-up window operation
Rapid S16 is similar to, and here is omitted.
Step S29, call NtUserCallHwndParamLock function perform hide pop-up window operation.
In the present embodiment, call NtUserCallHwndParamLock function and perform to hide pop-up window behaviour
The process made is similar with step S17 of said method embodiment, and here is omitted.
The present embodiment, when detecting that software process calls the row of NtUserCallHwndParamLock function
For time, obtain described software process and call during NtUserCallHwndParamLock function incoming first
Feature index number, it is judged that the of described feature index No. first kernel corresponding with ShowOwnedPopups function
Feature indexs No. two are the most identical, if differing, then call NtUserCallHwndParamLock function and hold
The operation that row is corresponding with described feature index No. first, otherwise has malicious software process characteristic information in storage
Feature database in inquire about the characteristic information of described software process to judge that whether described software process is as Malware
Process, if then refusal is hidden pop-up window operation, otherwise calls
NtUserCallHwndParamLock function performs to hide pop-up window operation.Compared with prior art, originally
Invention can by hook NtUserCallHwndParamLock function by the way of,
Malicious software process is hidden before performing by the way of kernel by NtUserCallHwndParamLock function
The behavior of pop-up window intercepts, and prevents Malware from hiding pop-up window, thus effectively protects system
System safety.
Fig. 3 is the structural representation that the present invention hides the processing means embodiment one of pop-up window, such as Fig. 3
Shown in, the device of the present embodiment may include that detector unit 11, acquiring unit the 12, first judging unit 13,
First processing unit the 14, second judging unit the 15, second processing unit the 16, the 3rd processing unit 17, its
In, detector unit 11, the row of NtUserCallHwndParamLock function is called for inspection software process
For;When described detector unit 11, acquiring unit 12, for having detected that software process calls
During the behavior of NtUserCallHwndParamLock function, obtain described software process and call
Feature index No. the first incoming during NtUserCallHwndParamLock function;First judging unit 13,
For judging the second function rope of described feature index No. first kernel corresponding with ShowOwnedPopups function
Quotation marks are the most identical;First processing unit 14, is used for when the judged result of described first judging unit 13 is not
Time identical, call NtUserCallHwndParamLock function and perform relative with described feature index No. first
The operation answered;Second judging unit 15, is used for when the judged result of described first judging unit 13 is identical,
Judge whether described software process is malicious software process;Second processing unit 16, is used for when described second sentences
When disconnected unit 15 judges described software process as malicious software process, refusal is hidden pop-up window operation;
When described second judging unit 15,3rd processing unit 17, for judging that described software process is not Malware
During process, call NtUserCallHwndParamLock function and perform to hide pop-up window operation.
The device of the present embodiment, may be used for performing the technical scheme of embodiment of the method shown in Fig. 1, and it realizes
Principle is similar with technique effect, and here is omitted.
Further, feature index No. the second of described ShowOwnedPopups function correspondence kernel is in difference
System under different.
Further, feature index No. the second of described ShowOwnedPopups function correspondence kernel is at XP
Under system 98, it is 100 under Win7 system, is 107 under Win8 system, under Win8.1 system is
111, it is 118 under Win10 system.
Fig. 4 is the structural representation that the present invention hides the processing means embodiment two of pop-up window, such as Fig. 4
Shown in, the device of the present embodiment is on the basis of Fig. 3 shown device structure, and further, described second sentences
Disconnected unit 15 includes:
Obtain subelement 151, for obtaining the characteristic information of described software process;
Inquiry subelement 152, for there being inquiry in the feature database of malicious software process characteristic information described in storage
The characteristic information of software process;
Judgment sub-unit 153, for inquiring the feature of described software process when described inquiry subelement 152
During information, it is determined that described software process is malicious software process, otherwise judge that described software process is not malice
Software process.
Further, described device also includes:
Set up unit 18, for calling in described detector unit 11 inspection software process
Before the behavior of NtUserCallHwndParamLock function, set up feature database, the Malware that will get
The characteristic information of process is stored in described feature database.
The device of the present embodiment, may be used for performing the technical scheme of embodiment of the method shown in Fig. 1 or Fig. 2,
It is similar with technique effect that it realizes principle, and here is omitted.
It should be noted that in this article, the relational terms of such as first and second or the like be used merely to by
One entity or operation separate with another entity or operating space, and not necessarily require or imply these
Relation or the order of any this reality is there is between entity or operation.And, term " includes ", " bag
Contain " or its any other variant be intended to comprising of nonexcludability, so that include a series of key element
Process, method, article or equipment not only include those key elements, but also include being not expressly set out
Other key elements, or also include the key element intrinsic for this process, method, article or equipment.?
In the case of there is no more restriction, statement " including ... " key element limited, it is not excluded that at bag
Include and the process of described key element, method, article or equipment there is also other identical element.
Each embodiment in this specification all uses relevant mode to describe, phase homophase between each embodiment
As part see mutually, what each embodiment stressed is the difference with other embodiments.
For device embodiment, owing to it is substantially similar to embodiment of the method, so describe
Fairly simple, relevant part sees the part of embodiment of the method and illustrates.
Represent in flow charts or the logic described otherwise above at this and/or step, for example, it is possible to recognized
For being the sequencing list of executable instruction for realizing logic function, may be embodied in any computer
In computer-readable recording medium, (such as computer based system, include place for instruction execution system, device or equipment
The reason system of device or other can be from instruction execution system, device or equipment instruction fetch the system performing instruction)
Use, or combine these instruction execution systems, device or equipment and use.For the purpose of this specification, " calculate
Machine computer-readable recording medium " can be any can to comprise, store, communicate, propagate or transmission procedure is held for instruction
Row system, device or equipment or combine these instruction execution systems, device or equipment and the device that uses.Meter
The more specifically example (non-exhaustive list) of calculation machine computer-readable recording medium includes following: have one or more cloth
The electrical connection section (electronic installation) of line, portable computer diskette box (magnetic device), random access memory
(RAM), read only memory (ROM), erasable edit read only memory (EPROM or flash are deposited
Reservoir), fiber device, and portable optic disk read only memory (CDROM).It addition, computer-readable
Medium can even is that paper or other the suitable media that can print described program thereon, because can be such as
By paper or other media are carried out optical scanning, then carry out editing, interpreting or suitable with other if desired
Mode is processed to electronically obtain described program, is then stored in computer storage.
Should be appreciated that each several part of the present invention can realize by hardware, software, firmware or combinations thereof.
In the above-described embodiment, multiple steps or method can be with storing in memory and by suitably referring to
Software that execution system performs or firmware is made to realize.Such as, if realized with hardware and real at another
As executing in mode, can realize by any one in following technology well known in the art or their combination:
There is the discrete logic of logic gates for data signal realizes logic function, have suitably
The special IC of combination logic gate circuit, programmable gate array (PGA), field programmable gate array
(FPGA) etc..
The embodiment of the present invention also provides for a kind of electronic equipment, and described electronic equipment comprises aforementioned arbitrary enforcement
Device described in example.
Fig. 5 is the structural representation of electronic equipment embodiment of the present invention, it is possible to achieve Fig. 1 or Fig. 2 of the present invention
The flow process of illustrated embodiment, as it is shown in figure 5, above-mentioned electronic equipment may include that housing 31, processor 32,
Memorizer 33, circuit board 34 and power circuit 35, wherein, circuit board 34 is placed in what housing 31 surrounded
Interior volume, processor 32 and memorizer 33 are arranged on circuit board 34;Power circuit 35, for for
Each circuit or the device of stating electronic equipment are powered;Memorizer 33 is used for storing executable program code;Process
Device 32 runs and executable program code pair by reading the executable program code of storage in memorizer 33
The program answered, for performing the processing method of aforementioned arbitrary described hiding pop-up window.
Processor 32 to concrete process and the processor 32 of performing of above-mentioned steps by running executable program
The step that code performs further, may refer to the description of Fig. 1 of the present invention or embodiment illustrated in fig. 2,
This repeats no more.
This electronic equipment exists in a variety of forms, includes but not limited to:
(1) mobile communication equipment: the feature of this kind equipment is to possess mobile communication function, and with provide speech,
Data communication is main target.This Terminal Type includes: smart mobile phone (such as iPhone), multimedia handset,
Functional mobile phone, and low-end mobile phone etc..
(2) super mobile personal computer equipment: this kind equipment belongs to the category of personal computer, has calculating and place
Reason function, the most also possesses mobile Internet access characteristic.This Terminal Type includes: PDA, MID and UMPC set
Standby etc., such as iPad.
(3) portable entertainment device: this kind equipment can show and play content of multimedia.This kind equipment includes:
Audio frequency, video player (such as iPod), handheld device, e-book, and intelligent toy and portable
In-vehicle navigation apparatus.
(4) server: provide calculate service equipment, the composition of server include processor, hard disk, internal memory,
System bus etc., server is similar with general computer architecture, but owing to needing to provide highly reliable clothes
Business, therefore at aspects such as disposal ability, stability, reliability, safety, extensibility, manageabilitys
Require higher.
(5) other have the electronic equipment of data interaction function.
Those skilled in the art are appreciated that and realize the whole or portion that above-described embodiment method is carried
The program that can be by step by step completes to instruct relevant hardware, and described program can be stored in a kind of meter
In calculation machine readable storage medium storing program for executing, this program upon execution, including one or a combination set of the step of embodiment of the method.
For convenience of description, describing apparatus above is to be divided into various units/modules to be respectively described with function.When
So, can be the function of each unit/module in same or multiple softwares and/or hardware when implementing the present invention
Realize.
As seen through the above description of the embodiments, those skilled in the art is it can be understood that arrive this
Invention can add the mode of required general hardware platform by software and realize.Based on such understanding, this
The part that prior art is contributed by bright technical scheme the most in other words can be with the form of software product
Embodying, this computer software product can be stored in storage medium, as ROM/RAM, magnetic disc,
CD etc., including some instructions with so that computer equipment (can be personal computer, server,
Or the network equipment etc.) perform each embodiment of the present invention or the method described in some part of embodiment.
Claims (9)
1. the processing method of a hiding pop-up window, it is characterised in that including:
Inspection software process is called disabling or enables the behavior of window function function;
When detecting that software process calls disabling or enables the behavior of window function function, obtain described soft
Part process is called disabling or enables feature index No. the first incoming during window function function;
Judge the second function of described feature index No. first and the hiding corresponding kernel of pop-up window power function
Call number is the most identical;
If differing, then call disabling or enable the execution of window function function and described first feature index phase
Corresponding operation, otherwise judges whether described software process is malicious software process;
If described software process is malicious software process, then refusal is hidden pop-up window operation, otherwise
Call disabling or enable window function function execution hiding pop-up window operation.
The processing method of hiding pop-up window the most according to claim 1, it is characterised in that described
Hide pop-up window power function correspondence kernel feature index No. the second under different systems the most not
With.
The processing method of hiding pop-up window the most according to claim 1, it is characterised in that described
Judge whether described software process is that malicious software process includes:
Obtain the characteristic information of described software process;
The feature letter of described software process is inquired about in storage has the feature database of malicious software process characteristic information
Breath;
If the characteristic information of described software process can be inquired, then judge that described software process enters as Malware
Journey, otherwise judges that described software process is not malicious software process.
The processing method of hiding pop-up window the most according to claim 3, it is characterised in that in institute
State inspection software process call disabling or enable window function function behavior before, described method also includes:
Set up feature database, the characteristic information of the malicious software process got is stored in described feature database.
5. the processing means of a hiding pop-up window, it is characterised in that including:
Detector unit, calls disabling for inspection software process or enables the behavior of window function function;
When described detector unit, acquiring unit, for having detected that software process calls disabling or enables window merit
Can the behavior of function time, obtain described software process and call disabling or enable during window function function incoming
Feature index No. first;
First judging unit, is used for judging described feature index No. first and hiding pop-up window power function
Feature index No. second of corresponding kernel is the most identical;
First processing unit, for when the judged result of described first judging unit is for differing, calls taboo
With or enable window function function and perform the operation corresponding with described feature index No. first;
Second judging unit, for when the judged result of described first judging unit is identical, it is judged that described
Whether software process is malicious software process;
When described second judging unit, second processing unit, for judging that described software process enters as Malware
Cheng Shi, refusal is hidden pop-up window operation;
When described second judging unit, 3rd processing unit, for judging that described software process is not Malware
During process, call disabling or enable window function function execution hiding pop-up window operation.
The processing means of hiding pop-up window the most according to claim 5, it is characterised in that described
Hide pop-up window power function correspondence kernel feature index No. the second under different systems the most not
With.
The processing means of hiding pop-up window the most according to claim 5, it is characterised in that described
Second judging unit includes:
Obtain subelement, for obtaining the characteristic information of described software process;
Inquiry subelement is described soft for inquiring about in storing the feature database having malicious software process characteristic information
The characteristic information of part process;
Judgment sub-unit, is used for when described inquiry subelement can inquire the characteristic information of described software process,
Judge that described software process, as malicious software process, otherwise judges that described software process is not malicious software process.
The processing means of hiding pop-up window the most according to claim 7, it is characterised in that described
Device also includes:
Set up unit, for calling disabling in described detector unit inspection software process or enabling window function letter
Before the behavior of number, set up feature database, the characteristic information of the malicious software process got is stored in described
In feature database.
9. an electronic equipment, it is characterised in that described electronic equipment includes: housing, processor, storage
Device, circuit board and power circuit, wherein, circuit board is placed in the interior volume that housing surrounds, processor and
Memorizer is arranged on circuit boards;Power circuit, for supplying for each circuit of above-mentioned electronic equipment or device
Electricity;Memorizer is used for storing executable program code;Processor is by performing of storing in reading memorizer
Program code runs the program corresponding with executable program code, is used for performing aforementioned any claim 1-4
The processing method of described hiding pop-up window.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610552211.5A CN106022111B (en) | 2016-07-13 | 2016-07-13 | Processing method and device for hiding pop-up window and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610552211.5A CN106022111B (en) | 2016-07-13 | 2016-07-13 | Processing method and device for hiding pop-up window and electronic equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106022111A true CN106022111A (en) | 2016-10-12 |
| CN106022111B CN106022111B (en) | 2019-01-22 |
Family
ID=57118074
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610552211.5A Active CN106022111B (en) | 2016-07-13 | 2016-07-13 | Processing method and device for hiding pop-up window and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106022111B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110309647A (en) * | 2019-06-28 | 2019-10-08 | 北京金山安全软件有限公司 | Processing method and device for application program, electronic equipment and storage medium |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101996072A (en) * | 2009-08-21 | 2011-03-30 | 联想(北京)有限公司 | Window management method and computer of operating system |
| CN102394859A (en) * | 2011-07-27 | 2012-03-28 | 哈尔滨安天科技股份有限公司 | Method and system for detecting file stealing Trojan based on thread behavior |
| CN102999725A (en) * | 2012-12-13 | 2013-03-27 | 北京奇虎科技有限公司 | Malicious code processing method and malicious code processing system |
| CN103294941A (en) * | 2012-02-22 | 2013-09-11 | 腾讯科技(深圳)有限公司 | Method for accessing private space and mobile device |
| TW201415280A (en) * | 2012-08-31 | 2014-04-16 | Cloud Cover Safety Inc | A method and service for securing a system networked to a cloud computing environment from malicious code attacks |
| CN105373383A (en) * | 2015-11-13 | 2016-03-02 | 珠海市君天电子科技有限公司 | Display and hiding control method and device for application program window |
| CN105447348A (en) * | 2015-11-13 | 2016-03-30 | 珠海市君天电子科技有限公司 | Display window hiding method and device and user terminal |
-
2016
- 2016-07-13 CN CN201610552211.5A patent/CN106022111B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101996072A (en) * | 2009-08-21 | 2011-03-30 | 联想(北京)有限公司 | Window management method and computer of operating system |
| CN102394859A (en) * | 2011-07-27 | 2012-03-28 | 哈尔滨安天科技股份有限公司 | Method and system for detecting file stealing Trojan based on thread behavior |
| CN103294941A (en) * | 2012-02-22 | 2013-09-11 | 腾讯科技(深圳)有限公司 | Method for accessing private space and mobile device |
| TW201415280A (en) * | 2012-08-31 | 2014-04-16 | Cloud Cover Safety Inc | A method and service for securing a system networked to a cloud computing environment from malicious code attacks |
| CN102999725A (en) * | 2012-12-13 | 2013-03-27 | 北京奇虎科技有限公司 | Malicious code processing method and malicious code processing system |
| CN105373383A (en) * | 2015-11-13 | 2016-03-02 | 珠海市君天电子科技有限公司 | Display and hiding control method and device for application program window |
| CN105447348A (en) * | 2015-11-13 | 2016-03-30 | 珠海市君天电子科技有限公司 | Display window hiding method and device and user terminal |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110309647A (en) * | 2019-06-28 | 2019-10-08 | 北京金山安全软件有限公司 | Processing method and device for application program, electronic equipment and storage medium |
| CN110309647B (en) * | 2019-06-28 | 2022-02-25 | 北京乐蜜科技有限责任公司 | Processing method and device for application program, electronic equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106022111B (en) | 2019-01-22 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9183383B1 (en) | System and method of limiting the operation of trusted applications in presence of suspicious programs | |
| CN106156619A (en) | Application safety means of defence and device | |
| CN106203092A (en) | Method and device for intercepting shutdown of malicious program and electronic equipment | |
| CN106169047A (en) | Method and device for opening monitoring camera and electronic equipment | |
| CN106201468A (en) | Screen capture processing method and device and electronic equipment | |
| CN104361285B (en) | The safety detection method and device of mobile device application program | |
| CN104506495A (en) | Intelligent network APT attack threat analysis method | |
| CN114065204A (en) | File-free Trojan horse searching and killing method and device | |
| CN106126291A (en) | Method and device for deleting malicious file and electronic equipment | |
| CN106203077A (en) | Processing method and device for copy information and electronic equipment | |
| CN106203119A (en) | Processing method and device for hiding cursor and electronic equipment | |
| CN108334404A (en) | The operation method and device of application program | |
| CN106127034B (en) | A kind of method, apparatus that anti-locking system is maliciously closed and electronic equipment | |
| CN106682493A (en) | Method and device for preventing process from being maliciously ended and electronic equipment | |
| CN106022117A (en) | Method and device for preventing system environment variable from being modified and electronic equipment | |
| CN106022120A (en) | File monitoring processing method and device and electronic equipment | |
| CN111314370B (en) | Method and device for detecting service vulnerability attack behavior | |
| CN106203114A (en) | Application program protection method and device and electronic equipment | |
| CN106022111A (en) | Processing method and device for hiding pop-up window and electronic equipment | |
| CN106203115A (en) | Application program protection method and device and electronic equipment | |
| CN106022109A (en) | Method and device for preventing thread from being suspended and electronic equipment | |
| CN106203189A (en) | Equipment data acquisition method and device and terminal equipment | |
| CN106127051A (en) | Method and device for preventing mouse from being maliciously captured and electronic equipment | |
| CN103034806B (en) | Process method and the terminal of operation | |
| CN106201032B (en) | Modify processing method, device and the electronic equipment of double click interval time |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20190124 Address after: 519031 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province Patentee after: Zhuhai Leopard Technology Co.,Ltd. Address before: 100085 East District, No. 33 Xiaoying West Road, Haidian District, Beijing Patentee before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd. |
|
| TR01 | Transfer of patent right |