CN106022111B - Processing method and device for hiding pop-up window and electronic equipment - Google Patents


Publication number: CN106022111B
Authority: CN (China)
Prior art keywords: software process, function, window, pop, disabling
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201610552211.5A
Other languages: Chinese (zh)
Other versions: CN106022111A (en)
Inventor: 杨峰
Current Assignee: Zhuhai Baoqu Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Beijing Kingsoft Internet Security Software Co Ltd
Application filed by: Beijing Kingsoft Internet Security Software Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The invention discloses a processing method and device for hiding pop-up windows and electronic equipment, which address the problem that the prior art cannot prevent malicious software from hiding pop-up windows, so that system security cannot be effectively protected. The method comprises the following steps: detecting the behavior of a software process calling the disable-or-enable window function; when such a call is detected, obtaining the first function index number passed in when the software process calls the disable-or-enable window function; judging whether the first function index number is the same as the second function index number of the kernel corresponding to the hide pop-up window function; if not, calling the disable-or-enable window function to execute the operation corresponding to the first function index number, otherwise judging whether the software process is a malicious software process; and if the software process is a malicious software process, refusing to perform the hide pop-up window operation, otherwise calling the disable-or-enable window function to execute the hide pop-up window operation. The method and the device are suitable for processing operations that hide pop-up windows.

Description

Processing method and device for hiding pop-up window and electronic equipment
Technical field
The present invention relates to the technical field of system security, and in particular to a processing method and device for hiding pop-up windows and electronic equipment.
Background art
In a computer system, the ShowOwnedPopups function is provided to show or hide all pop-up windows owned by a specified window. A malicious program can attack security software by hiding its windows, which interrupts the security software's message-passing processing and disables its defense functions, so that the malicious program can harm the computer system.
At present, to prevent pop-up windows from being hidden maliciously, the usual approach is to hook the application-layer ShowOwnedPopups function. The system kernel function corresponding to ShowOwnedPopups is NtUserCallHwndParamLock. NtUserCallHwndParamLock is a common function: many application-layer functions correspond to it in the kernel, and it uses a function index number to distinguish between the different application-layer functions. A malicious program can call the kernel's NtUserCallHwndParamLock function and pass in the corresponding function index number to hide all pop-up windows of a specified window; in this way the malicious program can damage the computer system environment.
Therefore, existing methods for handling the hiding of pop-up windows cannot prevent malware from hiding pop-up windows, so system security cannot be effectively protected.
Summary of the invention
In view of this, embodiments of the present invention provide a processing method and device for hiding pop-up windows and electronic equipment, which can prevent malware from hiding pop-up windows and thereby effectively protect system security.
In a first aspect, an embodiment of the present invention provides a processing method for hiding pop-up windows, comprising:
detecting the behavior of a software process calling the disable-or-enable window function;
when the behavior of a software process calling the disable-or-enable window function is detected, obtaining the first function index number passed in when the software process calls the disable-or-enable window function;
judging whether the first function index number is the same as the second function index number of the kernel corresponding to the hide pop-up window function;
if they are not the same, calling the disable-or-enable window function to execute the operation corresponding to the first function index number; otherwise, judging whether the software process is a malicious software process;
if the software process is a malicious software process, refusing to perform the hide pop-up window operation; otherwise, calling the disable-or-enable window function to execute the hide pop-up window operation.
With reference to the first aspect, in a first embodiment of the first aspect, the second function index number of the kernel corresponding to the hide pop-up window function differs between systems.
With reference to the first aspect, in a second embodiment of the first aspect, judging whether the software process is a malicious software process includes:
obtaining the feature information of the software process;
querying the feature information of the software process in a feature database that stores feature information of malicious software processes;
if the feature information of the software process is found, determining that the software process is a malicious software process; otherwise, determining that the software process is not a malicious software process.
With reference to the second embodiment of the first aspect, in a third embodiment of the first aspect, before detecting the behavior of a software process calling the disable-or-enable window function, the method further includes:
establishing the feature database, and storing the obtained feature information of malicious software processes in the feature database.
In a second aspect, an embodiment of the present invention provides a processing device for hiding pop-up windows, comprising:
a detection unit, configured to detect the behavior of a software process calling the disable-or-enable window function;
an acquiring unit, configured to obtain, when the detection unit detects the behavior of a software process calling the disable-or-enable window function, the first function index number passed in when the software process calls the disable-or-enable window function;
a first judging unit, configured to judge whether the first function index number is the same as the second function index number of the kernel corresponding to the hide pop-up window function;
a first processing unit, configured to call the disable-or-enable window function to execute the operation corresponding to the first function index number when the judging result of the first judging unit is "not the same";
a second judging unit, configured to judge whether the software process is a malicious software process when the judging result of the first judging unit is "the same";
a second processing unit, configured to refuse to perform the hide pop-up window operation when the second judging unit determines that the software process is a malicious software process;
a third processing unit, configured to call the disable-or-enable window function to execute the hide pop-up window operation when the second judging unit determines that the software process is not a malicious software process.
With reference to the second aspect, in a first embodiment of the second aspect, the second function index number of the kernel corresponding to the hide pop-up window function differs between systems.
With reference to the second aspect, in a second embodiment of the second aspect, the second judging unit includes:
an obtaining subunit, configured to obtain the feature information of the software process;
a query subunit, configured to query the feature information of the software process in a feature database that stores feature information of malicious software processes;
a judging subunit, configured to determine that the software process is a malicious software process when the query subunit finds the feature information of the software process, and otherwise to determine that the software process is not a malicious software process.
With reference to the second embodiment of the second aspect, in a third embodiment of the second aspect, the device further includes:
an establishing unit, configured to establish the feature database before the detection unit detects the behavior of a software process calling the disable-or-enable window function, and to store the obtained feature information of malicious software processes in the feature database.
In a third aspect, an embodiment of the present invention provides electronic equipment comprising a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic equipment; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, in order to execute any of the aforementioned processing methods for hiding pop-up windows.
In the processing method and device for hiding pop-up windows and the electronic equipment provided by the embodiments of the present invention, when the behavior of a software process calling the disable-or-enable window function is detected, the first function index number passed in when the software process calls the function is obtained, and it is judged whether the first function index number is the same as the second function index number of the kernel corresponding to the hide pop-up window function. If they are not the same, the disable-or-enable window function is called to execute the operation corresponding to the first function index number; otherwise, it is judged whether the software process is a malicious software process. If it is, the hide pop-up window operation is refused; otherwise, the disable-or-enable window function is called to execute the hide pop-up window operation. Compared with the prior art, by hooking the disable-or-enable window function, the present invention can intercept, before that function executes, a malicious software process's attempt to hide pop-up windows through the kernel, preventing malware from hiding pop-up windows and thereby effectively protecting system security.
Brief description of the drawings
In order to explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of embodiment one of the processing method for hiding pop-up windows of the present invention;
Fig. 2 is a flow chart of embodiment two of the processing method for hiding pop-up windows of the present invention;
Fig. 3 is a structural schematic diagram of embodiment one of the processing device for hiding pop-up windows of the present invention;
Fig. 4 is a structural schematic diagram of embodiment two of the processing device for hiding pop-up windows of the present invention;
Fig. 5 is a structural schematic diagram of an embodiment of the electronic equipment of the present invention.
Detailed description of the embodiments
The embodiments of the present invention are described in detail below with reference to the drawings.
It should be understood that the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In the following embodiments of the present invention, the NtUserCallHwndParamLock function is the disable-or-enable window function, and the ShowOwnedPopups function is the hide pop-up window function.
Fig. 1 is a flow chart of embodiment one of the processing method for hiding pop-up windows of the present invention. As shown in Fig. 1, the method of this embodiment may include:
Step S11: detect the behavior of a software process calling the NtUserCallHwndParamLock function.
In this embodiment, NtUserCallHwndParamLock is a common function of the kernel layer; many application-layer functions correspond to the NtUserCallHwndParamLock function in the kernel.
Step S12: when the behavior of a software process calling the NtUserCallHwndParamLock function is detected, obtain the first function index number passed in when the software process calls the NtUserCallHwndParamLock function.
In this embodiment, when a software process calls the NtUserCallHwndParamLock function, it passes the first function index number to the kernel layer.
Specifically, the above operations can be implemented by a hook function attached to the NtUserCallHwndParamLock function. When a software process is detected calling the NtUserCallHwndParamLock function, the hook function obtains the first function index number that the software process passes to the kernel layer before the NtUserCallHwndParamLock function is executed.
Step S13: judge whether the first function index number is the same as the second function index number of the kernel corresponding to the ShowOwnedPopups function; if they are not the same, execute step S14; otherwise execute step S15.
In this embodiment, ShowOwnedPopups is an application-layer function, and the second function index number of its corresponding kernel function differs between systems. Specifically, the second function index number of the kernel corresponding to the ShowOwnedPopups function is 98 under the XP system, 100 under the Win7 system, 107 under the Win8 system, 111 under the Win8.1 system, and 118 under the Win10 system.
Specifically, the process of step S13 can be implemented by the hook function in step S12.
Step S14: call the NtUserCallHwndParamLock function to execute the operation corresponding to the first function index number.
In this embodiment, if the first function index number is not the same as the second function index number of the kernel corresponding to the ShowOwnedPopups function, the operation requested by the software process is not hiding pop-up windows, so the software process can be allowed to execute.
Step S15: judge whether the software process is a malicious software process; if the software process is a malicious software process, execute step S16; otherwise execute step S17.
In this embodiment, malware refers to programs such as viruses, worms and Trojan horses that perform malicious tasks on a system, and takes control of the system by subverting software processes.
Specifically, the process of step S17 can be implemented by the hook function in step S12.
Step S16: refuse to perform the hide pop-up window operation.
In this embodiment, if the software process is a malicious software process, performing the hide pop-up window operation may compromise system security, so the hide pop-up window operation needs to be intercepted and terminated.
Specifically, the process of step S17 can be implemented by the hook function in step S12.
Step S17: call the NtUserCallHwndParamLock function to execute the hide pop-up window operation.
In this embodiment, if the software process is not a malicious software process, the hide pop-up window operation requested by the software process is a normal operation and can be allowed to proceed.
Specifically, the process of step S17 can be implemented by the hook function in step S12.
In this embodiment, when the behavior of a software process calling the NtUserCallHwndParamLock function is detected, the first function index number passed in when the software process calls the NtUserCallHwndParamLock function is obtained, and it is judged whether the first function index number is the same as the second function index number of the kernel corresponding to the ShowOwnedPopups function. If they are not the same, the NtUserCallHwndParamLock function is called to execute the operation corresponding to the first function index number; otherwise it is judged whether the software process is a malicious software process. If it is, the hide pop-up window operation is refused; otherwise the NtUserCallHwndParamLock function is called to execute the hide pop-up window operation. Compared with the prior art, by hooking the NtUserCallHwndParamLock function, the present invention can intercept, before the NtUserCallHwndParamLock function executes, a malicious software process's attempt to hide pop-up windows through the kernel, preventing malware from hiding pop-up windows and thereby effectively protecting system security.
Fig. 2 is a flow chart of embodiment two of the processing method for hiding pop-up windows of the present invention. As shown in Fig. 2, the method of this embodiment may include:
Step S21: establish a feature database, and store the obtained feature information of malicious software processes in the feature database.
In this embodiment, the feature database can be built from the malicious software processes detected by the security software in the system, with the feature information of the detected malicious software processes stored in the feature database; alternatively, the user can manually add the feature information of malicious software processes to the feature database. The feature information of a software process may be a feature code, and each software process has a unique feature code.
Further, the feature database can also be updated according to the real-time monitoring results of the security software.
Step S22: detect the behavior of a software process calling the NtUserCallHwndParamLock function.
In this embodiment, the process of detecting the behavior of a software process calling the NtUserCallHwndParamLock function is similar to step S11 of the above method embodiment and is not repeated here.
Step S23: when the behavior of a software process calling the NtUserCallHwndParamLock function is detected, obtain the first function index number passed in when the software process calls the NtUserCallHwndParamLock function.
In this embodiment, the process of obtaining the first function index number passed in when the software process calls the NtUserCallHwndParamLock function is similar to step S12 of the above method embodiment and is not repeated here.
Step S24: judge whether the first function index number is the same as the second function index number of the kernel corresponding to the ShowOwnedPopups function; if they are not the same, execute step S25; otherwise execute steps S26 and S27.
In this embodiment, the process of judging whether the first function index number is the same as the second function index number of the kernel corresponding to the ShowOwnedPopups function is similar to step S13 of the above method embodiment and is not repeated here.
Step S25: call the NtUserCallHwndParamLock function to execute the operation corresponding to the first function index number.
In this embodiment, the process of calling the NtUserCallHwndParamLock function to execute the operation corresponding to the first function index number is similar to step S14 of the above method embodiment and is not repeated here.
Step S26: obtain the feature information of the software process.
In this embodiment, the feature information of the software process may be a feature code, and each software process has a unique feature code.
Specifically, the process of step S26 can be implemented by the hook function in step S12.
Step S27: query the feature information of the software process in the feature database that stores feature information of malicious software processes; if the feature information of the software process is found, determine that the software process is a malicious software process and execute step S28; otherwise determine that the software process is not a malicious software process and execute step S29.
In this embodiment, malware refers to programs such as viruses, worms and Trojan horses that perform malicious tasks on a system, and takes control of the system by subverting software processes.
Specifically, the process of step S27 can be implemented by the hook function in step S12.
Step S28: refuse to perform the hide pop-up window operation.
In this embodiment, the process of refusing to perform the hide pop-up window operation is similar to step S16 of the above method embodiment and is not repeated here.
Step S29: call the NtUserCallHwndParamLock function to execute the hide pop-up window operation.
In this embodiment, the process of calling the NtUserCallHwndParamLock function to execute the hide pop-up window operation is similar to step S17 of the above method embodiment and is not repeated here.
In this embodiment, when the behavior of a software process calling the NtUserCallHwndParamLock function is detected, the first function index number passed in when the software process calls the NtUserCallHwndParamLock function is obtained, and it is judged whether the first function index number is the same as the second function index number of the kernel corresponding to the ShowOwnedPopups function. If they are not the same, the NtUserCallHwndParamLock function is called to execute the operation corresponding to the first function index number; otherwise the feature information of the software process is queried in the feature database that stores feature information of malicious software processes, in order to judge whether the software process is a malicious software process. If it is, the hide pop-up window operation is refused; otherwise the NtUserCallHwndParamLock function is called to execute the hide pop-up window operation. Compared with the prior art, by hooking the NtUserCallHwndParamLock function, the present invention can intercept, before the NtUserCallHwndParamLock function executes, a malicious software process's attempt to hide pop-up windows through the kernel, preventing malware from hiding pop-up windows and thereby effectively protecting system security.
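The decision flow of steps S22 to S29 (and S11 to S17 of embodiment one), modelled in portable user-space C; this is an added example, not code from the patent. The names `classify_call` and `hooked_routine`, the verdict enum, the constructed feature codes, the stand-in for the kernel routine, and the pass-through on a system with no known index are assumptions; the index values are the ones listed in the description.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Systems for which the description lists a second function index number. */
typedef enum { OS_XP, OS_WIN7, OS_WIN8, OS_WIN81, OS_WIN10, OS_UNKNOWN } os_id;

typedef enum {
    V_FORWARD_OTHER,  /* S14/S25: index is not the hide-pop-ups index        */
    V_FORWARD_HIDE,   /* S17/S29: hide request, process not in the database  */
    V_DENY_HIDE,      /* S16/S28: hide request from a listed process         */
    V_UNSUPPORTED_OS  /* assumption: no known index, caller should log this  */
} verdict;

/* Second function index number per system, as given in the description. */
static int hide_popups_index(os_id os)
{
    switch (os) {
    case OS_XP:    return 98;
    case OS_WIN7:  return 100;
    case OS_WIN8:  return 107;
    case OS_WIN81: return 111;
    case OS_WIN10: return 118;
    default:       return -1;   /* table has no entry for this system */
    }
}

/* S26/S27: exact-match lookup of a process feature code in the database. */
static int in_feature_db(const char *code, const char *const *db, size_t n)
{
    size_t i;
    if (code == NULL)
        return 0;
    for (i = 0; i < n; i++)
        if (strcmp(code, db[i]) == 0)
            return 1;
    return 0;
}

/* S13/S24 then S15/S27: compare indexes first, consult the database only
 * when the call really is a hide-pop-ups request. */
verdict classify_call(os_id os, int first_index, const char *feature_code,
                      const char *const *db, size_t n)
{
    int second_index = hide_popups_index(os);
    if (second_index < 0)
        return V_UNSUPPORTED_OS;
    if (first_index != second_index)
        return V_FORWARD_OTHER;
    return in_feature_db(feature_code, db, n) ? V_DENY_HIDE : V_FORWARD_HIDE;
}

/* Stand-in for the hooked kernel routine; counts how often it is reached. */
static int original_calls;
static int original_routine(int index) { (void)index; original_calls++; return 1; }
int original_call_count(void) { return original_calls; }

/* Hook body: runs before the original routine and only suppresses the call
 * for V_DENY_HIDE. Assumption: an unsupported system is passed through,
 * because the routine is shared by many unrelated window operations. */
int hooked_routine(os_id os, int first_index, const char *feature_code,
                   const char *const *db, size_t n)
{
    if (classify_call(os, first_index, feature_code, db, n) == V_DENY_HIDE)
        return 0;
    return original_routine(first_index);
}

/* Constructed feature codes, for illustration only. */
static const char *const SAMPLE_DB[] = { "sig-constructed-0001",
                                         "sig-constructed-0002" };
#define SAMPLE_DB_LEN (sizeof SAMPLE_DB / sizeof SAMPLE_DB[0])

int main(void)
{
    /* Same index, same process, different system: 100 hides pop-ups only on Win7. */
    printf("Win7  idx 100 listed   -> %d\n",
           classify_call(OS_WIN7, 100, "sig-constructed-0001", SAMPLE_DB, SAMPLE_DB_LEN));
    printf("Win10 idx 100 listed   -> %d\n",
           classify_call(OS_WIN10, 100, "sig-constructed-0001", SAMPLE_DB, SAMPLE_DB_LEN));
    printf("Win10 idx 118 unlisted -> %d\n",
           classify_call(OS_WIN10, 118, "sig-constructed-9999", SAMPLE_DB, SAMPLE_DB_LEN));
    return 0;
}
```

The `V_UNSUPPORTED_OS` verdict makes the dependency on the per-system table visible: on a system without an entry, the filter cannot recognise a hide request at all.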
Fig. 3 is a structural schematic diagram of embodiment one of the processing device for hiding pop-up windows of the present invention. As shown in Fig. 3, the device of this embodiment may include a detection unit 11, an acquiring unit 12, a first judging unit 13, a first processing unit 14, a second judging unit 15, a second processing unit 16 and a third processing unit 17, wherein: the detection unit 11 is configured to detect the behavior of a software process calling the NtUserCallHwndParamLock function; the acquiring unit 12 is configured to obtain, when the detection unit 11 detects the behavior of a software process calling the NtUserCallHwndParamLock function, the first function index number passed in when the software process calls the NtUserCallHwndParamLock function; the first judging unit 13 is configured to judge whether the first function index number is the same as the second function index number of the kernel corresponding to the ShowOwnedPopups function; the first processing unit 14 is configured to call the NtUserCallHwndParamLock function to execute the operation corresponding to the first function index number when the judging result of the first judging unit 13 is "not the same"; the second judging unit 15 is configured to judge whether the software process is a malicious software process when the judging result of the first judging unit 13 is "the same"; the second processing unit 16 is configured to refuse to perform the hide pop-up window operation when the second judging unit 15 determines that the software process is a malicious software process; and the third processing unit 17 is configured to call the NtUserCallHwndParamLock function to execute the hide pop-up window operation when the second judging unit 15 determines that the software process is not a malicious software process.
The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 1; its implementation principle and technical effect are similar and are not repeated here.
Further, the second function index number of the kernel corresponding to the ShowOwnedPopups function differs between systems.
Further, the second function index number of the kernel corresponding to the ShowOwnedPopups function is 98 under the XP system, 100 under the Win7 system, 107 under the Win8 system, 111 under the Win8.1 system, and 118 under the Win10 system.
Fig. 4 is a structural schematic diagram of embodiment two of the processing device for hiding pop-up windows of the present invention. As shown in Fig. 4, the device of this embodiment builds on the device structure shown in Fig. 3; further, the second judging unit 15 includes:
an obtaining subunit 151, configured to obtain the feature information of the software process;
a query subunit 152, configured to query the feature information of the software process in the feature database that stores feature information of malicious software processes;
a judging subunit 153, configured to determine that the software process is a malicious software process when the query subunit 152 finds the feature information of the software process, and otherwise to determine that the software process is not a malicious software process.
Further, the device also includes:
an establishing unit 18, configured to establish the feature database before the detection unit 11 detects the behavior of a software process calling the NtUserCallHwndParamLock function, and to store the obtained feature information of malicious software processes in the feature database.
The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 1 or Fig. 2; its implementation principle and technical effect are similar and are not repeated here.
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" and any other variants are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to the process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The embodiments in this specification are described in a related manner; for the same or similar parts, the embodiments may refer to each other, and each embodiment focuses on its differences from the other embodiments.
In particular, since the device embodiments are substantially similar to the method embodiments, their description is relatively brief; for the relevant parts, refer to the corresponding explanation of the method embodiments.
The logic and/or steps represented in a flow chart or otherwise described herein may, for example, be regarded as an ordered list of executable instructions for implementing logic functions, and may be embodied in any computer-readable medium for use by, or in combination with, an instruction execution system, device or equipment (such as a computer-based system, a system including a processor, or another system that can fetch instructions from an instruction execution system, device or equipment and execute them). For the purposes of this specification, a "computer-readable medium" can be any means that can contain, store, communicate, propagate or transmit a program for use by, or in combination with, an instruction execution system, device or equipment. More specific examples (a non-exhaustive list) of computer-readable media include: an electrical connection (electronic device) with one or more wirings, a portable computer diskette (magnetic device), random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), a fiber-optic device, and a portable compact disc read-only memory (CDROM). In addition, the computer-readable medium may even be paper or another suitable medium on which the program can be printed, because the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or otherwise processing it in a suitable way if necessary, and then stored in a computer memory.
It should be understood that each part of the present invention can be implemented in hardware, software, firmware or a combination thereof.
In the above embodiments, multiple steps or methods can be implemented with software or firmware that is stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they can be implemented with any one or a combination of the following technologies well known in the art: discrete logic circuits with logic gates for implementing logic functions on data signals, application-specific integrated circuits with suitable combinational logic gates, programmable gate arrays (PGA), field-programmable gate arrays (FPGA), and so on.
An embodiment of the present invention also provides electronic equipment that includes the device described in any of the foregoing embodiments.
Fig. 5 is a structural schematic diagram of an embodiment of the electronic equipment of the present invention, which can implement the process of the embodiments shown in Fig. 1 or Fig. 2 of the present invention. As shown in Fig. 5, the electronic equipment may include a housing 31, a processor 32, a memory 33, a circuit board 34 and a power supply circuit 35, wherein the circuit board 34 is placed inside the space enclosed by the housing 31, and the processor 32 and the memory 33 are arranged on the circuit board 34; the power supply circuit 35 supplies power to each circuit or device of the electronic equipment; the memory 33 stores executable program code; and the processor 32 runs the program corresponding to the executable program code by reading the executable program code stored in the memory 33, in order to execute any of the aforementioned processing methods for hiding pop-up windows.
For the specific process by which the processor 32 executes the above steps, and for the steps that the processor 32 further executes by running the executable program code, refer to the description of the embodiments shown in Fig. 1 or Fig. 2 of the present invention; details are not repeated here.
The electronic equipment exists in a variety of forms, including but not limited to:
(1) mobile communication equipment: the characteristics of this kind of equipment is that have mobile communication function, and to provide speech, data Communication is main target.This Terminal Type includes: smart phone (such as iPhone), multimedia handset, functional mobile phone and low Hold mobile phone etc..
(2) super mobile personal computer equipment: this kind of equipment belongs to the scope of personal computer, there is calculating and processing function Can, generally also have mobile Internet access characteristic.This Terminal Type includes: PDA, MID and UMPC equipment etc., such as iPad.
(3) portable entertainment device: this kind of equipment can show and play multimedia content.Such equipment include: audio, Video player (such as iPod), handheld device, e-book and intelligent toy and portable car-mounted navigation equipment.
(4) server: providing the equipment of the service of calculating, and the composition of server includes that processor, hard disk, memory, system are total Line etc., server is similar with general computer architecture, but due to needing to provide highly reliable service, in processing energy Power, stability, reliability, safety, scalability, manageability etc. are more demanding.
(5) other electronic equipments with data interaction function.
Those skilled in the art are understood that realize all or part of step that above-described embodiment method carries It suddenly is that relevant hardware can be instructed to complete by program, the program can store in a kind of computer-readable storage medium In matter, which when being executed, includes the steps that one or a combination set of embodiment of the method.
For convenience of description, description apparatus above is to be divided into various units/modules with function to describe respectively.Certainly, exist Implement to realize each unit/module function in the same or multiple software and or hardware when the present invention.
As seen through the above description of the embodiments, those skilled in the art can be understood that the present invention can It realizes by means of software and necessary general hardware platform.Based on this understanding, technical solution of the present invention essence On in other words the part that contributes to existing technology can be embodied in the form of software products, the computer software product It can store in storage medium, such as ROM/RAM, magnetic disk, CD, including some instructions are used so that a computer equipment (can be personal computer, server or the network equipment etc.) executes the certain of each embodiment or embodiment of the invention Method described in part.

Claims (9)

1. A processing method for hiding a pop-up window, characterized by comprising:
detecting the behavior of a software process calling a disable-or-enable-window function, wherein the disable-or-enable-window function is the NtUserCallHwndParamLock function;
when the behavior of a software process calling the disable-or-enable-window function is detected, obtaining the first feature index number passed in when the software process calls the disable-or-enable-window function;
judging whether the first feature index number is the same as the second feature index number that corresponds, in the kernel, to the hide-pop-up-window function;
if they are not the same, calling the disable-or-enable-window function to execute the operation corresponding to the first feature index number; otherwise, judging whether the software process is a malicious software process;
if the software process is a malicious software process, refusing to perform the hide-pop-up-window operation; otherwise, calling the disable-or-enable-window function to execute the hide-pop-up-window operation.
2. The processing method for hiding a pop-up window according to claim 1, characterized in that the second feature index number that corresponds, in the kernel, to the hide-pop-up-window function is different under different systems.
3. The processing method for hiding a pop-up window according to claim 1, characterized in that judging whether the software process is a malicious software process comprises:
obtaining the characteristic information of the software process;
querying the characteristic information of the software process in a feature database that stores characteristic information of malicious software processes;
if the characteristic information of the software process is found, determining that the software process is a malicious software process; otherwise, determining that the software process is not a malicious software process.
4. The processing method for hiding a pop-up window according to claim 3, characterized in that, before detecting the behavior of a software process calling the disable-or-enable-window function, the method further comprises:
establishing the feature database, and storing the obtained characteristic information of malicious software processes in the feature database.
5. A processing device for hiding a pop-up window, characterized by comprising:
a detection unit, configured to detect the behavior of a software process calling a disable-or-enable-window function, wherein the disable-or-enable-window function is the NtUserCallHwndParamLock function;
an acquiring unit, configured to obtain, when the detection unit detects the behavior of a software process calling the disable-or-enable-window function, the first feature index number passed in when the software process calls the disable-or-enable-window function;
a first judging unit, configured to judge whether the first feature index number is the same as the second feature index number that corresponds, in the kernel, to the hide-pop-up-window function;
a first processing unit, configured to call the disable-or-enable-window function to execute the operation corresponding to the first feature index number when the judging result of the first judging unit is that they are not the same;
a second judging unit, configured to judge whether the software process is a malicious software process when the judging result of the first judging unit is that they are the same;
a second processing unit, configured to refuse to perform the hide-pop-up-window operation when the second judging unit determines that the software process is a malicious software process;
a third processing unit, configured to call the disable-or-enable-window function to execute the hide-pop-up-window operation when the second judging unit determines that the software process is not a malicious software process.
6. The processing device for hiding a pop-up window according to claim 5, characterized in that the second feature index number that corresponds, in the kernel, to the hide-pop-up-window function is different under different systems.
7. The processing device for hiding a pop-up window according to claim 5, characterized in that the second judging unit comprises:
an obtaining subunit, configured to obtain the characteristic information of the software process;
a query subunit, configured to query the characteristic information of the software process in a feature database that stores characteristic information of malicious software processes;
a judging subunit, configured to determine that the software process is a malicious software process when the query subunit finds the characteristic information of the software process, and otherwise to determine that the software process is not a malicious software process.
8. The processing device for hiding a pop-up window according to claim 7, characterized in that the device further comprises:
an establishing unit, configured to establish the feature database, and to store the obtained characteristic information of malicious software processes in the feature database, before the detection unit detects the behavior of a software process calling the disable-or-enable-window function.
9. Electronic equipment, characterized in that the electronic equipment comprises: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or component of the electronic equipment; the memory stores executable program code; and the processor reads the executable program code stored in the memory and runs the program corresponding to that code, in order to execute the processing method for hiding a pop-up window of any one of the preceding claims 1-4.
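The decision procedure of claims 1 to 4, as an added example that is not part of the patent text: a user-mode C model of the verdict the filter reaches for one intercepted NtUserCallHwndParamLock call. The build numbers, index values, feature strings and all function and type names are constructed placeholders, and passing the call through on a system with no known index is an assumption the claims do not address.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdict of the filter placed in front of NtUserCallHwndParamLock. */
typedef enum { PASS_THROUGH, ALLOW_HIDE, DENY_HIDE } verdict_t;

/* Claim 2: the index of the hide-pop-up-window routine differs per system.
 * The claims give no values, so builds and indices here are constructed. */
typedef struct { unsigned os_build; unsigned hide_index; } index_row_t;
static const index_row_t HIDE_INDEX_BY_BUILD[] = {
    { 1001u, 0x11u },  /* hypothetical system A */
    { 1002u, 0x13u },  /* hypothetical system B */
};

/* Claims 3-4: feature database of known malicious processes. A "feature"
 * is assumed to be an opaque string; the entries are constructed. */
static const char *const MALWARE_FEATURES[] = {
    "constructed-feature-adware-1",
    "constructed-feature-trojan-2",
};

/* Find the table row for the running system, or NULL if it is unknown. */
static const index_row_t *find_row(unsigned os_build)
{
    size_t n = sizeof HIDE_INDEX_BY_BUILD / sizeof HIDE_INDEX_BY_BUILD[0];
    for (size_t i = 0; i < n; i++)
        if (HIDE_INDEX_BY_BUILD[i].os_build == os_build)
            return &HIDE_INDEX_BY_BUILD[i];
    return NULL;
}

/* Claim 3: a process is malicious only if its feature is in the database. */
static int is_malicious(const char *feature)
{
    size_t n = sizeof MALWARE_FEATURES / sizeof MALWARE_FEATURES[0];
    for (size_t i = 0; feature != NULL && i < n; i++)
        if (strcmp(MALWARE_FEATURES[i], feature) == 0)
            return 1;
    return 0;
}

/* Claim 1: decide what to do with one intercepted call. */
verdict_t filter_call(unsigned os_build, unsigned first_index,
                      const char *caller_feature)
{
    const index_row_t *row = find_row(os_build);
    /* Assumption: with no known index for this system, pass the call on. */
    if (row == NULL || first_index != row->hide_index)
        return PASS_THROUGH;      /* some other operation: execute it */
    return is_malicious(caller_feature) ? DENY_HIDE : ALLOW_HIDE;
}

int main(void)
{
    /* Index 0x11 means "hide" on system A only; on B it passes through. */
    printf("%d\n", filter_call(1002u, 0x11u, "constructed-feature-adware-1"));
    return 0;
}
```

Because the comparison uses the index looked up for the running system, a value that means "hide" on one system is passed through untouched on another, even for a caller listed in the feature database.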
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610552211.5A CN106022111B (en) 2016-07-13 2016-07-13 Processing method and device for hiding pop-up window and electronic equipment

Publications (2)

Publication Number Publication Date
CN106022111A CN106022111A (en) 2016-10-12
CN106022111B true CN106022111B (en) 2019-01-22

Family

ID=57118074

Country Status (1)

Country Link
CN (1) CN106022111B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20190124

Address after: 519031 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province

Patentee after: Zhuhai Leopard Technology Co.,Ltd.

Address before: 100085 East District, No. 33 Xiaoying West Road, Haidian District, Beijing

Patentee before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.