CN106127049B - A kind of method, apparatus and electronic equipment for removing rogue program - Google Patents

Publication number: CN106127049B
Authority: CN (China)
Prior art keywords: file, rogue program, paging, threshold, function
Legal status: Active
Application number: CN201610493611.3A
Other languages: Chinese (zh)
Other versions: CN106127049A (en)
Inventor: 李文靖
Current Assignee: Zhuhai Baoqu Technology Co Ltd
Original Assignee: Zhuhai Seal Interest Technology Co Ltd
Application filed by Zhuhai Seal Interest Technology Co Ltd
Priority to CN201610493611.3A
Publication of CN106127049A
Application granted
Publication of CN106127049B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601 Interfaces specially adapted for storage systems
    • G06F3/0602 Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
    • G06F3/062 Securing storage systems
    • G06F3/0628 Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0629 Configuration or reconfiguration of storage systems
    • G06F3/0635 Configuration or reconfiguration of storage systems by changing the path, e.g. traffic rerouting, path reconfiguration

Abstract

The invention discloses a method, an apparatus and an electronic device for removing a rogue program. The method includes: when a rogue program is detected in the operating system, determining the file path of the rogue program; creating a paging file according to the file path of the rogue program, and removing the rogue program by means of the file size of the paging file. The method achieves complete deletion and helps break through the rogue program's self-protection so that the file is forcibly deleted, thereby improving the deletion success rate and the security protection of the system.

Description

A method, apparatus and electronic device for removing a rogue program
Technical field
The present invention relates to the technical field of system security, and in particular to a method, an apparatus and an electronic device for removing a rogue program.
Background art
With the rapid development of Internet technology, rogue-program techniques such as viruses and Trojans emerge one after another. In the related art, when a rogue program is detected in the operating system of a terminal, the rogue program file is usually deleted at the application layer of the operating system through a delete function (such as the DeleteFile function or the NtDeleteFile function). However, some rogue programs use a driver that they load themselves to protect the rogue program from being deleted, for the purpose of self-protection. Such a rogue program cannot be deleted successfully by the above deletion method, so it can still affect the security of the operating system; the result is a low deletion success rate and poor system security protection.
Summary of the invention
The present invention aims to solve one of the above technical problems at least to a certain extent.
To this end, the first object of the present invention is to propose a method for removing a rogue program. The method achieves complete deletion and helps break through the rogue program's self-protection so that the file is forcibly deleted, thereby improving the deletion success rate and the security protection of the system.
The second object of the present invention is to propose an apparatus for removing a rogue program.
The third object of the present invention is to propose an electronic device.
The fourth object of the present invention is to propose a storage medium.
The fifth object of the present invention is to propose an application program.
To achieve the above objects, the method for removing a rogue program according to an embodiment of the first aspect of the present invention includes: when a rogue program is detected in the operating system, determining the file path of the rogue program; creating a paging file according to the file path of the rogue program, and removing the rogue program by means of the file size of the paging file.
With the method for removing a rogue program of the embodiment of the present invention, when a rogue program is detected in the operating system, the file path of the rogue program can be determined, a paging file is created according to that file path, and the rogue program is removed by means of the file size of the paging file. That is, a system paging file is created whose file path is the file path of the rogue program to be removed. In this way the rogue program is replaced by the paging file, and the file size of the paging file controls the file size of the replaced rogue program, so that complete deletion is achieved. This helps break through the rogue program's self-protection so that the file is forcibly deleted, thereby improving the deletion success rate and the security protection of the system.
In one embodiment of the present invention, the operating system is a Windows NT operating system.
According to one embodiment of the present invention, creating a paging file according to the file path of the rogue program includes: obtaining a paging file creation function from a dynamic link library; and, by means of the paging file creation function, taking the file path of the rogue program as the file path of the paging file, setting the minimum value of the file size of the paging file to a first threshold, and setting the maximum value of the file size of the paging file to a second threshold, so as to create the paging file, wherein the first threshold is less than the second threshold.
In an embodiment of the present invention, the dynamic link library is the Ntdll.dll library; the paging file creation function is the NtCreatePagingFile function; the first threshold is 0 and the second threshold is 1.
According to one embodiment of the present invention, before the paging file is created according to the file path of the rogue program, the method further includes: judging whether the rogue program can be deleted directly by a file delete function; if it can, deleting the rogue program directly by the file delete function; if it cannot, creating the paging file according to the file path of the rogue program.
To achieve the above objects, the apparatus for removing a rogue program according to an embodiment of the second aspect of the present invention includes: a determining module, configured to determine the file path of the rogue program when a rogue program is detected in the operating system; a creation module, configured to create a paging file according to the file path of the rogue program; and a removal module, configured to remove the rogue program by means of the file size of the paging file.
With the apparatus for removing a rogue program of the embodiment of the present invention, the determining module determines the file path of the rogue program when a rogue program is detected in the operating system, the creation module creates a paging file according to the file path of the rogue program, and the removal module removes the rogue program by means of the file size of the paging file. That is, a system paging file is created whose file path is the file path of the rogue program to be removed. In this way the rogue program is replaced by the paging file, and the file size of the paging file controls the file size of the replaced rogue program, so that complete deletion is achieved. This helps break through the rogue program's self-protection so that the file is forcibly deleted, thereby improving the deletion success rate and the security protection of the system.
In one embodiment of the present invention, the operating system is a Windows NT operating system.
According to one embodiment of the present invention, the creation module includes: an acquiring unit, configured to obtain a paging file creation function from a dynamic link library; and a creating unit, configured to, by means of the paging file creation function, take the file path of the rogue program as the file path of the paging file, set the minimum value of the file size of the paging file to a first threshold, and set the maximum value of the file size of the paging file to a second threshold, so as to create the paging file, wherein the first threshold is less than the second threshold.
In an embodiment of the present invention, the dynamic link library is the Ntdll.dll library; the paging file creation function is the NtCreatePagingFile function; the first threshold is 0 and the second threshold is 1.
According to one embodiment of the present invention, the apparatus further includes: a judgment module, configured to judge, before the paging file is created according to the file path of the rogue program, whether the rogue program can be deleted directly by a file delete function; and a deletion module, configured to delete the rogue program directly by the file delete function when the judgment module judges that the rogue program can be deleted directly by the file delete function. The creation module is further configured to create the paging file according to the file path of the rogue program when the judgment module judges that the rogue program cannot be deleted directly by the file delete function.
To achieve the above objects, the electronic device according to an embodiment of the third aspect of the present invention includes: a housing, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power circuit supplies power to each circuit or component of the electronic device; the memory stores executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the following steps: when a rogue program is detected in the operating system, determining the file path of the rogue program; creating a paging file according to the file path of the rogue program, and removing the rogue program by means of the file size of the paging file.
With the electronic device of the embodiment of the present invention, when a rogue program is detected in the operating system, the file path of the rogue program can be determined, a paging file is created according to that file path, and the rogue program is removed by means of the file size of the paging file. That is, a system paging file is created whose file path is the file path of the rogue program to be removed. In this way the rogue program is replaced by the paging file, and the file size of the paging file controls the file size of the replaced rogue program, so that complete deletion is achieved. This helps break through the rogue program's self-protection so that the file is forcibly deleted, thereby improving the deletion success rate and the security protection of the system.
To achieve the above objects, an embodiment of the fourth aspect of the present invention proposes a storage medium, wherein the storage medium is used to store an application program, and the application program, when run, executes the method for removing a rogue program described in the embodiment of the first aspect of the present invention.
To achieve the above objects, an embodiment of the fifth aspect of the present invention proposes an application program, wherein the application program, when run, executes the method for removing a rogue program described in the embodiment of the first aspect of the present invention.
Additional aspects and advantages of the present invention will be set forth in part in the following description, and in part will become apparent from the following description or be learned through practice of the invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the present invention will become apparent and readily understood from the following description of the embodiments taken in conjunction with the accompanying drawings, in which:
Fig. 1 is a flowchart of a method for removing a rogue program according to one embodiment of the present invention;
Fig. 2 is a flowchart of a method for removing a rogue program according to a specific embodiment of the present invention;
Fig. 3 is a structural block diagram of an apparatus for removing a rogue program according to one embodiment of the present invention;
Fig. 4 is a structural block diagram of an apparatus for removing a rogue program according to a specific embodiment of the present invention;
Fig. 5 is a structural block diagram of an apparatus for removing a rogue program according to another specific embodiment of the present invention;
Fig. 6 is a structural schematic diagram of an electronic device according to one embodiment of the present invention.
Detailed description of the embodiments
Embodiments of the present invention are described in detail below, and examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary; they are intended to explain the present invention and should not be construed as limiting it.
The method, apparatus and electronic device for removing a rogue program according to embodiments of the present invention are described below with reference to the drawings.
Fig. 1 is a flowchart of a method for removing a rogue program according to one embodiment of the present invention. It should be noted that the method for removing a rogue program of the embodiment of the present invention can be applied to the apparatus for removing a rogue program of the embodiment of the present invention, and that apparatus can be configured in the electronic device of the embodiment of the present invention. The electronic device has an operating system and may include, but is not limited to, a terminal and the like.
As shown in Fig. 1, the method for removing a rogue program may include:
S110: when a rogue program is detected in the operating system, determine the file path of the rogue program.
For example, suppose the method for removing a rogue program of the embodiment of the present invention is applied in the security software of a terminal. The security software can perform security detection on the operating system of the terminal, and when a rogue program is detected in the operating system of the terminal, the storage location of the rogue program in the operating system, i.e. the file path of the rogue program, can be determined.
As an example, detecting whether a rogue program exists in the operating system of the terminal can be implemented as follows: the files of the terminal are scanned, and if a scanned program or file is not present in a white list of legitimate files, that program or file is considered to be a rogue program. It will be appreciated that there are other ways of detecting whether a rogue program exists in the operating system of the terminal, which are not described here.
S120: create a paging file according to the file path of the rogue program, and remove the rogue program by means of the file size of the paging file. In one embodiment of the present invention, the operating system can be a Windows NT operating system.
Specifically, after the file path of the rogue program is obtained, a paging file can be created whose file path is the file path of the rogue program, so that the paging file replaces the rogue program. The file size of the created paging file is then set, and the rogue program is removed by means of the file size of the paging file.
Specifically, in one embodiment of the present invention, a paging file creation function can first be obtained from a dynamic link library. Then, by means of the paging file creation function, the file path of the rogue program is taken as the file path of the paging file, the minimum value of the file size of the paging file is set to a first threshold, and the maximum value of the file size of the paging file is set to a second threshold, so as to create the paging file, wherein the first threshold is less than the second threshold. In addition, the dynamic link library can be the Ntdll.dll library; the paging file creation function is the NtCreatePagingFile function; the first threshold is 0 and the second threshold is 1.
More specifically, taking a Windows NT operating system as an example, a function pointer for the paging file creation function (such as the NtCreatePagingFile function) can first be defined; suppose the function pointer is named FPN-NtCreatePagingFile. At the application layer of the operating system, the function-address retrieval function is called to obtain the function address of the paging file creation function from the dynamic link library (such as the Ntdll.dll library); this can be expressed, for example, as GetProcAddress(ntdll.dll,"NtCreatePagingFile"). After the function address of the paging file creation function has been obtained, it can be assigned to the function pointer FPN-NtCreatePagingFile.
It will be appreciated that the function prototype of the paging file creation function NtCreatePagingFile in the dynamic link library ntdll.dll can be as follows:
Here, the first parameter "PageFileName" of the NtCreatePagingFile function indicates the file path of the paging file to be created, the second parameter "MiniumSize" indicates the minimum value of the file size of the paging file to be created, and the third parameter "MaxiumSize" indicates the maximum value of the file size of the paging file to be created.
After the function address of the paging file creation function has been assigned to the function pointer FPN-NtCreatePagingFile, the function pointer FPN-NtCreatePagingFile can be called in order to call the paging file creation function NtCreatePagingFile, with the file path of the rogue program as the first parameter value of the NtCreatePagingFile function, the above first threshold as the second parameter value, and the above second threshold as the third parameter value, so that the paging file is created by the NtCreatePagingFile function.
Finally, the rogue program is removed by means of the file size of the created paging file. Taking a first threshold of 0 and a second threshold of 1 as an example, the file size of the created paging file is 0KB, i.e. the file size of the rogue program replaced by the paging file is now 0KB. In other words, the original data of the rogue program has been emptied, and the file attribute of the file has become that of a system file, i.e. it has become a paging file, which achieves the purpose of thoroughly removing the rogue program.
With the method for removing a rogue program of the embodiment of the present invention, when a rogue program is detected in the operating system, the file path of the rogue program can be determined, a paging file is created according to that file path, and the rogue program is removed by means of the file size of the paging file. That is, a system paging file is created whose file path is the file path of the rogue program to be removed. In this way the rogue program is replaced by the paging file, and the file size of the paging file controls the file size of the replaced rogue program, so that complete deletion is achieved. This helps break through the rogue program's self-protection so that the file is forcibly deleted, thereby improving the deletion success rate and the security protection of the system.
Fig. 2 is a flowchart of a method for removing a rogue program according to a specific embodiment of the present invention.
To improve availability and feasibility, in one embodiment of the present invention, before the paging file is created according to the file path of the rogue program, the rogue program can first be checked to judge whether it can be deleted by a conventional file deletion method. If it can, the file is deleted directly; if it cannot, the rogue program is removed by creating a paging file. Specifically, as shown in Fig. 2, the method for removing a rogue program may include:
S210: when a rogue program is detected in the operating system, determine the file path of the rogue program.
S220: judge whether the rogue program can be deleted directly by a file delete function.
It will be appreciated that some rogue programs can be deleted by the conventional file deletion methods of the prior art, in which case there is no need to forcibly delete the rogue program. Therefore, before forcible deletion is carried out and after the file path of the rogue program has been obtained, it can be judged whether the rogue program corresponding to that file path can be deleted directly by a file delete function (such as the DeleteFile function or the NtDeleteFile function).
S230: if the rogue program can be deleted directly by the file delete function, delete the rogue program directly by the file delete function.
S240: if the rogue program cannot be deleted directly by the file delete function, create a paging file according to the file path of the rogue program, and remove the rogue program by means of the file size of the paging file.
In one embodiment of the present invention, the operating system can be a Windows NT operating system.
Specifically, in one embodiment of the present invention, a paging file creation function can first be obtained from a dynamic link library. Then, by means of the paging file creation function, the file path of the rogue program is taken as the file path of the paging file, the minimum value of the file size of the paging file is set to a first threshold, and the maximum value of the file size of the paging file is set to a second threshold, so as to create the paging file, wherein the first threshold is less than the second threshold. In addition, the dynamic link library can be the Ntdll.dll library; the paging file creation function is the NtCreatePagingFile function; the first threshold is 0 and the second threshold is 1.
With the method for removing a rogue program of the embodiment of the present invention, before the paging file is created according to the file path of the rogue program, the rogue program can first be checked to judge whether it can be deleted by a conventional file deletion method. If it can, the file is deleted directly; if it cannot, the rogue program is removed by creating a paging file. That is, the existing technical solution is supplemented: in the few cases where the rogue program cannot be deleted with a file delete function, the paging-file creation approach can be used to forcibly replace the rogue program with a system paging file. This helps break through the rogue program's self-protection so that the file is forcibly deleted, has a positive effect on system security, and improves availability and feasibility.
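The flow of Fig. 2 (S210 to S240) as an added Python example; it is not code from the patent. Assumptions: `guarded_delete` models a delete call that a self-protecting driver blocks, `truncate_in_place` is a portable stand-in for the Windows-only NtCreatePagingFile step (it only reproduces the 0-byte outcome the text describes), and all file names and contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_unlisted(root: Path, allowlist: set) -> list:
    """S210: return files whose hash is absent from the white list of legitimate files."""
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and sha256_of(p) not in allowlist)


def make_guarded_delete(protected: set):
    """Build a delete function that refuses protected paths.

    Assumption: this models the driver-based self-protection from the
    Background section; a real delete call would fail with an OS error.
    """
    def guarded_delete(path: Path) -> None:
        if path in protected:
            raise PermissionError(f"delete blocked for {path.name}")
        path.unlink()
    return guarded_delete


def truncate_in_place(path: Path, min_size: int, max_size: int) -> None:
    """Stand-in for the paging-file step (not the NtCreatePagingFile call itself).

    Keeps the path, discards the content, and leaves a file of min_size bytes,
    which is the end state the text describes for thresholds 0 and 1.
    """
    if not 0 <= min_size < max_size:
        raise ValueError("first threshold must be less than second threshold")
    with open(path, "r+b") as fh:
        fh.truncate(min_size)


def remove_file(path: Path, delete_fn, replace_fn) -> str:
    """S220 to S240: try the normal delete, fall back to replacement, verify."""
    try:
        delete_fn(path)                      # S220/S230: conventional delete
    except OSError:
        replace_fn(path, 0, 1)               # S240: first threshold 0, second 1
        # Verify the post-condition instead of trusting the call.
        return "neutralized" if path.stat().st_size == 0 else "failed"
    return "failed" if path.exists() else "deleted"


def run_demo() -> dict:
    """Run the whole flow on constructed sample files in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {                          # constructed sample data
            "notepad.bin": b"legit",
            "dropper.bin": b"bad-1",
            "rootkit.sys": b"bad-2",
        }
        for name, data in samples.items():
            (root / name).write_bytes(data)

        allowlist = {hashlib.sha256(b"legit").hexdigest()}
        flagged = find_unlisted(root, allowlist)

        delete_fn = make_guarded_delete({root / "rootkit.sys"})
        outcomes = {p.name: remove_file(p, delete_fn, truncate_in_place)
                    for p in flagged}
        remaining = {p.name: p.stat().st_size for p in root.iterdir()}
        return {"flagged": [p.name for p in flagged],
                "outcomes": outcomes,
                "remaining": remaining}


if __name__ == "__main__":
    print(run_demo())
```

The verification in `remove_file` matters in practice: a fallback that reports success without confirming the file is empty would leave the remediation result unknown.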
To implement the above embodiments, the present invention also proposes an apparatus for removing a rogue program.
Fig. 3 is a structural block diagram of an apparatus for removing a rogue program according to one embodiment of the present invention. As shown in Fig. 3, the apparatus for removing a rogue program may include: a determining module 100, a creation module 200 and a removal module 300.
Specifically, the determining module 100 can be used to determine the file path of the rogue program when a rogue program is detected in the operating system.
For example, suppose the apparatus for removing a rogue program of the embodiment of the present invention is applied in the security software of a terminal. The security software can perform security detection on the operating system of the terminal, and when a rogue program is detected in the operating system of the terminal, the determining module 100 can determine the storage location of the rogue program in the operating system, i.e. the file path of the rogue program.
As an example, detecting whether a rogue program exists in the operating system of the terminal can be implemented as follows: the files of the terminal are scanned, and if a scanned program or file is not present in a white list of legitimate files, that program or file is considered to be a rogue program. It will be appreciated that there are other ways of detecting whether a rogue program exists in the operating system of the terminal, which are not described here.
The creation module 200 can be used to create a paging file according to the file path of the rogue program. In an embodiment of the present invention, the above operating system can be a Windows NT operating system. More specifically, after the determining module 100 obtains the file path of the rogue program, the creation module 200 can create a paging file whose file path is the file path of the rogue program, so that the paging file replaces the rogue program, and set the file size of the created paging file, so that the rogue program is subsequently removed by means of the file size of the paging file.
Specifically, in one embodiment of the present invention, as shown in Fig. 4, the creation module 200 may include: an acquiring unit 210 and a creating unit 220. The acquiring unit 210 can be used to obtain a paging file creation function from a dynamic link library. The creating unit 220 can be used to, by means of the paging file creation function, take the file path of the rogue program as the file path of the paging file, set the minimum value of the file size of the paging file to a first threshold, and set the maximum value of the file size of the paging file to a second threshold, so as to create the paging file, wherein the first threshold is less than the second threshold. In addition, the dynamic link library can be the Ntdll.dll library; the paging file creation function can be the NtCreatePagingFile function; the first threshold can be 0 and the second threshold can be 1.
More specifically, taking a Windows NT operating system as an example, the acquiring unit 210 can first define a function pointer for the paging file creation function (such as the NtCreatePagingFile function); suppose the function pointer is named FPN-NtCreatePagingFile. At the application layer of the operating system, the acquiring unit 210 can call the function-address retrieval function to obtain the function address of the paging file creation function from the dynamic link library (such as the Ntdll.dll library); this can be expressed, for example, as GetProcAddress (ntdll.dll, " NtCreatePagingFile "). After the acquiring unit 210 obtains the function address of the paging file creation function, the creating unit 220 can assign that function address to the function pointer FPN-NtCreatePagingFile.
It will be appreciated that the function prototype of the paging file creation function NtCreatePagingFile in the dynamic link library ntdll.dll can be as noted above.
Here, the first parameter "PageFileName" of the NtCreatePagingFile function indicates the file path of the paging file to be created, the second parameter "MiniumSize" indicates the minimum value of the file size of the paging file to be created, and the third parameter "MaxiumSize" indicates the maximum value of the file size of the paging file to be created.
After assigning the function address of the paging file creation function to the function pointer FPN-NtCreatePagingFile, the creating unit 220 can call the function pointer FPN-NtCreatePagingFile in order to call the paging file creation function NtCreatePagingFile, with the file path of the rogue program as the first parameter value of the NtCreatePagingFile function, the above first threshold as the second parameter value, and the above second threshold as the third parameter value, so that the paging file is created by the NtCreatePagingFile function.
The removal module 300 may be used to remove the rogue program by means of the file size of the paging file. For example, with the first threshold being 0 and the second threshold being 1, the file size of the created paging file is 0KB. The removal module 300 may, according to the file size of the paging file, change the file size of the rogue program to the file size of the paging file; that is, the rogue program that the paging file has replaced now has a file size of 0KB, meaning that the original data of the rogue program has been emptied. At this point the file's attribute has also become that of a system file, namely a paging file, which achieves the goal of thoroughly removing the rogue program.
To improve availability and feasibility, in a further embodiment of the invention, as shown in Fig. 5, the device for removing a rogue program may also include a judgment module 400 and a deletion module 500. Specifically, the judgment module 400 may be used to judge, before the paging file is created according to the file path of the rogue program, whether the rogue program can be deleted directly through a file deletion function. The deletion module 500 may be used to delete the rogue program directly through the file deletion function when the judgment module 400 judges that the rogue program can be deleted directly through the file deletion function. In an embodiment of the present invention, the creation module 200 may also be used to create the paging file according to the file path of the rogue program when the judgment module 400 judges that the rogue program cannot be deleted directly through the file deletion function. This supplements the existing approach: in the rare cases where the rogue program cannot be deleted using the file deletion function, creating a paging file can be used to forcibly replace the rogue program with a system paging file. This helps achieve the goal of forcibly deleting the rogue program's file, has a positive effect on system security, and improves availability and feasibility.
With the device for removing a rogue program of the embodiment of the present invention, when a rogue program is detected in the operating system, the determining module determines the file path of the rogue program, the creation module creates a paging file according to the file path of the rogue program, and the removal module removes the rogue program by means of the file size of the paging file. That is, a system paging file is created whose file path is the file path of the rogue program to be removed, so that the rogue program is replaced with the paging file, and the file size of the replaced rogue program is controlled by the file size of the paging file, thereby achieving complete deletion. This helps achieve the goal of forcibly deleting the rogue program's file, which raises the deletion success rate and improves system security protection.
To implement the above embodiments, the invention also provides an electronic device.
Fig. 6 is a structural schematic diagram of an electronic device according to an embodiment of the invention. As shown in Fig. 6, the electronic device may include a housing 61, a processor 62, a memory 63, a circuit board 64 and a power circuit 65. The circuit board 64 is placed inside the space enclosed by the housing 61, and the processor 62 and the memory 63 are arranged on the circuit board 64. The power circuit 65 supplies power to each circuit or component of the electronic device. The memory 63 stores executable program code. The processor 62 runs a program corresponding to the executable program code by reading the executable program code stored in the memory 63, in order to execute the following steps:
S110': when a rogue program is detected in the operating system, determine the file path of the rogue program.
S120': create a paging file according to the file path of the rogue program, and remove the rogue program by means of the file size of the paging file.
With the electronic device of the embodiment of the present invention, when a rogue program is detected in the operating system, the file path of the rogue program can be determined, a paging file can be created according to the file path of the rogue program, and the rogue program can be removed by means of the file size of the paging file. That is, a system paging file is created whose file path is the file path of the rogue program to be removed, so that the rogue program is replaced with the paging file, and the file size of the replaced rogue program is controlled by the file size of the paging file, thereby achieving complete deletion. This helps achieve the goal of forcibly deleting the rogue program's file, which raises the deletion success rate and improves system security protection.
To implement the above embodiments, the invention also provides a storage medium for storing an application program which, when run, can execute the method for removing a rogue program described in any of the above embodiments of the present invention.
To implement the above embodiments, the invention also provides an application program which, when run, can execute the method for removing a rogue program described in any of the above embodiments of the present invention.
In the description of the present invention, it is to be understood that the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or as implicitly indicating the number of the technical features referred to. Thus, a feature defined with "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "multiple" means at least two, for example two, three, and so on, unless specifically defined otherwise.
In the description of this specification, a description referring to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. In this specification, schematic uses of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. In addition, provided they do not conflict with each other, those skilled in the art may combine the different embodiments or examples described in this specification and the features of those different embodiments or examples.
Any process or method description in a flow chart, or otherwise described herein, may be understood as representing a module, segment or portion of code that includes one or more executable instructions for implementing the steps of a specific logical function or process. The scope of the preferred embodiments of the present invention includes additional implementations in which functions may be performed out of the order shown or discussed, including in a substantially simultaneous manner or in the reverse order depending on the functions involved, as should be understood by those skilled in the art to which the embodiments of the present invention belong.
The logic and/or steps represented in a flow chart or otherwise described herein, for example an ordered list of executable instructions considered to implement logical functions, may be embodied in any computer-readable medium for use by, or in combination with, an instruction execution system, apparatus or device (such as a computer-based system, a system including a processor, or another system that can fetch instructions from an instruction execution system, apparatus or device and execute them). For the purposes of this specification, a "computer-readable medium" may be any means that can contain, store, communicate, propagate or transport a program for use by, or in combination with, an instruction execution system, apparatus or device. More specific examples (a non-exhaustive list) of computer-readable media include: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer-readable medium may even be paper or another suitable medium on which the program can be printed, because the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or, where necessary, otherwise suitably processing it, and then stored in a computer memory.
It should be appreciated that each part of the invention may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be implemented in software or firmware that is stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one of the following technologies well known in the art, or a combination thereof, may be used: a discrete logic circuit having logic gate circuits for implementing logic functions on data signals, an application-specific integrated circuit with suitable combinational logic gate circuits, a programmable gate array (PGA), a field-programmable gate array (FPGA), and so on.
Those of ordinary skill in the art will understand that all or part of the steps carried by the above embodiment methods may be completed by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, includes one of the steps of the method embodiments or a combination thereof.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing module, or each unit may exist physically on its own, or two or more units may be integrated in one module. The integrated module may be implemented in the form of hardware or in the form of a software function module. If the integrated module is implemented in the form of a software function module and is sold or used as an independent product, it may also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, or the like. Although embodiments of the present invention have been shown and described above, it is to be understood that the above embodiments are exemplary and are not to be construed as limiting the invention; those of ordinary skill in the art may change, modify, replace and vary the above embodiments within the scope of the invention.

Claims (11)

1. A method for removing a rogue program, characterized by comprising the following steps:
when a rogue program is detected in an operating system, determining the file path of the rogue program;
creating a paging file according to the file path of the rogue program, and removing the rogue program by means of the file size of the paging file, wherein the minimum value of the file size of the created paging file is a first threshold, the maximum value of the file size of the created paging file is a second threshold, and the first threshold is less than the second threshold.
2. The method for removing a rogue program according to claim 1, characterized in that the operating system is a Windows NT operating system.
3. The method for removing a rogue program according to claim 1 or 2, characterized in that creating a paging file according to the file path of the rogue program comprises:
obtaining a paging file creation function from a dynamic link library;
setting, through the paging file creation function, the file path of the rogue program as the file path of the paging file, setting, through the paging file creation function, the minimum value of the file size of the paging file to the first threshold, and setting the maximum value of the file size of the paging file to the second threshold, so as to create the paging file, wherein the first threshold is less than the second threshold.
4. The method for removing a rogue program according to claim 3, characterized in that the dynamic link library is the Ntdll.dll library; the paging file creation function is the NtCreatePagingFile function; the first threshold is 0, and the second threshold is 1.
5. The method for removing a rogue program according to claim 1, characterized in that, before the paging file is created according to the file path of the rogue program, the method further comprises:
judging whether the rogue program can be deleted directly through a file deletion function;
if the rogue program can be deleted directly through the file deletion function, deleting the rogue program directly through the file deletion function;
if the rogue program cannot be deleted directly through the file deletion function, creating the paging file according to the file path of the rogue program.
6. A device for removing a rogue program, characterized by comprising:
a determining module, for determining the file path of a rogue program when the rogue program is detected in an operating system;
a creation module, for creating a paging file according to the file path of the rogue program, wherein the minimum value of the file size of the created paging file is a first threshold, the maximum value of the file size of the created paging file is a second threshold, and the first threshold is less than the second threshold;
a removal module, for removing the rogue program by means of the file size of the paging file.
7. The device for removing a rogue program according to claim 6, characterized in that the operating system is a Windows NT operating system.
8. The device for removing a rogue program according to claim 6 or 7, characterized in that the creation module comprises:
an acquiring unit, for obtaining a paging file creation function from a dynamic link library;
a creating unit, for setting, through the paging file creation function, the file path of the rogue program as the file path of the paging file, setting, through the paging file creation function, the minimum value of the file size of the paging file to the first threshold, and setting the maximum value of the file size of the paging file to the second threshold, so as to create the paging file, wherein the first threshold is less than the second threshold.
9. The device for removing a rogue program according to claim 8, characterized in that the dynamic link library is the Ntdll.dll library; the paging file creation function is the NtCreatePagingFile function; the first threshold is 0, and the second threshold is 1.
10. The device for removing a rogue program according to claim 6, characterized by further comprising:
a judgment module, for judging, before the paging file is created according to the file path of the rogue program, whether the rogue program can be deleted directly through a file deletion function;
a deletion module, for deleting the rogue program directly through the file deletion function when the judgment module judges that the rogue program can be deleted directly through the file deletion function;
wherein the creation module is further used for creating the paging file according to the file path of the rogue program when the judgment module judges that the rogue program cannot be deleted directly through the file deletion function.
11. An electronic device, characterized by comprising: a housing, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power circuit supplies power to each circuit or component of the electronic device; the memory stores executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, in order to execute the following steps:
when a rogue program is detected in an operating system, determining the file path of the rogue program;
creating a paging file according to the file path of the rogue program, and removing the rogue program by means of the file size of the paging file, wherein the minimum value of the file size of the created paging file is a first threshold, the maximum value of the file size of the created paging file is a second threshold, and the first threshold is less than the second threshold.
CN201610493611.3A 2016-06-28 2016-06-28 A kind of method, apparatus and electronic equipment for removing rogue program Active CN106127049B (en)


Publications (2)

Publication Number Publication Date
CN106127049A 2016-11-16
CN106127049B 2019-03-26

Family

ID=57284562





Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20181211

Address after: 519030 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province

Applicant after: Zhuhai Leopard Technology Co.,Ltd.

Address before: 100085 East District, Second Floor, 33 Xiaoying West Road, Haidian District, Beijing

Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.

GR01 Patent grant