CN106127049B - A kind of method, apparatus and electronic equipment for removing rogue program - Google Patents
- Publication number: CN106127049B (also listed as CN201610493611.3A)
- Authority: CN (China)
- Prior art keywords: file, rogue program, paging, threshold, function
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/568—Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F3/00—Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
- G06F3/06—Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
- G06F3/0601—Interfaces specially adapted for storage systems
- G06F3/0602—Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
- G06F3/062—Securing storage systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F3/00—Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
- G06F3/06—Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
- G06F3/0601—Interfaces specially adapted for storage systems
- G06F3/0628—Interfaces specially adapted for storage systems making use of a particular technique
- G06F3/0629—Configuration or reconfiguration of storage systems
- G06F3/0635—Configuration or reconfiguration of storage systems by changing the path, e.g. traffic rerouting, path reconfiguration
Abstract
The invention discloses a method, an apparatus and an electronic device for removing a rogue program. The method includes: when a rogue program is detected in the operating system, determining the file path of the rogue program; creating a paging file according to the file path of the rogue program, and removing the rogue program by means of the file size of the paging file. The method achieves thorough deletion and helps break through the rogue program's protection to forcibly delete its file, thereby improving the deletion success rate and the system's security protection.
Description
Technical field
The present invention relates to the technical field of system security, and in particular to a method, an apparatus and an electronic device for removing a rogue program.
Background art
With the rapid development of Internet technology, rogue-program techniques such as viruses and Trojans emerge one after another. In the related art, when a rogue program is detected in the operating system of a terminal, the rogue program's file is usually deleted at the application layer of the operating system through a deletion function (such as the DeleteFile function or the NtDeleteFile function). However, some rogue programs use a driver that they load themselves to protect the rogue program from being deleted, for the purpose of self-protection. Such a rogue program cannot be successfully deleted by the above deletion method, so it can still affect the security of the operating system; the result is a low deletion success rate and poor system security protection.
Summary of the invention
The present invention aims to solve, at least to some extent, one of the above technical problems.
To this end, the first object of the invention is to propose a method for removing a rogue program. The method achieves thorough deletion and helps break through the rogue program's protection to forcibly delete its file, thereby improving the deletion success rate and the system's security protection.
The second object of the invention is to propose an apparatus for removing a rogue program.
The third object of the invention is to propose an electronic device.
The fourth object of the invention is to propose a storage medium.
The fifth object of the invention is to propose an application program.
To achieve the above objects, the method for removing a rogue program according to embodiments of the first aspect of the invention includes: when a rogue program is detected in the operating system, determining the file path of the rogue program; creating a paging file according to the file path of the rogue program, and removing the rogue program by means of the file size of the paging file.
With the method for removing a rogue program of the embodiments of the invention, when a rogue program is detected in the operating system, the file path of the rogue program can be determined, a paging file created according to that file path, and the rogue program removed by means of the paging file's file size. That is, a system paging file is created whose file path is the file path of the rogue program to be removed, so the rogue program is replaced by the paging file, and the file size of the replaced rogue program is controlled through the file size of the paging file. This achieves thorough deletion and helps break through the rogue program's protection to forcibly delete its file, thereby improving the deletion success rate and the system's security protection.
In one embodiment of the invention, the operating system is the Windows NT operating system.
According to one embodiment of the invention, creating the paging file according to the file path of the rogue program includes: obtaining a paging file creation function from a dynamic link library; using the paging file creation function to take the file path of the rogue program as the file path of the paging file, setting through that function the minimum file size of the paging file to a first threshold and the maximum file size of the paging file to a second threshold, thereby creating the paging file, where the first threshold is less than the second threshold.
In an embodiment of the invention, the dynamic link library is the Ntdll.dll library; the paging file creation function is the NtCreatePagingFile function; the first threshold is 0 and the second threshold is 1.
According to one embodiment of the invention, before the paging file is created according to the file path of the rogue program, the method further includes: judging whether the rogue program can be deleted directly by a file deletion function; if it can, deleting the rogue program directly through the file deletion function; if it cannot, creating the paging file according to the file path of the rogue program.
To achieve the above objects, the apparatus for removing a rogue program according to embodiments of the second aspect of the invention includes: a determining module, for determining the file path of a rogue program when the rogue program is detected in the operating system; a creation module, for creating a paging file according to the file path of the rogue program; and a removal module, for removing the rogue program by means of the file size of the paging file.
With the apparatus for removing a rogue program of the embodiments of the invention, the determining module determines the file path of the rogue program when a rogue program is detected in the operating system, the creation module creates a paging file according to that file path, and the removal module removes the rogue program by means of the paging file's file size. That is, a system paging file is created whose file path is the file path of the rogue program to be removed, so the rogue program is replaced by the paging file, and the file size of the replaced rogue program is controlled through the file size of the paging file. This achieves thorough deletion and helps break through the rogue program's protection to forcibly delete its file, thereby improving the deletion success rate and the system's security protection.
In one embodiment of the invention, the operating system is the Windows NT operating system.
According to one embodiment of the invention, the creation module includes: an acquiring unit, for obtaining a paging file creation function from a dynamic link library; and a creating unit, for using the paging file creation function to take the file path of the rogue program as the file path of the paging file, setting through that function the minimum file size of the paging file to a first threshold and the maximum file size of the paging file to a second threshold, thereby creating the paging file, where the first threshold is less than the second threshold.
In an embodiment of the invention, the dynamic link library is the Ntdll.dll library; the paging file creation function is the NtCreatePagingFile function; the first threshold is 0 and the second threshold is 1.
According to one embodiment of the invention, the apparatus further includes: a judgment module, for judging, before the paging file is created according to the file path of the rogue program, whether the rogue program can be deleted directly by a file deletion function; and a deletion module, for deleting the rogue program directly through the file deletion function when the judgment module judges that this is possible. The creation module is further used to create the paging file according to the file path of the rogue program when the judgment module judges that the rogue program cannot be deleted directly by the file deletion function.
To achieve the above objects, the electronic device according to embodiments of the third aspect of the invention includes: a housing, a processor, a memory, a circuit board and a power supply circuit, where the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or component of the electronic device; the memory stores executable program code; the processor reads the executable program code stored in the memory and runs the program corresponding to that code, so as to perform the following steps: when a rogue program is detected in the operating system, determining the file path of the rogue program; creating a paging file according to the file path of the rogue program, and removing the rogue program by means of the file size of the paging file.
With the electronic device of the embodiments of the invention, when a rogue program is detected in the operating system, the file path of the rogue program can be determined, a paging file created according to that file path, and the rogue program removed by means of the paging file's file size. That is, a system paging file is created whose file path is the file path of the rogue program to be removed, so the rogue program is replaced by the paging file, and the file size of the replaced rogue program is controlled through the file size of the paging file. This achieves thorough deletion and helps break through the rogue program's protection to forcibly delete its file, thereby improving the deletion success rate and the system's security protection.
To achieve the above objects, embodiments of the fourth aspect of the invention propose a storage medium, where the storage medium is used to store an application program, and the application program, when run, executes the method for removing a rogue program described in the embodiments of the first aspect of the invention.
To achieve the above objects, embodiments of the fifth aspect of the invention propose an application program, where the application program, when run, executes the method for removing a rogue program described in the embodiments of the first aspect of the invention.
Additional aspects and advantages of the invention will be set forth in part in the following description, and in part will become apparent from that description or be learned through practice of the invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the invention will become apparent and easy to understand from the following description of the embodiments in conjunction with the accompanying drawings, in which:
Fig. 1 is a flow chart of the method for removing a rogue program according to one embodiment of the invention;
Fig. 2 is a flow chart of the method for removing a rogue program according to a specific embodiment of the invention;
Fig. 3 is a structural block diagram of the apparatus for removing a rogue program according to one embodiment of the invention;
Fig. 4 is a structural block diagram of the apparatus for removing a rogue program according to a specific embodiment of the invention;
Fig. 5 is a structural block diagram of the apparatus for removing a rogue program according to another specific embodiment of the invention;
Fig. 6 is a structural schematic diagram of the electronic device according to one embodiment of the invention.
Detailed description of the embodiments
Embodiments of the invention are described in detail below, and examples of the embodiments are shown in the accompanying drawings, where the same or similar reference numerals throughout denote the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary; they are intended to explain the invention and are not to be construed as limiting it.
The method, apparatus and electronic device for removing a rogue program according to embodiments of the invention are described below with reference to the drawings.
Fig. 1 is a flow chart of the method for removing a rogue program according to one embodiment of the invention. It should be noted that the method for removing a rogue program of the embodiments of the invention can be applied to the apparatus for removing a rogue program of the embodiments of the invention, and that apparatus can be configured in the electronic device of the embodiments of the invention. The electronic device has an operating system, and may include but is not limited to a terminal and the like.
As shown in Fig. 1, the method for removing a rogue program may include:
S110: when a rogue program is detected in the operating system, determine the file path of the rogue program.
For example, suppose the method for removing a rogue program of the embodiments of the invention is applied in the security software of a terminal. The security software can perform security detection on the terminal's operating system; when a rogue program is detected in the terminal's operating system, its storage location in the operating system, i.e. the file path of the rogue program, can be determined.
As an example, detecting whether a rogue program exists in the terminal's operating system can be implemented as follows: the terminal's files are scanned, and if a scanned program or file is not in a whitelist of legitimate files, that program or file can be considered a rogue program. It will be appreciated that there are other ways to detect whether a rogue program exists in the terminal's operating system, which are not described here.
S120: create a paging file according to the file path of the rogue program, and remove the rogue program by means of the file size of the paging file. In one embodiment of the invention, the operating system can be the Windows NT operating system.
Specifically, after the file path of the rogue program is obtained, a paging file can be created whose file path is the file path of the rogue program, so that the paging file replaces the rogue program. The file size of the created paging file is set, and the removal of the rogue program is achieved through that file size.
Specifically, in one embodiment of the invention, a paging file creation function can first be obtained from a dynamic link library. The paging file creation function can then be used to take the file path of the rogue program as the file path of the paging file, to set the minimum file size of the paging file to a first threshold, and to set the maximum file size of the paging file to a second threshold, thereby creating the paging file, where the first threshold is less than the second threshold. In addition, the dynamic link library can be the Ntdll.dll library; the paging file creation function is the NtCreatePagingFile function; the first threshold is 0 and the second threshold is 1.
More specifically, taking the Windows NT operating system as an example, a function pointer for the paging file creation function (such as the NtCreatePagingFile function) can first be defined; suppose the function pointer is named FPN-NtCreatePagingFile. At the application layer of the operating system, a function-address lookup function is called to obtain the address of the paging file creation function from the dynamic link library (such as the Ntdll.dll library); for example, this can be expressed as GetProcAddress(ntdll.dll,"NtCreatePagingFile"). After the address of the paging file creation function is obtained, it can be assigned to the function pointer FPN-NtCreatePagingFile.
It will be appreciated that the function prototype of the paging file creation function NtCreatePagingFile in the dynamic link library ntdll.dll can be as follows:
Here, the first parameter "PageFileName" of the NtCreatePagingFile function indicates the file path of the paging file to be created, the second parameter "MiniumSize" indicates the minimum file size of the paging file to be created, and the third parameter "MaxiumSize" indicates the maximum file size of the paging file to be created.
After the address of the paging file creation function has been assigned to the function pointer FPN-NtCreatePagingFile, the function pointer FPN-NtCreatePagingFile can be called in order to call the paging file creation function NtCreatePagingFile, with the file path of the rogue program as the first parameter value of the NtCreatePagingFile function, the above first threshold as the second parameter value and the above second threshold as the third parameter value, so that the paging file is created through the NtCreatePagingFile function.
Finally, the rogue program is removed by means of the file size of the created paging file. Taking a first threshold of 0 and a second threshold of 1 as an example, the file size of the created paging file is 0 KB; that is, the file size of the rogue program replaced by the paging file is now 0 KB, meaning the original data of the rogue program has been emptied. The file's attribute has also become that of a system file, i.e. it has become a paging file, so the rogue program is thoroughly removed.
With the method for removing a rogue program of the embodiments of the invention, when a rogue program is detected in the operating system, the file path of the rogue program can be determined, a paging file created according to that file path, and the rogue program removed by means of the paging file's file size. That is, a system paging file is created whose file path is the file path of the rogue program to be removed, so the rogue program is replaced by the paging file, and the file size of the replaced rogue program is controlled through the file size of the paging file. This achieves thorough deletion and helps break through the rogue program's protection to forcibly delete its file, thereby improving the deletion success rate and the system's security protection.
Fig. 2 is a flow chart of the method for removing a rogue program according to a specific embodiment of the invention.
To improve availability and feasibility, in one embodiment of the invention, before the paging file is created according to the file path of the rogue program, the rogue program can first be checked to judge whether it can be deleted by a conventional file deletion method. If it can, the file is deleted directly; if it cannot, the rogue program is removed by creating a paging file. Specifically, as shown in Fig. 2, the method for removing a rogue program may include:
S210: when a rogue program is detected in the operating system, determine the file path of the rogue program.
S220: judge whether the rogue program can be deleted directly by a file deletion function.
It will be appreciated that some rogue programs can be deleted by the conventional file deletion methods of the prior art, and such rogue programs do not need to be forcibly deleted. Therefore, before a rogue program is forcibly deleted, and after its file path has been obtained, it can be judged whether the rogue program corresponding to that file path can be deleted directly by a file deletion function (such as the DeleteFile function or the NtDeleteFile function).
S230: if the rogue program can be deleted directly by the file deletion function, delete it directly through the file deletion function.
S240: if the rogue program cannot be deleted directly by the file deletion function, create a paging file according to the file path of the rogue program, and remove the rogue program by means of the file size of the paging file.
In one embodiment of the invention, the operating system can be the Windows NT operating system.
Specifically, in one embodiment of the invention, a paging file creation function can first be obtained from a dynamic link library. The paging file creation function can then be used to take the file path of the rogue program as the file path of the paging file, to set the minimum file size of the paging file to a first threshold, and to set the maximum file size of the paging file to a second threshold, thereby creating the paging file, where the first threshold is less than the second threshold. In addition, the dynamic link library can be the Ntdll.dll library; the paging file creation function is the NtCreatePagingFile function; the first threshold is 0 and the second threshold is 1.
With the method for removing a rogue program of the embodiments of the invention, before the paging file is created according to the file path of the rogue program, the rogue program can first be checked to judge whether it can be deleted by a conventional file deletion method. If it can, the file is deleted directly; if it cannot, the rogue program is removed by creating a paging file. That is, as an addition to the existing technical solution, in the rare cases where a rogue program cannot be deleted with a file deletion function, the rogue program can be forcibly replaced with a system paging file by creating a paging file. This helps break through the rogue program's protection to forcibly delete its file, has a positive effect on system security, and improves availability and feasibility.
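The Fig. 2 flow together with the whitelist check from S110, as an added Python sketch that is not part of the patent: files whose SHA-256 is missing from an allowlist are treated as rogue, conventional deletion is tried first, and the fallback runs only if the file is still present afterwards. The function names, the SHA-256 allowlist and the sample files are assumptions; the fallback used in the demo is a stand-in that only reproduces the 0 KB end state the description gives and does not call NtCreatePagingFile.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_unlisted(root, allowlist):
    """S210: return the paths of regular files whose hash is not allowlisted."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        if sha256_of(path) not in allowlist:
            hits.append(str(path))
    return hits


def remove_program(path, delete_fn=os.remove, fallback_fn=None):
    """S220-S240: return 'deleted', 'replaced' or 'failed' (hypothetical labels)."""
    try:
        delete_fn(path)  # S220/S230: conventional file deletion attempt
    except OSError:
        pass  # e.g. deletion refused while the file is protected
    # Design choice of this sketch: judge by file system state, not by the
    # return value of the deletion call.
    if not os.path.lexists(path):
        return "deleted"
    if fallback_fn is None:
        return "failed"
    try:
        fallback_fn(path)  # S240: platform-specific paging-file replacement
    except OSError:
        return "failed"
    # End state given in the description: the replaced file is 0 KB.
    if os.path.lexists(path) and os.path.getsize(path) == 0:
        return "replaced"
    return "failed"


def demo():
    """Run the flow over constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        good = Path(root, "good.bin")
        good.write_bytes(b"constructed: known good tool")
        Path(root, "plain.bin").write_bytes(b"constructed: unlisted sample A")
        Path(root, "guarded.bin").write_bytes(b"constructed: unlisted sample B")
        allowlist = {sha256_of(good)}

        def guarded_delete(path):
            # Simulates a file whose deletion is blocked.
            if Path(path).name == "guarded.bin":
                raise PermissionError("simulated: deletion blocked")
            os.remove(path)

        def stand_in_fallback(path):
            # Stand-in only: truncation reproduces the 0 KB end state.
            with open(path, "wb"):
                pass

        results = {}
        for hit in find_unlisted(root, allowlist):
            results[Path(hit).name] = remove_program(
                hit, guarded_delete, stand_in_fallback
            )
        results["good.bin kept"] = good.exists()
        return results


if __name__ == "__main__":
    print(demo())
```
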
To realize the above embodiments, the invention also proposes an apparatus for removing a rogue program.
Fig. 3 is a structural block diagram of the apparatus for removing a rogue program according to one embodiment of the invention. As shown in Fig. 3, the apparatus for removing a rogue program may include: a determining module 100, a creation module 200 and a removal module 300.
Specifically, the determining module 100 can be used to determine the file path of a rogue program when the rogue program is detected in the operating system.
For example, suppose the apparatus for removing a rogue program of the embodiments of the invention is applied in the security software of a terminal. The security software can perform security detection on the terminal's operating system; when a rogue program is detected in the terminal's operating system, the determining module 100 can determine its storage location in the operating system, i.e. the file path of the rogue program.
As an example, detecting whether a rogue program exists in the terminal's operating system can be implemented as follows: the terminal's files are scanned, and if a scanned program or file is not in a whitelist of legitimate files, that program or file can be considered a rogue program. It will be appreciated that there are other ways to detect whether a rogue program exists in the terminal's operating system, which are not described here.
The creation module 200 can be used to create a paging file according to the file path of the rogue program. In embodiments of the invention, the operating system can be the Windows NT operating system. More specifically, after the determining module 100 obtains the file path of the rogue program, the creation module 200 can create a paging file whose file path is the file path of the rogue program, so that the paging file replaces the rogue program, and can set the file size of the created paging file, so that the rogue program is subsequently removed through the file size of the paging file.
Specifically, in one embodiment of the invention, as shown in Fig. 4, the creation module 200 may include an acquiring unit 210 and a creating unit 220. The acquiring unit 210 can be used to obtain a paging file creation function from a dynamic link library. The creating unit 220 can be used to take, through the paging file creation function, the file path of the rogue program as the file path of the paging file, to set the minimum file size of the paging file to a first threshold, and to set the maximum file size of the paging file to a second threshold, thereby creating the paging file, where the first threshold is less than the second threshold. In addition, the dynamic link library can be the Ntdll.dll library; the paging file creation function can be the NtCreatePagingFile function; the first threshold can be 0 and the second threshold can be 1.
More specifically, taking the Windows NT operating system as an example, the acquiring unit 210 can first define a function pointer for the paging file creation function (such as the NtCreatePagingFile function); suppose the function pointer is named FPN-NtCreatePagingFile. At the application layer of the operating system, the acquiring unit 210 can call a function-address lookup function to obtain the address of the paging file creation function from the dynamic link library (such as the Ntdll.dll library); for example, this can be expressed as GetProcAddress (ntdll.dll, " NtCreatePagingFile "). After the acquiring unit 210 obtains the address of the paging file creation function, the creating unit 220 can assign that address to the function pointer FPN-NtCreatePagingFile.
It will be appreciated that the function prototype of the paging file creation function NtCreatePagingFile in the dynamic link library ntdll.dll can be as noted above.
Here, the first parameter "PageFileName" of the NtCreatePagingFile function indicates the file path of the paging file to be created, the second parameter "MiniumSize" indicates the minimum file size of the paging file to be created, and the third parameter "MaxiumSize" indicates the maximum file size of the paging file to be created.
After the creating unit 220 has assigned the address of the paging file creation function to the function pointer FPN-NtCreatePagingFile, the function pointer FPN-NtCreatePagingFile can be called in order to call the paging file creation function NtCreatePagingFile, with the file path of the rogue program as the first parameter value of the NtCreatePagingFile function, the above first threshold as the second parameter value and the above second threshold as the third parameter value, so that the paging file is created through the NtCreatePagingFile function.
The removal module 300 can be used to remove the rogue program by means of the file size of the paging file. For example, taking a first threshold of 0 and a second threshold of 1, the file size of the created paging file is 0 KB, and the removal module 300 can, according to the paging file's file size, change the file size of the rogue program to that of the paging file. That is, the file size of the rogue program replaced by the paging file is now 0 KB, meaning the original data of the rogue program has been emptied. The file's attribute has also become that of a system file, i.e. it has become a paging file, so the rogue program is thoroughly removed.
To improve availability and feasibility, in one embodiment of the invention, as shown in Fig. 5, the device for removing a rogue program may further include a judgment module 400 and a deletion module 500. Specifically, the judgment module 400 can be used to judge, before the paging file is created according to the file path of the rogue program, whether the rogue program can be deleted directly by a file deletion function. The deletion module 500 can be used to delete the rogue program directly by the file deletion function when the judgment module 400 judges that this is possible. In this embodiment, the creation module 200 can also be used to create the paging file according to the file path of the rogue program when the judgment module 400 judges that the rogue program cannot be deleted directly by the file deletion function. This extends the prior art: in the rare cases where a rogue program cannot be deleted with the file deletion function, creating a paging file forcibly replaces the rogue program with a system paging file, which helps achieve the goal of forcibly deleting the rogue program's file, benefits system security, and improves availability and feasibility.
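The judgment, direct-deletion and paging-file fallback steps described above, modeled as an added example that is not code from the patent: it runs against an in-memory file table and never calls Ntdll.dll. The names sim_file, sim_delete, sim_create_paging_file and remove_rogue_program are hypothetical, and the rule that the replaced file ends at the minimum size is an assumption taken from the text's 0 KB example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed in-memory stand-in for a file; nothing here touches a real disk. */
typedef struct {
    const char *path;
    unsigned long size_kb;
    bool exists;
    bool locked;          /* models a file the deletion function cannot remove */
    bool is_paging_file;  /* models the attribute change the text describes */
} sim_file;

typedef enum { REMOVED_BY_DELETE, REMOVED_BY_PAGING_FILE, REMOVAL_FAILED } removal_result;

/* Function-pointer types; the second mirrors the three parameters in the text. */
typedef bool (*delete_fn)(sim_file *fs, size_t n, const char *path);
typedef bool (*create_pf_fn)(sim_file *fs, size_t n, const char *path,
                             unsigned long min_kb, unsigned long max_kb);

static sim_file *sim_lookup(sim_file *fs, size_t n, const char *path) {
    for (size_t i = 0; i < n; i++)
        if (fs[i].exists && strcmp(fs[i].path, path) == 0) return &fs[i];
    return NULL;
}

/* Simulated file deletion function: fails on a locked or missing file. */
static bool sim_delete(sim_file *fs, size_t n, const char *path) {
    sim_file *f = sim_lookup(fs, n, path);
    if (f == NULL || f->locked) return false;
    f->exists = false;
    return true;
}

/* Simulated paging file creation. Assumption taken from the text: the file at
   `path` is replaced regardless of the lock and ends up at the minimum size. */
static bool sim_create_paging_file(sim_file *fs, size_t n, const char *path,
                                   unsigned long min_kb, unsigned long max_kb) {
    sim_file *f = sim_lookup(fs, n, path);
    if (f == NULL || min_kb >= max_kb) return false;
    f->size_kb = min_kb;
    f->is_paging_file = true;
    return true;
}

/* Judgment, deletion, creation and removal steps in the order the text gives. */
removal_result remove_rogue_program(sim_file *fs, size_t n, const char *path,
                                    unsigned long first_threshold, unsigned long second_threshold,
                                    delete_fn del, create_pf_fn create_pf) {
    if (del(fs, n, path)) return REMOVED_BY_DELETE;   /* direct deletion worked */
    if (first_threshold >= second_threshold) return REMOVAL_FAILED;
    if (!create_pf(fs, n, path, first_threshold, second_threshold))
        return REMOVAL_FAILED;
    /* Post-condition: original data gone, file is a paging file of minimum size. */
    sim_file *f = sim_lookup(fs, n, path);
    if (f != NULL && f->is_paging_file && f->size_kb == first_threshold)
        return REMOVED_BY_PAGING_FILE;
    return REMOVAL_FAILED;
}

int main(void) {
    sim_file fs[] = { { "C:\\sample\\plain.exe", 120, true, false, false },   /* constructed */
                      { "C:\\sample\\locked.exe", 340, true, true, false } };
    int a = remove_rogue_program(fs, 2, fs[0].path, 0, 1, sim_delete, sim_create_paging_file);
    int b = remove_rogue_program(fs, 2, fs[1].path, 0, 1, sim_delete, sim_create_paging_file);
    printf("%d %d %lu KB\n", a, b, fs[1].size_kb);
    return 0;
}
```

The fallback is refused when the first threshold is not less than the second, in which case the simulated file is left unchanged.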
In the device for removing a rogue program according to the embodiment of the invention, the determining module determines the file path of the rogue program when a rogue program is detected in the operating system, the creation module creates a paging file according to the file path of the rogue program, and the removal module removes the rogue program by means of the file size of the paging file. That is, a system paging file is created whose file path is the file path of the rogue program to be removed, so that the rogue program is replaced by the paging file, and the file size of the replaced rogue program is controlled by the file size of the paging file. This achieves complete deletion, helps achieve the goal of forcibly deleting the rogue program's file, raises the deletion success rate, and improves system security protection.
To implement the above embodiments, the invention also provides an electronic device.
Fig. 6 is a structural schematic diagram of an electronic device according to one embodiment of the invention. As shown in Fig. 6, the electronic device may include a housing 61, a processor 62, a memory 63, a circuit board 64 and a power circuit 65, wherein the circuit board 64 is placed inside the space enclosed by the housing 61, and the processor 62 and the memory 63 are arranged on the circuit board 64; the power circuit 65 supplies power to each circuit or component of the electronic device; the memory 63 stores executable program code; and the processor 62 runs the program corresponding to the executable program code by reading the executable program code stored in the memory 63, so as to execute the following steps:
S110': when a rogue program is detected in the operating system, determine the file path of the rogue program.
S120': create a paging file according to the file path of the rogue program, and remove the rogue program by means of the file size of the paging file.
The electronic device of the embodiment of the invention can, when a rogue program is detected in the operating system, determine the file path of the rogue program, create a paging file according to that file path, and remove the rogue program by means of the file size of the paging file. That is, a system paging file is created whose file path is the file path of the rogue program to be removed, so that the rogue program is replaced by the paging file, and the file size of the replaced rogue program is controlled by the file size of the paging file. This achieves complete deletion, helps achieve the goal of forcibly deleting the rogue program's file, raises the deletion success rate, and improves system security protection.
To implement the above embodiments, the invention also provides a storage medium for storing an application program, where the application program, when run, executes the method for removing a rogue program described in any of the above embodiments of the invention.
To implement the above embodiments, the invention also provides an application program which, when run, executes the method for removing a rogue program described in any of the above embodiments of the invention.
In the description of the invention, it should be understood that the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or as implicitly indicating the number of the technical features referred to. A feature defined with "first" or "second" may therefore explicitly or implicitly include at least one such feature. In the description of the invention, "multiple" means at least two, for example two or three, unless specifically defined otherwise.
In this specification, a description referring to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. In this specification, schematic uses of these terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples. In addition, where they do not conflict with each other, those skilled in the art may combine the different embodiments or examples described in this specification and the features of those embodiments or examples.
Any process or method description in a flow chart, or otherwise described herein, may be understood as representing a module, segment or portion of code that includes one or more executable instructions for implementing a specific logical function or step of the process, and the scope of the preferred embodiments of the invention includes other implementations in which functions may be executed out of the order shown or discussed, including substantially simultaneously or in the reverse order depending on the functions involved, as should be understood by those skilled in the art to which the embodiments of the invention belong.
The logic and/or steps represented in a flow chart or otherwise described herein may, for example, be regarded as an ordered list of executable instructions for implementing logical functions, and may be embodied in any computer-readable medium for use by, or in combination with, an instruction execution system, device or apparatus (such as a computer-based system, a system including a processor, or another system that can fetch instructions from the instruction execution system, device or apparatus and execute them). For the purposes of this specification, a "computer-readable medium" can be any means that can contain, store, communicate, propagate or transmit a program for use by, or in combination with, an instruction execution system, device or apparatus. More specific examples (a non-exhaustive list) of computer-readable media include: an electrical connection (electronic device) with one or more wires, a portable computer diskette (magnetic device), random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and portable compact disc read-only memory (CDROM). The computer-readable medium can even be paper or another suitable medium on which the program is printed, because the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or otherwise suitably processing it where necessary, and then stored in a computer memory.
It should be understood that each part of the invention can be implemented in hardware, software, firmware or a combination of them. In the above embodiments, multiple steps or methods can be implemented in software or firmware that is stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or a combination of the following technologies well known in the art can be used: a discrete logic circuit having logic gates for implementing logic functions on data signals, an application-specific integrated circuit having suitable combinational logic gates, a programmable gate array (PGA), a field-programmable gate array (FPGA), and so on.
Those skilled in the art will understand that all or part of the steps carried by the methods of the above embodiments can be completed by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, performs one of the steps of the method embodiments or a combination of them.
In addition, the functional units in the embodiments of the invention can be integrated in one processing module, or each unit can exist physically on its own, or two or more units can be integrated in one module. The integrated module can be implemented in the form of hardware or in the form of a software function module. If the integrated module is implemented in the form of a software function module and sold or used as an independent product, it can also be stored in a computer-readable storage medium.
The storage medium mentioned above can be a read-only memory, a magnetic disk, an optical disc or the like. Although embodiments of the invention have been shown and described above, it should be understood that the above embodiments are exemplary and are not to be understood as limiting the invention; those skilled in the art can change, modify, replace and vary the above embodiments within the scope of the invention.
Claims (11)
1. A method for removing a rogue program, characterized by comprising the following steps:
when a rogue program is detected in the operating system, determining the file path of the rogue program;
creating a paging file according to the file path of the rogue program, and removing the rogue program by means of the file size of the paging file, wherein the minimum file size of the created paging file is a first threshold, the maximum file size of the created paging file is a second threshold, and the first threshold is less than the second threshold.
2. The method for removing a rogue program according to claim 1, characterized in that the operating system is a Windows NT operating system.
3. The method for removing a rogue program according to claim 1 or 2, characterized in that creating a paging file according to the file path of the rogue program comprises:
obtaining a paging file creation function from a dynamic link library;
using the paging file creation function to take the file path of the rogue program as the file path of the paging file, to set the minimum file size of the paging file to the first threshold, and to set the maximum file size of the paging file to the second threshold, so as to create the paging file, wherein the first threshold is less than the second threshold.
4. The method for removing a rogue program according to claim 3, characterized in that the dynamic link library is the Ntdll.dll library; the paging file creation function is the NtCreatePagingFile function; the first threshold is 0 and the second threshold is 1.
5. The method for removing a rogue program according to claim 1, characterized in that, before the paging file is created according to the file path of the rogue program, the method further comprises:
judging whether the rogue program can be deleted directly by a file deletion function;
if the rogue program can be deleted directly by the file deletion function, deleting the rogue program directly by the file deletion function;
if the rogue program cannot be deleted directly by the file deletion function, creating the paging file according to the file path of the rogue program.
6. A device for removing a rogue program, characterized by comprising:
a determining module, for determining the file path of a rogue program when the rogue program is detected in the operating system;
a creation module, for creating a paging file according to the file path of the rogue program, wherein the minimum file size of the created paging file is a first threshold, the maximum file size of the created paging file is a second threshold, and the first threshold is less than the second threshold;
a removal module, for removing the rogue program by means of the file size of the paging file.
7. The device for removing a rogue program according to claim 6, characterized in that the operating system is a Windows NT operating system.
8. The device for removing a rogue program according to claim 6 or 7, characterized in that the creation module comprises:
an acquiring unit, for obtaining a paging file creation function from a dynamic link library;
a creating unit, for using the paging file creation function to take the file path of the rogue program as the file path of the paging file, to set the minimum file size of the paging file to the first threshold, and to set the maximum file size of the paging file to the second threshold, so as to create the paging file, wherein the first threshold is less than the second threshold.
9. The device for removing a rogue program according to claim 8, characterized in that the dynamic link library is the Ntdll.dll library; the paging file creation function is the NtCreatePagingFile function; the first threshold is 0 and the second threshold is 1.
10. The device for removing a rogue program according to claim 6, characterized by further comprising:
a judgment module, for judging, before the paging file is created according to the file path of the rogue program, whether the rogue program can be deleted directly by a file deletion function;
a deletion module, for deleting the rogue program directly by the file deletion function when the judgment module judges that the rogue program can be deleted directly by the file deletion function;
wherein the creation module is also used for creating the paging file according to the file path of the rogue program when the judgment module judges that the rogue program cannot be deleted directly by the file deletion function.
11. An electronic device, characterized by comprising a housing, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power circuit supplies power to each circuit or component of the electronic device; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, so as to execute the following steps:
when a rogue program is detected in the operating system, determining the file path of the rogue program;
creating a paging file according to the file path of the rogue program, and removing the rogue program by means of the file size of the paging file, wherein the minimum file size of the created paging file is a first threshold, the maximum file size of the created paging file is a second threshold, and the first threshold is less than the second threshold.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610493611.3A CN106127049B (en) | 2016-06-28 | 2016-06-28 | A kind of method, apparatus and electronic equipment for removing rogue program |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106127049A CN106127049A (en) | 2016-11-16 |
CN106127049B CN106127049B (en) | 2019-03-26 |
Family
ID=57284562
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610493611.3A Active CN106127049B (en) | 2016-06-28 | 2016-06-28 | A kind of method, apparatus and electronic equipment for removing rogue program |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106127049B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2007142615A2 (en) * | 2005-02-18 | 2007-12-13 | Credant Technologies, Inc. | System and method for intelligence based security |
CN102722680B (en) * | 2012-06-07 | 2014-11-05 | 腾讯科技(深圳)有限公司 | Method and system for removing rogue programs |
CN105631332A (en) * | 2015-12-24 | 2016-06-01 | 北京奇虎科技有限公司 | Malicious program processing method and apparatus |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9223642B2 (en) * | 2013-03-15 | 2015-12-29 | Super Talent Technology, Corp. | Green NAND device (GND) driver with DRAM data persistence for enhanced flash endurance and performance |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
TA01 | Transfer of patent application right |
Effective date of registration: 20181211 Address after: 519030 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province Applicant after: Zhuhai Leopard Technology Co.,Ltd. Address before: 100085 East District, Second Floor, 33 Xiaoying West Road, Haidian District, Beijing Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd. |
GR01 | Patent grant | ||