CN106127050A - Method and device for preventing system cursor from being maliciously modified and electronic equipment - Google Patents
- Publication number
- CN106127050A (application number CN201610497062.7A)
- Authority
- CN
- China
- Prior art keywords
- cursor
- function
- described process
- system default
- eigenvalue
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Abstract
The embodiments of the invention disclose a method and a device for preventing a system cursor from being maliciously modified, and electronic equipment, in the technical field of computer security; they can effectively prevent a malicious program from modifying the system cursor and improve the security of the system. The method comprises the following steps: monitoring the event of a process calling the function that modifies the system default cursor in an operating system; obtaining the process path of the process according to the monitored event; judging, according to the process path, whether the process is a malicious program process; and, if the process is a malicious program process, refusing to let the process modify the system default cursor. The method and the device are suitable for preventing malicious programs from modifying the system cursor, and thereby improve the security of the system.
Description
Technical field
The present invention relates to the technical field of computer security, and in particular to a method, a device and electronic equipment for preventing a system cursor from being maliciously modified.
Background technology
In the Windows system, the system provides default cursor patterns such as the standard arrow, the small hourglass and the cross-hair, each of which corresponds to a cursor identifier. The system provides the SetSystemCursor function, which is used to replace the cursor pattern corresponding to a specified cursor identifier. A malicious program can call SetSystemCursor to modify the default cursor patterns provided by the system, for example by replacing a system default cursor with a transparent pattern, with the result that the user can no longer see the cursor while moving the mouse.
At present, the commonly used defence against modification of the system default cursor patterns is to hook the application-layer SetSystemCursor function. In this way the event of a call to SetSystemCursor is observed by the hook function, so it is known in time that a malicious program process intends to modify the system default cursor, and the call can be blocked in time. However, the inventors found that SetSystemCursor corresponds to the kernel function NtUserSetSystemCursor. If a malicious program calls NtUserSetSystemCursor directly to modify the system default cursor, the method is more concealed, and current security software takes no protective measures against this kind of malicious call. Malware can therefore still modify the system default cursor in this way, destroying the system's default cursor patterns and preventing the user from identifying the cursor normally.
Summary of the invention
In view of this, embodiments of the present invention provide a method, a device and electronic equipment for preventing a system cursor from being maliciously modified, which can effectively stop a malicious program from modifying the system cursor and improve the security of the system.
In a first aspect, an embodiment of the present invention provides a method for preventing a system cursor from being maliciously modified, comprising:
monitoring the event of a process calling the function that modifies the system default cursor in the operating system;
obtaining the process path of the process according to the monitored event;
judging, according to the process path, whether the process is a malicious program process; and
if the process is a malicious program process, refusing to let the process modify the system default cursor.
With reference to the first aspect, in a first implementation of the first aspect, the operating system is the Windows operating system, and the function that modifies the system default cursor is the NtUserSetSystemCursor function of the operating system kernel layer.
Before monitoring the event of a process calling the function that modifies the system default cursor, the method further comprises: pre-setting a hook function that hooks the function that modifies the system default cursor in the operating system.
Monitoring the event of a process calling the function that modifies the system default cursor then comprises: monitoring, by means of the hook function, the event of a process calling that function.
With reference to the first implementation of the first aspect, in a second implementation of the first aspect, refusing to let the process modify the system default cursor comprises:
returning refusal information to the process through the hook function; or
the hook function refusing to call the NtUserSetSystemCursor function, so as to refuse the modification of the system default cursor.
With reference to the first aspect, in a third implementation of the first aspect, after judging according to the process path whether the process is a malicious program process, the method further comprises:
if the process is not a malicious program process, calling the function that modifies the system default cursor, thereby allowing the process to modify the system default cursor.
With reference to the first aspect, in a fourth implementation of the first aspect, judging according to the process path whether the process is a malicious program process comprises:
obtaining, according to a preset eigenvalue algorithm, the eigenvalue of the file corresponding to the process path;
judging whether the eigenvalue of the file corresponding to the process path is recorded in a preset feature database;
if the eigenvalue of that file is recorded in the preset feature database, determining that the process is a malicious program process; if it is not recorded, determining that the process is not a malicious program process;
wherein the preset feature database records the eigenvalues of the files corresponding to the process paths of known malicious programs.
With reference to the fourth implementation of the first aspect, in a fifth implementation of the first aspect, before judging whether the eigenvalue of the file corresponding to the process path is recorded in the preset feature database, the method further comprises:
collecting the process paths of known malicious programs;
obtaining, according to the preset eigenvalue algorithm, the eigenvalues of the files corresponding to the process paths of the known malicious programs; and
storing the eigenvalues of those files in the feature database.
With reference to the fourth or fifth implementation of the first aspect, in a sixth implementation of the first aspect, the preset eigenvalue algorithm is:
computing the Message Digest value or hash value of the file at the process path as the eigenvalue of the file corresponding to the process path; or
obtaining the file version number from the process path as the eigenvalue of the file corresponding to the process path.
In a second aspect, an embodiment of the present invention provides a device for preventing a system cursor from being maliciously modified, comprising:
a monitoring module, configured to monitor the event of a process calling the function that modifies the system default cursor in the operating system;
an acquisition module, configured to obtain the process path of the process according to the event monitored by the monitoring module;
a judging module, configured to judge, according to the process path obtained by the acquisition module, whether the process is a malicious program process; and
a blocking module, configured to refuse to let the process modify the system default cursor when the judging module judges that the process is a malicious program process.
With reference to the second aspect, in a first implementation of the second aspect, when the operating system is the Windows operating system, the monitoring module is provided in advance with a hook function that hooks the NtUserSetSystemCursor function of the operating system kernel layer, and the monitoring module monitors, by means of the hook function, the event of a process calling the function that modifies the system default cursor in the operating system.
With reference to the first implementation of the second aspect, in a second implementation of the second aspect, the blocking module returns refusal information to the process through the hook function, or refuses to call the NtUserSetSystemCursor function, so as to refuse the modification of the system default cursor.
With reference to the second aspect, in a third implementation of the second aspect, the blocking module is further configured to call the function that modifies the system default cursor when the judging module judges that the process is not a malicious program process, thereby allowing the process to modify the system default cursor.
With reference to the second aspect, in a fourth implementation of the second aspect, the judging module comprises:
an eigenvalue calculation submodule, configured to obtain, according to a preset eigenvalue algorithm, the eigenvalue of the file corresponding to the process path obtained by the acquisition module; and
a matching submodule, configured to judge whether the eigenvalue obtained by the eigenvalue calculation submodule is recorded in a preset feature database, to determine that the process is a malicious program process if the eigenvalue is recorded in the preset feature database, and to determine that the process is not a malicious program process if it is not recorded; wherein the preset feature database records the eigenvalues of the files corresponding to the process paths of known malicious programs.
With reference to the fourth implementation of the second aspect, in a fifth implementation of the second aspect, the device further comprises:
a feature database generation module, configured to collect the process paths of known malicious programs in advance, obtain the eigenvalues of the files corresponding to those process paths according to the preset eigenvalue algorithm, and store them in the feature database.
With reference to the fourth or fifth implementation of the second aspect, in a sixth implementation of the second aspect, the eigenvalue calculation submodule is specifically configured to compute the Message Digest value or hash value of the file at the process path obtained by the acquisition module as the eigenvalue of the file corresponding to the process path, or to obtain the file version number from the process path obtained by the acquisition module as the eigenvalue of the file corresponding to the process path.
In a third aspect, an embodiment of the present invention provides electronic equipment comprising a housing, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power circuit supplies power to each circuit or device of the electronic equipment; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, in order to perform the method for preventing a system cursor from being maliciously modified described in any of the foregoing embodiments.
The method, device and electronic equipment for preventing a system cursor from being maliciously modified provided by the embodiments of the present invention monitor the event of a process calling the function that modifies the system default cursor in the operating system; when such a call is detected, the process path is obtained and used to judge whether the process is a malicious program process, and if it is, the process is refused permission to modify the system default cursor. Malicious programs are thereby effectively prevented from modifying the system cursor, and the security of the system is improved.
Accompanying drawing explanation
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of method embodiment one of the present invention for preventing a system cursor from being maliciously modified;
Fig. 2 is a flow chart of method embodiment two of the present invention for preventing a system cursor from being maliciously modified;
Fig. 3 is a structural schematic diagram of device embodiment one of the present invention for preventing a system cursor from being maliciously modified;
Fig. 4 is a structural schematic diagram of device embodiment three of the present invention for preventing a system cursor from being maliciously modified;
Fig. 5 is a structural schematic diagram of an embodiment of the electronic equipment of the present invention.
Detailed description of the invention
The method, device and electronic equipment for preventing a system cursor from being maliciously modified according to the embodiments of the present invention are described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flow chart of method embodiment one of the present invention for preventing a system cursor from being maliciously modified. As shown in Fig. 1, the method of this embodiment may include:
Step 101: monitor the event of a process calling the function that modifies the system default cursor in the operating system.
In this embodiment, a malicious program must call the function provided by the operating system for modifying the system default cursor in order to modify the cursor. By monitoring that function, the message in which a malicious program attempts to modify the system default cursor can therefore be intercepted in time. After the message is intercepted, the malicious program process can be refused permission to modify the system default cursor, which effectively stops malicious programs from modifying the default cursor and improves the security of the system.
Step 102: obtain the process path of the process according to the monitored event.
In this embodiment, the process path can be obtained, for example, by calling a system function that returns the process path for a given process identifier (PID).
Step 103: judge, according to the process path, whether the process is a malicious program process; if so, perform step 104.
In this embodiment, because the process path of a malicious program is relatively fixed, whether the process is a malicious program process can be judged from the path information of the current process.
In this embodiment, as an optional mode, the eigenvalue of the file corresponding to the process path can be obtained according to a preset eigenvalue algorithm; it is then judged whether that eigenvalue is recorded in a preset feature database. If the eigenvalue of the file corresponding to the process path is recorded in the preset feature database, the process is determined to be a malicious program process; if it is not recorded, the process is determined not to be a malicious program process. The feature database is generated in advance as follows: collect the process paths of known malicious programs; obtain, according to the preset eigenvalue algorithm, the eigenvalues of the files corresponding to those process paths; and store them in the feature database.
Preferably, the preset eigenvalue algorithm is: compute the Message Digest 5 (MD5) value or hash (HASH) value of the file at the process path as the eigenvalue of the file corresponding to the process path; or obtain the file version number from the process path as the eigenvalue of the file corresponding to the process path.
Step 104: refuse to let the process modify the system default cursor.
In this embodiment, if the current process is a malicious program process, it is refused permission to modify the system default cursor, which effectively stops malicious programs from modifying the default cursor.
This embodiment monitors calls by malicious programs to the operating system function that modifies the system default cursor, effectively stops malicious programs from modifying the default cursor, and thereby improves the security of the system.
The method provided by this embodiment for preventing a system cursor from being maliciously modified monitors the event of a process calling the function that modifies the system default cursor in the operating system; when such a call is detected, it obtains the process path, judges from that path whether the process is a malicious program process and, if so, refuses to let the process modify the system default cursor. Malicious programs are thereby effectively prevented from modifying the system cursor, and the security of the system is improved.
Fig. 2 is a flow chart of method embodiment two of the present invention for preventing a system cursor from being maliciously modified. This embodiment applies to the Windows operating system, where the function that modifies the system default cursor is the NtUserSetSystemCursor function of the operating system kernel layer. The embodiment is suitable for security protection applications such as Jinshan anti-virus software or Kingsoft bodyguard to protect the system default cursor of the operating system. As shown in Fig. 2, the method of this embodiment comprises the following steps:
Step 201: monitor the event of a process calling the NtUserSetSystemCursor function in the operating system.
In this embodiment, the event of a process calling the NtUserSetSystemCursor function is monitored by a hook function set in advance in the operating system. A hook function is in fact a program segment that processes messages; it is called by the system and linked into the system. Whenever a particular message is sent, the hook function captures it before it reaches the target window, that is, the hook function obtains control first. At that point the hook function can process the message, pass it on without processing it, or force the transmission to end.
In this embodiment, before this step is performed, the hook function is built in advance into the defence driver of a security protection application such as Jinshan anti-virus software, and this hook function hooks the NtUserSetSystemCursor function in the operating system. The defence driver of the security protection application starts running as soon as the Windows operating system boots.
In this embodiment, the original entry address of the NtUserSetSystemCursor function is replaced with the entry address of the hook function of this embodiment. Because the original entry address of NtUserSetSystemCursor has been replaced with the entry address of the hook function, when a malicious process calls NtUserSetSystemCursor, execution jumps to the hook function of this embodiment, and this is how the NtUserSetSystemCursor function is supervised. In order to be able to call back into the NtUserSetSystemCursor function, its original entry address must be saved before it is replaced with the entry address of the hook function of this embodiment.
Step 202: when the hook function detects the event of a process calling the NtUserSetSystemCursor function, obtain the process path of the process.
In this embodiment, a malicious process calling the NtUserSetSystemCursor function causes the Windows operating system to send a message calling NtUserSetSystemCursor, and this message can be intercepted directly by the hook function. The hook function intercepting this message is regarded as detecting the event of a process calling the NtUserSetSystemCursor function. The process path can then be obtained from the process identifier (PID) by calling a system function that returns the process path, such as GetModuleFileNameEx or GetProcessImageFileName.
Step 203: judge, according to the process path, whether the process is a malicious program process; if so, perform step 204, otherwise perform step 205.
In this embodiment, the processing of step 203 is similar to step 103 of the method embodiment above and is not repeated here.
Step 204: refuse to let the process modify the system default cursor.
In this embodiment, the hook function returns refusal information to the process, or the hook function refuses to call the NtUserSetSystemCursor function, so as to refuse the process's modification of the system default cursor.
Step 205: the hook function calls the NtUserSetSystemCursor function, allowing the process to modify the system default cursor.
In this embodiment, when the process is not a malicious program process, the operating system kernel function NtUserSetSystemCursor can be called, allowing the process to modify the system default cursor.
The method provided by this embodiment for preventing a system cursor from being maliciously modified can effectively stop malicious programs from modifying the system default cursor, and thereby improves the security of the system.
A specific example is used below to describe in detail the technical solution of the method embodiments shown in Fig. 1 and Fig. 2.
Suppose there is a piece of malware A in the user's computer environment. The defence driver of Jinshan anti-virus software hooks the NtUserSetSystemCursor function that modifies the system default cursor. When the process of malware A causes a call to the NtUserSetSystemCursor function to modify the system default cursor, this behaviour is intercepted by the defence driver, which returns a refusal, so that the malware fails to modify the system default cursor and the user's system is better protected from damage.
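Steps 201 to 205 and the malware A scenario above combine three pieces of logic: a hook that keeps the saved original entry point, a PID-to-path lookup, and an eigenvalue match against the feature database. The following Python simulation is an added example, not code from the patent or from any Kingsoft product; the kernel function, the process table and the sample files are constructed stand-ins so the allow/deny decision can be run in user mode.

```python
"""Added example: user-mode simulation of the patent's hook decision flow.

The real mechanism is a kernel driver hooking NtUserSetSystemCursor. Here the
kernel function, the process table (the role GetProcessImageFileName plays in
step 202) and the malware sample are all constructed so the logic runs offline.
"""
import hashlib
import os
import tempfile

STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022   # NTSTATUS used here as the "refusal information"
OCR_NORMAL = 32512                  # Windows cursor identifier of the standard arrow

# Constructed stand-in for the kernel's cursor table: cursor id -> pattern.
SYSTEM_CURSORS = {}


def original_set_system_cursor(cursor_id, pattern):
    """Stand-in for the saved original entry point of NtUserSetSystemCursor."""
    SYSTEM_CURSORS[cursor_id] = pattern
    return STATUS_SUCCESS


def file_eigenvalue(path, algorithm="md5"):
    """Eigenvalue of the file behind a process path (the patent's MD5/hash option).

    The file is read in chunks so a large executable need not fit in memory.
    """
    digest = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_feature_database(known_malicious_paths, algorithm="md5"):
    """Feature database generation: eigenvalues of known malicious program files."""
    return {file_eigenvalue(p, algorithm) for p in known_malicious_paths}


def is_malicious_process(process_path, feature_db, algorithm="md5"):
    """Step 103/203: malicious iff the file's eigenvalue is recorded in the database."""
    return file_eigenvalue(process_path, algorithm) in feature_db


class CursorHook:
    """Stand-in for the hook function installed at NtUserSetSystemCursor's entry."""

    def __init__(self, feature_db, process_table, original=original_set_system_cursor):
        self.feature_db = feature_db
        self.process_table = process_table    # pid -> image path (constructed)
        self.original = original              # saved original entry (step 201)
        self.log = []                         # (decision, pid, path) for auditing

    def __call__(self, pid, cursor_id, pattern):
        path = self.process_table[pid]                        # step 202
        if is_malicious_process(path, self.feature_db):       # step 203
            self.log.append(("deny", pid, path))
            return STATUS_ACCESS_DENIED                       # step 204
        self.log.append(("allow", pid, path))
        return self.original(cursor_id, pattern)              # step 205


def run_scenario():
    """Constructed malware A scenario: one blocked and one allowed cursor change."""
    with tempfile.TemporaryDirectory() as tmp:
        malware_a = os.path.join(tmp, "malware_a.exe")
        benign = os.path.join(tmp, "benign.exe")
        with open(malware_a, "wb") as f:
            f.write(b"MZ constructed sample: malware A\n")
        with open(benign, "wb") as f:
            f.write(b"MZ constructed sample: benign program\n")

        feature_db = build_feature_database([malware_a])
        hook = CursorHook(feature_db, {4242: malware_a, 1000: benign})
        SYSTEM_CURSORS.clear()

        # Malware A tries to make the standard arrow transparent; a benign
        # process then sets it to a normal arrow pattern.
        malware_status = hook(4242, OCR_NORMAL, "transparent")
        benign_status = hook(1000, OCR_NORMAL, "standard_arrow")
        return {
            "malware_status": malware_status,
            "benign_status": benign_status,
            "cursors": dict(SYSTEM_CURSORS),
            "log": list(hook.log),
        }


if __name__ == "__main__":
    for decision, pid, path in run_scenario()["log"]:
        print(f"{decision:5s} pid={pid} {os.path.basename(path)}")
```

As in the patent, the check is a blocklist: a file whose eigenvalue is not recorded is allowed through, so the feature database has to be kept current.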
Fig. 3 is a structural schematic diagram of device embodiment one of the present invention for preventing a system cursor from being maliciously modified. As shown in Fig. 3, the device of this embodiment may include: a monitoring module 11, configured to monitor the event of a process calling the function that modifies the system default cursor in the operating system; an acquisition module 12, configured to obtain the process path of the process according to the event monitored by the monitoring module 11; a judging module 13, configured to judge, according to the process path obtained by the acquisition module 12, whether the process is a malicious program process; and a blocking module 14, configured to refuse to let the process modify the system default cursor when the judging module 13 judges that the process is a malicious program process.
The device of this embodiment may be used to perform the technical solution of the method embodiment shown in Fig. 1; its principle and technical effect are similar and are not repeated here.
In device embodiment two of the present invention for preventing a system cursor from being maliciously modified, when the device is in the Windows operating system, the monitoring module 11 is provided in advance with a hook function that hooks the NtUserSetSystemCursor function of the operating system kernel layer, and the monitoring module 11 monitors, by means of the hook function, the event of a process calling the NtUserSetSystemCursor function in the operating system. The blocking module 14 returns refusal information to the process through the hook function, or refuses to call the NtUserSetSystemCursor function, so as to refuse the modification of the system default cursor; the blocking module 14 is further configured to call the NtUserSetSystemCursor function that modifies the system default cursor when the judging module 13 judges that the process is not a malicious program process, allowing the process to modify the system default cursor.
The device of this embodiment may be used to perform the technical solution of the method embodiment shown in Fig. 2; its principle and technical effect are similar and are not repeated here.
Fig. 4 is a structural schematic diagram of device embodiment three of the present invention for preventing a system cursor from being maliciously modified. As shown in Fig. 4, on the basis of the device structure shown in Fig. 3, the judging module 13 of the device of this embodiment further includes: an eigenvalue calculation submodule 131, configured to obtain, according to the preset eigenvalue algorithm, the eigenvalue of the file corresponding to the process path obtained by the acquisition module 12; and a matching submodule 132, configured to judge whether the eigenvalue of the file obtained by the eigenvalue calculation submodule 131 is recorded in the preset feature database, to determine that the process is a malicious program process if it is recorded, and to determine that the process is not a malicious program process if it is not recorded; wherein the preset feature database records the eigenvalues of the files corresponding to the process paths of known malicious programs.
Preferably, in embodiment three, the eigenvalue calculation submodule 131 is specifically configured to compute the Message Digest 5 (MD5) value or hash (HASH) value of the file at the process path obtained by the acquisition module 12 as the eigenvalue of the file corresponding to the process path, or to obtain the file version number from that process path as the eigenvalue of the file.
Preferably, the device of embodiment three for preventing a system cursor from being maliciously modified further includes a feature database generation module (not shown in Fig. 4), configured to collect the process paths of known malicious programs in advance, obtain the eigenvalues of the corresponding files according to the preset eigenvalue algorithm, and store them in the feature database.
The device of this embodiment may be used to perform the technical solution of the method embodiments shown in Fig. 1 or Fig. 2; its principle and technical effect are similar and are not repeated here.
An embodiment of the present invention also provides electronic equipment. Fig. 5 is a structural schematic diagram of an embodiment of the electronic equipment of the present invention, which can implement the flow of the embodiments shown in Fig. 1 or Fig. 2. As shown in Fig. 5, the electronic equipment may include: a housing 21, a processor 22, a memory 23, a circuit board 24 and a power circuit 25, wherein the circuit board 24 is placed inside the space enclosed by the housing 21, and the processor 22 and the memory 23 are arranged on the circuit board 24; the power circuit 25 supplies power to each circuit or device of the electronic equipment; the memory 23 stores executable program code; and the processor 22 runs the program corresponding to the executable program code by reading the executable program code stored in the memory 23, in order to perform the method for preventing the system default cursor from being maliciously modified described in any of the foregoing embodiments.
The electronic equipment exists in various forms, including but not limited to:
(1) Mobile communication equipment: this type of equipment is characterised by mobile communication capability, with voice and data communication as its main goal. This type of terminal includes smart phones (such as the iPhone), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer equipment: this type of equipment belongs to the category of personal computers, has computing and processing functions, and generally also has mobile Internet access. This type of terminal includes PDA, MID and UMPC devices, such as the iPad.
(3) Portable entertainment equipment: this type of equipment can display and play multimedia content. It includes audio and video players (such as the iPod), handheld devices, e-book readers, smart toys and portable in-vehicle navigation devices.
(4) Servers: equipment that provides computing services. A server consists of a processor, hard disk, memory, system bus and so on, with an architecture similar to that of a general-purpose computer, but because it must provide highly reliable services, it has higher requirements in processing capability, stability, reliability, security, scalability and manageability.
(5) Other electronic equipment with data interaction functions.
It should be noted that, in this document, relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply that any such actual relationship or order exists between these entities or operations. Moreover, the terms "include", "comprise" or any other variant of them are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, article or device. Where there is no further restriction, an element defined by the statement "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes that element.
One of ordinary skill in the art will appreciate that all or part of the flow of the methods in the embodiments above may be carried out by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the flow of the embodiments of each of the methods above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM) or the like.
The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited to it. Any change or replacement that a person familiar with the art could readily conceive within the technical scope disclosed by the invention shall be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of the claims.
Claims (10)
1. A method for preventing a system cursor from being maliciously modified, characterized in that it comprises:
monitoring an event in which a process calls the system default cursor modification function of the operating system;
acquiring the process path of the process according to the monitored event;
judging, according to the process path, whether the process is a malicious program process;
if the process is a malicious program process, refusing the process's modification of the system default cursor.
2. The method for preventing a system cursor from being maliciously modified according to claim 1, characterized in that the system is the Windows operating system, and the system default cursor modification function is the NtUserSetSystemCursor function of the operating system kernel layer;
before monitoring the event in which a process calls the system default cursor modification function of the operating system, the method further comprises: presetting a hook function that hooks the system default cursor modification function of the operating system;
monitoring the event in which a process calls the system default cursor modification function of the operating system comprises: monitoring, through the hook function, the event in which a process calls the system default cursor modification function of the operating system.
3. The method for preventing a system cursor from being maliciously modified according to claim 2, characterized in that refusing the process's modification of the system default cursor comprises:
returning refusal information to the process through the hook function; or
the hook function refusing to call the NtUserSetSystemCursor function, so as to refuse modification of the system default cursor.
4. The method for preventing a system cursor from being maliciously modified according to claim 1, characterized in that, after judging according to the process path whether the process is a malicious program process, the method further comprises:
if the process is not a malicious program process, calling the system default cursor modification function and allowing the process to modify the system default cursor.
5. The method for preventing a system cursor from being maliciously modified according to claim 1, characterized in that judging according to the process path whether the process is a malicious program process comprises:
obtaining, according to a preset feature value algorithm, the feature value of the file corresponding to the process path;
judging whether the feature value of the file corresponding to the process path is recorded in a preset feature database;
if the feature value of the file corresponding to the process path is recorded in the preset feature database, determining that the process is a malicious program process; if the feature value of the file corresponding to the process path is not recorded in the preset feature database, determining that the process is not a malicious program process;
wherein the preset feature database records the feature values of the files corresponding to the process paths of known malicious programs.
6. A device for preventing a system cursor from being maliciously modified, characterized in that it comprises:
a monitoring module, for monitoring an event in which a process calls the system default cursor modification function of the operating system;
an acquisition module, for acquiring the process path of the process according to the event monitored by the monitoring module;
a judging module, for judging, according to the process path acquired by the acquisition module, whether the process is a malicious program process;
a prevention module, for refusing the process's modification of the system default cursor when the judging module judges that the process is a malicious program process.
7. The device for preventing a system cursor from being maliciously modified according to claim 6, characterized in that, when the operating system is the Windows operating system, the monitoring module is preset with a hook function that hooks the NtUserSetSystemCursor function of the operating system kernel layer, and the monitoring module monitors, through the hook function, the event in which a process calls the system default cursor modification function of the operating system.
8. The device for preventing a system cursor from being maliciously modified according to claim 7, characterized in that the prevention module returns refusal information to the process through the hook function, or refuses to call the NtUserSetSystemCursor function, so as to refuse modification of the system default cursor.
9. The device for preventing a system cursor from being maliciously modified according to claim 6, characterized in that the prevention module is further configured to, when the judging module judges that the process is not a malicious program process, call the system default cursor modification function and allow the process to modify the system default cursor.
10. An electronic device, characterized in that the electronic device comprises a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor reads the executable program code stored in the memory and runs the program corresponding to that code, in order to perform the method for preventing a system cursor from being maliciously modified according to any one of claims 1 to 5.
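The claims above describe the hook-and-judge procedure (claims 1 to 5 and 7 to 9) without fixing the feature value algorithm, the database layout or how the hook reaches the original function. The C program below is an added example, not code from the patent or its applicant: it models the decision in user space, with FNV-1a over the file bytes standing in for the unspecified feature value algorithm, an in-memory table standing in for the file system, and a function pointer standing in for the kernel NtUserSetSystemCursor. All paths, image bytes and the fail-closed choice for an unresolvable path are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef enum { CURSOR_ALLOW = 0, CURSOR_DENY = 1 } cursor_verdict;

/* Stand-in for the patent's unspecified feature value algorithm (assumption): FNV-1a 64-bit over the file bytes. */
uint64_t feature_value(const unsigned char *data, size_t len) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Constructed stand-in for the file system: the image bytes found at each process path. */
struct image { const char *path; const char *bytes; };
static const struct image images[] = {
    { "C:\\Windows\\explorer.exe",   "constructed-benign-image" },
    { "C:\\Users\\Public\\evil.exe", "constructed-malicious-image" },
};

/* Acquisition step: resolve a process path to the file it names; NULL when there is no such file. */
static const unsigned char *read_image(const char *path, size_t *len) {
    for (size_t i = 0; i < sizeof images / sizeof images[0]; i++)
        if (strcmp(images[i].path, path) == 0) { *len = strlen(images[i].bytes); return (const unsigned char *)images[i].bytes; }
    return NULL;
}

/* Feature database (claim 5): feature values of the files at known malicious process paths. */
#define FEATURE_DB_MAX 16
static uint64_t feature_db[FEATURE_DB_MAX];
static size_t feature_db_len = 0;

void feature_db_add_path(const char *path) {
    size_t len = 0; const unsigned char *img = read_image(path, &len);
    if (img && feature_db_len < FEATURE_DB_MAX) feature_db[feature_db_len++] = feature_value(img, len);
}

/* Judging step (claim 5): malicious iff the feature value of the file at the path is recorded in the database. */
cursor_verdict judge_process(const char *path) {
    size_t len = 0; const unsigned char *img = read_image(path, &len);
    if (!img) return CURSOR_DENY;  /* unresolvable path: fail closed (assumption; the patent does not cover this case) */
    uint64_t fv = feature_value(img, len);
    for (size_t i = 0; i < feature_db_len; i++) if (feature_db[i] == fv) return CURSOR_DENY;
    return CURSOR_ALLOW;
}

/* Hook function (claims 2 to 4, 7 to 9): the original kernel function is modelled as a function pointer. */
typedef int (*set_cursor_fn)(int cursor_id);
static int original_calls = 0;
static int original_set_cursor(int cursor_id) { (void)cursor_id; original_calls++; return 0; }
int original_call_count(void) { return original_calls; }

/* Denies by returning refusal information (-1) without calling the original; otherwise forwards the call. */
int hooked_set_cursor(const char *path, int cursor_id, set_cursor_fn original) {
    if (judge_process(path) == CURSOR_DENY) return -1;
    return original(cursor_id);
}
```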
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610497062.7A CN106127050A (en) | 2016-06-29 | 2016-06-29 | Method and device for preventing system cursor from being maliciously modified and electronic equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106127050A true CN106127050A (en) | 2016-11-16 |
Family
ID=57284281
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610497062.7A Pending CN106127050A (en) | 2016-06-29 | 2016-06-29 | Method and device for preventing system cursor from being maliciously modified and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106127050A (en) |
- 2016-06-29 CN CN201610497062.7A patent/CN106127050A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101414339A (en) * | 2007-10-15 | 2009-04-22 | 北京瑞星国际软件有限公司 | Method for protecting proceeding internal memory and ensuring drive program loading safety |
CN101924762A (en) * | 2010-08-18 | 2010-12-22 | 奇智软件(北京)有限公司 | Cloud security-based active defense method |
US20150007326A1 (en) * | 2012-06-26 | 2015-01-01 | Lynuxworks, Inc. | Systems and Methods Involving Features of Hardware Virtualization Such as Separation Kernel Hypervisors, Hypervisors, Hypervisor Guest Context, Hypervisor Contest, Rootkit Detection/Prevention, and/or Other Features |
CN102902919A (en) * | 2012-08-30 | 2013-01-30 | 北京奇虎科技有限公司 | Method, device and system for identifying and processing suspicious practices |
Non-Patent Citations (1)
Title |
---|
数学主义: "sandboxie的工作原理" (How Sandboxie works), 《HTTPS://BBS.KAFAN.CN/THREAD-1638740-1-1.HTML》 * |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108037972A (en) * | 2017-12-14 | 2018-05-15 | 威创集团股份有限公司 | Method and device for completely hiding the cursor |
CN108037972B (en) * | 2017-12-14 | 2021-06-08 | 威创集团股份有限公司 | Method and device for completely hiding cursor |
CN109783316A (en) * | 2018-12-29 | 2019-05-21 | 360企业安全技术(珠海)有限公司 | The recognition methods and device, storage medium, computer equipment of system security log tampering |
CN109783316B (en) * | 2018-12-29 | 2022-07-05 | 奇安信安全技术(珠海)有限公司 | Method and device for identifying tampering behavior of system security log, storage medium and computer equipment |
CN111914251A (en) * | 2020-07-03 | 2020-11-10 | 上海理想信息产业(集团)有限公司 | Intelligent terminal safety protection method and system based on hybrid control technology |
Similar Documents
Publication | Title |
---|---|
CN104125216A (en) | Method, system and terminal capable of improving safety of trusted execution environment |
Shezan et al. | Read between the lines: An empirical measurement of sensitive applications of voice personal assistant systems |
CN108270786A (en) | Permission management method and device, storage medium and intelligent terminal for an application program |
US11916936B2 (en) | Techniques for incentivized intrusion detection system |
CN103975336A (en) | Encoding labels in values to capture information flows |
CN106203092A (en) | Method and device for intercepting shutdown of malicious program and electronic equipment |
CN105844146A (en) | Method and device for protecting driver and electronic equipment |
CN114244808B (en) | Offline illegal external connection method and device based on passive inspection of non-client mode |
CN106127050A (en) | Method and device for preventing system cursor from being maliciously modified and electronic equipment |
CN106022100A (en) | Method and device for intercepting installation of malicious program and electronic equipment |
CN103763112A (en) | User identity protection method and apparatus |
CN106203077A (en) | Processing method and device for copy information and electronic equipment |
CN106534093A (en) | Terminal data processing method, device and system |
CN106529312A (en) | Method and device for permission control of mobile terminal, and mobile terminal |
CN106127034B (en) | Method and device for preventing the system from being maliciously shut down, and electronic equipment |
CN106203107A (en) | Method and device for preventing system menu from being maliciously modified and electronic equipment |
CN106529332A (en) | Permission control method and apparatus for mobile terminal, and mobile terminal |
CN111723163B (en) | Information processing method, device and system |
CN114528598A (en) | Method and device for determining file integrity of file system and electronic equipment |
CN106127051A (en) | Method and device for preventing mouse from being maliciously captured and electronic equipment |
CN106203119B (en) | Processing method and device for hiding the cursor, and electronic equipment |
CN106203089A (en) | Method and device for preventing system color from being maliciously modified and electronic equipment |
CN105956475A (en) | DLL file interception processing method and device and electronic equipment |
CN106228062B (en) | Method and device for processing process registration, and electronic equipment |
CN106169049B (en) | Method and device for processing thread registration, and electronic equipment |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
TA01 | Transfer of patent application right | Effective date of registration: 20190110. Address after: 519031 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province. Applicant after: Zhuhai Leopard Technology Co.,Ltd. Address before: 100085 East District, No. 33 Xiaoying West Road, Haidian District, Beijing. Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd. |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20161116 |