CN106169046A - Method and device for preventing message hook injection and terminal equipment - Google Patents


Info

Publication number
CN106169046A
Authority
CN
China
Prior art keywords
message hook
registration function
global message
called
hook
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610520243.7A
Other languages
Chinese (zh)
Inventor
杨峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhuhai Baoqu Technology Co Ltd
Original Assignee
Beijing Kingsoft Internet Security Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Kingsoft Internet Security Software Co Ltd
Priority to CN201610520243.7A
Publication of CN106169046A

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention provides a method, a device and terminal equipment for preventing message hook injection. The method comprises the following steps: monitoring whether a global message hook registration function provided by an operating system kernel is called or not, and if so, running a preset hook function corresponding to the global message hook registration function; detecting the legality of a process for calling a global message hook registration function; and if the process is illegal, refusing the process to call the global message hook registration function. The method prevents the malicious call of the message hook registration function, and protects the safety of the operating system.

Description

Method, device and terminal equipment for preventing message hook injection
Technical field
The present invention relates to the field of information security technology, and in particular to a method, a device and terminal equipment for preventing message hook injection.
Background technology
Generally, an operating system provides users with a global message hook registration function. Once a DLL (Dynamic Link Library) file has been registered as a global message hook, whenever a new process starts or a message changes, the operating system loads the registered DLL file into the corresponding process, so that the DLL file is shared.
However, some rogue programs exploit this global message hook registration function to get themselves loaded into the relevant processes, damaging the security of the operating system.
Summary of the invention
The object of the present invention is to solve at least one of the above technical problems to some extent.
To this end, a first object of the present invention is to propose a method for preventing message hook injection. Before the global message hook registration function is called, the method detects the legitimacy of the process calling it and, when that process is illegal, refuses its call to the global message hook registration function, thereby preventing the message hook registration function from being called maliciously and protecting the security of the operating system.
A second object of the present invention is to propose a device for preventing message hook injection.
A third object of the present invention is to propose terminal equipment.
A fourth object of the present invention is to propose another kind of terminal equipment.
To achieve the above objects, an embodiment of the first aspect of the present invention provides a method for preventing message hook injection, comprising the following steps: monitoring whether the global message hook registration function provided by the operating system kernel is called, and if it is called, running a preset hook function corresponding to the global message hook registration function; detecting the legitimacy of the process calling the global message hook registration function; and if the process is illegal, refusing the process's call to the global message hook registration function.
In the method for preventing message hook injection according to the embodiment of the present invention, when it is monitored that the global message hook registration function provided by the operating system kernel is called, the preset hook function corresponding to the global message hook registration function is run, the legitimacy of the process calling the global message hook registration function is detected, and when the process is illegal, its call to the global message hook registration function is refused. The method detects the legitimacy of the calling process before the global message hook registration function is called and refuses the call when the process is illegal, which prevents the message hook registration function from being called maliciously and protects the security of the operating system.
In addition, the method for preventing message hook injection according to the above embodiment of the present invention may also have the following additional technical features:
In one embodiment of the invention, the method further includes: if the process is legal, allowing the process to call the global message hook registration function.
In one embodiment of the invention, before monitoring whether the global message hook registration function provided by the operating system kernel is called, the method further includes: setting, in a defense driver of a network security application, the hook function corresponding to the global message hook registration function.
In one embodiment of the invention, detecting the legitimacy of the process calling the global message hook registration function includes:
detecting the legitimacy of the process calling the global message hook registration function according to a preset feature database.
In one embodiment of the invention, the feature database includes a whitelist of legitimate processes and/or a blacklist of illegal processes.
To achieve the above objects, an embodiment of the second aspect of the present invention provides a device for preventing message hook injection, comprising: a monitoring module for monitoring whether the global message hook registration function provided by the operating system kernel is called; a running module for running the preset hook function corresponding to the global message hook registration function when the monitoring module monitors that the global message hook registration function is called; a detection module for detecting the legitimacy of the process calling the global message hook registration function; and a processing module for refusing the process's call to the global message hook registration function when the process is illegal.
In the device for preventing message hook injection according to the embodiment of the present invention, when it is monitored that the global message hook registration function provided by the operating system kernel is called, the preset hook function corresponding to the global message hook registration function is run, the legitimacy of the process calling the global message hook registration function is detected, and when the process is illegal, its call to the global message hook registration function is refused. The device detects the legitimacy of the calling process before the global message hook registration function is called and refuses the call when the process is illegal, which prevents the message hook registration function from being called maliciously and protects the security of the operating system.
In addition, the device for preventing message hook injection according to the above embodiment of the present invention may also have the following additional technical features:
In one embodiment of the invention, the processing module is further used for allowing the process to call the global message hook registration function when the process is legal.
In one embodiment of the invention, the device further includes: a setting module for setting, in a defense driver of a network security application, the hook function corresponding to the global message hook registration function.
In one embodiment of the invention, the detection module is used for:
detecting the legitimacy of the process calling the global message hook registration function according to a preset feature database.
In one embodiment of the invention, the feature database includes a whitelist of legitimate processes and/or a blacklist of illegal processes.
To achieve the above objects, the terminal equipment of an embodiment of the third aspect of the present invention includes the device for preventing message hook injection of the embodiment of the second aspect of the present invention.
In the terminal equipment according to the embodiment of the present invention, when it is monitored that the global message hook registration function provided by the operating system kernel is called, the preset hook function corresponding to the global message hook registration function is run, the legitimacy of the process calling the global message hook registration function is detected, and when the process is illegal, its call to the global message hook registration function is refused. The terminal equipment detects the legitimacy of the calling process before the global message hook registration function is called and refuses the call when the process is illegal, which prevents the message hook registration function from being called maliciously and protects the security of the operating system.
To achieve the above objects, the terminal equipment of an embodiment of the fourth aspect of the present invention includes one or more of the following components: a processor, a memory, a power circuit, a multimedia component, an audio component, an input/output (I/O) interface, a sensor component and a communication component; wherein a circuit board is placed in the space enclosed by a housing, and the processor and the memory are arranged on the circuit board; the power circuit supplies power to each circuit or device of the terminal equipment; the memory stores executable program code; and the processor, by reading the executable program code stored in the memory, runs the program corresponding to that code in order to perform the following steps:
monitoring whether the global message hook registration function provided by the operating system kernel is called, and if it is called, running the preset hook function corresponding to the global message hook registration function;
detecting the legitimacy of the process calling the global message hook registration function;
if the process is illegal, refusing the process's call to the global message hook registration function.
In the terminal equipment according to the embodiment of the present invention, when it is monitored that the global message hook registration function provided by the operating system kernel is called, the preset hook function corresponding to the global message hook registration function is run, the legitimacy of the process calling the global message hook registration function is detected, and when the process is illegal, its call to the global message hook registration function is refused. The terminal equipment detects the legitimacy of the calling process before the global message hook registration function is called and refuses the call when the process is illegal, which prevents the message hook registration function from being called maliciously and protects the security of the operating system.
Additional aspects and advantages of the present invention will be set forth in part in the following description, and in part will become apparent from the description or be learned through practice of the invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the present invention will become apparent and easy to understand from the following description of embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a flow chart of a method for preventing message hook injection according to an embodiment of the present invention;
Fig. 2 is a flow chart of a method for preventing message hook injection according to another embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a device for preventing message hook injection according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a device for preventing message hook injection according to another embodiment of the present invention;
Fig. 5 is a schematic structural diagram of terminal equipment according to an embodiment of the present invention; and
Fig. 6 is a schematic structural diagram of terminal equipment according to another embodiment of the present invention.
Detailed description of the invention
Embodiments of the present invention are described in detail below, and examples of the embodiments are shown in the drawings, where throughout the same or similar reference numerals denote the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary, are intended to explain the present invention, and are not to be construed as limiting it.
The method, device and terminal equipment for preventing message hook injection of the embodiments of the present invention are described below with reference to the accompanying drawings.
Fig. 1 is a flow chart of a method for preventing message hook injection according to an embodiment of the present invention. As shown in Fig. 1, the method for preventing message hook injection includes:
S110, monitoring whether the global message hook registration function provided by the operating system kernel is called, and if it is called, running the preset hook function corresponding to the global message hook registration function.
S120, detecting the legitimacy of the process calling the global message hook registration function.
S130, if the process is illegal, refusing the process's call to the global message hook registration function.
Generally, the operating system kernel provides a global message hook registration function. Once a DLL (Dynamic Link Library) file has been registered as a global message hook through this function, whenever a new process starts or a message changes, the operating system loads the registered DLL file into the corresponding process. The global message hook registration function provided by the operating system kernel differs depending on the specific application scenario.
For example, when the global message hook registration function provided by the operating system is the SetWindowsHookEx function, after a DLL file has been registered as a global message hook through the kernel function NtUserSetWindowsHookEx corresponding to SetWindowsHookEx, the operating system loads this DLL file into every new process that starts.
However, in some application scenarios, malicious processes that perform malicious tasks, such as viruses, worms and Trojan horse processes, may call the global message hook registration function provided by the operating system kernel to inject a global message hook, so that whenever a new process starts, the malicious process is injected into it, causing damage to the operating system.
Therefore, to prevent a malicious process from damaging the security of the operating system by calling the global message hook registration function, it is necessary, before the call is allowed, to judge whether the process calling the global message hook registration function is legitimate, and to decide according to the result whether to allow the call.
In the method for preventing message hook injection of the embodiment of the present invention, a hook function is installed in the operating system, and the hook function monitors call events to the global message hook registration function in the operating system kernel. Whenever a call to the global message hook registration function is monitored, before the operating system responds to the call event, the hook function captures the process calling the global message hook registration function and judges whether that process is legitimate.
It should be noted that, depending on the specific application scenario, the preset hook function may detect the legitimacy of the current process calling the global message hook registration function in various ways.
In a first example, a feature database containing the relevant features of legitimate or illegal processes is set up locally in the operating system, and the legitimacy of the current process calling the global message hook registration function is detected against this feature database.
In a second example, the feature database containing the relevant features of legitimate or illegal processes is set up on a remote server, and the hook function is provided with a function that exchanges information with the remote server. Through this function, the relevant information of the current process calling the global message hook registration function is sent to the remote server, so that the remote server detects the legitimacy of the current process against the feature database.
In a third example, a secure identifier bound to reliable, trusted processes is stored in advance. After the hook function captures the current process calling the global message hook registration function, the legitimacy of the current process is detected by checking whether it carries this secure identifier.
In summary, in the method for preventing message hook injection of the embodiment of the present invention, when it is monitored that the global message hook registration function provided by the operating system kernel is called, the preset hook function corresponding to the global message hook registration function is run, the legitimacy of the process calling the global message hook registration function is detected, and when the process is illegal, its call to the global message hook registration function is refused. The method detects the legitimacy of the calling process before the global message hook registration function is called and refuses the call when the process is illegal, which prevents the message hook registration function from being called maliciously and protects the security of the operating system.
Fig. 2 is a flow chart of a method for preventing message hook injection according to another embodiment of the present invention. As shown in Fig. 2, the method for preventing message hook injection includes:
S210, setting, in a defense driver of a network security application, the hook function corresponding to the global message hook registration function, wherein the hook function includes a feature database for detecting the legitimacy of the process calling the global message hook registration function.
It should be understood that, depending on the application scenario, the hook function corresponding to the global message hook registration function may be placed at various positions in the operating system. In the method for preventing message hook injection of the embodiment of the present invention, the hook function is placed in the defense driver of the network security application, which facilitates the integration of related security resources in the operating system.
S220, monitoring whether the global message hook registration function provided by the operating system kernel is called, and if it is called, running the preset hook function corresponding to the global message hook registration function.
S230, detecting the legitimacy of the process calling the global message hook registration function.
Specifically, when it is monitored that the global message hook registration function provided by the operating system kernel is called, the preset hook function corresponding to the global message hook registration function is run in order to determine the process currently calling the global message hook registration function.
It should be understood that the hook function may determine the process calling the global message hook registration function in various ways. In an embodiment of the present invention, the current process is determined by obtaining the running process path of the process calling the global message hook registration function.
S240, if the process is illegal, refusing the process's call to the global message hook registration function.
S250, if the process is legal, allowing the process to call the global message hook registration function.
Specifically, this embodiment detects the legitimacy of the process calling the global message hook registration function according to a preset feature database. If the detected process is illegal, this indicates that the process calling the global message hook registration function may be a malicious process, and its call to the global message hook registration function is refused. If the detected process is legal, the current process is allowed to call the global message hook registration function.
It should be noted that the specific content of the feature database may be configured according to application needs, for example a whitelist of legitimate processes and/or a blacklist of illegal processes. This is illustrated below:
In a first example, the feature database includes a whitelist. The processes corresponding to the process information contained in the whitelist are legitimate processes; allowing them to call the global message hook registration function does not damage the security of the operating system.
In this example, the current process calling the global message hook registration function is determined, and the feature database is queried with the process information of that process. If the query finds that the process information matches process information in the whitelist, the process is considered a legitimate process and is allowed to call the global message hook registration function. If the query finds that the process information does not match any process information in the whitelist, the process is considered an illegal process and its call to the global message hook registration function is refused.
In a second example, the feature database includes a blacklist. The processes corresponding to the process information contained in the blacklist are illegal processes, for instance processes belonging to rogue programs; allowing them to call the global message hook registration function could damage the security of the operating system.
In this example, the current process calling the global message hook registration function is determined, and the feature database is queried with the process information of that current process. If the process information of the process matches process information contained in the blacklist, the process is considered an illegal process and its call to the global message hook registration function is refused. If the process information of the process does not match any process information contained in the blacklist, the process is considered a legitimate process and is allowed to call the global message hook registration function.
In a third example, the feature database includes both a blacklist and a whitelist. The processes corresponding to the process information contained in the whitelist are legitimate processes, and the processes corresponding to the process information contained in the blacklist are illegal processes.
In this example, the current process calling the global message hook registration function is determined, and the feature database is queried with the process information of that process. If the query finds that the process information matches process information in the whitelist, the process is considered a legitimate process and is allowed to call the global message hook registration function; if the process information of the process matches process information contained in the blacklist, the process is considered an illegal process and its call to the global message hook registration function is refused.
In summary, in the method for preventing message hook injection of the embodiment of the present invention, the hook function corresponding to the global message hook registration function is placed in the defense driver of the network security application, and the legitimacy of the process calling the global message hook registration function is then judged through the feature database; only when the process is legal is it allowed to call the global message hook registration function. This further protects the security of the operating system.
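As an added illustration that is not part of the patent text, the following C program simulates the Fig. 2 flow (steps S210 to S250) together with the three feature database configurations just described: whitelist only, blacklist only, and both lists. The hook function is modelled as a plain function that is run in front of a simulated registration function and receives the caller's running process path (the identity the description uses in S230). Everything here is an assumption for illustration: the type and function names, the in-memory feature database, exact-path matching, the placeholder paths, and the decision to treat a process that appears on neither list in the combined configuration as illegal (the description does not state that case, so the example fails closed).

```c
#include <stdio.h>
#include <string.h>

/* Verdict returned by the hook function that runs in front of the
   global message hook registration function. */
typedef enum { VERDICT_ALLOW = 0, VERDICT_DENY = 1 } verdict_t;

/* The three feature-database configurations named in the description:
   whitelist only, blacklist only, or both lists. */
typedef enum { DB_WHITELIST_ONLY, DB_BLACKLIST_ONLY, DB_BOTH } db_mode_t;

#define MAX_ENTRIES 8

/* Hypothetical in-memory feature database; process identity is the
   running process path, as in step S230 of the description. */
typedef struct {
    db_mode_t   mode;
    const char *whitelist[MAX_ENTRIES];
    size_t      n_white;
    const char *blacklist[MAX_ENTRIES];
    size_t      n_black;
} feature_db_t;

/* Exact-path comparison (an assumption made for this example). */
static int list_contains(const char *const *list, size_t n, const char *path)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i], path) == 0)
            return 1;
    return 0;
}

/* The preset hook function: given the path of the process that called the
   registration function, decide its legitimacy from the feature database. */
verdict_t hook_check_caller(const feature_db_t *db, const char *process_path)
{
    int on_white = list_contains(db->whitelist, db->n_white, process_path);
    int on_black = list_contains(db->blacklist, db->n_black, process_path);

    switch (db->mode) {
    case DB_WHITELIST_ONLY:           /* first example: not listed => illegal */
        return on_white ? VERDICT_ALLOW : VERDICT_DENY;
    case DB_BLACKLIST_ONLY:           /* second example: not listed => legal */
        return on_black ? VERDICT_DENY : VERDICT_ALLOW;
    case DB_BOTH:                     /* third example: whitelist checked first */
        if (on_white) return VERDICT_ALLOW;
        if (on_black) return VERDICT_DENY;
        return VERDICT_DENY;          /* assumption: unknown process fails closed */
    }
    return VERDICT_DENY;
}

/* Stand-in for kernel state: how many global hooks were actually registered. */
typedef struct { int hooks_registered; } os_state_t;

/* Simulated global message hook registration function with the hook function
   run before the kernel acts on the request (steps S220, S240, S250).
   Returns 0 when the registration proceeds and -1 when the call is refused. */
int register_global_message_hook(os_state_t *os, const feature_db_t *db,
                                 const char *caller_path, const char *dll_path)
{
    if (hook_check_caller(db, caller_path) == VERDICT_DENY) {
        printf("refused: %s may not register %s\n", caller_path, dll_path);
        return -1;                    /* the kernel never processes the registration */
    }
    os->hooks_registered++;
    printf("allowed: %s registered %s\n", caller_path, dll_path);
    return 0;
}

/* Constructed sample database; the paths are placeholders, not real products. */
feature_db_t make_sample_db(db_mode_t mode)
{
    feature_db_t db;
    memset(&db, 0, sizeof db);
    db.mode = mode;
    db.whitelist[0] = "C:\\Program Files\\TrustedApp\\app.exe";
    db.n_white = 1;
    db.blacklist[0] = "C:\\Users\\Public\\dropper.exe";
    db.n_black = 1;
    return db;
}

int main(void)
{
    os_state_t os = { 0 };
    feature_db_t db = make_sample_db(DB_BOTH);

    register_global_message_hook(&os, &db, "C:\\Program Files\\TrustedApp\\app.exe", "hook_a.dll");
    register_global_message_hook(&os, &db, "C:\\Users\\Public\\dropper.exe", "hook_b.dll");
    register_global_message_hook(&os, &db, "C:\\Temp\\unknown.exe", "hook_c.dll");
    printf("hooks actually registered: %d\n", os.hooks_registered);
    return 0;
}
```

The point the simulation makes is that the check happens before the kernel acts: a refused caller leaves `hooks_registered` unchanged, so no DLL is ever scheduled for loading into other processes. Which default applies to a process on neither list is a policy decision the description leaves open; a whitelist-only database is the strictest of the three configurations, and a blacklist-only database only stops callers that are already known.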
In order to implement the above embodiments, the present invention also proposes a device for preventing message hook injection. Fig. 3 is a schematic structural diagram of a device for preventing message hook injection according to an embodiment of the present invention. As shown in Fig. 3, the device for preventing message hook injection includes:
a monitoring module 310 for monitoring whether the global message hook registration function provided by the operating system kernel is called;
a running module 320 for running the preset hook function corresponding to the global message hook registration function when the monitoring module monitors that the global message hook registration function is called;
a detection module 330 for detecting the legitimacy of the process calling the global message hook registration function; and
a processing module 340 for refusing the process's call to the global message hook registration function when the process is illegal. In the device for preventing message hook injection of the embodiment of the present invention, a hook function is installed in the operating system, and the monitoring module 310 monitors call events to the global message hook registration function in the operating system kernel through the hook function. Whenever the monitoring module 310 monitors that the global message hook registration function is called, the running module 320 runs the hook function, and before the operating system responds to the call event, the detection module 330 captures, through the hook function, the process calling the global message hook registration function and judges whether that process is legitimate.
Specifically, after the hook function captures the current process calling the function, the detection module 330 detects the legitimacy of this current process. If the detection finds that the current process is legal, the processing module 340 allows the current process to call the global message hook registration function, so that the related application runs normally. If the detection module 330 detects the legitimacy of this current process and finds that it is illegal, the processing module 340 refuses the current process's call to the global message hook registration function in order to protect the security of the operating system.
In summary, in the device for preventing message hook injection of the embodiment of the present invention, when it is monitored that the global message hook registration function provided by the operating system kernel is called, the preset hook function corresponding to the global message hook registration function is run, the legitimacy of the process calling the global message hook registration function is detected, and when the process is illegal, its call to the global message hook registration function is refused. The device detects the legitimacy of the calling process before the global message hook registration function is called and refuses the call when the process is illegal, which prevents the message hook registration function from being called maliciously and protects the security of the operating system.
Fig. 4 is a schematic structural diagram of a device for preventing message hook injection according to another embodiment of the present invention. As shown in Fig. 4, on the basis of the device shown in Fig. 3, the device for preventing message hook injection includes:
a setting module 350 for setting, in a defense driver of a network security application, the hook function corresponding to the global message hook registration function.
It should be understood that, depending on the application scenario, the hook function corresponding to the global message hook registration function may be placed at various positions in the operating system. In the device for preventing message hook injection of the embodiment of the present invention, the setting module 350 places the hook function in the defense driver of the network security application, which facilitates the integration of related security resources in the operating system.
Specifically, the detection module 330 detects the legitimacy of the process calling the global message hook registration function according to a preset feature database. If the detection module 330 finds that the process calling the global message hook registration function is illegal, this indicates that the process may be a malicious process, and the processing module 340 therefore refuses the process's call to the global message hook registration function. If the detection module 330 finds that the process calling the global message hook registration function is legal, the processing module 340 allows the current process to call the global message hook registration function.
It should be noted that the specific content of the feature database may be configured according to application needs, for example a whitelist of legitimate processes and/or a blacklist of illegal processes. This is illustrated below:
In a first example, the feature database includes a whitelist. The processes corresponding to the process information contained in the whitelist are legitimate processes; allowing them to call the global message hook registration function does not damage the security of the operating system.
In this example, the current process calling the global message hook registration function is determined, and the detection module 330 queries the feature database with the process information of that process. If the query finds that the process information matches process information in the whitelist, the process is considered a legitimate process, and the processing module 340 therefore allows the process to call the global message hook registration function. If the detection module 330 finds that the process information does not match any process information in the whitelist, the process is considered an illegal process, and the processing module 340 therefore refuses the process's call to the global message hook registration function.
In a second example, the feature database includes a blacklist. The processes corresponding to the process information contained in the blacklist are illegal processes, for instance processes belonging to rogue programs; allowing them to call the global message hook registration function could damage the security of the operating system.
In this example, the current process calling the global message hook registration function is determined, and the detection module 330 queries the feature database with the process information of that current process. If the process information of the process matches process information contained in the blacklist, the process is considered an illegal process, and the processing module 340 therefore refuses the process's call to the global message hook registration function. If the detection module 330 finds that the process information of the process does not match any process information contained in the blacklist, the process is considered a legitimate process, and the processing module 340 therefore allows the process to call the global message hook registration function.
The third example, can comprise blacklist and white list in feature database, the progress information comprised in white list is corresponding Process is legitimate processes, and the process that the progress information that comprises in blacklist is corresponding is illegal process.
In this example, determine that the current process calling global message hook registration function, detection module 330 are entered according to this The progress information query characteristics storehouse of journey, if inquiry obtains this progress information, mates with the progress information of white list, then it is assumed that should Process is legitimate processes, and therefore processing module 340 allows this process to call global message hook registration function;If detected and mould Block 330 detects the progress information that the progress information of this process comprises with blacklist and mates, then it is assumed that this process is illegal process, because of This processing module 340 is refused this process and is called global message hook registration function.
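The three feature-database configurations above, together with the monitor / run hook / detect / refuse sequence the later embodiments attribute to the processor, can be modelled as a single decision routine placed in front of the registration function. The following C program is an added example and is not code from the patent or from the applicant's product; it runs in user space and models the kernel registration function with a function pointer. All identifiers, the use of the executable image name as "process information", the sample list contents, and the handling of a caller that matches neither list (a case the text does not cover) are assumptions.

```c
/* Added example, not code from the patent: a user-space C model of the
 * decision logic the text assigns to detection module 330 (feature-database
 * lookup) and processing module 340 (allow/refuse), wrapped in a hook that
 * runs before a modelled registration function. All names, the choice of
 * image name as "process information" and the sample lists are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DECISION_UNLISTED marks a caller matched by neither list; the patent does
 * not say how such a caller is treated, so it is kept distinct here. */
typedef enum { DECISION_DENY = 0, DECISION_ALLOW = 1, DECISION_UNLISTED = 2 } decision_t;

/* Process information used for the lookup (assumed: executable image name). */
typedef struct { const char *image_name; } process_info_t;

/* Feature database: a white list and/or a black list.
 * A NULL list means that list is not configured in this database. */
typedef struct {
    const char *const *white_list; size_t white_count;
    const char *const *black_list; size_t black_count;
} feature_db_t;

static bool list_contains(const char *const *list, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i], name) == 0)
            return true;
    return false;
}

/* Detection module: the three feature-database configurations from the text. */
decision_t check_process_legitimacy(const feature_db_t *db, const process_info_t *p)
{
    bool has_white = db->white_list != NULL;
    bool has_black = db->black_list != NULL;
    bool in_white = has_white && list_contains(db->white_list, db->white_count, p->image_name);
    bool in_black = has_black && list_contains(db->black_list, db->black_count, p->image_name);

    if (has_white && has_black) {           /* third example: white list checked first */
        if (in_white) return DECISION_ALLOW;
        if (in_black) return DECISION_DENY;
        return DECISION_UNLISTED;           /* not covered by the text */
    }
    if (has_white)                          /* first example: white list only */
        return in_white ? DECISION_ALLOW : DECISION_DENY;
    if (has_black)                          /* second example: black list only */
        return in_black ? DECISION_DENY : DECISION_ALLOW;
    return DECISION_UNLISTED;               /* empty database: also not covered */
}

/* The real global message hook registration function is not modelled; a
 * function pointer stands in for it so the hook can forward legitimate calls. */
typedef int (*register_hook_fn)(const process_info_t *caller);

static int forwarded_calls = 0;
static int stub_register_global_hook(const process_info_t *caller)
{
    (void)caller;
    forwarded_calls++;
    return 0;
}

/* Processing module inside the preset hook function: consult the feature
 * database before the registration function runs and refuse illegitimate
 * callers. Unlisted callers are refused as well (assumption: default deny).
 * Returns -1 when refused, otherwise the original function's result. */
int hooked_register_global_hook(const feature_db_t *db, const process_info_t *caller,
                                register_hook_fn original)
{
    if (check_process_legitimacy(db, caller) != DECISION_ALLOW) {
        fprintf(stderr, "refused global message hook registration by %s\n", caller->image_name);
        return -1;
    }
    return original(caller);
}

/* Constructed sample lists (not real product or malware names). */
static const char *const SAMPLE_WHITE[] = { "trusted_shell.exe", "secapp_ui.exe" };
static const char *const SAMPLE_BLACK[] = { "sample_dropper.exe" };

/* Build one configuration: 0 = white list only, 1 = black list only, 2 = both. */
feature_db_t sample_feature_db(int kind)
{
    feature_db_t db = { NULL, 0, NULL, 0 };
    if (kind == 0 || kind == 2) { db.white_list = SAMPLE_WHITE; db.white_count = 2; }
    if (kind == 1 || kind == 2) { db.black_list = SAMPLE_BLACK; db.black_count = 1; }
    return db;
}

/* Entry points for a caller identified only by image name. */
decision_t demo_decision(int kind, const char *image_name)
{
    feature_db_t db = sample_feature_db(kind);
    process_info_t p = { image_name };
    return check_process_legitimacy(&db, &p);
}

int demo_hook_call(int kind, const char *image_name)
{
    feature_db_t db = sample_feature_db(kind);
    process_info_t p = { image_name };
    return hooked_register_global_hook(&db, &p, stub_register_global_hook);
}

int main(void)
{
    const char *callers[] = { "trusted_shell.exe", "sample_dropper.exe", "unknown_tool.exe" };
    for (int kind = 0; kind < 3; kind++)
        for (size_t i = 0; i < 3; i++)
            printf("db=%d caller=%-20s result=%d\n", kind, callers[i],
                   demo_hook_call(kind, callers[i]));
    return 0;
}
```

The point worth noticing is the configuration-dependent treatment of a caller on neither list: with a white list only it is refused, with a black list only it is allowed, and with both lists the patent text leaves the outcome unspecified, which is why the example surfaces it as a separate value and then refuses it in the hook. A deployment that relies on a black list alone therefore blocks only callers it already knows about, which is the trade-off a practitioner should weigh when populating the feature database.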
It should be noted that the device for preventing message hook injection of the embodiment of the present invention corresponds to the method for preventing message hook injection described above with reference to Fig. 1 and Fig. 2; for details not disclosed in the device embodiment, refer to the above description of the method embodiment for preventing message hook injection.
In summary, the device for preventing message hook injection of the embodiment of the present invention places the hook function corresponding to the global message hook registration function in the defense driver of the network security application, then judges the legitimacy of the process calling the global message hook registration function by means of the feature database, and allows the process to call the global message hook registration function only when the process is legitimate. This further protects the security of the operating system.
In order to implement the above embodiments, the present invention also proposes a terminal device.
Fig. 5 is a schematic structural diagram of a terminal device according to an embodiment of the present invention. As shown in Fig. 5, the terminal device includes a device 500 for preventing message hook injection.
It should be noted that for the description of the above device 500 for preventing message hook injection, reference may be made to the description of the device for preventing message hook injection given above with reference to Fig. 3 and Fig. 4, which is not repeated here.
In summary, the terminal device of the embodiment of the present invention runs the preset hook function corresponding to the global message hook registration function when it detects that the global message hook registration function provided by the operating system kernel is called, checks the legitimacy of the process calling the global message hook registration function, and, if the process is illegitimate, refuses to let that process call the global message hook registration function. Because the terminal device checks the legitimacy of the caller before the global message hook registration function is actually called, and refuses the call when the process is illegitimate, it prevents the message hook registration function from being called maliciously and protects the security of the operating system.
In order to implement the above embodiments, the present invention also proposes another terminal device.
Fig. 6 is a schematic structural diagram of a terminal device according to another embodiment of the present invention. As shown in Fig. 6, the terminal device 1000 may be a mobile phone or the like.
Referring to Fig. 6, the terminal device 1000 may include one or more of the following components: a processor 1001, a memory 1002, a power supply circuit 1003, a multimedia component 1004, an audio component 1005, an input/output (I/O) interface 1006, a sensor component 1007, and a communication component 1008.
The power supply circuit 1003 supplies power to each circuit or device of the terminal device; the memory 1002 is used to store executable program code; the processor 1001 runs a program corresponding to the executable program code by reading the executable program code stored in the memory 1002, so as to perform the following steps:
monitoring whether the global message hook registration function provided by the operating system kernel is called, and if it is called, running the preset hook function corresponding to the global message hook registration function;
detecting the legitimacy of the process calling the global message hook registration function;
if the process is illegitimate, refusing to let the process call the global message hook registration function.
It should be noted that for the above description of the terminal device 1000, reference may be made to the description of the method for preventing message hook injection given above with reference to Fig. 1 and Fig. 2, which is not repeated here.
In summary, the terminal device of the embodiment of the present invention runs the preset hook function corresponding to the global message hook registration function when it detects that the global message hook registration function provided by the operating system kernel is called, checks the legitimacy of the process calling the global message hook registration function, and, if the process is illegitimate, refuses to let that process call the global message hook registration function. Because the terminal device checks the legitimacy of the caller before the global message hook registration function is actually called, and refuses the call when the process is illegitimate, it prevents the message hook registration function from being called maliciously and protects the security of the operating system.
In addition, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance, or as implicitly indicating the number of the technical features referred to. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality of" means at least two, for example two or three, unless otherwise expressly and specifically limited.
In the description of this specification, a description referring to the terms "an embodiment", "some embodiments", "an example", "a specific example", "some examples" or the like means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. In addition, provided there is no conflict, those skilled in the art may combine and assemble the different embodiments or examples described in this specification and the features of those different embodiments or examples.
Although embodiments of the present invention have been shown and described above, it is to be understood that the above embodiments are exemplary and are not to be construed as limiting the present invention; those of ordinary skill in the art may change, modify, replace and vary the above embodiments within the scope of the present invention.

Claims (12)

1. A method for preventing message hook injection, characterized in that it comprises the following steps:
monitoring whether a global message hook registration function provided by an operating system kernel is called, and if it is called, running a preset hook function corresponding to said global message hook registration function;
detecting the legitimacy of a process calling said global message hook registration function;
if said process is illegitimate, refusing to let said process call said global message hook registration function.
2. The method of claim 1, characterized in that it further comprises:
if said process is legitimate, allowing said process to call said global message hook registration function.
3. The method of claim 1, characterized in that, before said monitoring whether the global message hook registration function provided by the operating system kernel is called, it further comprises:
setting, in a defense driver of a network security application, the hook function corresponding to said global message hook registration function.
4. The method of claim 1, characterized in that said detecting the legitimacy of the process calling said global message hook registration function comprises:
detecting the legitimacy of the process calling said global message hook registration function according to a preset feature database.
5. The method of claim 4, characterized in that said feature database comprises:
a white list comprising legitimate processes, and/or a black list comprising illegitimate processes.
6. A device for preventing message hook injection, characterized in that it comprises:
a monitoring module, configured to monitor whether a global message hook registration function provided by an operating system kernel is called;
a running module, configured to run a preset hook function corresponding to said global message hook registration function when said monitoring module detects that said global message hook registration function is called;
a detection module, configured to detect the legitimacy of a process calling said global message hook registration function;
a processing module, configured to refuse to let said process call said global message hook registration function when said process is illegitimate.
7. The device of claim 6, characterized in that said processing module is further configured to:
allow said process to call said global message hook registration function when said process is legitimate.
8. The device of claim 6, characterized in that it further comprises:
a setting module, configured to set, in a defense driver of a network security application, the hook function corresponding to said global message hook registration function.
9. The device of claim 6, characterized in that said detection module is configured to:
detect the legitimacy of the process calling said global message hook registration function according to a preset feature database.
10. The device of claim 9, characterized in that said feature database comprises:
a white list comprising legitimate processes, and/or a black list comprising illegitimate processes.
11. A terminal device, characterized in that it comprises the device for preventing message hook injection according to any one of claims 6 to 10.
12. A terminal device, characterized in that it comprises one or more of the following components: a processor, a memory, a power supply circuit, a multimedia component, an audio component, an input/output (I/O) interface, a sensor component and a communication component; wherein a circuit board is arranged inside the space enclosed by a housing, and said processor and said memory are arranged on said circuit board; said power supply circuit is configured to supply power to each circuit or device of the terminal device; said memory is configured to store executable program code; and said processor runs a program corresponding to said executable program code by reading the executable program code stored in said memory, so as to perform the following steps:
monitoring whether a global message hook registration function provided by an operating system kernel is called, and if it is called, running a preset hook function corresponding to said global message hook registration function;
detecting the legitimacy of a process calling said global message hook registration function;
if said process is illegitimate, refusing to let said process call said global message hook registration function.
CN201610520243.7A 2016-07-04 2016-07-04 Method and device for preventing message hook injection and terminal equipment Pending CN106169046A (en)


Publications (1)

Publication Number Publication Date
CN106169046A true CN106169046A (en) 2016-11-30


Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right. Effective date of registration: 20181213. Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd. (100085 East District, Second Floor, 33 Xiaoying West Road, Haidian District, Beijing). Applicant after: Zhuhai Leopard Technology Co.,Ltd. (519030 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province).
RJ01 Rejection of invention patent application after publication. Application publication date: 20161130.