CN106203069A - Method and device for intercepting dynamic link library file and terminal equipment - Google Patents
- Publication number
- CN106203069A CN201610482951.6A
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/51—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
Abstract
The embodiments of the invention disclose a method and a device for intercepting a dynamic link library file, and terminal equipment, relating to the technical field of computers. They make it possible to intercept a dynamic link library (DLL) file that a process loads by reading its import table, without the system popping up an error prompt. The method for intercepting the dynamic link library file comprises the following steps: when the system loads the dynamic link library file through the import table, acquiring the image information structure parameter in the callback function; locating the entry function address of the dynamic link library file according to the image information structure parameter; and writing an entry function exit instruction of the dynamic link library file into the memory corresponding to the entry function address of the dynamic link library file, and returning a load-success instruction for the dynamic link library file to the system. The invention is suitable for system security maintenance of terminal equipment.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a method and a device for intercepting a dynamic link library file, and terminal equipment.
Background art
With the development of Internet technology, malicious programs such as viruses and Trojans emerge one after another, and the technical solutions that system security software uses to counter them also need to be updated continually. A dynamic link library file (Dynamic Link Library, DLL for short) is one kind of file that malicious programs run, and such malicious DLLs may be loaded while a process is running. Intercepting the loading of malicious DLLs is also a basic function of antivirus software.
Existing antivirus software intercepts malicious DLLs by hooking NtCreateSection, the kernel function that creates a process section. Generally, when a section is opened for a DLL, the antivirus software can judge whether the DLL is malicious and intercept it. In the prior art, a process loads a DLL in one of two ways: one is to actively call the application-layer function LoadLibrary, which loads a dynamic link library, and the other is to load the DLL by reading the import table. The prior-art method by which antivirus software intercepts malicious DLLs can intercept DLLs loaded by actively calling the application-layer function LoadLibrary, and the system does not pop up an error prompt. For DLLs loaded by reading the import table, the prior-art DLL interception method can still intercept the malicious DLL, but the system pops up an error prompt, which affects the user experience.
Summary of the invention
In view of this, the embodiments of the present invention provide a method and a device for intercepting a dynamic link library file, and terminal equipment, which can solve the problem that the existing approach of hooking the kernel function NtCreateSection, which creates a process section, can intercept malicious DLLs but affects the user experience because the system pops up an error prompt.
In a first aspect, an embodiment of the present invention provides a method for intercepting a dynamic link library file, including:
When the system loads the dynamic link library file through the import table, obtaining the image information structure parameter in the callback function;
Locating the entry function address of the dynamic link library file according to the image information structure parameter;
Writing the entry function exit instruction of the dynamic link library file into the memory corresponding to the entry function address of the dynamic link library file, and returning the load-success instruction for the dynamic link library file to the system.
With reference to the first aspect, in a first implementation of the first aspect, before obtaining the image information structure parameter in the callback function, the method for intercepting the dynamic link library file further includes:
Presetting a load callback module, in which the callback function is defined.
With reference to the first implementation of the first aspect, in a second implementation of the first aspect, the preset load callback module is implemented by calling a kernel function.
With reference to the second implementation of the first aspect, in a third implementation of the first aspect, the step of writing the entry function exit instruction of the dynamic link library file into the memory corresponding to the entry function address of the dynamic link library file and returning the load-success instruction for the dynamic link library file to the system includes:
Obtaining the load-success instruction for the dynamic link library file and the entry function exit instruction of the dynamic link library file;
Writing the entry function exit instruction of the dynamic link library file into the memory corresponding to the entry function address of the dynamic link library file;
Returning the load-success instruction for the dynamic link library file to the system, so that the system realizes the interception of the dynamic link library file.
With reference to the second implementation of the first aspect, in a fourth implementation of the first aspect, the load-success instruction for the dynamic link library file carries the load-success flag.
In a second aspect, an embodiment of the present invention provides a device for intercepting a dynamic link library file, including:
A parameter acquiring unit, configured to obtain the image information structure parameter in the callback function when the system loads the dynamic link library file through the import table;
A positioning unit, configured to locate the entry function address of the dynamic link library file according to the image information structure parameter;
An information processing unit, configured to write the entry function exit instruction of the dynamic link library file into the memory corresponding to the entry function address of the dynamic link library file, and to return the load-success instruction for the dynamic link library file to the system.
With reference to the second aspect, in a first implementation of the second aspect, the device further includes:
A preset unit, configured to preset a load callback module, in which the callback function is defined.
With reference to the first implementation of the second aspect, in a second implementation of the second aspect, the preset load callback module is implemented by calling a kernel function.
With reference to the second implementation of the second aspect, in a third implementation of the second aspect, the information processing unit includes:
An instruction obtaining subunit, configured to obtain the load-success instruction for the dynamic link library file and the entry function exit instruction of the dynamic link library file; an information modifying subunit, configured to write the entry function exit instruction of the dynamic link library file into the memory corresponding to the entry function address of the dynamic link library file; and an information sending subunit, configured to return the load-success instruction for the dynamic link library file to the system, so that the system realizes the interception of the dynamic link library file.
With reference to the second implementation of the second aspect, in a fourth implementation of the second aspect, the load-success instruction for the dynamic link library file carries the load-success flag.
In a third aspect, an embodiment of the present invention provides terminal equipment, which includes a housing, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power circuit is configured to supply power to each circuit or component of the terminal equipment; the memory is configured to store executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, in order to perform any of the aforementioned methods for intercepting a dynamic link library file.
The embodiments of the present invention provide a method and a device for intercepting a dynamic link library file, and terminal equipment. When the system loads a dynamic link library file through the import table, the entry function address of the dynamic link library file is located according to the image information structure parameter in the callback function; the entry function exit instruction of the dynamic link library file is written into the memory corresponding to that entry function address, and the load-success instruction for the dynamic link library file is returned to the system. This intercepts the loading of the dynamic link library file and protects the system from being harmed by it. The entry function exit instruction of the dynamic link library file makes the system exit the entry function without executing any function in it. The load-success instruction for the dynamic link library file lets the system determine that the dynamic link library file loaded successfully, so the system does not issue an error prompt because the dynamic link library file was intercepted, which solves the problem of the existing system popping up an error prompt.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of embodiment one of the method for intercepting a dynamic link library file of the present invention;
Fig. 2 is a flowchart of embodiment two of the method for intercepting a dynamic link library file of the present invention;
Fig. 3 is a structural diagram of embodiment one of the device for intercepting a dynamic link library file of the present invention;
Fig. 4 is a structural diagram of embodiment two of the device for intercepting a dynamic link library file of the present invention;
Fig. 5 is a structural diagram of one embodiment of the terminal equipment of the present invention.
Detailed description of the embodiments
The embodiments of the present invention are described in detail below with reference to the drawings.
It should be understood that the described embodiments are only some of the embodiments of the present invention rather than all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flowchart of embodiment one of the method for intercepting a dynamic link library file of the present invention. As shown in Fig. 1, the method of this embodiment may include:
Step 101: when the system loads the dynamic link library file through the import table, obtain the image information structure parameter in the callback function.
In this embodiment, the image information structure parameter PIMAGE_INFO in the callback function holds the base address of the DLL to be loaded.
Step 102: according to the image information structure parameter, locate the entry function address of the dynamic link library file.
In this embodiment, because the image information structure parameter holds the base address of the DLL to be loaded, the entry function address of the DLL to be loaded can be located from that base address. The entry function address is the address of the function that the DLL to be loaded executes first. If the entry function returns failure to the system, the DLL fails to load and the system pops up an error prompt; if the entry function returns success to the system, the DLL loads successfully and the system does not pop up an error prompt.
Step 103: write the entry function exit instruction of the dynamic link library file into the memory corresponding to the entry function address of the dynamic link library file, and return the load-success instruction for the dynamic link library file to the system.
In this embodiment, the entry function exit instruction of the dynamic link library file makes the system exit the entry function without executing any function in it. The load-success instruction for the dynamic link library file makes the system consider that the dynamic link library file loaded successfully, so the system does not issue an error prompt because the dynamic link library file was intercepted, which solves the problem of the existing system popping up an error prompt.
In this embodiment, the callback function modifies the memory corresponding to the located entry function address of the dynamic link library file; that is, the entry function exit instruction of the dynamic link library file is written into the memory corresponding to the entry function address of the dynamic link library file, and the callback function returns the load-success instruction for the dynamic link library file to the system. Specifically, the callback function returns the load-success instruction for the dynamic link library file to the system, that is, it forcibly changes the load state information of the dynamic link library file to the load-success flag. The load-success flag carried in the load-success instruction notifies the system that the dynamic link library file loaded successfully, which prevents the system from popping up an error prompt.
In the method for intercepting a dynamic link library file provided by this embodiment of the present invention, when the system loads a dynamic link library file through the import table, the entry function address of the dynamic link library file is located according to the image information structure parameter in the callback function; the entry function exit instruction of the dynamic link library file is written into the memory corresponding to that entry function address, and the load-success instruction for the dynamic link library file is returned to the system. This intercepts the loading of the dynamic link library file and protects the system from being harmed by it. The entry function exit instruction of the dynamic link library file makes the system exit the entry function without executing any function in it. The load-success instruction for the dynamic link library file lets the system determine that the dynamic link library file loaded successfully, so the system does not issue an error prompt because the dynamic link library file was intercepted, which solves the problem of the existing system popping up an error prompt.
Fig. 2 is a flowchart of embodiment two of the method for intercepting a dynamic link library file of the present invention. As shown in Fig. 2, on the basis of the method embodiment shown in Fig. 1, this embodiment further includes presetting a load callback module, in which the callback function is defined. The method of this embodiment specifically includes:
Step 201: preset a load callback module, in which the callback function is defined.
In this embodiment, no kernel function needs to be hooked; instead, the preset load callback module is implemented by calling a kernel function. For example, the load callback module can be preset by calling the Windows kernel function PsSetLoadImageNotifyRoutine, which defines the callback function, namely the image information function ImageNotifyRoutine. Once the load callback module has been preset, the system goes to the callback function, namely the image information function ImageNotifyRoutine, every time a dynamic link library file is subsequently loaded through the import table.
Step 202: when the system loads the dynamic link library file through the import table, obtain the image information structure parameter in the callback function.
In this embodiment, the process of obtaining the image information structure parameter in the callback function is similar to step 101 of the above method embodiment and is not repeated here.
Step 203: according to the image information structure parameter, locate the entry function address of the dynamic link library file.
In this embodiment, the process of locating the entry function address of the dynamic link library file is similar to step 102 of the above method embodiment and is not repeated here.
Step 204: obtain the load-success instruction for the dynamic link library file and the entry function exit instruction of the dynamic link library file;
Step 205: write the entry function exit instruction of the dynamic link library file into the memory corresponding to the entry function address of the dynamic link library file, and return the load-success instruction for the dynamic link library file to the system.
In this embodiment, the process of writing the entry function exit instruction of the dynamic link library file into the memory corresponding to the entry function address of the dynamic link library file and returning the load-success instruction for the dynamic link library file to the system is similar to step 103 of the above method embodiment and is not repeated here.
It should be noted that the process of writing the entry function exit instruction of the dynamic link library file into the memory corresponding to the entry function address of the dynamic link library file and returning the load-success instruction for the dynamic link library file to the system can be implemented with the assembly statements mov eax 1 and ret 8. The assembly statement mov eax 1 places the return value in the eax register; the return value is 1, which means the load succeeded. Only when load success is returned here does the DLL loader in the running process consider the DLL to have loaded successfully and show no error prompt; if failure is returned, the system prompts an error. The assembly statement ret 8 makes the system exit the entry function, so the system no longer executes any function in the entry function, including module initialization work. The DLL therefore cannot be loaded, which achieves the interception.
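The following C code is an added example, not code from the patent: it carries out steps 102 and 103 on a constructed in-memory image, walking the PE headers from the image base to find the entry function and overwriting it with the byte encodings of the mov eax 1 and ret 8 statements. The function names, the sample image and the x86 encodings are assumptions of this example; the kernel callback, the decision about which DLL is malicious and page-protection handling are outside its scope.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* x86 encodings of the two statements named in the text (assumed by this example):
   B8 01 00 00 00 = mov eax, 1      C2 08 00 = ret 8 */
static const uint8_t EXIT_STUB[] = {0xB8, 0x01, 0x00, 0x00, 0x00, 0xC2, 0x08, 0x00};

#define PE32_MAGIC     0x10B
#define PE32PLUS_MAGIC 0x20B

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Step 102: starting from the base of a mapped image, return the RVA of the
   entry function, or -1 if the headers are malformed, the image has no entry
   function, or the stub would not fit inside the image. In a driver, base and
   image_size would come from the ImageBase and ImageSize fields of IMAGE_INFO. */
int64_t locate_entry_rva(const uint8_t *base, size_t image_size)
{
    if (image_size < 0x40 || base[0] != 'M' || base[1] != 'Z')
        return -1;
    uint32_t nt = rd32(base + 0x3C);                   /* e_lfanew */
    /* need: signature (4) + file header (20) + first 20 bytes of optional header */
    if (nt > image_size || image_size - nt < 4 + 20 + 20)
        return -1;
    if (memcmp(base + nt, "PE\0\0", 4) != 0)
        return -1;
    if (rd16(base + nt + 4 + 16) < 20)                 /* SizeOfOptionalHeader */
        return -1;
    const uint8_t *opt = base + nt + 24;
    uint16_t magic = rd16(opt);
    if (magic != PE32_MAGIC && magic != PE32PLUS_MAGIC)
        return -1;
    uint32_t entry = rd32(opt + 16);                   /* AddressOfEntryPoint */
    if (entry == 0)                                    /* e.g. resource-only DLL */
        return -1;
    if (entry > image_size || image_size - entry < sizeof EXIT_STUB)
        return -1;
    return (int64_t)entry;
}

/* Step 103: overwrite the first bytes of the entry function with the stub.
   Returns 1 if the stub was written, 0 if the image was rejected. */
int write_exit_stub(uint8_t *base, size_t image_size)
{
    int64_t rva = locate_entry_rva(base, image_size);
    if (rva < 0)
        return 0;
    memcpy(base + rva, EXIT_STUB, sizeof EXIT_STUB);
    return 1;
}

/* Constructed sample: a minimal "mapped" PE32 image of 0x2000 bytes whose
   headers carry only the fields the parser reads. Returns the image size. */
size_t build_sample_image(uint8_t *buf, size_t cap, uint32_t entry_rva)
{
    const size_t size = 0x2000;
    const uint32_t nt = 0x80;
    if (cap < size)
        return 0;
    memset(buf, 0xCC, size);                 /* filler standing in for code */
    memset(buf, 0, 0x200);                   /* header area */
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, nt);
    memcpy(buf + nt, "PE\0\0", 4);
    buf[nt + 4 + 16] = 0xE0;                 /* SizeOfOptionalHeader = 224 */
    buf[nt + 24] = 0x0B; buf[nt + 25] = 0x01;/* Magic = PE32 */
    wr32(buf + nt + 24 + 16, entry_rva);     /* AddressOfEntryPoint */
    return size;
}

int main(void)
{
    static uint8_t img[0x2000];
    size_t n = build_sample_image(img, sizeof img, 0x1000);
    printf("entry RVA: 0x%llx\n", (unsigned long long)locate_entry_rva(img, n));
    printf("stub written: %d\n", write_exit_stub(img, n));
    return 0;
}
```
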
In this embodiment, the entry function exit instruction of the dynamic link library file makes the system exit the entry function without executing any function in it, which realizes the interception of the dynamic link library file. Returning the load-success instruction for the dynamic link library file to the system lets the system determine that the dynamic link library file loaded successfully, so the system does not issue an error prompt because the dynamic link library file was intercepted, which solves the problem of the existing system popping up an error prompt.
It should be noted that the technical solution of the present invention can be applied in a client driver and can support 32-bit systems and 64-bit systems.
Fig. 3 is a structural diagram of embodiment one of the device for intercepting a dynamic link library file of the present invention. As shown in Fig. 3, the device of this embodiment may include a parameter acquiring unit 11, a positioning unit 12 and an information processing unit 13. The parameter acquiring unit 11 is configured to obtain the image information structure parameter in the callback function when the system loads the dynamic link library file through the import table. The positioning unit 12 is configured to locate the entry function address of the dynamic link library file according to the image information structure parameter. The information processing unit 13 is configured to write the entry function exit instruction of the dynamic link library file into the memory corresponding to the entry function address of the dynamic link library file, and to return the load-success instruction for the dynamic link library file to the system.
The device of this embodiment can be used to carry out the technical solution of the method embodiment shown in Fig. 1; its implementation principle and technical effect are similar and are not repeated here.
Fig. 4 is a structural diagram of embodiment two of the device for intercepting a dynamic link library file of the present invention. As shown in Fig. 4, on the basis of the device structure shown in Fig. 3, the device of this embodiment further includes a preset unit 14. The preset unit 14 is configured to preset a load callback module, in which the callback function is defined. The preset load callback module is implemented by calling a kernel function.
It should be noted that the information processing unit includes: an instruction obtaining subunit, configured to obtain the load-success instruction for the dynamic link library file and the entry function exit instruction of the dynamic link library file; an information modifying subunit, configured to write the entry function exit instruction of the dynamic link library file into the memory corresponding to the entry function address of the dynamic link library file; and an information sending subunit, configured to return the load-success instruction for the dynamic link library file to the system, so that the system realizes the interception of the dynamic link library file.
It should also be noted that the load-success instruction for the dynamic link library file carries the load-success flag.
The device of this embodiment can be used to carry out the technical solution of the method embodiment shown in Fig. 1 or Fig. 2; its implementation principle and technical effect are similar and are not repeated here.
In the device for intercepting a dynamic link library file provided by this embodiment of the present invention, when the system loads a dynamic link library file through the import table, the entry function address of the dynamic link library file is located according to the image information structure parameter in the callback function; the entry function exit instruction of the dynamic link library file is written into the memory corresponding to that entry function address, and the load-success instruction for the dynamic link library file is returned to the system. This intercepts the loading of the dynamic link library file and protects the system from being harmed by it. The entry function exit instruction of the dynamic link library file makes the system exit the entry function without executing any function in it. The load-success instruction for the dynamic link library file lets the system determine that the dynamic link library file loaded successfully, so the system does not issue an error prompt because the dynamic link library file was intercepted, which solves the problem of the existing system popping up an error prompt.
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, article or device. Without further limitation, an element defined by the statement "including ..." does not exclude the existence of other identical elements in the process, method, article or device that includes the element.
The embodiments in this specification are described in a related manner; identical or similar parts of the embodiments can be referred to one another, and each embodiment focuses on its differences from the other embodiments.
The device embodiments are described relatively briefly because they are substantially similar to the method embodiments; for the relevant parts, refer to the description of the method embodiments.
The logic and/or steps represented in the flowcharts or otherwise described here can, for example, be regarded as an ordered list of executable instructions for implementing logic functions, and can be embodied in any computer-readable medium for use by, or in combination with, an instruction execution system, device or equipment (such as a computer-based system, a system including a processor, or another system that can fetch instructions from an instruction execution system, device or equipment and execute them). For the purposes of this specification, a "computer-readable medium" can be any means that can contain, store, communicate, propagate or transmit a program for use by, or in combination with, an instruction execution system, device or equipment. More specific examples (a non-exhaustive list) of computer-readable media include the following: an electrical connection (electronic device) with one or more wires, a portable computer diskette (magnetic device), random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and portable compact disc read-only memory (CDROM). In addition, the computer-readable medium can even be paper or another suitable medium on which the program is printed, because the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or, if necessary, processing it in another suitable way, and then stored in computer memory.
It should be understood that each part of the present invention can be implemented in hardware, software, firmware or a combination of them. In the above embodiments, multiple steps or methods can be implemented in software or firmware that is stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another implementation, any one or a combination of the following techniques well known in the art can be used: a discrete logic circuit with logic gates for implementing logic functions on data signals, an application-specific integrated circuit with suitable combinational logic gates, a programmable gate array (PGA), a field programmable gate array (FPGA), and so on.
An embodiment of the present invention also provides terminal equipment, which includes the device described in any of the foregoing embodiments.
Fig. 5 is a structural diagram of one embodiment of the terminal equipment of the present invention, which can implement the flow of the embodiments shown in Figs. 1-2 of the present invention. As shown in Fig. 5, the terminal equipment may include a housing 41, a processor 42, a memory 43, a circuit board 44 and a power circuit 45, wherein the circuit board 44 is placed inside the space enclosed by the housing 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; the power circuit 45 is configured to supply power to each circuit or component of the terminal equipment; the memory 43 is configured to store executable program code; and the processor 42 runs the program corresponding to the executable program code by reading the executable program code stored in the memory 43, in order to perform the method for intercepting a dynamic link library file described in any of the foregoing embodiments.
For the specific process by which the processor 42 performs the above steps, and the steps that the processor 42 further performs by running the executable program code, refer to the description of the embodiments shown in Figs. 1-2 of the present invention; they are not repeated here.
The terminal device exists in a variety of forms, including but not limited to:
(1) Mobile communication devices: devices of this kind have mobile communication capability, and their main goal is to provide voice and data communication. Terminals of this kind include smartphones (such as the iPhone), multimedia phones, feature phones, and low-end phones.
(2) Ultra-mobile personal computer devices: devices of this kind belong to the category of personal computers, have computing and processing functions, and generally also have mobile internet access. Terminals of this kind include PDA, MID and UMPC devices, such as the iPad.
(3) Portable entertainment devices: devices of this kind can display and play multimedia content. They include audio and video players (such as the iPod), handheld devices, e-books, smart toys and portable in-vehicle navigation devices.
(4) Servers: devices that provide computing services. A server comprises a processor, a hard disk, memory, a system bus and so on. Its architecture is similar to that of a general-purpose computer, but because it has to provide highly reliable services, the requirements on processing capability, stability, reliability, security, scalability and manageability are higher.
(5) Other terminal devices with data interaction functions.
Those skilled in the art will understand that all or part of the steps of the above embodiment methods can be completed by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, performs one of the steps of the method embodiment or a combination of them.
The embodiment of the present invention provides a terminal device. When the system loads a dynamic link library file through the import table, the entry function address of the dynamic link library file is located according to the map information structure parameters in the callback function; the entry function exit instruction of the dynamic link library file is written into the memory corresponding to that entry function address, and the load-success instruction of the dynamic link library file is returned to the system. This intercepts the loading of the dynamic link library file and protects the system from being harmed by it. The entry function exit instruction makes the system exit the entry function without executing any other function inside it. The load-success instruction lets the system determine that the dynamic link library file loaded successfully, so the system does not issue an error prompt because the file was intercepted, which solves the problem of existing systems popping up error prompts.
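The locate-and-overwrite steps above, as an added C example that is not code from the patent: it runs in user mode over a constructed byte buffer standing in for the mapped image, whereas the cited reference works from a kernel image-load callback (PsSetLoadImageNotifyRoutine). The function names, the minimal PE sample and the two stub byte sequences (an entry function that returns TRUE immediately) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Little-endian field access without alignment assumptions. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Assumed exit stubs: the entry function returns TRUE at once. */
static const uint8_t STUB32[] = { 0xB8, 1, 0, 0, 0, 0xC2, 0x0C, 0x00 }; /* mov eax,1 ; ret 0Ch (stdcall, 3 args) */
static const uint8_t STUB64[] = { 0xB8, 1, 0, 0, 0, 0xC3 };             /* mov eax,1 ; ret */

/* Locate AddressOfEntryPoint in a mapped PE image. Returns 0 on success, -1 if malformed. */
int locate_entry_rva(const uint8_t *img, size_t size, uint32_t *rva, int *is64) {
    if (size < 0x40 || rd16(img) != 0x5A4D) return -1;       /* "MZ" */
    uint32_t nt = rd32(img + 0x3C);                          /* e_lfanew */
    if (nt > size || size - nt < 44) return -1;              /* need headers up to the field */
    if (rd32(img + nt) != 0x00004550) return -1;             /* "PE\0\0" */
    uint16_t magic = rd16(img + nt + 24);                    /* optional header magic */
    if (magic != 0x10B && magic != 0x20B) return -1;         /* PE32 or PE32+ only */
    *is64 = (magic == 0x20B);
    *rva = rd32(img + nt + 40);                              /* AddressOfEntryPoint */
    return 0;
}

/* Overwrite the entry point with the stub. 0 = patched, 1 = no entry point, -1 = rejected. */
int neutralise_entry(uint8_t *img, size_t size) {
    uint32_t rva; int is64;
    if (locate_entry_rva(img, size, &rva, &is64) != 0) return -1;
    if (rva == 0) return 1;                                  /* DLL without an entry function */
    const uint8_t *stub = is64 ? STUB64 : STUB32;
    size_t n = is64 ? sizeof STUB64 : sizeof STUB32;
    if (rva > size || size - rva < n) return -1;             /* stub must fit inside the view */
    memcpy(img + rva, stub, n);
    return 0;
}

/* Constructed sample: minimal headers only, body filled with 0xCC. Needs size >= 0x100. */
void make_sample(uint8_t *img, size_t size, int is64, uint32_t entry_rva) {
    memset(img, 0xCC, size);
    memset(img, 0, 0x100);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3C, 0x80);                                  /* e_lfanew */
    memcpy(img + 0x80, "PE\0\0", 4);
    img[0x80 + 24] = 0x0B; img[0x80 + 25] = is64 ? 0x02 : 0x01;
    wr32(img + 0x80 + 40, entry_rva);
}

int main(void) {
    uint8_t img[0x400];
    make_sample(img, sizeof img, 0, 0x200);
    int r = neutralise_entry(img, sizeof img);
    printf("result=%d entry bytes start with 0x%02X\n", r, img[0x200]);
    return 0;
}
```

In a kernel callback the same bounds checks would use the image base and image size supplied for the loaded image; page protection on the mapped view is not modelled here.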
For convenience of description, the above apparatus is described as divided by function into various units/modules. Of course, when implementing the present invention, the functions of the units/modules may be realized in one or more pieces of software and/or hardware.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by software plus the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention in essence, or the part of it that contributes over the prior art, can be embodied in the form of a software product. This computer software product can be stored in a storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the methods described in the embodiments of the present invention or in certain parts of the embodiments.
A person of ordinary skill in the art will understand that all or part of the flows of the above embodiment methods can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the flows of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), or the like.
The above is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited to it. Any change or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (9)
1. A method for intercepting a dynamic link library file, characterized by comprising:
when the system loads a dynamic link library file through the import table, obtaining the map information structure parameters in a callback function;
locating the entry function address of the dynamic link library file according to the map information structure parameters;
writing the entry function exit instruction of the dynamic link library file into the memory corresponding to the entry function address of the dynamic link library file, and returning the load-success instruction of the dynamic link library file to the system.
2. The method for intercepting a dynamic link library file according to claim 1, characterized in that, before the obtaining of the map information structure parameters in the callback function, the method further comprises:
presetting a load callback module, the callback function being defined in the load callback module.
3. The method for intercepting a dynamic link library file according to claim 2, characterized in that the preset load callback module is implemented by calling a kernel function.
4. The method for intercepting a dynamic link library file according to any one of claims 1-3, characterized in that the step of writing the entry function exit instruction of the dynamic link library file into the memory corresponding to the entry function address of the dynamic link library file, and returning the load-success instruction of the dynamic link library file to the system, comprises:
obtaining the load-success instruction of the dynamic link library file and the entry function exit instruction of the dynamic link library file;
writing the entry function exit instruction of the dynamic link library file into the memory corresponding to the entry function address of the dynamic link library file;
returning the load-success instruction of the dynamic link library file to the system, so that the system realizes the interception of the dynamic link library file.
5. An apparatus for intercepting a dynamic link library file, characterized by comprising:
a parameter acquisition unit, configured to obtain the map information structure parameters in a callback function when the system loads a dynamic link library file through the import table;
a positioning unit, configured to locate the entry function address of the dynamic link library file according to the map information structure parameters;
an information processing unit, configured to write the entry function exit instruction of the dynamic link library file into the memory corresponding to the entry function address of the dynamic link library file, and to return the load-success instruction of the dynamic link library file to the system.
6. The apparatus for intercepting a dynamic link library file according to claim 5, characterized in that the apparatus further comprises:
a presetting unit, configured to preset a load callback module, the callback function being defined in the load callback module.
7. The apparatus for intercepting a dynamic link library file according to claim 6, characterized in that the preset load callback module is implemented by calling a kernel function.
8. The apparatus for intercepting a dynamic link library file according to any one of claims 5-7, characterized in that the information processing unit comprises:
an instruction acquisition subunit, configured to obtain the load-success instruction of the dynamic link library file and the entry function exit instruction of the dynamic link library file;
an information modification subunit, configured to write the entry function exit instruction of the dynamic link library file into the memory corresponding to the entry function address of the dynamic link library file;
an information sending subunit, configured to return the load-success instruction of the dynamic link library file to the system, so that the system realizes the interception of the dynamic link library file.
9. A terminal device, characterized in that the terminal device comprises: a housing, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power circuit supplies power to each circuit or component of the terminal device; the memory stores executable program code; and the processor reads the executable program code stored in the memory and runs the program corresponding to it, in order to perform the method for intercepting a dynamic link library file according to any one of the preceding claims 1-5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610482951.6A CN106203069B (en) | 2016-06-27 | 2016-06-27 | Method, device and terminal device for intercepting a dynamic link library file |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106203069A (en) | 2016-12-07 |
CN106203069B (en) | 2019-10-15 |
Family
ID=57461353
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610482951.6A Active CN106203069B (en) | Method, device and terminal device for intercepting a dynamic link library file | 2016-06-27 | 2016-06-27 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106203069B (en) |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1886728A (en) * | 2003-09-04 | 2006-12-27 | 科学园株式会社 | False code prevention method and prevention program and the program recording medium |
US20080016314A1 (en) * | 2006-07-12 | 2008-01-17 | Lixin Li | Diversity-based security system and method |
CN104252477A (en) * | 2013-06-27 | 2014-12-31 | 贝壳网际(北京)安全技术有限公司 | Method and device for controlling webpage pop-up window |
CN104123492A (en) * | 2014-07-21 | 2014-10-29 | 蓝盾信息安全技术有限公司 | Windows process protection method |
CN105204903A (en) * | 2015-09-24 | 2015-12-30 | 北京金山安全软件有限公司 | Process module loading interception method and device |
Non-Patent Citations (1)
Title |
---|
ZAZAZABO et al.: "How to use the image-load callback (PsSetLoadImageNotifyRoutine) to intercept DLL loading", HTTPS://BBS.PEDIY.COM/THREAD-208240.HTM * |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108491237A (en) * | 2018-03-29 | 2018-09-04 | 山东华软金盾软件股份有限公司 | A kind of hidden Dll file method for implanting |
CN108491237B (en) * | 2018-03-29 | 2020-11-27 | 山东华软金盾软件股份有限公司 | Hidden Dll file injection method |
CN112506448A (en) * | 2020-12-01 | 2021-03-16 | 北京鸿腾智能科技有限公司 | Printing auditing method, equipment, storage medium and device based on printer |
CN113778870A (en) * | 2021-09-07 | 2021-12-10 | 杭州雾联科技有限公司 | Blue screen callback method, device, equipment and computer readable storage medium |
CN114816401A (en) * | 2022-04-13 | 2022-07-29 | 上海弘玑信息技术有限公司 | Interface element positioning method, electronic equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN106203069B (en) | 2019-10-15 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
TA01 | Transfer of patent application right | Effective date of registration: 20190110; Address after: 519031 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province; Applicant after: Zhuhai Leopard Technology Co.,Ltd.; Address before: 100085 East District, No. 33 Xiaoying West Road, Haidian District, Beijing; Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd. |
GR01 | Patent grant | ||