CN106203077B - A kind of processing method of Copy Info, device and electronic equipment - Google Patents
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Abstract
Embodiments of the present invention disclose a method, device and electronic device for processing duplication information. They relate to information security technology and can improve the security protection efficiency of an operating system. The method includes: when a pre-injected hook function detects a call to the kernel object-duplication function, hooking that function; monitoring whether the function succeeds in duplicating a target process handle and, if so, judging whether the successfully duplicated target process handle matches any protected process handle in a preset protected process handle library; if it matches, obtaining the process path information of the duplicated target process handle and extracting the application to be verified that the path maps to; and, if the extracted application is identical to any application to be intercepted in a preset intercept application library, closing the duplicated target process handle. The invention is suitable for monitoring whether a target process handle is being duplicated illegally.
Description
Technical field
The present invention relates to information security technology, and in particular to a method, device and electronic device for processing duplication information.
Background technique
As the technical details of the operating system kernel layer are gradually disclosed, more and more malicious applications such as trojans have begun to use kernel-layer drivers to protect their own processes. A malicious process protected by a kernel-layer driver can terminate (kill) other processes in the operating system, so it can attack user processes or system processes according to the intention of the malware provider, which may make the computer unstable or even leak user information and cause the user large economic losses. For example, in an operating system the graphics management process (csrss.exe) holds the handles of all processes, and a process can specify a target process handle in the handle duplication function (DuplicateHandle) and thereby obtain a duplicate of that handle, which other processes can then use. In this way the process of a malicious application can call the handle duplication function to duplicate, from the graphics management process into its current process, the target process handle of the target application it wants to control, thereby indirectly obtaining the target process handle and control of the corresponding target process, for example starting or terminating the target application mapped to that process. Here a process is the running activity of an application program on a set of data; it is the basic unit of resource allocation and scheduling in the Windows operating system and the foundation of its structure. In early process-oriented computer architectures the process was the basic execution entity of an application; in contemporary thread-oriented architectures the process is the container of threads. That is, an application program is a description of instructions, data and their organization, while a process is the entity of the application program.
Because the function in the operating system kernel that corresponds to the handle duplication function (DuplicateHandle) is the kernel object-duplication function (NtDuplicateObject), an application-layer process that calls the handle duplication function to duplicate a target process handle in fact has the handle duplication function call the kernel object-duplication function to complete the duplication. A malicious application can exploit this principle and call the kernel object-duplication function directly to gain control of the target application, so the security protection efficiency of the operating system is low and its security is weak.
Summary of the invention
In view of this, embodiments of the present invention provide a method, device and electronic device for processing duplication information that can improve the security protection efficiency of an operating system, solving the problem that in existing methods for processing duplication information control of a target application can be gained by calling the kernel object-duplication function directly, which lowers the security protection efficiency of the operating system.
In a first aspect, an embodiment of the present invention provides a method for processing duplication information, comprising:
when a pre-injected hook function detects a call to the kernel object-duplication function, hooking the kernel object-duplication function;
monitoring whether the kernel object-duplication function succeeds in duplicating a target process handle and, if so, judging whether the successfully duplicated target process handle matches any protected process handle in a preset protected process handle library;
if it matches, obtaining the process path information of the successfully duplicated target process handle and extracting the application to be verified that the process path information maps to;
if the extracted application to be verified is identical to any application to be intercepted in a preset intercept application library, closing the successfully duplicated target process handle.
With reference to the first aspect, in a first embodiment of the first aspect, judging whether the successfully duplicated target process handle matches any protected process handle in the preset protected process handle library comprises:
traversing the preset protected process handle library;
if any protected process handle in the protected process handle library is identical to the successfully duplicated target process handle, determining that the successfully duplicated target process handle matches a protected process handle in the preset protected process handle library;
if all protected process handles in the protected process handle library differ from the successfully duplicated target process handle, determining that the successfully duplicated target process handle matches none of the protected process handles in the preset protected process handle library.
With reference to the first aspect, in a second embodiment of the first aspect, obtaining the process path information of the successfully duplicated target process handle comprises:
obtaining the process path information by means of the kernel object of the successfully duplicated target process handle.
With reference to the first aspect, in a third embodiment of the first aspect, the method further comprises:
if the extracted application differs from every application to be intercepted in the preset intercept application library, allowing the application to be verified to copy the successfully duplicated target process handle into the current process of the application to be verified.
With reference to the first aspect or any of its first to third embodiments, in a fourth embodiment of the first aspect, after the extracted application to be verified has been found identical to any application to be intercepted in the preset intercept application library and before the successfully duplicated target process handle is closed, the method further comprises:
displaying the extracted application to be verified and prompting that it is about to write the successfully duplicated target process handle;
receiving the instruction chosen by the user; if the instruction is an allow instruction, notifying the extracted application to be verified to write the successfully duplicated target process handle into the current process; if the instruction is a refuse instruction, performing the step of closing the successfully duplicated target process handle.
In a second aspect, an embodiment of the present invention provides a device for processing duplication information, comprising a hook module, a matching module, an application extraction module and a process handle processing module, wherein:
the hook module is configured to hook the kernel object-duplication function when a pre-injected hook function detects a call to it;
the matching module is configured to monitor whether the kernel object-duplication function succeeds in duplicating a target process handle and, if so, to judge whether the successfully duplicated target process handle matches any protected process handle in a preset protected process handle library;
the application extraction module is configured, if it matches, to obtain the process path information of the successfully duplicated target process handle and to extract the application to be verified that the process path information maps to;
the process handle processing module is configured to close the successfully duplicated target process handle if the extracted application to be verified is identical to any application to be intercepted in a preset intercept application library.
In conjunction with the second aspect, in a first embodiment of the second aspect, the matching module comprises a monitoring unit, a traversal unit and a matching unit, wherein:
the monitoring unit is configured to monitor whether the kernel object-duplication function succeeds in duplicating a target process handle;
the traversal unit is configured, if so, to traverse the preset protected process handle library;
the matching unit is configured to determine that the successfully duplicated target process handle matches a protected process handle in the preset protected process handle library if any protected process handle in the library is identical to it, and to determine that it matches none of the protected process handles in the library if all of them differ from it.
In conjunction with the second aspect, in a second embodiment of the second aspect, the application extraction module comprises a process path information acquisition unit and an application extraction unit, wherein:
the process path information acquisition unit is configured, if it matches, to obtain the process path information by means of the kernel object of the successfully duplicated target process handle;
the application extraction unit is configured to extract the application to be verified that the process path information maps to.
In conjunction with the second aspect, in a third embodiment of the second aspect, the process handle processing module is further configured, if the extracted application differs from every application to be intercepted in the preset intercept application library, to allow the application to be verified to copy the successfully duplicated target process handle into the current process of the application to be verified.
In conjunction with the second aspect or any of its first to third embodiments, in a fourth embodiment of the second aspect, the process handle processing module comprises a matching processing unit, a display unit, an instruction receiving unit, a writing unit and a process handle closing unit, wherein:
the matching processing unit is configured to notify the display unit if the extracted application to be verified is identical to any application to be intercepted in the preset intercept application library;
the display unit is configured to display the extracted application to be verified and to prompt that it is about to write the successfully duplicated target process handle;
the instruction receiving unit is configured to receive the instruction selected by the user, to notify the writing unit if the instruction is an allow instruction, and to notify the process handle closing unit if the instruction is a refuse instruction;
the writing unit is configured to allow the extracted application to be verified to write the successfully duplicated target process handle into the current process;
the process handle closing unit is configured to close the successfully duplicated target process handle.
In a third aspect, an embodiment of the present invention provides an electronic device comprising a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, the processor and the memory are arranged on the circuit board, the power supply circuit supplies power to each circuit or component of the electronic device, the memory stores executable program code, and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the following operations:
when a pre-injected hook function detects a call to the kernel object-duplication function, hooking the kernel object-duplication function;
monitoring whether the kernel object-duplication function succeeds in duplicating a target process handle and, if so, judging whether the successfully duplicated target process handle matches any protected process handle in a preset protected process handle library;
if it matches, obtaining the process path information of the successfully duplicated target process handle and extracting the application to be verified that the process path information maps to;
if the extracted application to be verified is identical to any application to be intercepted in a preset intercept application library, closing the successfully duplicated target process handle.
In a fourth aspect, an embodiment of the present invention further provides a storage medium for storing an application program, the application program being used to execute a method for processing duplication information provided by an embodiment of the present invention.
In a fifth aspect, an embodiment of the present invention further provides an application program for executing a method for processing duplication information provided by an embodiment of the present invention.
The method, device and electronic device for processing duplication information provided by embodiments of the present invention hook the kernel object-duplication function when a pre-injected hook function detects a call to it; monitor whether the kernel object-duplication function succeeds in duplicating a target process handle and, if so, judge whether the successfully duplicated target process handle matches any protected process handle in a preset protected process handle library; if it matches, obtain the process path information of the successfully duplicated target process handle and extract the application to be verified that the process path information maps to; and, if the extracted application to be verified is identical to any application to be intercepted in a preset intercept application library, close the successfully duplicated target process handle. This improves the security protection efficiency of the operating system and solves the problem that, in existing methods for processing duplication information, control of a target application can be gained by calling the kernel object-duplication function directly, which lowers the security protection efficiency of the operating system.
Detailed description of the invention
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of the method for processing duplication information in embodiment one of the present invention;
Fig. 2 is a structural diagram of the device for processing duplication information in embodiment two of the present invention;
Fig. 3 is a structural schematic diagram of an embodiment of the electronic device of the present invention.
Specific embodiment
Embodiments of the present invention are described in detail below with reference to the drawings.
It should be understood that the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments that those of ordinary skill in the art obtain from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Embodiment one
Fig. 1 is a flow diagram of the method for processing duplication information in embodiment one of the present invention. As shown in Fig. 1, the method of this embodiment may comprise:
Step 101: when a pre-injected hook function detects a call to the kernel object-duplication function, hook the kernel object-duplication function.
In this step, as an optional embodiment, the kernel object-duplication function includes the kernel NtDuplicateObject function.
In this embodiment, as an optional embodiment, the hook function is located in the kernel layer of the operating system.
In embodiments of the present invention, the injected hook function monitors application-layer processes, that is, the function-call operations of application-layer processes. When a function called by an application-layer process matches any preset function, the call is intercepted and diverted to the injected hook function for processing, and the corresponding processing result is returned.
As an optional embodiment, the hook function may be injected when the defence driver of a security application is loaded. A hook function is a segment of program code within the message-handling mechanism of the Windows operating system: the driver can set up such a code segment to monitor certain messages (operations) of a specified window, and the monitored window may have been created by another process. Through the hook mechanism, the Windows operating system links hook functions, which have priority control, into the system, so that a hook function can intercept messages or particular events issued by the operating system. Whenever a message or particular event is issued, the hook function captures it before it reaches the destination window; it can then process (modify) the message or event, leave it unchanged and pass it on, or force delivery of the message or event to end.
In embodiments of the present invention, a hook function is injected into the defence driver to hook the kernel object-duplication function. When the application-layer process of an application sends a process handle duplication request to the operating system, the operating system creates the corresponding application-layer process according to the received request, and when that application-layer process calls the kernel object-duplication function to duplicate a target process handle, the hook function of the embodiment is called first, so that the call is handled according to the interception rules of the hook function.
In embodiments of the present invention, as an optional embodiment, the application-layer process is the process that the operating system creates according to a process handle duplication request when an application sends such a request to the operating system.
As an optional embodiment, the application-layer process calling the kernel object-duplication function comprises: the application-layer process calling the kernel object-duplication function directly.
As another optional embodiment, the application-layer process calling the kernel object-duplication function comprises: the application-layer process calling the handle duplication function, and the handle duplication function calling the kernel object-duplication function.
Step 102: monitor whether the kernel object-duplication function succeeds in duplicating the target process handle and, if so, judge whether the successfully duplicated target process handle matches any protected process handle in a preset protected process handle library.
In embodiments of the present invention, after the kernel object-duplication function has been hooked, it is monitored: by traversing the process handles held by the graphics management process, it is judged whether the kernel object-duplication function can find the target process handle among them. If it can be found, the target process handle can be duplicated successfully; if it cannot be found, the flow ends.
After the kernel object-duplication function has found the target process handle among the process handles held by the graphics management process, it must be determined whether the found target process handle is a process handle that needs protection. If it is not, the kernel object-duplication function may be allowed to copy the target process handle into the current process that called it, so that the target process or target application corresponding to the target process handle can be controlled. If the found target process handle is a process handle that needs protection, it is handled according to the method of this embodiment.
In this embodiment, as an optional embodiment, judging whether the successfully duplicated target process handle matches any protected process handle in the preset protected process handle library comprises:
traversing the preset protected process handle library;
if any protected process handle in the protected process handle library is identical to the successfully duplicated target process handle, determining that the successfully duplicated target process handle matches a protected process handle in the preset protected process handle library;
if all protected process handles in the protected process handle library differ from the successfully duplicated target process handle, determining that the successfully duplicated target process handle matches none of the protected process handles in the preset protected process handle library.
In this embodiment, as an optional embodiment, the protected process handle library may be configured according to the user's security needs and the security of the operating system.
Step 103: if it matches, obtain the process path information of the successfully duplicated target process handle and extract the application to be verified that the process path information maps to.
In this step, as an optional embodiment, obtaining the process path information of the successfully duplicated target process handle comprises:
obtaining the process path information by means of the kernel object of the successfully duplicated target process handle.
In embodiments of the present invention, by obtaining the process path information of the successfully duplicated target process handle, the application that sent the process handle duplication request to request duplication of the process handle can be identified, so that it can be judged from the identified application whether it is a malicious application.
Step 104: if the extracted application to be verified is identical to any application to be intercepted in a preset intercept application library, close the successfully duplicated target process handle.
In this embodiment, closing the successfully duplicated target process handle refuses the call that the application to be verified made to the kernel object-duplication function.
In this embodiment, the extracted application to be verified is searched for and matched in the intercept application library, to judge whether the application corresponding to the application-layer process that called the kernel object-duplication function is an application to be intercepted. If it is identical to none of the applications to be intercepted in the preset intercept application library, the application that initiated the process handle duplication request can be determined to be a normal application, and normal duplication of the target process handle proceeds.
Thus, as an optional embodiment, the method may further comprise:
if the extracted application differs from every application to be intercepted in the preset intercept application library, allowing the application to be verified to copy the successfully duplicated target process handle into the current process of the application to be verified.
In this embodiment, the current process is the process of the application that initiated the call to the kernel object-duplication function.
In this embodiment, if the extracted application is identical to any application to be intercepted in the preset intercept application library, the application-layer process corresponding to the application to be verified is considered a malicious process and is intercepted: the successfully duplicated target process handle is closed, the operation is terminated and a refusal is returned, so that the application's process handle duplication request is refused and its request to duplicate the process handle fails.
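The decision logic of steps 102 to 104, including the optional user prompt and the optional report to the network server, written out as a user-mode model. This is an added example, not the patent's code: it contains no kernel hook, the requester's image path is supplied by the caller instead of being resolved from the kernel object, and all handle values, paths and library contents are constructed sample data.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the hook's decision after the duplication call returns. */
typedef enum {
    ACTION_IGNORE, /* duplication failed: nothing was copied, the flow ends */
    ACTION_ALLOW,  /* requester may keep the duplicated handle in its process */
    ACTION_CLOSE   /* duplicated handle is closed, the request is refused */
} dup_action;
static const char *const k_action_name[] = { "IGNORE", "ALLOW", "CLOSE" };

/* One observed call to the hooked kernel object-duplication function. In the
 * patent the requester path is resolved from the kernel object inside the
 * driver; here the caller of this model supplies it (assumption). */
typedef struct {
    unsigned long target_handle;  /* process handle that was duplicated */
    bool          succeeded;      /* did the duplication succeed? */
    const char   *requester_path; /* image path of the requesting process */
} dup_event;

/* Policy: protected process handle library + intercept application library. */
typedef struct {
    const unsigned long *protected_handles;
    size_t               n_protected;
    const char *const   *intercept_apps; /* image names or full paths */
    size_t               n_intercept;
    bool (*ask_user)(const char *requester_path); /* NULL: close without asking */
} policy;

/* Stand-in for the report uploaded to the network server when a handle is closed. */
#define MAX_REPORTS 16
static const char *g_reports[MAX_REPORTS];
static size_t g_n_reports;
size_t report_count(void) { return g_n_reports; }
const char *last_report(void) { return g_n_reports ? g_reports[g_n_reports - 1] : NULL; }
static void report_closed_handle(const char *requester_path) {
    if (g_n_reports < MAX_REPORTS) g_reports[g_n_reports++] = requester_path;
}

/* Step 102: traverse the protected process handle library for an identical value. */
bool handle_is_protected(const policy *p, unsigned long h) {
    for (size_t i = 0; i < p->n_protected; i++)
        if (p->protected_handles[i] == h) return true;
    return false;
}

/* Windows image names are case-insensitive; compare only the last path component. */
static const char *image_name(const char *path) {
    const char *s = strrchr(path, '\\');
    return s ? s + 1 : path;
}
static bool name_eq_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b; /* true only if both strings ended together */
}

/* Step 104: is the application mapped by the path in the intercept library? */
bool app_is_intercepted(const policy *p, const char *requester_path) {
    const char *name = image_name(requester_path);
    for (size_t i = 0; i < p->n_intercept; i++)
        if (name_eq_nocase(name, image_name(p->intercept_apps[i]))) return true;
    return false;
}

/* Steps 102-104 as one decision, with the optional user prompt and server report. */
dup_action filter_duplicate(const dup_event *ev, const policy *p) {
    if (!ev->succeeded) return ACTION_IGNORE;                               /* nothing duplicated */
    if (!handle_is_protected(p, ev->target_handle)) return ACTION_ALLOW;     /* not a protected handle */
    if (!app_is_intercepted(p, ev->requester_path)) return ACTION_ALLOW;     /* normal application */
    if (p->ask_user && p->ask_user(ev->requester_path)) return ACTION_ALLOW; /* user chose allow */
    report_closed_handle(ev->requester_path);                                /* optional report */
    return ACTION_CLOSE;
}

/* Constructed sample libraries and prompt callbacks (not from the patent). */
static const unsigned long k_protected[] = { 0x2b0, 0x1a4 };
static const char *const k_intercept[] = { "dropper.exe", "C:\\Tools\\inject.exe" };
static bool deny_all(const char *path)  { (void)path; return false; }
static bool allow_all(const char *path) { (void)path; return true; }
const policy g_policy_silent       = { k_protected, 2, k_intercept, 2, NULL };
const policy g_policy_prompt_deny  = { k_protected, 2, k_intercept, 2, deny_all };
const policy g_policy_prompt_allow = { k_protected, 2, k_intercept, 2, allow_all };

/* Build an event and run it through the filter. */
dup_action simulate(unsigned long target, bool ok, const char *requester, const policy *p) {
    dup_event ev = { target, ok, requester };
    return filter_duplicate(&ev, p);
}

int main(void) {
    const char *req = "C:\\Users\\u\\AppData\\Local\\Temp\\DROPPER.EXE"; /* constructed path */
    printf("%s -> %s\n", req, k_action_name[simulate(0x2b0, true, req, &g_policy_silent)]);
    return 0;
}
```

Note that a duplication of a handle outside the protected library is never examined, exactly as in step 102, so the protected process handle library, not the intercept library, decides which requests are looked at.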
For example, suppose an application A exists on a user's electronic device and a hook function has been injected into the defence driver of a security application to hook the kernel object-duplication function that performs process handle duplication. When the process of application A notifies the driver corresponding to the application to call the kernel object-duplication function to duplicate a process handle, the hook function injected into the security application's defence driver examines the process path information of the successfully duplicated process handle; if the application corresponding to the process path information matches the intercept application library, a refusal is returned, so that application A cannot write the duplicated process handle into its current process, and the security of the operating system is improved.
In embodiments of the present invention, as an optional embodiment, the intercept application library may be formed by technical personnel at a network server: by analysing the operation of each application, the server automatically selects applications that may pose a potential security threat to user information, forms them into the intercept application library and issues it to each electronic device, and the electronic device receives and saves the intercept application library issued by the network server. Of course, in practical applications the intercept application library may also be set locally by the user; embodiments of the present invention do not limit this.
As another optional embodiment, if the intercept application library is set locally by the user, the method may further comprise:
reporting the application information corresponding to the closed, successfully duplicated target process handle to a preset network server.
In this step, the user, or the operating system automatically, reports the relevant information about the application corresponding to the closed, successfully duplicated target process handle, so that the network server can collect the application information reported by each electronic device, determine from the statistics which applications are malicious, and set a risk prompt for each malicious application. The corresponding risk is then prompted when a user downloads the malicious application, for example that the application automatically calls the kernel object-duplication function to duplicate process handles, so the user can consider carefully whether to download it and avoid the security risk it would bring to the electronic device.
As an alternative embodiment, if the extracted application to be verified is identical to any application in the pre-set library of applications to be intercepted, then before the successfully duplicated target process handle is closed, the method further includes:
Displaying the extracted application to be verified and prompting that the extracted application to be verified is about to write the successfully duplicated target process handle;
Receiving the instruction chosen by the user; if the instruction is an allow instruction, notifying the extracted application to be verified to write the successfully duplicated target process handle into the current process; if the instruction is a refusal instruction, executing the step of closing the successfully duplicated target process handle.
From the above it can be seen that, in the method for processing duplication information of the embodiment of the present invention, when the pre-injected hook function detects a call to the kernel duplicate-object function, the kernel duplicate-object function is hooked; it is monitored whether the kernel duplicate-object function succeeds in duplicating the target process handle and, if so, it is judged whether the successfully duplicated target process handle matches any protected process handle in the pre-set protected process handle library; if it matches, the process path information of the successfully duplicated target process handle is obtained and the application to be verified that the process path information maps to is extracted; if the extracted application to be verified is identical to any application in the pre-set library of applications to be intercepted, the successfully duplicated target process handle is closed. In this way, by hooking the kernel duplicate-object function, when an application calls it to duplicate a process handle, the behaviour of the application writing the successfully duplicated process handle into its current process can be intercepted in time and the operating system is protected from being damaged, which better protects the safety of the operating system, improves its security protection efficiency and enhances its safety.
Embodiment two
Fig. 2 is a structural diagram of the duplication-information processing device of embodiment two of the present invention. As shown in Fig. 2, the device of this embodiment may include: a hooking module 21, a matching module 22, an application extraction module 23 and a process handle processing module 24, wherein
The hooking module 21 is used to hook the kernel duplicate-object function when the pre-injected hook function detects that the kernel duplicate-object function is called;
In this embodiment, as an alternative embodiment, the kernel duplicate-object function is the kernel NtDuplicateObject function.
In this embodiment, as an alternative embodiment, the hook function is located in the kernel layer of the operating system.
As an alternative embodiment, the hook function can be injected when the defense driver of the security application is loaded.
In the embodiment of the present invention, as an alternative embodiment, the application-layer process is the process that the operating system creates according to a process handle duplication request when an application sends that request to the operating system.
As an alternative embodiment, calling the kernel duplicate-object function includes:
The application-layer process directly calling the kernel duplicate-object function; or
The application-layer process calling a handle copy function, which in turn calls the kernel duplicate-object function.
The matching module 22 is used to monitor whether the kernel duplicate-object function succeeds in duplicating the target process handle and, if so, to judge whether the successfully duplicated target process handle matches any protected process handle in the pre-set protected process handle library;
In the embodiment of the present invention, after the kernel duplicate-object function is hooked it is monitored: by traversing the process handles saved by the graphics management process, it is judged whether the target process handle can be found among them. If it can be found, this shows that the target process handle was successfully duplicated; if it cannot be found, the procedure ends.
In this embodiment, as an alternative embodiment, the matching module 22 includes a monitoring unit, a traversal unit and a matching unit (not shown), wherein
The monitoring unit is used to monitor whether the kernel duplicate-object function succeeds in duplicating the target process handle;
The traversal unit is used, if so, to traverse the pre-set protected process handle library;
The matching unit is used to determine that the successfully duplicated target process handle matches a protected process handle in the pre-set protected process handle library if any protected process handle in the library is identical to it, and to determine that the successfully duplicated target process handle does not match any protected process handle in the pre-set library if all protected process handles in the library differ from it.
The application extraction module 23 is used, if there is a match, to obtain the process path information of the successfully duplicated target process handle and to extract the application to be verified that the process path information maps to;
In this embodiment, as an alternative embodiment, the application extraction module 23 includes a process path information acquisition unit and an application extraction unit (not shown), wherein
The process path information acquisition unit is used, if there is a match, to obtain the process path information using the kernel object of the successfully duplicated target process handle;
The application extraction unit is used to extract the application to be verified that the process path information maps to.
The process handle processing module 24 is used to close the successfully duplicated target process handle if the extracted application to be verified is identical to any application to be intercepted in the pre-set library of applications to be intercepted.
In this embodiment, closing the successfully duplicated target process handle achieves the purpose of refusing the application's call to the kernel duplicate-object function. That is, in this embodiment, if the extracted application is identical to any application in the pre-set library of applications to be intercepted, the application-layer process is regarded as a malicious application process and is intercepted: the successfully duplicated target process handle is closed, the operation is terminated and refusal is returned, so that the application's process handle duplication request is refused and its request to duplicate the process handle fails.
In this embodiment, as an alternative embodiment, the process handle processing module 24 includes a match processing unit, a display unit, an instruction receiving unit, a writing unit and a process handle closing unit (not shown), wherein
The match processing unit is used to notify the display unit if the extracted application to be verified is identical to any application to be intercepted in the pre-set library of applications to be intercepted;
The display unit is used to display the extracted application to be verified and to prompt that the extracted application to be verified is about to write the successfully duplicated target process handle;
The instruction receiving unit is used to receive the instruction selected by the user and, if the instruction is an allow instruction, to notify the writing unit, or, if the instruction is a refusal instruction, to notify the refusal unit (the process handle closing unit);
The writing unit is used to allow the extracted application to be verified to write the successfully duplicated target process handle into the current process;
The process handle closing unit is used to close the successfully duplicated target process handle.
In this embodiment, as an alternative embodiment, the process handle processing module 24 is further used, if the extracted application to be verified differs from every application to be intercepted in the pre-set library of applications to be intercepted, to allow (or notify) the application to be verified to copy the successfully duplicated target process handle into the current process of the application to be verified.
In this embodiment, the extracted application to be verified is looked up in the library of applications to be intercepted, to judge whether the application corresponding to the application-layer process that called the kernel duplicate-object function is an application to be intercepted. If it is not identical to any application to be intercepted in the pre-set library, the application that initiated the process handle duplication request can be determined to be a normal application, and normal duplication of the target process handle proceeds.
In this embodiment, as yet another alternative embodiment, the process handle processing module 24 may also be used to report the information of the closed, successfully duplicated target process handle to a pre-set network server.
The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 1; its realisation principle and technical effect are similar and are not described again here.
It should be noted that, in this document, relational terms such as first and second are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restriction, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
Each embodiment in this specification is described in a related manner; the same or similar parts of the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments.
Since the device embodiment is substantially similar to the method embodiment, its description is relatively simple; for the relevant parts, refer to the explanation of the method embodiment.
The logic and/or steps shown in the flowcharts or described otherwise herein may, for example, be regarded as an ordered list of executable instructions for realising the logic functions, and may be embodied in any computer-readable medium for use by, or in connection with, an instruction execution system, device or apparatus (such as a computer-based system, a system including a processor, or another system that can fetch instructions from the instruction execution system, device or apparatus and execute them). For the purposes of this specification, a "computer-readable medium" may be any means that can contain, store, communicate, propagate or transmit a program for use by, or in connection with, an instruction execution system, device or apparatus. More specific examples (a non-exhaustive list) of the computer-readable medium include: an electrical connection with one or more wires (electronic device), a portable computer diskette (magnetic device), random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), a fiber-optic device, and portable compact disc read-only memory (CDROM). In addition, the computer-readable medium may even be paper or another suitable medium on which the program can be printed, because the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or otherwise processing it as necessary, and then stored in computer memory.
It should be understood that each part of the present invention can be realised with hardware, software, firmware or a combination of them.
In the above embodiments, multiple steps or methods can be realised with software or firmware that is stored in memory and executed by a suitable instruction execution system. For example, if realised with hardware, as in another embodiment, any one of the following technologies well known in the art, or a combination of them, can be used: discrete logic circuits with logic gates for realising logic functions on data signals, application-specific integrated circuits with suitable combinational logic gates, programmable gate arrays (PGA), field programmable gate arrays (FPGA), and so on.
The embodiment of the present invention also provides an electronic device, which includes the device described in any of the preceding embodiments.
Fig. 3 is a structural schematic diagram of an embodiment of the electronic device of the present invention, which can implement the procedures of the embodiments shown in Figs. 1 and 2 of the present invention. As shown in Fig. 3, the electronic device may include: a housing 31, a processor 32, a memory 33, a circuit board 34 and a power supply circuit 35, wherein the circuit board 34 is placed inside the space enclosed by the housing 31, and the processor 32 and the memory 33 are arranged on the circuit board 34; the power supply circuit 35 supplies power to each circuit or device of the electronic device; the memory 33 stores executable program code; and the processor 32 runs the program corresponding to the executable program code by reading the executable program code stored in the memory 33, so as to perform the following operations:
When the pre-injected hook function detects a call to the kernel duplicate-object function, hooking the kernel duplicate-object function;
Monitoring whether the kernel duplicate-object function succeeds in duplicating the target process handle and, if so, judging whether the successfully duplicated target process handle matches any protected process handle in the pre-set protected process handle library;
If it matches, obtaining the process path information of the successfully duplicated target process handle and extracting the application to be verified that the process path information maps to;
If the extracted application to be verified is identical to any application to be intercepted in the pre-set library of applications to be intercepted, closing the successfully duplicated target process handle.
For the specific process by which the processor 32 executes the above steps, and for the further steps the processor 32 executes by running the executable program code, refer to the description of the embodiments shown in Figs. 1 and 2 of the present invention, which is not repeated here.
The electronic device exists in various forms, including but not limited to:
(1) Mobile communication devices: devices characterised by mobile communication functions, whose main goal is to provide voice and data communication. This type of terminal includes smart phones (such as the iPhone), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: devices that belong to the category of personal computers, have computing and processing functions and generally also have mobile Internet access. This type of terminal includes PDA, MID and UMPC devices, such as the iPad.
(3) Portable entertainment devices: devices that can display and play multimedia content. This type of device includes audio and video players (such as the iPod), handheld devices, e-book readers, smart toys and portable in-car navigation devices.
(4) Servers: devices that provide computing services. A server consists of a processor, hard disk, memory, system bus and so on, and is similar in architecture to a general-purpose computer, but because it must provide highly reliable services it has higher requirements on processing capacity, stability, reliability, security, scalability and manageability.
(5) Other electronic devices with data interaction functions.
The embodiment of the present invention also provides a storage medium for storing an application program, the application program being used to execute the method for processing duplication information provided by the embodiment of the present invention.
The embodiment of the present invention also provides an application program for executing the method for processing duplication information provided by the embodiment of the present invention.
Those skilled in the art will understand that all or part of the steps of the methods of the above embodiments can be completed by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium and, when executed, performs one of the steps of the method embodiments or a combination of them.
For convenience of description, the device above is described as divided into various units/modules by function. Of course, when implementing the present invention, the functions of the units/modules can be realised in one or more pieces of software and/or hardware.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be realised by means of software plus the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, including instructions that cause a computer device (which may be a personal computer, a server or a network device) to execute the methods described in the embodiments, or in certain parts of the embodiments, of the present invention.
The above is merely a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto; any change or substitution that can easily be thought of by those familiar with the art within the technical scope disclosed by the present invention should be included in the scope of protection of the present invention. Therefore, the scope of protection of the present invention should be that defined by the claims.
Claims (11)
1. A method for processing duplication information, characterised by comprising:
When a pre-injected hook function detects a call to the kernel duplicate-object function, hooking the kernel duplicate-object function;
Monitoring whether the kernel duplicate-object function succeeds in duplicating the target process handle and, if so, judging whether the successfully duplicated target process handle matches any protected process handle in a pre-set protected process handle library;
If it matches, obtaining the process path information of the successfully duplicated target process handle and extracting the application to be verified that the process path information maps to;
If the extracted application to be verified is identical to any application to be intercepted in a pre-set library of applications to be intercepted, closing the successfully duplicated target process handle.
2. The method for processing duplication information according to claim 1, characterised in that judging whether the successfully duplicated target process handle matches any protected process handle in the pre-set protected process handle library includes:
Traversing the pre-set protected process handle library;
If any protected process handle in the protected process handle library is identical to the successfully duplicated target process handle, determining that the successfully duplicated target process handle matches a protected process handle in the pre-set protected process handle library;
If all protected process handles in the protected process handle library differ from the successfully duplicated target process handle, determining that the successfully duplicated target process handle does not match any protected process handle in the pre-set protected process handle library.
3. The method for processing duplication information according to claim 1, characterised in that obtaining the process path information of the successfully duplicated target process handle includes:
Obtaining the process path information using the kernel object of the successfully duplicated target process handle.
4. The method for processing duplication information according to claim 1, characterised in that the method further includes:
If the extracted application differs from every application to be intercepted in the pre-set library of applications to be intercepted, allowing the application to be verified to copy the successfully duplicated target process handle into the current process of the application to be verified.
5. The method for processing duplication information according to any one of claims 1 to 4, characterised in that, if the extracted application to be verified is identical to any application to be intercepted in the pre-set library of applications to be intercepted, before closing the successfully duplicated target process handle the method further includes:
Displaying the extracted application to be verified and prompting that the extracted application to be verified is about to write the successfully duplicated target process handle;
Receiving the instruction chosen by the user; if the instruction is an allow instruction, notifying the extracted application to be verified to write the successfully duplicated target process handle into the current process; if the instruction is a refusal instruction, executing the step of closing the successfully duplicated target process handle.
6. A device for processing duplication information, characterised by comprising a hooking module, a matching module, an application extraction module and a process handle processing module, wherein
The hooking module is used to hook the kernel duplicate-object function when a pre-injected hook function detects a call to the kernel duplicate-object function;
The matching module is used to monitor whether the kernel duplicate-object function succeeds in duplicating the target process handle and, if so, to judge whether the successfully duplicated target process handle matches any protected process handle in a pre-set protected process handle library;
The application extraction module is used, if there is a match, to obtain the process path information of the successfully duplicated target process handle and to extract the application to be verified that the process path information maps to;
The process handle processing module is used to close the successfully duplicated target process handle if the extracted application to be verified is identical to any application to be intercepted in a pre-set library of applications to be intercepted.
7. The device for processing duplication information according to claim 6, characterised in that the matching module includes a monitoring unit, a traversal unit and a matching unit, wherein
The monitoring unit is used to monitor whether the kernel duplicate-object function succeeds in duplicating the target process handle;
The traversal unit is used, if so, to traverse the pre-set protected process handle library;
The matching unit is used to determine that the successfully duplicated target process handle matches a protected process handle in the pre-set protected process handle library if any protected process handle in the library is identical to it, and to determine that the successfully duplicated target process handle does not match any protected process handle in the pre-set protected process handle library if all protected process handles in the library differ from it.
8. The device for processing duplication information according to claim 6, characterised in that the application extraction module includes a process path information acquisition unit and an application extraction unit, wherein
The process path information acquisition unit is used, if there is a match, to obtain the process path information using the kernel object of the successfully duplicated target process handle;
The application extraction unit is used to extract the application to be verified that the process path information maps to.
9. The device for processing duplication information according to claim 6, characterised in that the process handle processing module is further used, if the extracted application differs from every application to be intercepted in the pre-set library of applications to be intercepted, to allow the application to be verified to copy the successfully duplicated target process handle into the current process of the application to be verified.
10. The device for processing duplication information according to any one of claims 6 to 9, characterised in that the process handle processing module includes a match processing unit, a display unit, an instruction receiving unit, a writing unit and a process handle closing unit, wherein
The match processing unit is used to notify the display unit if the extracted application to be verified is identical to any application to be intercepted in the pre-set library of applications to be intercepted;
The display unit is used to display the extracted application to be verified and to prompt that the extracted application to be verified is about to write the successfully duplicated target process handle;
The instruction receiving unit is used to receive the instruction selected by the user and, if the instruction is an allow instruction, to notify the writing unit, or, if the instruction is a refusal instruction, to notify the refusal unit (the process handle closing unit);
The writing unit is used to allow the extracted application to be verified to write the successfully duplicated target process handle into the current process;
The process handle closing unit is used to close the successfully duplicated target process handle.
11. An electronic device, characterised in that the electronic device includes a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the following operations:
When a pre-injected hook function detects a call to the kernel duplicate-object function, hooking the kernel duplicate-object function;
Monitoring whether the kernel duplicate-object function succeeds in duplicating the target process handle and, if so, judging whether the successfully duplicated target process handle matches any protected process handle in a pre-set protected process handle library;
If it matches, obtaining the process path information of the successfully duplicated target process handle and extracting the application to be verified that the process path information maps to;
If the extracted application to be verified is identical to any application to be intercepted in a pre-set library of applications to be intercepted, closing the successfully duplicated target process handle.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610486393.0A CN106203077B (en) | 2016-06-28 | 2016-06-28 | A kind of processing method of Copy Info, device and electronic equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106203077A CN106203077A (en) | 2016-12-07 |
CN106203077B true CN106203077B (en) | 2019-06-07 |
Family
ID=57462153
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107194244A (en) * | 2017-04-13 | 2017-09-22 | 福建省天奕网络科技有限公司 | The guard method of VR game memory data and its system |
CN108446553B (en) * | 2018-03-22 | 2021-11-12 | 北京金山安全软件有限公司 | Process protection method and device and electronic equipment |
CN112395595B (en) * | 2019-08-15 | 2023-08-01 | 奇安信安全技术(珠海)有限公司 | Method and device for monitoring instruction execution sequence, storage medium and computer equipment |
CN111162990B (en) * | 2019-12-17 | 2023-05-09 | 上海掌门科技有限公司 | Method and equipment for presenting message notification |
CN112269521A (en) * | 2020-10-30 | 2021-01-26 | 维沃移动通信有限公司 | Data processing method and device and electronic equipment |
CN114462388A (en) * | 2022-02-11 | 2022-05-10 | 阿里巴巴(中国)有限公司 | Handle management or communication method, electronic device, storage medium, and program product |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102902919A (en) * | 2012-08-30 | 2013-01-30 | 北京奇虎科技有限公司 | Method, device and system for identifying and processing suspicious practices |
CN104217164A (en) * | 2014-09-11 | 2014-12-17 | 工业和信息化部电子第五研究所 | Method and device for detecting malicious software of intelligent mobile terminal |
CN105138901A (en) * | 2015-08-03 | 2015-12-09 | 浪潮电子信息产业股份有限公司 | White list-based cloud host active defense implementation method |
CN105184166A (en) * | 2015-10-21 | 2015-12-23 | 南京大学 | Kernel-based Android application real-time behavior analysis method and system |
CN105224862A (en) * | 2015-09-25 | 2016-01-06 | 北京北信源软件股份有限公司 | A kind of hold-up interception method of office shear plate and device |
CN105550585A (en) * | 2016-03-02 | 2016-05-04 | 腾讯科技(深圳)有限公司 | Application security testing method, device and system |
Also Published As
Publication number | Publication date |
---|---|
CN106203077A (en) | 2016-12-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106203077B (en) | | A kind of processing method of Copy Info, device and electronic equipment |
CN106201468B (en) | | A kind of processing method of screenshotss, device and electronic equipment |
CN105183307B (en) | | Application messages display control method and device |
CN105844146B (en) | | Method and device for protecting driver and electronic equipment |
CN104392175B (en) | | Cloud application attack processing method, apparatus and system in a kind of cloud computing system |
CN107306286A (en) | | The processing method and processing device of offline work attendance |
CN105844155B (en) | | Macro-virus searching and killing method and system |
Mažeika et al. | | Integrating security requirements engineering into MBSE: Profile and guidelines |
CN103577750A (en) | | Privacy authority management method and device |
CN106203092A (en) | | Method and device for intercepting shutdown of malicious program and electronic equipment |
CN104239797B (en) | | Active defense method and device |
CN106096034A (en) | | Application log management method and device |
US20190222585A1 (en) | | Artificial intelligence system and method for threat anticipation |
CN107466031A (en) | | A kind of method and terminal for protecting data |
CN104615662B (en) | | A kind of method, apparatus and terminal device handling data |
CN106682493B (en) | | A kind of method, apparatus for preventing process from maliciously being terminated and electronic equipment |
CN109241302A (en) | | A kind of comment authorization method, device and the terminal device of online course |
CN106127034B (en) | | A kind of method, apparatus that anti-locking system is maliciously closed and electronic equipment |
CN105389241B (en) | | The performance test methods and system of the anti-harassment instrument of mobile terminal |
Mateus-Coelho et al. | | Exploring cyber criminals and data privacy measures |
CN109905366A (en) | | Terminal device safe verification method, device, readable storage medium storing program for executing and terminal device |
CN110177369A (en) | | Intelligent communication monitoring method, device and computer readable storage medium |
CN106203119B (en) | | Hide processing method, device and the electronic equipment of cursor |
CN108520186A (en) | | Record screen method, mobile terminal and computer readable storage medium |
CN106169049B (en) | | A kind of method, apparatus and electronic equipment of the registration of processing thread |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | TA01 | Transfer of patent application right | Effective date of registration: 20190117. Address after: 519031 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province. Applicant after: Zhuhai Leopard Technology Co.,Ltd. Address before: 100085 East District, Second Floor, 33 Xiaoying West Road, Haidian District, Beijing. Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd. |
| | GR01 | Patent grant | |