CN106203077B - Processing method, device and electronic equipment for duplication information (Google Patents)

Info

Publication number: CN106203077B
Authority: CN (China)
Prior art keywords: duplication; process handle; handle; application program; library
Legal status: Active
Application number: CN201610486393.0A
Other languages: Chinese (zh)
Other versions: CN106203077A (en)
Inventor: 杨峰
Current Assignee: Zhuhai Baoqu Technology Co Ltd
Original Assignee: Zhuhai Seal Interest Technology Co Ltd

Events: application filed by Zhuhai Seal Interest Technology Co Ltd; priority to CN201610486393.0A; publication of CN106203077A; application granted; publication of CN106203077B; legal status active; anticipated expiration.

Classifications

    • G PHYSICS → G06 COMPUTING; CALCULATING OR COUNTING → G06F ELECTRIC DIGITAL DATA PROCESSING → G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity → G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems → G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G PHYSICS → G06 COMPUTING; CALCULATING OR COUNTING → G06F ELECTRIC DIGITAL DATA PROCESSING → G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity → G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems → G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)
  • Storage Device Security (AREA)

Abstract

Embodiments of the present invention disclose a method, device and electronic equipment for processing duplication information. They relate to information security technology and can improve the security protection efficiency of an operating system. The method includes: when a pre-injected hook function detects a call to the kernel handle duplication function, hooking the kernel handle duplication function; monitoring whether the kernel handle duplication function duplicates the target process handle successfully and, if so, judging whether the successfully duplicated target process handle matches any protected process handle in a preset protected process handle library; if it matches, obtaining the process path information of the successfully duplicated target process handle and extracting the application to be verified that the process path information maps to; and, if the extracted application to be verified is identical to any application to be intercepted in a preset library of applications to be intercepted, closing the successfully duplicated target process handle. The present invention is suitable for monitoring whether a target process handle is being illegally duplicated.

Description

Processing method, device and electronic equipment for duplication information
Technical field
The present invention relates to information security technology, and in particular to a method, device and electronic equipment for processing duplication information.
Background technique
As the technical details of the operating system kernel layer are gradually disclosed, more and more malicious applications such as Trojans have begun to use kernel-layer drivers to protect their own processes. A malicious application process protected by a kernel-layer driver can terminate (kill) other processes in the operating system, so that the malicious application's process can, following the intent of the malicious application's provider, attack user processes or system processes. This may cause unstable computer operation or even the leakage of user information, bringing large economic losses to the user. For example, in an operating system the graphics management process (the csrss.exe process) saves the handles of all processes, and a process can specify a target process handle in the handle copy function (the DuplicateHandle function) and thereby obtain a duplicate of the target process handle, which can then be used by other processes. In this way, the process of a malicious application can call the handle copy function to duplicate, from the graphics management process into its current process, the target process handle of the target application it wants to control; it thus indirectly obtains the target process handle and gains control over the target process corresponding to that handle, for example starting or terminating the target application that the target process maps to. Here, a process is a run-time activity of an application program in a computer over some set of data; it is the basic unit of resource allocation and scheduling in the Windows operating system and the basis of the Windows operating system's structure. In early process-oriented computer architectures the process was the basic execution entity of an application; in contemporary thread-oriented computer architectures the process is the container of threads. That is, an application program is a description of instructions, data and their organization, and a process is the entity of the application program.
Since the function in the operating system kernel that corresponds to the handle copy function (the DuplicateHandle function) is the kernel handle duplication function (the kernel NtDuplicateObject function), when an application-layer process (a program process) calls the handle copy function to duplicate a target process handle, the handle copy function must in turn call the kernel handle duplication function to complete the duplication. A malicious application can therefore exploit this principle and call the kernel handle duplication function directly to gain control over the target application, so that the security protection efficiency of the operating system is low and its security is not high.
Summary of the invention
In view of this, embodiments of the present invention provide a method, device and electronic equipment for processing duplication information that can improve the security protection efficiency of the operating system, so as to solve the problem that, in existing methods of processing duplication information, control of a target application can be obtained by calling the kernel handle duplication function directly, which makes the security protection efficiency of the operating system low.
In a first aspect, an embodiment of the present invention provides a method for processing duplication information, comprising:
when a pre-injected hook function detects a call to the kernel handle duplication function, hooking the kernel handle duplication function;
monitoring whether the kernel handle duplication function duplicates the target process handle successfully and, if so, judging whether the successfully duplicated target process handle matches any protected process handle in a preset protected process handle library;
if it matches, obtaining the process path information of the successfully duplicated target process handle and extracting the application to be verified that the process path information maps to;
if the extracted application to be verified is identical to any application to be intercepted in a preset library of applications to be intercepted, closing the successfully duplicated target process handle.
With reference to the first aspect, in a first embodiment of the first aspect, judging whether the successfully duplicated target process handle matches any protected process handle in the preset protected process handle library comprises:
traversing the preset protected process handle library;
if any protected process handle in the protected process handle library is identical to the successfully duplicated target process handle, determining that the successfully duplicated target process handle matches a protected process handle in the preset protected process handle library;
if all protected process handles in the protected process handle library differ from the successfully duplicated target process handle, determining that the successfully duplicated target process handle does not match any protected process handle in the preset protected process handle library.
With reference to the first aspect, in a second embodiment of the first aspect, obtaining the process path information of the successfully duplicated target process handle comprises:
obtaining the process path information by using the kernel object of the successfully duplicated target process handle.
With reference to the first aspect, in a third embodiment of the first aspect, the method further comprises:
if the extracted application differs from every application to be intercepted in the preset library of applications to be intercepted, allowing the application to be verified to copy the successfully duplicated target process handle into the current process of the application to be verified.
With reference to the first aspect or any of its first to third embodiments, in a fourth embodiment of the first aspect, after the extracted application to be verified is found to be identical to an application to be intercepted in the preset library of applications to be intercepted and before the successfully duplicated target process handle is closed, the method further comprises:
displaying the extracted application to be verified and prompting that the extracted application to be verified is about to write the successfully duplicated target process handle;
receiving the instruction chosen by the user; if the instruction is an allow instruction, notifying the extracted application to be verified to write the successfully duplicated target process handle into the current process; if the instruction is a refuse instruction, performing the step of closing the successfully duplicated target process handle.
In a second aspect, an embodiment of the present invention provides a device for processing duplication information, comprising a hook module, a matching module, an application extraction module and a process handle processing module, wherein:
the hook module is configured to hook the kernel handle duplication function when a pre-injected hook function detects a call to the kernel handle duplication function;
the matching module is configured to monitor whether the kernel handle duplication function duplicates the target process handle successfully and, if so, to judge whether the successfully duplicated target process handle matches any protected process handle in a preset protected process handle library;
the application extraction module is configured, if it matches, to obtain the process path information of the successfully duplicated target process handle and to extract the application to be verified that the process path information maps to;
the process handle processing module is configured to close the successfully duplicated target process handle if the extracted application to be verified is identical to any application to be intercepted in a preset library of applications to be intercepted.
With reference to the second aspect, in a first embodiment of the second aspect, the matching module comprises a monitoring unit, a traversal unit and a matching unit, wherein:
the monitoring unit is configured to monitor whether the kernel handle duplication function duplicates the target process handle successfully;
the traversal unit is configured, if so, to traverse the preset protected process handle library;
the matching unit is configured to determine that the successfully duplicated target process handle matches a protected process handle in the preset protected process handle library if any protected process handle in the library is identical to it, and to determine that the successfully duplicated target process handle does not match any protected process handle in the preset protected process handle library if all protected process handles in the library differ from it.
With reference to the second aspect, in a second embodiment of the second aspect, the application extraction module comprises a process path information acquisition unit and an application extraction unit, wherein:
the process path information acquisition unit is configured, if it matches, to obtain the process path information by using the kernel object of the successfully duplicated target process handle;
the application extraction unit is configured to extract the application to be verified that the process path information maps to.
With reference to the second aspect, in a third embodiment of the second aspect, the process handle processing module is further configured to allow the application to be verified to copy the successfully duplicated target process handle into the current process of the application to be verified if the extracted application differs from every application to be intercepted in the preset library of applications to be intercepted.
With reference to the second aspect or any of its first to third embodiments, in a fourth embodiment of the second aspect, the process handle processing module comprises a matching processing unit, a display unit, an instruction receiving unit, a writing unit and a process handle closing unit, wherein:
the matching processing unit is configured to notify the display unit if the extracted application to be verified is identical to any application to be intercepted in the preset library of applications to be intercepted;
the display unit is configured to display the extracted application to be verified and to prompt that the extracted application to be verified is about to write the successfully duplicated target process handle;
the instruction receiving unit is configured to receive the instruction selected by the user, to notify the writing unit if the instruction is an allow instruction, and to notify the process handle closing unit if the instruction is a refuse instruction;
the writing unit is configured to allow the extracted application to be verified to write the successfully duplicated target process handle into the current process;
the process handle closing unit is configured to close the successfully duplicated target process handle.
In a third aspect, an embodiment of the present invention provides electronic equipment comprising a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic equipment; the memory stores executable program code; and the processor, by reading the executable program code stored in the memory, runs the program corresponding to that code in order to perform the following operations:
when a pre-injected hook function detects a call to the kernel handle duplication function, hooking the kernel handle duplication function;
monitoring whether the kernel handle duplication function duplicates the target process handle successfully and, if so, judging whether the successfully duplicated target process handle matches any protected process handle in a preset protected process handle library;
if it matches, obtaining the process path information of the successfully duplicated target process handle and extracting the application to be verified that the process path information maps to;
if the extracted application to be verified is identical to any application to be intercepted in a preset library of applications to be intercepted, closing the successfully duplicated target process handle.
In a fourth aspect, an embodiment of the present invention further provides a storage medium for storing an application program, the application program being used to execute the method for processing duplication information provided by the embodiments of the present invention.
In a fifth aspect, an embodiment of the present invention further provides an application program for executing the method for processing duplication information provided by the embodiments of the present invention.
The method, device and electronic equipment for processing duplication information provided by the embodiments of the present invention hook the kernel handle duplication function when a pre-injected hook function detects a call to it; monitor whether the kernel handle duplication function duplicates the target process handle successfully and, if so, judge whether the successfully duplicated target process handle matches any protected process handle in a preset protected process handle library; if it matches, obtain the process path information of the successfully duplicated target process handle and extract the application to be verified that the process path information maps to; and, if the extracted application to be verified is identical to any application to be intercepted in a preset library of applications to be intercepted, close the successfully duplicated target process handle. This improves the security protection efficiency of the operating system and solves the problem that, in existing methods of processing duplication information, control of a target application can be obtained by calling the kernel handle duplication function directly, which makes the security protection efficiency of the operating system low.
Detailed description of the invention
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of the method for processing duplication information according to embodiment one of the present invention;
Fig. 2 is a structural diagram of the device for processing duplication information according to embodiment two of the present invention;
Fig. 3 is a structural schematic diagram of an embodiment of the electronic equipment of the present invention.
Specific embodiment
Embodiments of the present invention are described in detail below with reference to the drawings.
It should be understood that the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention, without creative effort, fall within the protection scope of the present invention.
Embodiment one
Fig. 1 is a flow diagram of the method for processing duplication information according to embodiment one of the present invention. As shown in Fig. 1, the method of this embodiment may comprise:
Step 101: when a pre-injected hook function detects a call to the kernel handle duplication function, hooking the kernel handle duplication function.
In this step, as an optional embodiment, the kernel handle duplication function comprises the kernel NtDuplicateObject function.
In this embodiment, as an optional embodiment, the hook function is located in the kernel layer of the operating system.
In embodiments of the present invention, the injected hook function is used to monitor the function-call operations of application-layer processes, i.e. of program processes located in the application layer. When a function called by an application-layer process matches any preset function, the called function is intercepted and diverted to the injected hook function for processing, and the corresponding processing result is returned.
As an optional embodiment, the hook function may be injected when the defence driver of a security application is loaded, where:
a hook function is a program code segment of the message-handling mechanism of the Windows operating system. A driver can set up such a code segment to monitor certain messages (operations) of a specified window, and the monitored window may have been created by another process. Through the hook mechanism, the Windows operating system links hook functions with priority control into the system, so that a hook function can capture messages or specific events sent by the Windows operating system: whenever a message or specific event is sent, the hook function captures it before it reaches the destination window, and may then process (modify) the message or event, leave it untouched and pass it on, or force the end of its delivery.
In embodiments of the present invention, a hook function injected into the defence driver hooks the kernel handle duplication function. If the application-layer process corresponding to an application sends a process handle duplication request to the operating system, the operating system creates a corresponding application-layer process according to the received request; when that application-layer process calls the kernel handle duplication function to duplicate the target process handle, the hook function of the embodiment of the present invention is called first and handles the call according to the hook function's interception rules.
In embodiments of the present invention, as an optional embodiment, the application-layer process is the process that the operating system creates according to a process handle duplication request when an application sends such a request to the operating system.
As an optional embodiment, the application-layer process calling the kernel handle duplication function comprises:
the application-layer process calling the kernel handle duplication function directly.
As another optional embodiment, the application-layer process calling the kernel handle duplication function comprises:
the application-layer process calling the handle copy function, and the handle copy function calling the kernel handle duplication function.
Step 102: monitoring whether the kernel handle duplication function duplicates the target process handle successfully and, if so, judging whether the successfully duplicated target process handle matches any protected process handle in the preset protected process handle library.
In embodiments of the present invention, after the kernel handle duplication function has been hooked, it is monitored: by traversing the process handles saved by the graphics management process, it is judged whether the kernel handle duplication function can find the target process handle among those process handles. If it can be found, the target process handle can be duplicated successfully; if it cannot be found, the procedure ends.
After the kernel handle duplication function has found the target process handle among the process handles saved by the graphics management process, it must be determined whether the found target process handle is a process handle that needs protection. If not, the kernel handle duplication function may be allowed to copy the target process handle into the current process that called it, so that the target process or target application corresponding to the target process handle can be controlled. If the found target process handle is a process handle that needs protection, it is handled according to the method of this embodiment.
In this embodiment, as an optional embodiment, judging whether the successfully duplicated target process handle matches any protected process handle in the preset protected process handle library comprises:
traversing the preset protected process handle library;
if any protected process handle in the protected process handle library is identical to the successfully duplicated target process handle, determining that the successfully duplicated target process handle matches a protected process handle in the preset protected process handle library;
if all protected process handles in the protected process handle library differ from the successfully duplicated target process handle, determining that the successfully duplicated target process handle does not match any protected process handle in the preset protected process handle library.
In this embodiment, as an optional embodiment, the protected process handle library may be configured according to the user security and operating system security that need to be protected.
Step 103: if it matches, obtaining the process path information of the successfully duplicated target process handle and extracting the application to be verified that the process path information maps to.
In this step, as an optional embodiment, obtaining the process path information of the successfully duplicated target process handle comprises:
obtaining the process path information by using the kernel object of the successfully duplicated target process handle.
In embodiments of the present invention, by obtaining the process path information of the successfully duplicated target process handle, the application that sent the process handle duplication request in order to duplicate the process handle can be learned, so that it can be judged from the identified application whether it is a malicious application.
Step 104: if the extracted application to be verified is identical to any application to be intercepted in the preset library of applications to be intercepted, closing the successfully duplicated target process handle.
In this embodiment, closing the successfully duplicated target process handle achieves the purpose of refusing the application to be verified's call to the kernel handle duplication function.
In this embodiment, the extracted application to be verified is searched for and matched in the library of applications to be intercepted, to judge whether the application corresponding to the application-layer process that called the kernel handle duplication function is an application to be intercepted. If it differs from every application to be intercepted in the preset library of applications to be intercepted, it can be determined that the application that initiated the process handle duplication request is a normal application, and normal duplication of the target process handle proceeds.
Thus, as an optional embodiment, the method may further comprise:
if the extracted application differs from every application to be intercepted in the preset library of applications to be intercepted, allowing the application to be verified to copy the successfully duplicated target process handle into the current process of the application to be verified.
In this embodiment, the current process is the process of the application that initiated the call to the kernel handle duplication function.
In this embodiment, if the extracted application is identical to any application to be intercepted in the preset library of applications to be intercepted, the application-layer process corresponding to the application to be verified is considered a malicious application process and is intercepted: the successfully duplicated target process handle is closed, this operation is terminated, and a refusal is returned, so that the application's process handle duplication request is refused and the application's request to duplicate the process handle fails.
For example, there are an application program A in consumer electronic devices, it is assumed that by the anti-of a certain security application Hook Function is injected in imperial driving, hooks and replicates object function to the kernel handler of executive process handle duplication, in this way, when answering The corresponding driver application of the application program is notified to call kernel handler duplication object function with the process of program A, to multiple When making corresponding process handle, the Hook Function being infused in the defence driving of a certain security application is successful to the duplication The process path information of process handle is judged, if the corresponding application matches of process path information wait intercepting using journey Sequence library returns to refusal, the process handle of duplication is written in current process so that application program A can not achieve, thus more preferably The safety of ground lifting operating system.
In the embodiment of the present invention, as an alternative embodiment, application library to be intercepted can be existed by related technical personnel For network server by the analysis run to each application program, choosing to cause potential security threat to user information automatically Application program forms application library to be intercepted, and the application library to be intercepted of formation is issued to each electronic equipment, electronics Equipment receives the application library to be intercepted that network server issues and is saved.It certainly, can also be by user in practical application Application library to be intercepted is being locally located, the embodiment of the present invention is not construed as limiting this.
As another alternative embodiment, if the library of applications to be intercepted is set locally by the user, the method may further include:
reporting the application program information corresponding to the closed, successfully duplicated target process handle to a preset network server.
In this step, the relevant information of the application program corresponding to the closed, successfully duplicated target process handle is reported, either by user setting or automatically by the operating system, so that the network server can count the application program information reported by each electronic device, determine from the statistics which application programs are malicious, and set a risk prompt for each malicious application so that the corresponding risk is prompted when a user downloads it; for example, prompting that the application program can automatically call the kernel handle-duplication object function to duplicate process handles, enabling the user to consider carefully whether to download the application, so as to avoid bringing security risks to the electronic device.
As an alternative embodiment, after the extracted application program to be verified is found to be identical to any application program to be intercepted in the preset library of applications to be intercepted, and before the successfully duplicated target process handle is closed, the method further includes:
displaying the extracted application program to be verified, and prompting that the extracted application program to be verified will write the successfully duplicated target process handle;
receiving the instruction chosen by the user; if the instruction is an allow instruction, notifying the extracted application program to be verified to write the successfully duplicated target process handle into the current process; if the instruction is a refuse instruction, executing the step of closing the successfully duplicated target process handle.
From the foregoing it can be seen that, in the processing method for duplication information of the embodiment of the present invention, when the previously injected hook function detects a call to the kernel handle-duplication object function, that function is hooked; whether the kernel handle-duplication object function successfully duplicated the target process handle is monitored and, if so, it is judged whether the successfully duplicated target process handle matches any protected process handle in the preset protected-process-handle library; if it matches, the process path information of the successfully duplicated target process handle is obtained and the application program to be verified mapped by that path information is extracted; if the extracted application program to be verified is identical to any application program to be intercepted in the preset library of applications to be intercepted, the successfully duplicated target process handle is closed. In this way, by hooking the kernel handle-duplication object function, when an application program calls it to duplicate a process handle, the behaviour of writing the successfully duplicated process handle into the current process can be intercepted in time, protecting the operating system from being damaged, thereby better protecting the operating system, improving its security-protection efficiency and enhancing its security.
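The decision flow summarised above (duplication succeeded? target handle in the protected library? caller's image path in the intercept library? optional user prompt? close or allow), written out as an added C example. This is not the patent's code and not a kernel driver; it models the post-call hook logic in user mode so the policy can be exercised on constructed events. The structures, the sample PIDs and image paths, and the fail-closed choice when the path cannot be resolved are all assumptions made for illustration; the path is taken to be that of the requesting application-layer process, which is how the text describes the check.

```c
/* Added example: user-mode model of the hook's decision logic. All names,
 * structures and sample data are constructed for illustration. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Verdict the hook returns after the original duplication call completes. */
enum dup_verdict { DUP_ALLOW = 0, DUP_DENY = 1, DUP_NOT_APPLICABLE = 2 };

/* One duplication event as the hook sees it (constructed model). */
struct dup_event {
    bool        succeeded;          /* did the original duplication succeed? */
    unsigned    target_pid;         /* process the duplicated handle refers to */
    const char *caller_image_path;  /* image path of the requesting process, or NULL */
};

/* "Protection process handle library": PIDs of processes whose handles must
 * not be handed out freely (e.g. the security product's own service). */
struct protected_lib { const unsigned *pids; size_t count; };

/* "Application library to be intercepted": image paths that are denied
 * duplicated handles to protected processes. */
struct intercept_lib { const char *const *paths; size_t count; };

/* NT image paths are case-insensitive; an exact-case compare would let
 * "\EVIL.EXE" slip past a list entry spelled "\evil.exe". */
static bool path_equal_ci(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

static bool is_protected_pid(const struct protected_lib *lib, unsigned pid)
{
    for (size_t i = 0; i < lib->count; i++)
        if (lib->pids[i] == pid) return true;
    return false;
}

static bool is_intercepted_path(const struct intercept_lib *lib, const char *path)
{
    for (size_t i = 0; i < lib->count; i++)
        if (path_equal_ci(lib->paths[i], path)) return true;
    return false;
}

/* Optional consent callback standing in for the "display and prompt" step.
 * Returns true to allow; NULL means no prompt, matching callers are denied. */
typedef bool (*consent_fn)(const char *image_path, unsigned target_pid);

/* Core decision: DUP_DENY means close the duplicated handle before the caller
 * receives it; DUP_ALLOW means it may be written into the caller's process. */
enum dup_verdict decide_duplication(const struct dup_event *ev,
                                    const struct protected_lib *prot,
                                    const struct intercept_lib *icpt,
                                    consent_fn ask_user)
{
    if (!ev->succeeded)
        return DUP_NOT_APPLICABLE;   /* nothing was duplicated; stop here */
    if (!is_protected_pid(prot, ev->target_pid))
        return DUP_ALLOW;            /* target is not a protected process */
    if (ev->caller_image_path == NULL)
        return DUP_DENY;             /* assumption: fail closed if path lookup fails */
    if (!is_intercepted_path(icpt, ev->caller_image_path))
        return DUP_ALLOW;            /* normal application, normal duplication */
    if (ask_user != NULL && ask_user(ev->caller_image_path, ev->target_pid))
        return DUP_ALLOW;            /* user chose "allow" at the prompt */
    return DUP_DENY;                 /* close the duplicated handle */
}

/* Constructed sample libraries (not from the patent). */
static const unsigned sample_protected_pids[] = { 4242, 1337 };
static const struct protected_lib sample_protected = { sample_protected_pids, 2 };
static const char *const sample_intercept_paths[] = {
    "\\Device\\HarddiskVolume1\\Users\\demo\\evil.exe",
    "\\Device\\HarddiskVolume1\\Temp\\dumper.exe",
};
static const struct intercept_lib sample_intercept = { sample_intercept_paths, 2 };

/* Consent callback that always allows, used to exercise the prompt path. */
static bool consent_allow(const char *p, unsigned pid) { (void)p; (void)pid; return true; }

/* Runs a single event against the sample libraries. */
enum dup_verdict sample_verdict(bool succeeded, unsigned target_pid,
                                const char *caller_path, consent_fn ask_user)
{
    struct dup_event ev = { succeeded, target_pid, caller_path };
    return decide_duplication(&ev, &sample_protected, &sample_intercept, ask_user);
}

int main(void)
{
    static const char *names[] = { "ALLOW", "DENY", "NOT_APPLICABLE" };
    printf("benign caller -> %s\n", names[sample_verdict(true, 4242,
           "\\Device\\HarddiskVolume1\\Windows\\System32\\notepad.exe", NULL)]);
    printf("listed caller -> %s\n", names[sample_verdict(true, 4242,
           "\\DEVICE\\HARDDISKVOLUME1\\USERS\\DEMO\\EVIL.EXE", NULL)]);
    return 0;
}
```

Two points a practitioner would want noted: on current Windows versions the supported way to see handle duplications in a driver is the object-manager callback registered with ObRegisterCallbacks (operation type OB_OPERATION_HANDLE_DUPLICATE), which lets the callback strip access rights before the handle is returned, rather than patching NtDuplicateObject as the patent's wording suggests; and the decision must key on the kernel object of the target process rather than on a caller-supplied path string, since the requesting process controls what it presents to user mode but not what the kernel object records.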
Embodiment two
Fig. 2 is a structural diagram of the processing device for duplication information of embodiment two of the present invention. As shown in Fig. 2, the device of this embodiment may include: a hooking module 21, a matching module 22, an application program extraction module 23 and a process handle processing module 24, wherein
the hooking module 21 is configured to hook the kernel handle-duplication object function when the previously injected hook function detects a call to the kernel handle-duplication object function;
In this embodiment, as an alternative embodiment, the kernel handle-duplication object function is the kernel NtDuplicateObject function.
In this embodiment, as an alternative embodiment, the hook function is located in the kernel layer of the operating system.
As an alternative embodiment, the hook function may be injected when the defense driver of the security application loads.
In the embodiment of the present invention, as an alternative embodiment, the application-layer process is the process that the operating system creates according to a process handle duplication request when an application program sends that request to the operating system.
As an alternative embodiment, calling the kernel handle-duplication object function includes:
the application-layer process calling the kernel handle-duplication object function directly; or
the application-layer process calling a handle copy function, which in turn calls the kernel handle-duplication object function.
the matching module 22 is configured to monitor whether the kernel handle-duplication object function successfully duplicated the target process handle and, if so, to judge whether the successfully duplicated target process handle matches any protected process handle in the preset protected-process-handle library;
In the embodiment of the present invention, after the kernel handle-duplication object function is hooked, it is monitored: the process handles saved by the graphics management process are traversed to judge whether the target process handle can be found among them; if it can be found, this shows that the target process handle was successfully duplicated; if it cannot be found, the process terminates.
In this embodiment, as an alternative embodiment, the matching module 22 includes: a monitoring unit, a traversal unit and a matching unit (not shown), wherein
the monitoring unit is configured to monitor whether the kernel handle-duplication object function successfully duplicated the target process handle;
the traversal unit is configured to traverse the preset protected-process-handle library if so;
the matching unit is configured to determine that the successfully duplicated target process handle matches a protected process handle in the preset protected-process-handle library if any protected process handle in that library is identical to the successfully duplicated target process handle, and to determine that the successfully duplicated target process handle matches none of the protected process handles in the preset protected-process-handle library if all protected process handles in that library differ from the successfully duplicated target process handle.
the application program extraction module 23 is configured to obtain, if there is a match, the process path information of the successfully duplicated target process handle and to extract the application program to be verified mapped by the process path information;
In this embodiment, as an alternative embodiment, the application program extraction module 23 includes: a process path information acquisition unit and an application program extraction unit (not shown), wherein
the process path information acquisition unit is configured to obtain, if there is a match, the process path information using the kernel object of the successfully duplicated target process handle;
the application program extraction unit is configured to extract the application program to be verified mapped by the process path information.
the process handle processing module 24 is configured to close the successfully duplicated target process handle if the extracted application program to be verified is identical to any application program to be intercepted in the preset library of applications to be intercepted.
In this embodiment, closing the successfully duplicated target process handle achieves the purpose of refusing the application program's call to the kernel handle-duplication object function. That is, in this embodiment, if the extracted application program is identical to any application program to be intercepted in the preset library of applications to be intercepted, the application-layer process is regarded as a malicious application process and is intercepted: the successfully duplicated target process handle is closed, the operation is terminated, and a refusal is returned, so that the process handle duplication request of that application program is refused and its request to duplicate the process handle fails.
In this embodiment, as an alternative embodiment, the process handle processing module 24 includes: a matching processing unit, a display unit, an instruction receiving unit, a writing unit and a process handle closing unit (not shown), wherein
the matching processing unit is configured to notify the display unit if the extracted application program to be verified is identical to any application program to be intercepted in the preset library of applications to be intercepted;
the display unit is configured to display the extracted application program to be verified and to prompt that the extracted application program to be verified will write the successfully duplicated target process handle;
the instruction receiving unit is configured to receive the instruction selected by the user, and to notify the writing unit if the instruction is an allow instruction, or to notify the process handle closing unit if the instruction is a refuse instruction;
the writing unit is configured to allow the extracted application program to be verified to write the successfully duplicated target process handle into the current process;
the process handle closing unit is configured to close the successfully duplicated target process handle.
In this embodiment, as an alternative embodiment, the process handle processing module 24 is further configured to allow (or notify) the application program to be verified to copy the successfully duplicated target process handle into the current process of the application program to be verified, if the extracted application program differs from every application program to be intercepted in the preset library of applications to be intercepted.
In this embodiment, the extracted application program to be verified is looked up in the library of applications to be intercepted to judge whether the application program corresponding to the application-layer process that called the kernel handle-duplication object function is an application to be intercepted; if it is not identical to any application program to be intercepted in the preset library, the application program that initiated the process handle duplication request can be determined to be a normal application, and normal target process handle duplication proceeds.
In this embodiment, as yet another alternative embodiment, the process handle processing module 24 may further be configured to report the information of the closed, successfully duplicated target process handle to a preset network server.
The device of this embodiment may be used to execute the technical solution of the method embodiment shown in Fig. 1; its implementation principle and technical effect are similar and are not described again here.
It should be noted that, in this document, relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes that element.
Each embodiment in this specification is described in a progressive manner; the same or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the other embodiments.
As for the device embodiment, since it is substantially similar to the method embodiment, its description is relatively simple; for the relevant parts refer to the corresponding explanation in the method embodiment.
The logic and/or steps expressed in the flow charts or otherwise described herein may be regarded, for example, as an ordered list of executable instructions for implementing logical functions, and may be embodied in any computer-readable medium for use by, or in connection with, an instruction execution system, device or apparatus (such as a computer-based system, a system including a processor, or another system that can fetch instructions from the instruction execution system, device or apparatus and execute them). For the purposes of this specification, a "computer-readable medium" may be any apparatus that can contain, store, communicate, propagate or transmit a program for use by, or in connection with, an instruction execution system, device or apparatus. More specific examples (a non-exhaustive list) of the computer-readable medium include: an electrical connection with one or more wires (an electronic device), a portable computer diskette (a magnetic device), a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fibre device, and a portable compact disc read-only memory (CDROM). In addition, the computer-readable medium may even be paper or another suitable medium on which the program can be printed, since the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or otherwise processing it as necessary, and then stored in a computer memory.
It should be appreciated that each part of the present invention may be realised in hardware, software, firmware or a combination thereof.
In the embodiments described above, multiple steps or methods may be realised by software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if realised in hardware, as in another embodiment, any one of the following techniques well known in the art, or a combination thereof, may be used: discrete logic circuits having logic gate circuits for realising logic functions on data signals, application-specific integrated circuits having suitable combinational logic gate circuits, programmable gate arrays (PGA), field programmable gate arrays (FPGA), and so on.
The embodiment of the present invention also provides an electronic device, which includes the device described in any of the foregoing embodiments.
Fig. 3 is a structural schematic diagram of an embodiment of the electronic device of the present invention, which can realise the procedure of the embodiments shown in Figs. 1 and 2 of the present invention. As shown in Fig. 3, the electronic device may include: a housing 31, a processor 32, a memory 33, a circuit board 34 and a power supply circuit 35, wherein the circuit board 34 is placed inside the space enclosed by the housing 31, and the processor 32 and the memory 33 are arranged on the circuit board 34; the power supply circuit 35 supplies power to each circuit or device of the electronic device; the memory 33 stores executable program code; and the processor 32 runs a program corresponding to the executable program code by reading the executable program code stored in the memory 33, so as to perform the following operations:
when the previously injected hook function detects a call to the kernel handle-duplication object function, hooking the kernel handle-duplication object function;
monitoring whether the kernel handle-duplication object function successfully duplicates the target process handle and, if so, judging whether the successfully duplicated target process handle matches any protected process handle in the preset protected-process-handle library;
if it matches, obtaining the process path information of the successfully duplicated target process handle, and extracting the application program to be verified mapped by the process path information;
if the extracted application program to be verified is identical to any application program to be intercepted in the preset library of applications to be intercepted, closing the successfully duplicated target process handle.
For the specific execution of the above steps by the processor 32, and the further steps the processor 32 performs by running the executable program code, refer to the description of the embodiments shown in Figs. 1 and 2 of the present invention; they are not described again here.
The electronic device exists in a variety of forms, including but not limited to:
(1) mobile communication devices: such devices are characterised by mobile communication functions, with voice and data communication as their main purpose. This type of terminal includes smart phones (such as the iPhone), multimedia phones, feature phones and low-end phones.
(2) ultra-mobile personal computer devices: such devices belong to the category of personal computers, have computing and processing functions, and generally also have mobile Internet access. This type of terminal includes PDA, MID and UMPC devices, such as the iPad.
(3) portable entertainment devices: such devices can display and play multimedia content. This type includes audio and video players (such as the iPod), handheld game consoles, e-book readers, smart toys and portable in-vehicle navigation devices.
(4) servers: devices that provide computing services. A server consists of a processor, hard disk, memory, system bus and so on; its architecture is similar to that of a general-purpose computer, but since it must provide highly reliable services it has higher requirements in processing capability, stability, reliability, security, scalability and manageability.
(5) other electronic devices with data interaction functions.
The embodiment of the present invention also provides a storage medium for storing an application program, the application program being used to execute the processing method for duplication information provided by the embodiment of the present invention.
The embodiment of the present invention also provides an application program for executing the processing method for duplication information provided by the embodiment of the present invention.
Those skilled in the art will understand that all or part of the steps of the method of the above embodiments may be completed by instructing relevant hardware through a program; the program may be stored in a computer-readable storage medium and, when executed, includes one of the steps of the method embodiment or a combination thereof.
For convenience of description, the device above is described as divided into various units or modules by function. Of course, when implementing the present invention, the functions of the units or modules may be realised in the same piece or in multiple pieces of software and/or hardware.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention may be realised by means of software plus a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product; the computer software product may be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the method described in each embodiment, or in certain parts of the embodiments, of the present invention.
The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto; any change or substitution that a person familiar with the technical field could readily think of within the technical scope disclosed by the present invention shall be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the claims.

Claims (11)

1. A processing method for duplication information, characterised by comprising:
when a previously injected hook function detects a call to a kernel handle-duplication object function, hooking the kernel handle-duplication object function;
monitoring whether the kernel handle-duplication object function successfully duplicates a target process handle and, if so, judging whether the successfully duplicated target process handle matches any protected process handle in a preset protected-process-handle library;
if it matches, obtaining process path information of the successfully duplicated target process handle, and extracting the application program to be verified mapped by the process path information;
if the extracted application program to be verified is identical to any application program to be intercepted in a preset library of applications to be intercepted, closing the successfully duplicated target process handle.
2. The processing method for duplication information according to claim 1, characterised in that judging whether the successfully duplicated target process handle matches any protected process handle in the preset protected-process-handle library comprises:
traversing the preset protected-process-handle library;
if any protected process handle in the protected-process-handle library is identical to the successfully duplicated target process handle, determining that the successfully duplicated target process handle matches a protected process handle in the preset protected-process-handle library;
if all protected process handles in the protected-process-handle library differ from the successfully duplicated target process handle, determining that the successfully duplicated target process handle matches none of the protected process handles in the preset protected-process-handle library.
3. The processing method for duplication information according to claim 1, characterised in that obtaining the process path information of the successfully duplicated target process handle comprises:
obtaining the process path information using the kernel object of the successfully duplicated target process handle.
4. The processing method for duplication information according to claim 1, characterised in that the method further comprises:
if the extracted application program differs from every application program to be intercepted in the preset library of applications to be intercepted, allowing the application program to be verified to copy the successfully duplicated target process handle into the current process of the application program to be verified.
5. The processing method for duplication information according to any one of claims 1 to 4, characterised in that, after the extracted application program to be verified is found to be identical to any application program to be intercepted in the preset library of applications to be intercepted and before the successfully duplicated target process handle is closed, the method further comprises:
displaying the extracted application program to be verified, and prompting that the extracted application program to be verified will write the successfully duplicated target process handle;
receiving the instruction chosen by the user; if the instruction is an allow instruction, notifying the extracted application program to be verified to write the successfully duplicated target process handle into the current process; if the instruction is a refuse instruction, executing the step of closing the successfully duplicated target process handle.
6. A processing device for duplication information, characterised by comprising: a hooking module, a matching module, an application program extraction module and a process handle processing module, wherein
the hooking module is configured to hook the kernel handle-duplication object function when a previously injected hook function detects a call to the kernel handle-duplication object function;
the matching module is configured to monitor whether the kernel handle-duplication object function successfully duplicates a target process handle and, if so, to judge whether the successfully duplicated target process handle matches any protected process handle in a preset protected-process-handle library;
the application program extraction module is configured to obtain, if there is a match, process path information of the successfully duplicated target process handle and to extract the application program to be verified mapped by the process path information;
the process handle processing module is configured to close the successfully duplicated target process handle if the extracted application program to be verified is identical to any application program to be intercepted in a preset library of applications to be intercepted.
7. The processing device for duplication information according to claim 6, characterised in that the matching module comprises: a monitoring unit, a traversal unit and a matching unit, wherein
the monitoring unit is configured to monitor whether the kernel handle-duplication object function successfully duplicates the target process handle;
the traversal unit is configured to traverse the preset protected-process-handle library if so;
the matching unit is configured to determine that the successfully duplicated target process handle matches a protected process handle in the preset protected-process-handle library if any protected process handle in that library is identical to the successfully duplicated target process handle, and to determine that the successfully duplicated target process handle matches none of the protected process handles in the preset protected-process-handle library if all protected process handles in that library differ from the successfully duplicated target process handle.
8. The processing device for duplication information according to claim 6, characterised in that the application program extraction module comprises: a process path information acquisition unit and an application program extraction unit, wherein
the process path information acquisition unit is configured to obtain, if there is a match, the process path information using the kernel object of the successfully duplicated target process handle;
the application program extraction unit is configured to extract the application program to be verified mapped by the process path information.
9. The processing device for duplication information according to claim 6, characterised in that the process handle processing module is further configured to allow the application program to be verified to copy the successfully duplicated target process handle into the current process of the application program to be verified, if the extracted application program differs from every application program to be intercepted in the preset library of applications to be intercepted.
10. The processing device for duplication information according to any one of claims 6 to 9, characterised in that the process handle processing module comprises: a matching processing unit, a display unit, an instruction receiving unit, a writing unit and a process handle closing unit, wherein
the matching processing unit is configured to notify the display unit if the extracted application program to be verified is identical to any application program to be intercepted in the preset library of applications to be intercepted;
the display unit is configured to display the extracted application program to be verified and to prompt that the extracted application program to be verified will write the successfully duplicated target process handle;
the instruction receiving unit is configured to receive the instruction selected by the user, and to notify the writing unit if the instruction is an allow instruction, or to notify the process handle closing unit if the instruction is a refuse instruction;
the writing unit is configured to allow the extracted application program to be verified to write the successfully duplicated target process handle into the current process;
the process handle closing unit is configured to close the successfully duplicated target process handle.
11. An electronic device, characterised in that the electronic device comprises: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the following operations:
when a previously injected hook function detects a call to a kernel handle-duplication object function, hooking the kernel handle-duplication object function;
monitoring whether the kernel handle-duplication object function successfully duplicates a target process handle and, if so, judging whether the successfully duplicated target process handle matches any protected process handle in a preset protected-process-handle library;
if it matches, obtaining process path information of the successfully duplicated target process handle, and extracting the application program to be verified mapped by the process path information;
if the extracted application program to be verified is identical to any application program to be intercepted in a preset library of applications to be intercepted, closing the successfully duplicated target process handle.
CN201610486393.0A 2016-06-28 2016-06-28 A kind of processing method of Copy Info, device and electronic equipment Active CN106203077B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610486393.0A CN106203077B (en) 2016-06-28 2016-06-28 A kind of processing method of Copy Info, device and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610486393.0A CN106203077B (en) 2016-06-28 2016-06-28 A kind of processing method of Copy Info, device and electronic equipment

Publications (2)

Publication Number Publication Date
CN106203077A CN106203077A (en) 2016-12-07
CN106203077B true CN106203077B (en) 2019-06-07

Family

ID=57462153

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610486393.0A Active CN106203077B (en) 2016-06-28 2016-06-28 A kind of processing method of Copy Info, device and electronic equipment

Country Status (1)

Country Link
CN (1) CN106203077B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107194244A (en) * 2017-04-13 2017-09-22 福建省天奕网络科技有限公司 The guard method of VR game memory data and its system
CN108446553B (en) * 2018-03-22 2021-11-12 北京金山安全软件有限公司 Process protection method and device and electronic equipment
CN112395595B (en) * 2019-08-15 2023-08-01 奇安信安全技术(珠海)有限公司 Method and device for monitoring instruction execution sequence, storage medium and computer equipment
CN111162990B (en) * 2019-12-17 2023-05-09 上海掌门科技有限公司 Method and equipment for presenting message notification
CN112269521A (en) * 2020-10-30 2021-01-26 维沃移动通信有限公司 Data processing method and device and electronic equipment
CN114462388A (en) * 2022-02-11 2022-05-10 阿里巴巴(中国)有限公司 Handle management or communication method, electronic device, storage medium, and program product

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102902919A (en) * 2012-08-30 2013-01-30 北京奇虎科技有限公司 Method, device and system for identifying and processing suspicious practices
CN104217164A (en) * 2014-09-11 2014-12-17 工业和信息化部电子第五研究所 Method and device for detecting malicious software of intelligent mobile terminal
CN105138901A (en) * 2015-08-03 2015-12-09 浪潮电子信息产业股份有限公司 White list-based cloud host active defense implementation method
CN105184166A (en) * 2015-10-21 2015-12-23 南京大学 Kernel-based Android application real-time behavior analysis method and system
CN105224862A (en) * 2015-09-25 2016-01-06 北京北信源软件股份有限公司 A kind of hold-up interception method of office shear plate and device
CN105550585A (en) * 2016-03-02 2016-05-04 腾讯科技(深圳)有限公司 Application security testing method, device and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20190117

Address after: 519031 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province

Applicant after: Zhuhai Leopard Technology Co.,Ltd.

Address before: 100085 East District, Second Floor, 33 Xiaoying West Road, Haidian District, Beijing

Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.

GR01 Patent grant