CN106203093A - Process protection method and device and terminal - Google Patents

Publication number
CN106203093A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610513099.4A
Other languages
Chinese (zh)
Inventor
李文靖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhuhai Baoqu Technology Co Ltd
Original Assignee
Beijing Kingsoft Internet Security Software Co Ltd
Application filed by Beijing Kingsoft Internet Security Software Co Ltd filed Critical Beijing Kingsoft Internet Security Software Co Ltd
Priority to CN201610513099.4A priority Critical patent/CN106203093A/en
Publication of CN106203093A publication Critical patent/CN106203093A/en
Pending legal-status Critical Current

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a process protection method, a process protection device and a terminal. The method comprises the following steps: creating a hook function, wherein the hook function comprises a first parameter and a second parameter, the first parameter is used for storing the process handle of a process, and the second parameter is used for storing the data that sets the process attribute; replacing, in the System Service Descriptor Table (SSDT), the original function address of the kernel function for setting process attributes with the function address of the hook function; judging, according to the first parameter and the second parameter, whether the current system meets the process protection condition; and, if the current system meets the process protection condition, intercepting the attribute setting on the target process through the hook function. Process protection is achieved by intercepting the function that sets process attributes, so that a target process, such as the process of a security component in a terminal system, is protected, the defensive capability of the target process is improved, and the security of the user terminal and the system is better protected.

Description

Process protection method, device and terminal
Technical Field
The present invention relates to the field of security technology, and in particular to a process protection method, device and terminal.
Background
With the rapid development of Internet technology, malicious programs such as viruses and Trojan horses emerge in an endless stream. Some malicious programs use special code to attack the security software on a terminal system, for example by terminating the process of that security software, so that the security software can no longer protect the terminal once its process has been terminated, and the security environment of the terminal system is destroyed. How to effectively intercept a malicious program's attempt to terminate a target process, and thereby protect the target process, has therefore become an urgent problem.
Summary of the Invention
The present invention aims to solve, at least to some extent, one of the above technical problems.
To this end, a first object of the present invention is to propose a process protection method. The method achieves process protection by intercepting the function that sets process attributes, which helps protect a target process, such as the process of a security component in the terminal system, improves the defensive capability of the target process, and helps protect the security of the user terminal and the system.
A second object of the present invention is to propose a process protection device.
A third object of the present invention is to propose a terminal.
A fourth object of the present invention is to propose another terminal.
To achieve the above objects, the process protection method of an embodiment of the first aspect of the present invention includes: creating a hook function, wherein the hook function has a first parameter and a second parameter, the first parameter holding the process handle of a process and the second parameter holding the data that sets the process attribute; replacing, in the System Service Descriptor Table (SSDT), the original function address of the kernel function for setting process attributes with the function address of the hook function; judging, according to the first parameter and the second parameter, whether the current system meets a process protection condition; and, if the current system meets the process protection condition, intercepting the attribute setting on the target process through the hook function.
According to the process protection method of the embodiments of the present invention, a hook function is first created, the hook function having a first parameter and a second parameter, where the first parameter holds the process handle of a process and the second parameter holds the data that sets the process attribute; the original function address of the kernel function for setting process attributes in the SSDT is replaced with the function address of the hook function; whether the current system meets the process protection condition is then judged according to the first parameter and the second parameter; and, if it does, the attribute setting on the target process is intercepted through the hook function. That is, hooking the kernel function precisely intercepts malicious attempts to set the attributes of the target process, which avoids the problem of the target process exiting because its memory is inaccessible. In terms of process protection, intercepting the function that sets process attributes achieves the purpose of process protection, which helps protect a target process, such as the process of a security component in the terminal system, improves the defensive capability of the target process, and helps protect the security of the user terminal and the system.
According to one embodiment of the present invention, judging whether the current system meets the process protection condition according to the first parameter and the second parameter includes: judging whether the process corresponding to the process handle in the first parameter is the target process; if the process corresponding to the process handle in the first parameter is the target process, further judging whether the parameter value in the second parameter that corresponds to the target process is a predetermined threshold; and, if the parameter value in the second parameter that corresponds to the target process is the predetermined threshold, judging that the current system meets the process protection condition.
According to one embodiment of the present invention, the method further includes: if the process corresponding to the process handle in the first parameter is not the target process, or the parameter value in the second parameter that corresponds to the target process is not the predetermined threshold, judging that the current system does not meet the process protection condition.
According to one embodiment of the present invention, judging whether the process corresponding to the process handle in the first parameter is the target process includes: obtaining the corresponding process path according to the process handle in the first parameter; matching whether the corresponding process path contains the target process; and, if it does, judging that the process corresponding to the process handle is the target process.
In one embodiment of the present invention, the predetermined threshold indicates the inaccessible (no-access) permission attribute of a process.
According to one embodiment of the present invention, intercepting the attribute setting on the target process through the hook function includes: generating access-denied information through the hook function, and exiting execution of the hook function according to the access-denied information.
According to one embodiment of the present invention, before the original function address of the kernel function for setting process attributes in the SSDT is replaced with the function address of the hook function, the method further includes: obtaining from the SSDT the original function address of the kernel function for setting process attributes, and saving the original function address.
According to one embodiment of the present invention, when the current system is judged not to meet the process protection condition, the method further includes: calling, according to the saved original function address, the kernel function for setting process attributes in the SSDT; and setting the process attribute on the current system according to the kernel function for setting process attributes.
To achieve the above objects, the process protection device of an embodiment of the second aspect of the present invention includes: a creation module, configured to create a hook function, wherein the hook function has a first parameter and a second parameter, the first parameter holding the process handle of a process and the second parameter holding the data that sets the process attribute; a function address replacement module, configured to replace, in the System Service Descriptor Table (SSDT), the original function address of the kernel function for setting process attributes with the function address of the hook function; a judging module, configured to judge, according to the first parameter and the second parameter, whether the current system meets the process protection condition; and an interception module, configured to intercept the attribute setting on the target process through the hook function when the current system meets the process protection condition.
According to the process protection device of the embodiments of the present invention, the creation module creates a hook function, the hook function having a first parameter and a second parameter, where the first parameter holds the process handle of a process and the second parameter holds the data that sets the process attribute; the function address replacement module replaces the original function address of the kernel function for setting process attributes in the SSDT with the function address of the hook function; the judging module judges, according to the first parameter and the second parameter, whether the current system meets the process protection condition; and, if it does, the interception module intercepts the attribute setting on the target process through the hook function. That is, hooking the kernel function precisely intercepts malicious attempts to set the attributes of the target process, which avoids the problem of the target process exiting because its memory is inaccessible. In terms of process protection, intercepting the function that sets process attributes achieves the purpose of process protection, which helps protect a target process, such as the process of a security component in the terminal system, improves the defensive capability of the target process, and helps protect the security of the user terminal and the system.
According to one embodiment of the present invention, the judging module includes: a first judging unit, configured to judge whether the process corresponding to the process handle in the first parameter is the target process; a second judging unit, configured to further judge, when the process corresponding to the process handle in the first parameter is the target process, whether the parameter value in the second parameter that corresponds to the target process is a predetermined threshold; and a determination unit, configured to determine that the current system meets the process protection condition when the parameter value in the second parameter that corresponds to the target process is the predetermined threshold.
According to one embodiment of the present invention, the determination unit is further configured to determine that the current system does not meet the process protection condition when the process corresponding to the process handle in the first parameter is not the target process, or when the parameter value in the second parameter that corresponds to the target process is not the predetermined threshold.
According to one embodiment of the present invention, the first judging unit is specifically configured to: obtain the corresponding process path according to the process handle in the first parameter; match whether the corresponding process path contains the target process; and, when the corresponding process path contains the target process, determine that the process corresponding to the process handle is the target process.
In one embodiment of the present invention, the predetermined threshold indicates the inaccessible (no-access) permission attribute of a process.
According to one embodiment of the present invention, the interception module is specifically configured to: generate access-denied information through the hook function, and exit execution of the hook function according to the access-denied information.
According to one embodiment of the present invention, the device further includes: a saving module, configured to obtain from the SSDT the original function address of the kernel function for setting process attributes, and to save the original function address, before the function address replacement module replaces that original function address in the SSDT with the function address of the hook function.
According to one embodiment of the present invention, the device further includes: a function calling module, configured to call, according to the saved original function address, the kernel function for setting process attributes in the SSDT when the current system is judged not to meet the process protection condition; and a process attribute setting module, configured to set the process attribute on the current system according to the kernel function for setting process attributes.
To achieve the above objects, the terminal of an embodiment of the third aspect of the present invention includes the process protection device of the embodiment of the second aspect of the present invention.
According to the terminal of the embodiments of the present invention, the creation module in the terminal creates a hook function, the hook function having a first parameter and a second parameter, where the first parameter holds the process handle of a process and the second parameter holds the data that sets the process attribute; the function address replacement module replaces the original function address of the kernel function for setting process attributes in the System Service Descriptor Table (SSDT) with the function address of the hook function; the judging module judges, according to the first parameter and the second parameter, whether the current system meets the process protection condition; and, if it does, the interception module intercepts the attribute setting on the target process through the hook function. That is, hooking the kernel function precisely intercepts malicious attempts to set the attributes of the target process, which avoids the problem of the target process exiting because its memory is inaccessible. In terms of process protection, intercepting the function that sets process attributes achieves the purpose of process protection, which helps protect a target process, such as the process of a security component in the terminal system, improves the defensive capability of the target process, and helps protect the security of the user terminal and the system.
To achieve the above objects, the terminal of an embodiment of the fourth aspect of the present invention includes: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or component of the terminal; the memory stores executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the following steps: creating a hook function, wherein the hook function has a first parameter and a second parameter, the first parameter holding the process handle of a process and the second parameter holding the data that sets the process attribute; replacing, in the SSDT, the original function address of the kernel function for setting process attributes with the function address of the hook function; judging, according to the first parameter and the second parameter, whether the current system meets the process protection condition; and, if the current system meets the process protection condition, intercepting the attribute setting on the target process through the hook function.
According to the terminal of the embodiments of the present invention, a hook function is first created, the hook function having a first parameter and a second parameter, where the first parameter holds the process handle of a process and the second parameter holds the data that sets the process attribute; the original function address of the kernel function for setting process attributes in the SSDT is replaced with the function address of the hook function; whether the current system meets the process protection condition is then judged according to the first parameter and the second parameter; and, if it does, the attribute setting on the target process is intercepted through the hook function. That is, hooking the kernel function precisely intercepts malicious attempts to set the attributes of the target process, which avoids the problem of the target process exiting because its memory is inaccessible. In terms of process protection, intercepting the function that sets process attributes achieves the purpose of process protection, which helps protect a target process, such as the process of a security component in the terminal system, improves the defensive capability of the target process, and helps protect the security of the user terminal and the system.
Additional aspects and advantages of the present invention will be set forth in part in the following description, and in part will become apparent from the following description or be learned through practice of the present invention.
Brief Description of the Drawings
The above and/or additional aspects and advantages of the present invention will become apparent and easy to understand from the following description of the embodiments taken in conjunction with the accompanying drawings, in which:
Fig. 1 is a flow chart of a process protection method according to an embodiment of the present invention;
Fig. 2 is a flow chart of a process protection method according to a specific embodiment of the present invention;
Fig. 3 is a structural block diagram of a process protection device according to an embodiment of the present invention;
Fig. 4 is a structural block diagram of a judging module according to an embodiment of the present invention;
Fig. 5 is a structural block diagram of a process protection device according to a specific embodiment of the present invention;
Fig. 6 is a structural block diagram of a process protection device according to another specific embodiment of the present invention.
Detailed Description
Embodiments of the present invention are described in detail below, and examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary; they are intended to explain the present invention and are not to be construed as limiting it.
With the rapid development of Internet technology, malicious programs such as viruses and Trojan horses emerge in an endless stream. Some malicious programs use special code to attack the security software on a terminal system (such as the Duba security software), for example by terminating the process of that security software, so that the core process of the security software can no longer protect the terminal once it has been terminated, and the security environment of the terminal system is destroyed.
In the prior art, target process protection generally hooks the kernel function that terminates a process (such as the NtTerminateProcess function) in order to intercept the malicious program's process; that is, by hooking the process-termination kernel function, the malicious program's process is intercepted and the target process (such as the core process of the security software on the terminal system) is protected. However, this approach prevents and handles the problem on the side of the malicious program's process, so the target process (such as the core process of the security software on the terminal system) may already have been terminated by the malicious program before the malicious program's process is intercepted, and the security environment of the terminal system is still destroyed.
To this end, the present invention proposes a process protection method, device and terminal which, by preventing and handling the problem on the side of the target process, fundamentally avoid destruction of the terminal system's security environment caused by a malicious program terminating the target process. Specifically, the process protection method, device and terminal according to the embodiments of the present invention are described below with reference to the accompanying drawings.
Fig. 1 is a flow chart of a process protection method according to an embodiment of the present invention. As shown in Fig. 1, the process protection method may include:
S101: create a hook function, wherein the hook function has a first parameter and a second parameter, the first parameter holding the process handle of a process and the second parameter holding the data that sets the process attribute.
First, the way a malicious program terminates a target process is described. Assume that the process protection method of the embodiments of the present invention is applied to a terminal whose operating system is, for example, Windows. The malicious program can open the target process through the kernel function NtOpenProcess, and call the kernel function for setting process attributes in the System Service Descriptor Table (SSDT) (such as the NtProtectVirtualMemory function) to set the core module of the target process to the inaccessible attribute. When the target process then uses the memory space of that core module, the target process exits abnormally because the attribute of the core module has been set to inaccessible, and the goal of terminating the target process is thereby achieved.
To this end, the process protection method of the embodiments of the present invention hooks the above kernel function for setting process attributes in the SSDT in order to intercept the malicious program's setting of the target process's attributes. That is, a hook function (such as a NewNtProtectVirtualMemory function) is first created, and the hook function may have a first parameter and a second parameter. The first parameter holds the process handle of a process; it will be understood that the process handle is the operation identifier of the process, so any behavior of the corresponding process can be operated on through this identifier (i.e. the process handle). The second parameter holds the data that sets the process attribute; for example, the second parameter may be the AccessProtection parameter (which indicates the access permission attribute), and it can be given different parameter values as needed in order to set the access permission attribute of a process.
S102: replace, in the System Service Descriptor Table (SSDT), the original function address of the kernel function for setting process attributes with the function address of the hook function.
Specifically, when the hook function is created, the original function address of the kernel function for setting process attributes in the SSDT must also be replaced with the function address of the hook function, so that this kernel function is hooked; the hook function is then called through its function address, and protection of the target process is achieved through the hook function.
S103: judge, according to the first parameter and the second parameter, whether the current system meets the process protection condition.
Specifically, because the process handle in the first parameter is the operation identifier of a process, and any behavior of that process can be operated on through it, it is first judged from the process handle in the first parameter whether the current system is performing an operation on the target process. If so, it is further judged from the second parameter whether the current system is setting a permission attribute on the target process (for example, setting it to the inaccessible permission attribute). If so, the current system is determined to meet the process protection condition; otherwise, the current system is determined not to meet the process protection condition. The specific implementation is described in the subsequent embodiments.
S104: if the current system meets the process protection condition, intercept the attribute setting on the target process through the hook function.
Specifically, in one embodiment of the present invention, when the current system meets the process protection condition, that is, when there is behavior in the current system that sets a permission attribute on the target process, such as setting the permission attribute of the target process to the inaccessible permission attribute, access-denied information can be generated through the hook function, and execution of the hook function is exited according to the access-denied information.
More specifically, when the current system meets the process protection condition, the hook function can directly return an access-denied status and exit. Execution then never reaches the original kernel function for setting process attributes, so the system does not actually perform the step of setting the process attribute, and the malicious program is prevented from setting the permission attribute of the target process.
According to the process protection method of the embodiments of the present invention, a hook function is first created, the hook function having a first parameter and a second parameter, where the first parameter holds the process handle of a process and the second parameter holds the data that sets the process attribute; the original function address of the kernel function for setting process attributes in the SSDT is replaced with the function address of the hook function; whether the current system meets the process protection condition is then judged according to the first parameter and the second parameter; and, if it does, the attribute setting on the target process is intercepted through the hook function. That is, hooking the kernel function precisely intercepts malicious attempts to set the attributes of the target process, which avoids the problem of the target process exiting because its memory is inaccessible. In terms of process protection, intercepting the function that sets process attributes achieves the purpose of process protection, which helps protect a target process, such as the process of a security component in the terminal system, improves the defensive capability of the target process, and helps protect the security of the user terminal and the system.
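The flow of S101 to S104, together with the step of saving the original address before it is replaced, can be modelled in user space. The following is an added example, not code from the patent: it uses a one-slot function-pointer array in place of the SSDT and reduces the attribute-setting function to the two parameters the text discusses. The process table, the name `avsvc.exe` and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NT status codes and page-protection values, as defined by Windows. */
#define STATUS_SUCCESS        0x00000000u
#define STATUS_INVALID_HANDLE 0xC0000008u
#define STATUS_ACCESS_DENIED  0xC0000022u
#define PAGE_NOACCESS         0x01u
#define PAGE_READONLY         0x02u
#define PAGE_READWRITE        0x04u

typedef uint32_t status_t;
typedef uintptr_t handle_t;
/* Reduced to the two parameters the text discusses (assumption). */
typedef status_t (*set_protect_fn)(handle_t process, uint32_t access_protection);

/* Constructed process table standing in for kernel handle resolution. */
struct sim_process { handle_t handle; const char *image_path; uint32_t protection; };
static struct sim_process g_procs[] = {
    { 0x10, "C:\\Program Files\\ExampleAV\\avsvc.exe", PAGE_READWRITE },
    { 0x14, "C:\\Windows\\System32\\notepad.exe",      PAGE_READWRITE },
};
static const char *g_target_name = "avsvc.exe"; /* hypothetical target process */

static struct sim_process *lookup(handle_t h) {
    for (size_t i = 0; i < sizeof g_procs / sizeof g_procs[0]; i++)
        if (g_procs[i].handle == h) return &g_procs[i];
    return NULL;
}

/* Current protection recorded for a handle, 0 if the handle is unknown. */
uint32_t protection_of(handle_t h) {
    struct sim_process *p = lookup(h);
    return p ? p->protection : 0;
}

/* Stand-in for the original attribute-setting kernel function. */
static status_t original_set_protection(handle_t h, uint32_t prot) {
    struct sim_process *p = lookup(h);
    if (!p) return STATUS_INVALID_HANDLE;
    p->protection = prot;
    return STATUS_SUCCESS;
}

/* One-slot model of the service table, plus storage for the saved entry. */
static set_protect_fn g_service_table[1] = { original_set_protection };
static set_protect_fn g_saved_original = NULL;

/* S103: handle resolves to the target path AND the value is no-access. */
static int protection_condition_met(handle_t h, uint32_t prot) {
    struct sim_process *p = lookup(h);
    if (!p || strstr(p->image_path, g_target_name) == NULL) return 0;
    return prot == PAGE_NOACCESS;
}

/* S101/S104: deny without reaching the original, otherwise forward. */
static status_t hook_set_protection(handle_t h, uint32_t prot) {
    if (protection_condition_met(h, prot))
        return STATUS_ACCESS_DENIED;
    return g_saved_original(h, prot);
}

/* S102: save the original entry first, then replace it with the hook. */
void install_hook(void) {
    if (g_saved_original) return; /* a second install would save the hook itself */
    g_saved_original = g_service_table[0];
    g_service_table[0] = hook_set_protection;
}

void remove_hook(void) {
    if (!g_saved_original) return;
    g_service_table[0] = g_saved_original;
    g_saved_original = NULL;
}

/* Every caller goes through the table, as a system call would. */
status_t request_set_protection(handle_t h, uint32_t prot) {
    return g_service_table[0](h, prot);
}

int main(void) {
    install_hook();
    printf("no-access on target: 0x%08X\n",
           (unsigned)request_set_protection(0x10, PAGE_NOACCESS));
    printf("read-only on target: 0x%08X\n",
           (unsigned)request_set_protection(0x10, PAGE_READONLY));
    printf("no-access on other:  0x%08X\n",
           (unsigned)request_set_protection(0x14, PAGE_NOACCESS));
    remove_hook();
    return 0;
}
```

On 64-bit Windows, Kernel Patch Protection treats modification of the SSDT as kernel corruption and halts the system, so this model shows the decision logic only.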
Fig. 2 is a flowchart of the process protection method according to a specific embodiment of the present invention. As shown in Fig. 2, the process protection method may include:
S201, create a hook function, where the hook function contains a first parameter and a second parameter; the first parameter holds the process handle of a process, and the second parameter holds the data used to set process attributes.
S202, replace the original function address of the kernel function for setting process attributes in the System Service Descriptor Table (SSDT) with the function address of the hook function.
So that the target process can be protected in later steps, before the original function address in the SSDT is replaced with the function address of the hook function, the method may further include: obtaining from the SSDT the original function address of the kernel function for setting process attributes, and saving that original function address. That is, when the hook function is created, the original function address of the kernel function for setting process attributes (such as the NtProtectVirtualMemory function) can also be looked up in the SSDT and saved. Later, when the current system is judged not to meet the process protection condition, that is, when no interception is needed, the saved original function address is used to carry out the normal process attribute setting.
S203, judge whether the process corresponding to the process handle in the first parameter is the target process.
As an example, judging whether the process corresponding to the process handle in the first parameter is the target process may include the following steps:
2031) obtain the corresponding process path according to the process handle in the first parameter;
2032) check whether the corresponding process path contains the target process;
2033) if it does, determine that the process corresponding to the process handle is the target process.
For example, assume the process protection method of the embodiment of the present invention is applied to a terminal running the Windows operating system. The process handle in the first parameter can be passed as the first argument to the kernel function ZwQueryInformationProcess to obtain the process path corresponding to that handle. The process path can then be checked for the target process, where the target process can be a process of the Duba security software such as kxescore.exe or kxetray.exe. If the path contains the target process, the process corresponding to the process handle is determined to be the target process; otherwise, it is determined not to be the target process.
S204, if the process corresponding to the process handle in the first parameter is the target process, further judge whether the parameter value in the second parameter that corresponds to the target process is a predetermined threshold.
In one embodiment of the invention, the predetermined threshold may be used to indicate the inaccessible permission attribute of a process.
Specifically, when the process corresponding to the process handle in the first parameter is judged to be the target process, the parameter value in the second parameter that corresponds to the target process is determined, and it is further judged whether this parameter value is the predetermined threshold. If it is, the current system is determined to meet the process protection condition; otherwise, the current system is determined not to meet the process protection condition.
For example, assume the process protection method of the embodiment of the present invention is applied to a terminal running the Windows operating system. After the process corresponding to the process handle in the first parameter is judged to be the target process, the parameter value corresponding to the target process can be read from the second parameter of the hook function NewNtProtectVirtualMemory (this second parameter can be AccessProtection). If AccessProtection=PAGE_NOACCESS (PAGE_NOACCESS being the predetermined threshold described above), some program in the current system is setting the inaccessible permission attribute on the target process, that is, making the target process inaccessible, so the current system can be determined to meet the process protection condition.
S205, if the parameter value in the second parameter that corresponds to the target process is the predetermined threshold, intercept the attribute setting on the target process through the hook function.
Specifically, when the current system is judged to meet the process protection condition, that is, when the process corresponding to the process handle in the first parameter is the target process and the parameter value in the second parameter that corresponds to the target process is the predetermined threshold, some program is setting the process attribute of the target process to the inaccessible state. The hook function can then directly return an access-denied status and exit. Execution therefore never reaches the original kernel function for setting process attributes, so the system does not actually perform the attribute-setting step. This stops the malicious program from setting the permission attribute of the target process.
S206, if the process corresponding to the process handle in the first parameter is not the target process, or the parameter value in the second parameter that corresponds to the target process is not the predetermined threshold, call the kernel function for setting process attributes in the SSDT according to the saved original function address.
Specifically, when the process corresponding to the process handle in the first parameter is not the target process, or the parameter value in the second parameter that corresponds to the target process is not the predetermined threshold, the current system is judged not to meet the process protection condition. The attribute-setting behavior does not need to be intercepted in this case, and the kernel function for setting process attributes in the SSDT can be called through its previously saved original function address.
S207, set the process attributes in the current system through the kernel function for setting process attributes.
That is, when the current system is judged not to meet the process protection condition, the kernel function for setting process attributes in the SSDT can be called to carry out the real attribute-setting operation.
The process protection method according to the embodiments of the present invention judges from the first parameter of the hook function whether the current system contains a malicious operation against the target process. If it does, the method further judges from the second parameter whether the current system contains an access-permission setting on the process attributes of the target process. If it does, the current system is determined to meet the process protection condition, and the hook function intercepts the attribute setting on the target process in order to protect it. That is, two judgment conditions are used to decide whether the current system contains malicious behavior that sets the process attributes of the target process, which improves the determination result.
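An added user-mode model of steps S201 to S207, not code from the patent and not kernel code: a one-slot function-pointer table stands in for the SSDT entry, and a constructed handle-to-path table stands in for the ZwQueryInformationProcess lookup. The handles, sample paths, function names and the case-insensitive match are assumptions; the PAGE_* and STATUS_* values are the real Windows constants.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Real Windows values; everything else is a user-mode model (assumption). */
#define PAGE_NOACCESS         0x01u
#define PAGE_READONLY         0x02u
#define PAGE_READWRITE        0x04u
#define STATUS_SUCCESS        0x00000000u
#define STATUS_INVALID_HANDLE 0xC0000008u
#define STATUS_ACCESS_DENIED  0xC0000022u

typedef uint32_t status_t;
typedef int handle_t; /* hypothetical stand-in for a process HANDLE */
typedef status_t (*protect_fn)(handle_t process, uint32_t access_protection);

/* Constructed sample processes; this table replaces the handle-to-path
 * lookup that the page performs with ZwQueryInformationProcess. */
struct proc { handle_t handle; const char *path; uint32_t protection; };
static struct proc g_procs[] = {
    { 1, "C:\\sample\\av\\kxescore.exe",  PAGE_READWRITE },
    { 2, "C:\\sample\\av\\KXETray.exe",   PAGE_READWRITE },
    { 3, "C:\\sample\\other\\editor.exe", PAGE_READWRITE },
};
static const char *g_targets[] = { "kxescore.exe", "kxetray.exe" };

static struct proc *find_proc(handle_t h)
{
    for (size_t i = 0; i < sizeof g_procs / sizeof g_procs[0]; i++)
        if (g_procs[i].handle == h)
            return &g_procs[i];
    return NULL;
}

/* "Path contains target" test of steps 2031-2033. Ignoring case is an
 * assumption; the page only says the path must contain the target. */
static int contains_nocase(const char *hay, const char *needle)
{
    for (; *hay; hay++) {
        size_t i = 0;
        while (needle[i] && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (needle[i] == '\0')
            return 1;
    }
    return 0;
}

/* S203: is the process behind this handle one of the protected targets? */
int is_target(handle_t h)
{
    struct proc *p = find_proc(h);
    if (p == NULL)
        return 0;
    for (size_t i = 0; i < sizeof g_targets / sizeof g_targets[0]; i++)
        if (contains_nocase(p->path, g_targets[i]))
            return 1;
    return 0;
}

/* Model of the original kernel routine: it really changes the attribute. */
static status_t original_protect(handle_t h, uint32_t access_protection)
{
    struct proc *p = find_proc(h);
    if (p == NULL)
        return STATUS_INVALID_HANDLE;
    p->protection = access_protection;
    return STATUS_SUCCESS;
}

static protect_fn g_service_slot = original_protect; /* modelled table entry */
static protect_fn g_saved_original = NULL;           /* saved before the swap */

/* S203-S207: deny only "target process AND PAGE_NOACCESS"; forward the rest. */
static status_t hook_protect(handle_t h, uint32_t access_protection)
{
    if (is_target(h) && access_protection == PAGE_NOACCESS)
        return STATUS_ACCESS_DENIED;               /* S205: original never runs */
    return g_saved_original(h, access_protection); /* S206-S207 */
}

/* Save the original entry, then swap in the hook (S202). Returns 0 when the
 * hook is already installed, so a second call cannot overwrite the saved
 * address with the hook itself and make it recurse forever. */
int install_hook(void)
{
    if (g_saved_original != NULL)
        return 0;
    g_saved_original = g_service_slot;
    g_service_slot = hook_protect;
    return 1;
}

/* Callers always go through the table slot, as a system call would. */
status_t set_protection(handle_t h, uint32_t p) { return g_service_slot(h, p); }

uint32_t get_protection(handle_t h)
{
    struct proc *p = find_proc(h);
    return p ? p->protection : 0;
}

int main(void)
{
    install_hook();
    printf("target, PAGE_NOACCESS: 0x%08X\n", (unsigned)set_protection(1, PAGE_NOACCESS));
    printf("target, PAGE_READONLY: 0x%08X\n", (unsigned)set_protection(1, PAGE_READONLY));
    printf("other,  PAGE_NOACCESS: 0x%08X\n", (unsigned)set_protection(3, PAGE_NOACCESS));
    return 0;
}
```

The model makes the scope of the check visible: only the combination of a target path and PAGE_NOACCESS is denied, and every other request reaches the saved original function.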
Corresponding to the process protection method provided by the embodiments above, an embodiment of the present invention also provides a process protection device. Because the process protection device corresponds to the process protection method provided by the embodiments above, the embodiments of the method also apply to the device provided in this embodiment and are not described in detail again here. Fig. 3 is a structural block diagram of a process protection device according to an embodiment of the invention. As shown in Fig. 3, the process protection device may include: a creation module 100, a function address replacement module 200, a judgment module 300 and an interception module 400.
Specifically, the creation module 100 can be used to create a hook function, where the hook function contains a first parameter and a second parameter; the first parameter holds the process handle of a process, and the second parameter holds the data used to set process attributes.
The function address replacement module 200 can be used to replace the original function address of the kernel function for setting process attributes in the System Service Descriptor Table (SSDT) with the function address of the hook function.
The judgment module 300 can be used to judge, according to the first parameter and the second parameter, whether the current system meets the process protection condition.
The interception module 400 can be used to intercept the attribute setting on the target process through the hook function when the current system meets the process protection condition. Specifically, in an embodiment of the present invention, the interception module 400 can generate access-denied information through the hook function and exit the execution of the hook function according to that information.
To improve the determination result, two judgment conditions can be used to decide whether the current system contains malicious behavior that sets the process attributes of the target process. Specifically, as an example, in one embodiment of the invention, as shown in Fig. 4, the judgment module 300 may include: a first judging unit 310, a second judging unit 320 and a determining unit 330. The first judging unit 310 can be used to judge whether the process corresponding to the process handle in the first parameter is the target process. The second judging unit 320 can be used to further judge, when the process corresponding to the process handle in the first parameter is the target process, whether the parameter value in the second parameter that corresponds to the target process is the predetermined threshold. The determining unit 330 can be used to determine that the current system meets the process protection condition when the parameter value in the second parameter that corresponds to the target process is the predetermined threshold. In one embodiment of the invention, the predetermined threshold may be used to indicate the inaccessible permission attribute of a process.
As an optional embodiment, the determining unit 330 can also be used to determine that the current system does not meet the process protection condition when the process corresponding to the process handle in the first parameter is not the target process, or when the parameter value in the second parameter that corresponds to the target process is not the predetermined threshold.
As an example, the first judging unit 310 may judge whether the process corresponding to the process handle in the first parameter is the target process as follows: obtain the corresponding process path according to the process handle in the first parameter; check whether the corresponding process path contains the target process; and, when the corresponding process path contains the target process, determine that the process corresponding to the process handle is the target process.
To achieve the purpose of protecting the target process, in one embodiment of the invention, as shown in Fig. 5, the device may further include a saving module 500. The saving module 500 can be used, before the function address replacement module 200 replaces the original function address of the kernel function for setting process attributes in the SSDT with the function address of the hook function, to obtain that original function address from the SSDT and save it.
Further, in one embodiment of the invention, as shown in Fig. 6 and building on Fig. 5, the device may also include a function calling module 600 and a process attribute setting module 700. The function calling module 600 can be used, when the current system is judged not to meet the process protection condition, to call the kernel function for setting process attributes in the SSDT according to the saved original function address. The process attribute setting module 700 can be used to set the process attributes in the current system through the kernel function for setting process attributes. Thus, when the current system is judged not to meet the process protection condition, the kernel function for setting process attributes in the SSDT is called to carry out the real attribute-setting operation.
In the process protection device according to the embodiments of the present invention, the creation module first creates a hook function, where the hook function contains a first parameter and a second parameter; the first parameter holds the process handle of a process, and the second parameter holds the data used to set process attributes. The function address replacement module replaces the original function address of the kernel function for setting process attributes in the System Service Descriptor Table (SSDT) with the function address of the hook function. The judgment module judges from the first parameter and the second parameter whether the current system meets the process protection condition, and if it does, the interception module intercepts the attribute setting on the target process through the hook function. In other words, hooking the kernel function precisely intercepts malicious attempts to set the attributes of the target process, which avoids the problem of the target program exiting because its memory has become inaccessible. From a process protection standpoint, intercepting the function that sets process attributes protects the target process (for example, the process of a security component in the terminal system), improves the defensive capability of the target process, and helps protect the user terminal and system security.
To implement the embodiments above, the invention also proposes a terminal that includes the process protection device described in any of the embodiments of the present invention above.
In the terminal according to the embodiments of the present invention, the creation module in the terminal creates a hook function, where the hook function contains a first parameter and a second parameter; the first parameter holds the process handle of a process, and the second parameter holds the data used to set process attributes. The function address replacement module replaces the original function address of the kernel function for setting process attributes in the System Service Descriptor Table (SSDT) with the function address of the hook function. The judgment module judges from the first parameter and the second parameter whether the current system meets the process protection condition, and if it does, the interception module intercepts the attribute setting on the target process through the hook function. In other words, hooking the kernel function precisely intercepts malicious attempts to set the attributes of the target process, which avoids the problem of the target program exiting because its memory has become inaccessible. From a process protection standpoint, intercepting the function that sets process attributes protects the target process (for example, the process of a security component in the terminal system), improves the defensive capability of the target process, and helps protect the user terminal and system security.
To implement the embodiments above, the invention also proposes a terminal including: a housing, a processor, a memory, a circuit board and a power circuit, where the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power circuit supplies power to each circuit or device of the terminal; the memory stores executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, in order to perform the following steps:
S101', create a hook function, where the hook function contains a first parameter and a second parameter; the first parameter holds the process handle of a process, and the second parameter holds the data used to set process attributes.
S102', replace the original function address of the kernel function for setting process attributes in the System Service Descriptor Table (SSDT) with the function address of the hook function.
S103', judge according to the first parameter and the second parameter whether the current system meets the process protection condition.
S104', if the current system meets the process protection condition, intercept the attribute setting on the target process through the hook function.
In the terminal according to the embodiments of the present invention, a hook function is created first, where the hook function contains a first parameter and a second parameter; the first parameter holds the process handle of a process, and the second parameter holds the data used to set process attributes. The function address of the hook function then replaces the original function address of the kernel function for setting process attributes in the System Service Descriptor Table (SSDT). After that, whether the current system meets the process protection condition is judged from the first parameter and the second parameter, and if it does, the hook function intercepts the attribute setting on the target process. In other words, hooking the kernel function precisely intercepts malicious attempts to set the attributes of the target process, which avoids the problem of the target program exiting because its memory has become inaccessible. From a process protection standpoint, intercepting the function that sets process attributes protects the target process (for example, the process of a security component in the terminal system), improves the defensive capability of the target process, and helps protect the user terminal and system security.
In the description of the present invention, it should be understood that the terms "first" and "second" are used for descriptive purposes only and cannot be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. Thus, a feature qualified by "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "multiple" means at least two, for example two or three, unless specifically limited otherwise.
In the description of this specification, a description referring to the terms "an embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic uses of these terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples. In addition, where they do not contradict each other, those skilled in the art may combine the different embodiments or examples described in this specification and the features of those embodiments or examples.
Any process or method description in a flowchart or otherwise described herein may be understood as representing a module, segment or portion of code that includes one or more executable instructions for implementing the steps of a specific logical function or process. The scope of the preferred embodiments of the present invention includes other implementations in which functions may be performed out of the order shown or discussed, including substantially simultaneously or in the reverse order depending on the functions involved, as should be understood by those skilled in the art to which the embodiments of the present invention belong.
The logic and/or steps represented in a flowchart or otherwise described herein may, for example, be regarded as an ordered list of executable instructions for implementing logical functions, and may be embodied in any computer-readable medium for use by, or in combination with, an instruction execution system, device or apparatus (such as a computer-based system, a system including a processor, or another system that can fetch instructions from an instruction execution system, device or apparatus and execute them). For the purposes of this specification, a "computer-readable medium" can be any device that can contain, store, communicate, propagate or transmit a program for use by, or in combination with, an instruction execution system, device or apparatus. More specific examples (a non-exhaustive list) of computer-readable media include the following: an electrical connection (electronic device) with one or more wires, a portable computer diskette (magnetic device), random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), a fiber-optic device, and portable compact disc read-only memory (CDROM). In addition, the computer-readable medium can even be paper or another suitable medium on which the program is printed, because the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or otherwise processing it in a suitable way if necessary, and then stored in computer memory.
It should be understood that each part of the present invention can be implemented in hardware, software, firmware or a combination of them. In the embodiments above, multiple steps or methods can be implemented with software or firmware that is stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they can be implemented with any one or a combination of the following technologies known in the art: a discrete logic circuit with logic gates for implementing logical functions on data signals, an application-specific integrated circuit with suitable combinational logic gates, a programmable gate array (PGA), a field-programmable gate array (FPGA), and so on.
Those skilled in the art will understand that all or part of the steps of the method embodiments above can be completed by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, performs one of the steps of the method embodiments or a combination of them.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing module, each unit may exist physically on its own, or two or more units may be integrated into one module. The integrated module can be implemented in the form of hardware or in the form of a software functional module. If the integrated module is implemented as a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium.
The storage medium mentioned above can be read-only memory, a magnetic disk, an optical disc or the like. Although embodiments of the invention have been shown and described above, it should be understood that these embodiments are exemplary and cannot be construed as limiting the present invention; those of ordinary skill in the art can change, modify, replace and vary the embodiments above within the scope of the invention.

Claims (10)

1. a process protection method, it is characterised in that comprise the following steps:
Creating Hook Function, wherein, comprise the first parameter and the second parameter in described Hook Function, described first parameter is used for protecting Depositing into the process handle of journey, described second parameter arranges the data message of Process Attributes for preserving;
To the function address replacement system service descriptor table SSDT table of described Hook Function be used for arranging in Process Attributes The original function address of kernel function;
Judge whether current system meets Process Protection condition according to described first parameter and described second parameter;
If described current system meets described Process Protection condition, then intercept the genus to target process by described Hook Function Property arrange.
2. process protection method as claimed in claim 1, it is characterised in that described according to described first parameter and described second Parameter judges whether current system meets Process Protection condition, including:
Judge whether the process corresponding to process handle in described first parameter is target process;
If the process corresponding to process handle in described first parameter is described target process, then determine whether described Whether two parameters are predetermined threshold value for the parameter value corresponding to described target process;
If described second parameter is described predetermined threshold value for the parameter value corresponding to described target process, then judge described Current system meets described Process Protection condition.
3. process protection method as claimed in claim 2, it is characterised in that also include:
If the process corresponding to process handle in described first parameter is not described target process, or, described second ginseng Number is not described predetermined threshold value for the parameter value corresponding to described target process, then judges that described current system is unsatisfactory for institute State Process Protection condition.
4. process protection method as claimed in claim 2 or claim 3, it is characterised in that entering in described first parameter of described judgement Whether the process corresponding to journey handle is target process, including:
Corresponding process path is obtained according to the process handle in described first parameter;
Mate and whether the process path of described correspondence comprises described target process;
If comprised, then judge that process corresponding to described process handle is as described target process.
5. as claimed in claim 2 or claim 3 process protection method, it is characterised in that wherein, described predetermined threshold value be used for indicating into The inaccessible Authorization Attributes of journey.
6. process protection method as claimed in claim 1, it is characterised in that described intercepted target by described Hook Function The attribute of process is arranged, including:
Generate denied access information by described Hook Function, and exit described Hook Function according to described denied access information Perform.
7. the process protection method as according to any one of claim 1 to 6, it is characterised in that by described Hook Function Function address is replaced in SSDT table before the original function address of the kernel function arranging Process Attributes, and described method is also wrapped Include:
From described SSDT table, obtain the original function address of the described kernel function for arranging Process Attributes, and preserve described Original function address.
8. process protection method as claimed in claim 7, it is characterised in that judging that described current system enters described in being unsatisfactory for During journey protective condition, described method also includes:
Original function address according to described preservation, calls the described kernel letter for arranging Process Attributes in described SSDT table Number;
According to the described kernel function for arranging Process Attributes, described current system is carried out the setting of Process Attributes.
9. a Process Protection device, it is characterised in that including:
Creation module, is used for creating Hook Function, wherein, comprises the first parameter and the second parameter in described Hook Function, described First parameter is for preserving the process handle of process, and described second parameter arranges the data message of Process Attributes for preserving;
Function address replacement module, for by the function address replacement system service descriptor table SSDT table of described Hook Function For arranging the original function address of the kernel function of Process Attributes;
According to described first parameter and described second parameter, judge module, for judging whether current system meets Process Protection bar Part;
Blocking module, for when current system meets described Process Protection condition, is intercepted target by described Hook Function The attribute of process is arranged.
10. A terminal, characterized by comprising: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit is configured to supply power to each circuit or device of the terminal; the memory is configured to store executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the following steps:
Creating a hook function, wherein the hook function comprises a first parameter and a second parameter, the first parameter being used to store the process handle of a process, and the second parameter being used to store the data information for setting process attributes;
Replacing, with the function address of the hook function, the original function address in the System Service Descriptor Table (SSDT) of the kernel function for setting process attributes;
Judging, according to the first parameter and the second parameter, whether the current system meets a process protection condition;
If the current system meets the process protection condition, intercepting, through the hook function, the attribute setting of a target process.
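The four claimed steps (create the hook, swap the table entry, judge from the two parameters, intercept or pass through) can be followed in a user-mode simulation. This is an added example, not code from the patent: the service table, handle mapping, status codes, attribute classes and the protection policy (one protected PID, one guarded attribute class) are all constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed user-mode stand-ins; a real SSDT is a kernel structure. */
typedef struct { uint32_t info_class; uint32_t value; } attr_info; /* second parameter */
typedef int (*set_attr_fn)(int handle, const attr_info *info);

enum { STATUS_OK = 0, STATUS_DENIED = -1 };
enum { SVC_SET_ATTR = 0, SVC_COUNT = 1, MAX_PROC = 8 };
enum { PROTECTED_PID = 3, ATTR_GUARDED = 1, ATTR_OTHER = 2 };  /* assumed policy */

static uint32_t proc_attr[MAX_PROC][3];      /* simulated attributes per pid/class */
static int handle_to_pid(int handle) { return handle - 100; }  /* toy handle table */

/* Simulated original kernel function that sets a process attribute. */
static int orig_set_attr(int handle, const attr_info *info) {
    int pid = handle_to_pid(handle);
    if (!info || pid < 0 || pid >= MAX_PROC || info->info_class > ATTR_OTHER)
        return STATUS_DENIED;
    proc_attr[pid][info->info_class] = info->value;
    return STATUS_OK;
}

static set_attr_fn service_table[SVC_COUNT] = { orig_set_attr };
static set_attr_fn saved_original;           /* original address, kept for pass-through */

/* Judging step: uses both parameters (handle -> target, info -> which attribute). */
static int protection_condition(int handle, const attr_info *info) {
    return info && handle_to_pid(handle) == PROTECTED_PID
                && info->info_class == ATTR_GUARDED;
}

/* Hook function: same two parameters as the function it replaces. */
static int hook_set_attr(int handle, const attr_info *info) {
    if (protection_condition(handle, info))
        return STATUS_DENIED;                /* intercept: attribute left unchanged */
    return saved_original(handle, info);     /* otherwise forward to the original */
}

void install_hook(void) {
    if (service_table[SVC_SET_ATTR] == hook_set_attr) return;   /* already installed */
    saved_original = service_table[SVC_SET_ATTR];
    service_table[SVC_SET_ATTR] = hook_set_attr;
}

/* Dispatch through the table, as a system call would. */
int call_set_attr(int handle, uint32_t info_class, uint32_t value) {
    attr_info info = { info_class, value };
    return service_table[SVC_SET_ATTR](handle, &info);
}

uint32_t get_attr(int pid, uint32_t info_class) { return proc_attr[pid][info_class]; }
```

On 64-bit Windows, Kernel Patch Protection treats SSDT modification as tampering, so protection of this kind is built there on supported interfaces such as ObRegisterCallbacks rather than on table patching.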
CN201610513099.4A 2016-06-30 2016-06-30 Process protection method and device and terminal Pending CN106203093A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610513099.4A CN106203093A (en) 2016-06-30 2016-06-30 Process protection method and device and terminal

Publications (1)

Publication Number Publication Date
CN106203093A true CN106203093A (en) 2016-12-07

Family

ID=57464326

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610513099.4A Pending CN106203093A (en) 2016-06-30 2016-06-30 Process protection method and device and terminal

Country Status (1)

Country Link
CN (1) CN106203093A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080127344A1 (en) * 2006-11-08 2008-05-29 Mcafee, Inc. Method and system for detecting windows rootkit that modifies the kernel mode system service dispatch table
CN101414341A (en) * 2007-10-15 2009-04-22 北京瑞星国际软件有限公司 Software self-protection method
CN102142069A (en) * 2011-05-05 2011-08-03 北京思创银联科技股份有限公司 Method for hiding folders
CN102147845A (en) * 2011-04-18 2011-08-10 北京思创银联科技股份有限公司 Process monitoring method
CN102819703A (en) * 2012-07-19 2012-12-12 北京奇虎科技有限公司 Method and equipment used for preventing webpage attack
CN103413071A (en) * 2013-07-09 2013-11-27 北京深思数盾科技有限公司 Method for protecting data in software
CN105590060A (en) * 2015-12-21 2016-05-18 北京金山安全软件有限公司 Target application program protection method and device

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107194244A (en) * 2017-04-13 2017-09-22 福建省天奕网络科技有限公司 The guard method of VR game memory data and its system
CN107566843A (en) * 2017-10-09 2018-01-09 武汉斗鱼网络科技有限公司 A kind of video decoding process guard method and device
CN107729132A (en) * 2017-10-09 2018-02-23 武汉斗鱼网络科技有限公司 A kind of video decoding process guard method and device
CN107566843B (en) * 2017-10-09 2019-07-09 武汉斗鱼网络科技有限公司 A kind of video decoding process guard method and device
CN107729132B (en) * 2017-10-09 2019-10-25 武汉斗鱼网络科技有限公司 A kind of video decoding process guard method and device
CN108563589A (en) * 2018-04-08 2018-09-21 深圳市沃特沃德股份有限公司 Terminal device obtains the method and device of input equipment type
CN109446755A (en) * 2018-09-30 2019-03-08 龙芯中科技术有限公司 The guard method of kernel hooking function, device, equipment and storage medium
CN112182558A (en) * 2020-09-28 2021-01-05 大唐高鸿信安(浙江)信息科技有限公司 Process protection method, marking method, device and equipment
CN112182558B (en) * 2020-09-28 2024-09-24 大唐高鸿信安(浙江)信息科技有限公司 Process protection method, marking method, device and equipment
CN114675892A (en) * 2022-04-12 2022-06-28 杭州雾联科技有限公司 Display parameter setting method, device, equipment and storage medium
CN114675892B (en) * 2022-04-12 2024-09-17 杭州雾联科技有限公司 Display parameter setting method, device, equipment and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20181210

Address after: 519030 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province

Applicant after: Zhuhai Leopard Technology Co.,Ltd.

Address before: 100085 East District, Second Floor, 33 Xiaoying West Road, Haidian District, Beijing

Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20161207