CN106203097A - Method and device for protecting software and electronic equipment - Google Patents

Method and device for protecting software and electronic equipment

Publication number
CN106203097A
Authority
CN
China
Prior art keywords
window
software
target
belongs
look
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610556525.2A
Other languages
Chinese (zh)
Inventor
李文靖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhuhai Baoqu Technology Co Ltd
Original Assignee
Beijing Kingsoft Internet Security Software Co Ltd
Application filed by Beijing Kingsoft Internet Security Software Co Ltd
Priority to CN201610556525.2A
Publication of CN106203097A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiments of the invention disclose a method, a device and electronic equipment for protecting software. The method comprises the following steps: when an operation of finding a software window is captured, calling the user find-window function to obtain the window handle of the target window; judging, according to the window handle of the target window, whether the target window is a window under a preset directory and whether the process currently performing the find operation is a malicious program process; and, if the target window is a window under the preset directory and the process currently performing the find operation is a malicious program process, rejecting the find operation. The embodiments protect the target window from being destroyed and thereby protect the software that owns the target window.

Description

A method, device and electronic equipment for protecting software
Technical field
The present invention relates to the technical field of system security, and in particular to a method, a device and electronic equipment for protecting software.
Background
With the development of Internet technology, malicious programs such as viruses and Trojans emerge in an endless stream. For example, a malicious program destroys an anti-virus software window as follows: the malicious program calls the FindWindow function, which in turn calls the kernel function NtUserFindWindowEx to obtain the window handle; the malicious program then calls the DestroyWindow function with this window handle as the parameter, which in turn calls the kernel function NtUserDestroyWindow to destroy the window. A malicious program can therefore find an active anti-virus software window, obtain its window handle and destroy the window; the process that owns the window then terminates, and the anti-virus software can no longer protect the system.
Summary of the invention
The present invention aims to solve at least one of the above technical problems.
To this end, embodiments of the present invention provide a method, a device and electronic equipment for protecting software that prevent a malicious program from finding the anti-virus software window, so that the window is not destroyed. This protects the anti-virus software, strengthens its self-defence and helps maintain the security of the system.
In a first aspect, an embodiment of the present invention provides a method for protecting software, comprising the following steps:
when an operation of finding a software window is captured, calling the user find-window function to obtain the window handle of the target window;
judging, according to the window handle of the target window, whether the target window is a window under a preset directory and whether the process currently performing the find operation is a malicious program process;
if the target window is a window under the preset directory and the process currently performing the find operation is a malicious program process, rejecting the find operation.
With reference to the first aspect, in a first implementation of the first aspect, the method further comprises: hooking the user find-window function with a hook function so as to capture the operation of finding a software window.
With reference to the first aspect, in a second implementation of the first aspect, judging according to the window handle of the target window whether the target window is a window under the preset directory comprises:
obtaining, according to the window handle of the target window, the process identifier of the target process to which the target window belongs, and obtaining the process path of the target process according to its process identifier;
judging whether the process path of the target process belongs to the preset directory and, if it does, determining that the target window is a window under the preset directory.
With reference to the first aspect, in a third implementation of the first aspect, judging whether the process currently performing the find operation is a malicious program process comprises:
obtaining the process identifier of the current process, that is, the process currently performing the find operation, and obtaining the process path of the current process according to its process identifier;
judging, according to the process path of the current process, whether the current process is a malicious program process and, if it is, determining that the process currently performing the find operation is a malicious program process.
With reference to the first aspect, in a fourth implementation of the first aspect, rejecting the find operation is specifically: returning an invalid window handle to the process currently performing the find operation.
With reference to the first aspect, in a fifth implementation of the first aspect, the method further comprises: if the target window is not a window under the preset directory, or the process currently performing the find operation is not a malicious program process, returning the window handle of the target window to the process currently performing the find operation.
In a second aspect, an embodiment of the present invention provides a device for protecting software, comprising: an acquisition module, a judgment module and a rejection module;
the acquisition module is configured to call the user find-window function to obtain the window handle of the target window when an operation of finding a software window is captured;
the judgment module is configured to judge, according to the window handle of the target window obtained by the acquisition module, whether the target window is a window under a preset directory and whether the process currently performing the find operation is a malicious program process;
the rejection module is configured to reject the find operation if the judgment module judges that the target window is a window under the preset directory and the process currently performing the find operation is a malicious program process.
With reference to the second aspect, in a first implementation of the second aspect, the device further comprises: a hooking module, configured to hook the user find-window function with a hook function so as to capture the operation of finding a software window.
With reference to the second aspect, in a second implementation of the second aspect, the judgment module comprises: a first acquisition unit and a first judgment unit;
the first acquisition unit is configured to obtain, according to the window handle of the target window obtained by the acquisition module, the process identifier of the target process to which the target window belongs, and to obtain the process path of the target process according to its process identifier;
the first judgment unit is configured to judge whether the process path of the target process obtained by the first acquisition unit belongs to the preset directory and, if it does, to determine that the target window is a window under the preset directory.
With reference to the second aspect, in a third implementation of the second aspect, the judgment module comprises: a second acquisition unit and a second judgment unit;
the second acquisition unit is configured to obtain the process identifier of the current process, that is, the process currently performing the find operation, and to obtain the process path of the current process according to its process identifier;
the second judgment unit is configured to judge, according to the process path of the current process obtained by the second acquisition unit, whether the current process is a malicious program process and, if it is, to determine that the process currently performing the find operation is a malicious program process.
With reference to the second aspect, in a fourth implementation of the second aspect, the rejection module is specifically configured to return an invalid window handle to the process currently performing the find operation if the judgment module judges that the target window is a window under the preset directory and the process currently performing the find operation is a malicious program process.
With reference to the second aspect, in a fifth implementation of the second aspect, the device further comprises: a return module, configured to return the window handle of the target window to the process currently performing the find operation if the judgment module judges that the target window is not a window under the preset directory or that the process currently performing the find operation is not a malicious program process.
In a third aspect, an embodiment of the present invention provides electronic equipment for protecting software, comprising: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or component of the electronic equipment; the memory stores executable program code; and the processor reads the executable program code stored in the memory and performs the following operations:
when an operation of finding a software window is captured, calling the user find-window function to obtain the window handle of the target window;
judging, according to the window handle of the target window, whether the target window is a window under a preset directory and whether the process currently performing the find operation is a malicious program process;
if the target window is a window under the preset directory and the process currently performing the find operation is a malicious program process, rejecting the find operation.
The method, device and electronic equipment for protecting software of the embodiments of the present invention intercept a malicious program when it tries to find the anti-virus software window, so that the malicious program cannot find the window and the window is not destroyed. This protects the anti-virus software, strengthens its self-defence and helps maintain the security of the system.
Additional aspects and advantages of the present invention will be given in part in the following description, and in part will become apparent from the following description or be learned through practice of the present invention.
Brief description of the drawings
In order to illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the method for protecting software according to Embodiment 1 of the present invention;
Fig. 2 is a flow chart of the method for protecting software according to Embodiment 2 of the present invention;
Fig. 3 is a structural diagram of the device for protecting software according to Embodiment 3 of the present invention;
Fig. 4 is a structural diagram of another device for protecting software according to Embodiment 3 of the present invention;
Fig. 5 is a structural diagram of yet another device for protecting software according to Embodiment 3 of the present invention;
Fig. 6 is a structural diagram of yet another device for protecting software according to Embodiment 3 of the present invention;
Fig. 7 is a structural diagram of yet another device for protecting software according to Embodiment 3 of the present invention;
Fig. 8 is a structural diagram of one embodiment of the electronic equipment of the present invention.
Detailed description
Embodiments of the present invention are described in detail below, and examples of the embodiments are shown in the drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary; they are intended to explain the present invention and are not to be construed as limiting it.
In addition, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. A feature qualified by "first" or "second" may therefore explicitly or implicitly include one or more such features. In the description of the present invention, "multiple" means two or more, unless otherwise specifically limited.
Any process or method description in a flow chart, or otherwise described herein, may be understood as representing a module, segment or portion of code that includes one or more executable instructions for implementing the steps of a specific logical function or process. The scope of the preferred embodiments of the present invention includes other implementations in which functions may be performed out of the order shown or discussed, including substantially simultaneously or in the reverse order depending on the functions involved, as should be understood by those skilled in the art to which the embodiments of the present invention belong.
Embodiment 1
Fig. 1 is a flow chart of the method for protecting software according to Embodiment 1 of the present invention. As shown in Fig. 1, the method of this embodiment may include:
Step 101: when an operation of finding a software window is captured, call the user find-window function to obtain the window handle of the target window;
Step 102: judge, according to the window handle of the target window, whether the target window is a window under a preset directory and whether the process currently performing the find operation is a malicious program process;
Step 103: if the target window is a window under the preset directory and the process currently performing the find operation is a malicious program process, reject the find operation.
The method for protecting software of this embodiment intercepts a malicious program when it tries to find the anti-virus software window, so that the malicious program cannot find the window and the window is not destroyed. This protects the anti-virus software, strengthens its self-defence and helps maintain the security of the system.
Embodiment 2
Fig. 2 is a flow chart of the method for protecting software according to Embodiment 2 of the present invention. As shown in Fig. 2, the method of this embodiment may include:
Step 201: hook the user find-window function with a hook function so as to capture the operation of finding a software window.
In this embodiment, the user find-window function is the NtUserFindWindowEx kernel function.
In this embodiment, hooking the user find-window function with a hook function may be done as follows: in the SSDT (System Services Descriptor Table), find the function address of the NtUserFindWindowEx kernel function and replace it with the function address of the hook function. The hook function thereby hooks NtUserFindWindowEx, so that a find-window operation by any process enters the hook function. The method for protecting software can be implemented in this hook function, which achieves the purpose of protecting the software window from being destroyed.
Step 202: when an operation of finding a software window is captured, call the user find-window function to obtain the window handle of the target window.
In this embodiment, when a find-window operation is intercepted, the NtUserFindWindowEx user find-window function is called with the incoming window title or window class name as the parameter to find the window handle of the corresponding target window.
Step 203: obtain, according to the window handle of the target window, the process identifier of the target process to which the target window belongs, and obtain the process path of the target process according to its process identifier.
In this embodiment, the query-window function ZwUserQueryWindow is called with the window handle of the target window as the parameter to obtain the process identifier (PID) of the target process; the query-information function ZwQueryInformationProcess is called with the process identifier of the target process as the parameter to obtain the process path of the target process.
For example, the process path obtained for the target process is C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxetray.exe.
Step 204: judge whether the process path of the target process belongs to the preset directory; if so, perform step 205, otherwise perform step 208.
In this embodiment, it is judged whether the process path of the target process matches the preset directory; if so, the process path of the target process is determined to belong to the preset directory, otherwise it is determined not to belong to the preset directory.
For example, if the preset directory is C:\Program Files (x86)\kingsoft\kingsoft antivirus and the process path of the target process is C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxetray.exe, the process path of the target process matches the preset directory and is determined to belong to the preset directory.
Step 205: obtain the process identifier of the current process, that is, the process currently performing the find operation, and obtain the process path of the current process according to its process identifier.
In this embodiment, the process identifier of the current process is obtained by calling the get-current-process-identifier function PsGetCurrentProcessId, and the query-information function ZwQueryInformationProcess is called with the process identifier of the current process as the parameter to obtain the process path of the current process.
Step 206: judge, according to the process path of the current process, whether the current process is a malicious program process; if so, perform step 207, otherwise perform step 208.
In this embodiment, it is judged whether the process path of the current process contains a preset process name; if so, the current process is determined to be a malicious program process, otherwise it is determined not to be a malicious program process.
For example, the preset process names include but are not limited to: ab2.exe, av2.exe, ac2.exe.
It will be appreciated that the steps of judging, according to the window handle of the target window, whether the target window is a window under the preset directory (steps 203 and 204) and the steps of judging whether the process currently performing the find operation is a malicious program process (steps 205 and 206) may be performed in either order; this embodiment does not limit the order in which these two judgments are executed.
Step 207: reject the find operation.
In this embodiment, rejecting the find operation may be returning an invalid window handle to the current process.
For example, the invalid window handle is the preset value 0.
In addition, rejecting the find operation may also be returning no data to the current process, returning operation-failure information to the current process, returning operation-refused information to the current process, and so on.
Step 208: return the window handle of the target window to the current process.
The method for protecting software of this embodiment intercepts a malicious program when it tries to find the anti-virus software window, so that the malicious program cannot find the window and the window is not destroyed. This protects the anti-virus software, strengthens its self-defence and helps maintain the security of the system.
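
The decision made inside the hook in steps 203 to 208, modelled in user-mode C as an added example (it is not code from the patent). The two process paths are passed in as strings instead of being obtained through ZwUserQueryWindow and ZwQueryInformationProcess, the type and function names are hypothetical, and the caller check compares the final path component rather than testing whether the path contains the name, which is a stricter reading of step 206.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-mode model of the hook's decision (steps 203-208).
 * Assumption: both paths are already canonical, as a driver would get
 * them from the kernel; here they are ordinary strings. */

typedef unsigned long hwnd_t;   /* hypothetical stand-in for a window handle */
#define INVALID_HWND 0UL        /* the page's invalid handle, preset value 0 */

/* Values taken from the examples in Embodiment 2. */
static const char *PRESET_DIR =
    "C:\\Program Files (x86)\\kingsoft\\kingsoft antivirus";
static const char *PRESET_NAMES[] = { "ab2.exe", "av2.exe", "ac2.exe" };

/* Case-insensitive comparison of at most n bytes; stops at a terminator
 * so it never reads past the end of the shorter string. Returns 1 if equal. */
static int ieq_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
        if (a[i] == '\0')
            return 1;
    }
    return 1;
}

/* Step 204: does the image path lie under the preset directory?
 * The byte after the prefix must be a separator, otherwise a sibling
 * directory such as "...\kingsoft antivirus2" would also match. */
int path_under_dir(const char *path, const char *dir)
{
    size_t dlen = strlen(dir);
    if (dlen == 0 || strlen(path) <= dlen)
        return 0;
    if (!ieq_n(path, dir, dlen))
        return 0;
    return dir[dlen - 1] == '\\' || path[dlen] == '\\';
}

/* Step 206: is the caller's image name one of the preset process names?
 * Only the final path component is compared, so "tab2.exe" is not
 * treated as "ab2.exe". */
int is_preset_process(const char *caller_path)
{
    const char *slash = strrchr(caller_path, '\\');
    const char *name = slash ? slash + 1 : caller_path;
    size_t count = sizeof PRESET_NAMES / sizeof PRESET_NAMES[0];

    for (size_t i = 0; i < count; i++) {
        size_t len = strlen(PRESET_NAMES[i]);
        if (strlen(name) == len && ieq_n(name, PRESET_NAMES[i], len))
            return 1;
    }
    return 0;
}

/* Steps 207/208: the value the hook hands back to the caller. */
hwnd_t filter_find_window(hwnd_t found, const char *target_path,
                          const char *caller_path)
{
    if (found != INVALID_HWND &&
        path_under_dir(target_path, PRESET_DIR) &&
        is_preset_process(caller_path))
        return INVALID_HWND;    /* step 207: reject the find operation */
    return found;               /* step 208: pass the real handle through */
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *protected_img =
        "C:\\Program Files (x86)\\kingsoft\\kingsoft antivirus\\kxetray.exe";

    printf("preset caller, protected window: %lu\n",
           filter_find_window(0x1234UL, protected_img,
                              "C:\\Users\\test\\ab2.exe"));
    printf("other caller, protected window:  %lu\n",
           filter_find_window(0x1234UL, protected_img,
                              "C:\\Windows\\explorer.exe"));
    printf("preset caller, other window:     %lu\n",
           filter_find_window(0x1234UL, "C:\\Windows\\notepad.exe",
                              "C:\\Users\\test\\ab2.exe"));
    return 0;
}
```

The two boundary cases named in the comments (a sibling directory that shares the prefix, and an unrelated image name that merely ends in a preset name) are the ones a plain prefix or substring test would get wrong.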
Embodiment three
Fig. 3 is the structural representation of the device of the protection software of embodiments of the invention three, as it is shown on figure 3, the present embodiment Device include: acquisition module 301, judge module 302 and refusal module 303;
Acquisition module 301, for when capturing the operation searching software window, calls user and searches window function acquisition The window handle of target window;
In the present embodiment, as shown in Figure 4, the device of the another kind of protection software of the present embodiment also includes: Hooking module 304, it is used for utilizing Hook Function hook user to search window function, catches the operation searching software window.
In the present embodiment, it is NtUserFindWindowEx kernel function that user searches window function;
In the present embodiment, Hooking module 304, specifically at SSDT (System Services Descriptor Table, system service descriptor table) in, find the function address of NtUserFindWindowEx kernel function, use hook The function address of function replaces the function address of the NtUserFindWindowEx kernel function in SSDT, it is achieved thereby that utilize Hook Function hook NtUserFindWindowEx kernel function.
In the present embodiment, when intercepting the operation searching software window, acquisition module 301 is specifically for incoming window Mouth title or window class entitled parameter call NtUserFindWindowEx user search window function and search corresponding target The window handle of window.
Judge module 302, the window handle of the target window for getting according to acquisition module 301 judges whether target Window is that the process of the window under predetermined directory and the operation that currently makes a look up software window belongs to rogue program process;
In the present embodiment, as it is shown in figure 5, judge module 302 includes in the device of another the protection software of the present embodiment: First acquiring unit 3021 and the first judging unit 3022;
First acquiring unit 3021, the window handle of the target window for getting according to acquisition module 301 obtains mesh The process identification (PID) of mark target process belonging to window, obtains the process path of target process according to the process identification (PID) of target process;
In the present embodiment, the first acquiring unit 3021 is specifically for inquiring about with the window handle of target window for parameter call Window function ZwUserQueryWindow function obtain target process process identification (PID) (Process Identification, PID);With the process identification (PID) of target process for parameter call Query Information function ZwQueryInformationProcess function Obtain the process path of target process.
First judging unit 3022, for judging that the process path of target process that the first acquiring unit 3021 gets is No belong to predetermined directory, if the process path of target process belongs to predetermined directory, it is determined that target window is under predetermined directory Window.
In the present embodiment, the first judging unit 3022 is specifically for judging that the process path of target process with predetermined directory is No coupling, if it is determines that the process path of target process belongs to predetermined directory, otherwise determines the process path of target process It is not belonging to predetermined directory.
In the present embodiment, as shown in Figure 6, in the device of another the protection software of the present embodiment, judge module 302 includes: Second acquisition unit 3023 and the second judging unit 3024;
Second acquisition unit 3023, for obtaining the process mark of the current process of the operation currently making a look up software window Know, obtain the process path of current process according to the process identification (PID) of current process;
In the present embodiment, second acquisition unit 3023 is specifically for by calling acquisition current process identification function PsGetCurrentProcessId function obtains the process identification (PID) of the current process of the operation currently making a look up software window, Obtain with the process identification (PID) of current process for parameter call Query Information function ZwQueryInformationProcess function and work as The process path of front process.
Second judging unit 3024, the process path of the current process for getting according to second acquisition unit 3023 is sentenced Whether disconnected current process belongs to rogue program process, if current process belongs to rogue program process, it is determined that currently look into The process looking for the operation of software window belongs to rogue program process.
In the present embodiment, whether the second judging unit 3024 is pre-specifically for judging to comprise in the process path of current process If process name, if it is determine that current process belongs to rogue program process, otherwise determine that current process is not belonging to rogue program Process.
The refusal module 303 is configured to refuse the window lookup operation if the judging module 302 determines that the target window is a window under the preset directory and that the process currently performing the window lookup operation is a malicious program process.
In this embodiment, the refusal module 303 is specifically configured to return an invalid window handle to the process currently performing the window lookup operation if the judging module 302 determines that the target window is a window under the preset directory and that the process currently performing the window lookup operation is a malicious program process.
In addition, the refusal module 303 may also be configured so that, if the judging module 302 determines that the target window is a window under the preset directory and that the process currently performing the window lookup operation is a malicious program process, it returns no data to the current process, or returns operation-failure information to the current process, or returns operation-refused information to the current process, and so on.
In this embodiment, as shown in Fig. 7, another device for protecting software of this embodiment further includes a return module 305, configured to return the window handle of the target window to the process currently performing the window lookup operation if the judging module 302 determines that the target window is not a window under the preset directory or that the process currently performing the window lookup operation is not a malicious program process.
The device for protecting software of the embodiment of the present invention can intercept a malicious program's lookup of an anti-virus software window, so that the malicious program cannot find the anti-virus software window. This protects the anti-virus software window from being destroyed, protects the anti-virus software, strengthens the self-defense of the anti-virus software, and helps maintain system security.
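The decision made by the judging, refusal and return modules described above can be modelled in portable C. This is an added example, not code from the patent: it assumes the target and caller process paths have already been resolved, and the protected directory, the blocked process names and all function names are constructed for illustration. The directory test matches on a path-separator boundary so that a sibling directory sharing the same prefix is not treated as protected.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample policy (assumptions, not values from the patent). */
static const char *PROTECTED_DIR = "C:\\Program Files\\ExampleAV";
static const char *BLOCKED_NAMES[] = { "badtool.exe", "killav.exe" };
#define N_BLOCKED (sizeof BLOCKED_NAMES / sizeof BLOCKED_NAMES[0])

/* Case-insensitive equality of the first n bytes; stops at a shared NUL. */
static int ieq_n(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        int ca = tolower((unsigned char)a[i]), cb = tolower((unsigned char)b[i]);
        if (ca != cb) return 0;
        if (ca == '\0') break;
    }
    return 1;
}

/* Target check: path must sit below dir, matched on a separator boundary so
   "...\ExampleAVX\ui.exe" is not treated as being under "...\ExampleAV". */
int path_under_dir(const char *path, const char *dir) {
    size_t dlen = strlen(dir);
    while (dlen > 0 && dir[dlen - 1] == '\\') dlen--;   /* ignore trailing '\' */
    if (dlen == 0 || strlen(path) <= dlen) return 0;
    return ieq_n(path, dir, dlen) && path[dlen] == '\\';
}

/* Caller check as the description states it: the process path contains a
   preset process name (case-insensitive substring match). */
int path_has_blocked_name(const char *path) {
    size_t plen = strlen(path);
    for (size_t k = 0; k < N_BLOCKED; k++) {
        size_t n = strlen(BLOCKED_NAMES[k]);
        for (size_t i = 0; i + n <= plen; i++)
            if (ieq_n(path + i, BLOCKED_NAMES[k], n)) return 1;
    }
    return 0;
}

/* Returns the handle the hooked lookup hands back: 0 (invalid) only when both
   conditions hold, otherwise the real handle. A NULL path (query failed) is
   treated as "condition not established" -- an assumption of this sketch. */
uintptr_t filter_window_handle(uintptr_t real_handle,
                               const char *target_path, const char *caller_path) {
    if (!target_path || !caller_path) return real_handle;
    if (path_under_dir(target_path, PROTECTED_DIR) &&
        path_has_blocked_name(caller_path))
        return 0;
    return real_handle;
}

int main(void) {
    const char *av = "C:\\Program Files\\ExampleAV\\ui.exe";
    printf("blocked caller -> %#lx\n", (unsigned long)
           filter_window_handle(0x1A2B, av, "C:\\Temp\\badtool.exe"));
    printf("normal caller  -> %#lx\n", (unsigned long)
           filter_window_handle(0x1A2B, av, "C:\\Windows\\explorer.exe"));
    return 0;
}
```

In a kernel driver the same decision would run on counted UNICODE_STRING paths rather than NUL-terminated char strings.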
An embodiment of the present invention also provides an electronic device for protecting software.
Fig. 8 is a schematic structural diagram of one embodiment of the electronic device of the present invention. The electronic device may include a housing 41, a processor 42, a memory 43, a circuit board 44 and a power supply circuit 45, wherein the circuit board 44 is placed inside the space enclosed by the housing 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; the power supply circuit 45 is used to supply power to each circuit or component of the electronic device; the memory 43 is used to store executable program code; and the processor 42 runs the program corresponding to the executable program code by reading the executable program code stored in the memory 43, and performs the following operations:
when an operation of looking up a software window is captured, calling the user find-window function to obtain the window handle of the target window;
judging, according to the window handle of the target window, whether the target window is a window under the preset directory and whether the process currently performing the window lookup operation is a malicious program process;
if the target window is a window under the preset directory and the process currently performing the window lookup operation is a malicious program process, refusing the window lookup operation.
For the specific process by which the processor 42 performs the above steps, and for the steps the processor 42 further performs by running the executable program code, refer to the description of the embodiments shown in Figs. 1-2 of the present invention; details are not repeated here.
The electronic device exists in a variety of forms, including but not limited to:
(1) Mobile communication devices: devices of this kind are characterized by mobile communication capability, with voice and data communication as their main purpose. Such terminals include smartphones (e.g. iPhone), multimedia phones, feature phones, low-end phones, etc.
(2) Ultra-mobile personal computer devices: devices of this kind belong to the category of personal computers, have computing and processing functions, and generally also have mobile Internet access. Such terminals include PDA, MID and UMPC devices, e.g. iPad.
(3) Portable entertainment devices: devices of this kind can display and play multimedia content. They include audio and video players (e.g. iPod), handheld devices, e-books, smart toys and portable in-vehicle navigation devices.
(4) Servers: devices that provide computing services. A server comprises a processor, hard disk, memory, system bus, etc. Its architecture is similar to that of a general-purpose computer, but because it must provide highly reliable services, the requirements on processing capability, stability, reliability, security, scalability, manageability and so on are higher.
(5) Other electronic devices with data interaction functions.
Those skilled in the art will appreciate that all or part of the steps of the above method embodiments can be completed by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, performs one or a combination of the steps of the method embodiments.
For convenience of description, the above device is described with its functions divided into various units/modules. Of course, when implementing the present invention, the functions of the units/modules may be realized in one or more pieces of software and/or hardware.
As can be seen from the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by means of software plus a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the methods described in the embodiments of the present invention or in certain parts of the embodiments.
In the description of this specification, a description referring to the terms "an embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that the specific features, structures, materials or characteristics described in connection with that embodiment or example are included in at least one embodiment or example of the present invention. In this specification, schematic uses of these terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples. In addition, where they do not contradict one another, those skilled in the art may combine the different embodiments or examples described in this specification and the features of the different embodiments or examples.
Although embodiments of the present invention have been shown and described above, it should be understood that the above embodiments are exemplary and should not be construed as limiting the present invention; those of ordinary skill in the art may change, modify, replace and vary the above embodiments within the scope of the present invention.

Claims (10)

1. A method for protecting software, characterized by comprising the following steps:
when an operation of looking up a software window is captured, calling the user find-window function to obtain the window handle of a target window;
judging, according to the window handle of the target window, whether the target window is a window under a preset directory and whether the process currently performing the window lookup operation is a malicious program process;
if the target window is a window under the preset directory and the process currently performing the window lookup operation is a malicious program process, refusing the window lookup operation.
2. The method according to claim 1, characterized in that the method further comprises: hooking the user find-window function with a hook function to capture the operation of looking up a software window.
3. The method according to claim 1, characterized in that judging, according to the window handle of the target window, whether the target window is a window under the preset directory comprises:
obtaining, according to the window handle of the target window, the process identifier of the target process to which the target window belongs, and obtaining the process path of the target process according to the process identifier of the target process;
judging whether the process path of the target process belongs to the preset directory, and if the process path of the target process belongs to the preset directory, determining that the target window is a window under the preset directory.
4. The method according to claim 1, characterized in that judging whether the process currently performing the window lookup operation is a malicious program process comprises:
obtaining the process identifier of the current process performing the window lookup operation, and obtaining the process path of the current process according to the process identifier of the current process;
judging, according to the process path of the current process, whether the current process is a malicious program process, and if the current process is a malicious program process, determining that the process currently performing the window lookup operation is a malicious program process.
5. The method according to claim 1, characterized in that the method further comprises: if the target window is not a window under the preset directory or the process currently performing the window lookup operation is not a malicious program process, returning the window handle of the target window to the process currently performing the window lookup operation.
6. A device for protecting software, characterized by comprising: an acquisition module, a judging module and a refusal module;
the acquisition module is configured to call the user find-window function to obtain the window handle of a target window when an operation of looking up a software window is captured;
the judging module is configured to judge, according to the window handle of the target window obtained by the acquisition module, whether the target window is a window under a preset directory and whether the process currently performing the window lookup operation is a malicious program process;
the refusal module is configured to refuse the window lookup operation if the judging module determines that the target window is a window under the preset directory and that the process currently performing the window lookup operation is a malicious program process.
7. The device according to claim 6, characterized in that the device further comprises: a hooking module, configured to hook the user find-window function with a hook function to capture the operation of looking up a software window.
8. The device according to claim 6, characterized in that the judging module comprises: a first acquisition unit and a first judging unit;
the first acquisition unit is configured to obtain, according to the window handle of the target window obtained by the acquisition module, the process identifier of the target process to which the target window belongs, and to obtain the process path of the target process according to the process identifier of the target process;
the first judging unit is configured to judge whether the process path of the target process obtained by the first acquisition unit belongs to the preset directory, and if the process path of the target process belongs to the preset directory, to determine that the target window is a window under the preset directory.
9. The device according to claim 6, characterized in that the judging module comprises: a second acquisition unit and a second judging unit;
the second acquisition unit is configured to obtain the process identifier of the current process performing the window lookup operation, and to obtain the process path of the current process according to the process identifier of the current process;
the second judging unit is configured to judge, according to the process path of the current process obtained by the second acquisition unit, whether the current process is a malicious program process, and if the current process is a malicious program process, to determine that the process currently performing the window lookup operation is a malicious program process.
10. An electronic device for protecting software, characterized in that the electronic device comprises: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit is used to supply power to each circuit or component of the electronic device; the memory is used to store executable program code; and the processor, by reading the executable program code stored in the memory, performs the following operations:
when an operation of looking up a software window is captured, calling the user find-window function to obtain the window handle of a target window;
judging, according to the window handle of the target window, whether the target window is a window under a preset directory and whether the process currently performing the window lookup operation is a malicious program process;
if the target window is a window under the preset directory and the process currently performing the window lookup operation is a malicious program process, refusing the window lookup operation.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610556525.2A CN106203097A (en) 2016-07-14 2016-07-14 Method and device for protecting software and electronic equipment

Publications (1)

Publication Number Publication Date
CN106203097A true CN106203097A (en) 2016-12-07

Family

ID=57475302

Country Status (1)

Country Link
CN (1) CN106203097A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20181210

Address after: 519030 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province

Applicant after: Zhuhai Leopard Technology Co.,Ltd.

Address before: 100085 East District, Second Floor, 33 Xiaoying West Road, Haidian District, Beijing

Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20161207
