CN106203107A - Method and device for preventing system menu from being maliciously modified and electronic equipment - Google Patents
Method and device for preventing system menu from being maliciously modified and electronic equipment Download PDFInfo
- Publication number
- CN106203107A CN106203107A CN201610499159.1A CN201610499159A CN106203107A CN 106203107 A CN106203107 A CN 106203107A CN 201610499159 A CN201610499159 A CN 201610499159A CN 106203107 A CN106203107 A CN 106203107A
- Authority
- CN
- China
- Prior art keywords
- system menu
- function
- menu
- described process
- eigenvalue
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/034—Test or assess a computer or a system
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The embodiment of the invention discloses a method and a device for preventing a system menu from being maliciously modified and electronic equipment, relates to the technical field of computer security, and can effectively prevent a malicious program from modifying the system menu and improve the security performance of a system. The method comprises the following steps: monitoring an event called by a process to modify a system menu function in an operating system; acquiring a process path of the process according to the monitored event; judging whether the process is a malicious program process or not according to the process path; and if the process is a malicious program process, refusing the process to modify the system menu. The method and the device are suitable for preventing the malicious program from modifying the system menu.
Description
Technical field
The present invention relates to computer security technique field, particularly relate to a kind of prevent System menu by the side of malicious modification
Method, device and electronic equipment.
Background technology
In Window system, it is provided that SetSystemMenu function, this function is used for revising System menu.At present, for protecting
Protecting system menu is not by malicious modification, and commonly used approach is the SetSystemMenu function of hook application layer, so, hook
The event calling SetSystemMenu function will be monitored by subfunction, thus knows that rogue program process is wanted in time
Amendment System menu, with timely prevention, this calls event.But, inventor finds that SetSystemMenu function is corresponding to system
The function of kernel is NtUserSetSystemMenu function, if rogue program calls NtUserSetSystemMenu function
Amendment System menu, owing to the method is more hidden, this malice is not the most called and is taked to prevent by current Prevention-Security software
Protecting measure, Malware just can revise System menu by this mode, destroys user system environment.
Summary of the invention
In view of this, embodiment of the present invention offer is a kind of prevents System menu by the method for malicious modification, device and electronics
Equipment, can effectively stop rogue program to revise System menu, improve security of system performance.
First aspect, the embodiment of the present invention provide a kind of prevent System menu by the method for malicious modification, including:
Monitor process is to revising the event that System menu function calls in operating system;
According to the described event listened to, obtain the process path of described process;
Judge whether described process is rogue program process according to described process path;
If described process is rogue program process, then refuse described process amendment System menu.
In conjunction with first aspect, in the first embodiment of first aspect, described system is Windows operating system;
Described amendment System menu function is the NtUserSetSystemMenu function of operating system nucleus layer;
Before revising, in monitor process is to operating system, the event that System menu function calls, described method is also wrapped
Include: pre-set the Hook Function revising System menu function in hook operating system;
The event that amendment System menu function in operating system is called by described monitor process, including: by described
Hook Function monitor process is to revising the event that System menu function calls in operating system.
In conjunction with the first embodiment of first aspect, in the second embodiment of first aspect, described refusal institute
State process amendment System menu, including:
Refuse information is returned to described process by described Hook Function;Or
Described Hook Function refusal calls NtUserSetSystemMenu function, with refusal amendment System menu.
In conjunction with first aspect, in the third embodiment of first aspect, described judge institute according to described process path
After whether process of stating is rogue program process, also include:
If described process is not rogue program process, then call amendment System menu function, agree to that the amendment of described process is
System menu.
In conjunction with first aspect, in the 4th kind of embodiment of first aspect, described judge institute according to described process path
State whether process is rogue program process, including:
According to the eigenvalue algorithm pre-set, obtain the eigenvalue of described process path respective file;
Judge in the feature database pre-set, if record has the eigenvalue of described process path respective file;
If in the feature database pre-set, record has the eigenvalue of described process path respective file, it is determined that described process
For rogue program process;If the feature database pre-set not recording the eigenvalue of described process path respective file, the most really
Fixed described process is not rogue program process;
Wherein, in the feature database pre-set described in, record has the feature of known malicious program process path respective file
Value.
In conjunction with the 4th kind of embodiment of first aspect, in the 5th kind of embodiment of first aspect, described judgement is pre-
In the feature database first arranged, if before record has the eigenvalue of described process path respective file, also include:
Statistics known malicious program process path;
According to the eigenvalue algorithm pre-set, obtain the feature of described known malicious program process path respective file
Value;
The eigenvalue of known malicious program process path respective file is stored in feature database.
In conjunction with the 4th kind or the 5th kind of embodiment of first aspect, in the 6th kind of implementation of first aspect, institute
Stating the eigenvalue algorithm pre-set is:
That asks for process path calculates Message Digest 5 value or the cryptographic Hash eigenvalue as process path respective file,
Or
The fileversion number eigenvalue as process path respective file is obtained from process path.
Second aspect, the embodiment of the present invention provide a kind of prevent System menu by the device of malicious modification, including:
Monitor module, for monitor process to operating system is revised the event that System menu function calls;
Acquisition module, for the event listened to according to described monitoring module, obtains the process path of described process;
Judge module, for the described process path that gets according to described acquisition module, it is judged that whether described process is
Rogue program process;
Stop module, for when described judge module judges that described process is rogue program process, enter described in refusal
Cheng Xiugai System menu.
In conjunction with second aspect, in the first embodiment of second aspect, described operating system is that Windows operation is
During system, described monitoring module is previously provided with the hook of the NtUserSetSystemMenu function of hook operating system nucleus layer
Subfunction, amendment System menu function in operating system is adjusted by described monitoring module by described Hook Function monitor process
Event.
In conjunction with the first embodiment of second aspect, in the second embodiment of second aspect, described prevention mould
Block calls NtUserSetSystemMenu function by described Hook Function to described process return refuse information or refusal, with
Refusal amendment System menu.
In conjunction with second aspect, in the third embodiment of second aspect, described prevention module, it is additionally operable to sentence described
Disconnected module is judged when described process is not rogue program process, calls amendment System menu function, agrees to that described process is revised
System menu.
In conjunction with second aspect, in the 4th kind of embodiment of second aspect, described judge module includes:
Eigenvalue calculation submodule, for according to the eigenvalue algorithm pre-set, obtaining described acquisition module and get
The eigenvalue of process path respective file;
Matched sub-block, for judging in the feature database pre-set, if record has described eigenvalue calculation submodule
The eigenvalue of the process path respective file got, if record has described process path correspondence literary composition in the feature database pre-set
The eigenvalue of part, it is determined that described process is rogue program process;If the feature database pre-set does not records described process
The eigenvalue of path respective file, it is determined that described process is not rogue program process;Wherein, the feature database pre-set described in
Middle record has the eigenvalue of known malicious program process path respective file.
In conjunction with the 4th kind of embodiment of second aspect, in the 5th kind of embodiment of second aspect, also include:
Feature database generation module, for statistics known malicious program process path in advance, and according to the feature pre-set
Value-based algorithm, obtains the eigenvalue of described known malicious program process path respective file and is stored in feature database.
In conjunction with the 4th kind or the 5th kind of embodiment of second aspect, in the 6th kind of embodiment of second aspect, institute
State eigenvalue calculation submodule specifically for asking for the calculating Message Digest 5 of the process path that described acquisition module gets
Value or cryptographic Hash are as the eigenvalue of process path respective file, or obtain from the process path that described acquisition module gets
Take the fileversion number eigenvalue as process path respective file.
The third aspect, the embodiment of the present invention provides a kind of electronic equipment, and described electronic equipment includes: housing, processor, deposit
Reservoir, circuit board and power circuit, wherein, circuit board is placed in the interior volume that housing surrounds, processor and memorizer and arranges
On circuit boards;Power circuit, powers for each circuit or the device for above-mentioned electronic equipment;Memorizer is used for storing can be held
Line program code;Processor runs and executable program code pair by reading the executable program code of storage in memorizer
The program answered, prevents System menu by the method for malicious modification described in aforementioned any embodiment for performing.
The a kind of of embodiment of the present invention offer prevents System menu by the method for malicious modification, device and electronic equipment, leads to
Cross the event that amendment System menu function in operating system is called by monitor process, when the process of having listened to calls amendment system
During system menu function, obtain described process path, and judge whether described process is that rogue program enters according to described process path
Journey, if described process is rogue program process, then refuses described process amendment System menu.It is possible to effectively stop malice
Modification of program System menu, improves security of system performance.
Accompanying drawing explanation
In order to be illustrated more clearly that the embodiment of the present invention or technical scheme of the prior art, below will be to embodiment or existing
In having technology to describe, the required accompanying drawing used is briefly described, it should be apparent that, the accompanying drawing in describing below is only this
Some embodiments of invention, for those of ordinary skill in the art, on the premise of not paying creative work, it is also possible to
Other accompanying drawing is obtained according to these accompanying drawings.
Fig. 1 is that the present invention prevents System menu by the flow chart of the embodiment of the method one of malicious modification;
Fig. 2 is that the present invention prevents System menu by the flow chart of the embodiment of the method two of malicious modification;
Fig. 3 is that the present invention prevents System menu by the structural representation of the device embodiment one of malicious modification;
Fig. 4 is that the present invention prevents System menu by the structural representation of the device embodiment three of malicious modification;
Fig. 5 is the structural representation of one embodiment of electronic equipment of the present invention.
Detailed description of the invention
Prevent System menu by the method for malicious modification, device and electronics to the embodiment of the present invention is a kind of below in conjunction with the accompanying drawings
Equipment is described in detail.
It will be appreciated that described embodiment be only the present invention a part of embodiment rather than whole embodiments.Base
Embodiment in the present invention, those of ordinary skill in the art obtained under not making creative work premise all its
Its embodiment, broadly falls into the scope of protection of the invention.
Fig. 1 be the present invention prevent System menu by the flow chart of the embodiment of the method one of malicious modification, as it is shown in figure 1, this
The method of embodiment may include that
Step 101, monitor process are to revising the event that System menu function calls in operating system.
In the present embodiment, the amendment System menu function that rogue program needs call operation system to provide could realize amendment system
System menu.Therefore can intercept and capture rogue program system to be revised in time by described amendment System menu function is monitored
The message of menu.After intercepting this message, it is rejected by rogue program process amendment System menu, thus effectively stops malice
Modification of program System menu, improves security of system performance.
The described event that step 102, basis listen to, obtains the process path of described process.
In the present embodiment, such as according to the identifier PID of process, the function obtaining process path in calling system, just
Process path can be got.
Step 103, judge according to described process path whether described process is rogue program process;It is to perform step
104。
In the present embodiment, owing to rogue program process path is more fixing, thus can according to the routing information of current process,
Judge whether process is rogue program process.
In the present embodiment, as an optional mode, described process path can be obtained according to the eigenvalue algorithm pre-set
The eigenvalue of respective file;Then judge in the feature database pre-set, if record has described process path respective file
Eigenvalue;If in the feature database pre-set, record has the eigenvalue of described process path respective file, it is determined that described process
For rogue program process;If the feature database pre-set not recording the eigenvalue of described process path respective file, the most really
Fixed described process is not rogue program process.Wherein, feature database pre-sets, and the generation process of feature database is: statistics is
Know malicious process path;According to the eigenvalue algorithm pre-set, obtain described known malicious program process path respective file
Eigenvalue be stored in feature database.
Preferably, the eigenvalue algorithm pre-set is: ask for process path calculating Message Digest 5 (MD5) value or
Hash (HASH) value is as the eigenvalue of process path respective file, or obtains fileversion number from process path as entering
The eigenvalue of journey path respective file.
Step 104, refuse described process amendment System menu.
In the present embodiment, if current process is rogue program process, then refuse described process amendment System menu, thus
Effectively stop rogue program amendment System menu.
The present embodiment, by rogue program call operation system revise System menu function monitoring, can be effectively
Stop rogue program amendment System menu, reach to improve the purpose of security of system performance.
What the present embodiment provided prevents System menu by the method for malicious modification, is repaiied in operating system by monitor process
Change the event that System menu function calls, when the process of having listened to calls amendment System menu function, enter described in acquisition
Journey path, and judge whether described process is rogue program process according to described process path, if described process is rogue program
Process, then refuse described process amendment System menu.It is possible to effectively stop rogue program to revise System menu, improve system
System security performance.
Fig. 2 is that the present invention prevents System menu by the flow chart of the embodiment of the method two of malicious modification, and the present embodiment is used for
Windows operating system;Described amendment System menu function is the NtUserSetSystemMenu letter of operating system nucleus layer
Number.The embodiment of the present invention is applicable to the security protection class application program system dish to operating system such as Jinshan anti-virus software or Kingsoft bodyguard
Singly protect.As in figure 2 it is shown, the method for the present embodiment comprises the steps:
The event that NtUserSetSystemMenu function in operating system is called by step 201, monitor process.
In the present embodiment, by hook (Hook) the function monitor process that pre-sets in operating system
The event that NtUserSetSystemMenu function calls.Hook Function is actually a program segment processing message, logical
The system of mistake is called, and it is linked into system.Whenever specific message sends, before not arriving purpose window, Hook Function is the most first
Capture this message, that is Hook Function first obtains control.At this moment Hook Function i.e. can be with this message of processed, it is also possible to no
Deal with and continue to transmit this message, it is also possible to force the transmission of end.
In the present embodiment, Hook Function pre-build in security protection class application program such as Kingsoft before this step performs
NtUserSetSystemMenu function during the defence of poison despot drives, in this Hook Function hook operating system.Security protection class
The defence of application program drives and i.e. brings into operation after Windows starting operating system.
In the present embodiment, the original entry address of NtUserSetSystemMenu function is revised as in the present embodiment
The entry address of Hook Function.Malicious process when calling NtUserSetSystemMenu function, due to
The original entry address of NtUserSetSystemMenu function has been modified to the entry address of the Hook Function of the present embodiment,
When then calling NtUserSetSystemMenu function, can skip to the execution of the Hook Function of the present embodiment, it is right to be achieved in
The supervision of NtUserSetSystemMenu function.In order to realize the readjustment to NtUserSetSystemMenu function, inciting somebody to action
The entry address of the Hook Function that the original entry address of NtUserSetSystemMenu function is revised as in the present embodiment it
Before, need the original entry address of NtUserSetSystemMenu function is preserved.
When step 202, Hook Function listen to the event that process calls NtUserSetSystemMenu function, obtain institute
State the process path of process.
In the present embodiment, NtUserSetSystemMenu function is called by malicious process, is by grasping to Windows
Send the message calling NtUserSetSystemMenu function as system, this message can directly be intercepted and captured by Hook Function.Hook letter
Number intercepts this message, is i.e. considered as listening to the event that NtUserSetSystemMenu function is called by process, then according to entering
The identifier PID of journey, the function obtaining process path in calling system, such as: GetModuleFileNameEx,
GetProcessImageFileName functions etc., just can get process path.
Step 203, judge according to described process path whether described process is rogue program process;It is to perform step
204, otherwise perform step 205.
In the present embodiment, the process of step 203 is similar with the step 103 of said method embodiment, and here is omitted.
Step 204, refuse described process amendment System menu.
In the present embodiment, return refuse information by described Hook Function to described process;Or described Hook Function is refused
Call absolutely NtUserSetSystemMenu function, to refuse described process amendment System menu.
Step 205, Hook Function call NtUserSetSystemMenu function, agree to that described process revises System menu.
In the present embodiment, when described process is not rogue program process, can be with call operation system kernel function
NtUserSetSystemMenu, agrees to that described process revises System menu.
What the present embodiment provided prevents System menu by the method for malicious modification, can effectively stop rogue program to system
The amendment of menu, reaches to improve the purpose of security of system.
Use a specific embodiment below, the technical scheme of embodiment of the method shown in any one in Fig. 1~Fig. 2 is entered
Row describes in detail.
In user computer environment, there is a Malware A.Defence in Jinshan anti-virus software drive in Hook amendment system
The NtUserSetSystemMenu function of system menu, when the process of Malware A notifies that its driver calls
During NtUserSetSystemMenu function amendment System menu, this behavior will be intercepted by defence driving, and return is refused
Absolutely so that Malware amendment System menu is failed, custom system thus is preferably protected not to be destroyed.
Fig. 3 be the present invention prevent System menu by the structural representation of the device embodiment one of malicious modification, such as Fig. 3 institute
Showing, the device of the present embodiment may include that monitoring module 11, and amendment System menu function in operating system is carried out by monitor process
The event called;Acquisition module 12, for according to monitoring the event that module 11 listens to, obtaining the process path of described process;
Judge module 13, for the described process path got according to acquisition module 12, it is judged that whether described process is rogue program
Process;Stop module 14, for when judge module 13 judges that described process is rogue program process, refuse described process and repair
Change System menu.
The device of the present embodiment, may be used for performing the technical scheme of embodiment of the method shown in Fig. 1, and it realizes principle and skill
Art effect is similar to, and here is omitted.
Prevent System menu by the device embodiment two of malicious modification in the present invention, maliciously repaiied when preventing System menu
When the device changed is in Windows operating system, monitors and module 11 is previously provided with hook operating system nucleus layer
The Hook Function of NtUserSetSystemMenu function, monitors module 11 by described Hook Function monitor process to operation system
The event that in system, NtUserSetSystemMenu function calls.Stop module 14 by described Hook Function to described enter
Journey returns refuse information or refusal calls NtUserSetSystemMenu function, with refusal amendment System menu;Stop module 14
It is additionally operable to when judge module 13 judges that described process is not rogue program process, then call amendment System menu
NtUserSetSystemMenu function, agrees to that described process revises System menu.
The device of the present embodiment, may be used for performing the technical scheme of embodiment of the method shown in Fig. 2, and it realizes principle and skill
Art effect is similar to, and here is omitted.
Fig. 4 be the present invention prevent System menu by the structural representation of the device embodiment three of malicious modification, such as Fig. 4 institute
Showing, the device of the present embodiment is on the basis of Fig. 3 shown device structure, further, it is judged that module 13 includes:
Eigenvalue calculation submodule 131, for according to the eigenvalue algorithm pre-set, obtains acquisition module 12 and gets
The eigenvalue of process path respective file;Matched sub-block 132, for judging in the feature database pre-set, if record
There is the eigenvalue of the process path respective file that eigenvalue calculation submodule 131 gets, if the feature database pre-set is remembered
Record has the eigenvalue of described process path respective file, it is determined that described process is rogue program process;If the spy pre-set
Levy the eigenvalue not recording described process path respective file in storehouse, it is determined that described process is not rogue program process;Its
In, described in the feature database that pre-sets record have the eigenvalue of known malicious program process path respective file.
Preferably, in embodiment three, eigenvalue calculation submodule 131, get specifically for asking for acquisition module 12
Calculating Message Digest 5 (MD5) value of process path or Hash (HASH) value as the feature of process path respective file
Value, or from the process path that acquisition module 12 gets, obtain the fileversion number feature as process path respective file
Value.
Preferably, the System menu that prevents shown in embodiment three is also included feature database generation module by the device of malicious modification
(Fig. 4 is not shown), for statistics known malicious program process path in advance, and according to the eigenvalue algorithm pre-set, obtains
The eigenvalue of described known malicious program process path respective file is also stored in feature database.
The device of the present embodiment, may be used for performing the technical scheme of embodiment of the method shown in Fig. 1 or Fig. 2, and it realizes former
Managing similar with technique effect, here is omitted.
The embodiment of the present invention also provides for a kind of electronic equipment.Fig. 5 is that the structure of one embodiment of electronic equipment of the present invention is shown
It is intended to, it is possible to achieve Fig. 1 of the present invention or the flow process of embodiment illustrated in fig. 2, as it is shown in figure 5, above-mentioned electronic equipment may include that shell
Body 21, processor 22, memorizer 23, circuit board 24 and power circuit 25, wherein, circuit board 24 is placed in the sky that housing 21 surrounds
Inside between, processor 22 and memorizer 23 are arranged on circuit board 24;Power circuit 25, for for each of above-mentioned electronic equipment
Circuit or device are powered;Memorizer 23 is used for storing executable program code;Processor 22 stores by reading in memorizer 23
Executable program code run the program corresponding with executable program code, for performing described in aforementioned any embodiment
Prevent System menu by the method for malicious modification.
This electronic equipment exists in a variety of forms, includes but not limited to:
(1) mobile communication equipment: the feature of this kind equipment is to possess mobile communication function, and to provide speech, data
Communication is main target.This Terminal Type includes: smart mobile phone (such as iPhone), multimedia handset, functional mobile phone, and low
End mobile phone etc..
(2) super mobile personal computer equipment: this kind equipment belongs to the category of personal computer, has calculating and processes merit
Can, the most also possess mobile Internet access characteristic.This Terminal Type includes: PDA, MID and UMPC equipment etc., such as iPad.
(3) portable entertainment device: this kind equipment can show and play content of multimedia.This kind equipment includes: audio frequency,
Video playback module (such as iPod), handheld device, e-book, and intelligent toy and portable car-mounted navigator.
(4) server: providing the equipment of the service of calculating, the composition of server includes that processor, hard disk, internal memory, system are total
Lines etc., server is similar with general computer architecture, but owing to needing to provide highly reliable service, is therefore processing energy
The aspects such as power, stability, reliability, safety, extensibility, manageability require higher.
(5) other have the electronic equipment of data interaction function.
It should be noted that in this article, the relational terms of such as first and second or the like is used merely to a reality
Body or operation separate with another entity or operating space, and deposit between not necessarily requiring or imply these entities or operating
Relation or order in any this reality.And, term " includes ", " comprising " or its any other variant are intended to
Comprising of nonexcludability, so that include that the process of a series of key element, method, article or equipment not only include that those are wanted
Element, but also include other key elements being not expressly set out, or also include for this process, method, article or equipment
Intrinsic key element.In the case of there is no more restriction, statement " including ... " key element limited, it is not excluded that
Including process, method, article or the equipment of described key element there is also other identical element.
One of ordinary skill in the art will appreciate that all or part of flow process realizing in above-described embodiment method, be permissible
Instructing relevant hardware by computer program to complete, described program can be stored in a computer read/write memory medium
In, this program is upon execution, it may include such as the flow process of the embodiment of above-mentioned each method.Wherein, described storage medium can be magnetic
Dish, CD, read-only store-memory body (Read-Only Memory, ROM) or random store-memory body (Random Access
Memory, RAM) etc..
The above, the only detailed description of the invention of the present invention, but protection scope of the present invention is not limited thereto, and any
Those familiar with the art in the technical scope that the invention discloses, the change that can readily occur in or replacement, all answer
Contain within protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion with scope of the claims.
Claims (10)
1. one kind prevents System menu by the method for malicious modification, it is characterised in that including:
Monitor process is to revising the event that System menu function calls in operating system;
According to the described event listened to, obtain the process path of described process;
Judge whether described process is rogue program process according to described process path;
If described process is rogue program process, then refuse described process amendment System menu.
Prevent System menu by the method for malicious modification the most as claimed in claim 1, it is characterised in that described system is
Windows operating system;Described amendment System menu function is the NtUserSetSystemMenu letter of operating system nucleus layer
Number;
Before revising, in monitor process is to operating system, the event that System menu function calls, described method also includes:
Pre-set the Hook Function revising System menu function in hook operating system;
The event that amendment System menu function in operating system is called by described monitor process, including: by described hook
Function monitor process is to revising the event that System menu function calls in operating system.
Prevent System menu by the method for malicious modification the most as claimed in claim 2, it is characterised in that to enter described in described refusal
Cheng Xiugai System menu, including:
Refuse information is returned to described process by described Hook Function;Or
Described Hook Function refusal calls NtUserSetSystemMenu function, with refusal amendment System menu.
Prevent System menu by the method for malicious modification the most as claimed in claim 1, it is characterised in that to enter described in described basis
After journey path judges whether described process is rogue program process, also include:
If described process is not rogue program process, then call amendment System menu function, agree to that described process revises system dish
Single.
Prevent System menu by the method for malicious modification the most as claimed in claim 1, it is characterised in that to enter described in described basis
Journey path judges whether described process is rogue program process, including:
According to the eigenvalue algorithm pre-set, obtain the eigenvalue of described process path respective file;
Judge in the feature database pre-set, if record has the eigenvalue of described process path respective file;
If record has the eigenvalue of described process path respective file in the feature database pre-set, it is determined that described process is for disliking
Meaning program process;If the feature database pre-set not recording the eigenvalue of described process path respective file, it is determined that institute
Process of stating is not rogue program process;
Wherein, in the feature database pre-set described in, record has the eigenvalue of known malicious program process path respective file.
6. one kind prevents System menu by the device of malicious modification, it is characterised in that including:
Monitor module, for monitor process to operating system is revised the event that System menu function calls;
Acquisition module, for the event listened to according to described monitoring module, obtains the process path of described process;
Judge module, for the described process path got according to described acquisition module, it is judged that whether described process is malice
Program process;
Stop module, for when described judge module judges that described process is rogue program process, refuse described process and repair
Change System menu.
Prevent System menu by the device of malicious modification the most as claimed in claim 6, it is characterised in that described operating system is
During Windows operating system, described monitoring module is previously provided with hook operating system nucleus layer
The Hook Function of NtUserSetSystemMenu function, described monitoring module by described Hook Function monitor process to operation
System is revised the event that System menu function calls.
The most according to claim 7 prevent System menu by the device of malicious modification, it is characterised in that described prevention module
NtUserSetSystemMenu function is called, to refuse to described process return refuse information or refusal by described Hook Function
Revise absolutely System menu.
The most according to claim 6 prevent System menu by the device of malicious modification, it is characterised in that described prevention mould
Block, is additionally operable to when described judge module judges that described process is not rogue program process, calls amendment System menu function,
Agree to that described process revises System menu.
10. an electronic equipment, it is characterised in that described electronic equipment includes: housing, processor, memorizer, circuit board and electricity
Source circuit, wherein, circuit board is placed in the interior volume that housing surrounds, processor and memorizer and arranges on circuit boards;Power supply
Circuit, powers for each circuit or the device for above-mentioned electronic equipment;Memorizer is used for storing executable program code;Process
Device runs the program corresponding with executable program code by reading the executable program code of storage in memorizer, is used for holding
Row aforementioned any one of claim 1-5 described in prevent System menu by the method for malicious modification.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610499159.1A CN106203107A (en) | 2016-06-29 | 2016-06-29 | Method and device for preventing system menu from being maliciously modified and electronic equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610499159.1A CN106203107A (en) | 2016-06-29 | 2016-06-29 | Method and device for preventing system menu from being maliciously modified and electronic equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106203107A true CN106203107A (en) | 2016-12-07 |
Family
ID=57463491
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610499159.1A Pending CN106203107A (en) | 2016-06-29 | 2016-06-29 | Method and device for preventing system menu from being maliciously modified and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106203107A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107645546A (en) * | 2017-09-12 | 2018-01-30 | 深圳Tcl新技术有限公司 | File monitor method, smart machine and storage medium based on Android system |
CN109947055A (en) * | 2017-12-20 | 2019-06-28 | 松下知识产权经营株式会社 | Apparatus control method, plant control unit and apparatus control system |
CN113239350A (en) * | 2021-06-11 | 2021-08-10 | 杭州安恒信息技术股份有限公司 | Method and device for preventing shear plate from being illegally tampered and electronic device |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101141339A (en) * | 2007-02-09 | 2008-03-12 | 江苏怡丰通信设备有限公司 | Embedded SoC chip based wireless network industry monitoring management system |
CN101924762A (en) * | 2010-08-18 | 2010-12-22 | 奇智软件(北京)有限公司 | Cloud security-based active defense method |
CN102902919A (en) * | 2012-08-30 | 2013-01-30 | 北京奇虎科技有限公司 | Method, device and system for identifying and processing suspicious practices |
CN102902913A (en) * | 2012-09-19 | 2013-01-30 | 无锡华御信息技术有限公司 | Preservation method for preventing software in computer from being damaged maliciously |
CN104484224A (en) * | 2014-12-18 | 2015-04-01 | 北京奇虎科技有限公司 | Server process control method, device and system |
CN104915594A (en) * | 2015-06-30 | 2015-09-16 | 北京奇虎科技有限公司 | Application running method and device |
US9152791B1 (en) * | 2011-05-11 | 2015-10-06 | Trend Micro Inc. | Removal of fake anti-virus software |
-
2016
- 2016-06-29 CN CN201610499159.1A patent/CN106203107A/en active Pending
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101141339A (en) * | 2007-02-09 | 2008-03-12 | 江苏怡丰通信设备有限公司 | Embedded SoC chip based wireless network industry monitoring management system |
CN101924762A (en) * | 2010-08-18 | 2010-12-22 | 奇智软件(北京)有限公司 | Cloud security-based active defense method |
US9152791B1 (en) * | 2011-05-11 | 2015-10-06 | Trend Micro Inc. | Removal of fake anti-virus software |
CN102902919A (en) * | 2012-08-30 | 2013-01-30 | 北京奇虎科技有限公司 | Method, device and system for identifying and processing suspicious practices |
CN102902913A (en) * | 2012-09-19 | 2013-01-30 | 无锡华御信息技术有限公司 | Preservation method for preventing software in computer from being damaged maliciously |
CN104484224A (en) * | 2014-12-18 | 2015-04-01 | 北京奇虎科技有限公司 | Server process control method, device and system |
CN104915594A (en) * | 2015-06-30 | 2015-09-16 | 北京奇虎科技有限公司 | Application running method and device |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107645546A (en) * | 2017-09-12 | 2018-01-30 | 深圳Tcl新技术有限公司 | File monitor method, smart machine and storage medium based on Android system |
CN109947055A (en) * | 2017-12-20 | 2019-06-28 | 松下知识产权经营株式会社 | Apparatus control method, plant control unit and apparatus control system |
CN113239350A (en) * | 2021-06-11 | 2021-08-10 | 杭州安恒信息技术股份有限公司 | Method and device for preventing shear plate from being illegally tampered and electronic device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108270786A (en) | Right management method, device, storage medium and the intelligent terminal of application program | |
CN106201468A (en) | Screen capture processing method and device and electronic equipment | |
CN105868625B (en) | Method and device for intercepting restart deletion of file | |
CN108932428B (en) | Lesog software processing method, device, equipment and readable storage medium | |
CN106127031A (en) | Method and device for protecting process and electronic equipment | |
CN106203107A (en) | Method and device for preventing system menu from being maliciously modified and electronic equipment | |
CN105844146A (en) | Method and device for protecting driver and electronic equipment | |
CN106169047A (en) | Method and device for opening monitoring camera and electronic equipment | |
CN106534093A (en) | Terminal data processing method, device and system | |
CN104954126A (en) | Sensitive operation verification method, device and system | |
CN104901805A (en) | Identity authentication method and device and system | |
CN104123276A (en) | Method, device and system for intercepting popup windows in browser | |
CN106529312A (en) | Method and device for permission control of mobile terminal, and mobile terminal | |
CN109190411A (en) | A kind of active safety means of defence, system and the terminal device of operating system | |
CN106127050A (en) | Method and device for preventing system cursor from being maliciously modified and electronic equipment | |
CN106529332A (en) | Permission control method and apparatus for mobile terminal, and mobile terminal | |
CN106203092A (en) | Method and device for intercepting shutdown of malicious program and electronic equipment | |
US9047470B2 (en) | Secure provisioning of commercial off-the-shelf (COTS) devices | |
CN106127034A (en) | Method and device for preventing system from being closed maliciously and electronic equipment | |
CN106022117A (en) | Method and device for preventing system environment variable from being modified and electronic equipment | |
CN106022120A (en) | File monitoring processing method and device and electronic equipment | |
CN106127051A (en) | Method and device for preventing mouse from being maliciously captured and electronic equipment | |
CN105279433A (en) | Application protection method and apparatus | |
CN106066968A (en) | Data guard method and device | |
CN106203089A (en) | Method and device for preventing system color from being maliciously modified and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
TA01 | Transfer of patent application right | ||
TA01 | Transfer of patent application right |
Effective date of registration: 20190110 Address after: 519031 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province Applicant after: Zhuhai Leopard Technology Co.,Ltd. Address before: 100085 East District, No. 33 Xiaoying West Road, Haidian District, Beijing Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd. |
|
RJ01 | Rejection of invention patent application after publication | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20161207 |