CN106203107A - Method and device for preventing system menu from being maliciously modified and electronic equipment - Google Patents


Info

Publication number: CN106203107A
Application number: CN201610499159.1A
Authority: CN (China)
Prior art keywords: system menu, function, menu, described process, eigenvalue
Legal status: Pending (Google's assumed status, not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 杨峰
Current assignee: Zhuhai Baoqu Technology Co Ltd (as listed by Google; may be inaccurate)
Original assignee: Beijing Kingsoft Internet Security Software Co Ltd
Application filed by Beijing Kingsoft Internet Security Software Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/034 Test or assess a computer or a system

Abstract

The embodiment of the invention discloses a method and a device for preventing a system menu from being maliciously modified and electronic equipment, relates to the technical field of computer security, and can effectively prevent a malicious program from modifying the system menu and improve the security performance of a system. The method comprises the following steps: monitoring an event called by a process to modify a system menu function in an operating system; acquiring a process path of the process according to the monitored event; judging whether the process is a malicious program process or not according to the process path; and if the process is a malicious program process, refusing the process to modify the system menu. The method and the device are suitable for preventing the malicious program from modifying the system menu.

Description

Method and device for preventing a system menu from being maliciously modified, and electronic equipment
Technical field
The present invention relates to the field of computer security, and in particular to a method and a device for preventing a system menu from being maliciously modified, and to electronic equipment.
Background technology
Windows provides the SetSystemMenu function, which is used to modify the system menu. At present, the common approach to protecting the system menu from malicious modification is to hook the application-layer SetSystemMenu function; the hook function then monitors events that call SetSystemMenu, so that a malicious program's attempt to modify the system menu is known in time and the call can be blocked. However, the inventor found that the kernel function corresponding to SetSystemMenu is NtUserSetSystemMenu. If a malicious program modifies the system menu by calling NtUserSetSystemMenu directly, current security software takes no protective measure against this call, because the method is more hidden; malware can therefore modify the system menu in this way and damage the user's system environment.
Summary of the invention
In view of this, embodiments of the present invention provide a method and a device for preventing a system menu from being maliciously modified, and electronic equipment, which can effectively stop a malicious program from modifying the system menu and improve the security of the system.
In a first aspect, an embodiment of the present invention provides a method for preventing a system menu from being maliciously modified, including:
monitoring events in which a process calls the function that modifies the system menu in the operating system;
obtaining the process path of the process according to the monitored event;
judging, according to the process path, whether the process is a malicious program process; and
if the process is a malicious program process, refusing to let the process modify the system menu.
With reference to the first aspect, in a first embodiment of the first aspect, the operating system is Windows, and the function that modifies the system menu is the NtUserSetSystemMenu function of the operating system kernel layer.
Before monitoring events in which a process calls the function that modifies the system menu, the method further includes: presetting a hook function that hooks the function that modifies the system menu in the operating system.
Monitoring events in which a process calls the function that modifies the system menu then includes: monitoring those events by means of the hook function.
With reference to the first embodiment of the first aspect, in a second embodiment of the first aspect, refusing to let the process modify the system menu includes:
the hook function returning a refusal message to the process; or
the hook function refusing to call the NtUserSetSystemMenu function, thereby refusing the modification of the system menu.
With reference to the first aspect, in a third embodiment of the first aspect, after judging according to the process path whether the process is a malicious program process, the method further includes:
if the process is not a malicious program process, calling the function that modifies the system menu, thereby permitting the process to modify the system menu.
With reference to the first aspect, in a fourth embodiment of the first aspect, judging according to the process path whether the process is a malicious program process includes:
obtaining, according to a preset eigenvalue algorithm, the eigenvalue of the file corresponding to the process path;
judging whether the eigenvalue of the file corresponding to the process path is recorded in a preset feature database;
if the eigenvalue of the file corresponding to the process path is recorded in the preset feature database, determining that the process is a malicious program process; if it is not recorded there, determining that the process is not a malicious program process;
wherein the preset feature database records the eigenvalues of the files corresponding to the process paths of known malicious programs.
With reference to the fourth embodiment of the first aspect, in a fifth embodiment of the first aspect, before judging whether the eigenvalue of the file corresponding to the process path is recorded in the preset feature database, the method further includes:
collecting the process paths of known malicious programs;
obtaining, according to the preset eigenvalue algorithm, the eigenvalues of the files corresponding to those known malicious program process paths; and
storing the eigenvalues of the files corresponding to the known malicious program process paths in the feature database.
With reference to the fourth or fifth embodiment of the first aspect, in a sixth embodiment of the first aspect, the preset eigenvalue algorithm is:
computing the Message Digest 5 (MD5) value or a hash value of the file at the process path as the eigenvalue of the file corresponding to the process path; or
obtaining the file version number from the process path as the eigenvalue of the file corresponding to the process path.
In a second aspect, an embodiment of the present invention provides a device for preventing a system menu from being maliciously modified, including:
a monitoring module, configured to monitor events in which a process calls the function that modifies the system menu in the operating system;
an acquisition module, configured to obtain the process path of the process according to the event monitored by the monitoring module;
a judging module, configured to judge, according to the process path obtained by the acquisition module, whether the process is a malicious program process; and
a blocking module, configured to refuse to let the process modify the system menu when the judging module judges that the process is a malicious program process.
With reference to the second aspect, in a first embodiment of the second aspect, when the operating system is Windows, the monitoring module is preset with a hook function that hooks the NtUserSetSystemMenu function of the operating system kernel layer, and monitors, by means of that hook function, events in which a process calls the function that modifies the system menu in the operating system.
With reference to the first embodiment of the second aspect, in a second embodiment of the second aspect, the blocking module, by means of the hook function, returns a refusal message to the process or refuses to call the NtUserSetSystemMenu function, thereby refusing the modification of the system menu.
With reference to the second aspect, in a third embodiment of the second aspect, the blocking module is further configured to call the function that modifies the system menu, permitting the process to modify the system menu, when the judging module judges that the process is not a malicious program process.
With reference to the second aspect, in a fourth embodiment of the second aspect, the judging module includes:
an eigenvalue calculation submodule, configured to obtain, according to a preset eigenvalue algorithm, the eigenvalue of the file corresponding to the process path obtained by the acquisition module; and
a matching submodule, configured to judge whether the eigenvalue obtained by the eigenvalue calculation submodule is recorded in a preset feature database; if the eigenvalue of the file corresponding to the process path is recorded in the preset feature database, it determines that the process is a malicious program process, and if it is not recorded there, it determines that the process is not a malicious program process; wherein the preset feature database records the eigenvalues of the files corresponding to the process paths of known malicious programs.
With reference to the fourth embodiment of the second aspect, in a fifth embodiment of the second aspect, the device further includes:
a feature database generation module, configured to collect the process paths of known malicious programs in advance, obtain the eigenvalues of the corresponding files according to the preset eigenvalue algorithm, and store them in the feature database.
With reference to the fourth or fifth embodiment of the second aspect, in a sixth embodiment of the second aspect, the eigenvalue calculation submodule is specifically configured to compute the Message Digest 5 (MD5) value or hash value of the file at the process path obtained by the acquisition module as the eigenvalue of that file, or to obtain the file version number from that process path as the eigenvalue of the file.
In a third aspect, an embodiment of the present invention provides electronic equipment including a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic equipment; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the method for preventing a system menu from being maliciously modified described in any of the preceding embodiments.
The method and device for preventing a system menu from being maliciously modified and the electronic equipment provided by the embodiments of the present invention monitor events in which a process calls the function that modifies the system menu in the operating system; when such a call is detected, the process path is obtained and whether the process is a malicious program process is judged according to that path; if it is, the process is refused modification of the system menu. This effectively stops malicious programs from modifying the system menu and improves the security of the system.
Brief description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of method embodiment one for preventing a system menu from being maliciously modified according to the present invention;
Fig. 2 is a flow chart of method embodiment two for preventing a system menu from being maliciously modified according to the present invention;
Fig. 3 is a schematic structural diagram of device embodiment one for preventing a system menu from being maliciously modified according to the present invention;
Fig. 4 is a schematic structural diagram of device embodiment three for preventing a system menu from being maliciously modified according to the present invention;
Fig. 5 is a schematic structural diagram of an embodiment of the electronic equipment of the present invention.
Detailed description of the invention
The method and device for preventing a system menu from being maliciously modified and the electronic equipment of the embodiments of the present invention are described in detail below with reference to the drawings.
It should be understood that the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flow chart of method embodiment one for preventing a system menu from being maliciously modified according to the present invention. As shown in Fig. 1, the method of this embodiment may include:
Step 101: monitor events in which a process calls the function that modifies the system menu in the operating system.
In this embodiment, a malicious program must call the system-menu-modifying function provided by the operating system in order to modify the system menu. By monitoring that function, the message with which a malicious program tries to modify the system menu can be intercepted in time. Once the message is intercepted, the malicious program process can be refused modification of the system menu, which effectively stops malicious programs from modifying the system menu and improves the security of the system.
Step 102: obtain the process path of the process according to the monitored event.
In this embodiment, the process path can be obtained by, for example, calling the system function that returns a process path given the process identifier (PID).
Step 103: judge, according to the process path, whether the process is a malicious program process; if so, perform step 104.
In this embodiment, because the paths of malicious program processes are relatively fixed, whether a process is a malicious program process can be judged from the path information of the current process.
In this embodiment, as an optional approach, the eigenvalue of the file corresponding to the process path may be obtained according to a preset eigenvalue algorithm; it is then checked whether that eigenvalue is recorded in a preset feature database. If the eigenvalue of the file corresponding to the process path is recorded in the preset feature database, the process is determined to be a malicious program process; if it is not recorded there, the process is determined not to be a malicious program process. The feature database is prepared in advance as follows: collect the paths of known malicious processes; obtain, according to the preset eigenvalue algorithm, the eigenvalues of the files corresponding to those known malicious program process paths; and store them in the feature database.
Preferably, the preset eigenvalue algorithm is: compute the Message Digest 5 (MD5) value or hash (HASH) value of the file at the process path as the eigenvalue of the file corresponding to the process path, or obtain the file version number from the process path as the eigenvalue of the file corresponding to the process path.
Step 104: refuse to let the process modify the system menu.
In this embodiment, if the current process is a malicious program process, it is refused modification of the system menu, which effectively stops the malicious program from modifying the system menu.
By monitoring calls from malicious programs to the operating system's system-menu-modifying function, this embodiment can effectively stop malicious programs from modifying the system menu and thereby improve the security of the system.
The method for preventing a system menu from being maliciously modified provided by this embodiment monitors events in which a process calls the function that modifies the system menu in the operating system; when such a call is detected, the process path is obtained and whether the process is a malicious program process is judged according to that path; if it is, the process is refused modification of the system menu. This effectively stops malicious programs from modifying the system menu and improves the security of the system.
Fig. 2 is a flow chart of method embodiment two for preventing a system menu from being maliciously modified according to the present invention. This embodiment is for the Windows operating system, and the function that modifies the system menu is the NtUserSetSystemMenu function of the operating system kernel layer. The embodiment is applicable to security protection applications such as Kingsoft Antivirus or Kingsoft Guard for protecting the system menu of the operating system. As shown in Fig. 2, the method of this embodiment includes the following steps:
Step 201: monitor events in which a process calls the NtUserSetSystemMenu function in the operating system.
In this embodiment, events in which a process calls the NtUserSetSystemMenu function are monitored by a hook function preset in the operating system. A hook function is in fact a program segment that processes messages and is linked into the system through a system call. Whenever a particular message is sent, the hook function captures it before it reaches the target window, that is, the hook function gets control first. At that point the hook function can process the message, pass it on without processing it, or force the transmission to end.
In this embodiment, before this step is performed, the hook function is established in advance in the defense driver of a security protection application such as Kingsoft Duba, and it hooks the NtUserSetSystemMenu function in the operating system. The defense driver of the security protection application starts running as soon as the Windows operating system starts.
In this embodiment, the original entry address of the NtUserSetSystemMenu function is replaced with the entry address of the hook function of this embodiment. Because the original entry address of NtUserSetSystemMenu has been replaced with the hook function's entry address, a malicious process that calls NtUserSetSystemMenu jumps to the hook function of this embodiment instead; this is how the NtUserSetSystemMenu function is monitored. In order to call back into NtUserSetSystemMenu later, its original entry address must be saved before it is replaced with the entry address of the hook function of this embodiment.
Step 202: when the hook function detects an event in which a process calls the NtUserSetSystemMenu function, obtain the process path of the process.
In this embodiment, a malicious process calls NtUserSetSystemMenu by sending the Windows operating system a message that calls the NtUserSetSystemMenu function, and this message can be intercepted directly by the hook function. When the hook function intercepts this message, that counts as detecting an event in which a process calls NtUserSetSystemMenu. The process path can then be obtained from the process identifier (PID) by calling a system function that returns a process path, such as GetModuleFileNameEx or GetProcessImageFileName.
Step 203: judge, according to the process path, whether the process is a malicious program process; if so, perform step 204, otherwise perform step 205.
In this embodiment, step 203 proceeds like step 103 of the method embodiment above and is not repeated here.
Step 204: refuse to let the process modify the system menu.
In this embodiment, the hook function returns a refusal message to the process, or the hook function refuses to call the NtUserSetSystemMenu function, so that the process is refused modification of the system menu.
Step 205: the hook function calls the NtUserSetSystemMenu function, permitting the process to modify the system menu.
In this embodiment, when the process is not a malicious program process, the operating system kernel function NtUserSetSystemMenu can be called, permitting the process to modify the system menu.
The method for preventing a system menu from being maliciously modified provided by this embodiment can effectively stop malicious programs from modifying the system menu and thereby improve the security of the system.
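The hook-and-check flow of steps 201 to 205 (hook installed with the original entry saved, path resolved from the PID, eigenvalue looked up in a feature database, call refused or forwarded), as an added user-mode C model that is not the patent's or Kingsoft's code. It assumes a constructed process table in place of the real PID-to-path lookup, a function pointer swap in place of the kernel entry-address patch, and FNV-1a in place of MD5; the refusal of an unresolvable PID is this example's own fail-closed choice.

```c
/* Added example (not the patent's or Kingsoft's code): a user-mode C model of
 * steps 201..205. The kernel hook on NtUserSetSystemMenu is modelled by swapping
 * a function pointer, process images by constructed strings, MD5 by FNV-1a 64. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DENIED  0   /* the "refusal message" returned to the caller (step 204) */
#define ALLOWED 1

/* Constructed stand-in for the kernel routine, and the saved original entry
 * address that step 201 requires before the entry is redirected. */
typedef int (*set_system_menu_fn)(int pid, int menu_handle);
static int real_set_system_menu(int pid, int menu_handle) {
    (void)pid; (void)menu_handle;
    return ALLOWED;                       /* the real routine applies the change */
}
static set_system_menu_fn g_entry = real_set_system_menu;  /* what callers reach */
static set_system_menu_fn g_original_set_system_menu = NULL;

/* Constructed process table: PID -> image path -> image bytes. */
struct image { const char *path; const char *bytes; };
static const struct image g_images[] = {
    { "C:\\Windows\\explorer.exe",       "benign shell image (constructed)" },
    { "C:\\Users\\u\\AppData\\mal_a.exe", "malware A image (constructed)"   },
};
#define N_IMAGES (sizeof g_images / sizeof g_images[0])

/* Step 202: stand-in for a GetProcessImageFileName-style PID -> path lookup. */
static const char *path_for_pid(int pid) {
    return (pid >= 0 && (size_t)pid < N_IMAGES) ? g_images[pid].path : NULL;
}

/* Eigenvalue algorithm: a digest of the file bytes at the process path.
 * FNV-1a 64 stands in for MD5; 0 means the file could not be read. */
static uint64_t eigenvalue_of_path(const char *path) {
    for (size_t i = 0; i < N_IMAGES; i++) {
        if (strcmp(g_images[i].path, path) != 0) continue;
        uint64_t h = 1469598103934665603ULL;
        for (const char *p = g_images[i].bytes; *p; p++) {
            h ^= (unsigned char)*p;
            h *= 1099511628211ULL;
        }
        return h;
    }
    return 0;
}

/* Feature database: eigenvalues of known malicious images, built in advance
 * from collected malicious process paths (fifth embodiment). */
static uint64_t g_feature_db[8];
static size_t g_feature_db_len = 0;

static void build_feature_db(const char *const *known_paths, size_t n) {
    g_feature_db_len = 0;
    for (size_t i = 0; i < n && g_feature_db_len < 8; i++)
        g_feature_db[g_feature_db_len++] = eigenvalue_of_path(known_paths[i]);
}

/* Step 203: eigenvalue recorded in the database -> malicious, else -> not. */
static int is_malicious_process(const char *path) {
    uint64_t ev = eigenvalue_of_path(path);
    for (size_t i = 0; i < g_feature_db_len; i++)
        if (g_feature_db[i] == ev) return 1;
    return 0;
}

/* The hook function gets control first, decides, then either refuses or
 * forwards to the saved original entry. A PID whose path cannot be resolved
 * is refused as well; that fail-closed choice is this example's, the patent
 * only specifies the two database outcomes. */
static int hooked_set_system_menu(int pid, int menu_handle) {
    const char *path = path_for_pid(pid);
    if (path == NULL || is_malicious_process(path))
        return DENIED;                                   /* step 204 */
    return g_original_set_system_menu(pid, menu_handle); /* step 205 */
}

/* Step 201: save the original entry, then redirect the entry to the hook. */
static void install_hook(void) {
    if (g_original_set_system_menu != NULL) return;      /* already hooked */
    g_original_set_system_menu = g_entry;
    g_entry = hooked_set_system_menu;
}

/* What any caller of "NtUserSetSystemMenu" reaches once the hook is in place. */
static int call_set_system_menu(int pid, int menu_handle) {
    return g_entry(pid, menu_handle);
}

/* Demo setup: one known malicious path in the database, hook installed. */
static void setup_demo(void) {
    static const char *const known[] = { "C:\\Users\\u\\AppData\\mal_a.exe" };
    build_feature_db(known, 1);
    install_hook();
}
```

After setup_demo(), call_set_system_menu(0, 1) reaches the original routine and returns ALLOWED, while call_set_system_menu(1, 1) is answered by the hook with DENIED and the original routine is never entered.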
A specific example is used below to describe in detail the technical solution of either of the method embodiments shown in Fig. 1 and Fig. 2.
Suppose there is a piece of malware A in the user's computer environment. The defense driver of Kingsoft Antivirus hooks the NtUserSetSystemMenu function that modifies the system menu. When the process of malware A has its driver call the NtUserSetSystemMenu function to modify the system menu, the defense driver intercepts this behavior and returns a refusal, so that the malware's modification of the system menu fails and the user's system is protected from damage.
Fig. 3 is a schematic structural diagram of device embodiment one for preventing a system menu from being maliciously modified according to the present invention. As shown in Fig. 3, the device of this embodiment may include: a monitoring module 11, configured to monitor events in which a process calls the function that modifies the system menu in the operating system; an acquisition module 12, configured to obtain the process path of the process according to the event monitored by the monitoring module 11; a judging module 13, configured to judge, according to the process path obtained by the acquisition module 12, whether the process is a malicious program process; and a blocking module 14, configured to refuse to let the process modify the system menu when the judging module 13 judges that the process is a malicious program process.
The device of this embodiment may be used to carry out the technical solution of the method embodiment shown in Fig. 1; its principle and technical effect are similar and are not repeated here.
In device embodiment two for preventing a system menu from being maliciously modified according to the present invention, when the device is in a Windows operating system, the monitoring module 11 is preset with a hook function that hooks the NtUserSetSystemMenu function of the operating system kernel layer, and monitors, by means of that hook function, events in which a process calls the NtUserSetSystemMenu function in the operating system. The blocking module 14, by means of the hook function, returns a refusal message to the process or refuses to call the NtUserSetSystemMenu function, thereby refusing the modification of the system menu; the blocking module 14 is further configured to call the system-menu-modifying NtUserSetSystemMenu function, permitting the process to modify the system menu, when the judging module 13 judges that the process is not a malicious program process.
The device of this embodiment may be used to carry out the technical solution of the method embodiment shown in Fig. 2; its principle and technical effect are similar and are not repeated here.
Fig. 4 is a schematic structural diagram of device embodiment three for preventing a system menu from being maliciously modified according to the present invention. As shown in Fig. 4, the device of this embodiment builds on the device structure shown in Fig. 3, and the judging module 13 further includes:
an eigenvalue calculation submodule 131, configured to obtain, according to a preset eigenvalue algorithm, the eigenvalue of the file corresponding to the process path obtained by the acquisition module 12; and a matching submodule 132, configured to judge whether the eigenvalue obtained by the eigenvalue calculation submodule 131 is recorded in a preset feature database; if the eigenvalue of the file corresponding to the process path is recorded in the preset feature database, it determines that the process is a malicious program process, and if it is not recorded there, it determines that the process is not a malicious program process; wherein the preset feature database records the eigenvalues of the files corresponding to the process paths of known malicious programs.
Preferably, in embodiment three, the eigenvalue calculation submodule 131 is specifically configured to compute the Message Digest 5 (MD5) value or hash (HASH) value of the file at the process path obtained by the acquisition module 12 as the eigenvalue of that file, or to obtain the file version number from the process path obtained by the acquisition module 12 as the eigenvalue of the file.
Preferably, the device for preventing a system menu from being maliciously modified shown in embodiment three further includes a feature database generation module (not shown in Fig. 4), configured to collect the process paths of known malicious programs in advance, obtain the eigenvalues of the corresponding files according to the preset eigenvalue algorithm, and store them in the feature database.
The device of this embodiment may be used to carry out the technical solution of the method embodiment shown in Fig. 1 or Fig. 2; its principle and technical effect are similar and are not repeated here.
An embodiment of the present invention also provides electronic equipment. Fig. 5 is a schematic structural diagram of an embodiment of the electronic equipment of the present invention, which can implement the flow of the embodiment shown in Fig. 1 or Fig. 2. As shown in Fig. 5, the electronic equipment may include a housing 21, a processor 22, a memory 23, a circuit board 24 and a power supply circuit 25, wherein the circuit board 24 is placed inside the space enclosed by the housing 21, and the processor 22 and the memory 23 are arranged on the circuit board 24; the power supply circuit 25 supplies power to each circuit or device of the electronic equipment; the memory 23 stores executable program code; and the processor 22 runs the program corresponding to the executable program code by reading the executable program code stored in the memory 23, so as to perform the method for preventing a system menu from being maliciously modified described in any of the preceding embodiments.
The electronic equipment exists in various forms, including but not limited to:
(1) Mobile communication equipment: such devices are characterized by mobile communication capability, with voice and data communication as their main purpose. This class of terminal includes smartphones (such as the iPhone), multimedia phones, feature phones, low-end phones and so on.
(2) Ultra-mobile personal computer equipment: such devices belong to the category of personal computers, have computing and processing functions, and generally also have mobile Internet access. This class of terminal includes PDA, MID and UMPC devices, such as the iPad.
(3) Portable entertainment equipment: such devices can display and play multimedia content. This class includes audio and video players (such as the iPod), handheld devices, e-book readers, smart toys and portable in-vehicle navigation devices.
(4) Servers: devices that provide computing services. A server consists of a processor, hard disk, memory, system bus and so on, and its architecture is similar to that of a general-purpose computer; however, because it must provide highly reliable services, it has higher requirements in processing capacity, stability, reliability, security, scalability and manageability.
(5) Other electronic equipment with data interaction functions.
It should be noted that in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to the process, method, article or device. In the absence of further limitation, an element defined by the statement "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
One of ordinary skill in the art will appreciate that all or part of the flow of the methods in the above embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the flow of each of the above method embodiments. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM) or the like.
The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any change or substitution that a person familiar with the art can readily conceive within the technical scope disclosed by the invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of the claims.

Claims (10)

1. A method for preventing a system menu from being maliciously modified, characterized by comprising:
monitoring an event in which a process calls a modify-system-menu function of the operating system;
obtaining, according to the monitored event, the process path of the process;
judging, according to the process path, whether the process is a malicious program process;
if the process is a malicious program process, refusing to let the process modify the system menu.
2. The method for preventing a system menu from being maliciously modified according to claim 1, characterized in that the system is a Windows operating system, and the modify-system-menu function is the NtUserSetSystemMenu function of the operating system kernel layer;
before monitoring the event in which the process calls the modify-system-menu function of the operating system, the method further comprises: pre-setting a hook function that hooks the modify-system-menu function in the operating system;
and monitoring the event in which the process calls the modify-system-menu function of the operating system comprises: monitoring, by the hook function, the event in which the process calls the modify-system-menu function of the operating system.
3. The method for preventing a system menu from being maliciously modified according to claim 2, characterized in that refusing to let the process modify the system menu comprises:
returning refusal information to the process by the hook function; or
the hook function refusing to call the NtUserSetSystemMenu function, so as to refuse modification of the system menu.
4. The method for preventing a system menu from being maliciously modified according to claim 1, characterized in that, after judging according to the process path whether the process is a malicious program process, the method further comprises:
if the process is not a malicious program process, calling the modify-system-menu function to allow the process to modify the system menu.
5. The method for preventing a system menu from being maliciously modified according to claim 1, characterized in that judging according to the process path whether the process is a malicious program process comprises:
obtaining, according to a pre-set feature value algorithm, the feature value of the file corresponding to the process path;
judging whether the feature value of the file corresponding to the process path is recorded in a pre-set feature database;
if the feature value of the file corresponding to the process path is recorded in the pre-set feature database, determining that the process is a malicious program process; if the feature value of the file corresponding to the process path is not recorded in the pre-set feature database, determining that the process is not a malicious program process;
wherein the pre-set feature database records the feature values of the files corresponding to the process paths of known malicious programs.
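The decision logic of claims 1 to 5, as an added example that is not part of the patent. The real design hooks NtUserSetSystemMenu in the kernel; here a user-mode function stands in for the hook, a set of hashes stands in for the feature database, and SHA-256 is an assumed choice of feature value algorithm (the patent does not fix one).

```python
"""Simulation of the hook's allow/deny decision (added example, not the patent's code)."""
import hashlib
import os
import tempfile


def feature_value(process_path: str) -> str:
    """Claim 5: feature value of the file behind the process path.
    SHA-256 is an assumption; any stable file fingerprint would serve."""
    h = hashlib.sha256()
    with open(process_path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_malicious_process(process_path: str, feature_db: set[str]) -> bool:
    """Claim 5: malicious iff the file's feature value is recorded in the
    pre-set feature database of known malicious program files."""
    return feature_value(process_path) in feature_db


def on_set_system_menu(process_path: str, feature_db: set[str]) -> str:
    """Stand-in for the hook on the modify-system-menu function (claims 1-4).
    Returns 'denied' (claim 3: refuse the call) or 'allowed' (claim 4: pass it
    through to the original function)."""
    if is_malicious_process(process_path, feature_db):
        return "denied"
    return "allowed"


def demo() -> tuple[str, str]:
    """Constructed sample: two fake executables in a temp dir; only the first
    is registered in the feature database as known-malicious."""
    d = tempfile.mkdtemp()
    bad = os.path.join(d, "badmenu.exe")    # constructed path
    good = os.path.join(d, "notepad.exe")   # constructed path, not the real binary
    with open(bad, "wb") as f:
        f.write(b"MZ constructed malicious sample")
    with open(good, "wb") as f:
        f.write(b"MZ constructed benign sample")
    feature_db = {feature_value(bad)}       # pre-set feature database
    return on_set_system_menu(bad, feature_db), on_set_system_menu(good, feature_db)


if __name__ == "__main__":
    print(demo())  # ('denied', 'allowed')
```

Note that a feature database of this kind only recognises files already recorded in it: a binary not yet in the database is allowed through, so the database must be kept current for the check to hold.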
6. A device for preventing a system menu from being maliciously modified, characterized by comprising:
a monitoring module, configured to monitor an event in which a process calls a modify-system-menu function of the operating system;
an acquisition module, configured to obtain the process path of the process according to the event monitored by the monitoring module;
a judgment module, configured to judge, according to the process path obtained by the acquisition module, whether the process is a malicious program process;
a blocking module, configured to refuse to let the process modify the system menu when the judgment module judges that the process is a malicious program process.
7. The device for preventing a system menu from being maliciously modified according to claim 6, characterized in that, when the operating system is a Windows operating system, the monitoring module is pre-provided with a hook function that hooks the NtUserSetSystemMenu function of the operating system kernel layer, and the monitoring module monitors, by the hook function, the event in which the process calls the modify-system-menu function of the operating system.
8. The device for preventing a system menu from being maliciously modified according to claim 7, characterized in that the blocking module returns refusal information to the process by the hook function, or refuses to call the NtUserSetSystemMenu function, so as to refuse modification of the system menu.
9. The device for preventing a system menu from being maliciously modified according to claim 6, characterized in that the blocking module is further configured to, when the judgment module judges that the process is not a malicious program process, call the modify-system-menu function to allow the process to modify the system menu.
10. An electronic device, characterized in that the electronic device comprises: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the method for preventing a system menu from being maliciously modified according to any one of claims 1 to 5.
CN201610499159.1A 2016-06-29 2016-06-29 Method and device for preventing system menu from being maliciously modified and electronic equipment Pending CN106203107A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610499159.1A CN106203107A (en) 2016-06-29 2016-06-29 Method and device for preventing system menu from being maliciously modified and electronic equipment

Publications (1)

Publication Number Publication Date
CN106203107A true CN106203107A (en) 2016-12-07

Family

ID=57463491

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610499159.1A Pending CN106203107A (en) 2016-06-29 2016-06-29 Method and device for preventing system menu from being maliciously modified and electronic equipment

Country Status (1)

Country Link
CN (1) CN106203107A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107645546A (en) * 2017-09-12 2018-01-30 深圳Tcl新技术有限公司 File monitor method, smart machine and storage medium based on Android system
CN109947055A (en) * 2017-12-20 2019-06-28 松下知识产权经营株式会社 Apparatus control method, plant control unit and apparatus control system
CN113239350A (en) * 2021-06-11 2021-08-10 杭州安恒信息技术股份有限公司 Method and device for preventing shear plate from being illegally tampered and electronic device

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101141339A (en) * 2007-02-09 2008-03-12 江苏怡丰通信设备有限公司 Embedded SoC chip based wireless network industry monitoring management system
CN101924762A (en) * 2010-08-18 2010-12-22 奇智软件(北京)有限公司 Cloud security-based active defense method
CN102902919A (en) * 2012-08-30 2013-01-30 北京奇虎科技有限公司 Method, device and system for identifying and processing suspicious practices
CN102902913A (en) * 2012-09-19 2013-01-30 无锡华御信息技术有限公司 Preservation method for preventing software in computer from being damaged maliciously
CN104484224A (en) * 2014-12-18 2015-04-01 北京奇虎科技有限公司 Server process control method, device and system
CN104915594A (en) * 2015-06-30 2015-09-16 北京奇虎科技有限公司 Application running method and device
US9152791B1 (en) * 2011-05-11 2015-10-06 Trend Micro Inc. Removal of fake anti-virus software


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20190110

Address after: 519031 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province

Applicant after: Zhuhai Leopard Technology Co.,Ltd.

Address before: 100085 East District, No. 33 Xiaoying West Road, Haidian District, Beijing

Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20161207