CN106228062B - Method, apparatus and electronic device for handling process registration - Google Patents


Publication number
CN106228062B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610547975.5A
Other languages
Chinese (zh)
Other versions
CN106228062A (en)
Inventor
杨峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhuhai Baoqu Technology Co Ltd
Original Assignee
Zhuhai Seal Interest Technology Co Ltd
Application filed by Zhuhai Seal Interest Technology Co Ltd
Priority to CN201610547975.5A
Publication of CN106228062A
Application granted
Publication of CN106228062B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Abstract

The embodiments of the present invention disclose a method, an apparatus and an electronic device for handling process registration, relating to information security technology, which can improve security protection efficiency. The method includes: when a pre-injected hook function detects a call to the kernel driver-level user-callback two-parameter function, hooking that function; obtaining the current operating-system version information and the function index number passed in the call; if the current operating-system version information and the passed-in function index number match the preset operating-system version / function index number set mapped to the logon process, obtaining the process information of the caller of the kernel driver-level user-callback two-parameter function; and if the application mapped to the obtained process information is identical to any application in the preset feature library of applications to be intercepted, refusing the call to the kernel driver-level user-callback two-parameter function. The invention is suitable for handling process registration.

Description

Method, apparatus and electronic device for handling process registration
Technical field
The present invention relates to information security technology, and in particular to a method, an apparatus and an electronic device for handling process registration.
Background
As the technical details of the operating-system kernel layer have gradually been disclosed, more and more malicious applications such as Trojans have begun to use kernel-layer drivers to protect their own processes. A malicious application's process protected by a kernel-layer driver can terminate (kill) other processes in the operating system, so that the malicious process can attack user processes or system processes as the provider of the malicious application intends, which may make the computer run unstably or even leak user information. For example, the operating system provides an application-layer function for registering a logon process (the RegisterLogonProcess function), which registers a process as a logon process with the privileges of the currently logged-on user. Some malicious applications use the RegisterLogonProcess function to register a pre-arranged low-privilege malicious process as a logon process and thereby obtain key information about the operating system, for example files in operating-system directories and operating-system registry paths, seriously damaging the operating-system environment. A process (Process) is one run of an application program in a computer over some data set; it is the basic unit by which the operating system allocates and schedules resources and is the foundation of the operating system's structure. In early, process-oriented computer architectures, the process was the basic execution entity of an application; in contemporary, thread-oriented architectures, the process is a container for threads. That is, an application program is a description of instructions, data and their organization, and a process is the running entity of the application.
Currently, the method for protecting a process from being maliciously registered as a logon process uses hook (HOOK) technology: the application-layer RegisterLogonProcess function is hooked, and when a process is observed calling the RegisterLogonProcess function, the call is intercepted, which protects the process from being maliciously registered as a logon process.
However, in this method of handling process registration, the operating-system kernel function corresponding to the RegisterLogonProcess function is the kernel driver-level user-callback two-parameter function (the kernel NtUserCallTwoParam function), and the kernel NtUserCallTwoParam function is a common kernel function to which several application-layer functions correspond. The function that actually completes the registration is therefore the kernel NtUserCallTwoParam function, so a malicious application can register a process as a logon process by calling the kernel NtUserCallTwoParam function directly, damaging the operating-system environment. As a result, the security protection efficiency of the operating system is low and its security is not high.
Summary of the invention
In view of this, the embodiments of the present invention provide a method, an apparatus and an electronic device for handling process registration that can improve the security protection efficiency of the operating system, so as to solve the problem in existing methods of handling process registration that the security protection efficiency of the operating system is low because a process can be registered as a logon process by calling the kernel NtUserCallTwoParam function directly.
In a first aspect, an embodiment of the present invention provides a method for handling process registration, comprising:
when a pre-injected hook function detects a call to the kernel driver-level user-callback two-parameter function, hooking the kernel driver-level user-callback two-parameter function;
obtaining the current operating-system version information and the function index number passed in the call to the kernel driver-level user-callback two-parameter function;
if the current operating-system version information and the passed-in function index number match the preset operating-system version / function index number set mapped to the logon process, obtaining the process information of the caller of the kernel driver-level user-callback two-parameter function;
if the application mapped to the obtained process information is identical to any application in the preset feature library of applications to be intercepted, refusing the call to the kernel driver-level user-callback two-parameter function.
With reference to the first aspect, in a first embodiment of the first aspect, the current operating-system version information and the passed-in function index number matching the preset operating-system version / function index number set mapped to the logon process includes:
using the obtained current operating-system version information to query the operating-system version / function index number set and obtain the function index number mapped to the current operating system;
if the passed-in function index number is identical to the function index number obtained from the query, determining that they match.
With reference to the first aspect, in a second embodiment of the first aspect, after it is determined that the application mapped to the obtained process information is identical to any application in the preset feature library of applications to be intercepted, and before the call to the kernel driver-level user-callback two-parameter function is refused, the method further includes:
displaying the application mapped to the obtained process information, and indicating that the displayed application is registering a process as a logon process;
receiving the instruction selected by the user; if the instruction is an allow instruction, allowing the kernel driver-level user-callback two-parameter function to perform the operation of registering the logon process; if the instruction is a refuse instruction, performing the step of refusing the call to the kernel driver-level user-callback two-parameter function.
With reference to the first aspect, in a third embodiment of the first aspect, the method further includes:
if the application mapped to the obtained process path information differs from every application in the preset feature library of applications to be intercepted, allowing the kernel driver-level user-callback two-parameter function to perform the operation of registering the logon process.
With reference to the first aspect or any of the first to third embodiments of the first aspect, in a fourth embodiment of the first aspect, the preset operating-system version / function index number set mapped to the logon process includes:
for the XP operating system, the mapped function index number is 105;
for the Win7 operating system, the mapped function index number is 110;
for the Win8 operating system, the mapped function index number is 117;
for the Win8.1 operating system, the mapped function index number is 122;
for the Win10 operating system, the mapped function index number is 129.
In a second aspect, an embodiment of the present invention provides an apparatus for handling process registration, comprising: a hook module, a version information obtaining module, a process information obtaining module and a registration processing module, wherein
the hook module is configured to hook the kernel driver-level user-callback two-parameter function when a pre-injected hook function detects a call to the kernel driver-level user-callback two-parameter function;
the version information obtaining module is configured to obtain the current operating-system version information and the function index number passed in the call to the kernel driver-level user-callback two-parameter function;
the process information obtaining module is configured to obtain the process information of the caller of the kernel driver-level user-callback two-parameter function if the current operating-system version information and the passed-in function index number match the preset operating-system version / function index number set mapped to the logon process;
the registration processing module is configured to refuse the call to the kernel driver-level user-callback two-parameter function if the application mapped to the obtained process information is identical to any application in the preset feature library of applications to be intercepted.
With reference to the second aspect, in a first embodiment of the second aspect, the process information obtaining module includes: a function index number obtaining unit, a matching unit and a process information obtaining unit, wherein
the function index number obtaining unit is configured to use the obtained current operating-system version information to query the operating-system version / function index number set and obtain the function index number mapped to the current operating system;
the matching unit is configured to determine a match if the passed-in function index number is identical to the function index number obtained from the query;
the process information obtaining unit is configured to obtain the process information of the caller of the kernel driver-level user-callback two-parameter function.
With reference to the second aspect, in a second embodiment of the second aspect, the registration processing module includes: an interception matching unit, a display unit and an instruction processing unit, wherein
the interception matching unit is configured to notify the display unit if the application mapped to the obtained process information is identical to any application in the preset feature library of applications to be intercepted;
the display unit is configured to display the application mapped to the obtained process information and to indicate that the displayed application is registering a process as a logon process;
the instruction processing unit is configured to receive the instruction selected by the user; if the instruction is an allow instruction, to allow the kernel driver-level user-callback two-parameter function to perform the operation of registering the logon process; and if the instruction is a refuse instruction, to refuse the call to the kernel driver-level user-callback two-parameter function.
With reference to the second aspect, in a third embodiment of the second aspect, the registration processing module is further configured to allow the kernel driver-level user-callback two-parameter function to perform the operation of registering the logon process if the application mapped to the obtained process path information differs from every application in the preset feature library of applications to be intercepted.
With reference to the second aspect or any of the first to third embodiments of the second aspect, in a fourth embodiment of the second aspect, the preset operating-system version / function index number set mapped to the logon process includes:
for the XP operating system, the mapped function index number is 105;
for the Win7 operating system, the mapped function index number is 110;
for the Win8 operating system, the mapped function index number is 117;
for the Win8.1 operating system, the mapped function index number is 122;
for the Win10 operating system, the mapped function index number is 129.
In a third aspect, an embodiment of the present invention provides an electronic device, comprising: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or component of the electronic device; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform any of the foregoing methods for handling process registration.
In the method, apparatus and electronic device for handling process registration provided by the embodiments of the present invention, when a pre-injected hook function detects a call to the kernel driver-level user-callback two-parameter function, that function is hooked; the current operating-system version information and the function index number passed in the call are obtained; if the current operating-system version information and the passed-in function index number match the preset operating-system version / function index number set mapped to the logon process, the process information of the caller of the kernel driver-level user-callback two-parameter function is obtained; and if the application mapped to the obtained process information is identical to any application in the preset feature library of applications to be intercepted, the call to the kernel driver-level user-callback two-parameter function is refused. This can improve the security protection efficiency of the operating system, and so solves the problem in existing methods of handling process registration that the security protection efficiency of the operating system is low because a process can be registered as a logon process by calling the kernel NtUserCallTwoParam function directly.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of the method for handling process registration according to Embodiment 1 of the present invention;
Fig. 2 is a schematic structural diagram of the apparatus for handling process registration according to Embodiment 2 of the present invention;
Fig. 3 is a schematic structural diagram of one embodiment of the electronic device of the present invention.
Detailed description of the embodiments
The embodiments of the present invention are described in detail below with reference to the drawings.
It should be understood that the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Step 101: when a pre-injected hook function detects a call to the kernel driver-level user-callback two-parameter function, hook the kernel driver-level user-callback two-parameter function;
In this embodiment, as an optional embodiment, the kernel driver-level user-callback two-parameter function is the kernel NtUserCallTwoParam function.
In this embodiment, the injected hook (Hook) function monitors the function-call operations of application-layer processes; when the function called by an application-layer process matches a preset function, the call is intercepted and handled by the injected hook function in place of the called function, and the corresponding result is returned.
In this embodiment, as an optional embodiment, the hook function may be injected when the defense driver of the Jinshan anti-virus software is loaded, wherein
In this embodiment, the defense driver hooks the kernel NtUserCallTwoParam function. At the application layer, for example, a malicious application sends, through an application-layer process, a process registration request carrying the target process to be registered to the operating system, and the operating system creates the corresponding application-layer process according to the received process registration request. When this application-layer process calls the kernel NtUserCallTwoParam function to register the target process, the Hook function of this embodiment is called first, so that the call is handled according to the interception rules of the Hook function.
In this embodiment, as an optional embodiment, the application-layer process is the process that the operating system creates when an application sends a process registration request to the operating system.
In this embodiment, as an optional embodiment, detecting a call to the kernel driver-level user-callback two-parameter function includes:
detecting that an application-layer process calls the kernel driver-level user-callback two-parameter function directly.
As another optional embodiment, detecting a call to the kernel driver-level user-callback two-parameter function includes:
detecting that an application-layer process calls the register-logon-process function, and that the register-logon-process function calls the kernel driver-level user-callback two-parameter function.
In this embodiment, as an optional embodiment, the register-logon-process function is the RegisterLogonProcess function.
Step 102: obtain the current operating-system version information and the function index number passed in the call to the kernel driver-level user-callback two-parameter function;
In this embodiment, the kernel driver-level user-callback two-parameter function (the kernel NtUserCallTwoParam function) is a common function: it is the kernel function to which several application-layer functions correspond. The kernel NtUserCallTwoParam function therefore uses a function index number to distinguish the different operations performed on behalf of different application-layer functions (for example, the RegisterLogonProcess function). Under different operating-system versions, the same application-layer function also has a different function index number in the kernel driver-level user-callback two-parameter function.
In this embodiment, the process registration request that the application sends to the operating system through the application-layer process, carrying the target process to be registered, may also carry (pass in) the corresponding function index number, indicating that the target process is to be registered as a logon process by calling the kernel driver-level user-callback two-parameter function. Thus, by parsing the process registration request, the function index number passed in the call to the kernel driver-level user-callback two-parameter function can be obtained.
Step 103: if the current operating-system version information and the passed-in function index number match the preset operating-system version / function index number set mapped to the logon process, obtain the process information of the caller of the kernel driver-level user-callback two-parameter function;
In this embodiment, for the operation of registering a process as a logon process, the function index numbers mapped in the kernel NtUserCallTwoParam function are as follows; that is, the preset operating-system version / function index number set mapped to the logon process includes:
for the XP operating system, the mapped function index number is 105;
for the Win7 operating system, the mapped function index number is 110;
for the Win8 operating system, the mapped function index number is 117;
for the Win8.1 operating system, the mapped function index number is 122;
for the Win10 operating system, the mapped function index number is 129.
In this embodiment, as an optional embodiment, the current operating-system version information and the passed-in function index number matching the preset operating-system version / function index number set mapped to the logon process includes:
using the obtained current operating-system version information to query the operating-system version / function index number set and obtain the function index number mapped to the current operating system;
if the passed-in function index number is identical to the function index number obtained from the query, determining that they match.
In this embodiment, if the current operating-system version information is the XP operating system and the passed-in function index number is 105, a match is determined; if the current operating-system version information is the XP operating system and the passed-in function index number is 110, no match is determined.
In this embodiment, the process information of the caller of the kernel driver-level user-callback two-parameter function is the information of the process that initiated this registration of the target process as a logon process.
In this embodiment, each piece of process information corresponds to one application.
Step 104: if the application mapped to the obtained process information is identical to any application in the preset feature library of applications to be intercepted, refuse the call to the kernel driver-level user-callback two-parameter function.
In this embodiment, the feature library of applications to be intercepted is searched to judge whether the application corresponding to the process information of the process that initiated this registration of the target process as a logon process (the process information of the caller of the kernel driver-level user-callback two-parameter function) is an application to be intercepted; if it is, its registration request is refused.
In this embodiment, as an optional embodiment, after it is determined that the application mapped to the obtained process information is identical to any application in the preset feature library of applications to be intercepted, and before the call to the kernel driver-level user-callback two-parameter function is refused, the method further includes:
displaying the application mapped to the obtained process information, and indicating that the displayed application is registering a process as a logon process;
receiving the instruction selected by the user; if the instruction is an allow instruction, allowing the kernel driver-level user-callback two-parameter function to perform the operation of registering the logon process; if the instruction is a refuse instruction, performing the step of refusing the call to the kernel driver-level user-callback two-parameter function.
In this embodiment, as an optional embodiment, the method further includes:
if the application mapped to the obtained process path information differs from every application in the preset feature library of applications to be intercepted, allowing the kernel driver-level user-callback two-parameter function to perform the operation of registering the logon process.
In this embodiment, if the application mapped to the obtained process information is identical to any application in the preset feature library of applications to be intercepted, the application-layer process of that application is considered to be a malicious application process and is intercepted: the operation is terminated and a refusal is returned, so that the application's process registration request is refused and the malicious application's request to register the target process as a logon process fails. For example, suppose a malicious application A exists in the user's computer environment, and a Hook function injected in the defense driver of the Jinshan anti-virus software hooks the kernel NtUserCallTwoParam function that performs process registration. When the process of malicious application A notifies the driver corresponding to the malicious application to call the kernel NtUserCallTwoParam function, passing in the function index number for registering the target process as a logon process, the Hook function injected in the defense driver of the Jinshan anti-virus software intercepts the registration and returns a refusal, so that malicious application A's attempt to register the process as a logon process fails. This better protects the operating-system environment from damage and improves the security of the operating system.
In the method for handling process registration of Embodiment 1 of the present invention, when a pre-injected hook function detects a call to the kernel driver-level user-callback two-parameter function, that function is hooked; the current operating-system version information and the function index number passed in the call are obtained; if the current operating-system version information and the passed-in function index number match the preset operating-system version / function index number set mapped to the logon process, the process information of the caller of the kernel driver-level user-callback two-parameter function is obtained; and if the application mapped to the obtained process information is identical to any application in the preset feature library of applications to be intercepted, the call to the kernel driver-level user-callback two-parameter function is refused. In this way, because the kernel driver-level user-callback two-parameter function is hooked, when an application calls it to register a process as a logon process, the application's registration can be intercepted in time and handled accordingly, which protects the operating system from damage, improves the security protection efficiency of the operating system and effectively strengthens its security.
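The decision logic of steps 101 to 104, modelled in user-mode C as an added example (not code from the patent or from any product it names). The type and function names, the use of the image path as the application feature, and the two feature-library entries are assumptions constructed for illustration; calls that do not match the index set are passed through to the original function, which the text implies rather than states.

```c
/* Added example: user-mode model of the filter described in steps 101-104.
 * It hooks nothing; decide() is what a hook handler would consult.
 * All identifiers and the feature-library entries are constructed. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { OS_XP, OS_WIN7, OS_WIN8, OS_WIN81, OS_WIN10, OS_UNKNOWN } os_version_t;

typedef enum {
    VERDICT_PASS_THROUGH, /* call is not a logon-process registration */
    VERDICT_ALLOW,        /* registration allowed to proceed */
    VERDICT_DENY          /* registration refused */
} verdict_t;

/* Optional prompt of the second embodiment; USER_NOT_ASKED is the base method. */
typedef enum { USER_NOT_ASKED, USER_ALLOW, USER_REFUSE } user_choice_t;

struct index_entry { os_version_t os; unsigned long index; };

/* Operating-system version -> function index number, values as listed on the page. */
static const struct index_entry LOGON_INDEX_SET[] = {
    { OS_XP, 105 }, { OS_WIN7, 110 }, { OS_WIN8, 117 },
    { OS_WIN81, 122 }, { OS_WIN10, 129 },
};

/* Constructed sample feature library; keying on the image path is an assumption. */
static const char *const BLOCKED_IMAGES[] = {
    "C:\\Users\\Public\\malapp_a.exe",
    "C:\\ProgramData\\updsvc\\helper.exe",
};

#define COUNT_OF(a) (sizeof(a) / sizeof((a)[0]))

/* Step 103, query: returns 1 and fills *out when the version is in the set. */
int lookup_logon_index(os_version_t os, unsigned long *out)
{
    for (size_t i = 0; i < COUNT_OF(LOGON_INDEX_SET); i++) {
        if (LOGON_INDEX_SET[i].os == os) {
            *out = LOGON_INDEX_SET[i].index;
            return 1;
        }
    }
    return 0; /* unknown version: nothing to compare against */
}

/* Step 103, match: a logon-process registration only if the indices are equal. */
int is_logon_registration(os_version_t os, unsigned long passed_index)
{
    unsigned long expected = 0;
    return lookup_logon_index(os, &expected) && expected == passed_index;
}

/* Windows paths are case-insensitive, so compare without regard to ASCII case. */
static int equal_ignore_case(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    }
    return *a == *b; /* equal only if both strings ended together */
}

/* Step 104: is the caller's application in the feature library? */
int is_blocked_application(const char *image_path)
{
    for (size_t i = 0; i < COUNT_OF(BLOCKED_IMAGES); i++) {
        if (equal_ignore_case(image_path, BLOCKED_IMAGES[i]))
            return 1;
    }
    return 0;
}

verdict_t decide(os_version_t os, unsigned long passed_index,
                 const char *caller_image, user_choice_t choice)
{
    if (!is_logon_registration(os, passed_index))
        return VERDICT_PASS_THROUGH;  /* some other use of the shared function */
    if (caller_image == NULL)
        return VERDICT_DENY;          /* assumption of this example: unidentified caller is refused */
    if (!is_blocked_application(caller_image))
        return VERDICT_ALLOW;         /* third embodiment: not in the library */
    return choice == USER_ALLOW ? VERDICT_ALLOW : VERDICT_DENY;
}

int main(void)
{
    static const char *const names[] = { "pass-through", "allow", "deny" };
    printf("XP, index 105, listed caller: %s\n",
           names[decide(OS_XP, 105, "c:\\users\\public\\MALAPP_A.EXE", USER_NOT_ASKED)]);
    printf("XP, index 110, listed caller: %s\n",
           names[decide(OS_XP, 110, "C:\\Users\\Public\\malapp_a.exe", USER_NOT_ASKED)]);
    return 0;
}
```

On an operating-system version absent from the set, the lookup fails and every call is passed through, so the mapping has to be extended for each new version before the filter has any effect there.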
Fig. 2 is a schematic structural diagram of the device for handling process registration of embodiment two of the present invention. As shown in Fig. 2, the device of this embodiment may include: a hook module 21, a version information obtaining module 22, a process information obtaining module 23 and a registration processing module 24, wherein:
The hook module 21 is configured to hook the kernel-driver-level user callback two-parameter function when the pre-injected hook function detects a call to that function;
In this embodiment, as an optional embodiment, the kernel-driver-level user callback two-parameter function is the kernel NtUserCallTwoParam function.
In this embodiment, as an optional embodiment, detecting a call to the kernel-driver-level user callback two-parameter function includes:
Detecting that an application-layer process calls the kernel-driver-level user callback two-parameter function directly.
As another optional embodiment, detecting a call to the kernel-driver-level user callback two-parameter function includes:
Detecting that an application-layer process calls the register-logon-process function, where the register-logon-process function calls the kernel-driver-level user callback two-parameter function.
In this embodiment, as an optional embodiment, the register-logon-process function is the RegisterLogonProcess function.
The version information obtaining module 22 is configured to obtain the current operating system version information and the feature index information passed in by the call to the kernel-driver-level user callback two-parameter function;
In this embodiment, the process registration request that the application sends to the operating system through its application-layer process carries the target process to be registered; corresponding feature index information can also be passed in (carried) with it, to indicate that the target process to be registered is to be registered as a logon process by calling the kernel-driver-level user callback two-parameter function.
The process information obtaining module 23 is configured to obtain the process information of the caller of the kernel-driver-level user callback two-parameter function if the current operating system version information and the passed-in feature index information match the preset operating system version information / feature index information set mapped to the logon process;
In this embodiment, as an optional embodiment, the preset operating system version information / feature index information set mapped to the logon process includes:
For the XP operating system, the mapped feature index information is 105;
For the Win7 operating system, the mapped feature index information is 110;
For the Win8 operating system, the mapped feature index information is 117;
For the Win8.1 operating system, the mapped feature index information is 122;
For the Win10 operating system, the mapped feature index information is 129.
In this embodiment, as an optional embodiment, the process information obtaining module 23 includes: a feature index information obtaining unit, a matching unit and a process information obtaining unit (not shown), wherein:
The feature index information obtaining unit is configured to use the obtained current operating system version information to query the operating system version information / feature index information set and obtain the feature index information mapped to the current operating system;
The matching unit is configured to determine a match if the passed-in feature index information is identical to the feature index information so obtained;
The process information obtaining unit is configured to obtain the process information of the caller of the kernel-driver-level user callback two-parameter function.
In this embodiment, the process information of the caller of the kernel-driver-level user callback two-parameter function is the process information of the process that initiated this registration of the target process to be registered as a logon process.
The registration processing module 24 is configured to refuse the call to the kernel-driver-level user callback two-parameter function if the application mapped by the obtained process information is identical to any application to be intercepted in the preset feature library of applications to be intercepted.
In this embodiment, as an optional embodiment, the registration processing module 24 includes: an interception matching unit, a display unit and an instruction processing unit (not shown), wherein:
The interception matching unit is configured to notify the display unit if the application mapped by the obtained process information is identical to any application to be intercepted in the preset feature library of applications to be intercepted;
The display unit is configured to display the application mapped by the obtained process information and to prompt that the displayed application is registering a process as a logon process;
The instruction processing unit is configured to receive the instruction selected by the user; if the instruction is an allow instruction, the kernel-driver-level user callback two-parameter function is allowed to perform the operation of registering the logon process; if the instruction is a refuse instruction, the call to the kernel-driver-level user callback two-parameter function is refused.
In this embodiment, as another optional embodiment, the registration processing module 24 is further configured to allow the kernel-driver-level user callback two-parameter function to perform the operation of registering the logon process if the application mapped by the obtained process path information differs from every application to be intercepted in the preset feature library of applications to be intercepted.
The device of this embodiment can be used to carry out the technical solution of the method embodiment shown in Fig. 1; its implementation principle and technical effect are similar and are not repeated here.
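The decision flow of the modules described above, modelled as user-mode C; this is an added example, not code from the patent or from any vendor's driver. The type and function names, the image-name library, the case-insensitive comparison and the fail-closed handling of an unidentified caller are assumptions; the index values are those listed in the text.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Operating system versions named in the patent's mapping set. */
typedef enum { OS_XP, OS_WIN7, OS_WIN8, OS_WIN81, OS_WIN10, OS_OTHER } os_version_t;

typedef enum {
    VERDICT_PASS_THROUGH, /* call is not a logon-process registration */
    VERDICT_ALLOW,        /* registration may proceed */
    VERDICT_DENY          /* hook returns a refusal */
} verdict_t;

typedef enum { USER_ALLOW, USER_DENY } user_choice_t;
typedef user_choice_t (*prompt_fn)(const char *image_name);

/* OS version -> feature index values, as listed in the text. */
static const struct { os_version_t os; unsigned index; } LOGON_INDEX_SET[] = {
    { OS_XP, 105 }, { OS_WIN7, 110 }, { OS_WIN8, 117 },
    { OS_WIN81, 122 }, { OS_WIN10, 129 },
};

/* Constructed sample of the library of applications to be intercepted. */
static const char *const SAMPLE_LIBRARY[] = { "malicious_a.exe", "sample_b.exe" };
#define SAMPLE_LIBRARY_LEN (sizeof SAMPLE_LIBRARY / sizeof SAMPLE_LIBRARY[0])

/* Looks up the index mapped to this OS version; returns 0 if none is known. */
static int logon_index_for(os_version_t os, unsigned *out)
{
    size_t i;
    for (i = 0; i < sizeof LOGON_INDEX_SET / sizeof LOGON_INDEX_SET[0]; i++) {
        if (LOGON_INDEX_SET[i].os == os) {
            *out = LOGON_INDEX_SET[i].index;
            return 1;
        }
    }
    return 0;
}

/* Assumption: image names compare case-insensitively, like Windows file names. */
static int name_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    }
    return *a == *b;
}

static int in_library(const char *image, const char *const *lib, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (name_equal(image, lib[i]))
            return 1;
    }
    return 0;
}

/* Decision taken for one intercepted call. prompt may be NULL (no user prompt). */
verdict_t decide_logon_registration(os_version_t os, unsigned passed_index,
                                    const char *caller_image,
                                    const char *const *lib, size_t lib_len,
                                    prompt_fn prompt)
{
    unsigned expected;

    /* Only the index mapped to the running OS version marks a logon-process
       registration; any other index, or an unmapped OS, is left alone. */
    if (!logon_index_for(os, &expected) || passed_index != expected)
        return VERDICT_PASS_THROUGH;

    /* Assumption: fail closed when the caller cannot be identified. */
    if (caller_image == NULL || caller_image[0] == '\0')
        return VERDICT_DENY;

    /* Callers absent from the library may register. */
    if (!in_library(caller_image, lib, lib_len))
        return VERDICT_ALLOW;

    /* Listed caller: refuse outright, or defer to the user when a prompt exists. */
    if (prompt == NULL)
        return VERDICT_DENY;
    return prompt(caller_image) == USER_ALLOW ? VERDICT_ALLOW : VERDICT_DENY;
}

/* Constructed stand-ins for the display and instruction processing units. */
user_choice_t user_always_allows(const char *image_name) { (void)image_name; return USER_ALLOW; }
user_choice_t user_always_denies(const char *image_name) { (void)image_name; return USER_DENY; }

int main(void)
{
    static const char *const names[] = { "pass-through", "allow", "deny" };
    printf("Win7, index 110, malicious_a.exe: %s\n",
           names[decide_logon_registration(OS_WIN7, 110, "malicious_a.exe",
                                           SAMPLE_LIBRARY, SAMPLE_LIBRARY_LEN, NULL)]);
    printf("Win7, index 105, malicious_a.exe: %s\n",
           names[decide_logon_registration(OS_WIN7, 105, "malicious_a.exe",
                                           SAMPLE_LIBRARY, SAMPLE_LIBRARY_LEN, NULL)]);
    return 0;
}
```

The second call shows why the index is looked up per version: 105 marks a logon-process registration on XP but not on Win7, so a check against a single hard-coded value would misclassify the call.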
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" and any variants of them are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The embodiments in this specification are described in a related manner; for the same or similar parts, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others.
In particular, since the device embodiment is substantially similar to the method embodiment, it is described more briefly; for the relevant parts, refer to the corresponding explanation of the method embodiment.
The logic and/or steps represented in the flowcharts or otherwise described herein, for example an ordered list of executable instructions that may be considered to implement logical functions, may be embodied in any computer-readable medium for use by, or in connection with, an instruction execution system, apparatus or device (such as a computer-based system, a system including a processor, or another system that can fetch instructions from an instruction execution system, apparatus or device and execute them). For the purposes of this specification, a "computer-readable medium" can be any means that can contain, store, communicate, propagate or transmit a program for use by or in connection with an instruction execution system, apparatus or device. More specific examples (a non-exhaustive list) of computer-readable media include: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), an optical fibre device, and portable compact disc read-only memory (CDROM). In addition, the computer-readable medium may even be paper or another suitable medium on which the program can be printed, because the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or, if necessary, otherwise suitably processing it, and then stored in a computer memory.
It should be understood that each part of the present invention can be implemented in hardware, software, firmware or a combination of them.
In the above embodiments, multiple steps or methods can be implemented by software or firmware that is stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or a combination of the following techniques well known in the art can be used: discrete logic circuits with logic gates for implementing logic functions on data signals, application-specific integrated circuits with suitable combinational logic gates, programmable gate arrays (PGA), field-programmable gate arrays (FPGA), and so on.
An embodiment of the present invention also provides an electronic device that includes the device described in any of the foregoing embodiments.
Fig. 3 is a schematic structural diagram of one embodiment of the electronic device of the present invention, which can implement the flow of the embodiments shown in Figs. 1-2. As shown in Fig. 3, the electronic device may include: a housing 31, a processor 32, a memory 33, a circuit board 34 and a power supply circuit 35, wherein the circuit board 34 is placed inside the space enclosed by the housing 31, and the processor 32 and the memory 33 are arranged on the circuit board 34; the power supply circuit 35 supplies power to each circuit or component of the electronic device; the memory 33 stores executable program code; and the processor 32 reads the executable program code stored in the memory 33 and runs the program corresponding to that code, in order to execute the method for handling process registration described in any of the foregoing embodiments.
For the specific way in which the processor 32 executes the above steps, and the further steps it executes by running the executable program code, refer to the description of the embodiments shown in Figs. 1-2; they are not repeated here.
The electronic device exists in a variety of forms, including but not limited to:
(1) Mobile communication devices: devices of this kind have mobile communication functions, and their main purpose is to provide voice and data communication. Such terminals include smartphones (such as the iPhone), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: devices of this kind belong to the category of personal computers, have computing and processing functions, and generally also have mobile Internet access. Such terminals include PDA, MID and UMPC devices, such as the iPad.
(3) Portable entertainment devices: devices of this kind can display and play multimedia content. They include audio and video players (such as the iPod), handheld game consoles, e-book readers, smart toys and portable in-vehicle navigation devices.
(4) Servers: devices that provide computing services. A server consists of a processor, hard disk, memory, system bus and so on; its architecture is similar to that of a general-purpose computer, but because it must provide highly reliable services, the requirements on processing capacity, stability, reliability, security, scalability and manageability are higher.
(5) Other electronic devices with data interaction functions.
Those skilled in the art will understand that all or some of the steps of the above method embodiments can be completed by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium and, when executed, performs one of the steps of the method embodiments or a combination of them.
For convenience of description, the above device is described as divided by function into various units/modules. Of course, when the present invention is implemented, the functions of the units/modules can be realized in one or more pieces of software and/or hardware.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by means of software plus the necessary general-purpose hardware platform. On this understanding, the technical solution of the present invention in essence, or the part of it that contributes over the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the embodiments of the present invention or in certain parts of them.
The above is merely a specific embodiment of the present invention, but the scope of protection of the present invention is not limited to it. Any change or substitution that a person skilled in the art could readily conceive of within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. The scope of protection of the present invention shall therefore be determined by the scope of protection of the claims.

Claims (11)

1. A method for handling process registration, characterized by comprising:
When the pre-injected hook function detects a call to the kernel-driver-level user callback two-parameter function, hooking the kernel-driver-level user callback two-parameter function;
Obtaining the current operating system version information and the feature index information passed in by the call to the kernel-driver-level user callback two-parameter function;
If the current operating system version information and the passed-in feature index information match the preset operating system version information / feature index information set mapped to the logon process, obtaining the process information of the caller of the kernel-driver-level user callback two-parameter function, executing the register-logon-process function, and registering the target process to be registered as a logon process;
If the application mapped by the obtained process information is identical to any application to be intercepted in the preset feature library of applications to be intercepted, refusing the call to the kernel-driver-level user callback two-parameter function.
2. The method for handling process registration according to claim 1, characterized in that the current operating system version information and the passed-in feature index information matching the preset operating system version information / feature index information set mapped to the logon process comprises:
Using the obtained current operating system version information to query the operating system version information / feature index information set and obtain the feature index information mapped to the current operating system;
If the passed-in feature index information is identical to the feature index information so obtained, determining a match.
3. The method for handling process registration according to claim 1, characterized in that, after it is determined that the application mapped by the obtained process information is identical to any application to be intercepted in the preset feature library of applications to be intercepted, and before the call to the kernel-driver-level user callback two-parameter function is refused, the method further comprises:
Displaying the application mapped by the obtained process information, and prompting that the displayed application is registering a process as a logon process;
Receiving the instruction selected by the user; if the instruction is an allow instruction, allowing the kernel-driver-level user callback two-parameter function to perform the operation of registering the logon process; if the instruction is a refuse instruction, performing the step of refusing the call to the kernel-driver-level user callback two-parameter function.
4. The method for handling process registration according to claim 1, characterized in that the method further comprises:
If the application mapped by the obtained process path information differs from every application to be intercepted in the preset feature library of applications to be intercepted, allowing the kernel-driver-level user callback two-parameter function to perform the operation of registering the logon process.
5. The method for handling process registration according to any one of claims 1 to 4, characterized in that the preset operating system version information / feature index information set mapped to the logon process includes:
For the XP operating system, the mapped feature index information is 105;
For the Win7 operating system, the mapped feature index information is 110;
For the Win8 operating system, the mapped feature index information is 117;
For the Win8.1 operating system, the mapped feature index information is 122;
For the Win10 operating system, the mapped feature index information is 129.
6. A device for handling process registration, characterized by comprising: a hook module, a version information obtaining module, a process information obtaining module and a registration processing module, wherein:
The hook module is configured to hook the kernel-driver-level user callback two-parameter function when the pre-injected hook function detects a call to that function;
The version information obtaining module is configured to obtain the current operating system version information and the feature index information passed in by the call to the kernel-driver-level user callback two-parameter function;
The process information obtaining module is configured to, if the current operating system version information and the passed-in feature index information match the preset operating system version information / feature index information set mapped to the logon process, obtain the process information of the caller of the kernel-driver-level user callback two-parameter function, execute the register-logon-process function, and register the target process to be registered as a logon process;
The registration processing module is configured to refuse the call to the kernel-driver-level user callback two-parameter function if the application mapped by the obtained process information is identical to any application to be intercepted in the preset feature library of applications to be intercepted.
7. The device for handling process registration according to claim 6, characterized in that the process information obtaining module includes: a feature index information obtaining unit, a matching unit and a process information obtaining unit, wherein:
The feature index information obtaining unit is configured to use the obtained current operating system version information to query the operating system version information / feature index information set and obtain the feature index information mapped to the current operating system;
The matching unit is configured to determine a match if the passed-in feature index information is identical to the feature index information so obtained;
The process information obtaining unit is configured to obtain the process information of the caller of the kernel-driver-level user callback two-parameter function.
8. The device for handling process registration according to claim 6, characterized in that the registration processing module includes: an interception matching unit, a display unit and an instruction processing unit, wherein:
The interception matching unit is configured to notify the display unit if the application mapped by the obtained process information is identical to any application to be intercepted in the preset feature library of applications to be intercepted;
The display unit is configured to display the application mapped by the obtained process information and to prompt that the displayed application is registering a process as a logon process;
The instruction processing unit is configured to receive the instruction selected by the user; if the instruction is an allow instruction, the kernel-driver-level user callback two-parameter function is allowed to perform the operation of registering the logon process; if the instruction is a refuse instruction, the call to the kernel-driver-level user callback two-parameter function is refused.
9. The device for handling process registration according to claim 6, characterized in that the registration processing module is further configured to allow the kernel-driver-level user callback two-parameter function to perform the operation of registering the logon process if the application mapped by the obtained process path information differs from every application to be intercepted in the preset feature library of applications to be intercepted.
10. The device for handling process registration according to any one of claims 6 to 9, characterized in that the preset operating system version information / feature index information set mapped to the logon process includes:
For the XP operating system, the mapped feature index information is 105;
For the Win7 operating system, the mapped feature index information is 110;
For the Win8 operating system, the mapped feature index information is 117;
For the Win8.1 operating system, the mapped feature index information is 122;
For the Win10 operating system, the mapped feature index information is 129.
11. An electronic device, characterized in that the electronic device includes: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or component of the electronic device; the memory stores executable program code; and the processor reads the executable program code stored in the memory and runs the program corresponding to that code, in order to execute the method for handling process registration according to any one of the preceding claims 1-5.
CN201610547975.5A 2016-07-12 2016-07-12 A kind of method, apparatus and electronic equipment for the treatment of progress registration Active CN106228062B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610547975.5A CN106228062B (en) 2016-07-12 2016-07-12 A kind of method, apparatus and electronic equipment for the treatment of progress registration

Publications (2)

Publication Number Publication Date
CN106228062A CN106228062A (en) 2016-12-14
CN106228062B true CN106228062B (en) 2019-04-26

Family

ID=57519611

Country Status (1)

Country Link
CN (1) CN106228062B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20190118

Address after: 519031 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province

Applicant after: Zhuhai Leopard Technology Co.,Ltd.

Address before: 100085 East District, Second Floor, 33 Xiaoying West Road, Haidian District, Beijing

Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.

GR01 Patent grant