CN106228062B - Method, apparatus and electronic device for handling process registration - Google Patents
- Publication number
- CN106228062B (CN201610547975.5A)
- Authority
- CN
- China
- Prior art keywords
- information
- feature index
- kernel
- index information
- mapping
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/51—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
Abstract
Embodiments of the present invention disclose a method, an apparatus and an electronic device for handling process registration. They relate to information security technology and can improve security protection efficiency. The method includes: when a pre-injected hook function detects a call to the kernel-driver-level user-callback two-parameter function, hooking that function; obtaining the current operating system version information and the feature index information passed in by the call; if the current operating system version information and the passed-in feature index information match the pre-set operating system version information / feature index information set mapped to the logon process, obtaining the process information of the process calling the kernel-driver-level user-callback two-parameter function; and, if the application mapped to the obtained process information is the same as any application to be intercepted in a pre-set feature library of applications to be intercepted, refusing the call to the kernel-driver-level user-callback two-parameter function. The invention is suitable for handling process registration.
Description
Technical field
The present invention relates to information security technology, and in particular to a method, an apparatus and an electronic device for handling process registration.
Background
As the technical details of the operating system kernel layer are gradually disclosed, more and more malicious applications, such as Trojan horses, have begun to use kernel-layer drivers to protect their own processes. A malicious application process protected by a kernel-layer driver can terminate (kill) other processes in the operating system, so that it can attack user processes or system processes as the provider of the malicious application intends. This may make the computer unstable or even leak user information. For example, the operating system provides an application-layer function for registering a logon process (the RegisterLogonProcess function), which registers a process as a logon process with the privileges of the currently logged-on user. Some malicious applications use the RegisterLogonProcess function to register a pre-set low-privilege malicious process as a logon process and thereby obtain key operating system information, such as operating-system-related directories and files and operating-system-related registry paths, seriously damaging the operating system environment. Here, a process is one running activity of an application in the computer over some data set; it is the basic unit by which the operating system allocates and schedules resources, and the foundation of the operating system's structure. In early, process-oriented computer architectures, the process was the basic execution entity of an application; in contemporary, thread-oriented computer architectures, the process is a container for threads. That is, an application is a description of instructions, data and their organization, and a process is the running entity of the application.
At present, the method of protecting a process from being maliciously registered as a logon process uses hook (HOOK) technology to hook the RegisterLogonProcess function. That is, the application-layer RegisterLogonProcess function is hooked, and when a monitored process calls the RegisterLogonProcess function, the call is intercepted, protecting the process from being maliciously registered as a logon process.
However, with this method of handling process registration, the operating system kernel function corresponding to the RegisterLogonProcess function is the kernel-driver-level user-callback two-parameter function (the kernel NtUserCallTwoParam function), and the kernel NtUserCallTwoParam function is a common operating system kernel function shared by several application-layer functions. The function that actually completes the registration is therefore the kernel NtUserCallTwoParam function, so a malicious application can register a process as a logon process by calling the kernel NtUserCallTwoParam function directly. This damages the operating system environment and leaves the operating system with low security protection efficiency and poor security.
Summary of the invention
In view of this, embodiments of the present invention provide a method, an apparatus and an electronic device for handling process registration that can improve the security protection efficiency of the operating system. This solves the problem in existing methods of handling process registration that a process can be registered as a logon process by calling the kernel NtUserCallTwoParam function directly, which lowers the security protection efficiency of the operating system.
In a first aspect, an embodiment of the present invention provides a method for handling process registration, comprising:
When a pre-injected hook function detects a call to the kernel-driver-level user-callback two-parameter function, hooking the kernel-driver-level user-callback two-parameter function;
Obtaining the current operating system version information and the feature index information passed in by the call to the kernel-driver-level user-callback two-parameter function;
If the current operating system version information and the passed-in feature index information match the pre-set operating system version information / feature index information set mapped to the logon process, obtaining the process information of the process calling the kernel-driver-level user-callback two-parameter function;
If the application mapped to the obtained process information is the same as any application to be intercepted in the pre-set feature library of applications to be intercepted, refusing the call to the kernel-driver-level user-callback two-parameter function.
With reference to the first aspect, in a first embodiment of the first aspect, the matching of the current operating system version information and the passed-in feature index information against the pre-set operating system version information / feature index information set mapped to the logon process includes:
Using the obtained current operating system version information to query the operating system version information / feature index information set, obtaining the feature index information mapped to the current operating system;
If the passed-in feature index information is the same as the feature index information thus obtained, determining that they match.
With reference to the first aspect, in a second embodiment of the first aspect, after it is determined that the application mapped to the obtained process information is the same as any application to be intercepted in the pre-set feature library of applications to be intercepted, and before the call to the kernel-driver-level user-callback two-parameter function is refused, the method further includes:
Displaying the application mapped to the obtained process information, and prompting that the displayed application is registering a process as a logon process;
Receiving the instruction selected by the user; if the instruction is an allow instruction, allowing the kernel-driver-level user-callback two-parameter function to perform the operation of registering the logon process; if the instruction is a refuse instruction, performing the step of refusing the call to the kernel-driver-level user-callback two-parameter function.
With reference to the first aspect, in a third embodiment of the first aspect, the method further includes:
If the application mapped to the obtained process path information differs from every application to be intercepted in the pre-set feature library of applications to be intercepted, allowing the kernel-driver-level user-callback two-parameter function to perform the operation of registering the logon process.
With reference to the first aspect or any of the first to third embodiments of the first aspect, in a fourth embodiment of the first aspect, the pre-set operating system version information / feature index information set mapped to the logon process includes:
For the XP operating system, the mapped feature index information is 105;
For the Win7 operating system, the mapped feature index information is 110;
For the Win8 operating system, the mapped feature index information is 117;
For the Win8.1 operating system, the mapped feature index information is 122;
For the Win10 operating system, the mapped feature index information is 129.
In a second aspect, an embodiment of the present invention provides an apparatus for handling process registration, comprising: a hook module, a version information acquisition module, a process information acquisition module and a registration processing module, wherein
The hook module is configured to hook the kernel-driver-level user-callback two-parameter function when a pre-injected hook function detects a call to the kernel-driver-level user-callback two-parameter function;
The version information acquisition module is configured to obtain the current operating system version information and the feature index information passed in by the call to the kernel-driver-level user-callback two-parameter function;
The process information acquisition module is configured to obtain the process information of the process calling the kernel-driver-level user-callback two-parameter function if the current operating system version information and the passed-in feature index information match the pre-set operating system version information / feature index information set mapped to the logon process;
The registration processing module is configured to refuse the call to the kernel-driver-level user-callback two-parameter function if the application mapped to the obtained process information is the same as any application to be intercepted in the pre-set feature library of applications to be intercepted.
With reference to the second aspect, in a first embodiment of the second aspect, the process information acquisition module includes: a feature index information acquisition unit, a matching unit and a process information acquisition unit, wherein
The feature index information acquisition unit is configured to use the obtained current operating system version information to query the operating system version information / feature index information set, obtaining the feature index information mapped to the current operating system;
The matching unit is configured to determine a match if the passed-in feature index information is the same as the feature index information thus obtained;
The process information acquisition unit is configured to obtain the process information of the process calling the kernel-driver-level user-callback two-parameter function.
With reference to the second aspect, in a second embodiment of the second aspect, the registration processing module includes: an interception matching unit, a display unit and an instruction processing unit, wherein
The interception matching unit is configured to notify the display unit if the application mapped to the obtained process information is the same as any application to be intercepted in the pre-set feature library of applications to be intercepted;
The display unit is configured to display the application mapped to the obtained process information, and to prompt that the displayed application is registering a process as a logon process;
The instruction processing unit is configured to receive the instruction selected by the user; if the instruction is an allow instruction, to allow the kernel-driver-level user-callback two-parameter function to perform the operation of registering the logon process; and if the instruction is a refuse instruction, to refuse the call to the kernel-driver-level user-callback two-parameter function.
With reference to the second aspect, in a third embodiment of the second aspect, the registration processing module is further configured to allow the kernel-driver-level user-callback two-parameter function to perform the operation of registering the logon process if the application mapped to the obtained process path information differs from every application to be intercepted in the pre-set feature library of applications to be intercepted.
With reference to the second aspect or any of the first to third embodiments of the second aspect, in a fourth embodiment of the second aspect, the pre-set operating system version information / feature index information set mapped to the logon process includes:
For the XP operating system, the mapped feature index information is 105;
For the Win7 operating system, the mapped feature index information is 110;
For the Win8 operating system, the mapped feature index information is 117;
For the Win8.1 operating system, the mapped feature index information is 122;
For the Win10 operating system, the mapped feature index information is 129.
In a third aspect, an embodiment of the present invention provides an electronic device comprising: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or component of the electronic device; the memory stores executable program code; and the processor, by reading the executable program code stored in the memory, runs the program corresponding to the executable program code in order to perform any of the foregoing methods for handling process registration.
In the method, apparatus and electronic device for handling process registration provided by the embodiments of the present invention, when a pre-injected hook function detects a call to the kernel-driver-level user-callback two-parameter function, that function is hooked; the current operating system version information and the feature index information passed in by the call are obtained; if the current operating system version information and the passed-in feature index information match the pre-set operating system version information / feature index information set mapped to the logon process, the process information of the process calling the kernel-driver-level user-callback two-parameter function is obtained; and if the application mapped to the obtained process information is the same as any application to be intercepted in the pre-set feature library of applications to be intercepted, the call to the kernel-driver-level user-callback two-parameter function is refused. This can improve the security protection efficiency of the operating system, solving the problem in existing methods of handling process registration that a process can be registered as a logon process by calling the kernel NtUserCallTwoParam function directly, which lowers the security protection efficiency of the operating system.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of the method for handling process registration according to Embodiment 1 of the present invention;
Fig. 2 is a schematic structural diagram of the apparatus for handling process registration according to Embodiment 2 of the present invention;
Fig. 3 is a schematic structural diagram of one embodiment of the electronic device of the present invention.
Detailed description of the embodiments
The embodiments of the present invention are described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Step 101: when a pre-injected hook function detects a call to the kernel-driver-level user-callback two-parameter function, hook the kernel-driver-level user-callback two-parameter function;
In this embodiment, as an optional embodiment, the kernel-driver-level user-callback two-parameter function is the kernel NtUserCallTwoParam function.
In this embodiment, the injected hook (Hook) function is used to monitor function-call-related operations of application-layer processes. When a function called by an application-layer process matches a pre-set function, the called function is intercepted and handled by the injected hook function in place of the called function, and the corresponding processing result is returned.
In this embodiment, as an optional embodiment, the hook function can be injected when the defense driver of the Jinshan anti-virus software is loaded, wherein
In this embodiment, the kernel NtUserCallTwoParam function is hooked in the defense driver. At the application layer, for example, a malicious application sends the operating system a process registration request carrying the target process to be registered, and the operating system creates the corresponding application-layer process according to the received process registration request. When this application-layer process calls the kernel NtUserCallTwoParam function to register the target process to be registered, the Hook function of this embodiment is called first, so that the call is handled according to the interception rules of the Hook function.
In this embodiment, as an optional embodiment, the application-layer process is the process that the operating system creates when an application sends a process registration request to the operating system.
In this embodiment, as an optional embodiment, detecting a call to the kernel-driver-level user-callback two-parameter function includes:
Detecting that an application-layer process directly calls the kernel-driver-level user-callback two-parameter function.
As another optional embodiment, detecting a call to the kernel-driver-level user-callback two-parameter function includes:
Detecting that an application-layer process calls the register-logon-process function, and that the register-logon-process function calls the kernel-driver-level user-callback two-parameter function.
In this embodiment, as an optional embodiment, the register-logon-process function is the RegisterLogonProcess function.
Step 102: obtain the current operating system version information and the feature index information passed in by the call to the kernel-driver-level user-callback two-parameter function;
In this embodiment, the kernel-driver-level user-callback two-parameter function (the kernel NtUserCallTwoParam function) is a common function: it is the kernel function corresponding to several application-layer functions. The kernel NtUserCallTwoParam function therefore uses feature index information to distinguish the different operations performed by different application-layer functions (for example, the RegisterLogonProcess function). Under different operating system versions, the feature index information that corresponds to the same application-layer function in the kernel-driver-level user-callback two-parameter function is also different.
In this embodiment, the process registration request carrying the target process to be registered, which the application sends to the operating system through the application-layer process, may also be passed (carry) the corresponding feature index information, to indicate that the target process to be registered is to be registered as a logon process by calling the kernel-driver-level user-callback two-parameter function. Thus, by parsing the process registration request, the feature index information passed in by the call to the kernel-driver-level user-callback two-parameter function can be obtained.
Step 103: if the current operating system version information and the passed-in feature index information match the pre-set operating system version information / feature index information set mapped to the logon process, obtain the process information of the process calling the kernel-driver-level user-callback two-parameter function;
In this embodiment, when a process is registered as a logon process, the feature index information mapped in the kernel NtUserCallTwoParam function is as follows; that is, the pre-set operating system version information / feature index information set mapped to the logon process includes:
For the XP operating system, the mapped feature index information is 105;
For the Win7 operating system, the mapped feature index information is 110;
For the Win8 operating system, the mapped feature index information is 117;
For the Win8.1 operating system, the mapped feature index information is 122;
For the Win10 operating system, the mapped feature index information is 129.
In this embodiment, as an optional embodiment, the matching of the current operating system version information and the passed-in feature index information against the pre-set operating system version information / feature index information set mapped to the logon process includes:
Using the obtained current operating system version information to query the operating system version information / feature index information set, obtaining the feature index information mapped to the current operating system;
If the passed-in feature index information is the same as the feature index information thus obtained, determining that they match.
In this embodiment, if the current operating system version information is the XP operating system and the passed-in feature index information is 105, a match is determined; if the current operating system version information is the XP operating system and the passed-in feature index information is 110, it is determined that they do not match.
In this embodiment, the process information of the process calling the kernel-driver-level user-callback two-parameter function is the process information of the process that initiated this registration of the target process to be registered as a logon process.
In this embodiment, each item of process information corresponds to one application.
Step 104: if the application mapped to the obtained process information is the same as any application to be intercepted in the pre-set feature library of applications to be intercepted, refuse the call to the kernel-driver-level user-callback two-parameter function.
In this embodiment, the feature library of applications to be intercepted is searched to judge whether the application corresponding to the process information of the process that initiated this registration of the target process to be registered as a logon process (the process information of the process calling the kernel-driver-level user-callback two-parameter function) is an application to be intercepted. If it is an application to be intercepted, its registration request is refused.
In this embodiment, as an optional embodiment, after it is determined that the application mapped to the obtained process information is the same as any application to be intercepted in the pre-set feature library of applications to be intercepted, and before the call to the kernel-driver-level user-callback two-parameter function is refused, the method further includes:
Displaying the application mapped to the obtained process information, and prompting that the displayed application is registering a process as a logon process;
Receiving the instruction selected by the user; if the instruction is an allow instruction, allowing the kernel-driver-level user-callback two-parameter function to perform the operation of registering the logon process; if the instruction is a refuse instruction, performing the step of refusing the call to the kernel-driver-level user-callback two-parameter function.
In this embodiment, as an optional embodiment, the method further includes:
If the application mapped to the obtained process path information differs from every application to be intercepted in the pre-set feature library of applications to be intercepted, allowing the kernel-driver-level user-callback two-parameter function to perform the operation of registering the logon process.
In this embodiment, if the application mapped to the obtained process information is the same as any application to be intercepted in the pre-set feature library of applications to be intercepted, the application-layer process of that application is considered to be a malicious application process and is intercepted: the operation is terminated and a refusal is returned. The process registration request of the application is thereby refused, so that the malicious application's request to register the target process to be registered as a logon process fails. For example, suppose a malicious application A exists in the user's computer environment, and suppose the kernel NtUserCallTwoParam function that performs process registration is hooked by a Hook function injected in the defense driver of the Jinshan anti-virus software. Then, when the process of malicious application A instructs the driver corresponding to the malicious application to call the kernel NtUserCallTwoParam function, passing in the feature index information for registering the target process to be registered as a logon process, the Hook function injected in the defense driver of the Jinshan anti-virus software intercepts the process registration behaviour and returns a refusal. Malicious application A's operation of registering a process as a logon process therefore fails, which better protects the operating system environment from damage and improves the security of the operating system.
In the method for handling process registration of Embodiment 1 of the present invention, when a pre-injected hook function detects a call to the kernel-driver-level user-callback two-parameter function, that function is hooked; the current operating system version information and the feature index information passed in by the call are obtained; if the current operating system version information and the passed-in feature index information match the pre-set operating system version information / feature index information set mapped to the logon process, the process information of the process calling the kernel-driver-level user-callback two-parameter function is obtained; and if the application mapped to the obtained process information is the same as any application to be intercepted in the pre-set feature library of applications to be intercepted, the call to the kernel-driver-level user-callback two-parameter function is refused. In this way, by hooking the kernel-driver-level user-callback two-parameter function, when an application calls that function to register a process as a logon process, the application's registration behaviour can be intercepted in time and handled accordingly. This protects the operating system from damage, improves the security protection efficiency of the operating system, and can effectively strengthen the security of the operating system.
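The decision made in steps 102 to 104, written out as an added example (it is not code from the patent). It is a user-space C model rather than a kernel hook; the function, type and path names are hypothetical, and refusing a caller that cannot be identified is an assumption.

```c
/* Added example: user-space model of the filter decision in steps 102-104.
 * It is not a kernel hook; every identifier below is hypothetical. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { OS_XP, OS_WIN7, OS_WIN8, OS_WIN81, OS_WIN10, OS_UNKNOWN } os_version_t;

typedef enum {
    VERDICT_PASS_THROUGH, /* not a logon-process registration: leave the call alone */
    VERDICT_ALLOW,        /* logon-process registration that is permitted */
    VERDICT_DENY          /* logon-process registration that is refused */
} verdict_t;

/* Operating system version / feature index set, values as listed in the description. */
static const struct { os_version_t os; unsigned index; } LOGON_INDEX_SET[] = {
    { OS_XP, 105 }, { OS_WIN7, 110 }, { OS_WIN8, 117 }, { OS_WIN81, 122 }, { OS_WIN10, 129 },
};

/* Optional user prompt from the second embodiment: nonzero means "allow". */
typedef int (*prompt_fn)(const char *image_path);

/* Look up the feature index that means "register logon process" on this OS. */
static int logon_index_for(os_version_t os, unsigned *index_out)
{
    size_t i;
    for (i = 0; i < sizeof LOGON_INDEX_SET / sizeof LOGON_INDEX_SET[0]; i++) {
        if (LOGON_INDEX_SET[i].os == os) {
            *index_out = LOGON_INDEX_SET[i].index;
            return 1;
        }
    }
    return 0; /* version not in the set */
}

/* Windows paths: compare case-insensitively and treat '/' like '\\'. */
static int same_image_path(const char *a, const char *b)
{
    for (;; a++, b++) {
        int ca = (*a == '/') ? '\\' : tolower((unsigned char)*a);
        int cb = (*b == '/') ? '\\' : tolower((unsigned char)*b);
        if (ca != cb) return 0;
        if (ca == '\0') return 1;
    }
}

verdict_t filter_two_param_call(os_version_t os, unsigned incoming_index,
                                const char *caller_image,
                                const char *const *intercept_library, size_t library_len,
                                prompt_fn prompt)
{
    unsigned expected;
    size_t i;

    /* Step 103: the hooked function is shared by many application-layer
     * functions, so only the index mapped to this OS version is filtered. */
    if (!logon_index_for(os, &expected) || incoming_index != expected)
        return VERDICT_PASS_THROUGH;

    /* Assumption (not stated in the patent): a caller that cannot be
     * identified is refused rather than waved through. */
    if (caller_image == NULL)
        return VERDICT_DENY;

    /* Step 104: compare the caller against the library of applications to intercept. */
    for (i = 0; i < library_len; i++) {
        if (same_image_path(caller_image, intercept_library[i])) {
            if (prompt != NULL && prompt(caller_image))
                return VERDICT_ALLOW; /* second embodiment: user chose "allow" */
            return VERDICT_DENY;
        }
    }
    return VERDICT_ALLOW; /* third embodiment: no library entry matched */
}

/* Constructed sample data, for illustration only. */
static const char *const SAMPLE_LIBRARY[] = { "C:\\Samples\\malicious_a.exe" };
static int user_allows(const char *image_path)  { (void)image_path; return 1; }
static int user_refuses(const char *image_path) { (void)image_path; return 0; }

int main(void)
{
    static const char *const names[] = { "pass-through", "allow", "deny" };
    const char *bad = "c:/samples/MALICIOUS_A.EXE";
    const char *ok = "C:\\Samples\\benign.exe";

    printf("XP/105 listed caller:    %s\n", names[filter_two_param_call(OS_XP, 105, bad, SAMPLE_LIBRARY, 1, NULL)]);
    printf("XP/110 listed caller:    %s\n", names[filter_two_param_call(OS_XP, 110, bad, SAMPLE_LIBRARY, 1, NULL)]);
    printf("Win10/129 other caller:  %s\n", names[filter_two_param_call(OS_WIN10, 129, ok, SAMPLE_LIBRARY, 1, NULL)]);
    printf("Win7/110 user allows:    %s\n", names[filter_two_param_call(OS_WIN7, 110, bad, SAMPLE_LIBRARY, 1, user_allows)]);
    printf("Win7/110 user refuses:   %s\n", names[filter_two_param_call(OS_WIN7, 110, bad, SAMPLE_LIBRARY, 1, user_refuses)]);
    return 0;
}
```

The pass-through verdict matters because the hooked function is shared: any call whose index does not match the logon-registration entry for the running version has to reach the original function unchanged.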
Fig. 2 is a schematic structural diagram of the apparatus for processing process registration according to Embodiment 2 of the present invention. As shown in Fig. 2, the apparatus of this embodiment may include: a hook module 21, a version information obtaining module 22, a process information obtaining module 23 and a registration processing module 24, wherein
the hook module 21 is configured to hook the kernel-driver-level user callback two-parameter function when a pre-implanted hook function detects a call to that function;
In this embodiment, as an optional embodiment, the kernel-driver-level user callback two-parameter function is the kernel NtUserCallTwoParam function.
In this embodiment, as an optional embodiment, detecting a call to the kernel-driver-level user callback two-parameter function includes:
detecting that an application-layer process calls the kernel-driver-level user callback two-parameter function directly.
As another optional embodiment, detecting a call to the kernel-driver-level user callback two-parameter function includes:
detecting that an application-layer process calls the registration logon process function, and that the registration logon process function calls the kernel-driver-level user callback two-parameter function.
In this embodiment, as an optional embodiment, the registration logon process function is the RegisterLogonProcess function.
The version information obtaining module 22 is configured to obtain the current operating system version information and the feature index information passed in when the kernel-driver-level user callback two-parameter function is called;
In this embodiment, the process registration request that an application sends to the operating system through an application-layer process, and that carries the target process to be registered, may also carry the corresponding feature index information, to indicate that the target process to be registered is to be registered as a logon process by calling the kernel-driver-level user callback two-parameter function.
The process information obtaining module 23 is configured to obtain the process information for calling the kernel-driver-level user callback two-parameter function if the current operating system version information and the passed-in feature index information match the preset operating system version information/feature index information set mapped to the logon process;
In this embodiment, as an optional embodiment, the preset operating system version information/feature index information set mapped to the logon process includes:
For the XP operating system, the mapped feature index information is 105;
For the Win7 operating system, the mapped feature index information is 110;
For the Win8 operating system, the mapped feature index information is 117;
For the Win8.1 operating system, the mapped feature index information is 122;
For the Win10 operating system, the mapped feature index information is 129.
In this embodiment, as an optional embodiment, the process information obtaining module 23 includes: a feature index information obtaining unit, a matching unit and a process information obtaining unit (not shown in the figure), wherein
the feature index information obtaining unit is configured to query the operating system version information/feature index information set with the obtained current operating system version information, to obtain the feature index information mapped to the current operating system;
the matching unit is configured to determine a match if the passed-in feature index information is identical to the obtained feature index information;
the process information obtaining unit is configured to obtain the process information for calling the kernel-driver-level user callback two-parameter function.
In this embodiment, the process information for calling the kernel-driver-level user callback two-parameter function is the information of the process that initiated this registration of the target process to be registered as a logon process.
The registration processing module 24 is configured to refuse the call to the kernel-driver-level user callback two-parameter function if the application mapped by the obtained process information is identical to any to-be-intercepted application in the preset to-be-intercepted application feature library.
In this embodiment, as an optional embodiment, the registration processing module 24 includes: an interception matching unit, a display unit and an instruction processing unit (not shown in the figure), wherein
the interception matching unit is configured to notify the display unit if the application mapped by the obtained process information is identical to any to-be-intercepted application in the preset to-be-intercepted application feature library;
the display unit is configured to display the application mapped by the obtained process information, and to prompt that the displayed application is registering a process as a logon process;
the instruction processing unit is configured to receive the instruction selected by the user; if the instruction is an allow instruction, the kernel-driver-level user callback two-parameter function is allowed to perform the operation of registering the logon process; if the instruction is a refuse instruction, the call to the kernel-driver-level user callback two-parameter function is refused.
In this embodiment, as another optional embodiment, the registration processing module 24 is further configured to allow the kernel-driver-level user callback two-parameter function to perform the operation of registering the logon process if the application mapped by the obtained process path information differs from every to-be-intercepted application in the preset to-be-intercepted application feature library.
The apparatus of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 1; its implementation principle and technical effect are similar and are not repeated here.
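The decision flow of modules 22 to 24 can be modelled in user mode as follows. This is an added example, not code from the patent or its applicant: the type and function names are hypothetical, matching on the caller's image file name is an assumption about how the feature library is keyed, and passing through calls with other indices and refusing a caller whose path cannot be resolved are assumptions for cases this section does not describe.

```c
/* Added example: user-mode model of the decision logic only. It installs no
 * hook and never calls NtUserCallTwoParam. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { OS_XP, OS_WIN7, OS_WIN8, OS_WIN8_1, OS_WIN10, OS_OTHER } os_version;
typedef enum { PASS_THROUGH, ALLOW_REGISTRATION, REFUSE_CALL } verdict;
typedef enum { USER_ALLOW, USER_REFUSE } user_choice;

/* Models the display unit plus instruction processing unit (hypothetical type). */
typedef user_choice (*prompt_fn)(const char *caller_path);

/* OS version -> feature index set; the five values are the ones the text lists. */
static const struct { os_version os; int index; } LOGON_INDEX[] = {
    { OS_XP, 105 }, { OS_WIN7, 110 }, { OS_WIN8, 117 },
    { OS_WIN8_1, 122 }, { OS_WIN10, 129 },
};

/* Constructed sample library of image names to intercept (not from the patent). */
static const char *const SAMPLE_LIBRARY[] = { "sample-blocked.exe", "other-blocked.exe" };
#define SAMPLE_COUNT (sizeof SAMPLE_LIBRARY / sizeof SAMPLE_LIBRARY[0])

/* Feature index mapped to `os`, or -1 when the version is not in the set. */
int logon_index_for(os_version os)
{
    for (size_t i = 0; i < sizeof LOGON_INDEX / sizeof LOGON_INDEX[0]; i++)
        if (LOGON_INDEX[i].os == os)
            return LOGON_INDEX[i].index;
    return -1;
}

/* Last path component; accepts both '\\' and '/' separators. */
static const char *image_name(const char *path)
{
    const char *name = path;
    for (const char *p = path; *p; p++)
        if (*p == '\\' || *p == '/')
            name = p + 1;
    return name;
}

/* ASCII case-insensitive equality, since Windows file names ignore case. */
static int same_name(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == *b;
}

/* 1 if the caller's image name is in the to-be-intercepted library. */
int in_intercept_library(const char *caller_path, const char *const *library, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (same_name(image_name(caller_path), library[i]))
            return 1;
    return 0;
}

/* Verdict for one hooked call; `prompt` may be NULL (no user prompt configured). */
verdict filter_call(os_version os, int incoming_index, const char *caller_path,
                    const char *const *library, size_t n, prompt_fn prompt)
{
    int expected = logon_index_for(os);
    if (expected < 0 || incoming_index != expected)
        return PASS_THROUGH;        /* assumption: not a logon-process registration */
    if (caller_path == NULL)
        return REFUSE_CALL;         /* assumption: fail closed on unknown caller */
    if (!in_intercept_library(caller_path, library, n))
        return ALLOW_REGISTRATION;  /* differs from every listed application */
    if (prompt != NULL && prompt(caller_path) == USER_ALLOW)
        return ALLOW_REGISTRATION;  /* user chose the allow instruction */
    return REFUSE_CALL;
}

static user_choice always_allow(const char *p)  { (void)p; return USER_ALLOW; }
static user_choice always_refuse(const char *p) { (void)p; return USER_REFUSE; }

int main(void)
{
    static const char *names[] = { "pass through", "allow registration", "refuse call" };
    const char *blocked = "C:\\Temp\\Sample-Blocked.EXE";   /* constructed path */
    prompt_fn prompts[] = { NULL, always_allow, always_refuse };
    for (size_t i = 0; i < 3; i++)
        printf("%s\n", names[filter_call(OS_WIN10, 129, blocked,
                                         SAMPLE_LIBRARY, SAMPLE_COUNT, prompts[i])]);
    return 0;
}
```

The index comparison is only meaningful for the five listed versions; on any other version the model passes the call through, so the interception silently stops applying there.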
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to the process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The embodiments in this specification are described in a related manner; for the same or similar parts, the embodiments may refer to one another, and each embodiment focuses on its differences from the others.
In particular, the apparatus embodiment is described relatively simply because it is substantially similar to the method embodiment; for relevant parts, refer to the description of the method embodiment.
The logic and/or steps represented in a flowchart or otherwise described herein, for example an ordered list of executable instructions that may be considered to implement logic functions, may be embodied in any computer-readable medium for use by, or in combination with, an instruction execution system, apparatus or device (such as a computer-based system, a system including a processor, or another system that can fetch instructions from an instruction execution system, apparatus or device and execute them). For the purposes of this specification, a "computer-readable medium" may be any means that can contain, store, communicate, propagate or transmit a program for use by, or in combination with, an instruction execution system, apparatus or device. More specific examples (a non-exhaustive list) of computer-readable media include: an electrical connection (electronic device) with one or more wirings, a portable computer diskette (magnetic device), random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and portable compact disc read-only memory (CDROM). In addition, the computer-readable medium may even be paper or another suitable medium on which the program can be printed, because the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or otherwise processing it in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that each part of the present invention may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be implemented with software or firmware that is stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or a combination of the following technologies known in the art may be used: a discrete logic circuit having logic gates for implementing logic functions on data signals, an application-specific integrated circuit having suitable combinational logic gates, a programmable gate array (PGA), a field programmable gate array (FPGA), and so on.
An embodiment of the present invention also provides an electronic device, which includes the apparatus described in any of the foregoing embodiments.
Fig. 3 is a schematic structural diagram of an embodiment of the electronic device of the present invention, which can implement the flows of the embodiments shown in Figs. 1-2 of the present invention. As shown in Fig. 3, the electronic device may include: a housing 31, a processor 32, a memory 33, a circuit board 34 and a power supply circuit 35, wherein the circuit board 34 is placed inside the space enclosed by the housing 31, and the processor 32 and the memory 33 are arranged on the circuit board 34; the power supply circuit 35 is used to supply power to each circuit or component of the electronic device; the memory 33 is used to store executable program code; the processor 32 runs a program corresponding to the executable program code by reading the executable program code stored in the memory 33, so as to execute the method for processing process registration described in any of the foregoing embodiments.
For the specific execution of the above steps by the processor 32, and the steps further executed by the processor 32 by running the executable program code, refer to the description of the embodiments shown in Figs. 1-2 of the present invention; they are not repeated here.
The electronic device exists in a variety of forms, including but not limited to:
(1) Mobile communication devices: devices of this kind have mobile communication functions, with voice and data communication as their main purpose. Such terminals include smart phones (such as the iPhone), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: devices of this kind belong to the category of personal computers, have computing and processing functions, and generally also have mobile Internet access. Such terminals include PDA, MID and UMPC devices, such as the iPad.
(3) Portable entertainment devices: devices of this kind can display and play multimedia content. They include audio and video players (such as the iPod), handheld devices, e-books, smart toys and portable in-vehicle navigation devices.
(4) Servers: devices that provide computing services. A server comprises a processor, hard disk, memory, system bus and so on; its architecture is similar to that of a general-purpose computer, but because it must provide highly reliable services, the requirements on processing capacity, stability, reliability, security, scalability and manageability are higher.
(5) Other electronic devices with data interaction functions.
Those skilled in the art can understand that all or part of the steps carried by the methods of the above embodiments can be completed by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium, and when executed it includes one of the steps of the method embodiments or a combination thereof.
For convenience of description, the above apparatus is described as divided by function into various units/modules. Of course, when implementing the present invention, the functions of the units/modules may be realized in one or more pieces of software and/or hardware.
From the description of the above embodiments, those skilled in the art can clearly understand that the present invention can be implemented by means of software plus a necessary general hardware platform. Based on this understanding, the essence of the technical solution of the present invention, or the part that contributes to the prior art, can be embodied in the form of a software product; the computer software product can be stored in a storage medium such as a ROM/RAM, magnetic disk or optical disc, and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the methods described in the embodiments, or in certain parts of the embodiments, of the present invention.
The above is merely a specific embodiment of the present invention, but the scope of protection of the present invention is not limited to it; any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the claims.
Claims (11)
1. A method for processing process registration, characterized by comprising:
when a pre-implanted hook function detects a call to the kernel-driver-level user callback two-parameter function, hooking the kernel-driver-level user callback two-parameter function;
obtaining the current operating system version information and the feature index information passed in when the kernel-driver-level user callback two-parameter function is called;
if the current operating system version information and the passed-in feature index information match the preset operating system version information/feature index information set mapped to the logon process, obtaining the process information for calling the kernel-driver-level user callback two-parameter function, executing the registration logon process function, and registering the target process to be registered as a logon process;
if the application mapped by the obtained process information is identical to any to-be-intercepted application in the preset to-be-intercepted application feature library, refusing the call to the kernel-driver-level user callback two-parameter function.
2. The method for processing process registration according to claim 1, characterized in that the current operating system version information and the passed-in feature index information matching the preset operating system version information/feature index information set mapped to the logon process comprises:
querying the operating system version information/feature index information set with the obtained current operating system version information, to obtain the feature index information mapped to the current operating system;
if the passed-in feature index information is identical to the obtained feature index information, determining a match.
3. The method for processing process registration according to claim 1, characterized in that, after it is found that the application mapped by the obtained process information is identical to any to-be-intercepted application in the preset to-be-intercepted application feature library, and before refusing the call to the kernel-driver-level user callback two-parameter function, the method further comprises:
displaying the application mapped by the obtained process information, and prompting that the displayed application is registering a process as a logon process;
receiving the instruction selected by the user; if the instruction is an allow instruction, allowing the kernel-driver-level user callback two-parameter function to perform the operation of registering the logon process; if the instruction is a refuse instruction, executing the step of refusing the call to the kernel-driver-level user callback two-parameter function.
4. The method for processing process registration according to claim 1, characterized in that the method further comprises:
if the application mapped by the obtained process path information differs from every to-be-intercepted application in the preset to-be-intercepted application feature library, allowing the kernel-driver-level user callback two-parameter function to perform the operation of registering the logon process.
5. The method for processing process registration according to any one of claims 1 to 4, characterized in that the preset operating system version information/feature index information set mapped to the logon process comprises:
For the XP operating system, the mapped feature index information is 105;
For the Win7 operating system, the mapped feature index information is 110;
For the Win8 operating system, the mapped feature index information is 117;
For the Win8.1 operating system, the mapped feature index information is 122;
For the Win10 operating system, the mapped feature index information is 129.
6. An apparatus for processing process registration, characterized by comprising: a hook module, a version information obtaining module, a process information obtaining module and a registration processing module, wherein
the hook module is configured to hook the kernel-driver-level user callback two-parameter function when a pre-implanted hook function detects a call to that function;
the version information obtaining module is configured to obtain the current operating system version information and the feature index information passed in when the kernel-driver-level user callback two-parameter function is called;
the process information obtaining module is configured to, if the current operating system version information and the passed-in feature index information match the preset operating system version information/feature index information set mapped to the logon process, obtain the process information for calling the kernel-driver-level user callback two-parameter function, execute the registration logon process function, and register the target process to be registered as a logon process;
the registration processing module is configured to refuse the call to the kernel-driver-level user callback two-parameter function if the application mapped by the obtained process information is identical to any to-be-intercepted application in the preset to-be-intercepted application feature library.
7. The apparatus for processing process registration according to claim 6, characterized in that the process information obtaining module comprises: a feature index information obtaining unit, a matching unit and a process information obtaining unit, wherein
the feature index information obtaining unit is configured to query the operating system version information/feature index information set with the obtained current operating system version information, to obtain the feature index information mapped to the current operating system;
the matching unit is configured to determine a match if the passed-in feature index information is identical to the obtained feature index information;
the process information obtaining unit is configured to obtain the process information for calling the kernel-driver-level user callback two-parameter function.
8. The apparatus for processing process registration according to claim 6, characterized in that the registration processing module comprises: an interception matching unit, a display unit and an instruction processing unit, wherein
the interception matching unit is configured to notify the display unit if the application mapped by the obtained process information is identical to any to-be-intercepted application in the preset to-be-intercepted application feature library;
the display unit is configured to display the application mapped by the obtained process information, and to prompt that the displayed application is registering a process as a logon process;
the instruction processing unit is configured to receive the instruction selected by the user; if the instruction is an allow instruction, the kernel-driver-level user callback two-parameter function is allowed to perform the operation of registering the logon process; if the instruction is a refuse instruction, the call to the kernel-driver-level user callback two-parameter function is refused.
9. The apparatus for processing process registration according to claim 6, characterized in that the registration processing module is further configured to allow the kernel-driver-level user callback two-parameter function to perform the operation of registering the logon process if the application mapped by the obtained process path information differs from every to-be-intercepted application in the preset to-be-intercepted application feature library.
10. The apparatus for processing process registration according to any one of claims 6 to 9, characterized in that the preset operating system version information/feature index information set mapped to the logon process comprises:
For the XP operating system, the mapped feature index information is 105;
For the Win7 operating system, the mapped feature index information is 110;
For the Win8 operating system, the mapped feature index information is 117;
For the Win8.1 operating system, the mapped feature index information is 122;
For the Win10 operating system, the mapped feature index information is 129.
11. An electronic device, characterized in that the electronic device comprises: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit is used to supply power to each circuit or component of the electronic device; the memory is used to store executable program code; the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to execute the method for processing process registration according to any one of the preceding claims 1-5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610547975.5A CN106228062B (en) | 2016-07-12 | 2016-07-12 | A kind of method, apparatus and electronic equipment for the treatment of progress registration |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106228062A CN106228062A (en) | 2016-12-14 |
CN106228062B true CN106228062B (en) | 2019-04-26 |
Family
ID=57519611
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610547975.5A Active CN106228062B (en) | 2016-07-12 | 2016-07-12 | A kind of method, apparatus and electronic equipment for the treatment of progress registration |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106228062B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11106491B2 (en) * | 2018-04-06 | 2021-08-31 | Beijing Didi Infinity Technology And Development Co., Ltd. | Method and system for kernel routine callbacks |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101350052A (en) * | 2007-10-15 | 2009-01-21 | 北京瑞星国际软件有限公司 | Method and apparatus for discovering malignancy of computer program |
CN101414341A (en) * | 2007-10-15 | 2009-04-22 | 北京瑞星国际软件有限公司 | Software self-protection method |
CN101478407A (en) * | 2008-01-03 | 2009-07-08 | 联想(北京)有限公司 | Method and apparatus for on-line safe login |
CN104077220A (en) * | 2014-06-10 | 2014-10-01 | 中标软件有限公司 | Method and device for debugging microprocessor without interlocked piped stages (MIPS) framework operating system kernel |
CN104636659A (en) * | 2014-12-31 | 2015-05-20 | 株洲南车时代电气股份有限公司 | Register data generation method and device |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8621584B2 (en) * | 2011-08-31 | 2013-12-31 | Mcafee, Inc. | Credential provider that encapsulates other credential providers |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106201468B (en) | A kind of processing method of screenshotss, device and electronic equipment | |
CN104270386B (en) | Across application system user (asu) information integrating method and identity information management server | |
CN106203077B (en) | A kind of processing method of Copy Info, device and electronic equipment | |
CN109831456A (en) | Information push method, device, equipment and storage medium | |
CN109818937A (en) | For the control method of Android permission, device and storage medium, electronic device | |
CN105574437B (en) | Method and device for protecting privacy information and electronic equipment | |
CN109831504A (en) | Micro services request processing method, device and equipment | |
CN101601257A (en) | System and method by user and equipment control network access security policy | |
US20170316209A1 (en) | Method and device for preventing application in an operating system from being uninstalled | |
CN104506487A (en) | Credible execution method for privacy policy in cloud environment | |
CN106127031A (en) | Method and device for protecting process and electronic equipment | |
Mohsen et al. | Android keylogging threat | |
Zhang et al. | A trust‐based noise injection strategy for privacy protection in cloud | |
CN106203069B (en) | A kind of hold-up interception method of dynamic link library file, device and terminal device | |
CN105893847A (en) | Method and device for protecting safety protection application program file and electronic equipment | |
CN106126291A (en) | Method and device for deleting malicious file and electronic equipment | |
CN106228062B (en) | A kind of method, apparatus and electronic equipment for the treatment of progress registration | |
CN106682493B (en) | A kind of method, apparatus for preventing process from maliciously being terminated and electronic equipment | |
Zhang et al. | PhoneProtector: protecting user privacy on the android-based mobile platform | |
CN106203119B (en) | Hide processing method, device and the electronic equipment of cursor | |
CN106169049B (en) | A kind of method, apparatus and electronic equipment of the registration of processing thread | |
CN105868625A (en) | Method and device for intercepting restart deletion of file | |
CN106022110B (en) | The method and device of identification push platform application | |
CN106203115A (en) | Application program protection method and device and electronic equipment | |
CN106131805A (en) | The method of a kind of information transmission and terminal |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
TA01 | Transfer of patent application right | ||
TA01 | Transfer of patent application right |
Effective date of registration: 20190118 Address after: 519031 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province Applicant after: Zhuhai Leopard Technology Co.,Ltd. Address before: 100085 East District, Second Floor, 33 Xiaoying West Road, Haidian District, Beijing Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd. |
GR01 | Patent grant | ||
GR01 | Patent grant |