CN106599687A

CN106599687A - Method and device for opening Flash file in application program

Info

Publication number: CN106599687A
Application number: CN201611030834.2A
Authority: CN
Inventors: 郑劲松; 魏狄龙; 郭涛
Original assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Current assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Priority date: 2016-11-18
Filing date: 2016-11-18
Publication date: 2017-04-26

Abstract

The invention discloses a method and device for opening a Flash file in an application program. The method comprises following steps: monitoring an event in which a designated application program loads a Flash file; intercepting the Flash file such that the designated application program fails to render the Flash file when monitoring the end of the event in which the designated application program loads the Flash file; carrying out safety scanning on the Flash file and determining whether the Flash file is a suspicious file or not; keeping intercepting the Flash file if so and otherwise releasing the Flash file and allowing the designated application program to render and start the Flash file. In the scheme, the method and device for opening the Flash file in the application program have following beneficial effects: after loading, the designated application program intercepts the Flash file and carries out safety scanning onto the Flash file; after determining that the Flash file is not a suspicious file, the designated application program is allowed to render and open the Flash file so that safety of operation for opening the Flash file in the designated application program is ensured; and the safety problem of the designated application program is avoided due to safety holes of the Flash file.

Description

A kind of method and apparatus for opening Flash file in the application

Technical field

The present invention relates to Internet technical field, and in particular to a kind of method for opening Flash file in the application And device.

Background technology

With the continuous development of Internet technology, people are further frequent for the use of network, can be carried out by network Many matters such as work, study, life, amusement, have brought great convenience.However, people are using interconnection During net there is leak in used many files, and the leak of these files is to malice developer with opportunity, malice Developers can utilize the leak of these files to attack the application program for opening these files, and especially, Flash is literary Part be easier when Flash file is opened as a document form that itself there is many leaks, in the application due to The leak of Flash file itself and cause the potential safety hazard of application program, threaten application program user information security, give The aspects such as the person, the property of user are lost.

The content of the invention

In view of the above problems, it is proposed that the present invention so as to provide one kind overcome the problems referred to above or at least in part solve on State the method and apparatus for opening Flash file in the application of problem.

According to one aspect of the present invention, there is provided a kind of method for opening Flash file in the application, including：

Monitor the event that specified application loads Flash file；

At the end of the event of the specified application loading Flash file is listened to, intercepting the Flash file makes Obtaining the specified application cannot render to the Flash file；

Security sweep is carried out to the Flash file, judges whether the Flash file is apocrypha；

It is then, to maintain the interception to the Flash file；Otherwise, the clearance Flash file, it is allowed to specify and apply journey Sequence renders and opens the Flash file.

Alternatively, the specified application is web browser；

The event for monitoring specified application loading Flash file includes：Monitor web browser download Flash literary The event of part；

At the end of the event that the specified application loading Flash file ought be listened to, the Flash is obtained literary Part simultaneously forbids the specified application to render the Flash file including：It is literary to the Flash when web browser is listened to At the end of part is downloaded, intercept the Flash file and web browser cannot be rendered to the Flash file.

Alternatively, the event for monitoring web browser download Flash file includes：In the download mould of web browser Carry Hook Function in block, by the Hook Function monitor web browser download module start download Flash file with And terminate to download the event of Flash file；

It is described at the end of it listen to web browser to Flash file download, intercept the Flash file and cause Web browser cannot the Flash file be carried out rendering including：Under the download module for listening to web browser terminates When carrying Flash file, the Flash modules of the download module of web browser to web browser are intercepted by the Hook Function The Flash file for sending；

Then when it is not apocrypha to detect the Flash file, the clearance Flash file, it is allowed to specify Application program is rendered and opens the Flash file to be included：The Flash file is sent to the Flash moulds of web browser Block, is rendered and is opened by the Flash modules to the Flash file.

Alternatively, the carry Hook Function in the download module of web browser includes：

Carry on the derivation function that call back function is downloaded for creating data in the urlmon files of web browser First Hook Function, the data created in the derivation function download the Hook Function of carry second on call back function.

Alternatively, leading for call back function is downloaded for creating data in the urlmon files of web browser described Go out on function before the Hook Function of carry first, the method is further included：

Obtain the data structure of corresponding with the version of current web page browser urlmon files, according to the data structure from The derivation function, then the Hook Function of carry first on the derivation function are searched in urlmon files.

Alternatively, download of the download module of web browser to Flash file includes：The download module of web browser N number of block data of the Flash file is downloaded successively, N is the positive integer more than 1；

The method is further included：When the download module for listening to web browser terminates to download the Flash file During each block data in front N-1 piecemeal, the block data is cached, it is allowed to the download module of web browser to The Flash modules of web browser send the block data；

It is described when the download module for listening to web browser terminate download Flash file when, by the Hook Function Intercept the download module of web browser includes to the Flash file that the Flash modules of web browser send：Work as monitoring When terminating last block data for downloading the Flash file to the download module of web browser, by the hook The block data that the download module of intercepting api callses web browser sends to the Flash modules of web browser.

Alternatively, it is described security sweep is carried out to the Flash file to include：The front N-1 block data of caching is read, Flash file to being made up of with last block data for being intercepted front N-1 block data carries out security sweep；

Then when it is not apocrypha to detect the Flash file, the Flash file is sent to web browser Flash modules, the Flash file is rendered by the Flash modules and is opened including：By last block data Send to the Flash modules of web browser, by the Flash modules to by front N-1 block data with intercepted last The Flash file that individual block data is constituted is rendered and opened.

Alternatively, it is described security sweep is carried out to the Flash file to include：According to virus database to the Flash File carries out security sweep；

When it is apocrypha to judge the Flash file, the method is further included：

The window handle of the web browser of current thread place process is obtained, net is traveled through by IWebBrowser2 interfaces The current html page content of page browsing device, hits the Flash file of the first predetermined condition in the current html page of acquisition Url addresses；

The characteristic information of the Flash file is obtained, the url addresses and characteristic information together be recorded into viral data In storehouse.

Alternatively, the specified application is word processor；

The event for monitoring specified application loading Flash file includes：Monitor word processor reading Flash literary The event of part；

At the end of the event that the specified application loading Flash file ought be listened to, the Flash is obtained literary Part simultaneously forbids the specified application to render the Flash file including：It is literary to the Flash when word processor is listened to At the end of part reads, intercept the Flash file and word processor cannot be rendered to the Flash file.

Alternatively, the event for monitoring word processor reading Flash file includes：Created in word processor Carry Hook Function in specified object, monitors word processor and calls the specified object to start to read by the Hook Function The event of Flash file is read in Flash file and end；

It is described at the end of it listen to word processor to Flash file reading, intercept the Flash file and cause Word processor cannot the Flash file be carried out rendering including：The specified object is called when word processor is listened to When terminating to read Flash file, the specified object is intercepted by the Hook Function and is sent out to the Flash modules of word processor The Flash file for sending；

Then when it is not apocrypha to detect the Flash file, the clearance Flash file, it is allowed to specify Application program is rendered and opens the Flash file to be included：The Flash file is sent to the Flash moulds of word processor Block, is rendered and is opened by the Flash modules to the Flash file.

Alternatively, reading of the specified object of word processor to Flash file includes：The specified object of word processor N number of block data of the Flash file is read out successively, N is the positive integer more than 1；

The method is further included：The specified object is called to terminate to read the Flash when word processor is listened to During each block data in the front N-1 piecemeal of file, the block data is cached, it is allowed to the specified object Xiang Wen The Flash modules of word processing device send the block data；

It is described when listen to word processor call the specified object terminate read Flash file when, by the hook Subfunction intercepts the Flash file that the specified object sends to the Flash modules of word processor：When listening to word When processor calls the specified object to terminate last block data for reading the Flash file, by the hook The block data for specifying object to send to the Flash modules of word processor described in intercepting api callses.

Then when it is not apocrypha to detect the Flash file, the Flash file is sent to word processor Flash modules, the Flash file is rendered by the Flash modules and is opened including：By last block data Send to the Flash modules of word processor, by the Flash modules to by front N-1 block data with intercepted last The Flash file that individual block data is constituted is rendered and opened.

When it is apocrypha to judge the Flash file, the method is further included：

Obtain the url addresses of the Flash file；

According to another aspect of the present invention, there is provided a kind of device for opening Flash file in the application, bag Include：

Interception unit is monitored, the event that specified application loads Flash file is adapted for listening for；It is described specified when listening to At the end of the event of application program loading Flash file, intercept the Flash file and cause the specified application right The Flash file is rendered；

Scan process unit, is suitable to carry out security sweep to the Flash file, judges that whether the Flash file is Apocrypha；It is then, to maintain the interception to the Flash file；Otherwise, the clearance Flash file, it is allowed to specify and apply journey Sequence renders and opens the Flash file.

Alternatively, the specified application is web browser；

The monitoring interception unit, is adapted for listening for the event that web browser downloads Flash file；It is clear when webpage is listened to At the end of device is look to Flash file download, intercept the Flash file and cause the web browser cannot be to the Flash File is rendered.

Alternatively, the monitoring interception unit, is suitable to the carry Hook Function in the download module of web browser, passes through The Hook Function monitors the download module of web browser and starts to download Flash file and terminate to download Flash file Event；When the download module for listening to web browser terminates to download Flash file, webpage is intercepted by the Hook Function The Flash file that the download module of browser sends to the Flash modules of web browser；

The then scan process unit.It is suitable to when it is not apocrypha to detect the Flash file, will be described Flash file is sent to the Flash modules of web browser, by the Flash modules Flash file is rendered and beaten Open.

Alternatively, the monitoring interception unit, be suitable in the urlmon files of web browser for creating data The Hook Function of carry first on the derivation function of call back function is downloaded, the data created in the derivation function are downloaded back The Hook Function of carry second on letter of transfer number.

Alternatively, the monitoring interception unit, is further adapted for described in the urlmon files of web browser Download for creating data on the derivation function of call back function before the Hook Function of carry first, obtain and current web page browser The corresponding urlmon files of version data structure, the derivation letter is searched from urlmon files according to the data structure Number, then the Hook Function of carry first on the derivation function.

The monitoring interception unit, is further adapted for when the download module for listening to web browser terminates described in download During each block data in the front N-1 piecemeal of Flash file, the block data is cached, it is allowed to web browser Download module send the block data to the Flash modules of web browser；

The monitoring interception unit, be suitable to when the download module that listen to web browser terminate to download the Flash it is literary During last block data of part, the download module of web browser is intercepted to web browser by the Hook Function The block data that Flash modules send.

Alternatively, the scan process unit, is suitable to read the front N-1 block data of caching, to by front N-1 piecemeal The Flash file that data are constituted with last block data for being intercepted carries out security sweep；And it is described detecting When Flash file is not apocrypha, last block data is sent to the Flash modules of web browser, by this Flash modules are rendered to the Flash file being made up of with last block data for being intercepted front N-1 block data And open.

Alternatively, the scan process unit, is suitable to carry out the Flash file safe sweeping according to virus database Retouch；

The scan process unit, is further adapted for, when it is apocrypha to judge the Flash file, obtaining current The window handle of the web browser of thread place process, travels through web browser current by IWebBrowser2 interfaces Html page content, obtains the url addresses of the Flash file that the first predetermined condition is hit in current html page；Obtain institute The characteristic information of Flash file is stated, the url addresses and characteristic information together recorded in virus database.

Alternatively, the specified application is word processor；

The monitoring interception unit, is adapted for listening for the event that word processor reads Flash file；When listening at word At the end of reason device is to Flash file reading, intercepts the Flash file and cause the word processor cannot be to the Flash File is rendered.

Alternatively, the monitoring interception unit, is suitable to the carry hook letter in the specified object that word processor is created Number, monitors word processor and calls the specified object to start to read Flash file and terminate to read by the Hook Function Take the event of Flash file；When listen to word processor call the specified object terminate read Flash file when, pass through The Hook Function intercepts the Flash file that the specified object sends to the Flash modules of word processor；

The then scan process unit.It is suitable to when it is not apocrypha to detect the Flash file, will be described Flash file is sent to the Flash modules of word processor, by the Flash modules Flash file is rendered and beaten Open.

The monitoring interception unit, be further adapted for when listen to word processor call the specified object terminate read During each block data in the front N-1 piecemeal of the Flash file, the block data is cached, it is allowed to the finger Determine object and send the block data to the Flash modules of word processor；

The monitoring interception unit, be suitable to when listen to word processor call the specified object terminate to read it is described During last block data of Flash file, the specified object is intercepted to word processor by the Hook Function The block data that Flash modules send.

Alternatively, the scan process unit, is suitable to read the front N-1 block data of caching, to by front N-1 piecemeal The Flash file that data are constituted with last block data for being intercepted carries out security sweep；And then detect it is described When Flash file is not apocrypha, last block data is sent to the Flash modules of word processor, by this Flash modules are rendered to the Flash file being made up of with last block data for being intercepted front N-1 block data And open.

The scan process unit, is further adapted for, when it is apocrypha to judge the Flash file, obtaining described The url addresses of Flash file；The characteristic information of the Flash file is obtained, the url addresses and characteristic information are together remembered In recording virus database.

From the foregoing, the technical scheme that provides of the present invention in specified application loading, render and to open Flash literary During part, the event that specified application loads the Flash file is monitored, and blocked after the completion of specified application loading Cutting the Flash file prevents specified application to carry out rendering opening to the Flash file that loading is completed from direct, to being blocked The Flash file for cutting carries out security sweep, and after it is determined that the Flash file is not apocrypha specified application pair is allowed again The Flash file is performed and renders opening, it is ensured that the security of the operation of Flash file is opened in specified application, is kept away Exempt to cause the safety problem of specified application due to the security breaches of Flash file itself, provide for specified application More pure, safe Flash treatment mechanisms.

Described above is only the general introduction of technical solution of the present invention, in order to better understand the technological means of the present invention, And can be practiced according to the content of specification, and in order to allow the above and other objects of the present invention, feature and advantage can Become apparent, below especially exemplified by the specific embodiment of the present invention.

Description of the drawings

By the detailed description for reading hereafter preferred embodiment, various other advantages and benefit is common for this area Technical staff will be clear from understanding.Accompanying drawing is only used for illustrating the purpose of preferred embodiment, and is not considered as to the present invention Restriction.And in whole accompanying drawing, it is denoted by the same reference numerals identical part.In the accompanying drawings：

Fig. 1 shows a kind of method for opening Flash file in the application according to an embodiment of the invention Flow chart；

Fig. 2 shows a kind of device for opening Flash file in the application according to an embodiment of the invention Schematic diagram.

Specific embodiment

The exemplary embodiment of the disclosure is more fully described below with reference to accompanying drawings.Although showing the disclosure in accompanying drawing Exemplary embodiment, it being understood, however, that may be realized in various forms the disclosure and should not be by embodiments set forth here Limited.On the contrary, there is provided these embodiments are able to be best understood from the disclosure, and can be by the scope of the present disclosure Complete conveys to those skilled in the art.

Fig. 1 shows a kind of method for opening Flash file in the application according to an embodiment of the invention Flow chart.As shown in figure 1, the method includes：

Step S110, monitors the event that specified application loads Flash file.

Step S120, at the end of the event of the specified application loading Flash file is listened to, intercepts described Flash file causes the specified application to render to the Flash file.

Step S130, to the Flash file security sweep is carried out, and judges whether the Flash file is apocrypha.

Step S140, is then, to maintain the interception to the Flash file；Otherwise, the clearance Flash file, it is allowed to refer to Determine application program and render and open the Flash file.

It can be seen that, the method shown in Fig. 1 is supervised during specified application loads, renders and open Flash file Listen specified application to load the event of the Flash file, and the Flash file is intercepted after the completion of specified application loading Prevent specified application carries out rendering opening from direct to the Flash file that loading is completed, to the Flash file for being intercepted Security sweep is carried out, allows specified application to hold the Flash file again after it is determined that the Flash file is not apocrypha Row render openings, it is ensured that in specified application opening Flash file operation security, it is to avoid due to Flash it is literary The security breaches of part itself and cause the safety problem of specified application, for specified application provide it is more pure, safety Flash treatment mechanisms.

In embodiments of the invention one, the specified application in method shown in Fig. 1 is web browser；Then, it is above-mentioned Step S110 monitors the event of specified application loading Flash file to be included：Monitor web browser and download Flash file Event；Above-mentioned steps S120 obtain described at the end of the event of the specified application loading Flash file is listened to Flash file simultaneously forbids the specified application to render the Flash file including：When listening to web browser to described At the end of Flash file is downloaded, intercept the Flash file and cause web browser to carry out wash with watercolours to the Flash file Dye.Above-mentioned steps S130 carry out security sweep to the Flash file to be included：Call script killing engine literary to the Flash Part carries out security sweep, and the script killing engine includes virus database, and its virus database is the script killing engine pair Sorted out, scanned in great amount of samples data, partition of the level, being formed after the work such as feature extraction, can exactly to Flash File (such as the file of SWF forms) carries out security sweep.

Specifically, the event of above-mentioned monitoring web browser download Flash file includes：In the download mould of web browser Carry Hook Function in block, by the Hook Function monitor web browser download module start download Flash file with And terminate to download the event of Flash file；It is above-mentioned when listen to web browser to the Flash file download at the end of, block Cut the Flash file cause web browser cannot the Flash file be carried out rendering including：When listening to web page browsing When the download module of device terminates to download Flash file, the download module of web browser is intercepted to net by the Hook Function The Flash file that the Flash modules of page browsing device send.

Then when it is not apocrypha to detect the Flash file, the above-mentioned steps S140 clearance Flash file, Allowing specified application to render and open the Flash file includes：The Flash file is sent to web browser Flash modules, are rendered and are opened by the Flash modules to the Flash file.

The implementation process of embodiment one is illustrated with a specific example, in this example, it is intended that application program is IE (Internet Explorer) browser, the module of data download is responsible in IE browser to be included：Urlmon.dll files； The urlmon.dll files include：For creating the derivation function that data download call back function；When the derivation function starts wound When building data download call back function, illustrate that IE browser proceeds by data download；The data that the derivation function is created are downloaded Call back function be for data download terminate after data are adjusted back to the Virtual Function of the rendering module of IE browser, by rendering Module renders and opens downloading data；Wherein, when data are Flash file, the rendering module refers to Flash modules, Flash modules are the OCS modules of adobe.Therefore, start to download the event of Flash file in order to listen to IE browser, The Hook Function of carry first on export in urlmon.dll files, and, in order to listen to IE browser knot Beam downloads the event of Flash file, and the data created in export download the Hook Function of carry second on call back function.

Wherein, because the data structure of the urlmon.dll files of the IE browser of different editions is differed, it is desirable to from IE Search in the urlmon.dll files of browser for creating derivation function and carry the thereon that data download call back function During one Hook Function, the data structure for knowing the urlmon.dll files is needed.Therefore, in the present embodiment, prestore one and match somebody with somebody Information database is put, the configuration information database includes：The data of the urlmon.dll files of the IE browser of different editions Structure；Then before carry Hook Function, the version identifier of current IE browser is first obtained, according to the version identifier from confidence The data structure of the corresponding urlmon.dll files of the version identifier is obtained in breath database, is browsed from IE according to the data structure Search in the urlmon files of device for creating the derivation function that data download call back function, then the carry the on the derivation function One Hook Function.

The monitoring course of work of the first Hook Function and the second Hook Function can be：First Hook Function is deriving function Start to create and the event is intercepted when data download call back function and judges whether the data being downloaded belong to Flash file, judge The event of letting pass after end continues to perform；When the data for judging to be downloaded belong to Flash file, IE is determined Browser proceed by Flash file download, then the second Hook Function data download call back function start by data adjust back to The data of readjustment are intercepted during the Flash modules of IE browser so that Flash modules do not receive data and download call back function transmission Data, now determine IE browser terminate download Flash file.In another embodiment, this programme can also save One Hook Function, only downloads the Hook Function of carry second on call back function in data, monitors IE by the second Hook Function clear Device of looking at terminates the event of downloading data and judges whether the data being downloaded belong to Flash file, is then to determine IE browser knot Beam downloads Flash file.

Under many circumstances, the data downloading process of web browser is not that entirety is downloaded, but is splitted data into Come what is be downloaded respectively, such as download of the download module of IE browser to Flash file is substantially some：Flash File is divided into multiple block datas, and the data volume of each block data is MB levels, or the data volume of each block data For KB levels, or the data volume of different block datas is different, can sequentially from big to small or from small to large.IE browser Download module is downloaded successively in order to multiple block datas of Flash file.For example, the download module of IE browser 10 block datas of Flash file are downloaded successively in order, its process listens to IE browser specifically, working as When download module terminates each block data in front 9 piecemeals for download the Flash file, the block data is delayed Deposit, it is allowed to which the data in the download module of IE browser download call back function and send the block data to Flash modules；Work as monitoring Download module to IE browser terminates to download last block data (the 10th block data) of the Flash file When, intercepted under the data in the download module of IE browser in the second Hook Function that data are downloaded on call back function by carry Carry the block data that call back function sends to the Flash modules of IE browser.

On the above-mentioned basis having been sent to front 9 block datas of Flash file in the Flash modules of IE browser On, intercept the 10th block count that the data in IE browser download the Flash file that call back function sends to Flash modules According to front 9 block datas of reading caching, to by front 9 block datas and the common structure of last block data for being intercepted Into Flash file carry out security sweep；Then when it is not apocrypha to detect the Flash file, what clearance was intercepted 10th block data, the block data is sent to the Flash modules of IE browser, by the Flash modules to by connecing before The Flash file that front 9 block datas for receiving are constituted with last block data being currently received is rendered and beaten Open；If to detect the Flash file be apocrypha, forbid the continuation of the 10th block data in Flash file Transmission so that the Flash modules of IE browser do not get last block data, and Flash modules do not get total data Words cannot untie this Flash file, inextricable just to be rendered, that is, prevent what IE browser was currently downloaded Flash file is opened in IE browser, protects the safety of IE browser.

Wherein, further, after said process has been performed to a Flash file, the data file in shining spring is judged Whether size exceedes caching limits, if it exceeds then directly empty caching thinking at the download and scanning of next Flash file Reason process vacates spatial cache, if limit not less than caching temporarily can retain, is emptied again until exceeding caching and limiting Process.

Have been previously mentioned, it is above-mentioned data interception download call back function be sent to Flash modules Flash file it Afterwards, carrying out security sweep to the Flash file includes：It is literary to the Flash according to the virus database of script killing engine Part carries out security sweep；Then when it is apocrypha to judge the Flash file, the method shown in Fig. 1 is further included：Obtain The window handle of the IE browser of current thread place process is taken, web browser is traveled through by IWebBrowser2 interfaces current Html page content, obtain the url addresses of the Flash file that the first predetermined condition is hit in current html page；Obtain The characteristic information of the Flash file, the url addresses and characteristic information together recorded in virus database.

Specifically, Flash file is SWF formatted files, and the first predetermined condition is：The url addresses of SWF formatted files with .swf end up；Or, the corresponding local preservation temporary file of SWF formatted files is with .swf endings.Obtain hit this first make a reservation for The url addresses of the SWF formatted files of condition and characteristic information, record, its record format to the url addresses and characteristic information For：

http://s.360.cn/wangdun/wdcom.htmlId=qex_ie＆brwv=8.0.0.xxxx＆osv= 6.2.xxxx＆qv=3.x.x.xxx＆fv=x.0.0.xxxx＆ft=ocx＆url=xxxurlnum=x＆topurl1=xxxr Ef1=xxx＆pref1=xxx＆ifrm1=xxx.....md5=xxx＆sha1=xxx＆vname=x xx.

Including one or more characteristic information and url addresses：

id：Qex_ie (represents the ID of script killing engine), brwv：Browser-ver (represents the version of web browser This), osv：Os-ver (represents the version of operating system), qv：Qex-ver (represents the version of script killing engine), fv： Flash-ver (version of Flash file), ft：Type (np/pp/ocx) (represents the type of Flash modules), url：swf- Url (represents the url addresses of SWF formatted files), urlnum：The quantity of URL, topurl1：Top-url (represents top attributes Url addresses), ref1：Refer-url (represents the url addresses of refer attributes), pref1：Refer2-url (represents refer2 category The url addresses of property), ifrm1：Iframe-url (represents the url addresses of iframe attributes), md5：Swf md5 (represent SWF lattice The MD5 values of formula file), sha1：The sha1 (representing the SHA1 values of SWF formatted files) of swf, vname：Virus Name.

The above- mentioned information for being recorded is added in virus database, to improve the security sweep of more new script killing engine Mechanism.

Above-mentioned example is illustrated by taking IE browser as an example, and other web browsers can perform identical according to this principle Treatment mechanism, will not be described here.

In embodiments of the invention two, the specified application in method shown in Fig. 1 is word processor；Step S110 Monitoring the event of specified application loading Flash file includes：Monitor the event that word processor reads Flash file；Step Rapid S120 obtains the Flash file and prohibits at the end of the event of the specified application loading Flash file is listened to Only the specified application renders the Flash file and includes：The Flash file is read when word processor is listened to At the end of, intercept the Flash file and word processor cannot be rendered to the Flash file.Above-mentioned steps S130 carries out security sweep to the Flash file to be included：Call script killing engine to carry out the Flash file safety to sweep Retouch, the script killing engine includes virus database, its virus database is the script killing engine for great amount of samples number According to being sorted out, scanned, partition of the level, formed after the work such as feature extraction, can be exactly to Flash file (such as SWF lattice The file of formula) carry out security sweep.

Embodiments of the invention two are illustrated with a specific example：In this example, it is intended that application program is Word document, when a word document the inside embedded in the url addresses of Flash file, the word document after opening can be certainly It is dynamic to go on the net to download corresponding Flash file, or the Flash file of one body of setting, word document is in opening Local Flash file loading can be got up automatically afterwards, the process of loading is actually word document oneself establishment one and specifies Object, calls the specified object to read the process of Flash file, and after Flash file reads to be terminated, the specified object will Rendered and opened in the Flash modules that Flash file sends into word document.

Therefore, the specified object for being created to listen to word document terminates the event for reading Flash file, above-mentioned prison The event that word document reads Flash file is listened to include：The carry Hook Function in the specified object that word document is created, leads to Crossing the Hook Function monitoring word document calls the specified object to start to read Flash file and terminate to read Flash The event of file；It is above-mentioned at the end of it listen to word document to Flash file reading, intercepting the Flash file makes Word document cannot the Flash file be carried out rendering including：The specified object knot is called when word document is listened to When beam reads Flash file, intercept what the specified object sent to the Flash modules of word document by the Hook Function The Flash file；Then when it is not apocrypha to detect the Flash file, the above-mentioned clearance Flash file is permitted Perhaps specified application is rendered and opens the Flash file and includes：The Flash file is sent to word document Flash modules, are rendered and are opened by the Flash modules to the Flash file.

Under many circumstances, the data read process of word processor is not that entirety is read out, but is splitted data into Come what is be read out respectively, e.g., reading of the specified object that word document is created to Flash file includes some： The specified object that word document is created is read out successively to N number of block data of the Flash file, and N is more than 1 just Integer；Then the method shown in Fig. 1 is further included：The specified object is called to terminate described in reading when word document is listened to During each block data in the front N-1 piecemeal of Flash file, the block data is cached, it is allowed to described to specify right As sending the block data to the Flash modules of word document；The word document that ought listen to calls the specified object knot When beam reads Flash file, intercept what the specified object sent to the Flash modules of word document by the Hook Function The Flash file：When listen to word document call the specified object terminate to read the Flash file last During block data, the piecemeal that the specified object sends to the Flash modules of word document is intercepted by the Hook Function Data.

Then carrying out security sweep to the Flash file includes：The front N-1 block data of caching is read, to by front N-1 The Flash file that individual block data is constituted with last block data for being intercepted carries out security sweep；Then detecting When stating Flash file and being not apocrypha, the Flash file is sent to the Flash modules of word document, by the Flash Module the Flash file is rendered and opened including：Last block data is sent to the Flash of word document Module, by the Flash modules to literary with the Flash that last block data for being intercepted is constituted by front N-1 block data Part is rendered and opened.

Have been previously mentioned, it is above-mentioned after intercepting specified object and being sent to the Flash file of Flash modules, to described Flash file carries out security sweep to be included：Safety is carried out to the Flash file according to the virus database of script killing engine Scanning；Then when it is apocrypha to judge the Flash file, the method shown in Fig. 1 is further included：Obtain described The url addresses of Flash file；The characteristic information of the Flash file is obtained, the url addresses and characteristic information are together remembered In recording virus database.

http://s.360.cn/wangdun/wdcom.htmlMid=0f1622d004xx＆from=＆id=qex_i E＆app=TWljcm9zb2＆osv=6.1.7601＆qv=4.1.8.3270＆fv=21.0.0.21 3＆ft=ocx＆ur l= ZmlsZTovLxxx==＆md5=d36b9d6xxx＆sha1=161151e0xxx＆vname=sus p.swf.qexvmI.95

The characteristic information and url addresses for wherein recording includes：

The ID, app=TWljcm9zb2//application name, Base64 of id=qex_ofc//script killing engine), The version of osv=6.1.7601//operating system version, qv=4.1.8.3270//script killing engine, fv= 21.0.0.213//Flash the version of module, ft=ocx//Flash types, url=ZmlsZxxxx//sample URL (may be Local path), the Md5 values of md5=d36b9d6xxx//SWF formatted files, sha1=161151e08//SWF formatted files Sha1 values, vname=susp.xxx//Virus Name.

The implementation process of embodiment two is hereinbefore illustrated by taking the process that word document opens Flash file as an example, other Office tools class application program opens the process of Flash file with this in the same manner, such as powerpoint presentation class application software, Excel spreadsheet applications etc., this is not restricted.

Fig. 2 shows a kind of device for opening Flash file in the application according to an embodiment of the invention Schematic diagram.As shown in Fig. 2 the device 200 for opening Flash file in the application includes：

Interception unit 210 is monitored, the event that specified application loads Flash file is adapted for listening for；It is described when listening to At the end of the event of specified application loading Flash file, intercept the Flash file cause the specified application without Method is rendered to the Flash file.

Scan process unit 220, is suitable to carry out security sweep to the Flash file, whether judges the Flash file For apocrypha；It is then, to maintain the interception to the Flash file；Otherwise, the clearance Flash file, it is allowed to specify application Programs render simultaneously opens the Flash file.

It can be seen that, the device shown in Fig. 2 is supervised during specified application loads, renders and open Flash file Listen specified application to load the event of the Flash file, and the Flash file is intercepted after the completion of specified application loading Prevent specified application carries out rendering opening from direct to the Flash file that loading is completed, to the Flash file for being intercepted Security sweep is carried out, allows specified application to hold the Flash file again after it is determined that the Flash file is not apocrypha Row render openings, it is ensured that in specified application opening Flash file operation security, it is to avoid due to Flash it is literary The security breaches of part itself and cause the safety problem of specified application, for specified application provide it is more pure, safety Flash treatment mechanisms.

In one embodiment of the invention, the specified application is web browser；Interception unit 210 is monitored, It is adapted for listening for the event that web browser downloads Flash file；Knot is downloaded to the Flash file when web browser is listened to Shu Shi, intercepts the Flash file and web browser cannot be rendered to the Flash file.

Wherein, interception unit 210 is monitored, the carry Hook Function in the download module of web browser is suitable to, by institute The download module for stating Hook Function monitoring web browser starts to download Flash file and terminates to download the thing of Flash file Part；When the download module for listening to web browser terminates to download Flash file, webpage is intercepted by the Hook Function clear The Flash file that the download module of device of looking at sends to the Flash modules of web browser；Scan process unit 220.It is suitable to When it is not apocrypha to detect the Flash file, the Flash file is sent to the Flash moulds of web browser Block, is rendered and is opened by the Flash modules to the Flash file.

Specifically, monitor interception unit 210, be suitable in the urlmon files of web browser for creating data under The Hook Function of carry first on the derivation function of call back function is carried, the data created in the derivation function download readjustment The Hook Function of carry second on function.

Further, interception unit 210 is monitored, is further adapted for described in the urlmon files of web browser Download for creating data on the derivation function of call back function before the Hook Function of carry first, obtain and current web page browser The corresponding urlmon files of version data structure, the derivation letter is searched from urlmon files according to the data structure Number, then the Hook Function of carry first on the derivation function.

In one embodiment of the invention, download of the download module of web browser to Flash file includes：Webpage The download module of browser is downloaded successively to N number of block data of the Flash file, and N is the positive integer more than 1；Prison Interception unit 210 is listened, is further adapted for before the download module for listening to web browser terminates to download the Flash file During each block data in N-1 piecemeal, the block data is cached, it is allowed to which the download module of web browser is to net The Flash modules of page browsing device send the block data；And be suitable under the download module for listening to web browser terminates When carrying last block data of the Flash file, the download module of web browser is intercepted by the Hook Function To the block data that the Flash modules of web browser send.

Wherein, scan process unit 220, is suitable to read the front N-1 block data of caching, to by front N-1 block count Security sweep is carried out according to the Flash file constituted with last block data for being intercepted；And detecting the Flash When file is not apocrypha, last block data is sent to the Flash modules of web browser, by the Flash moulds Block is rendered and opened to the Flash file being made up of with last block data for being intercepted front N-1 block data.

In one embodiment of the invention, scan process unit 220, is suitable to according to virus database to the Flash File carries out security sweep；Scan process unit 220, is further adapted for when it is apocrypha to judge the Flash file, The window handle of the web browser of current thread place process is obtained, web browser is traveled through by IWebBrowser2 interfaces Current html page content, obtains the url addresses of the Flash file that the first predetermined condition is hit in current html page； The characteristic information of the Flash file is obtained, the url addresses and characteristic information together recorded in virus database.

In another embodiment of the present invention, the specified application is word processor；Monitor interception unit 210, it is adapted for listening for the event that word processor reads Flash file；The Flash file is read when word processor is listened to At the end of taking, intercept the Flash file and word processor cannot be rendered to the Flash file.

Wherein, interception unit 210 is monitored, is suitable to the carry Hook Function in the specified object that word processor is created, Monitoring word processor by the Hook Function calls the specified object to start to read Flash file and terminate to read The event of Flash file；When listen to word processor call the specified object terminate read Flash file when, by institute State Hook Function and intercept the Flash file that the specified object sends to the Flash modules of word processor；Scan process Unit 220.It is suitable to, when it is not apocrypha to detect the Flash file, the Flash file be sent to word processing The Flash modules of device, are rendered and are opened by the Flash modules to the Flash file.

In one example, reading of the specified object of word processor to Flash file includes：The finger of word processor Determine object to be read out N number of block data of the Flash file successively, N is the positive integer more than 1；Monitor interception unit 210, it is further adapted for calling the specified object to terminate to read the front N-1 of the Flash file when listening to word processor During each block data in individual piecemeal, the block data is cached, it is allowed to which the specified object is to word processor Flash modules send the block data；Monitor interception unit 210, be suitable to when listen to word processor call it is described specify it is right As terminating to read during last block data of the Flash file, the specified object is intercepted by the Hook Function To the block data that the Flash modules of word processor send.

Wherein, scan process unit 220, is suitable to read the front N-1 block data of caching, to by front N-1 block count Security sweep is carried out according to the Flash file constituted with last block data for being intercepted；And then detect it is described When Flash file is not apocrypha, last block data is sent to the Flash modules of word processor, by this Flash modules are rendered to the Flash file being made up of with last block data for being intercepted front N-1 block data And open.

Wherein, scan process unit 220, is suitable to carry out security sweep to the Flash file according to virus database；Sweep Processing unit 220 is retouched, is further adapted for, when it is apocrypha to judge the Flash file, obtaining the Flash file Url addresses；The characteristic information of the Flash file is obtained, the url addresses and characteristic information together be recorded into viral data In storehouse.

Wherein, each embodiment of the device shown in Fig. 2 and each embodiment of the method shown in Fig. 1 are corresponding identical, above Describe in detail, will not be described here.

In sum, the technical scheme that the present invention is provided is loaded, renders and open Flash file in specified application During, the event that specified application loads the Flash file is monitored, and intercept after the completion of specified application loading The Flash file prevents specified application to carry out rendering opening to the Flash file that loading is completed from direct, to being intercepted Flash file carry out security sweep, allow specified application again after it is determined that the Flash file is not apocrypha to this Flash file is performed and renders opening, it is ensured that the security of the operation of Flash file is opened in specified application, it is to avoid Cause the safety problem of specified application due to the security breaches of Flash file itself, provide more for specified application For pure, safe Flash treatment mechanisms.

It should be noted that：

Provided herein algorithm and display be not inherently related to any certain computer, virtual bench or miscellaneous equipment. Various fexible units can also be used together based on teaching in this.As described above, construct required by this kind of device Structure be obvious.Additionally, the present invention is also not for any certain programmed language.It is understood that, it is possible to use it is various Programming language realizes the content of invention described herein, and the description done to language-specific above is to disclose this Bright preferred forms.

In specification mentioned herein, a large amount of details are illustrated.It is to be appreciated, however, that the enforcement of the present invention Example can be put into practice in the case of without these details.In some instances, known method, structure is not been shown in detail And technology, so as not to obscure the understanding of this description.

Similarly, it will be appreciated that in order to simplify the disclosure and help understand one or more in each inventive aspect, exist Above in the description of the exemplary embodiment of the present invention, each feature of the present invention is grouped together into single enforcement sometimes In example, figure or descriptions thereof.However, the method for the disclosure should be construed to reflect following intention：I.e. required guarantor The more features of feature that the application claims ratio of shield is expressly recited in each claim.More precisely, such as following Claims reflect as, inventive aspect is all features less than single embodiment disclosed above.Therefore, Thus the claims for following specific embodiment are expressly incorporated in the specific embodiment, wherein each claim itself All as the separate embodiments of the present invention.

Those skilled in the art are appreciated that can be carried out adaptively to the module in the equipment in embodiment Change and they are arranged in one or more equipment different from the embodiment.Can be the module or list in embodiment Unit or component are combined into a module or unit or component, and can be divided in addition multiple submodule or subelement or Sub-component.In addition at least some in such feature and/or process or unit is excluded each other, can adopt any Combine to all features disclosed in this specification (including adjoint claim, summary and accompanying drawing) and so disclosed Where all processes or unit of method or equipment are combined.Unless expressly stated otherwise, this specification is (including adjoint power Profit is required, summary and accompanying drawing) disclosed in each feature can it is identical by offers, be equal to or the alternative features of similar purpose carry out generation Replace.

Although additionally, it will be appreciated by those of skill in the art that some embodiments described herein include other embodiments In included some features rather than further feature, but the combination of the feature of different embodiments means in of the invention Within the scope of and form different embodiments.For example, in the following claims, embodiment required for protection appoint One of meaning can in any combination mode using.

The present invention all parts embodiment can be realized with hardware, or with one or more processor operation Software module realize, or with combinations thereof realization.It will be understood by those of skill in the art that can use in practice Microprocessor or digital signal processor (DSP) are realizing opening Flash in the application according to embodiments of the present invention The some or all functions of some or all parts in the device of file.The present invention is also implemented as performing this In described method some or all equipment or program of device (for example, computer program and computer program Product).Such program for realizing the present invention can be stored on a computer-readable medium, either can be with one or many The form of individual signal.Such signal can be downloaded from internet website and obtained, or be provided on carrier signal, or with Any other form is provided.

It should be noted that above-described embodiment the present invention will be described rather than limits the invention, and ability Field technique personnel can design without departing from the scope of the appended claims alternative embodiment.In the claims, Any reference symbol between bracket should not be configured to limitations on claims.Word "comprising" is not excluded the presence of not Element listed in the claims or step.Word "a" or "an" before element does not exclude the presence of multiple such Element.The present invention can come real by means of the hardware for including some different elements and by means of properly programmed computer It is existing.If in the unit claim for listing equipment for drying, several in these devices can be by same hardware branch To embody.The use of word first, second, and third does not indicate that any order.These words can be explained and be run after fame Claim.

The invention discloses A1, a kind of method for opening Flash file in the application, wherein, including：

Monitor the event that specified application loads Flash file；

A2, the method as described in A1, wherein, the specified application is web browser；

A3, the method as described in A2, wherein, the event for monitoring web browser download Flash file includes：In net Carry Hook Function in the download module of page browsing device, the download module for monitoring web browser by the Hook Function starts Download Flash file and terminate to download the event of Flash file；

A4, the method as described in A3, wherein, the carry Hook Function in the download module of web browser includes：

A5, the method as described in A4, wherein, it is described in the urlmon files of web browser for creating data Download on the derivation function of call back function before the Hook Function of carry first, the method is further included：

A6, the method as described in A3, wherein, the download of the download module of web browser to Flash file includes：Webpage The download module of browser is downloaded successively to N number of block data of the Flash file, and N is the positive integer more than 1；

A7, the method as described in A6, wherein,

It is described security sweep is carried out to the Flash file to include：The front N-1 block data of caching is read, to by front The Flash file that N-1 block data is constituted with last block data for being intercepted carries out security sweep；

A8, the method as described in A2, wherein, it is described security sweep is carried out to the Flash file to include：According to viral number Security sweep is carried out to the Flash file according to storehouse；

When it is apocrypha to judge the Flash file, the method is further included：

A9, the method as described in A1, wherein, the specified application is word processor；

A10, the method as described in A9, wherein, the event for monitoring word processor reading Flash file includes： Carry Hook Function in the specified object that word processor is created, monitors word processor and calls institute by the Hook Function State specified object to start to read Flash file and terminate to read the event of Flash file；

A11, the method as described in A10, wherein, the reading of the specified object of word processor to Flash file includes：Text The specified object of word processing device is read out successively to N number of block data of the Flash file, and N is the positive integer more than 1；

A12, the method as described in A11, wherein,

A13, the method as described in A9, wherein, it is described security sweep is carried out to the Flash file to include：According to virus Database carries out security sweep to the Flash file；

When it is apocrypha to judge the Flash file, the method is further included：

Obtain the url addresses of the Flash file；

The invention also discloses B14, a kind of device for opening Flash file in the application, wherein, including：

B15, the device as described in B14, wherein, the specified application is web browser；

B16, the device as described in B15, wherein,

The monitoring interception unit, is suitable to the carry Hook Function in the download module of web browser, by the hook Subfunction monitors the download module of web browser and starts to download Flash file and terminate to download the event of Flash file；When When the download module for listening to web browser terminates to download Flash file, web browser is intercepted by the Hook Function Flash modules from download module to web browser send the Flash file；

B17, the device as described in B16, wherein,

The monitoring interception unit, is suitable to download readjustment for creating data in the urlmon files of web browser The Hook Function of carry first on the derivation function of function, the data created in the derivation function are downloaded on call back function The Hook Function of carry second.

B18, the device as described in B17, wherein,

The monitoring interception unit, be further adapted for it is described in the urlmon files of web browser for creating Data are downloaded on the derivation function of call back function before the Hook Function of carry first, obtain the version pair with current web page browser The data structure of the urlmon files answered, according to the data structure derivation function is searched from urlmon files, then in institute State the Hook Function of carry first on derivation function.

B19, the device as described in B16, wherein, the download of the download module of web browser to Flash file includes：Net The download module of page browsing device is downloaded successively to N number of block data of the Flash file, and N is the positive integer more than 1；

B20, the device as described in B19, wherein,

The scan process unit, is suitable to read the front N-1 block data of caching, to by front N-1 block data and The Flash file that last block data for being intercepted is constituted carries out security sweep；And detecting the Flash file When being not apocrypha, last block data is sent to the Flash modules of web browser, by the Flash modules pair The Flash file being made up of with last block data for being intercepted front N-1 block data is rendered and opened.

B21, the device as described in B15, wherein,

The scan process unit, is suitable to carry out security sweep to the Flash file according to virus database；

B22, the device as described in B14, wherein, the specified application is word processor；

B23, the device as described in B22, wherein,

The monitoring interception unit, is suitable to the carry Hook Function in the specified object that word processor is created, and passes through The Hook Function monitors word processor and calls the specified object to start to read Flash file and terminate to read Flash The event of file；When listen to word processor call the specified object terminate read Flash file when, by the hook The Flash file for specifying object to send to the Flash modules of word processor described in intercepting api callses；

B24, the device as described in B23, wherein, the reading of the specified object of word processor to Flash file includes：Text The specified object of word processing device is read out successively to N number of block data of the Flash file, and N is the positive integer more than 1；

B25, the device as described in B24, wherein,

The scan process unit, is suitable to read the front N-1 block data of caching, to by front N-1 block data and The Flash file that last block data for being intercepted is constituted carries out security sweep；And then to detect the Flash literary When part is not apocrypha, last block data is sent to the Flash modules of word processor, by the Flash modules Flash file to being made up of with last block data for being intercepted front N-1 block data is rendered and opened.

B26, the device as described in B22, wherein,

Claims

1. it is a kind of in the application open Flash file method, wherein, including：

Monitor the event that specified application loads Flash file；

At the end of the event of the specified application loading Flash file is listened to, intercept the Flash file and cause institute Stating specified application cannot render to the Flash file；

It is then, to maintain the interception to the Flash file；Otherwise, the clearance Flash file, it is allowed to specified application wash with watercolours Contaminate and open the Flash file.

2. the method for claim 1, wherein the specified application is web browser；

The event for monitoring specified application loading Flash file includes：Monitor web browser and download Flash file Event；

At the end of the event that the specified application loading Flash file ought be listened to, the Flash file is obtained simultaneously Forbidding the specified application to render the Flash file includes：When listening to web browser under the Flash file At the end of load, intercept the Flash file and web browser cannot be rendered to the Flash file.

3. method as claimed in claim 2, wherein, it is described monitor web browser and download the event of Flash file include： Carry Hook Function in the download module of web browser, the download module for monitoring web browser by the Hook Function is opened Begin to download Flash file and terminate to download the event of Flash file；

It is described at the end of it listen to web browser to Flash file download, intercept the Flash file and cause webpage Browser cannot the Flash file be carried out rendering including：When the download module for listening to web browser terminates to download During Flash file, the download module for intercepting web browser by the Hook Function is sent out to the Flash modules of web browser The Flash file for sending；

Then when it is not apocrypha to detect the Flash file, the clearance Flash file, it is allowed to specify application Programs render is simultaneously opened the Flash file and is included：The Flash file is sent to the Flash modules of web browser, by The Flash modules are rendered and opened to the Flash file.

4. method as claimed in claim 3, wherein, the carry Hook Function bag in the download module of web browser Include：

Carry first on the derivation function that call back function is downloaded for creating data in the urlmon files of web browser Hook Function, the data created in the derivation function download the Hook Function of carry second on call back function.

5. method as claimed in claim 4, wherein, it is described in the urlmon files of web browser for creating number Before according to the Hook Function of carry first on the derivation function for downloading call back function, the method is further included：

6. it is a kind of in the application open Flash file device, wherein, including：

Interception unit is monitored, the event that specified application loads Flash file is adapted for listening for；When listening to the specified application At the end of the event of program loading Flash file, intercept the Flash file and cause the specified application cannot be to described Flash file is rendered；

Scan process unit, is suitable to carry out security sweep to the Flash file, judges whether the Flash file is suspicious File；It is then, to maintain the interception to the Flash file；Otherwise, the clearance Flash file, it is allowed to specified application wash with watercolours Contaminate and open the Flash file.

7. device as claimed in claim 6, wherein, the specified application is web browser；

The monitoring interception unit, is adapted for listening for the event that web browser downloads Flash file；When listening to web browser At the end of downloading to the Flash file, intercept the Flash file and cause the web browser cannot be to the Flash file Rendered.

8. device as claimed in claim 7, wherein,

The monitoring interception unit, is suitable to the carry Hook Function in the download module of web browser, by the hook letter Number monitors the download module of web browser and starts to download Flash file and terminate to download the event of Flash file；Work as monitoring To web browser download module terminate download Flash file when, by the Hook Function intercept web browser under Carry the Flash file that module sends to the Flash modules of web browser；

The then scan process unit.It is suitable to when it is not apocrypha to detect the Flash file, the Flash is literary Part is sent to the Flash modules of web browser, by the Flash modules Flash file is rendered and opened.

9. device as claimed in claim 8, wherein,

The monitoring interception unit, is suitable to download call back function for creating data in the urlmon files of web browser Derivation function on the Hook Function of carry first, download carry on call back function in the data that created of derivation function Second Hook Function.

10. device as claimed in claim 9, wherein,

The monitoring interception unit, be further adapted for it is described in the urlmon files of web browser for creating data Download on the derivation function of call back function before the Hook Function of carry first, obtain corresponding with the version of current web page browser The data structure of urlmon files, according to the data structure derivation function is searched from urlmon files, then is led described Go out the Hook Function of carry first on function.