CN106778234A - Application program protection method and device - Google Patents

Application program protection method and device

Info

Publication number
CN106778234A
Authority
CN
China
Prior art keywords
application program
dynamic link
link library
loaded
protected
Prior art date
Legal status
Pending
Application number
CN201510809215.2A
Other languages
Chinese (zh)
Inventor
杨峰
潘建军
王云峰
Current Assignee
Zhuhai Baoqu Technology Co Ltd
Original Assignee
Beijing Kingsoft Internet Security Software Co Ltd
Zhuhai Juntian Electronic Technology Co Ltd

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities


Abstract

The embodiments of the invention disclose a method and a device for protecting an application program. They relate to the technical field of security protection and can effectively prevent an application program from being damaged by a malicious DLL file. The application program protection method comprises the following steps: monitoring calls to the loading function for DLL files; if the process calling the loading function is the process of the application program to be protected, judging whether the DLL file about to be loaded is a malicious DLL file; and if the DLL file to be loaded is malicious, returning a load-refusal message. The method and the device are suitable for preventing an application program from being damaged by a malicious DLL file.

Description

Application program protection method and device
Technical field
The present invention relates to the technical field of security protection, and in particular to an application program protection method and device.
Background art
In the Windows operating system, many application programs are not a single complete executable file; they are divided into several relatively independent dynamic link libraries, i.e. DLL (Dynamic Link Library) files, which are placed in the system. When an application program runs, the corresponding DLL files are called. One application program can have multiple DLL files, and one DLL file may be shared by several application programs; such a DLL file is called a shared DLL file.
Before the self-protection of an application program takes effect, malware can inject a DLL file into the process of the application program by way of DLL injection. Such malware can then do as it pleases inside the process space of the application program and break the functions of the application program, for example by terminating the process of the application program.
Summary of the invention
In view of this, the embodiments of the present invention provide an application program protection method and device that can effectively prevent an application program from being damaged by a malicious DLL file.
In a first aspect, an embodiment of the present invention provides an application program protection method, comprising:
monitoring calls to the loading function for DLL files;
judging whether the process calling the loading function is the process of the application program to be protected;
if the process is the process of the application program to be protected, judging whether the DLL file the process is currently about to load is a malicious DLL file;
if the DLL file to be loaded is a malicious DLL file, returning a load-refusal message.
With reference to the first aspect, in a first embodiment of the first aspect, the application program to be protected is a security-protection-class application program, and monitoring calls to the loading function for DLL files comprises:
during start-up of the Windows operating system, monitoring calls to the loading function for DLL files by means of a hook function; wherein the hook function is contained in the defense driver of the security-protection-class application program.
With reference to the first embodiment of the first aspect, in a second embodiment of the first aspect, judging whether the process calling the loading function is the process of the application program to be protected comprises: obtaining the path information of the process through the hook function, and judging, according to the path information of the process, whether the process is a process under the directory of the application program to be protected.
With reference to the second embodiment of the first aspect, in a third embodiment of the first aspect, if the process is the process of the application program to be protected, judging whether the DLL file the process is currently about to load is a malicious DLL file comprises:
if the process is the process of the application program to be protected, obtaining, through the hook function, the path information of the DLL file the process is currently about to load;
the hook function performing a matching query in an interception rule base according to the obtained path information of the DLL file, so as to judge whether the DLL file to be loaded is a malicious DLL file; wherein the interception rule base stores the path information of malicious DLL files.
With reference to the third embodiment of the first aspect, in a fourth embodiment of the first aspect, calling the loading function and completing the loading of the DLL file through the loading function comprises:
the hook function calling the loading function according to the pre-saved original entry address of the loading function, and completing the loading of the DLL file through the loading function.
In a second aspect, an embodiment of the present invention provides an application program protection device, comprising: a monitoring module for monitoring calls to the loading function for DLL files; a first judging module for judging whether the process calling the loading function is the process of the application program to be protected; a second judging module for judging, if the process is the process of the application program to be protected, whether the DLL file the process is currently about to load is a malicious DLL file; and a load-refusal module for returning a load-refusal message if the DLL file to be loaded is a malicious DLL file.
With reference to the second aspect, in a first embodiment of the second aspect, the application program to be protected is a security-protection-class application program; the security-protection-class application program comprises a defense driver module, and the monitoring module is located in the defense driver module of the security-protection-class application program; the monitoring module is used for monitoring calls to the loading function for DLL files during start-up of the Windows operating system.
With reference to the first embodiment of the second aspect, in a second embodiment of the second aspect, the first judging module comprises: a first acquisition submodule for obtaining the path information of the process; a first judging submodule for judging, according to the path information of the process, whether the process is a process under the directory of the application program to be protected; and a first notification submodule for notifying the second judging module if the process is the process of the application program to be protected.
With reference to the second embodiment of the second aspect, in a third embodiment of the second aspect, the second judging module comprises: a second acquisition submodule for obtaining, if the process is the process of the application program to be protected, the path information of the DLL file the process is currently about to load; a second judging submodule for performing a matching query in an interception rule base according to the path information of the DLL file to be loaded, so as to judge whether the DLL file to be loaded is a malicious DLL file, wherein the interception rule base stores the path information of malicious DLL files; and a second notification submodule for notifying the load-refusal module if the DLL file to be loaded is a malicious DLL file.
The application program protection method and device provided by the embodiments of the present invention monitor calls to the loading function for DLL files, judge whether the process calling the loading function is the process of the application program to be protected, and, if it is, further judge whether the DLL file currently being loaded is a malicious DLL file; if so, a load-refusal message is returned. This prevents a malicious DLL file from being injected into the process of the application program to be protected, so that the application program to be protected is kept from being damaged by a malicious DLL file.
Brief description of the drawings
In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic flowchart of embodiment one of the application program protection method of the present invention;
Fig. 2 is a schematic flowchart of embodiment two of the application program protection method of the present invention;
Fig. 3 is a schematic structural diagram of embodiment one of the application program protection device of the present invention;
Fig. 4 is a schematic structural diagram of embodiment two of the application program protection device of the present invention.
Detailed description of the embodiments
The application program protection method and device of the embodiments of the present invention are described in detail below with reference to the drawings.
It should be understood that the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a schematic flowchart of embodiment one of the application program protection method of the present invention. Referring to Fig. 1, this embodiment of the application program protection method of the present invention comprises the following steps:
S101: monitoring calls to the loading function for DLL files.
In this embodiment, the application program to be protected can be a security-protection-class application program such as Jinshan anti-virus software or Kingsoft bodyguard, or an ordinary application program of a non-security-protection class, such as an instant-messaging application program or a game application program.
A security-protection-class application program generally has a self-protection function. However, before the self-protection function of the security-protection-class application program takes effect, malicious DLL files, such as viruses, worms or Trojan horse programs, can be injected into the process of the security-protection-class application program and take control of it by corrupting that process, thereby destroying the defense function of the security-protection-class application program. Injecting a DLL file into a process means placing the DLL file into the address space of that process, so that the DLL file becomes a part of the process.
In the Windows operating system, the loading function for DLL files is the NtCreateSection function; the Windows operating system kernel loads DLL files by calling the NtCreateSection function. In this embodiment, by monitoring calls to the NtCreateSection function, malicious DLL files can be captured, which makes it easier to prevent them from being injected into the process of the application program to be protected.
S102: judging whether the process calling the loading function is the process of the application program to be protected.
In this embodiment, the path information of the process can be obtained, and according to the path information of the process it can be judged whether the process is the process of the application program to be protected.
According to this judgment, if the process is the process of the application program to be protected, step S103 is performed; if the process is not the process of the application program to be protected, step S105 is performed.
S103: judging whether the DLL file the process is currently about to load is a malicious DLL file.
According to the judgment of step S102, if the process is the process of the application program to be protected, it is further judged whether the DLL file the process is currently about to load is a malicious DLL file.
Malicious DLL files can be set up in advance as a blacklist. If the DLL file the process of the application program is currently about to load is in the blacklist, it can be judged that the DLL file the process of the application program is currently about to load is a malicious DLL file.
Alternatively, the DLL files required for the normal operation of the application program to be protected can be set up in advance as a whitelist. If the DLL file the process of the application program is currently about to load is not in the whitelist, it can be judged that the DLL file the process of the application program is currently about to load is a malicious DLL file.
According to this judgment, if the DLL file to be loaded is a malicious DLL file, step S104 is performed; if the DLL file to be loaded is not a malicious DLL file, step S105 is performed.
S104: returning a load-refusal message.
According to the judgment of step S103, if the DLL file to be loaded is a malicious DLL file, a load-refusal message can be returned to the Windows operating system or to the process of the application program to be protected, thereby preventing the malicious DLL file from being injected into the process of the application program to be protected.
S105: calling the loading function, and completing the loading of the DLL file through the loading function.
The application program protection method provided by the embodiments of the present invention monitors calls to the loading function for DLL files, judges whether the process calling the loading function is the process of the application program to be protected, and, if it is, further judges whether the DLL file currently about to be loaded is a malicious DLL file; if so, a load-refusal message is returned. This prevents a malicious DLL file from being injected into the process of the application program to be protected, so that the application program to be protected is kept from being damaged by a malicious DLL file.
Fig. 2 is a schematic flowchart of embodiment two of the application program protection method of the present invention. This embodiment is applicable to the self-protection of security-protection-class application programs such as Jinshan anti-virus software or Kingsoft bodyguard. Referring to Fig. 2, this embodiment of the application program protection method of the present invention comprises the following steps:
S201: during start-up of the Windows operating system, monitoring calls to the loading function for DLL files by means of a hook function; wherein the hook function is set up in the defense driver of the security-protection-class application program.
The defense driver and the defense process of the security-protection-class application program start running after the Windows operating system starts. The defense driver runs in the kernel layer of the system, and the defense process runs in the application layer; the defense driver starts running before the defense process.
Before this step, a hook (HOOK) function can be set up in the defense driver by the programmer. A hook function is essentially a program segment that processes messages; it is called by the system and linked into the system. Whenever a particular message is sent, the hook function captures the message before it reaches the destination window, that is, the hook function obtains control first. At that point the hook function can process the message, pass the message on without processing it, or force the delivery to end.
In this embodiment, the original entry address of the NtCreateSection function is modified to the entry address of the hook function of this embodiment. When the process of the security-protection-class application program calls the NtCreateSection function, because the original entry address of the NtCreateSection function has been modified to the entry address of the hook function of this embodiment, the call to the NtCreateSection function jumps to the execution of the hook function, thereby achieving the monitoring of the NtCreateSection function.
In order to call back into the NtCreateSection function, the original entry address of the NtCreateSection function must be saved before it is modified to the entry address of the hook function of this embodiment.
In this embodiment, the process of the application program can call the NtCreateSection function through the Windows operating system. Specifically, the process of the application program can send a message calling the NtCreateSection function to the Windows operating system, and the Windows operating system calls the NtCreateSection function according to the message.
S202: obtaining, through the hook function, the path information of the process calling the NtCreateSection function.
S203: judging whether the process is a process under the directory of the security-protection-class application program to be protected.
In this embodiment, according to the path information of the process obtained in step S202, it is judged whether the process is a process under the directory of the security-protection-class application program to be protected. If the process is the process of the security-protection-class application program to be protected, step S204 is performed; if the process is not the process of the security-protection-class application program, step S207 is performed.
S204: obtaining, through the hook function, the path information of the DLL file the process is currently about to load.
S205: judging whether the DLL file to be loaded is a malicious DLL file.
In this embodiment, the hook function performs a matching query in the interception rule base according to the obtained path information of the DLL file, so as to judge whether the DLL file to be loaded is a malicious DLL file. The interception rule base stores the path information of malicious DLL files. By this judgment, if the DLL file to be loaded is a malicious DLL file, step S206 is performed; if the DLL file to be loaded is not a malicious DLL file, step S207 is performed.
In this embodiment, malicious DLL files can be set up in advance as a blacklist. If the DLL file the process of the application program is currently about to load is in the blacklist, it can be judged that the DLL file the process of the application program is currently about to load is a malicious DLL file.
Alternatively, the DLL files required for the normal operation of the application program to be protected can be set up in advance as a whitelist. If the DLL file the process of the application program is currently about to load is not in the whitelist, it can be judged that the DLL file the process of the application program is currently about to load is a malicious DLL file.
S206: returning a load-refusal message.
In this embodiment, the hook function can return a load-refusal message to the Windows operating system or to the process of the application program to be protected, thereby preventing the malicious DLL file from being injected into the process of the application program to be protected.
S207: calling the loading function, and completing the loading of the DLL file through the loading function.
In this embodiment, the hook function calls the NtCreateSection function according to the pre-saved original entry address of the NtCreateSection function, and completes the loading of the DLL file to be loaded through the NtCreateSection function.
The application program protection method provided by the embodiments of the present invention monitors calls to the NtCreateSection function through a hook function set up in the defense driver of the security-protection-class application program. Calls to the NtCreateSection function can thus be monitored in the kernel layer of the Windows operating system, and malicious DLL files can be captured rapidly and accurately before the self-protection of the security-protection-class application program takes effect. This prevents malicious DLL files from being injected into the process of the security-protection-class application program, so that the security-protection-class application program is kept from being damaged by malicious DLL files.
This embodiment has mainly been described taking the protection of a security-protection-class application program as an example. The protection method for a non-security-protection-class application program is similar to this embodiment; the difference is that, in the protection method for a non-security-protection-class application program, calls to the loading function for DLL files are monitored by the hook function mainly after the Windows operating system has finished starting.
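The decision logic of steps S201 to S207 (and of S101 to S105 in embodiment one), as an added example that is not part of the patent or of the assignee's driver: a user-mode C simulation in which the "original entry address" is a saved function pointer, the hook checks the calling process's path against the protected directory and the DLL path against a constructed blacklist and optional whitelist, and either returns a refusal or calls through the saved entry. The paths, the rule-base contents, the status values and the simplified loader signature are assumptions; a real defense driver would obtain the caller's path from the kernel and keep NtCreateSection's prototype.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return values standing in for the page's "load-refusal message" and normal completion.
   The numeric values are assumptions for this simulation, not Windows NTSTATUS codes. */
typedef long sim_status_t;
#define SIM_STATUS_SUCCESS       0L
#define SIM_STATUS_LOAD_REFUSED  (-1L)

/* Simplified signature of the loading function the page calls NtCreateSection.
   A real hook must keep the original prototype; here the DLL path is passed directly. */
typedef sim_status_t (*load_fn_t)(const char *dll_path);

/* Original entry address, saved before the hook takes over (page: "pre-saved original entry address"). */
static load_fn_t g_original_entry = NULL;

/* Constructed rule base: the protected application's directory, a blacklist of malicious DLL
   paths (the page's "interception rule base"), and an optional whitelist of locations the
   application needs for normal operation. All values are made up for this example. */
static const char *PROTECTED_DIR = "C:\\Program Files\\ProtectedApp\\";
static const char *BLACKLIST[] = { "C:\\Users\\Public\\evil.dll", "C:\\Temp\\inject.dll" };
static const char *WHITELIST[] = { "C:\\Windows\\System32\\", "C:\\Program Files\\ProtectedApp\\" };
static int g_whitelist_mode = 0;  /* 0: blacklist only; 1: additionally require a whitelist match */

void set_whitelist_mode(int enabled) { g_whitelist_mode = enabled; }

/* Windows paths are case-insensitive, so rule matching must be too. */
static int ci_has_prefix(const char *path, const char *prefix)
{
    while (*prefix) {
        if (*path == '\0' ||
            tolower((unsigned char)*path) != tolower((unsigned char)*prefix))
            return 0;
        path++;
        prefix++;
    }
    return 1;
}

static int ci_equals(const char *a, const char *b)
{
    return strlen(a) == strlen(b) && ci_has_prefix(a, b);
}

/* S203: the process is "under the directory of the application to be protected" when its
   image path begins with that directory. */
int is_protected_process(const char *process_path)
{
    return ci_has_prefix(process_path, PROTECTED_DIR);
}

/* S205: matching query against the rule base. */
int is_malicious_dll(const char *dll_path)
{
    size_t i;
    for (i = 0; i < sizeof BLACKLIST / sizeof BLACKLIST[0]; i++)
        if (ci_equals(dll_path, BLACKLIST[i]))
            return 1;
    if (g_whitelist_mode) {
        for (i = 0; i < sizeof WHITELIST / sizeof WHITELIST[0]; i++)
            if (ci_has_prefix(dll_path, WHITELIST[i]))
                return 0;
        return 1;  /* not in the whitelist: treated as malicious, as the page describes */
    }
    return 0;
}

/* Stand-in for the real loading function; counts completed loads so pass-through can be verified. */
static int g_loads_completed = 0;
static sim_status_t original_load(const char *dll_path)
{
    (void)dll_path;
    g_loads_completed++;
    return SIM_STATUS_SUCCESS;
}

int loads_completed(void) { return g_loads_completed; }

/* S201: save the original entry address before redirecting it to the hook. In this simulation
   the "redirection" is simply that callers invoke hooked_load instead of original_load. */
void install_hook(void)
{
    g_original_entry = original_load;
    g_loads_completed = 0;
}

/* The hook, steps S202 to S207. In a driver the calling process's path would be obtained from the
   kernel; here it is passed in explicitly. */
sim_status_t hooked_load(const char *process_path, const char *dll_path)
{
    if (g_original_entry == NULL)
        install_hook();                       /* never call through an unsaved entry */
    if (!is_protected_process(process_path))  /* S203 not satisfied: straight to S207 */
        return g_original_entry(dll_path);
    if (is_malicious_dll(dll_path))           /* S205 matched: S206, refuse the load */
        return SIM_STATUS_LOAD_REFUSED;
    return g_original_entry(dll_path);        /* S207: complete the load via the saved entry */
}

int main(void)
{
    install_hook();
    printf("evil.dll in protected process: %ld\n",
           hooked_load("C:\\Program Files\\ProtectedApp\\app.exe", "C:\\Users\\Public\\EVIL.DLL"));
    printf("kernel32.dll in protected process: %ld\n",
           hooked_load("C:\\Program Files\\ProtectedApp\\app.exe", "C:\\Windows\\System32\\kernel32.dll"));
    return 0;
}
```

Note that, exactly as in the page's flow, a process outside the protected directory is passed through at S203 without any rule-base check, so the blacklist only protects the application the driver is configured for.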
Fig. 3 is a schematic structural diagram of embodiment one of the application program protection device of the present invention.
Referring to Fig. 3, this embodiment of the application program protection device of the present invention comprises: a monitoring module 31, a first judging module 32, a second judging module 33, a load-refusal module 34 and a calling module 35; wherein:
The monitoring module 31 is used for monitoring calls to the loading function for DLL files.
In this embodiment, the application program to be protected can be a security-protection-class application program such as Jinshan anti-virus software or Kingsoft bodyguard, or an ordinary application program of a non-security-protection class, such as an instant-messaging application program or a game application program.
A security-protection-class application program generally has a self-protection function. However, before the self-protection function of the security-protection-class application program takes effect, malicious DLL files, such as viruses, worms or Trojan horse programs, can be injected into the process of the security-protection-class application program and take control of it by corrupting that process, thereby destroying the defense function of the security-protection-class application program. Injecting a DLL file into a process means placing the DLL file into the address space of that process, so that the DLL file becomes a part of the process.
In the Windows operating system, the loading function for DLL files is the NtCreateSection function; the Windows operating system kernel loads DLL files by calling the NtCreateSection function. In this embodiment, by monitoring calls to the NtCreateSection function, malicious DLL files can be captured, which makes it easier to prevent them from being injected into the process of the application program to be protected.
The first judging module 32 is used for judging whether the process calling the loading function is the process of the application program to be protected.
In this embodiment, the path information of the process can be obtained, and according to the path information of the process it can be judged whether the process is the process of the application program to be protected.
According to this judgment, if the process is the process of the application program to be protected, the second judging module 33 is notified; if the process is not the process of the application program to be protected, the calling module 35 is notified.
The second judging module 33 is used for judging, if the process is the process of the application program to be protected, whether the DLL file the process is currently about to load is a malicious DLL file.
Malicious DLL files can be set up in advance as a blacklist. If the DLL file the process of the application program is currently about to load is in the blacklist, it can be judged that the DLL file the process of the application program is currently about to load is a malicious DLL file.
Alternatively, the DLL files required for the normal operation of the application program to be protected can be set up in advance as a whitelist. If the DLL file the process of the application program is currently about to load is not in the whitelist, it can be judged that the DLL file the process of the application program is currently about to load is a malicious DLL file.
According to this judgment, if the DLL file to be loaded is a malicious DLL file, the load-refusal module 34 is notified; if the DLL file to be loaded is not a malicious DLL file, the calling module 35 is notified.
The load-refusal module 34 is used for returning a load-refusal message if the DLL file to be loaded is a malicious DLL file.
In this embodiment, if the DLL file to be loaded is a malicious DLL file, a load-refusal message can be returned to the Windows operating system or to the process of the application program to be protected, thereby preventing the malicious DLL file from being injected into the process of the application program to be protected.
The calling module 35 is used for calling the loading function, and completing the loading of the DLL file through the loading function, if the process is not the process of the application program to be protected, or if the process is the process of the application program to be protected but the DLL file to be loaded is not a malicious DLL file.
The application program protection device provided by the embodiments of the present invention monitors calls to the loading function for DLL files, judges whether the process calling the loading function is the process of the application program to be protected, and, if it is, further judges whether the DLL file currently about to be loaded is a malicious DLL file; if so, a load-refusal message is returned. This prevents a malicious DLL file from being injected into the process of the application program to be protected, so that the application program to be protected is kept from being damaged by a malicious DLL file.
The device of this embodiment can be used to carry out the technical solution of the method embodiment shown in Fig. 1. Its principle of operation and technical effect are similar and are not repeated here.
Fig. 4 is the structural representation of the protector embodiment two of application program of the present invention.In the present embodiment, The application program to be protected is security protection class application program;The security protection class application program includes Defence drive module, defence drive module of the monitoring module 31 located at the security protection class application program In;The monitoring module 31, for during windows starting operating systems, by Hook Function pair Calling for the loading function of dll file is monitored;Wherein, the Hook Function is set up and is answered in security protection class In being driven with the defence of program.
The defence driving of security protection class application program and defence process are opened after windows starting operating systems Begin to run.Wherein, defence drives the inner nuclear layer of the system that operates in, and defence process operates in application layer, defends Operation of the operation of driving prior to defence process.
In the present embodiment, hook (HOOK) function can be set up in the defence drives by programming personnel. Hook Function is actually a program segment for treatment message, is called by system, and it is linked into system.Often When specific message sends, before without purpose window is reached, Hook Function just first captures the message, that is, Hook Function first obtains control.At this moment Hook Function be can be with the working process message, it is also possible to do not make to locate Manage and continue to transmit the message, the transmission of end can also be forced.
In the present embodiment, the original entry address of NtCreateSection functions is revised as in the present embodiment Hook Function entry address.The process of security protection class application program is calling NtCreateSection During function, because the original entry address of NtCreateSection functions has been modified to the hook of the present embodiment The entry address of subfunction, calls, you can skip to the present embodiment by NtCreateSection functions Hook Function execution, be achieved in the monitoring to NtCreateSection functions.
In order to realize the readjustment to NtCreateSection functions, by NtCreateSection functions , it is necessary to right before the entry address of the Hook Function in the present embodiment is revised as in original entry address The original entry address of NtCreateSection functions is preserved.
In the present embodiment, the process of application program is called to NtCreateSection functions, can be passed through Windows operating systems are called to realize to NtCreateSection functions.Specifically, can be should The message for calling NtCreateSection functions is sent to windows operating systems with the process of program, Windows operating systems are according to message call NtCreateSection functions.
Referring to Fig. 4, on the basis of the device structure shown in Fig. 3, the first judging module 32 of the device of this embodiment may further comprise a first acquisition submodule 321, a first judging submodule 322 and a first notification submodule 323, where:
the first acquisition submodule 321 is configured to obtain the path information of the process;
the first judging submodule 322 is configured to judge, according to the path information of the process, whether the process is a process under the directory of the application program to be protected.
In this embodiment, it is judged from the path information of the process obtained by the first acquisition submodule 321 whether the process is a process under the directory of the security protection application program to be protected.
The first notification submodule 323 is configured to notify the second judging module 33 if the process is a process of the application program to be protected, and to notify the calling module 35 if the process is not a process of the application program to be protected.
In the present embodiment, further, second judge module 33 can include:Second obtains submodule Block 331, the second judging submodule 332 and second notify submodule 333;Wherein,
Second acquisition submodule 331, if being the process of the application program to be protected for the process, obtains The routing information of the process dll file currently to be loaded.
Second judging submodule 332, for the routing information of the dll file to be loaded according to, is intercepting Carry out matching inquiry in rule base, judge described in the dll file to be loaded whether be malice dll file; Wherein, the routing information of despiteful dll file is preserved in the interception rule base.
In the present embodiment, according to the routing information of the dll file for obtaining, carried out in rule base is intercepted Matching inquiry, judge described in the dll file to be loaded whether be malice dll file.
In the present embodiment, the dll file of malice can be set up into blacklist in advance, if the application program is entered The Cheng Dangqian dll files to be loaded are in the middle of blacklist, you can judge that the process of the application program currently will The dll file of loading is the dll file of malice.
Alternatively, also can in advance by the DLL required for application program to be protected normally operation File sets up white list.If the process of the application program dll file currently to be loaded is not worked as in white list In, you can judge that the process of the application program dll file currently to be loaded is the dll file of malice.
The second notification submodule 333 is configured to notify the refuse-loading module 34 if the DLL file to be loaded is a malicious DLL file, and to notify the calling module 35 if the DLL file to be loaded is not a malicious DLL file.
In this embodiment, the refuse-loading module 34 may return a refuse-loading message to the Windows operating system or to the process of the application program to be protected, thereby preventing the malicious DLL file from being injected into the process of the application program to be protected.
The calling module 35 is configured, if the process is not a process of the application program to be protected, or if the process is a process of the application program to be protected but the DLL file to be loaded is not a malicious DLL file, to call the loading function according to the previously saved original entry address of the loading function and to complete the loading of the DLL file through that loading function.
In this embodiment, NtCreateSection may be called according to the previously saved original entry address of NtCreateSection, and the loading of the DLL file to be loaded is completed through NtCreateSection.
In the application program protection device provided by this embodiment of the present invention, the monitoring module 31 established in the defence driver of the security protection application program monitors calls to NtCreateSection. Because that monitoring takes place in the kernel layer of the Windows operating system, malicious DLL files can be captured quickly and accurately before the self-protection of the security protection application program comes into effect, and are prevented from being injected into the process of the security protection application program, so that the security protection application program is not compromised by a malicious DLL file.
The device of this embodiment can be used to perform the technical solution of the method embodiment shown in Fig. 2; its implementation principle and technical effect are similar and are not repeated here.
This embodiment has been explained mainly by taking the protection of a security protection application program as an example. The protection method for an application program that is not a security protection application program is similar; the difference is that, for such an application program, calls to the DLL loading function are monitored by the hook function mainly after the Windows operating system has finished starting.
One of ordinary skill in the art will appreciate that all or part of the flow of the methods in the above embodiments may be carried out by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the flow of each of the above method embodiments. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The above is only a specific embodiment of the present invention, and the protection scope of the present invention is not limited to it; any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. The protection scope of the present invention shall therefore be defined by the protection scope of the claims.

Claims (8)

1. An application program protection method, characterized by comprising:
monitoring calls to a loading function of a dynamic link library;
judging whether the process calling the loading function is a process of the application program to be protected;
if the process is a process of the application program to be protected, judging whether the dynamic link library the process is currently about to load is a malicious dynamic link library;
if the dynamic link library to be loaded is a malicious dynamic link library, returning a refuse-loading message.
2. The application program protection method according to claim 1, characterized in that the application program to be protected is a security protection application program;
and the monitoring of calls to a loading function of a dynamic link library comprises:
during startup of the Windows operating system, monitoring calls to the loading function of the dynamic link library by a hook function; wherein the hook function is comprised in a defence driver of the security protection application program.
3. The application program protection method according to claim 2, characterized in that the judging whether the process calling the loading function is a process of the application program to be protected comprises:
obtaining path information of the process by the hook function, and judging, according to the path information of the process, whether the process is a process under the directory of the application program to be protected.
4. The application program protection method according to claim 3, characterized in that, if the process is a process of the application program to be protected, the judging whether the dynamic link library the process is currently about to load is a malicious dynamic link library comprises:
if the process is a process of the application program to be protected, obtaining, by the hook function, path information of the dynamic link library the process is currently about to load;
performing, by the hook function, a matching query in an interception rule base according to the obtained path information of the dynamic link library, and judging whether the dynamic link library to be loaded is a malicious dynamic link library; wherein the interception rule base stores path information of malicious dynamic link libraries.
5. An application program protection device, characterized by comprising:
a monitoring module, configured to monitor calls to a loading function of a dynamic link library;
a first judging module, configured to judge whether the process calling the loading function is a process of the application program to be protected;
a second judging module, configured to judge, if the process is a process of the application program to be protected, whether the dynamic link library the process is currently about to load is a malicious dynamic link library;
a refuse-loading module, configured to return a refuse-loading message if the dynamic link library to be loaded is a malicious dynamic link library.
6. The application program protection device according to claim 5, characterized in that the application program to be protected is a security protection application program; the security protection application program comprises a defence driver module, and the monitoring module is located in the defence driver module of the security protection application program;
the monitoring module is configured to monitor calls to the loading function of the dynamic link library during startup of the Windows operating system.
7. The application program protection device according to claim 6, characterized in that the first judging module comprises:
a first acquisition submodule, configured to obtain path information of the process;
a first judging submodule, configured to judge, according to the path information of the process, whether the process is a process under the directory of the application program to be protected;
a first notification submodule, configured to notify the second judging module if the process is a process of the application program to be protected.
8. The application program protection device according to claim 7, characterized in that the second judging module comprises:
a second acquisition submodule, configured to obtain, if the process is a process of the application program to be protected, path information of the dynamic link library the process is currently about to load;
a second judging submodule, configured to perform a matching query in an interception rule base according to the path information of the dynamic link library to be loaded, and to judge whether the dynamic link library to be loaded is a malicious dynamic link library; wherein the interception rule base stores path information of malicious dynamic link libraries;
a second notification submodule, configured to notify the refuse-loading module if the dynamic link library to be loaded is a malicious dynamic link library.
CN201510809215.2A 2015-11-19 2015-11-19 Application program protection method and device Pending CN106778234A (en)


Publications (1)

Publication Number Publication Date
CN106778234A true CN106778234A (en) 2017-05-31

Family

ID=58885774



Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1983296B (en) * 2005-12-12 2010-09-08 北京瑞星信息技术有限公司 Method and device for preventing illegal program from scavenging
CN101414341A (en) * 2007-10-15 2009-04-22 北京瑞星国际软件有限公司 Software self-protection method
CN104871173A (en) * 2012-12-21 2015-08-26 日本电信电话株式会社 Monitoring device and monitoring method
CN103942490A (en) * 2013-01-17 2014-07-23 珠海市君天电子科技有限公司 Method and device for preventing webpage content from being tampered
CN103077353A (en) * 2013-01-24 2013-05-01 北京奇虎科技有限公司 Method and device for actively defending rogue program

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108491736A (en) * 2018-04-02 2018-09-04 北京顶象技术有限公司 Distort monitoring method and device
WO2020019521A1 (en) * 2018-07-27 2020-01-30 平安科技(深圳)有限公司 Risk detection method and apparatus
CN110968867A (en) * 2018-09-29 2020-04-07 武汉斗鱼网络科技有限公司 Method, storage medium, electronic device and system for preventing bad DLL injection
CN109388441A (en) * 2018-09-30 2019-02-26 联想(北京)有限公司 Processing method, device, electronic equipment and readable storage medium storing program for executing
CN109829270A (en) * 2018-12-27 2019-05-31 北京奇安信科技有限公司 Application program means of defence and device
CN109829270B (en) * 2018-12-27 2022-04-15 奇安信科技集团股份有限公司 Application program protection method and device
CN110633566A (en) * 2019-06-27 2019-12-31 北京无限光场科技有限公司 Intrusion detection method, device, terminal equipment and medium
CN112800416A (en) * 2020-12-31 2021-05-14 航天信息股份有限公司 Safety protection system and method for calling chain


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20181213

Address after: 519031 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province

Applicant after: Zhuhai Leopard Technology Co.,Ltd.

Address before: 519070, six level 601F, 10 main building, science and technology road, Tangjia Bay Town, Zhuhai, Guangdong.

Applicant before: Zhuhai Juntian Electronic Technology Co.,Ltd.

Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20170531