CN106815523A - Malicious software defense method and device - Google Patents
Malicious software defense method and device
- Publication number: CN106815523A (application CN201510850019.XA)
- Authority: CN (China)
- Prior art keywords: memory address, malware, process object, list, object type
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
Landscapes
- Engineering & Computer Science; Computer Security & Cryptography; Computer Hardware Design; General Engineering & Computer Science; Software Systems; Theoretical Computer Science; Health & Medical Sciences; General Health & Medical Sciences; Virology; Physics & Mathematics; General Physics & Mathematics; Stored Programmes
Abstract
The embodiments of the invention disclose a method and a device for defending against malicious software. The malware defense method is applied to a terminal and can comprise the following steps: determining the memory address of the callback list according to the memory address of the process object type obtained at the current time; identifying the callback list according to its memory address; for each node contained in the callback list, judging whether the memory address of the process object type callback function stored in the node lies in the set of memory address intervals corresponding to malware in the kernel; and if so, deleting the node from the callback list. By applying the technical scheme provided by the embodiments of the invention, the process protection of the malware can be disabled, so that the terminal, or an antivirus application in the terminal, can terminate the malware's process normally; the terminal system is thereby protected from damage by the malware and a better defense effect is achieved.
Description
Technical field
The present invention relates to the field of computer technology, and more particularly to a malware defense method and device.
Background technology
Malware refers to viruses, worms and Trojan horse programs that perform malicious tasks on computer systems and exert control by disrupting software processes.
At present, prior-art defense against malware is mainly achieved by terminating the malware's process.
However, on Windows systems, malware can use the system-provided ObRegisterCallbacks function, which registers process object type callbacks, to protect its process. Terminating the malware's process must first pass through the callback function the malware has registered; in that callback the malware checks whether the process about to be terminated is its own and, if so, returns a refusal. The malware's process therefore cannot be terminated normally and cannot be terminated by security software, and because its process cannot be ended, the malware can continue to harm the system.
Thus the prior art cannot defend against malware effectively: the malware can continue to harm the system and cause losses to users.
The content of the invention
The purpose of the embodiments of the present invention is to provide a malware defense method and device that defend against malware effectively and avoid harm to the system. The technical scheme is as follows:
A malware defense method, applied to a terminal, includes:
determining the memory address of the callback list according to the memory address of the process object type obtained at the current time;
identifying the callback list according to the memory address of the callback list;
for each node contained in the callback list, judging whether the memory address of the process object type callback function stored in the node lies in the set of memory address intervals corresponding to malware in the kernel;
if so, deleting the node from the callback list.
In one specific embodiment of the invention, determining the memory address of the callback list according to the memory address of the process object type obtained at the current time includes:
determining the memory address of the callback list according to the offset of the callback list within the data structure of the process object type, obtained in advance, and the memory address of the process object type obtained at the current time.
In one specific embodiment of the invention, the offset of the callback list within the data structure of the process object type is obtained in advance by the following steps:
obtaining the memory address of the process object type at a first time;
disassembling and reading memory data starting from the memory address of the process object type at the first time;
in the memory data read, determining the memory address of the callback list at the first time according to the features of the callback list within the data structure of the process object type;
subtracting the memory address of the process object type at the first time from the memory address of the callback list at the first time to obtain the offset of the callback list within the data structure of the process object type.
In one specific embodiment of the invention, for a piece of malware, the memory address interval corresponding to the malware in the kernel is obtained by the following steps:
obtaining identification information of the malware's driver;
obtaining, according to the identification information of the malware's driver, the start address and end address of the malware's driver in kernel memory;
determining the address interval formed by the obtained start address and end address of the malware's driver in kernel memory as the memory address interval corresponding to the malware in the kernel.
In one specific embodiment of the invention, after the node is deleted from the callback list, the method further includes:
deleting, from the set of memory address intervals, the memory address interval containing the memory address of the process object type callback function stored in the deleted node.
A malware defense device, applied to a terminal, includes:
a memory address determining module, configured to determine the memory address of the callback list according to the memory address of the process object type obtained at the current time;
a callback list identification module, configured to identify the callback list according to the memory address of the callback list;
a memory address judging module, configured to judge, for each node contained in the callback list, whether the memory address of the process object type callback function stored in the node lies in the set of memory address intervals corresponding to malware in the kernel, and if so, to trigger a node deletion module;
the node deletion module, configured to delete the node from the callback list.
In one specific embodiment of the invention, the memory address determining module is specifically configured to:
determine the memory address of the callback list according to the offset of the callback list within the data structure of the process object type, obtained in advance, and the memory address of the process object type obtained at the current time.
In one specific embodiment of the invention, the device further includes:
an offset obtaining module, configured to obtain in advance the offset of the callback list within the data structure of the process object type by the following steps:
obtaining the memory address of the process object type at a first time;
disassembling and reading memory data starting from the memory address of the process object type at the first time;
in the memory data read, determining the memory address of the callback list at the first time according to the features of the callback list within the data structure of the process object type;
subtracting the memory address of the process object type at the first time from the memory address of the callback list at the first time to obtain the offset of the callback list within the data structure of the process object type.
In one specific embodiment of the invention, the device further includes:
a memory address interval obtaining module, configured to obtain, for a piece of malware, the memory address interval corresponding to the malware in the kernel by the following steps:
obtaining identification information of the malware's driver;
obtaining, according to the identification information of the malware's driver, the start address and end address of the malware's driver in kernel memory;
determining the address interval formed by the obtained start address and end address of the malware's driver in kernel memory as the memory address interval corresponding to the malware in the kernel.
In one specific embodiment of the invention, the device further includes:
a memory address interval deletion module, configured to delete, after the node deletion module has deleted the node from the callback list, the memory address interval containing the memory address of the process object type callback function stored in the deleted node from the set of memory address intervals.
With the technical scheme provided by the embodiments of the present invention, if the memory address of the process object type callback function stored in a node of the callback list lies in the set of memory address intervals corresponding to malware in the kernel, the corresponding node is deleted from the callback list. The malware's process protection then fails, and the terminal, or an antivirus application in the terminal, can terminate the malware's process normally, thereby protecting the terminal system from the malware's harm and achieving a better protective effect.
Brief description of the drawings
To illustrate the technical scheme of the embodiments of the present invention or of the prior art more clearly, the drawings needed to describe the embodiments or the prior art are briefly introduced below. Clearly, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative work.
Fig. 1 is a flow chart of a malware defense method in an embodiment of the present invention;
Fig. 2 is a structural diagram of a malware defense device in an embodiment of the present invention.
Specific embodiment
To help those skilled in the art better understand the technical scheme of the embodiments of the present invention, the technical scheme of the embodiments is described clearly and completely below with reference to the accompanying drawings. Clearly, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative work fall within the scope of protection of the invention.
The malware defense method provided by the embodiments of the present invention is applied to a terminal, such as a desktop or notebook computer running a Windows system. When defending against malware, the terminal can, for each node contained in the callback list, judge whether the memory address of the process object type callback function stored in the node lies in the set of memory address intervals corresponding to malware in the kernel and, if so, delete the node from the callback list. Specifically, the defense can be carried out by an application in the terminal, for example by an antivirus application installed in the terminal.
In practice, the terminal can carry out the defense using the technical scheme of the embodiments after receiving a trigger request to kill malware, or periodically according to a preset cycle.
As shown in Figure 1, the flow of the malware defense method provided by the embodiments of the present invention may include the following steps:
S110: determining the memory address of the callback list according to the memory address of the process object type obtained at the current time.
The so-called process object type, i.e. PsProcessType, is a kind of kernel object. For ease of understanding, kernel objects are first described briefly. Kernel objects are a group of data structures that can only be accessed by the kernel; application programs cannot find these data structures in memory and directly modify their contents. Microsoft defines this restriction to keep the structure of kernel objects consistent; the restriction also lets Microsoft add, delete and modify data members in these structures without breaking any application program. Kernel objects include process objects, file objects, thread objects and type objects, among others. A process object has a process ID, a base priority and an exit code, while a file object has a byte offset, a sharing mode and an open mode.
The process object type, as a kernel object, is also a data structure, called Object_Type, containing several data members, one of which is the callback list, i.e. CallbackList. Using the symbols of the data structure Object_Type provided by the system, the features of the callback list within the data structure can be obtained.
In Windows systems, the memory address of the process object type may differ at different times. When the terminal needs to defend against malware, it can obtain the memory address of the process object type at the current time directly from the system and determine the memory address of the callback list from that address.
In one specific embodiment of the invention, memory data can be disassembled and read starting from the memory address of the process object type obtained at the current time; in the memory data read, the memory address of the callback list at the current time can be determined according to the features of the callback list within the data structure of the process object type.
In Windows systems, the offset of the callback list within the data structure of the process object type is a fixed value. To save computing resources, the offset can be obtained in advance; then, when defending against malware, the memory address of the callback list is determined from the offset of the callback list within the data structure of the process object type obtained in advance and the memory address of the process object type obtained at the current time.
For example, if the memory address of the process object type obtained at the current time is 50 and the offset of the callback list within the data structure of the process object type obtained in advance is 4, the memory address of the callback list can be determined to be 54.
Because the offset of the callback list within the data structure of the process object type is obtained in advance, it can be used directly when defending against malware, saving computing resources and computing time and improving computational efficiency.
After the terminal determines the memory address of the callback list, it can continue with step S120.
S120: identifying the callback list according to the memory address of the callback list.
The memory address of the callback list was determined in step S110; from that memory address the callback list can be identified.
The callback list is a doubly linked list. A doubly linked list, also called a double-linked list, is a kind of linked list in which each node contains two pointers, one to its direct successor and one to its direct predecessor. Starting from any node of a doubly linked list, its predecessor and successor nodes can be reached easily.
When malware calls the ObRegisterCallbacks function to register a process object type callback function, the system inserts the memory address of that callback function into the callback list of the process object type as a node; that is, each node of the callback list stores the memory address of one process object type callback function.
A so-called callback function is a function called through a function pointer. If a function's pointer (its address) is passed as a parameter to another function, and that pointer is used to call the function it points to, the called function is referred to as a callback function. A callback function is not invoked directly by the party that implements it, but by another party when a particular event or condition occurs, in order to respond to that event or condition.
S130: for each node contained in the callback list, judging whether the memory address of the process object type callback function stored in the node lies in the set of memory address intervals corresponding to malware in the kernel; if so, performing step S140, otherwise doing nothing.
After the callback list is identified in step S120, each node it contains can be looked up. For each node, the memory address of the process object type callback function stored in the node is used to judge whether that address lies in the set of memory address intervals corresponding to malware in the kernel. If so, the memory address is that of a process object type callback function registered by some malware's driver, and step S140 can proceed; if not, nothing needs to be done with the node.
For example, suppose the set of memory address intervals corresponding to malware in the kernel is {(10, 20), (35, 40)}. If the memory address of the process object type callback function stored in a node of the callback list is 15, that address is determined to lie in the set of memory address intervals; if the memory address stored in a node is 30, that address is determined not to lie in the set.
In one specific embodiment of the invention, for a piece of malware, the memory address interval corresponding to the malware in the kernel can be obtained by the following steps:
Step 1: obtaining identification information of the malware's driver;
Step 2: obtaining, according to the identification information of the malware's driver, the start address and end address of the malware's driver in kernel memory;
Step 3: determining the address interval formed by the obtained start address and end address of the malware's driver in kernel memory as the memory address interval corresponding to the malware.
For ease of understanding, the three steps are explained together.
Every piece of software, including malware, corresponds to a memory address interval in the kernel once installed in the terminal. Identification information of the malware's driver, such as the driver's name or other distinctive identification information, can be obtained first. From this identification information, the start address and end address of the malware's driver in kernel memory can be obtained, and the address interval formed by the start address and end address is the memory address interval corresponding to the malware.
It is understood that the terminal, or an antivirus application in the terminal, can determine in advance which software in the terminal is malware. For example, operations staff can determine by manual analysis which software is malware and build a malware library on a server; the server delivers the malware library to the terminal or to the antivirus application in the terminal, which can then determine from the library stored in the terminal which software installed in the terminal is malware and obtain, by the above steps, the memory address intervals corresponding to the malware in the kernel. Alternatively, the terminal or the antivirus application in the terminal can send the identifiers of the software installed in the terminal to the server to query which of it is malware and, once the malware present in the terminal is determined, obtain the memory address intervals corresponding to the malware in the kernel by the above steps.
If there is one piece of malware in the terminal, the set of memory address intervals contains a single element, the memory address interval corresponding to that malware; if there are at least two pieces of malware in the terminal, the set of memory address intervals contains at least two elements, each corresponding to the memory address interval of one piece of malware.
The lookup of the nodes in the callback list ends according to the malware actually present in the terminal: once the nodes in the callback list corresponding to all the malware have been determined, the lookup and judgment of the remaining nodes need not continue.
S140: deleting the node from the callback list.
For each node contained in the callback list, if the memory address of the process object type callback function stored in the node lies in the set of memory address intervals corresponding to malware in the kernel, the node can be deleted from the callback list, i.e. the process object type callback function that the malware registered in the kernel is unloaded and deleted. The malware's process protection then fails, and the terminal, or an antivirus application in the terminal, can terminate the malware's process normally, protecting the terminal system from that malware's harm.
To help understand the technical scheme provided by the embodiments of the present invention, an example is given.
Malware A wants to protect its process from being terminated. Its driver A' in kernel space registers a process object type callback function using the ObRegisterCallbacks function to protect the process of malware A. The terminal, or an antivirus application in the terminal, determines the memory address of the callback list from the memory address of the process object type and looks up the nodes in the callback list. For each node found, if the memory address of the process object type callback function stored in the node lies in the memory address interval of driver A', the node is unloaded and deleted from the callback list. The process protection of malware A then fails, and the terminal or the antivirus application in the terminal can terminate the processes associated with malware A, protecting the terminal system from the harm of malware A.
With the technical scheme provided by the embodiments of the present invention, if the memory address of the process object type callback function stored in a node of the callback list lies in the set of memory address intervals corresponding to malware in the kernel, the corresponding node is deleted from the callback list. The malware's process protection then fails, and the terminal, or an antivirus application in the terminal, can terminate the malware's process normally, thereby protecting the terminal system from the malware's harm and achieving a better protective effect.
In one embodiment of the invention, the offset of the callback list within the data structure of the process object type can be obtained in advance by the following steps:
First step: obtaining the memory address of the process object type at a first time;
Second step: disassembling and reading memory data starting from the memory address of the process object type at the first time;
Third step: in the memory data read, determining the memory address of the callback list at the first time according to the features of the callback list within the data structure of the process object type;
Fourth step: subtracting the memory address of the process object type at the first time from the memory address of the callback list at the first time to obtain the offset of the callback list within the data structure of the process object type.
For ease of description, the four steps are explained together.
Here the first time is some time before the current time. Because the offset of the callback list within the data structure of the process object type is a fixed value, the offset can be obtained at a first time before the current time and used directly when malware defense is needed at the current time.
The memory address of the process object type at the first time can be obtained directly from the system. After it is obtained, memory data is disassembled and read starting from that memory address; in the memory data read, the memory address of the callback list at the first time can be determined according to the features of the callback list within the data structure of the process object type. Subtracting the memory address of the process object type at the first time from the memory address of the callback list at the first time gives the offset of the callback list within the data structure of the process object type.
In another embodiment of the invention, after the node is deleted from the callback list in step S140, the method may further include the following step:
deleting, from the set of memory address intervals, the memory address interval containing the memory address of the process object type callback function stored in the deleted node.
For each node found, if the memory address of the process object type callback function stored in the node is determined to lie in the set of memory address intervals corresponding to malware in the kernel, the node can be deleted from the callback list; after the deletion, the memory address interval containing the memory address of the process object type callback function stored in the deleted node can also be deleted. The set of memory address intervals corresponding to malware then shrinks by one element, so fewer comparisons are needed when judging the memory addresses of the process object type callback functions stored in the other nodes, which saves computing time and improves efficiency.
For example, suppose there are three pieces of malware in the terminal, malware A, malware B and malware C, whose corresponding memory address intervals in the kernel are (a1, a2), (b1, b2) and (c1, c2) respectively, so that the corresponding set of memory address intervals is {(a1, a2), (b1, b2), (c1, c2)}. The nodes of the callback list are looked up in order. The first node of the callback list is found; the memory address of the process object type callback function it stores lies in none of the three intervals, so nothing is done with the node. The second node of the callback list is found; the memory address of the process object type callback function it stores lies in the memory address interval (a1, a2) corresponding to malware A, so the node is deleted and the memory address interval (a1, a2) corresponding to malware A is deleted from the set of memory address intervals, which is updated to {(b1, b2), (c1, c2)}. The third node of the callback list is found, and whether the memory address of the process object type callback function it stores lies in the updated set of memory address intervals is judged.
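Steps S110 to S140, the offset precomputation, and the interval-deletion refinement just described, as an added example in C that is not the patent's code and not Windows kernel code. It models the callback list as a doubly linked list inside a constructed ObjectTypeModel structure (an assumed layout, not the real OBJECT_TYPE), learns the list offset once as list address minus type address, relocates the list later from the type address plus that offset, and walks the list removing the nodes whose callback address lies in a set of address intervals, optionally dropping each matched interval so the remaining nodes are compared against fewer intervals. All addresses, intervals and the driver names A', B' and C' are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Node of the doubly linked callback list: direct predecessor, direct
 * successor, and the address of the registered callback function. */
typedef struct CallbackNode {
    struct CallbackNode *prev, *next;
    uintptr_t callback_addr;
} CallbackNode;
/* Constructed stand-in for the object type structure; the layout is an
 * assumption for this example, not the real Windows OBJECT_TYPE. */
typedef struct {
    uint64_t leading_members[3];  /* placeholder fields before the list */
    CallbackNode callback_list;   /* sentinel head of a circular list */
} ObjectTypeModel;
typedef struct { uintptr_t start, end; } AddrRange;    /* one malware driver */
typedef struct { AddrRange r[8]; size_t count; } RangeSet;

/* "First time": offset of the list inside the type = list address - type address. */
size_t callback_list_offset(const ObjectTypeModel *t) {
    return (size_t)((const uint8_t *)&t->callback_list - (const uint8_t *)t);
}
/* S110 at the current time: type address + stored offset locates the list. */
CallbackNode *locate_callback_list(ObjectTypeModel *t, size_t offset) {
    return (CallbackNode *)((uint8_t *)t + offset);
}
void list_append(CallbackNode *head, CallbackNode *n) {
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}
size_t list_length(const CallbackNode *head) {
    size_t n = 0;
    for (const CallbackNode *c = head->next; c != head; c = c->next) n++;
    return n;
}
/* Each malware driver's [start, end] range in kernel memory is one element. */
void rangeset_add(RangeSet *s, uintptr_t start, uintptr_t end) {
    if (s->count < 8) { s->r[s->count].start = start; s->r[s->count].end = end; s->count++; }
}
/* S130: does the callback address fall inside any element of the set? */
bool rangeset_find(const RangeSet *s, uintptr_t a, size_t *idx) {
    for (size_t i = 0; i < s->count; i++)
        if (a >= s->r[i].start && a <= s->r[i].end) { if (idx) *idx = i; return true; }
    return false;
}
void rangeset_remove(RangeSet *s, size_t idx) {
    for (size_t i = idx + 1; i < s->count; i++) s->r[i - 1] = s->r[i];
    s->count--;
}
/* S130/S140: walk the list and unlink every node whose callback address lies in
 * a malware range. With shrink_set the matched range is dropped too and the
 * walk stops once the set is empty. Returns the number of nodes removed. */
size_t purge_callbacks(CallbackNode *head, RangeSet *set, bool shrink_set) {
    size_t removed = 0;
    for (CallbackNode *c = head->next; c != head && set->count > 0; ) {
        CallbackNode *next = c->next;    /* saved before unlinking */
        size_t idx;
        if (rangeset_find(set, c->callback_addr, &idx)) {
            c->prev->next = c->next;
            c->next->prev = c->prev;
            c->prev = c->next = NULL;
            removed++;
            if (shrink_set) rangeset_remove(set, idx);
        }
        c = next;
    }
    return removed;
}
/* Constructed scenario: drivers A', B', C' with assumed kernel ranges and five
 * registered callbacks, two of them from legitimate code that must survive. */
size_t run_demo(bool shrink_set, size_t *left_in_list, size_t *left_in_set) {
    ObjectTypeModel type = {0};
    CallbackNode *head = &type.callback_list;
    head->prev = head->next = head;                  /* empty circular list */
    CallbackNode nodes[5];
    const uintptr_t addrs[5] = { 0x1000, 0xA120, 0x2000, 0xC050, 0xB010 };
    for (size_t i = 0; i < 5; i++) {
        nodes[i].callback_addr = addrs[i];
        list_append(head, &nodes[i]);
    }
    RangeSet set = {0};
    rangeset_add(&set, 0xA000, 0xA3FF);   /* driver A' */
    rangeset_add(&set, 0xB000, 0xB3FF);   /* driver B' */
    rangeset_add(&set, 0xC000, 0xC3FF);   /* driver C' */
    size_t offset = callback_list_offset(&type);              /* learned in advance */
    CallbackNode *list = locate_callback_list(&type, offset); /* S110 */
    size_t removed = purge_callbacks(list, &set, shrink_set); /* S120-S140 */
    if (left_in_list) *left_in_list = list_length(list);
    if (left_in_set) *left_in_set = set.count;
    return removed;
}
int main(void) {
    size_t in_list, in_set;
    size_t removed = run_demo(true, &in_list, &in_set);
    printf("removed %zu node(s); %zu node(s) and %zu range(s) remain\n", removed, in_list, in_set);
    return 0;
}
```

With shrink_set the walk stops as soon as the last interval has matched, which is the early termination of the lookup described under S130; without it the whole list is walked and the set is left unchanged. In both modes the two callbacks outside every interval stay in the list, so legitimate registrations are untouched.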
Corresponding to above method embodiment, the embodiment of the present invention additionally provides a kind of malware defence device,
The device is applied to terminal.Shown in Figure 2, the device can include with lower module:
Memory address determining module 210, the memory address of the process object type for being obtained according to current time,
It is determined that the memory address of readjustment list;
Readjustment list identification module 220, for the memory address according to readjustment list, recognizes the readjustment
List, and search the node in readjustment list;
Memory address judge module 230, for for each node included in readjustment list, judging should
Whether the memory address of the process object type call back function that node is preserved is corresponding in kernel in Malware
In the interval set of memory address, if it is, triggering knot removal module 240;
The knot removal module 240, for deleting the node in readjustment list.
The device provided using the embodiment of the present invention, if the process object that the node in readjustment list is preserved
The memory address of type call back function in Malware in the interval set of the corresponding memory address in kernel, then
Corresponding node in readjustment list is deleted, to cause the Process Protection failure of Malware, terminal or terminal
In antivirus class application program can be with the process of normal termination Malware, so as to protect terminal system not disliked
The harm of meaning software, with preferable protection effect.
In a kind of specific embodiment of the invention, the readjustment list memory address determination module 210 can
With specifically for:
Side-play amount according to the readjustment list being obtained ahead of time in the data structure of process object type and it is current when
The memory address of the process object type for obtaining is carved, the memory address of readjustment list is determined.
In an embodiment of the invention, the device can further include the following module:
An offset obtaining module, configured to obtain in advance the offset of the callback list within the data structure of the process object type by the following steps:
obtaining the memory address of the process object type at a first moment;
disassembling memory data read starting from the memory address of the process object type at the first moment;
in the memory data read, determining the memory address of the callback list at the first moment according to the characteristics of the callback list within the data structure of the process object type;
subtracting the memory address of the process object type at the first moment from the memory address of the callback list at the first moment, to obtain the offset of the callback list within the data structure of the process object type.
In an embodiment of the invention, the device can further include the following module:
A memory address interval obtaining module, configured to obtain, for a piece of malware, the memory address interval corresponding to the malware in the kernel by the following steps:
obtaining the identification information of the driver of the malware;
obtaining, according to the identification information of the driver of the malware, the start address and end address of the driver of the malware in kernel memory;
determining the address interval formed by the obtained start address and end address of the driver of the malware in kernel memory as the memory address interval corresponding to the malware in the kernel.
In an embodiment of the invention, the device can further include the following module:
A memory address interval removing module, configured to remove, after the node deletion module 240 has deleted the node from the callback list, the memory address interval in which the memory address of the process object type callback function stored by the deleted node lies from the set of memory address intervals.
It should be noted that, herein, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any actual relation or order between these entities or operations. Moreover, the terms "comprising", "including" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises the element.
The embodiments in this specification are described in a related manner: identical or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the other embodiments. In particular, since the device embodiment is substantially similar to the method embodiment, its description is relatively brief, and the relevant parts may be found in the description of the method embodiment.
One of ordinary skill in the art will appreciate that all or part of the steps in the above method embodiments can be carried out by a program instructing the related hardware. The program can be stored in a computer-readable storage medium, such as a ROM/RAM, a magnetic disk or an optical disc.
The foregoing is only the preferred embodiments of the present invention and is not intended to limit the scope of the present invention. Any modification, equivalent substitution, improvement or the like made within the spirit and principles of the present invention is included in the protection scope of the present invention.
Claims (10)
1. A malware defence method, applied to a terminal, characterised by comprising:
determining the memory address of a callback list according to the memory address of a process object type obtained at the current moment;
identifying the callback list according to the memory address of the callback list;
for each node included in the callback list, judging whether the memory address of the process object type callback function stored by the node lies within a set of memory address intervals corresponding to malware in the kernel;
if so, deleting the node from the callback list.
2. The method according to claim 1, characterised in that determining the memory address of the callback list according to the memory address of the process object type obtained at the current moment comprises:
determining the memory address of the callback list according to a previously obtained offset of the callback list within the data structure of the process object type and the memory address of the process object type obtained at the current moment.
3. The method according to claim 2, characterised in that the offset of the callback list within the data structure of the process object type is obtained in advance by the following steps:
obtaining the memory address of the process object type at a first moment;
disassembling memory data read starting from the memory address of the process object type at the first moment;
in the memory data read, determining the memory address of the callback list at the first moment according to the characteristics of the callback list within the data structure of the process object type;
subtracting the memory address of the process object type at the first moment from the memory address of the callback list at the first moment, to obtain the offset of the callback list within the data structure of the process object type.
4. The method according to claim 1, characterised in that, for a piece of malware, the memory address interval corresponding to the malware in the kernel is obtained by the following steps:
obtaining the identification information of the driver of the malware;
obtaining, according to the identification information of the driver of the malware, the start address and end address of the driver of the malware in kernel memory;
determining the address interval formed by the obtained start address and end address of the driver of the malware in kernel memory as the memory address interval corresponding to the malware in the kernel.
5. The method according to claim 1, characterised in that, after deleting the node from the callback list, the method further comprises:
removing from the set of memory address intervals the memory address interval in which the memory address of the process object type callback function stored by the deleted node lies.
6. A malware defence device, applied to a terminal, characterised by comprising:
a memory address determining module, configured to determine the memory address of a callback list according to the memory address of a process object type obtained at the current moment;
a callback list identification module, configured to identify the callback list according to the memory address of the callback list;
a memory address judging module, configured to judge, for each node included in the callback list, whether the memory address of the process object type callback function stored by the node lies within a set of memory address intervals corresponding to malware in the kernel, and if so, to trigger a node deletion module;
the node deletion module, configured to delete the node from the callback list.
7. The device according to claim 6, characterised in that the callback list memory address determining module is specifically configured to:
determine the memory address of the callback list according to a previously obtained offset of the callback list within the data structure of the process object type and the memory address of the process object type obtained at the current moment.
8. The device according to claim 7, characterised in that the device further comprises:
an offset obtaining module, configured to obtain in advance the offset of the callback list within the data structure of the process object type by the following steps:
obtaining the memory address of the process object type at a first moment;
disassembling memory data read starting from the memory address of the process object type at the first moment;
in the memory data read, determining the memory address of the callback list at the first moment according to the characteristics of the callback list within the data structure of the process object type;
subtracting the memory address of the process object type at the first moment from the memory address of the callback list at the first moment, to obtain the offset of the callback list within the data structure of the process object type.
9. The device according to claim 6, characterised in that the device further comprises:
a memory address interval obtaining module, configured to obtain, for a piece of malware, the memory address interval corresponding to the malware in the kernel by the following steps:
obtaining the identification information of the driver of the malware;
obtaining, according to the identification information of the driver of the malware, the start address and end address of the driver of the malware in kernel memory;
determining the address interval formed by the obtained start address and end address of the driver of the malware in kernel memory as the memory address interval corresponding to the malware in the kernel.
10. The device according to claim 6, characterised in that the device further comprises:
a memory address interval removing module, configured to remove, after the node deletion module has deleted the node from the callback list, the memory address interval in which the memory address of the process object type callback function stored by the deleted node lies from the set of memory address intervals.
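As an added example that is not code from the patent, the following C program models in user mode the procedure described by the device embodiment (modules 210 to 240 together with the offset, interval and interval-removal modules) and by claims 1 to 5: the callback list offset is taken as list address minus type address at a first moment and reused at a later moment, each driver image range is turned into an address interval, the list is walked and every node whose callback address lies inside an interval is unlinked, and the matched intervals are then retired from the set. Every structure, field name, and address here is constructed for illustration (the real layout of the kernel's object type structure is undocumented, which is exactly why the patent recovers the offset by disassembly), and nothing in the program touches a kernel.

```c
/* Added example, not code from the patent: a user-mode model of the callback
 * list check of claims 1-5. Structures, field names and addresses are all
 * constructed; the real kernel layout is undocumented and nothing here touches
 * a kernel. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef struct CallbackNode {
    struct CallbackNode *prev, *next;
    uint64_t callback;           /* address of the registered callback function */
} CallbackNode;

/* Stand-in for the process object type; the list head is embedded at some
 * offset, which the patent recovers by disassembly rather than from a header. */
typedef struct {
    uint32_t total_objects, high_water;   /* constructed filler fields */
    CallbackNode callback_list;           /* embedded list head */
} ObjectTypeModel;

typedef struct {
    uint64_t start, end;         /* driver image range [start, end) */
    bool matched;                /* set once a callback inside it was deleted */
} AddrInterval;

typedef struct {
    bool offset_recovered;
    size_t removed_nodes, remaining_nodes, remaining_intervals;
} DemoResult;

/* Claim 3: offset = list address minus type address, both read at one moment. */
size_t callback_list_offset(const ObjectTypeModel *type, const CallbackNode *head) {
    return (size_t)((const uint8_t *)head - (const uint8_t *)type);
}

/* Claim 2: at a later moment, type address plus the stored offset gives the list. */
CallbackNode *callback_list_at(ObjectTypeModel *type, size_t offset) {
    return (CallbackNode *)((uint8_t *)type + offset);
}

/* Claim 4: a driver's image base and size form its address interval. */
AddrInterval interval_from_image(uint64_t base, uint64_t size) {
    AddrInterval iv = { base, base + size, false };
    return iv;
}

static bool in_interval_set(uint64_t addr, AddrInterval *set, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (addr >= set[i].start && addr < set[i].end) { set[i].matched = true; return true; }
    return false;
}

static void list_init(CallbackNode *h) { h->prev = h->next = h; h->callback = 0; }
static void list_append(CallbackNode *h, CallbackNode *n) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static size_t list_length(const CallbackNode *h) {
    size_t len = 0;
    for (const CallbackNode *c = h->next; c != h; c = c->next) len++;
    return len;
}

/* Claim 1: visit every node and unlink those whose callback lies in the set. */
size_t prune_callback_list(CallbackNode *head, AddrInterval *set, size_t n_set) {
    size_t removed = 0;
    for (CallbackNode *cur = head->next; cur != head;) {
        CallbackNode *next = cur->next;          /* saved before the unlink */
        if (in_interval_set(cur->callback, set, n_set)) {
            cur->prev->next = cur->next;
            cur->next->prev = cur->prev;
            cur->prev = cur->next = NULL;
            removed++;
        }
        cur = next;
    }
    return removed;
}

/* Claim 5: drop intervals whose callbacks were deleted. This model does it after
 * the full pass (an assumption) so a driver with several callbacks loses all of
 * them. Returns the new set size; the set is compacted in place. */
size_t retire_matched_intervals(AddrInterval *set, size_t n_set) {
    size_t kept = 0;
    for (size_t i = 0; i < n_set; i++)
        if (!set[i].matched) set[kept++] = set[i];
    return kept;
}

/* Constructed scenario: three registered callbacks, two inside flagged image A,
 * plus a flagged image B that registered nothing. */
DemoResult run_demo(void) {
    ObjectTypeModel type = { 0, 0, { NULL, NULL, 0 } };
    list_init(&type.callback_list);
    CallbackNode nodes[3] = {
        { NULL, NULL, 0xFFFFF80012345000ULL },   /* inside image A */
        { NULL, NULL, 0xFFFFF800AAAA1000ULL },   /* unrelated driver */
        { NULL, NULL, 0xFFFFF8001234A000ULL },   /* inside image A */
    };
    for (size_t i = 0; i < 3; i++) list_append(&type.callback_list, &nodes[i]);

    size_t off = callback_list_offset(&type, &type.callback_list);  /* first moment */
    CallbackNode *head = callback_list_at(&type, off);               /* current moment */

    AddrInterval set[2] = { interval_from_image(0xFFFFF80012340000ULL, 0x10000),   /* A */
                            interval_from_image(0xFFFFF80020000000ULL, 0x8000) };  /* B */
    DemoResult r;
    r.offset_recovered = head == &type.callback_list && off == offsetof(ObjectTypeModel, callback_list);
    r.removed_nodes = prune_callback_list(head, set, 2);
    r.remaining_nodes = list_length(head);
    r.remaining_intervals = retire_matched_intervals(set, 2);
    return r;
}
```

Two points worth noting for a practitioner. The offset step is the fragile part of the scheme: the position of the callback list inside the object type structure differs between operating system builds, so an offset derived once by disassembly must be re-derived per build rather than hard-coded, which is why claims 2 and 3 separate the "first moment" from the "current moment". The interval check itself is also the attribution step a defender uses when auditing registered callbacks: mapping each callback function address to the driver image that contains it is how one tells which loaded driver owns a given registration before deciding whether it is legitimate.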
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510850019.XA CN106815523B (en) | 2015-11-27 | 2015-11-27 | Malware defence method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106815523A true CN106815523A (en) | 2017-06-09 |
CN106815523B CN106815523B (en) | 2019-10-15 |
Family
ID=59103553
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510850019.XA Active CN106815523B (en) | 2015-11-27 | 2015-11-27 | Malware defence method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106815523B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111639340A (en) * | 2020-05-28 | 2020-09-08 | 北京金山云网络技术有限公司 | Malicious application detection method and device, electronic equipment and readable storage medium |
CN111639340B (en) * | 2020-05-28 | 2023-11-03 | 北京金山云网络技术有限公司 | Malicious application detection method and device, electronic equipment and readable storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102214134A (en) * | 2010-04-12 | 2011-10-12 | 腾讯科技(深圳)有限公司 | System and method for terminating computer process |
CN102982283A (en) * | 2012-11-27 | 2013-03-20 | 蓝盾信息安全技术股份有限公司 | System and method for killing protected malicious computer process |
US20130312099A1 (en) * | 2012-05-21 | 2013-11-21 | Mcafee, Inc. | Realtime Kernel Object Table and Type Protection |
CN103632087A (en) * | 2012-08-21 | 2014-03-12 | 腾讯科技(深圳)有限公司 | Method and device for protecting process |
CN103679027A (en) * | 2013-12-05 | 2014-03-26 | 北京奇虎科技有限公司 | Searching and killing method and device for kernel level malware |
Non-Patent Citations (2)
Title |
---|
TIANHZ: "Teaching you to use the ObRegisterCallbacks kernel function to implement process protection on 64-bit Win7", 《HTTPS://BBS.PEDIY.COM/THREAD-168023.HTM》 * |
迷失灵魂: "[Original] Understanding how to use ObRegisterCallbacks, a function commonly used for process protection on 64-bit", 《HTTPS://BBS.PEDIY.COM/THREAD-188002.HTM》 * |
Also Published As
Publication number | Publication date |
---|---|
CN106815523B (en) | 2019-10-15 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| TA01 | Transfer of patent application right | Effective date of registration: 20181227; Address after: Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province; Applicant after: Zhuhai Leopard Technology Co.,Ltd.; Address before: 100085 East District, Second Floor, 33 Xiaoying West Road, Haidian District, Beijing; Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd. |
| GR01 | Patent grant | |