CN106815523B - Malware defence method and device - Google Patents

Info

Publication number: CN106815523B
Authority: CN (China)
Application number: CN201510850019.XA
Other versions: CN106815523A
Language: Chinese (zh)
Prior art keywords: memory address, malware, object type, list, process object
Inventors: 杨峰, 潘建军, 王云峰
Current assignee: Zhuhai Baoqu Technology Co Ltd
Original assignee: Zhuhai Seal Interest Technology Co Ltd
Legal status: Active

Events
Application filed by Zhuhai Seal Interest Technology Co Ltd
Priority to CN201510850019.XA
Publication of CN106815523A
Application granted
Publication of CN106815523B
Active legal status
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

Embodiments of the invention disclose a malware defence method and device. The method is applied to a terminal and may comprise the following steps: determining the memory address of the callback list from the memory address of the process object type obtained at the current time; identifying the callback list from that memory address; for each node contained in the callback list, judging whether the memory address of the process-object-type callback function saved by the node lies within the set of kernel memory address ranges corresponding to malware; and if so, deleting the node from the callback list. With the technical solution provided by the embodiments, the malware's process protection fails, and the terminal or an antivirus application on the terminal can terminate the malware's process normally, so that the terminal system is protected from harm by the malware, with a good protective effect.

Description

Malware defence method and device
Technical field
The present invention relates to the field of computer technology, and in particular to a malware defence method and device.
Background technique
Malware refers to programs such as viruses, worms and Trojan horses that execute malicious tasks on a computer system and take control by sabotaging software processes.
At present, malware defence in the prior art is mainly achieved by terminating the malware's process.
However, on a Windows system, malware can use the ObRegisterCallbacks function, which the system provides for registering process-object-type callbacks, to protect its own process. Terminating the malware's process first passes through the callback function the malware has registered; in that callback the malware checks whether the process about to be terminated is its own and, if so, refuses the request, so that its process cannot be terminated normally and cannot be ended by security software. With its process unterminated, the malware can continue to harm the system.
The prior art therefore cannot defend against malware effectively; the malware may continue to harm the system and cause losses to the user.
Summary of the invention
The purpose of the embodiments of the present invention is to provide a malware defence method and device that defend against malware effectively and prevent malware from harming the system. The technical solution is as follows:
A malware defence method, applied to a terminal, comprising:
determining the memory address of the callback list from the memory address of the process object type obtained at the current time;
identifying the callback list from the memory address of the callback list;
for each node contained in the callback list, judging whether the memory address of the process-object-type callback function saved by the node lies within the set of kernel memory address ranges corresponding to malware;
if so, deleting the node from the callback list.
In one specific embodiment of the invention, determining the memory address of the callback list from the memory address of the process object type obtained at the current time comprises:
determining the memory address of the callback list from the offset of the callback list within the data structure of the process object type, obtained in advance, and the memory address of the process object type obtained at the current time.
In one specific embodiment of the invention, the offset of the callback list within the data structure of the process object type is obtained in advance by the following steps:
obtaining the memory address of the process object type at a first moment;
disassembling the memory data read starting from the memory address of the process object type at the first moment;
in the memory data read, determining the memory address of the callback list at the first moment according to the features of the callback list within the data structure of the process object type;
subtracting the memory address of the process object type at the first moment from the memory address of the callback list at the first moment, to obtain the offset of the callback list within the data structure of the process object type.
In one specific embodiment of the invention, for a given piece of malware, the kernel memory address range corresponding to the malware is obtained by the following steps:
obtaining the identification information of the malware's driver;
obtaining, according to that identification information, the start address and end address of the malware's driver in kernel memory;
determining the address range formed by the start address and end address of the malware's driver in kernel memory as the kernel memory address range corresponding to the malware.
In one specific embodiment of the invention, after deleting the node from the callback list, the method further comprises:
deleting from the set of memory address ranges the memory address range in which the memory address of the process-object-type callback function saved by the node lies.
A malware defence device, applied to a terminal, comprising:
a memory address determining module, for determining the memory address of the callback list from the memory address of the process object type obtained at the current time;
a callback list identifying module, for identifying the callback list from the memory address of the callback list;
a memory address judging module, for judging, for each node contained in the callback list, whether the memory address of the process-object-type callback function saved by the node lies within the set of kernel memory address ranges corresponding to malware, and if so triggering a node deleting module;
the node deleting module, for deleting the node from the callback list.
In one specific embodiment of the invention, the memory address determining module is specifically for:
determining the memory address of the callback list from the offset of the callback list within the data structure of the process object type, obtained in advance, and the memory address of the process object type obtained at the current time.
In one specific embodiment of the invention, the device further comprises:
an offset obtaining module, for obtaining in advance the offset of the callback list within the data structure of the process object type by the following steps:
obtaining the memory address of the process object type at a first moment;
disassembling the memory data read starting from the memory address of the process object type at the first moment;
in the memory data read, determining the memory address of the callback list at the first moment according to the features of the callback list within the data structure of the process object type;
subtracting the memory address of the process object type at the first moment from the memory address of the callback list at the first moment, to obtain the offset of the callback list within the data structure of the process object type.
In one specific embodiment of the invention, the device further comprises:
a memory address range obtaining module, for obtaining, for a given piece of malware, the kernel memory address range corresponding to the malware by the following steps:
obtaining the identification information of the malware's driver;
obtaining, according to that identification information, the start address and end address of the malware's driver in kernel memory;
determining the address range formed by the start address and end address of the malware's driver in kernel memory as the kernel memory address range corresponding to the malware.
In one specific embodiment of the invention, the device further comprises:
a memory address range deleting module, for deleting from the set of memory address ranges, after the node deleting module deletes the node from the callback list, the memory address range in which the memory address of the process-object-type callback function saved by the node lies.
With the technical solution provided by the embodiments of the invention, if the memory address of the process-object-type callback function saved by a node in the callback list lies within the set of kernel memory address ranges corresponding to malware, the corresponding node is deleted from the callback list. The malware's process protection thereby fails, and the terminal or an antivirus application on the terminal can terminate the malware's process normally, protecting the terminal system from harm by the malware, with a good protective effect.
Detailed description of the invention
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a malware defence method in an embodiment of the invention;
Fig. 2 is a structural diagram of a malware defence device in an embodiment of the invention.
Specific embodiment
To help those skilled in the art better understand the technical solutions of the embodiments, the technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
The malware defence method provided by the embodiments of the invention is applied to a terminal, such as a desktop computer or laptop running a Windows system. When the terminal defends against malware, it can judge, for each node contained in the callback list, whether the memory address of the process-object-type callback function saved by the node lies within the set of kernel memory address ranges corresponding to malware, and if so delete the node from the callback list. Specifically, the malware defence may be performed by an application on the terminal, for example by an antivirus application installed on the terminal.
In practice, the terminal may perform the malware defence with the technical solution provided by the embodiments after receiving a trigger request to scan for and kill malware, or it may perform the defence periodically at a preset interval.
Referring to Fig. 1, which is a flowchart of a malware defence method provided by an embodiment of the invention, the method may comprise the following steps:
S110: determine the memory address of the callback list from the memory address of the process object type obtained at the current time.
The process object type, exposed by the kernel as PsProcessType, is a kernel object. For ease of understanding, kernel objects are described briefly first. Kernel objects are a set of data structures that only the kernel can access; an application cannot locate these structures in memory or change their contents directly. Microsoft imposes this restriction to keep the state of kernel-object structures consistent, and it also lets Microsoft add, delete and modify members of these structures without breaking any application. Kernel objects include process objects, file objects, thread objects and type objects. A process object has a process ID, a base priority and an exit code; a file object has a byte offset, a share mode and an open mode.
The process object type, as a kernel object, is also a data structure, called OBJECT_TYPE, containing multiple members, one of which is the callback list, CallbackList. Using the symbols the system provides for OBJECT_TYPE, the features of the callback list within the data structure can be obtained.
On a Windows system, the memory address of the process object type may differ from one moment to another. When the terminal needs to defend against malware, it can obtain the memory address of the process object type at the current time directly from the system, and determine the memory address of the callback list from it.
In one specific embodiment of the invention, memory data can be read and disassembled starting from the memory address of the process object type obtained at the current time; in that memory data, the memory address of the callback list at the current time can be determined according to the features of the callback list within the data structure of the process object type.
On a Windows system the offset of the callback list within the data structure of the process object type is a fixed value (for a given kernel build), so to save computing resources the offset can be obtained in advance. Then, when malware defence is needed, the memory address of the callback list is determined from the previously obtained offset of the callback list within the data structure of the process object type and the memory address of the process object type obtained at the current time.
For example, if the memory address of the process object type obtained at the current time is 50 and the previously obtained offset of the callback list within the data structure of the process object type is 4, the memory address of the callback list is determined to be 54.
Obtaining the offset in advance means it can be used directly when defending against malware, saving computing resources and computation time and improving efficiency.
Once the terminal has determined the memory address of the callback list, it can proceed to step S120.
S120: identify the callback list from its memory address.
Since the memory address of the callback list was determined in step S110, the callback list can be identified from that address.
The callback list is a doubly linked list. A doubly linked list is a kind of linked list in which every node contains two pointers, one to its immediate successor and one to its immediate predecessor, so that starting from any node both its predecessor and its successor can be reached conveniently.
When malware calls the ObRegisterCallbacks function to register a process-object-type callback function, the system inserts the memory address of that callback function into the callback list of the process object type as a node; that is, each node in the callback list saves the memory address of one process-object-type callback function.
A callback function is a function that is called through a function pointer. If a function's pointer (address) is passed as a parameter to another function, and that other function uses the pointer to call the function it points to, the called function is a callback. A callback is not invoked directly by its implementer; it is invoked by another party when a specific event or condition occurs, in order to respond to that event or condition.
S130: for each node contained in the callback list, judge whether the memory address of the process-object-type callback function saved by the node lies within the set of kernel memory address ranges corresponding to malware; if so, execute step S140, otherwise do nothing.
After the callback list is identified in step S120, the nodes it contains can be enumerated. For each node, the memory address of the process-object-type callback function it saves is checked against the set of kernel memory address ranges corresponding to malware. If it lies within the set, the memory address is that of a process-object-type callback function registered by some malware's driver, and step S140 can be carried out; if not, the node is left untouched.
For example, if the set of kernel memory address ranges corresponding to malware is {(10, 20), (35, 40)} and the memory address of the process-object-type callback function saved by a node in the callback list is 15, that address is determined to lie within the set; if the address saved by a node is 30, it is determined not to lie within the set.
In one specific embodiment of the invention, for a given piece of malware, the kernel memory address range corresponding to the malware can be obtained by the following steps:
Step 1: obtain the identification information of the malware's driver;
Step 2: according to that identification information, obtain the start address and end address of the malware's driver in kernel memory;
Step 3: determine the address range formed by the start address and end address of the malware's driver in kernel memory as the memory address range corresponding to the malware.
For ease of understanding, the three steps are explained together.
Every piece of software, including malware, corresponds to a memory address range in the kernel once it is installed on the terminal. The identification information of the malware's driver, such as the driver's name or some other distinctive identifier, can be obtained first. From that identification information, the start address and end address of the malware's driver in kernel memory can be obtained; the address range they form is the memory address range corresponding to the malware.
It is understood that the terminal, or an antivirus application on it, can determine in advance which software is malware. For example, operators determine which software is malware by manual analysis and build a malware library on a server; the server delivers the malware library to the terminal or the antivirus application on it, which can then determine from the saved library which software installed on the terminal is malware and obtain the corresponding kernel memory address range by the steps above. Alternatively, the terminal or the antivirus application can send the identifiers of the software installed on the terminal to the server to query which of them are malware, and once it has been determined which malware is present on the terminal, obtain the corresponding kernel memory address ranges by the steps above.
When one piece of malware is present on the terminal, the set of memory address ranges contains a single element, the memory address range corresponding to that malware; when at least two pieces of malware are present, the set contains at least two elements, each being the memory address range corresponding to one piece of malware.
The enumeration of the nodes in the callback list ends according to the malware actually present on the terminal: once the nodes in the callback list corresponding to all the malware have been found, the remaining nodes need not be enumerated and judged.
S140: delete the node from the callback list.
For each node in the callback list, if the memory address of the process-object-type callback function it saves lies within the set of kernel memory address ranges corresponding to malware, the node is deleted from the callback list; that is, the process-object-type callback function registered in the kernel by the malware is unloaded. This makes the malware's process protection fail, and the terminal or an antivirus application on it can terminate the malware's process normally, protecting the terminal system from harm by the malware.
For ease of understanding, an example follows.
Malware A wants to protect its process from being terminated. It contains a driver A' in kernel space and uses the ObRegisterCallbacks function to register a process-object-type callback function that protects malware A's process. The terminal, or an antivirus application on it, determines the memory address of the callback list from the memory address of the process object type and enumerates the nodes of the callback list. For each node found, if the memory address of the process-object-type callback function it saves lies within the memory address range of driver A', the node is unlinked and deleted from the callback list. The process protection of malware A then fails, and the terminal or the antivirus application can terminate the processes associated with malware A, protecting the terminal system from harm by malware A.
In short, the technical solution deletes from the callback list every node whose saved callback address lies within a malware's kernel memory address range, so that the malware's process protection fails and its process can be terminated normally.
In one embodiment of the invention, the offset of the callback list within the data structure of the process object type can be obtained in advance by the following steps:
Step one: obtain the memory address of the process object type at a first moment;
Step two: read memory data starting from the memory address of the process object type at the first moment and disassemble it;
Step three: in the memory data read, determine the memory address of the callback list at the first moment according to the features of the callback list within the data structure of the process object type;
Step four: subtract the memory address of the process object type at the first moment from the memory address of the callback list at the first moment, to obtain the offset of the callback list within the data structure of the process object type.
For ease of description, the four steps are explained together.
The first moment is some moment before the current time. Because the offset of the callback list within the data structure of the process object type is a fixed value, the offset can be obtained at a first moment before the current time and used directly when malware defence is needed at the current time.
The memory address of the process object type at the first moment can be obtained directly from the system. Memory data is then read and disassembled starting from that address; in the memory data read, the memory address of the callback list at the first moment is determined according to the features of the callback list within the data structure of the process object type. Subtracting the memory address of the process object type at the first moment from the memory address of the callback list at the first moment gives the offset of the callback list within the data structure of the process object type.
In another embodiment of the invention, after step S140 deletes the node from the callback list, the method may further comprise the following step:
deleting from the set of memory address ranges the memory address range in which the memory address of the process-object-type callback function saved by the node lies.
For each node found, if the memory address of the process-object-type callback function it saves is determined to lie within the set of kernel memory address ranges corresponding to malware, the node is deleted from the callback list, and afterwards the memory address range containing that address can be deleted from the set as well. The set of malware memory address ranges thereby shrinks by one element, so that when the callback addresses saved by other nodes are judged, fewer comparisons are needed, saving computation time and improving efficiency.
For example, suppose three pieces of malware are present on the terminal, malware A, malware B and malware C, whose kernel memory address ranges are (a1, a2), (b1, b2) and (c1, c2) respectively, giving the set of memory address ranges {(a1, a2), (b1, b2), (c1, c2)}. The first node of the callback list is found in order; the memory address of the process-object-type callback function it saves lies in none of the three ranges, so the node is left untouched. The second node of the callback list is found; the memory address of the callback function it saves lies in the range (a1, a2), corresponding to malware A, so the node is deleted and the range (a1, a2) corresponding to malware A is deleted from the set, which becomes {(b1, b2), (c1, c2)}. The third node of the callback list is found, and whether the memory address of the callback function it saves lies in the updated set is judged.
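The whole procedure, steps S110 to S140 (derive the offset of the callback list once, locate the list through it, walk the doubly linked list and unlink every node whose callback address falls inside a malware driver's range) together with the range-pruning step just described, as an added example that is not code from the patent or its assignee. It is a user-mode C model rather than a driver: OBJECT_TYPE_MODEL, CB_NODE, RANGE_SET, REGION, the callback addresses and the driver ranges are all constructed stand-ins for the undocumented Windows structures, and the offset is found by scanning for the list-head invariant head->Flink->Blink == head instead of by disassembly. The readable() oracle stands in for a kernel address-validity check such as MmIsAddressValid.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Shape of a Windows LIST_ENTRY: forward and backward links. */
typedef struct list_entry { struct list_entry *Flink, *Blink; } LIST_ENTRY;

/* Hypothetical stand-in for the undocumented OBJECT_TYPE layout; only
   CallbackList matters, the other fields are opaque padding. */
typedef struct { uint64_t opaque0[5]; LIST_ENTRY CallbackList; uint64_t opaque1[3]; } OBJECT_TYPE_MODEL;

/* Hypothetical stand-in for a registration entry: a list node (first member,
   so the node can be recovered by a cast) plus the callback's address. */
typedef struct { LIST_ENTRY Link; uintptr_t Callback; } CB_NODE;

typedef struct { uintptr_t start, end; } ADDR_RANGE;     /* [start, end) */
typedef struct { ADDR_RANGE r[8]; size_t n; } RANGE_SET;
typedef struct { uintptr_t lo, hi; } REGION;              /* "mapped" memory */

static void list_init(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void list_insert_tail(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
static void list_remove(LIST_ENTRY *e) {      /* unlinked node points to itself */
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink; e->Flink = e->Blink = e;
}

/* Readability oracle for the model; a driver would use MmIsAddressValid. */
static int readable(const void *p, size_t len, const REGION *rg, size_t nrg) {
    uintptr_t a = (uintptr_t)p;
    for (size_t i = 0; i < nrg; i++)
        if (a >= rg[i].lo && a + len <= rg[i].hi) return 1;
    return 0;
}

/* "First moment" step: scan pointer-aligned slots of the object type for the
   list-head feature head->Flink->Blink == head (an empty list satisfies it
   too). The result equals (address of list) - (address of type). */
static long find_callback_list_offset(const void *type, size_t size,
                                      const REGION *rg, size_t nrg) {
    const uint8_t *base = type;
    for (size_t off = 0; off + sizeof(LIST_ENTRY) <= size; off += sizeof(void *)) {
        const LIST_ENTRY *cand = (const LIST_ENTRY *)(base + off);
        if (readable(cand->Flink, sizeof *cand, rg, nrg) && cand->Flink->Blink == cand)
            return (long)off;
    }
    return -1;
}

static long range_index(const RANGE_SET *s, uintptr_t a) {
    for (size_t i = 0; i < s->n; i++)
        if (a >= s->r[i].start && a < s->r[i].end) return (long)i;
    return -1;
}
static void range_remove(RANGE_SET *s, size_t i) { s->r[i] = s->r[--s->n]; }

/* Steps S120-S140 plus the pruning step: walk the list at type+list_off,
   unlink each node whose callback lies in a malware image range, drop that
   range after its first hit, stop when the set is empty. Returns nodes unlinked. */
static size_t unlink_malware_callbacks(void *type, long list_off, RANGE_SET *set) {
    if (list_off < 0) return 0;                       /* list was not located */
    LIST_ENTRY *head = (LIST_ENTRY *)((uint8_t *)type + list_off);
    size_t removed = 0;
    for (LIST_ENTRY *e = head->Flink; e != head && set->n > 0; ) {
        LIST_ENTRY *next = e->Flink;                /* save before unlinking */
        long i = range_index(set, ((CB_NODE *)e)->Callback);
        if (i >= 0) { list_remove(e); range_remove(set, (size_t)i); removed++; }
        e = next;
    }
    return removed;
}

typedef struct { long offset; size_t removed, ranges_left, nodes_left; } DEMO_RESULT;

/* Constructed scenario, not real kernel data: three registered callbacks, the
   second inside driver A' (0x2000-0x3000) and the third inside driver C'
   (0x3000-0x4000); driver B' (0x4000-0x5000) registered none. */
static DEMO_RESULT run_demo(void) {
    static OBJECT_TYPE_MODEL type = {{0x11, 0x22, 0x33, 0x44, 0x55}, {0, 0}, {0x66, 0x77, 0x88}};
    static CB_NODE nodes[3];
    const uintptr_t callbacks[3] = {0x1000, 0x2500, 0x3500};
    list_init(&type.CallbackList);
    for (size_t i = 0; i < 3; i++) {
        nodes[i].Callback = callbacks[i];
        list_insert_tail(&type.CallbackList, &nodes[i].Link);
    }
    const REGION rg[2] = {{(uintptr_t)&type, (uintptr_t)&type + sizeof type},
                          {(uintptr_t)nodes, (uintptr_t)(nodes + 3)}};
    RANGE_SET set = {{{0x2000, 0x3000}, {0x4000, 0x5000}, {0x3000, 0x4000}}, 3};
    DEMO_RESULT r = {0, 0, 0, 0};
    r.offset  = find_callback_list_offset(&type, sizeof type, rg, 2);
    r.removed = unlink_malware_callbacks(&type, r.offset, &set);
    r.ranges_left = set.n;
    for (LIST_ENTRY *e = type.CallbackList.Flink; e != &type.CallbackList; e = e->Flink)
        r.nodes_left++;
    return r;
}

int main(void) {
    DEMO_RESULT r = run_demo();
    printf("offset=%ld removed=%zu ranges_left=%zu nodes_left=%zu\n",
           r.offset, r.removed, r.ranges_left, r.nodes_left);
    return 0;
}
```

Two caveats a kernel implementation cannot skip. The real list is modified by the kernel under its own synchronization while other registrations may be in flight, so unlinking an entry from a third-party driver without the same synchronization is racy. And the pruning step removes a driver's range after its first hit, exactly as the text describes, so a driver that registered more than one callback would keep the later ones; dropping the range_remove call unlinks them all at the cost of the saved comparisons.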
Corresponding to above method embodiment, the embodiment of the invention also provides a kind of malware defence device, the dresses It sets and is applied to terminal.Shown in Figure 2, the apparatus may include with lower module:
Memory address determining module 210, the memory address of the process object type for being obtained according to current time determine Adjust back the memory address of list;
List identification module 220 is adjusted back, for the memory address according to the readjustment list, identifies the readjustment list, And search the node in the readjustment list;
Memory address judgment module 230, for judging that the node is protected for each node for including in the readjustment list The memory address for the process object type call back function deposited whether in Malware in kernel corresponding memory address Interval Set In conjunction, if it is, triggering knot removal module 240;
The knot removal module 240, for deleting the node in the readjustment list.
Using device provided by the embodiment of the present invention, if the process object type that the node in readjustment list saves is returned The memory address of letter of transfer number in corresponding memory address section set, then deletes phase in readjustment list in kernel in Malware The node answered, so that the Process Protection of Malware fails, the antivirus class application program in terminal or terminal can be normal Terminate the process of Malware, so that terminal system be protected by the harm of Malware, not there is preferable protection effect.
In a kind of specific embodiment of the invention, the readjustment list memory address determination module 210 can be specific For:
It is obtained according to offset and current time of the readjustment list being obtained ahead of time in the data structure of process object type The memory address of the process object type obtained determines the memory address of the readjustment list.
In one embodiment of the invention, the device may further comprise the following module:
Offset obtaining module, for obtaining in advance the offset of the callback list within the data structure of the process object type by the following steps:
obtaining the memory address of the process object type at a first moment;
reading and disassembling the memory data at the memory address of the process object type at the first moment;
in the memory data read, determining the memory address of the callback list at the first moment from the features of the callback list within the data structure of the process object type;
subtracting the memory address of the process object type at the first moment from the memory address of the callback list at the first moment, obtaining the offset of the callback list within the data structure of the process object type.
In one embodiment of the invention, the device may further comprise the following module:
Memory address range obtaining module, for obtaining, for a piece of malware, the memory address range that the malware occupies in the kernel by the following steps:
obtaining identification information of the malware's driver;
from the identification information of the malware's driver, obtaining the memory start address and end address of the malware's driver in the kernel;
determining the address range formed by the obtained memory start address and end address of the malware's driver in the kernel as the memory address range that the malware occupies in the kernel.
In one embodiment of the invention, the device may further comprise the following module:
Memory address range removing module, for removing, after node deletion module 240 has deleted a node from the callback list, the memory address range containing the memory address of the process-object-type callback function saved by the deleted node from the set of memory address ranges.
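The modules above, together with the offset-obtaining and memory-address-range steps, describe one procedure end to end: learn where the callback list lives inside the process object type, walk it, and unlink every node whose callback points into a known malicious driver. The following is an added example, not code from the patent or from its assignee: a user-mode C model of that procedure. Its structures (OBJECT_TYPE_MODEL, CALLBACK_NODE, MODULE, RANGE_SET), the image names benign.sys and evil.sys, and the feature by which it recognises the callback list (a well-formed doubly linked list head) are assumptions of the model, not the real Windows layouts; a kernel-mode implementation would read the real type object and the loaded-driver list instead.

```c
/* Added example, not the patent's code: a user-mode C model of the method.
 * Layouts and names are hypothetical, not the real Windows ones. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
/* Modeled callback node: Link comes first, so a list entry is the node. */
typedef struct { LIST_ENTRY Link; void *PreOperation, *PostOperation; } CALLBACK_NODE;
/* Modeled object type: CallbackList sits at offset 24, unknown to the code below. */
typedef struct { uint64_t pad0[3]; LIST_ENTRY CallbackList; uint64_t pad1[2]; } OBJECT_TYPE_MODEL;
typedef struct { const char *name; const uint8_t *base; size_t size; } MODULE;
typedef struct { uintptr_t start, end; } ADDR_RANGE;   /* [start, end) */
typedef struct { ADDR_RANGE r[8]; size_t n; } RANGE_SET;

static void list_insert_tail(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head; e->Blink = head->Blink;
    head->Blink->Flink = e; head->Blink = e;
}
static size_t list_length(const LIST_ENTRY *head) {
    size_t n = 0;
    for (const LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) n++;
    return n;
}

/* Driver identification (its image name) -> [start, end) of its image. */
static int range_for_driver(const MODULE *m, size_t n, const char *name, ADDR_RANGE *out) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(m[i].name, name) == 0) {
            out->start = (uintptr_t)m[i].base; out->end = out->start + m[i].size;
            return 1;
        }
    return 0;
}
/* Index of the range containing a, or -1 (a NULL callback never matches). */
static int set_find(const RANGE_SET *s, uintptr_t a) {
    for (size_t i = 0; i < s->n; i++)
        if (a >= s->r[i].start && a < s->r[i].end) return (int)i;
    return -1;
}

/* "First moment" step: scan the type object pointer by pointer for a well-formed
 * LIST_ENTRY head, one whose Flink->Blink and Blink->Flink point back at it
 * (empty list or not). That this is the distinguishing feature is an assumption
 * of this model; the patent only says the list is recognised by its features. */
static long find_callback_list_offset(const void *type_obj, size_t size) {
    const uint8_t *base = type_obj;
    for (size_t off = 0; off + sizeof(LIST_ENTRY) <= size; off += sizeof(void *)) {
        const LIST_ENTRY *self = (const LIST_ENTRY *)(base + off);
        LIST_ENTRY c;
        memcpy(&c, self, sizeof c);          /* copy out; no aliased access */
        if (c.Flink && c.Blink && c.Flink->Blink == self && c.Blink->Flink == self)
            return (long)off;
    }
    return -1;
}

/* "Current time" step: unlink every node whose Pre- or PostOperation address
 * lies in a malicious range. Matched ranges are pruned after the walk; pruning
 * at the first hit would spare a second node the same driver registered. */
static size_t strip_malicious_callbacks(void *type_obj, long list_off, RANGE_SET *bad) {
    LIST_ENTRY *head = (LIST_ENTRY *)((uint8_t *)type_obj + list_off);
    int hit[8] = {0}; size_t removed = 0;
    for (LIST_ENTRY *e = head->Flink; e != head; ) {
        LIST_ENTRY *next = e->Flink;
        CALLBACK_NODE *node = (CALLBACK_NODE *)e;
        int i = set_find(bad, (uintptr_t)node->PreOperation);
        if (i < 0) i = set_find(bad, (uintptr_t)node->PostOperation);
        if (i >= 0) {
            e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink;   /* unlink */
            e->Flink = e->Blink = e;    /* the node's own memory is left alone */
            hit[i] = 1; removed++;
        }
        e = next;
    }
    for (size_t i = 0; i < bad->n; )
        if (hit[i]) { bad->n--; bad->r[i] = bad->r[bad->n]; hit[i] = hit[bad->n]; }
        else i++;
    return removed;
}

typedef struct { long offset; size_t removed, remaining, ranges_left; } MODEL_RESULT;

/* Constructed scenario: one benign node and two nodes whose callbacks lie in
 * the image of a hypothetical "evil.sys" (a static buffer stands in for it). */
MODEL_RESULT run_model(void) {
    static uint8_t benign_img[0x1000], evil_img[0x1000];
    MODULE mods[] = { { "benign.sys", benign_img, sizeof benign_img },
                      { "evil.sys",   evil_img,   sizeof evil_img } };
    OBJECT_TYPE_MODEL type; memset(&type, 0, sizeof type);
    CALLBACK_NODE n[3];     memset(n, 0, sizeof n);
    RANGE_SET bad;          memset(&bad, 0, sizeof bad);
    type.CallbackList.Flink = type.CallbackList.Blink = &type.CallbackList;
    n[0].PreOperation  = benign_img + 0x100;
    n[1].PreOperation  = evil_img + 0x200;
    n[2].PostOperation = evil_img + 0x300;
    for (size_t i = 0; i < 3; i++) list_insert_tail(&type.CallbackList, &n[i].Link);
    if (range_for_driver(mods, 2, "evil.sys", &bad.r[bad.n])) bad.n++;
    long off = find_callback_list_offset(&type, sizeof type);
    size_t removed = off < 0 ? 0 : strip_malicious_callbacks(&type, off, &bad);
    MODEL_RESULT res = { off, removed, list_length(&type.CallbackList), bad.n };
    return res;
}
```

run_model() builds the scenario, recovers the list offset, strips the two nodes that point into evil.sys and leaves the benign one in place. The model only unlinks a node and never frees it, which is all the method requires, and it prunes a matched range only after the whole list has been walked: removing the range as soon as its first node is deleted would leave a second callback registered by the same driver in the list. Two caveats carry over to a real driver. The offset of the callback list differs between operating system builds, which is why the method derives it at a "first moment" rather than hard-coding it. And the range test says nothing about a callback whose code lies outside any driver image (for example in dynamically allocated kernel memory); such a node matches no range and survives the walk.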
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" and any variant of them are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements intrinsic to that process, method, article or device. In the absence of further restrictions, an element introduced by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes it.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another. The device embodiment in particular is described relatively briefly, since it is substantially similar to the method embodiment; for the relevant points, refer to the description of the method embodiment.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiment may be completed by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc.
The foregoing is merely a description of preferred embodiments of the present invention and is not intended to limit its scope. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention falls within its scope of protection.

Claims (10)

1. A malware defence method, applied to a terminal, characterised in that it comprises:
determining the memory address of a callback list from the memory address of the process object type obtained at the current time;
identifying the callback list from the memory address of the callback list;
for each node contained in the callback list, judging whether the memory address of the process-object-type callback function saved by the node falls within the set of memory address ranges that malware occupies in the kernel;
if so, deleting the node from the callback list.
2. The method according to claim 1, characterised in that determining the memory address of the callback list from the memory address of the process object type obtained at the current time comprises:
determining the memory address of the callback list from the offset of the callback list within the data structure of the process object type, obtained in advance, and the memory address of the process object type obtained at the current time.
3. The method according to claim 2, characterised in that the offset of the callback list within the data structure of the process object type is obtained in advance by the following steps:
obtaining the memory address of the process object type at a first moment;
reading and disassembling the memory data at the memory address of the process object type at the first moment;
in the memory data read, determining the memory address of the callback list at the first moment from the features of the callback list within the data structure of the process object type;
subtracting the memory address of the process object type at the first moment from the memory address of the callback list at the first moment, obtaining the offset of the callback list within the data structure of the process object type.
4. The method according to claim 1, characterised in that, for a piece of malware, the memory address range that the malware occupies in the kernel is obtained by the following steps:
obtaining identification information of the malware's driver;
from the identification information of the malware's driver, obtaining the memory start address and end address of the malware's driver in the kernel;
determining the address range formed by the obtained memory start address and end address of the malware's driver in the kernel as the memory address range that the malware occupies in the kernel.
5. The method according to claim 1, characterised in that, after deleting the node from the callback list, the method further comprises:
removing from the set of memory address ranges the memory address range containing the memory address of the process-object-type callback function saved by the deleted node.
6. A malware defence device, applied to a terminal, characterised in that it comprises:
a memory address determining module, for determining the memory address of a callback list from the memory address of the process object type obtained at the current time;
a callback list identification module, for identifying the callback list from the memory address of the callback list;
a memory address judgment module, for judging, for each node contained in the callback list, whether the memory address of the process-object-type callback function saved by the node falls within the set of memory address ranges that malware occupies in the kernel, and if so, triggering a node deletion module;
the node deletion module, for deleting the node from the callback list.
7. The device according to claim 6, characterised in that the memory address determining module is specifically configured to:
determine the memory address of the callback list from the offset of the callback list within the data structure of the process object type, obtained in advance, and the memory address of the process object type obtained at the current time.
8. The device according to claim 7, characterised in that the device further comprises:
an offset obtaining module, for obtaining in advance the offset of the callback list within the data structure of the process object type by the following steps:
obtaining the memory address of the process object type at a first moment;
reading and disassembling the memory data at the memory address of the process object type at the first moment;
in the memory data read, determining the memory address of the callback list at the first moment from the features of the callback list within the data structure of the process object type;
subtracting the memory address of the process object type at the first moment from the memory address of the callback list at the first moment, obtaining the offset of the callback list within the data structure of the process object type.
9. The device according to claim 6, characterised in that the device further comprises:
a memory address range obtaining module, for obtaining, for a piece of malware, the memory address range that the malware occupies in the kernel by the following steps:
obtaining identification information of the malware's driver;
from the identification information of the malware's driver, obtaining the memory start address and end address of the malware's driver in the kernel;
determining the address range formed by the obtained memory start address and end address of the malware's driver in the kernel as the memory address range that the malware occupies in the kernel.
10. The device according to claim 6, characterised in that the device further comprises:
a memory address range removing module, for removing, after the node deletion module has deleted a node from the callback list, the memory address range containing the memory address of the process-object-type callback function saved by the deleted node from the set of memory address ranges.
Application CN201510850019.XA, priority date 2015-11-27, filing date 2015-11-27: A kind of malware defence method and device, CN106815523B (en), status Active

Publications (2)

Publication Number Publication Date
CN106815523A CN106815523A (en) 2017-06-09
CN106815523B (en) 2019-10-15

Family

ID=59103553

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111639340B (en) * 2020-05-28 2023-11-03 北京金山云网络技术有限公司 Malicious application detection method and device, electronic equipment and readable storage medium

Citations (4)

Publication number Priority date Publication date Assignee Title
CN102214134A (en) * 2010-04-12 2011-10-12 腾讯科技(深圳)有限公司 System and method for terminating computer process
CN102982283A (en) * 2012-11-27 2013-03-20 蓝盾信息安全技术股份有限公司 System and method for killing protected malicious computer process
CN103632087A (en) * 2012-08-21 2014-03-12 腾讯科技(深圳)有限公司 Method and device for protecting process
CN103679027A (en) * 2013-12-05 2014-03-26 北京奇虎科技有限公司 Searching and killing method and device for kernel level malware

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US20130312099A1 (en) * 2012-05-21 2013-11-21 Mcafee, Inc. Realtime Kernel Object Table and Type Protection

Non-Patent Citations (2)

Title
[Original] Figuring out how ObRegisterCallbacks, commonly used for process protection on 64-bit, is used; 迷失灵魂; https://bbs.pediy.com/thread-188002.htm; 2014-05-19; full text *
Teaching you to use the ObRegisterCallbacks kernel function to implement process protection on 64-bit Win7; tianhz; https://bbs.pediy.com/thread-168023.htm; 2013-04-10; full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20181227
Address after: Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province
Applicant after: Zhuhai Leopard Technology Co.,Ltd.
Address before: 100085 East District, Second Floor, 33 Xiaoying West Road, Haidian District, Beijing
Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.
GR01 Patent grant