CN106886691A - Interception method and device for ending process operation and electronic equipment - Google Patents

Publication number
CN106886691A
Authority
CN
China
Prior art keywords
program
communication
content
driver
application program
Prior art date
Legal status
Granted
Application number
CN201510939388.6A
Other languages
Chinese (zh)
Other versions
CN106886691B (en)
Inventor
杨峰
潘建军
王云峰
Current Assignee
Zhuhai Baoqu Technology Co Ltd
Original Assignee
Beijing Kingsoft Internet Security Software Co Ltd
Zhuhai Juntian Electronic Technology Co Ltd
Application filed by Beijing Kingsoft Internet Security Software Co Ltd and Zhuhai Juntian Electronic Technology Co Ltd
Priority to CN201510939388.6A
Publication of CN106886691A
Application granted
Publication of CN106886691B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G06F21/121 Restricting unauthorised execution of programs
    • G06F21/101 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM] by binding digital rights to specific entities
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Technology Law (AREA)
  • Multimedia (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Stored Programmes (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses an interception method, an interception device and electronic equipment for an end-process operation, wherein the method comprises the following steps: intercepting communication content transmitted by a process of an application program to a driver of the application program; determining the target driver of the communication content, and judging whether the target driver is a driver that needs to be intercepted; if the target driver is a driver that needs to be intercepted, further judging whether the communication content is used to instruct the target driver to end a related process of a preset application program; and stopping transmission of the communication content if the communication content is used to instruct the target driver to end a related process of the preset application program. With this interception method, a malicious program's process calling, through its driver, the ending of a related process of the preset application program can be accurately identified and intercepted. Processes that do not need to be ended are thus prevented from being maliciously ended, and the security and stability of the user's system environment are safeguarded.

Description

Interception method, device and electronic equipment for ending process operation
Technical Field
The present invention relates to the field of computer technology, and more particularly to an interception method, device and electronic equipment for an end-process operation.
Background
To prevent other programs from ending their processes, some application programs, particularly some security protection programs, have a self-protection function. The related processes of an application program with a self-protection function are difficult to end by conventional methods and have to be ended through the end-process functions in the system kernel. At present, some malicious programs use the malicious program's own driver to call these kernel functions for ending processes, in order to close the related processes of an application program with a self-protection function. If the related processes of an application program are closed, the functions of that application program may fail; for a security protection program in particular, being closed brings a great security risk.
Summary of the Invention
The present invention aims to solve, at least to some extent, one of the technical problems in the related art. To this end, the object of the first aspect of the present invention is to propose an interception method for an end-process operation that can intercept a malicious program's process calling, through its driver, the ending of a related process of a preset application program.
The object of the second aspect of the present invention is to propose an interception device for an end-process operation.
The object of the third aspect of the present invention is to propose electronic equipment.
To achieve the above objects, an embodiment according to the first aspect of the present invention proposes an interception method for an end-process operation, comprising the following steps: intercepting the communication content that a process of an application program transmits to the driver of the application program; determining the target driver of the communication content, and judging whether the target driver is a driver that needs to be intercepted; if the target driver is a driver that needs to be intercepted, further judging whether the communication content is used to instruct the target driver to end a related process of a preset application program; and if the communication content is used to instruct the target driver to end a related process of the preset application program, stopping transmission of the communication content.
In addition, the interception method for an end-process operation according to the above embodiment of the present invention may also have the following additional technical features:
In one embodiment of the present invention, intercepting the communication content that the process of the application program transmits to the driver of the application program specifically comprises: intercepting, by means of a hook function, the communication function through which the process of the application program transmits to the driver, obtaining the parameters of the communication function, and taking the parameters of the communication function as the communication content, wherein the parameters of the communication function include a file handle parameter, a control code parameter, and the buffer and length parameters of the transmitted information.
In one embodiment of the present invention, determining the target driver of the communication content and judging whether the target driver is a driver that needs to be intercepted specifically comprises: determining the file object corresponding to the file handle parameter; determining the driver corresponding to the file object, and taking the driver corresponding to the file object as the target driver; and judging whether the target driver is a driver that needs to be intercepted.
In one embodiment of the present invention, judging whether the communication content is used to instruct the target driver to end a related process of the preset application program specifically comprises: judging, according to the command code parameter, whether the communication content is used to instruct the target driver to perform an end-process operation; if so, further determining the path information of the process to be ended according to the buffer and length parameters of the transmitted information; judging, according to the path information, whether the process to be ended is under the storage directory of the preset application program; and if it is under the storage directory of the preset application program, judging that the communication content is used to instruct the target driver to end a related process of the preset application program.
In one embodiment of the present invention, the interception method for an end-process operation further comprises: if the communication content is not used to instruct the target driver to end a related process of the preset application program, continuing to transmit the communication content so as to complete this communication.
In one embodiment of the present invention, the preset application program is a security protection program.
An embodiment of the second aspect of the present invention provides an interception device for an end-process operation, comprising: an interception module, for intercepting the communication content that a process of an application program transmits to the driver of the application program; a determining module, for determining the target driver of the communication content and judging whether the target driver is a driver that needs to be intercepted; a judging module, for further judging, if the target driver is a driver that needs to be intercepted, whether the communication content is used to instruct the target driver to end a related process of a preset application program; and a control module, for stopping transmission of the communication content when the communication content is used to instruct the target driver to end a related process of the preset application program.
In addition, the interception device for an end-process operation according to the above embodiment of the present invention may also have the following additional technical features:
In one embodiment of the present invention, the interception module is specifically configured to: intercept, by means of a hook function, the communication function through which the process of the application program transmits to the driver, obtain the parameters of the communication function, and take the parameters of the communication function as the communication content, wherein the parameters of the communication function include a file handle parameter, a control code parameter, and the buffer and length parameters of the transmitted information.
In one embodiment of the present invention, the determining module is specifically configured to: determine the file object corresponding to the file handle parameter; determine the driver corresponding to the file object, and take the driver corresponding to the file object as the target driver; and judge whether the target driver is a driver that needs to be intercepted.
In one embodiment of the present invention, the judging module is specifically configured to: judge, according to the command code parameter, whether the communication content is used to instruct the target driver to perform an end-process operation; if so, further determine the path information of the process to be ended according to the buffer and length parameters of the transmitted information; judge, according to the path information, whether the process to be ended is under the storage directory of the preset application program; and if it is under the storage directory of the preset application program, judge that the communication content is used to instruct the target driver to end a related process of the preset application program.
In one embodiment of the present invention, the control module is further configured to: if the communication content is not used to instruct the target driver to end a related process of the preset application program, continue to transmit the communication content so as to complete this communication.
In one embodiment of the present invention, the preset application program is a security protection program.
An embodiment of the third aspect of the present invention provides electronic equipment, comprising: a housing, a display, a circuit board and a processor, wherein the circuit board is placed inside the space enclosed by the housing, the display is outside the housing and connected to the circuit board, and the processor is arranged on the circuit board; the processor is used to process data, and specifically to perform: intercepting the communication content that a process of an application program transmits to the driver of the application program; determining the target driver of the communication content, and judging whether the target driver is a driver that needs to be intercepted; if the target driver is a driver that needs to be intercepted, further judging whether the communication content is used to instruct the target driver to end a related process of a preset application program; and if the communication content is used to instruct the target driver to end a related process of the preset application program, stopping transmission of the communication content.
With the interception method, device and electronic equipment for an end-process operation of the embodiments of the present invention, the communication content that a process of an application program transmits to a driver is intercepted, and transmission of the communication content is stopped when it is judged that the communication content is used to instruct a driver that needs to be intercepted to end a related process of the preset application program. In this way, a malicious program's process calling, through its driver, the ending of a related process of the preset application program can be accurately identified and intercepted. Processes that do not need to be ended are thus prevented from being maliciously ended, which safeguards the security and stability of the user's system environment.
Brief Description of the Drawings
The above and/or additional aspects and advantages of the present invention will become apparent and readily understood from the following description of the embodiments in conjunction with the accompanying drawings, in which:
Fig. 1 is a flow chart of the interception method for an end-process operation according to one embodiment of the present invention;
Fig. 2 is a flow chart of the interception method for an end-process operation according to a specific embodiment of the present invention;
Fig. 3 is a structural diagram of the interception device for an end-process operation according to one embodiment of the present invention.
Detailed Description
Embodiments of the present invention are described in detail below. Examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary, are intended to explain the present invention, and are not to be construed as limiting the present invention.
Because an application program can, through its driver, call the end-process function in the operating system to end the related processes of other application programs, the present invention proposes an interception method, device and electronic equipment for an end-process operation, in order to prevent processes that are not expected to be ended from being maliciously ended.
The interception method, device and electronic equipment for an end-process operation according to the embodiments of the present invention are described below with reference to the accompanying drawings.
The embodiments of the present invention are preferably applied to security software. Security software is a software program for maintaining the security of electronic equipment, and may include anti-virus software (e.g. software for detecting and removing viruses), anti-rogue software (e.g. software for cleaning up malicious programs), encryption software (software that encrypts data to prevent data leakage) and system tool software (e.g. software for patching vulnerabilities and cleaning up junk), so as to provide a safeguard for the safe use of electronic equipment. Of course, the embodiments are equally applicable to other application programs, and the present invention is not limited in this respect.
Fig. 1 is a flow chart of the interception method for an end-process operation according to one embodiment of the present invention.
The interception method for an end-process operation of the embodiment of the present invention can be performed by security software.
As shown in Fig. 1, the interception method for an end-process operation of the embodiment of the present invention comprises the following steps.
S101, intercept the communication content that a process of an application program transmits to the driver of the application program.
The communication content that the process of the application program transmits to the driver may include target driver information and operation instruction information. The operation instruction information is used to instruct the target driver to perform a corresponding operation, and includes operation identification information (such as a command code) and operation target information.
S102, determine the target driver of the communication content, and judge whether the target driver is a driver that needs to be intercepted.
Specifically, the target driver of the communication content can be determined from the target driver information in the communication content.
A data table of the drivers that need to be intercepted can be preset, so that the target driver of the communication content can be matched against this data table; if the target driver of the communication content is present in the data table, the target driver is a driver that needs to be intercepted.
S103, if the target driver is a driver that needs to be intercepted, further judge whether the communication content is used to instruct the target driver to end a related process of a preset application program.
Specifically, whether the operation the target driver is required to perform is an end-process operation can be determined from the operation identification information in the operation instruction information. If so, whether the process to be ended is a related process of the preset application program is further judged from the operation target information; if so, the communication content is judged to be used to instruct the target driver to end a related process of the preset application program.
S104, if the communication content is used to instruct the target driver to end a related process of the preset application program, stop transmitting the communication content.
As a result, the instruction to end a related process of the preset application program is not delivered to the target driver, the related processes of the preset application program are not maliciously ended, and the security and stability of the system environment are safeguarded.
S105, if the communication content is not used to instruct the target driver to end a related process of the preset application program, continue to transmit the communication content so as to complete this communication.
In an embodiment of the present invention, if it is judged in step S102 that the target driver is not a driver that needs to be intercepted, S105 is performed.
According to the interception method for an end-process operation of the embodiment of the present invention, the communication content that a process of an application program transmits to a driver is intercepted, and transmission of the communication content is stopped when it is judged that the communication content is used to instruct a driver that needs to be intercepted to end a related process of the preset application program. In this way, a malicious program's process calling, through its driver, the ending of a related process of the preset application program can be accurately identified and intercepted. Processes that do not need to be ended are thus prevented from being maliciously ended, which safeguards the security and stability of the user's system environment.
It should be understood that, in one embodiment of the present invention, the preset application program may be a security protection program, i.e. security software, so that the embodiment of the present invention can protect the related processes of the security protection program from being maliciously ended by other programs, provide effective protection for the user's system environment, and improve the security and stability of the user's system environment.
Fig. 2 is a flow chart of the interception method for an end-process operation according to a specific embodiment of the present invention.
As shown in Fig. 2, the interception method for an end-process operation of the embodiment of the present invention comprises the following steps.
S201, intercept, by means of a hook function, the communication function through which a process of an application program transmits to the driver, obtain the parameters of the communication function, and take the parameters of the communication function as the communication content.
The parameters of the communication function include a file handle parameter, a control code parameter, and the buffer and length parameters of the transmitted information.
Taking the Windows system as an example, when a process in the system calls the communication function between a process and a driver (i.e. the NtDeviceIoControlFile function) to send a message to its driver, a hook function can intercept the NtDeviceIoControlFile function before the message reaches the driver. After intercepting the NtDeviceIoControlFile function, the hook function has control of the NtDeviceIoControlFile function, and can therefore obtain from it the file handle parameter, the control code parameter, the buffer and length parameters of the transmitted information, and so on.
S202, determine the file object corresponding to the file handle parameter.
The file handle parameter is the identification information of a file object, so the file object corresponding to the file handle parameter, that is, the object corresponding to the transmission destination of the communication content, can be determined from the file handle parameter.
S203, determine the driver corresponding to the file object, and take the driver corresponding to the file object as the target driver.
When a driver is installed, a driver object corresponding to that driver is created. Therefore, once the file object corresponding to the communication content has been determined, it can be determined which driver's driver object this file object belongs to, thereby obtaining the target driver.
S204, judge whether the target driver is a driver that needs to be intercepted.
A data table of the drivers that need to be intercepted can be preset, so that the target driver of the communication content can be matched against this data table; if the target driver of the communication content is present in the data table, the target driver is a driver that needs to be intercepted.
S205, if the target driver is not a driver that needs to be intercepted, call the communication function between the process and the driver to complete the information transmission.
S206, if the target driver is a driver that needs to be intercepted, judge according to the command code parameter whether the communication content is used to instruct the target driver to perform an end-process operation.
The command code parameter is an instruction sequence number, used to tell the CPU (Central Processing Unit) which instruction needs to be executed.
Thus, if the command code parameter corresponds to an end-process instruction, it can be judged that the communication content is used to instruct the target driver to perform an end-process operation, and S207 is then performed. Otherwise S205 is performed.
S207, if so, further determine the path information of the process to be ended according to the buffer and length parameters of the transmitted information.
The buffer and length parameters of the transmitted information identify the storage location of the operation target corresponding to the command code parameter. The path information of the operation target corresponding to the command code parameter can therefore be determined from the buffer and length parameters of the transmitted information.
S208, judge according to the path information whether the process to be ended is under the storage directory of the preset application program.
S209, if it is under the storage directory of the preset application program, judge that the communication content is used to instruct the target driver to end a related process of the preset application program, and stop transmitting the communication content.
Otherwise, S205 is performed.
According to the interception method for an end-process operation of the embodiment of the present invention, the communication content that a process of an application program transmits to a driver is intercepted, and transmission of the communication content is stopped when it is judged that the communication content is used to instruct a driver that needs to be intercepted to end a related process of the preset application program. In this way, a malicious program's process calling, through its driver, the ending of a related process of the preset application program can be accurately identified and intercepted. Processes that do not need to be ended are thus prevented from being maliciously ended, which safeguards the security and stability of the user's system environment.
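The decision flow of S204 to S209 (and its summary form S102 to S105), as an added example in portable C that is not code from the patent: the four values the hook captures in S201 are passed to `decide`, with an already-resolved driver name standing in for the handle-to-file-object-to-driver lookup of S202/S203. The driver names, control codes, protected directory and the assumption that the buffer holds the path as a plain byte string are all hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the flow chart: forward the call (S205) or drop it (S209). */
enum verdict { PASS_THROUGH = 0, BLOCK = 1 };

/* Preset data table of drivers to intercept (S204), each with the control
 * code that driver uses for "end process". Names and codes are hypothetical. */
struct watched_driver { const char *name; uint32_t end_process_code; };
static const struct watched_driver WATCHED[] = {
    { "\\Driver\\ExampleKiller", 0x00222004u },
    { "\\Driver\\ExampleTool",   0x9C402410u },
};

/* Hypothetical storage directory of the preset (protected) application. */
static const char PROTECTED_DIR[] = "C:\\Program Files\\ExampleAV";

/* Case-insensitive comparison of two NUL-terminated names. */
static int ci_equal(const char *a, const char *b) {
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
        a++; b++;
    }
    return *a == *b;   /* equal only if both strings ended together */
}

/* S204: look the resolved target driver up in the preset table. */
static const struct watched_driver *find_watched(const char *driver) {
    for (size_t i = 0; i < sizeof WATCHED / sizeof WATCHED[0]; i++)
        if (ci_equal(WATCHED[i].name, driver)) return &WATCHED[i];
    return NULL;
}

/* S207/S208: read the path out of the buffer, trusting only the length
 * parameter (the buffer need not be NUL-terminated), then test whether it
 * lies under dir. A separator must follow the directory name, so that a
 * sibling directory sharing the same prefix does not match. */
static int path_under_dir(const char *buf, size_t len, const char *dir) {
    if (buf == NULL) return 0;
    const char *nul = memchr(buf, '\0', len);
    size_t plen = nul ? (size_t)(nul - buf) : len;
    size_t dlen = strlen(dir);
    if (plen < dlen + 2) return 0;       /* need dir + '\' + a file name */
    for (size_t i = 0; i < dlen; i++)
        if (tolower((unsigned char)buf[i]) != tolower((unsigned char)dir[i]))
            return 0;
    return buf[dlen] == '\\';
}

/* driver: target driver resolved from the file handle (S202/S203)
 * code:   control code parameter
 * buf/len: buffer and length parameters of the transmitted information */
enum verdict decide(const char *driver, uint32_t code,
                    const char *buf, size_t len) {
    const struct watched_driver *w;
    if (driver == NULL || (w = find_watched(driver)) == NULL)
        return PASS_THROUGH;                      /* S204 "no"  -> S205 */
    if (code != w->end_process_code)
        return PASS_THROUGH;                      /* S206 "no"  -> S205 */
    if (!path_under_dir(buf, len, PROTECTED_DIR))
        return PASS_THROUGH;                      /* S208 "no"  -> S205 */
    return BLOCK;                                 /* S209: stop transmission */
}

int main(void) {
    /* Constructed sample requests. */
    const char *av = "C:\\Program Files\\ExampleAV\\avsvc.exe";
    const char *other = "C:\\Temp\\notepad.exe";
    printf("kill protected process: %d\n",
           decide("\\Driver\\ExampleKiller", 0x00222004u, av, strlen(av)));
    printf("kill unrelated process: %d\n",
           decide("\\Driver\\ExampleKiller", 0x00222004u, other, strlen(other)));
    printf("unlisted driver:        %d\n",
           decide("\\Driver\\Disk", 0x00222004u, av, strlen(av)));
    return 0;
}
```

The prefix test requires a path separator after the directory so that a sibling directory such as `ExampleAVEvil` is not treated as protected; a production filter would also normalize the path (8.3 short names, `..` components, NT device prefixes) before comparing.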
To realize the above embodiments, the present invention also proposes a process operation control device.
Fig. 3 is a structural diagram of the interception device for an end-process operation according to one embodiment of the present invention.
As shown in Fig. 3, the interception device for an end-process operation of the embodiment of the present invention comprises: an interception module 10, a determining module 20, a judging module 30 and a control module 40.
The interception module 10 is used to intercept the communication content that a process of an application program transmits to the driver of the application program.
The communication content that the process of the application program transmits to the driver may include target driver information and operation instruction information. The operation instruction information is used to instruct the target driver to perform a corresponding operation, and includes operation identification information (such as a command code) and operation target information.
In one embodiment of the present invention, the interception module 10 may be specifically configured to intercept, by means of a hook function, the communication function through which the process of the application program transmits to the driver, obtain the parameters of the communication function, and take the parameters of the communication function as the communication content. The parameters of the communication function include a file handle parameter (corresponding to the target driver information), a control code parameter (corresponding to the operation identification information), and the buffer and length parameters of the transmitted information (corresponding to the operation target information).
Taking the Windows system as an example, when a process in the system calls the communication function between a process and a driver (i.e. the NtDeviceIoControlFile function) to send a message to its driver, the interception module 10 can use a hook function to intercept the NtDeviceIoControlFile function before the message reaches the driver. After intercepting the NtDeviceIoControlFile function, the hook function has control of the NtDeviceIoControlFile function, and can therefore obtain from it the file handle parameter, the control code parameter, the buffer and length parameters of the transmitted information, and so on.
The determining module 20 is configured to determine the target driver of the communication content and to judge whether the target driver is a driver that needs to be intercepted.
More specifically, the determining module 20 may determine the target driver of the communication content according to the target driver information in the communication content.
In one embodiment of the invention, the determining module 20 may be specifically configured to: determine the file object corresponding to the file handle parameter; determine the driver corresponding to the file object and take that driver as the target driver; and judge whether the target driver is a driver that needs to be intercepted.
The file handle parameter is the identification information of a file object, so the file object corresponding to the file handle parameter, that is, the object corresponding to the transmission destination of the communication content, can be determined from it.
When a driver is installed, a driver object corresponding to that driver is created. Therefore, once the file object corresponding to the communication content has been determined, the determining module 20 can determine which driver's driver object this file object belongs to, and thereby obtain the target driver.
A data table of the drivers that need to be intercepted may be preset, so that the determining module 20 can match the target driver of the communication content against the data table; if the target driver of the communication content is present in the data table, the target driver is a driver that needs to be intercepted.
The judging module 30 is configured to further judge, if the target driver is a driver that needs to be intercepted, whether the communication content is used to instruct the target driver to end a related process of the preset application program.
Specifically, the judging module 30 may determine, according to the operation identification information in the operation instruction information, whether the operation that the target driver is to perform is an end-process operation. If so, it further judges, according to the operation target information, whether the process to be ended is a related process of the preset application program; if so, it judges that the communication content is used to instruct the target driver to end a related process of the preset application program.
In one embodiment of the invention, the judging module 30 may be specifically configured to: judge, according to the command code parameter, whether the communication content is used to instruct the target driver to perform an end-process operation; if so, further determine the path information of the process to be ended according to the buffer and length parameters of the transmitted information; judge, according to the path information, whether the process to be ended is located under the storage directory of the preset application program; and, if it is under the storage directory of the preset application program, judge that the communication content is used to instruct the target driver to end a related process of the preset application program.
The command code parameter is an instruction sequence number that tells the CPU (Central Processing Unit) which instruction to execute; the buffer and length parameters of the transmitted information identify the storage location of the operation target corresponding to the command code parameter. Thus, if the command code parameter corresponds to an end-process instruction, it can be judged that the communication content is used to instruct the target driver to perform an end-process operation, and the path information of the operation target corresponding to the command code parameter can be determined from the buffer and length parameters of the transmitted information.
The control module 40 is configured to stop transmitting the communication content when the communication content is used to instruct the target driver to end a related process of the preset application program.
As a result, the instruction to end a related process of the preset application program is not passed to the target driver, the related process of the preset application program is not maliciously ended, and the security and stability of the system environment are safeguarded.
In one embodiment of the invention, the control module 40 is further configured to: if the communication content is not used to instruct the target driver to end a related process of the preset application program, continue transmitting the communication content so as to complete this communication.
It should be understood that, in one embodiment of the invention, the preset application program may be a security protection program, that is, security software. With the embodiment of the invention, the related processes of the security protection program can thus be protected from being maliciously ended by other programs, which provides effective protection for the user's system environment and improves its security and stability.
The interception device for ending process operation of the embodiment of the invention intercepts the communication content that the process of an application program transmits to the driver and, when it judges that the communication content is used to instruct a driver that needs to be intercepted to end a related process of the preset application program, stops transmitting that communication content. It can thereby accurately capture the case in which a process of a malicious program calls on its driver to end a related process of the preset application program, and intercept it. This prevents processes that should not be ended from being maliciously ended and safeguards the security and stability of the user's system environment.
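The decision chain of modules 20 to 40 can be written out as follows. This is an added example in portable C, not code from the patent: the driver names, control codes and protected directory are constructed values, the driver name is assumed to be already resolved from the file handle, and the buffer is assumed to carry the target path as a narrow string.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One intercepted call, reduced to the parameters the description lists.
   Assumption: the driver name has already been resolved from the file handle. */
struct ioctl_request {
    const char *driver;     /* target driver behind the file handle */
    uint32_t control_code;  /* control code parameter */
    const char *buf;        /* transmitted buffer, possibly unterminated */
    size_t len;             /* buffer length in bytes */
};

/* Preset data table of drivers to intercept (constructed names and codes). */
struct watched_driver { const char *name; uint32_t end_process_code; };
static const struct watched_driver WATCHED[] = {
    { "\\Driver\\ExampleKiller", 0x00222004u },
    { "\\Driver\\ExampleTool",   0x00222408u },
};

/* Storage directory of the preset application (constructed). */
static const char PROTECTED_DIR[] = "C:\\Program Files\\ExampleAV";

enum verdict { PASS_THROUGH = 0, BLOCK = 1 };

/* Case-insensitive character match that treats both separators as equal. */
static int same_char(char a, char b) {
    if ((a == '/' || a == '\\') && (b == '/' || b == '\\')) return 1;
    return tolower((unsigned char)a) == tolower((unsigned char)b);
}

/* True when the first n bytes of a start with all of b. */
static int prefix_eq(const char *a, size_t n, const char *b) {
    size_t bl = strlen(b);
    if (n < bl) return 0;
    for (size_t i = 0; i < bl; i++)
        if (!same_char(a[i], b[i])) return 0;
    return 1;
}

static const struct watched_driver *find_watched(const char *driver) {
    for (size_t i = 0; i < sizeof WATCHED / sizeof WATCHED[0]; i++)
        if (strlen(driver) == strlen(WATCHED[i].name) &&
            prefix_eq(driver, strlen(driver), WATCHED[i].name))
            return &WATCHED[i];
    return NULL;
}

/* True when path[0..n) names something inside dir. The separator check keeps
   a sibling directory such as "ExampleAV2" from matching "ExampleAV". */
static int path_under_dir(const char *path, size_t n, const char *dir) {
    size_t d = strlen(dir);
    if (n <= d + 1 || !prefix_eq(path, n, dir)) return 0;
    return path[d] == '\\' || path[d] == '/';
}

enum verdict decide(const struct ioctl_request *r) {
    const struct watched_driver *w = r->driver ? find_watched(r->driver) : NULL;
    if (w == NULL) return PASS_THROUGH;           /* not a driver to intercept */
    if (r->control_code != w->end_process_code)
        return PASS_THROUGH;                      /* not an end-process request */
    if (r->buf == NULL || r->len == 0) return PASS_THROUGH;
    /* Bound the path by the length parameter, not by a terminator the
       caller may have omitted. */
    const char *nul = memchr(r->buf, '\0', r->len);
    size_t n = nul ? (size_t)(nul - r->buf) : r->len;
    return path_under_dir(r->buf, n, PROTECTED_DIR) ? BLOCK : PASS_THROUGH;
}

int main(void) {
    static const char av[] = "c:\\program files\\exampleav\\bin\\avsvc.exe";
    struct ioctl_request r = { "\\Driver\\ExampleKiller", 0x00222004u, av, sizeof av };
    printf("%s\n", decide(&r) == BLOCK ? "blocked" : "passed through");
    return 0;
}
```

The directory check compares the path string as received, so a real filter would canonicalise the path before this comparison.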
To implement the above embodiments, the invention further proposes an electronic device.
The electronic device of the embodiment of the invention includes a housing, a display, a circuit board and a processor, wherein the circuit board is placed inside the space enclosed by the housing, the display is outside the housing and connected to the circuit board, and the processor is arranged on the circuit board; the processor is used to process data and is specifically configured to perform:
S101', intercept the communication content that the process of an application program transmits to the driver of the application program.
The communication content that the process of the application program transmits to the driver may include target driver information and operation instruction information. The operation instruction information is used to instruct the target driver to perform the corresponding operation and includes operation identification information (such as a command code) and operation target information.
S102', determine the target driver of the communication content, and judge whether the target driver is a driver that needs to be intercepted.
Specifically, the target driver of the communication content can be determined according to the target driver information in the communication content.
A data table of the drivers that need to be intercepted may be preset, so that the target driver of the communication content can be matched against the data table; if the target driver of the communication content is present in the data table, the target driver is a driver that needs to be intercepted.
S103', if the target driver is a driver that needs to be intercepted, further judge whether the communication content is used to instruct the target driver to end a related process of the preset application program.
Specifically, whether the operation that the target driver is to perform is an end-process operation can be determined according to the operation identification information in the operation instruction information. If so, whether the process to be ended is a related process of the preset application program is further judged according to the operation target information; if so, the communication content is judged to be used to instruct the target driver to end a related process of the preset application program.
S104', if the communication content is used to instruct the target driver to end a related process of the preset application program, stop transmitting the communication content.
As a result, the instruction to end a related process of the preset application program is not passed to the target driver, the related process of the preset application program is not maliciously ended, and the security and stability of the system environment are safeguarded.
S105', if the communication content is not used to instruct the target driver to end a related process of the preset application program, continue transmitting the communication content so as to complete this communication.
In addition, the processor of the electronic device of the embodiment of the invention is further configured to perform the steps shown in Fig. 2; for details, refer to the embodiment shown in Fig. 2, which is not repeated here.
The electronic device of the embodiment of the invention intercepts the communication content that the process of an application program transmits to the driver and, when it judges that the communication content is used to instruct a driver that needs to be intercepted to end a related process of the preset application program, stops transmitting that communication content. It can thereby accurately capture the case in which a process of a malicious program calls on its driver to end a related process of the preset application program, and intercept it. This prevents processes that should not be ended from being maliciously ended and safeguards the security and stability of the user's system environment.
In the description of the invention, it should be understood that terms such as "center", "longitudinal", "transverse", "length", "width", "thickness", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", "clockwise", "counterclockwise", "axial", "radial" and "circumferential" indicate orientations or positional relationships based on those shown in the drawings. They are used only to facilitate and simplify the description of the invention and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation; they therefore must not be construed as limiting the invention.
In addition, the terms "first" and "second" are used for descriptive purposes only and must not be understood as indicating or implying relative importance or as implicitly indicating the number of the technical features referred to. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the invention, "multiple" means two or more, for example two, three and so on, unless otherwise specifically limited.
In the invention, unless otherwise clearly specified and limited, terms such as "installed", "connected", "coupled" and "fixed" should be understood broadly: for example, a connection may be fixed, detachable or integral; it may be mechanical or electrical; it may be direct or indirect through an intermediary; and it may be an internal connection between two elements or an interaction between two elements, unless otherwise clearly limited. A person of ordinary skill in the art can understand the specific meaning of these terms in the invention according to the specific circumstances.
In the invention, unless otherwise clearly specified and limited, a first feature being "on" or "under" a second feature may mean that the first and second features are in direct contact, or that they are in indirect contact through an intermediary. Moreover, a first feature being "on", "above" or "over" a second feature may mean that the first feature is directly above or obliquely above the second feature, or merely that the first feature is at a higher level than the second feature. A first feature being "under", "below" or "beneath" a second feature may mean that the first feature is directly below or obliquely below the second feature, or merely that the first feature is at a lower level than the second feature.
In the description of this specification, a description referring to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. In this specification, schematic uses of these terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples. In addition, provided they do not contradict one another, a person skilled in the art may combine the different embodiments or examples described in this specification and the features of those different embodiments or examples.
Although embodiments of the invention have been shown and described above, it should be understood that the above embodiments are exemplary and must not be construed as limiting the invention; a person of ordinary skill in the art may change, modify, replace and vary the above embodiments within the scope of the invention.

Claims (10)

1. An interception method for ending process operation, characterized by comprising the following steps:
intercepting the communication content that the process of an application program transmits to the driver of the application program;
determining the target driver of the communication content, and judging whether the target driver is a driver that needs to be intercepted;
if the target driver is a driver that needs to be intercepted, further judging whether the communication content is used to instruct the target driver to end a related process of a preset application program;
if the communication content is used to instruct the target driver to end a related process of the preset application program, stopping transmission of the communication content.
2. The interception method for ending process operation according to claim 1, characterized in that intercepting the communication content that the process of the application program transmits to the driver of the application program specifically comprises:
intercepting, by means of a hook function, the communication function that the process of the application program passes to the driver, obtaining the parameters of the communication function, and using the parameters of the communication function as the communication content, wherein the parameters of the communication function include a file handle parameter, a control code parameter, and the buffer and length parameters of the transmitted information.
3. The interception method for ending process operation according to claim 2, characterized in that determining the target driver of the communication content and judging whether the target driver is a driver that needs to be intercepted specifically comprises:
determining the file object corresponding to the file handle parameter;
determining the driver corresponding to the file object, and taking the driver corresponding to the file object as the target driver;
judging whether the target driver is a driver that needs to be intercepted.
4. The interception method for ending process operation according to claim 2, characterized in that judging whether the communication content is used to instruct the target driver to end a related process of the preset application program specifically comprises:
judging, according to the command code parameter, whether the communication content is used to instruct the target driver to perform an end-process operation;
if so, further determining the path information of the process to be ended according to the buffer and length parameters of the transmitted information;
judging, according to the path information, whether the process to be ended is located under the storage directory of the preset application program;
if it is under the storage directory of the preset application program, judging that the communication content is used to instruct the target driver to end a related process of the preset application program.
5. The interception method for ending process operation according to any one of claims 1-4, characterized by further comprising:
if the communication content is not used to instruct the target driver to end a related process of the preset application program, continuing to transmit the communication content so as to complete this communication.
6. The interception method for ending process operation according to any one of claims 1-4, characterized in that the preset application program is a security protection program.
7. An interception device for ending process operation, characterized by comprising:
an interception module, configured to intercept the communication content that the process of an application program transmits to the driver of the application program;
a determining module, configured to determine the target driver of the communication content and to judge whether the target driver is a driver that needs to be intercepted;
a judging module, configured to further judge, if the target driver is a driver that needs to be intercepted, whether the communication content is used to instruct the target driver to end a related process of a preset application program;
a control module, configured to stop transmitting the communication content when the communication content is used to instruct the target driver to end a related process of the preset application program.
8. The interception device for ending process operation according to claim 7, characterized in that the interception module is specifically configured to:
intercept, by means of a hook function, the communication function that the process of the application program passes to the driver, obtain the parameters of the communication function, and use the parameters of the communication function as the communication content, wherein the parameters of the communication function include a file handle parameter, a control code parameter, and the buffer and length parameters of the transmitted information.
9. The interception device for ending process operation according to claim 8, characterized in that the determining module is specifically configured to:
determine the file object corresponding to the file handle parameter;
determine the driver corresponding to the file object, and take the driver corresponding to the file object as the target driver;
judge whether the target driver is a driver that needs to be intercepted.
10. The interception device for ending process operation according to claim 8, characterized in that the judging module is specifically configured to:
judge, according to the command code parameter, whether the communication content is used to instruct the target driver to perform an end-process operation;
if so, further determine the path information of the process to be ended according to the buffer and length parameters of the transmitted information;
judge, according to the path information, whether the process to be ended is located under the storage directory of the preset application program;
if it is under the storage directory of the preset application program, judge that the communication content is used to instruct the target driver to end a related process of the preset application program.
CN201510939388.6A 2015-12-15 2015-12-15 Interception method and device for ending process operation and electronic equipment Active CN106886691B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510939388.6A CN106886691B (en) 2015-12-15 2015-12-15 Interception method and device for ending process operation and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510939388.6A CN106886691B (en) 2015-12-15 2015-12-15 Interception method and device for ending process operation and electronic equipment

Publications (2)

Publication Number Publication Date
CN106886691A true CN106886691A (en) 2017-06-23
CN106886691B CN106886691B (en) 2020-01-14

Family

ID=59173901

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510939388.6A Active CN106886691B (en) 2015-12-15 2015-12-15 Interception method and device for ending process operation and electronic equipment

Country Status (1)

Country Link
CN (1) CN106886691B (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7472288B1 (en) * 2004-05-14 2008-12-30 Trend Micro Incorporated Protection of processes running in a computer system
CN101901321A (en) * 2010-06-04 2010-12-01 华为终端有限公司 Method, device and system for defending malicious program for terminal
CN102156834A (en) * 2011-04-18 2011-08-17 北京思创银联科技股份有限公司 Method for realizing program killing prevention
CN102982283A (en) * 2012-11-27 2013-03-20 蓝盾信息安全技术股份有限公司 System and method for killing protected malicious computer process
CN104573420A (en) * 2014-12-26 2015-04-29 北京奇虎科技有限公司 Method and device for preventing processes from being mistakenly killed

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108446553A (en) * 2018-03-22 2018-08-24 北京金山安全软件有限公司 Process protection method and device and electronic equipment
CN108446553B (en) * 2018-03-22 2021-11-12 北京金山安全软件有限公司 Process protection method and device and electronic equipment

Also Published As

Publication number Publication date
CN106886691B (en) 2020-01-14

Similar Documents

Publication Publication Date Title
US8769433B2 (en) Method and apparatus for protecting communication of information through a graphical user interface
US7904959B2 (en) Systems and methods for detecting and inhibiting attacks using honeypots
CN104021336B (en) A kind of information processing method and device
WO2007149140A3 (en) System and method for providing transactional security for an end-user device
CN105264540A (en) Cryptographic label for attachment to a communication card
EP2341457B1 (en) System and method for loading application classes
CN104268470A (en) Security control method and security control device
CN105592039A (en) Security equipment implementation system capable of setting authority, and implementation method thereof
CN106886691A (en) Interception method and device for ending process operation and electronic equipment
CN102984134A (en) Safe defense system
KR20040090373A (en) Method for realtime monitoring/detecting/curing virus on wireless terminal
CN105844161A (en) Security defense method, device and system
CN106203119B (en) Hide processing method, device and the electronic equipment of cursor
CN109474560A (en) Control method, device and the computer readable storage medium of network access
CN106203094A (en) Window content processing method and device and terminal equipment
CN104462989A (en) Method and system for installing application program between multiple systems and terminal
CN108446553A (en) Process protection method and device and electronic equipment
CN102467622B (en) Method and device for monitoring opened file
CN103793645A (en) Hypercall protection method
CN101706852A (en) Online game password protecting device and method thereof
CN106022122A (en) Information processing method and device
CN106127041A (en) Method and device for preventing clipboard data from being monitored and terminal equipment
EP3040895A1 (en) System and method for protecting a device against return-oriented programming attacks
CN106203079A (en) Cursor processing method and device and terminal equipment
CN106169046A (en) Method and device for preventing message hook injection and terminal equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20181211

Address after: 519030 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province

Applicant after: Zhuhai Leopard Technology Co.,Ltd.

Address before: 519070, six level 601F, 10 main building, science and technology road, Tangjia Bay Town, Zhuhai, Guangdong.

Applicant before: Zhuhai Juntian Electronic Technology Co.,Ltd.

Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.

GR01 Patent grant