CN107330322A - File safety protection method, device and equipment - Google Patents

File safety protection method, device and equipment

Info

Publication number: CN107330322A
Authority: CN (China)
Prior art keywords: file, trap, traversal, malicious, function
Legal status: Pending
Application number: CN201710419661.1A
Other languages: Chinese (zh)
Inventors: 王亮, 何博
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd
Priority to CN201710419661.1A
Publication of CN107330322A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements, eliminating virus, restoring damaged files


Abstract

Embodiments of the invention provide a file safety protection method, device and equipment. The method includes: intercepting a process's traversal request for files; carrying the information of a trap file in the result corresponding to the traversal request; and, if a preset operation by the process on the trap file is monitored, determining that the process is a malicious process. The file safety protection method provided by the embodiments of the present invention can improve the accuracy and objectivity of the safety detection result for a process, and can improve the coverage of malicious processes. Because only processes that have passed the safety detection are allowed to operate on documents, documents are better protected.

Description

File safety protection method, device and equipment
Technical field
The present invention relates to the field of information security technology, and in particular to a file safety protection method, device and equipment.
Background technology
With the continuing development of social informatization, malicious processes, that is, rogue programs, are also continuously increasing. At present some malicious processes encrypt almost every kind of document on the user's terminal device, such as pictures, documents, compressed packages, audio and video, in order to demand a ransom from the user. To prevent malicious processes from attacking terminal devices such as computers, it is necessary to monitor the transmission routes by which a terminal device is easily infected by rogue programs.
The procedure by which an existing scheme monitors malicious processes on a terminal device is as follows: within a predetermined time period, the number of edits made to the documents to be detected is accumulated; if the accumulated count exceeds a preset dangerous count, a dialog box is displayed asking whether to prevent further editing of the documents to be detected; and if a prevention instruction is received, it is determined, by means of a preset process blacklist, that a malicious process exists on the terminal device. For example, the types of document to be detected include .doc documents, .rar documents, .psd documents and so on; if it is monitored that 5 of the documents to be detected are edited within one minute, the accumulated edit count exceeds the preset dangerous count, and the process that performed the edits is determined to be a malicious process.
However, the existing scheme relies on a process blacklist, and because malicious processes are continuously increasing it cannot be guaranteed that the process blacklist covers all malicious processes; as a result, malicious processes cannot be identified comprehensively.
Summary of the invention
In view of the problem that existing schemes for monitoring malicious processes cannot identify malicious processes comprehensively, the present invention is proposed to provide a file safety protection method, device and equipment that overcome the above problem.
According to one aspect of the present invention, a file safety protection method is provided, including: intercepting a process's traversal request for files; carrying the information of a trap file in the result corresponding to the traversal request; and, if a preset operation by the process on the trap file is monitored, determining that the process is a malicious process.
According to another aspect of the present invention, a document security protection device is provided, including: a request interception module, for intercepting a process's traversal request for files; a result return module, for carrying the information of a trap file in the result corresponding to the traversal request; and a process detection module, for determining that the process is a malicious process if a preset operation by the process on the trap file is monitored.
According to another aspect of the present invention, equipment for document security protection is provided, including: one or more processors; and one or more machine-readable media having instructions stored thereon which, when executed by the one or more processors, cause the equipment to perform one or more of the file safety protection methods shown in the embodiments of the present invention.
According to another aspect of the present invention, one or more machine-readable media are provided, having instructions stored thereon which, when executed by one or more processors, cause equipment to perform one or more of the file safety protection methods shown in the embodiments of the present invention.
The file safety protection method, device and equipment provided by the embodiments of the present invention perform safety detection of a process based on the behavioural characteristic of malicious processes that "file enumeration is achieved by a traversal request for files, and batch malicious operations are then performed on the files". Malicious processes both covered and not covered by a process blacklist may exhibit this behavioural characteristic; therefore the embodiments can improve the accuracy and objectivity of the safety detection result for a process, and can improve the coverage of malicious processes. Because only processes that have passed the safety detection are allowed to operate on documents, documents are better protected.
The above is only an overview of the technical solution of the present invention. In order to better understand the technical means of the present invention, so that it may be practiced according to the content of the specification, and in order to make the above and other objects, features and advantages of the present invention more apparent, embodiments of the present invention are set out below.
Brief description of the drawings
By reading the following detailed description of optional embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of showing optional embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, identical parts are denoted by the same reference numerals. In the drawings:
Fig. 1 shows a flow chart of the steps of a file safety protection method according to an embodiment of the invention;
Fig. 2 shows a flow chart of the steps of a file safety protection method according to an embodiment of the invention;
Fig. 3 shows a flow chart of the steps of a file safety protection method according to an embodiment of the invention;
Fig. 4 shows a schematic structural diagram of a document security protection device according to an embodiment of the invention;
Fig. 5 shows a schematic structural diagram of a document security protection device according to an embodiment of the invention; and
Fig. 6 shows a block diagram of equipment for document security protection according to an exemplary embodiment.
Embodiments
Exemplary embodiments of the disclosure are described more fully below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided so that the disclosure is understood more thoroughly and its scope is conveyed completely to those skilled in the art.
In practice, when a malicious process encrypts a document, it generally first reads the file content from disk into memory, then rewrites the file content in memory according to its encryption algorithm, and finally writes the rewritten file content back to the file or to a newly created file. The embodiments of the present invention are based on the finding that such a malicious process has the following behavioural characteristic: before encrypting files, the first thing it does is to enumerate multiple files on disk, and it then performs batch encryption on the file list obtained from the enumeration; and a malicious process generally achieves file enumeration by means of a traversal request for files.
One of the inventive concepts of the embodiments of the present invention is: intercept a process's traversal request for files; carry the information of a trap file in the result corresponding to the traversal request; and, if a preset operation by the process on the trap file is monitored, determine that the process is a malicious process. The trap file may be a profile, and the preset operation of the process on the trap file may be an operation that a malicious process performs on files, such as a modification, deletion or move operation that changes the current state of the file. Because the embodiments perform safety detection of a process according to the behavioural characteristic of malicious processes that "file enumeration is achieved by a traversal request for files, and batch malicious operations are then performed on the files", and malicious processes both covered and not covered by a process blacklist may exhibit this characteristic, the embodiments can improve the accuracy and objectivity of the safety detection result for a process, and can improve the coverage of malicious processes.
Embodiment one
Referring to Fig. 1, a flow chart of the steps of a file safety protection method of embodiment one of the present invention is shown.
The file safety protection method of this embodiment may specifically include the following steps:
Step 101: intercept a process's traversal request for files.
The file safety protection method of this embodiment may be performed on the terminal device side. Optionally, the terminal device may be a terminal in a local area network and/or a wide area network; an example of a local area network is an enterprise network.
Multiple files are stored on disk. In practice, a process may traverse all files stored on disk, or it may traverse part of the files stored on disk by setting search conditions. When a process traverses files, it calls a file traversal function (a file traversal interface) to obtain a file list; the embodiments can intercept the process's call request for the file traversal function, and thereby intercept the process's traversal request for files.
Specifically, the file traversal function can be intercepted based on the Hook API (hooked application programming interface) principle: the file traversal function is hooked with a hook function, and when the file traversal function is called by a process, the hook function intercepts that call.
Step 102: carry the information of a trap file in the result corresponding to the traversal request.
The trap file may be different from the user files and operating system files on the terminal device; those skilled in the art may preset a trap file at a preset path on disk according to practical requirements. Optionally, the trap file may be a hidden file, so that the user cannot see it when operating the terminal device and it does not interfere with the user. The information of the trap file may be the handle of the trap file.
The trap file may be of a common document type, for example a document with an extension such as .doc, .docx, .docb, .docm, .dot, .dotm, .dotx, .xls, .xlsx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .ppt, .pptx, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .pst, .ost, .msg, .eml, .edb, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .jpeg, .jpg, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx or .der. Of course, the embodiments of the present invention do not limit the specific type of the trap file.
After intercepting a process's traversal request for files, the embodiments may determine the result corresponding to the traversal request according to practical requirements; specifically, the information of the trap file may be carried in the result corresponding to the traversal request. Because the trap file may be different from the user files and operating system files on the terminal device, malicious operations by a malicious process on user files or operating system files can be avoided to a certain extent. Moreover, whether the process is a malicious process can be judged by the process's operation on the trap file.
In the embodiments, the information of the trap file is carried in the result after the result has been intercepted. Carrying the trap file information may include, but is not limited to: inserting the information of the trap file before the information contained in the result, or replacing the information contained in the result with the information of the trap file. The information of the trap file may be the handle of the trap file; of course, the embodiments do not limit the specific information of the trap file.
Step 103: if a preset operation by the process on the trap file is monitored, determine that the process is a malicious process.
The embodiments can judge whether a process is a malicious process by the process's operation on the trap file. Specifically, if a preset operation by the process on the trap file is monitored, the process is determined to be a malicious process. Optionally, the preset operation may include but is not limited to: a deletion operation, a modification operation, a move operation, an encryption operation, and so on. It will be appreciated that after the process has been determined to be malicious, its behaviour can be intercepted, so malicious operations by the malicious process on user files or operating system files can be avoided to a certain extent.
Optionally, monitoring the process's preset operation on the trap file may include: monitoring whether the process issues, for the trap file, a call request to the file processing function corresponding to the preset operation (such as a file read function, a file write function, a file delete function, etc.). Of course, the embodiments do not limit the specific way in which the process's preset operation on the trap file is monitored.
It should be noted that if no preset operation by the process on the trap file is monitored, the process's behaviour may be allowed to proceed. Alternatively, other process detection methods may also be used to judge whether the process is malicious, and whether to allow the process's behaviour is then decided according to the corresponding detection result.
In summary, the file safety protection method provided by the embodiments of the present invention performs safety detection of a process based on the behavioural characteristic of malicious processes that "file enumeration is achieved by a traversal request for files, and batch malicious operations are then performed on the files". Malicious processes both covered and not covered by a process blacklist may exhibit this behavioural characteristic; therefore the embodiments can improve the accuracy and objectivity of the safety detection result for a process, and can improve the coverage of malicious processes. Because only processes that have passed the safety detection are allowed to operate on documents, documents are better protected.
Embodiment two
Referring to Fig. 2, a flow chart of the steps of a file safety protection method of embodiment two of the present invention is shown.
The file safety protection method of this embodiment specifically includes the following steps:
Step 201: create a trap file in a disk directory.
The trap file may be located at any appropriate position in the disk directory. Optionally, the trap file may be a hidden file, so that the user cannot see it when operating the terminal device.
Step 202: intercept the process's call request for the file traversal function by means of a hook function that hooks the file traversal function.
The file traversal function may include a first-file lookup function, which is used to find the first directory or first file in a specified disk or folder. Optionally, the hook function may hook the first-file lookup function; this is the case taken as the example in this embodiment. The file traversal function may also include a next-file lookup function, which is used to find the next file located in the same folder as a specified file.
In practice, a process can traverse the files stored on disk by calling the file traversal function, and finally obtains the required file directory, which may include the information of multiple files. The information of a file may be the handle of the file.
Step 203: by means of the hook function, insert the information of the trap file before the information of the first file returned by the first-file lookup function.
In this embodiment, when the file traversal function is called by a process, the first-file lookup function is called first. Because the first-file lookup function is hooked by the hook function, the information of the first file found by the first-file lookup function is returned to the process as the result only after the hook function has intercepted that result, obtained the information of the trap file, inserted it before the information of the first file, and returned. After the first-file lookup function has successfully returned a result, the next-file lookup function is executed to find and return the information of the second file; the next-file lookup function is repeated to find the information of the third file, the fourth file and so on, until all files to be found have been traversed, at which point the process obtains the file list generated by the traversal.
It should be noted that in a specific implementation, instead of inserting the trap file before the information of the first file, the information of the trap file may replace the information of the first file.
An optional way of setting up the file traversal function in this embodiment is: the file traversal function includes the functions FindFirstFile(), FindNextFile() and GetLastError(); in this optional implementation the hook function hooks FindFirstFile().
When the file traversal function is called by a process, FindFirstFile() is executed first; FindFirstFile() finds the first file or directory of the specified directory and returns the handle of the found file as its return value. Because the hook function is hooked to FindFirstFile(), the hook function intercepts the return value of FindFirstFile() and carries the handle of the trap file in that return value.
If the call succeeds, the handle of the found file or directory is returned, and FindNextFile() is then executed to find the handle of the next file; if it fails, INVALID_HANDLE_VALUE is returned, and GetLastError() then needs to be called.
The prototype of FindFirstFile is as follows:
    HANDLE FindFirstFile(
        LPCTSTR lpFileName,                // directory name (search pattern)
        LPWIN32_FIND_DATA lpFindFileData   // data buffer for the found entry
    );
The parameter lpFileName is [input] a pointer to a string specifying a valid directory. lpFileName is the directory name, and the directory name typically uses wildcards. For example, specifying the directory in the form "..\abc\*.*" looks for the first file or directory in the abc directory; Word documents in particular can be searched for with the keyword *.doc.
lpFindFileData is [output] a pointer to a WIN32_FIND_DATA structure, used to store the information of the found file or directory.
Step 204: if a preset operation by the process on the trap file is monitored, determine that the process is a malicious process.
Because the user cannot see the trap file when operating the terminal device, if a preset operation is triggered on the trap file, it can be considered that the preset operation was triggered by a malicious process.
Step 205: when the process is a malicious process, intercept the behaviour of the process.
Intercepting the behaviour of the process may specifically include: intercepting, in the operating system kernel, the request to load the file into memory, so that the process's operation on the trap file is effectively intercepted. Because the trap file is the first file operated on by the process, and the process's operation on it has been intercepted, the process cannot operate on the subsequent files in the enumerated file list either; the process's behaviour toward the batch of traversed files is therefore intercepted.
Step 206: kill the process and/or the process chain associated with the process.
After intercepting the behaviour of the process, the process and/or the process chain associated with the process is killed, so that malicious processes derived from the process and/or process chain cannot subsequently attack the system again. It should be noted that this step is optional; those skilled in the art may choose whether to perform it according to actual requirements.
In summary, in the file safety protection method provided by this embodiment, the hook function intercepts the information of the first file returned by the first-file lookup function, inserts the information of the trap file before it, and then returns to the process a file list in which the trap file is the first entry. If the process is a malicious process, it will inherently operate on the large batch of traversed files, so it must trigger the preset operation on the trap file. Thus, by judging whether the process triggers the preset operation on the trap file, this embodiment determines whether the process is a malicious process, which can improve the accuracy and objectivity of the safety detection result for the process.
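The following Python simulation is an added example, not code from the patent or from Qihoo. It models the procedure of embodiments one and two end to end: a hooked first-file lookup that either inserts the trap entry ahead of the real listing (step 203) or substitutes it for the first entry (the variant noted after step 203), a monitor on the file-processing functions that flags a process on its first preset operation against the trap (steps 103/204), and the interception of everything that process does afterwards (step 205). The paths, process ids, the TRAP_PATH name and the two constructed processes (one that batch-modifies every listed file, one that only reads) are all assumptions of the example; no real API is hooked.

```python
from typing import Dict, List, Set, Tuple

# Constructed values for this example; nothing here comes from a real system.
TRAP_PATH = r"C:\Users\demo\Documents\~trap.docx"    # hidden trap file (step 201)
PRESET_OPS = {"delete", "modify", "move", "encrypt"}  # preset operations (steps 103/204)
USER_FILES = [                                        # what an unhooked traversal returns
    r"C:\Users\demo\Documents\budget.xlsx",
    r"C:\Users\demo\Documents\thesis.docx",
    r"C:\Users\demo\Documents\photo.jpg",
]


class HookedTraversal:
    """Models FindFirstFile/FindNextFile with a hook on the first-file lookup.

    mode="insert"  puts the trap entry ahead of the real first entry (step 203).
    mode="replace" substitutes the trap entry for the real first entry (the
    variant noted after step 203).
    """

    def __init__(self, real_listing: List[str], trap_path: str, mode: str = "insert"):
        if mode not in ("insert", "replace"):
            raise ValueError("mode must be 'insert' or 'replace'")
        self.real_listing = list(real_listing)
        self.trap_path = trap_path
        self.mode = mode

    def enumerate(self) -> List[str]:
        """The file list the calling process ends up with after the hooked lookup."""
        if not self.real_listing:
            # Assumption of this example: an empty directory makes the first-file
            # lookup fail, so there is no return value for the hook to rewrite.
            return []
        rest = self.real_listing if self.mode == "insert" else self.real_listing[1:]
        return [self.trap_path] + rest


class TrapMonitor:
    """Models the monitor on the file-processing functions (steps 103/204) and
    the interception of a flagged process's later operations (step 205)."""

    def __init__(self, trap_path: str, preset_ops: Set[str] = PRESET_OPS):
        self.trap_path = trap_path
        self.preset_ops = set(preset_ops)
        self.verdict: Dict[int, str] = {}              # pid -> "malicious"
        self.trigger: Dict[int, Tuple[str, str]] = {}  # pid -> (op, path) that decided it

    def on_file_op(self, pid: int, op: str, path: str) -> str:
        """Called with every file operation; returns "allow" or "block"."""
        if self.verdict.get(pid) == "malicious":
            return "block"                   # step 205: everything after the verdict is intercepted
        if path == self.trap_path and op in self.preset_ops:
            self.verdict[pid] = "malicious"  # steps 103/204: preset operation on the trap
            self.trigger[pid] = (op, path)
            return "block"
        return "allow"                       # no trap hit: the behaviour is let through


def run_process(pid: int, op: str, traversal: HookedTraversal, monitor: TrapMonitor) -> List[str]:
    """Drive one process through the behavioural model the page describes:
    enumerate first, then apply `op` to every listed file in order.
    Returns the paths the monitor allowed it to touch."""
    touched = []
    for path in traversal.enumerate():
        if monitor.on_file_op(pid, op, path) == "allow":
            touched.append(path)
    return touched


def run_scenario(mode: str = "insert") -> dict:
    """Two constructed processes: pid 4242 batch-modifies everything it lists,
    pid 1001 only reads. Returns what each was allowed to do and its verdict."""
    traversal = HookedTraversal(USER_FILES, TRAP_PATH, mode)
    monitor = TrapMonitor(TRAP_PATH)
    batch = run_process(4242, "encrypt", traversal, monitor)
    reads = run_process(1001, "read", traversal, monitor)
    return {
        "listing": traversal.enumerate(),
        "batch_verdict": monitor.verdict.get(4242, "clean"),
        "batch_trigger": monitor.trigger.get(4242),
        "batch_user_files_touched": [p for p in batch if p != TRAP_PATH],
        "reader_verdict": monitor.verdict.get(1001, "clean"),
        "reader_touched": reads,
    }


if __name__ == "__main__":
    for mode in ("insert", "replace"):
        print(mode, run_scenario(mode))
```

Running it shows the property the summary above relies on: because the trap is the first entry the batch process sees, it is flagged before it reaches any user file, and every later operation from that pid is blocked; the read-only process touches the trap too but never trips a preset operation, so it is left alone. The "replace" mode makes the cost of that variant visible: the real first entry disappears from the listing that every process, benign or not, receives.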
In addition, in this embodiment, when the process is determined to be a malicious process, the process and/or the process chain associated with the process is killed, which prevents malicious processes derived from the process and/or process chain from subsequently attacking the system again.
Embodiment three
Referring to Fig. 3, a flow chart of the steps of a file safety protection method of embodiment three of the present invention is shown.
The file safety protection method of this embodiment specifically includes the following steps:
Step 301: create a trap file in a disk directory.
The trap file may be a hidden file.
Step 302: intercept the process's call request for the file traversal function by means of a hook function that hooks the file traversal function.
The file traversal function may include a first-file lookup function, and the hook function hooks the first-file lookup function.
In this embodiment, the hook function hooks the first-file lookup function of the file traversal function without hooking the other functions of the file traversal function; therefore the hook function only intercepts the return value of the first-file lookup function, and modifies that return value.
Step 303: by means of the hook function, insert the information of the trap file before the information of the first file returned by the first-file lookup function.
The information of the first file or the information of the trap file may be the handle of the file.
The information of the trap file inserted before the information of the first file is eventually returned to the process, so in the result corresponding to the traversal request obtained by the process, the trap file is the first file of the traversed file list. Because a malicious process, for example ransomware, first enumerates all the files on disk before performing illegal operations on them and then performs the illegal operations in batch according to the list, a process that is malicious will inherently operate first on the trap file at the head of the file list.
Step 304: if a preset operation by the process on the trap file is monitored and the process source of the process is malicious, determine that the process is a malicious process.
In this embodiment, when a preset operation by the process on the trap file is monitored, the process is not directly determined to be a malicious process; instead, whether the process is malicious is further determined by judging its process source, which can improve the accuracy of the process safety detection.
The current process may not be a process carried by the system on the terminal device; it may have been downloaded from a third-party website or application platform, for example a QQ platform, a malicious web address, a phishing website, etc. It is therefore necessary to determine the process source of the process. If the process source is malicious, the process can be determined to be a malicious process; conversely, if the process source is not malicious, the process can be judged to be a safe process.
Step 304 is described only with the example of further judging the safety of the process on the basis of the process source, which is one item of process attribute information. In a specific implementation, other attribute information of the process, for example the process signature, the process chain, etc., may also be used to further determine the safety of the process.
One optional way is:
If a preset operation by the process on the trap file is monitored and the parent process of the process is a malicious process, determine that the process is a malicious process.
Specifically, the parent process of the process can be determined from the process chain corresponding to the process; it is judged whether the parent process is a malicious process; if so, the process is determined to be a malicious process; if not, the process is determined to be a safe process.
A process chain is a relation chain in which a parent process derives a child process, and the child process in turn derives further child processes. Therefore, after the parent process has been determined to be a malicious process, the child process, being derived from the parent process, is also a malicious process.
It should be noted that the specific implementation is not limited to indirectly determining the safety of the process by its parent process; the safety of the process can also be determined indirectly by the child processes of the process. Specifically, when a child process of the process is determined to be a malicious process, the process can be determined to be a malicious process.
Another optional way is:
If a preset operation by the process on the trap file is monitored and the process signature of the process is untrusted, determine that the process is a malicious process.
Specifically, when determining whether the process signature of the process is trusted, it may first be judged whether the process has a corresponding process signature; if not, the process is determined to be a malicious process; if so, it is further judged whether the process signature is a trusted signature; if it is a trusted signature, the process is determined to be a safe process, and if it is an untrusted signature, the process is determined to be a malicious process.
Malicious processes generally have no signature, so it is first judged whether the process has a corresponding process signature, and if not, the process is directly determined to be a malicious process. In an optional way of this embodiment, a trusted signature list may be stored in advance; when judging whether the process signature is trusted, the process signature is compared with each signature in the trusted signature list; if an identical signature exists, the process signature is determined to be a trusted signature, otherwise the process signature is determined to be an untrusted signature.
Step 305:When process is malicious process, the behavior of process is intercepted, and enter to process and/or process are associated Journey chain carries out killing.
When carrying out killing to process, the information of process can be sent to killing software, be received by killing software foundation To process information determine process carry out killing.
When carrying out killing to the chain of processes that process is associated, the information of chain of processes can be sent to killing software, by looking into Kill software and determine that chain of processes carries out killing according to the information of received chain of processes.
To sum up, file safety protection method provided in an embodiment of the present invention, when the process that monitors is for the pre- of trap file When putting operation, the security of process is determined whether with reference to the attribute information of process, in particular by the process of process Source, process signature or chain of processes determine whether process is malicious process, it is possible to increase the safety detection result of process Accuracy.
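The detection flow of embodiments one to three (hooked traversal returning the trap entry first, the preset-operation check, the three attribute checks of step 304 and the process-chain kill of step 305), modelled as an added Python example that is not part of the patent. The trap file name, the preset-operation set, the trusted-signature list, the source labels and the process records are all constructed here; a real implementation would hook the file-traversal function in the operating system rather than a Python list.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Everything below is constructed for this example; none of it is the patent's code.
TRAP_NAME = ".sys_trap_0001"                            # hidden trap file name
PRESET_OPERATIONS = {"write", "rename", "delete"}       # "preset operations" on the trap
TRUSTED_SIGNATURES = {"CN=Example Trusted Vendor"}      # prestored trusted-signature list
MALICIOUS_SOURCES = {"malicious_url", "phishing_site"}  # process-source labels


@dataclass
class Process:
    pid: int
    name: str
    parent: Optional["Process"] = None
    signature: Optional[str] = None   # None models a process that carries no signature
    source: str = "system"
    is_malicious: bool = False
    children: List["Process"] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)


def hooked_traversal(real_entries: List[str]) -> List[str]:
    """Models the hook on the traversal (file-header lookup) function: the trap
    file's entry is inserted before the real entries, so a process that walks
    the listing in order meets the trap file first."""
    return [TRAP_NAME] + list(real_entries)


def signature_trusted(proc: Process) -> bool:
    """Trusted only if a signature exists and matches the prestored list."""
    return proc.signature is not None and proc.signature in TRUSTED_SIGNATURES


def attribute_reasons(proc: Process) -> List[str]:
    """The three optional attribute checks of step 304; each hit is one reason."""
    reasons = []
    if proc.parent is not None and proc.parent.is_malicious:
        reasons.append("parent process is malicious")
    if proc.source in MALICIOUS_SOURCES:
        reasons.append("process source %r is malicious" % proc.source)
    if not signature_trusted(proc):
        reasons.append("process signature absent or untrusted")
    return reasons


def process_chain(proc: Process) -> List[Process]:
    """The process and every descendant spawned from it (parent -> child -> child)."""
    chain, stack = [], [proc]
    while stack:
        p = stack.pop()
        chain.append(p)
        stack.extend(p.children)
    return chain


def judge(proc: Process, op: str, path: str,
          use_attributes: bool = True) -> Optional[List[str]]:
    """Returns the reasons for a malicious verdict, or None when the operation is
    not a preset operation on the trap file, or when the attribute checks clear
    the process (use_attributes=False gives the embodiment-one verdict, which
    relies on the trap operation alone)."""
    if os.path.basename(path) != TRAP_NAME or op not in PRESET_OPERATIONS:
        return None
    reasons = attribute_reasons(proc)
    if use_attributes and not reasons:
        return None
    return ["preset operation on trap file"] + reasons


class FileMonitor:
    """Watches file operations, blocks the malicious ones and records which
    process ids were handed to the scan-and-kill step (step 305)."""

    def __init__(self) -> None:
        self.verdicts: Dict[int, List[str]] = {}
        self.killed: List[int] = []

    def on_file_operation(self, proc: Process, op: str, path: str) -> bool:
        """True when the operation was intercepted (blocked)."""
        reasons = judge(proc, op, path)
        if reasons is None:
            return False
        proc.is_malicious = True
        self.verdicts[proc.pid] = reasons
        for p in process_chain(proc):          # kill the process and its chain
            if p.pid not in self.killed:
                self.killed.append(p.pid)
        return True


def demo() -> FileMonitor:
    """Constructed scenario: a signed backup tool and an unsigned dropper from a
    phishing site both walk the same directory; only the dropper is stopped."""
    monitor = FileMonitor()
    backup = Process(100, "backup.exe", signature="CN=Example Trusted Vendor")
    dropper = Process(200, "dropper.exe", source="phishing_site")
    Process(201, "worker.exe", parent=dropper, source="phishing_site")
    listing = hooked_traversal(["report.docx", "photo.jpg"])   # trap entry comes first
    for entry in listing:                       # reading is not a preset operation
        monitor.on_file_operation(backup, "read", os.path.join("docs", entry))
    monitor.on_file_operation(backup, "write", os.path.join("docs", listing[0]))   # trusted: cleared
    monitor.on_file_operation(dropper, "write", os.path.join("docs", listing[0]))  # trap hit: blocked
    return monitor
```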
Embodiment four
Referring to Fig. 4, a structural diagram of a file safety protection device according to embodiment four of the present invention is shown.
The file safety protection device of this embodiment of the present invention may include: a request interception module 401, configured to intercept a process's traversal request for files; a result return module 402, configured to carry the information of a trap file in the result corresponding to the traversal request; and a process detection module 403, configured to determine the process to be a malicious process if the process is monitored performing a preset operation on the trap file.
In summary, the file safety protection device provided by the embodiment of the present invention addresses the situation that a malicious process typically performs malicious operations on files in bulk: it intercepts the process's traversal request for files and carries the information of a trap file in the result corresponding to the traversal request. If the process is a malicious process, it is bound to trigger the preset operation on the trap file; the embodiment of the present invention therefore determines whether the process is a malicious process by judging whether it triggers the preset operation on the trap file, which can improve the accuracy and objectivity of the safety detection result for the process.
Embodiment five
Referring to Fig. 5, a structural diagram of a file safety protection device according to embodiment five of the present invention is shown.
The file safety protection device of this embodiment of the present invention is a further optimisation of the device in embodiment four. The optimised file safety protection device may include: a request interception module 501, configured to intercept a process's traversal request for files; a result return module 502, configured to carry the information of a trap file in the result corresponding to the traversal request; and a process detection module 503, configured to determine the process to be a malicious process if the process is monitored performing a preset operation on the trap file.
Optionally, the request interception module 501 is specifically configured to: hook the function providing the file-traversal function with a hook function, and intercept the process's call request for the file-traversal function.
Optionally, the file-traversal function includes a file-header lookup function, and the hook function hooks the file-header lookup function.
Optionally, the result return module 502 is specifically configured to: insert, through the hook function, the information of the trap file before the file-header information returned by the file-header lookup function.
Optionally, the file safety protection device of this embodiment of the present invention may further include: a creation module 504, configured to create a trap file in a disk directory, where the trap file is a hidden file.
Optionally, the process detection module 503 may include: a first determination sub-module, configured to determine the process to be a malicious process if the process is monitored performing the preset operation on the trap file and the parent process of the process is a malicious process.
Optionally, the process detection module 503 may include: a second determination sub-module, configured to determine the process to be a malicious process if the process is monitored performing the preset operation on the trap file and the process source of the process is malicious.
Optionally, the process detection module 503 may include: a third determination sub-module, configured to determine the process to be a malicious process if the process is monitored performing the preset operation on the trap file and the process signature of the process is untrusted.
Optionally, the file safety protection device of this embodiment of the present invention may further include: a behaviour interception module 505, configured to intercept the behaviour of the process when the process is a malicious process; or a scan-and-kill module 506, configured, when the process is a malicious process, to intercept the behaviour of the process and to scan and kill the process and/or the process chain associated with the process.
The file safety protection device of this embodiment is used to implement the corresponding security detection methods of the preceding embodiments one to three, and has the beneficial effects of the corresponding method embodiments, which are not repeated here.
Embodiment six
Referring to Fig. 6, a structural block diagram of a device for file safety protection according to embodiment six of the present invention is shown.
The device for file safety protection of this embodiment of the present invention may include: one or more processors; and one or more machine-readable media having instructions stored thereon which, when executed by the one or more processors, cause the device to perform one or more of the file safety protection methods described in embodiments one to three.
Fig. 6 is a block diagram of a device for file safety protection according to an exemplary embodiment. In practice, the device may be located on the server side or on the terminal-device side.
Referring to Fig. 6, the device may include one or more of the following components: a processing component 602, a memory 604, a power supply component 606, a multimedia component 608, an audio component 610, an input/output (I/O) interface 612, a sensor component 614, and a communication component 616.
The processing component 602 generally controls the overall operation of the device, such as operations associated with display, data communication, camera operation and recording. The processing component 602 may include one or more processors 620 to execute instructions so as to complete all or part of the steps of the above method. In addition, the processing component 602 may include one or more modules that facilitate interaction between the processing component 602 and the other components. For example, the processing component 602 may include a multimedia module to facilitate interaction between the multimedia component 608 and the processing component 602.
The memory 604 is configured to store various types of data to support operation of the device. Examples of such data include instructions for any application program or method operated on the device, contact data, phonebook data, messages, pictures, video and so on. The memory 604 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disc.
The power supply component 606 provides power for the various components of the terminal device. The power supply component 606 may include a power management system, one or more power supplies, and other components associated with generating, managing and distributing power for the terminal device 600.
The multimedia component 608 includes a screen providing an output interface between the terminal device and the user. In some embodiments, the screen may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from the user. The touch panel includes one or more touch sensors to sense touches, swipes and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or swipe action, but also detect the duration and pressure associated with the touch or swipe. In some embodiments, the multimedia component 608 includes a front camera and/or a rear camera. When the terminal device is in an operating mode, such as a photographing mode or a video mode, the front camera and/or the rear camera can receive external multimedia data. Each front camera and rear camera may be a fixed optical lens system or have focusing and optical zoom capabilities.
The audio component 610 is configured to output and/or input audio signals. For example, the audio component 610 includes a microphone (MIC); when the terminal device is in an operating mode, such as a call mode, a recording mode or a speech recognition mode, the microphone is configured to receive external audio signals. The received audio signal may be further stored in the memory 604 or sent via the communication component 616. In some embodiments, the audio component 810 further includes a loudspeaker for outputting audio signals.
The I/O interface 612 provides an interface between the processing component 602 and peripheral interface modules, which may be a keyboard, a click wheel, buttons and so on. These buttons may include, but are not limited to, a home button, a volume button, a start button and a lock button.
The sensor component 614 includes one or more sensors for providing state assessments of various aspects of the terminal device 600. For example, the sensor component 614 can detect the open/closed state of the device 600 and the relative positioning of components (for example, the display and the keypad of the device); the sensor component 614 can also detect a change in the position of the device or of a component of the device, the presence or absence of user contact with the device, the orientation or acceleration/deceleration of the terminal device, and a change in the temperature of the terminal device. The sensor component 614 may include a proximity sensor configured to detect the presence of nearby objects without any physical contact. The sensor component 614 may also include an optical sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor component 614 may also include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor or a temperature sensor.
The communication component 616 is configured to facilitate wired or wireless communication between the device and other devices. The device can access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In one exemplary embodiment, the communication component 616 receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component 616 further includes a near-field communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and other technologies.
In an exemplary embodiment, the terminal device may be implemented by one or more application-specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field-programmable gate arrays (FPGAs), controllers, microcontrollers, microprocessors or other electronic components, for performing the above method.
In an exemplary embodiment, a machine-readable storage medium including instructions is also provided, such as the memory 604 including instructions, which can be executed by the one or more processors 620 of the device to complete the above method. For example, the machine-readable storage medium may be a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device and the like.
Each embodiment in this specification is described in a progressive manner; each embodiment emphasises its differences from the other embodiments, and identical or similar parts of the embodiments may be referred to one another. As the system embodiments are substantially similar to the method embodiments, their description is relatively simple, and the relevant parts may refer to the description of the method embodiments.
The file safety protection method, device and equipment provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teaching herein. From the above description, the structure required to construct a system embodying the present invention is obvious. Moreover, the present invention is not directed to any particular programming language. It is understood that various programming languages may be used to implement the content of the invention described herein, and the description given above of a particular language is for disclosing the best mode of carrying out the present invention.
Numerous specific details are set forth in the specification provided here. It will be appreciated, however, that embodiments of the present invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be appreciated that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments of the present invention. This method of disclosure, however, is not to be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may moreover be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include certain features included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the present invention and form different embodiments. For example, in the claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the file safety protection method, device and equipment according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the methods described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words may be interpreted as names.
The invention discloses A1, a file safety protection method, including:
intercepting a process's traversal request for files;
carrying the information of a trap file in the result corresponding to the traversal request;
if the process is monitored performing a preset operation on the trap file, determining the process to be a malicious process.
A2, the method according to A1, wherein intercepting the process's traversal request for files includes:
hooking the function providing the file-traversal function with a hook function, and intercepting the process's call request for the file-traversal function.
A3, the method according to A2, characterised in that the file-traversal function includes a file-header lookup function, and the hook function hooks the file-header lookup function.
A4, the method according to claim 3, wherein carrying the information of the trap file in the result corresponding to the traversal request includes:
inserting, through the hook function, the information of the trap file before the file-header information returned by the file-header lookup function.
A5, the method according to any one of A2 to A4, wherein the method further includes:
creating a trap file in a disk directory, where the trap file is a hidden file.
A6, the method according to A1, wherein determining the process to be a malicious process if the process is monitored performing the preset operation on the trap file includes:
if the process is monitored performing the preset operation on the trap file and the parent process of the process is a malicious process, determining the process to be a malicious process.
A7, the method according to A1, wherein determining the process to be a malicious process if the process is monitored performing the preset operation on the trap file includes:
if the process is monitored performing the preset operation on the trap file and the process source of the process is malicious, determining the process to be a malicious process.
A8, the method according to A1, wherein determining the process to be a malicious process if the process is monitored performing the preset operation on the trap file includes:
if the process is monitored performing the preset operation on the trap file and the process signature of the process is untrusted, determining the process to be a malicious process.
A9, the method according to A1 or A2 or A3 or A4 or A6 or A7 or A8, wherein the method further includes:
when the process is a malicious process, intercepting the behaviour of the process; or
when the process is a malicious process, intercepting the behaviour of the process, and scanning and killing the process and/or the process chain associated with the process.
The invention discloses B10, a file safety protection device, including:
a request interception module, configured to intercept a process's traversal request for files;
a result return module, configured to carry the information of a trap file in the result corresponding to the traversal request;
a process detection module, configured to determine the process to be a malicious process if the process is monitored performing a preset operation on the trap file.
B11, the device according to B10, wherein the request interception module is specifically configured to:
hook the function providing the file-traversal function with a hook function, and intercept the process's call request for the file-traversal function.
B12, the device according to B11, wherein the file-traversal function includes a file-header lookup function, and the hook function hooks the file-header lookup function.
B13, the device according to B12, wherein the result return module is specifically configured to:
insert, through the hook function, the information of the trap file before the file-header information returned by the file-header lookup function.
B14, the device according to any one of B11 to B13, wherein the device further includes:
a creation module, configured to create a trap file in a disk directory, where the trap file is a hidden file.
B15, the device according to B10, wherein the process detection module includes:
a first determination sub-module, configured to determine the process to be a malicious process if the process is monitored performing the preset operation on the trap file and the parent process of the process is a malicious process.
B16, the device according to B10, wherein the process detection module includes:
a second determination sub-module, configured to determine the process to be a malicious process if the process is monitored performing the preset operation on the trap file and the process source of the process is malicious.
B17, the device according to B10, wherein the process detection module includes:
a third determination sub-module, configured to determine the process to be a malicious process if the process is monitored performing the preset operation on the trap file and the process signature of the process is untrusted.
B18, the device according to B10 or B11 or B12 or B13 or B15 or B16 or B17, wherein the device further includes:
a behaviour interception module, configured to intercept the behaviour of the process when the process is a malicious process; or
a scan-and-kill module, configured, when the process is a malicious process, to intercept the behaviour of the process and to scan and kill the process and/or the process chain associated with the process.
The invention discloses C19, a device for file safety protection, including:
one or more processors; and one or more machine-readable media having instructions stored thereon which, when executed by the one or more processors, cause the device to perform one or more of the methods according to A1 to A9.
The invention also discloses D20, one or more machine-readable media having instructions stored thereon which, when executed by one or more processors, cause a device to perform one or more of the methods according to A1 to A9.

Claims (10)

1. A file safety protection method, including:
intercepting a process's traversal request for files;
carrying the information of a trap file in the result corresponding to the traversal request;
if the process is monitored performing a preset operation on the trap file, determining the process to be a malicious process.
2. The method according to claim 1, characterised in that intercepting the process's traversal request for files includes:
hooking the function providing the file-traversal function with a hook function, and intercepting the process's call request for the file-traversal function.
3. The method according to claim 2, characterised in that the file-traversal function includes a file-header lookup function, and the hook function hooks the file-header lookup function.
4. The method according to claim 3, characterised in that carrying the information of the trap file in the result corresponding to the traversal request includes:
inserting, through the hook function, the information of the trap file before the file-header information returned by the file-header lookup function.
5. The method according to any one of claims 2 to 4, characterised in that the method further includes:
creating a trap file in a disk directory, where the trap file is a hidden file.
6. The method according to claim 1, characterised in that determining the process to be a malicious process if the process is monitored performing the preset operation on the trap file includes:
if the process is monitored performing the preset operation on the trap file and the parent process of the process is a malicious process, determining the process to be a malicious process.
7. The method according to claim 1, characterised in that determining the process to be a malicious process if the process is monitored performing the preset operation on the trap file includes:
if the process is monitored performing the preset operation on the trap file and the process source of the process is malicious, determining the process to be a malicious process.
8. A file safety protection device, including:
a request interception module, configured to intercept a process's traversal request for files;
a result return module, configured to carry the information of a trap file in the result corresponding to the traversal request;
a process detection module, configured to determine the process to be a malicious process if the process is monitored performing a preset operation on the trap file.
9. A device for file safety protection, characterised in that it includes:
one or more processors; and one or more machine-readable media having instructions stored thereon which, when executed by the one or more processors, cause the device to perform the method according to one or more of claims 1 to 7.
10. One or more machine-readable media having instructions stored thereon which, when executed by one or more processors, cause a device to perform the method according to one or more of claims 1 to 7.
CN201710419661.1A 2017-06-06 2017-06-06 File safety protection method, device and equipment Pending CN107330322A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710419661.1A CN107330322A (en) 2017-06-06 2017-06-06 File safety protection method, device and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710419661.1A CN107330322A (en) 2017-06-06 2017-06-06 File safety protection method, device and equipment

Publications (1)

Publication Number Publication Date
CN107330322A true CN107330322A (en) 2017-11-07

Family

ID=60194293

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710419661.1A Pending CN107330322A (en) 2017-06-06 2017-06-06 File safety protection method, device and equipment

Country Status (1)

Country Link
CN (1) CN107330322A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110647744A (en) * 2018-06-27 2020-01-03 国际商业机器公司 Identifying and extracting key hazard forensic indicators using object-specific file system views
CN110717180A (en) * 2018-07-13 2020-01-21 北京安天网络安全技术有限公司 Malicious document detection method and system based on self-positioning behaviors and storage medium
CN112527302A (en) * 2019-09-19 2021-03-19 北京字节跳动网络技术有限公司 Error detection method and device, terminal and storage medium
WO2022032950A1 (en) * 2020-08-10 2022-02-17 华为技术有限公司 Defense method, defense apparatus and defense system for malicious software
CN114077735A (en) * 2020-08-10 2022-02-22 华为技术有限公司 Malicious software defense method, device and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106096397A (en) * 2016-05-26 2016-11-09 倪茂志 A kind of prevention method extorting software and system
WO2017053745A1 (en) * 2015-09-23 2017-03-30 University Of Florida Research Foundation, Incorporated Malware detection via data transformation monitoring
CN106611123A (en) * 2016-12-02 2017-05-03 哈尔滨安天科技股份有限公司 Method and system for detecting 'Harm. Extortioner. a' virus

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017053745A1 (en) * 2015-09-23 2017-03-30 University Of Florida Research Foundation, Incorporated Malware detection via data transformation monitoring
CN106096397A (en) * 2016-05-26 2016-11-09 倪茂志 A kind of prevention method extorting software and system
CN106611123A (en) * 2016-12-02 2017-05-03 哈尔滨安天科技股份有限公司 Method and system for detecting 'Harm. Extortioner. a' virus

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110647744A (en) * 2018-06-27 2020-01-03 International Business Machines Corporation Identifying and extracting key forensic indicators of compromise using subject-specific file system views
US11775638B2 (en) 2018-06-27 2023-10-03 International Business Machines Corporation Identification and extraction of key forensics indicators of compromise using subject-specific filesystem views
CN110717180A (en) * 2018-07-13 2020-01-21 Beijing Antiy Network Security Technology Co., Ltd. Malicious document detection method and system based on self-locating behaviour, and storage medium
CN112527302A (en) * 2019-09-19 2021-03-19 Beijing ByteDance Network Technology Co., Ltd. Error detection method and device, terminal and storage medium
CN112527302B (en) * 2019-09-19 2024-03-01 Beijing ByteDance Network Technology Co., Ltd. Error detection method and device, terminal and storage medium
WO2022032950A1 (en) * 2020-08-10 2022-02-17 Huawei Technologies Co., Ltd. Defense method, defense apparatus and defense system for malicious software
CN114077735A (en) * 2020-08-10 2022-02-22 Huawei Technologies Co., Ltd. Malicious software defense method, device and system

Similar Documents

Publication Publication Date Title
US12052272B2 (en) Forensic analysis of computing activity
US11741222B2 (en) Sandbox environment for document preview and analysis
US11494490B2 (en) Endpoint detection and response utilizing machine learning
US11637851B2 (en) Cyber security posture validation platform
US20230032874A1 (en) Realtime event detection
CN107330322A (en) File safety protection method, device and equipment
US20200242239A1 (en) Mitigation of return-oriented programming attacks
KR101373986B1 (en) Method and apparatus to vet an executable program using a model
US10476894B2 (en) Evaluating installers and installer payloads
WO2018130904A1 (en) Early runtime detection and prevention of ransomware
CN105793862A (en) Directed execution of dynamic programs in isolated environments
CN108932428B (en) Ransomware processing method, device, equipment and readable storage medium
US20230118204A1 (en) Tracking malicious software movement with an event graph
CN105095758B (en) Screen-locking application processing method, device and mobile terminal
EP3497917A1 (en) Detection of bulk operations associated with remotely stored content
Wu et al. Overprivileged permission detection for android applications
CN106203125A (en) Operating system and safety detection method, safety detection device and terminal
CN109376529A (en) Application program operation method and device
CN107292173A (en) File safety protection method, device and equipment
CN107169359A (en) File protection method and device implemented with trigger files, and electronic device
Mahan Exploring ransomware on the oculus quest 2
Ahmad et al. A Review on Methods for Managing the Risk of Android Ransomware
KR20190109619A (en) Permission management process and permission management apparatus
van Rijn An In-depth Analysis of the AZORult Infostealer Malware Capabilities
Faruki Techniques For Analysis And Detection Of Android Malware...

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2017-11-07