CN108446553B - Process protection method and device and electronic equipment - Google Patents

Info

Publication number
CN108446553B
Authority
CN
China
Prior art keywords
application program
information
function
application
determining
Prior art date
Legal status
Active
Application number
CN201810242265.0A
Other languages
Chinese (zh)
Other versions
CN108446553A (en)
Inventor
杨峰
Current Assignee
Beijing Kingsoft Internet Security Software Co Ltd
Original Assignee
Beijing Kingsoft Internet Security Software Co Ltd
Priority date
Filing date
Publication date

Classifications

    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                        • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
                        • G06F21/55 Detecting local intrusion or implementing counter-measures
                            • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
                                • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
                • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
                        • G06F2221/033 Test or assess software

Abstract

An embodiment of the invention provides a process protection method, a process protection apparatus and an electronic device. The method comprises the following steps: a first application program acquires a closing instruction, sent by a second application program, for closing a third application program, the closing instruction carrying the identification information of the second application program and the information of the process to be closed corresponding to the third application program; determining, based on the information of the process to be closed, whether the process of the third application program is a process that needs protection; when it is, determining target process information corresponding to the second application program based on the identification information of the second application program; determining, based on the target process information, whether the process of the second application program is a process that needs to be intercepted; and when it is, controlling the corresponding driver to discard the closing instruction based on a process ending function, hooked in advance, that is called by the NtTerminateProcess function. The process is thereby protected and the security of the electronic device is improved.

Description

Process protection method and device and electronic equipment
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a process protection method and apparatus, and an electronic device.
Background
In recent years, with the spread of electronic devices, a great variety of application programs has appeared, and the security of electronic devices receives more and more attention.
At present, some malicious applications may close the process of a security application in the electronic device by calling a process termination function of the system kernel, so that the security application can no longer protect the electronic device. A malicious application program may be an application program that carries a virus, worm, trojan horse or the like and executes malicious tasks on the electronic device's system; such a malicious application program may also be referred to as a terminating application program.
Therefore, the process of a security application program in an electronic device may be closed by a malicious application program, which poses a certain security risk to the electronic device.
Disclosure of Invention
The embodiment of the invention aims to provide a process protection method, a process protection apparatus and an electronic device, so as to protect a process and improve the security of the electronic device. The specific technical scheme is as follows:
In one aspect, an embodiment of the present invention provides a process protection method, applied to a first application program, which includes:
acquiring a closing instruction, sent by a second application program, for closing a third application program, wherein the closing instruction carries the identification information of the second application program and the process information corresponding to the third application program, the latter being the information of the process to be closed;
determining, based on the information of the process to be closed, whether the process of the third application program is a process that needs protection;
when the process of the third application program is determined to be a process that needs protection, determining the process information corresponding to the second application program as target process information based on the identification information of the second application program;
determining, based on the target process information, whether the process of the second application program is a process that needs to be intercepted;
when the process of the second application program is determined to be a process that needs to be intercepted, controlling a driver corresponding to the first application program to discard the closing instruction based on a process ending function hooked in advance, wherein the process ending function is a function called by the NtTerminateProcess function.
Optionally, the process ending function is the PspTerminateProcess function;
the step of acquiring the closing instruction, sent by the second application program, for closing the third application program includes:
acquiring, based on a hook function that hooks the PspTerminateProcess function in advance, the closing instruction that the second application program sends by calling the PspTerminateProcess function in order to close the third application program.
Optionally, the method further comprises:
when the process of the third application program is determined not to be a process that needs protection, or when the process of the third application program is determined to be a process that needs protection but the process of the second application program is determined not to be a process that needs to be intercepted, controlling the driver corresponding to the first application program to call the process ending function to close the process of the third application program.
Optionally, the process ending function is the PspTerminateProcess function;
before the step of acquiring the closing instruction, sent by the second application program, for closing the third application program, the method further includes:
the driver corresponding to the first application program acquires the kernel address of the NtTerminateProcess function as a first kernel address;
the driver corresponding to the first application program determines the kernel address of the PspTerminateProcess function as a second kernel address based on the acquired first kernel address and a preset calling characteristic;
and the driver corresponding to the first application program hooks the PspTerminateProcess function with a hook function based on the second kernel address.
Optionally, the step of determining whether the process of the third application is a process that needs to be protected based on the information about the process to be closed includes:
matching the information of the process to be closed with each piece of preset protection process information in a pre-stored first feature library, wherein when the preset protection process information matched with the information of the process to be closed exists in the first feature library, determining the process of the third application program as a process to be protected; and when the first feature library does not have preset protection process information matched with the process information to be closed, determining that the process of the third application program is not a process needing protection.
Optionally, the step of determining whether the process of the second application is a process that needs to be intercepted based on the target process information includes:
matching the target process information with each preset interception process information in a pre-stored second feature library, wherein when the preset interception process information matched with the target process information exists in the second feature library, determining the process of the second application program as a process to be intercepted; and when the second feature library does not have preset interception process information matched with the target process information, determining that the process of the second application program is not the process to be intercepted.
Optionally, after the step of discarding the closing instruction, the method further comprises:
outputting prompt information to prompt the user that the closing instruction has been discarded.
In another aspect, an embodiment of the present invention provides a process protection apparatus, applied to a first application, where the apparatus includes:
an obtaining module, configured to obtain a closing instruction, sent by a second application program, for closing a third application program, where the closing instruction carries the identification information of the second application program and the process information corresponding to the third application program, the latter being the information of the process to be closed;
a first determining module, configured to determine, based on the information about the process to be closed, whether the process of the third application is a process that needs to be protected;
a second determining module, configured to determine, when it is determined that the process of the third application is a process that needs to be protected, process information corresponding to the second application as target process information based on the identification information of the second application;
a third determining module, configured to determine, based on the target process information, whether the process of the second application is a process that needs to be intercepted;
a discarding module, configured to, when it is determined that the process of the second application is a process to be intercepted, control a driver corresponding to the first application to discard the closing instruction based on a process ending function hooked in advance, where the process ending function is a function called by the NtTerminateProcess function.
Optionally, the process ending function is the PspTerminateProcess function;
the obtaining module is specifically configured to acquire, based on a hook function that hooks the PspTerminateProcess function in advance, the closing instruction that the second application program sends by calling the PspTerminateProcess function in order to close the third application program.
Optionally, the apparatus further comprises a calling module;
the calling module is configured to control the driver corresponding to the first application to call the process ending function to close the process of the third application when it is determined that the process of the third application is not a process to be protected, or when it is determined that the process of the third application is a process to be protected but the process of the second application is not a process to be intercepted.
Optionally, the process ending function is the PspTerminateProcess function;
the driver corresponding to the first application program obtains the kernel address of the NtTerminateProcess function as a first kernel address before the first application program obtains the closing instruction, sent by the second application program, for closing the third application program;
determines the kernel address of the PspTerminateProcess function as a second kernel address based on the obtained first kernel address and a preset calling characteristic;
and hooks the PspTerminateProcess function with a hook function based on the second kernel address.
Optionally, the first determining module is specifically configured to match the information of the process to be closed with each piece of preset protection process information in a pre-stored first feature library, and, when preset protection process information matching the information of the process to be closed exists in the first feature library, determine the process of the third application program to be a process that needs protection; and when no preset protection process information matching the information of the process to be closed exists in the first feature library, determine that the process of the third application program is not a process that needs protection.
Optionally, the third determining module is specifically configured to match the target process information with each piece of preset interception process information in a pre-stored second feature library, and, when preset interception process information matching the target process information exists in the second feature library, determine the process of the second application program to be a process that needs to be intercepted; and when no preset interception process information matching the target process information exists in the second feature library, determine that the process of the second application program is not a process that needs to be intercepted.
Optionally, the apparatus further comprises an output module;
the output module is configured to output prompt information after the closing instruction is discarded, so as to prompt a user that the closing instruction has been discarded.
In another aspect, an embodiment of the present invention provides an electronic device comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another through the communication bus;
the memory is used for storing a first application program;
the processor is configured to implement any of the above method steps for process protection provided in the embodiment of the present invention when executing the first application stored in the memory.
In another aspect, an embodiment of the present invention provides a computer-readable storage medium, where a first application program is stored in the computer-readable storage medium, and the first application program, when executed by a processor, implements any of the above method steps for protecting a process provided in an embodiment of the present invention.
In the embodiment of the present invention, a first application program obtains a closing instruction, sent by a second application program, for closing a third application program, where the closing instruction carries the identification information of the second application program and the process information corresponding to the third application program, the latter being the information of the process to be closed; determines, based on the information of the process to be closed, whether the process of the third application program is a process that needs protection; when the process of the third application program is determined to be a process that needs protection, determines the process information corresponding to the second application program as target process information based on the identification information of the second application program; determines, based on the target process information, whether the process of the second application program is a process that needs to be intercepted; and when the process of the second application program is determined to be a process that needs to be intercepted, controls a driver corresponding to the first application program to discard the closing instruction based on a pre-hooked process ending function, wherein the process ending function is a function called by the NtTerminateProcess function.
In the embodiment of the present invention, the first application program may obtain the close instruction sent by the second application program for closing the third application program. When, based on the information carried by the close instruction, the process of the third application program is determined to be a process that needs protection and the process of the second application program is determined to be a process that needs to be intercepted, the driver corresponding to the first application program is controlled to discard the close instruction based on the pre-hooked process ending function called by the NtTerminateProcess function. This prevents the protected process from being closed by the intercepted application program, thereby protecting the process and improving the security of the electronic device to a certain extent. Of course, it is not necessary for any product or method of practicing the invention to achieve all of the above-described advantages at the same time.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart illustrating a process protection method according to an embodiment of the present invention;
Fig. 2 is another schematic flow chart of a process protection method according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a process protection apparatus according to an embodiment of the present invention;
Fig. 4 is another schematic structural diagram of a process protection apparatus according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the invention provides a process protection method and device and electronic equipment, which are used for protecting a process and improving the safety of the electronic equipment.
It can be understood that the method for process protection provided by the embodiment of the present invention can be applied to a first application program, where the first application program can be installed in any electronic device, and the electronic device can be a computer, a smart phone, and the like. In one case, the functional software for implementing the process protection method may be a special client software, or may be a plug-in of other security application software, that is, the first application program may exist in the form of a special client software, or may exist in the form of a plug-in of a security application software.
As shown in fig. 1, an embodiment of the present invention provides a method for protecting a process, which may include the steps of:
S101: acquiring a closing instruction, sent by a second application program, for closing a third application program, wherein the closing instruction carries the identification information of the second application program and the process information corresponding to the third application program, the latter being the information of the process to be closed;
The first application program may be installed in any electronic device and may acquire, in a specific manner, the closing instruction sent by the second application program for closing the third application program. In one implementation, the first application program monitors the second application program in real time and intercepts the close instruction when the second application program sends it. In another implementation, the first application program hooks a preset function in advance through a hook function via a driver; when an application (here, the second application program) calls the preset function to generate a close instruction for closing another application (here, the third application program), the hook function that hooks the preset function intercepts the close instruction before it is executed, and the first application program acquires the intercepted close instruction. In this embodiment of the present invention, closing the third application program may refer to closing the process of the third application program.
The second application program may be any application program that is installed in the same electronic device as the first application program and is capable of sending a closing instruction for closing other application programs. The third application program may be any application program other than the second application program itself that is installed on and/or controlled by the electronic device. In one case, the third application program may or may not be the first application program. When it is not the first application program, the third application program may be an application program installed in the same electronic device as the first and second application programs.
The identification information of the second application program is information that uniquely identifies the second application program, such as its program name and serial number. The process information corresponding to the third application program, that is, the information of the process to be closed, is information that uniquely identifies the process of the third application program, such as its process identifier, process name and process path.
S102: determining whether the process of the third application program is a process needing protection or not based on the information of the process to be closed;
In one case, process information corresponding to preset processes that need protection is stored in advance in the local electronic device or in an external storage device connected to it. When the first application program obtains the information of the process to be closed, it matches the obtained information one by one against the process information corresponding to the preset protected processes. When the obtained information matches the process information of any preset protected process, that is, process information identical to the obtained information exists among the preset protected processes, the process of the third application program is determined to be a process that needs protection and the subsequent process protection flow is executed; when the obtained information fails to match the process information of all preset protected processes, that is, no identical process information exists, the process of the third application program is determined not to be a process that needs protection.
In another case, after the first application program obtains the information of the process to be closed, a check value corresponding to the process of the third application program may be calculated based on the information of the process to be closed, and the check value is used as a first check value, and whether the process of the third application program is the process to be protected is determined based on the first check value. The process of determining whether the process of the third application is the process to be protected based on the first check value may be: judging whether the first check value is within a first preset range, and if so, determining that the process of the third application program is a process to be protected; otherwise, it is determined that the process of the third application is not the process that needs protection.
Or, the process of determining whether the process of the third application is the process to be protected based on the first check value may be: matching the first check value with a pre-stored check value corresponding to the process to be protected; when the first check value is the same as a pre-stored check value corresponding to any process needing protection, namely the matching is successful, determining the process of the third application program as the process needing protection; and when the first check value is different from the pre-stored check values corresponding to all processes needing to be protected, namely the matching fails, determining that the process of the third application program is not the process needing to be protected.
S103: when the process of the third application program is determined to be the process needing to be protected, determining process information corresponding to the second application program as target process information based on the identification information of the second application program;
In this step, each application program runs a corresponding process in the system of the electronic device; the application program is identified by its identification information and the process by its process information.
S104: determining whether the process of the second application program is a process needing to be intercepted or not based on the target process information;
in one case, the process information corresponding to the preset process to be intercepted is stored in advance in the local electronic device or an external storage device connected to the electronic device, and after the first application program obtains the target process information, the obtained target process information and the process information corresponding to the preset process to be intercepted can be matched one by one; when the obtained target process information is successfully matched with the process information corresponding to any preset process to be intercepted, namely the process information which is the same as the obtained target process information exists in the process information corresponding to the preset process to be intercepted, determining the process of the second application program as the process to be intercepted, and executing a subsequent process protection flow; and when the obtained target process information fails to be matched with the process information corresponding to all the preset processes needing to be intercepted, namely the process information which is the same as the obtained target process information does not exist in the process information corresponding to the preset processes needing to be intercepted, determining that the process of the second application program is not the process needing to be intercepted.
In another case, after the first application obtains the target process information, a check value corresponding to the process of the second application may be calculated based on the target process information, and as a second check value, it may be determined whether the process of the second application is a process to be intercepted based on the second check value. The process of determining whether the process of the second application is the process to be intercepted based on the second check value may be: judging whether the second check value is within a second preset range, and if so, determining the process of the second application program as the process to be intercepted; otherwise, determining that the process of the second application program is not the process needing to be intercepted.
Or, the process of determining whether the process of the second application is the process to be intercepted based on the second check value may be: matching the second check value with a pre-stored check value corresponding to the process to be intercepted; when the second check value is the same as a pre-stored check value corresponding to any process needing to be intercepted, namely the matching is successful, determining the process of the second application program as the process needing to be intercepted; and when the second check value is different from the pre-stored check values corresponding to all processes needing to be intercepted, namely the matching fails, determining that the process of the second application program is not the process needing to be intercepted.
In one case, the process to be intercepted may be a process of a malicious application, that is, a process of an application carrying a virus, a worm, a trojan horse, and the like, which execute a malicious task on the electronic device system.
S105: when the process of the second application program is determined to be a process to be intercepted, controlling the driver corresponding to the first application program to discard the closing instruction based on a process ending function hooked in advance, where the process ending function is a function called by the NtTerminateProcess function.
In this embodiment of the present invention, when the process of the third application is determined to be a process to be protected and the process of the second application is determined to be a process to be intercepted, this indicates that the operation of closing the process of the third application should not be executed. At this time, the first application may control its corresponding driver to discard the closing instruction based on a process ending function hooked in advance, where the process ending function is a function called by the NtTerminateProcess function, that is, a function of the system kernel of the electronic device that lies one layer below the NtTerminateProcess function.
In the embodiment of the present invention, the first application program may obtain a closing instruction sent by the second application program for closing the third application program. When, based on the information carried by the closing instruction, the process of the third application program is determined to be a process to be protected and the process of the second application program is determined to be a process to be intercepted, the driver corresponding to the first application program is controlled to discard the closing instruction based on a pre-hooked process ending function, namely a function called by the NtTerminateProcess function, so as to prevent the process to be protected from being closed by the intercepted application program. The process to be protected is thereby protected, and the security of the electronic device is improved to a certain extent.
In one implementation, when the second application sends a closing instruction to close the process of the third application by calling a process ending function, the first application may intercept the closing instruction through a hook function hooked onto that process ending function in advance. In one case, the process ending function may be the PspTerminateProcess function. Specifically, the step of intercepting the closing instruction sent by the second application program to close the third application program may include:
intercepting, based on a hook function hooking the PspTerminateProcess function in advance, the closing instruction that the second application program sends to close the third application program by calling the PspTerminateProcess function.
In one case, the sending, by the second application, a close instruction for closing the third application by calling the PspTerminateProcess function may be: and the second application program sends a closing instruction for closing the third application program by calling a PspTerminateProcess function based on the driver program corresponding to the second application program.
In one implementation, as shown in fig. 2, the method may include the steps of:
S201: acquiring a closing instruction sent by a second application program for closing a third application program, where the closing instruction carries the identification information of the second application program and the process information corresponding to the third application program, the latter serving as the information of the process to be closed;
S202: determining, based on the information of the process to be closed, whether the process of the third application program is a process to be protected; executing S203 when it is, and executing S206 when it is not;
S203: determining, based on the identification information of the second application program, the process information corresponding to the second application program as target process information;
S204: determining, based on the target process information, whether the process of the second application program is a process to be intercepted; executing S205 when it is, and executing S206 when it is not;
S205: controlling the driver corresponding to the first application program to discard the closing instruction based on a process ending function hooked in advance, where the process ending function is a function called by the NtTerminateProcess function;
S206: controlling the driver corresponding to the first application program to call the process ending function to close the process of the third application program.
Here, S201 is the same as S101 shown in fig. 1, S202 is the same as S102 shown in fig. 1, S203 is the same as S103 shown in fig. 1, S204 is the same as S104 shown in fig. 1, and S205 is the same as S105 shown in fig. 1.
When the first application program determines that the process of the third application program is the process needing to be protected and determines that the process of the second application program is the process needing to be intercepted, the step of discarding the closing instruction is executed. When the process of the third application program is determined not to be the process which needs to be protected, the driver corresponding to the first application program can be directly controlled, and a process ending function is called to close the process of the third application program; and when the process of the third application program is determined to be the process to be protected and the process of the second application program is determined not to be the process to be intercepted, the driver corresponding to the first application program can be directly controlled to call the process ending function to close the process of the third application program.
In one implementation, before the step of intercepting the close instruction sent by the second application program to close the third application program, the method may further include:
the driver corresponding to the first application program acquires the kernel address of the NtTerminateProcess function as a first kernel address;
the driver corresponding to the first application program determines the kernel address of the PspTerminateProcess function as a second kernel address based on the acquired first kernel address and a preset calling feature;
the driver corresponding to the first application program hooks the PspTerminateProcess function with a hook function based on the second kernel address.
In one case, the first application program needs to call functions of the system kernel of the electronic device through its corresponding driver. Before the process protection method provided by the embodiment of the present invention is executed, the driver of the first application program must be controlled to hook the process ending function with a hook function, so that when the driver corresponding to the second application program calls the process ending function to send a closing instruction for closing an application program other than the second application program itself, the first application program can control its driver to intercept the closing instruction based on the hook function hooking the process ending function.
In this embodiment of the present invention, the driver corresponding to the first application may first determine a kernel address of the PspTerminateProcess function, and then hook the PspTerminateProcess function by using a hook function based on the determined kernel address of the PspTerminateProcess function.
When determining the kernel address of the PspTerminateProcess function, the driver corresponding to the first application may determine it based on the kernel address of the NtTerminateProcess function and a preset calling feature. The preset calling feature is a calling feature set according to the type of operating system of the electronic device on which the first application program runs; different operating systems correspond to different calling features.
In an embodiment of the present invention, whatever the operating system of the electronic device, the driver corresponding to the first application may first obtain the kernel address of the NtTerminateProcess function, that is, the first kernel address; determine, starting from the first kernel address, the instruction beginning with the byte 0xE8 that calls the PspTerminateProcess function, and determine the address of that instruction; and then add 5 to the address of the 0xE8 instruction and add the value of the 4 bytes following the 0xE8 byte. The result is the kernel address of the PspTerminateProcess function.
For example, when the operating system of the electronic device is Windows XP, the process of determining the kernel address of the PspTerminateProcess function based on the first kernel address and the preset calling feature may be: determining, based on the first kernel address, the instruction beginning with 0xE8 and the address of that instruction, where the 6 bytes before the 0xE8 instruction are 0x68, 0x18, 0x07, 0x00, 0x00, 0x53, the 5th byte after the start of the 0xE8 instruction is 0x85, and the 6th byte is 0xC0; the address of the 0xE8 instruction plus 5 plus the 4 bytes following the 0xE8 byte is the kernel address of the PspTerminateProcess function.
When the operating system of the electronic device is Windows 7, the process of determining the kernel address of the PspTerminateProcess function based on the first kernel address and the preset calling feature may be: determining, based on the first kernel address, the instruction beginning with 0xE8 and the address of that instruction, where the 5 bytes before the 0xE8 instruction are 0x68, 0x18, 0x07, 0x00, 0x00, the 5th byte after the start of the 0xE8 instruction is 0x66, and the 6th byte is 0xFF; the address of the 0xE8 instruction plus 5 plus the 4 bytes following the 0xE8 byte is the kernel address of the PspTerminateProcess function.
When the operating system of the electronic device is Windows 8, the process of determining the kernel address of the PspTerminateProcess function based on the first kernel address and the preset calling feature may be: determining, based on the first kernel address, the instruction beginning with 0xE8 and the address of that instruction, where the 4 bytes before the 0xE8 instruction are 0x8B, 0x7D, 0xF0, 0x56, the 5th byte after the start of the 0xE8 instruction is 0xBA, the 10th byte is 0x8B, and the 11th byte is 0xCF; the address of the 0xE8 instruction plus 5 plus the 4 bytes following the 0xE8 byte is the kernel address of the PspTerminateProcess function.
When the operating system of the electronic device is Windows 8.1, the process of determining the kernel address of the PspTerminateProcess function based on the first kernel address and the preset calling feature may be: determining, based on the first kernel address, the instruction beginning with 0xE8 and the address of that instruction, where the 4 bytes before the 0xE8 instruction are 0x57, 0xFF, 0x75, 0x0C, and the 3 bytes after it are 0x8B, 0x4D, 0xF8; the address of the 0xE8 instruction plus 5 plus the 4 bytes following the 0xE8 byte is the kernel address of the PspTerminateProcess function.
When the operating system of the electronic device is Windows 10, the process of determining the kernel address of the PspTerminateProcess function based on the first kernel address and the preset calling feature may be: determining, based on the first kernel address, the instruction beginning with 0xE8 and the address of that instruction, where the 4 bytes before the 0xE8 instruction are 0x8B, 0xD7, 0x8B, 0xCE, the 5th byte after the start of the 0xE8 instruction is 0xBA, the 10th byte is 0x89, and the 13th byte is 0x8B; the address of the 0xE8 instruction plus 5 plus the 4 bytes following the 0xE8 byte is the kernel address of the PspTerminateProcess function.
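The address computation above is the usual resolution of a 5-byte near call (opcode 0xE8 followed by a signed 32-bit displacement): the callee sits at the address of the 0xE8 byte plus 5 plus that displacement. The following C example is added here and is not the patent's or Kingsoft's code; it encodes the per-version calling features listed above as a table, scans a constructed (not real) byte buffer standing in for the start of NtTerminateProcess, and resolves the callee address, failing closed when the feature for the wrong Windows version is applied. Assumptions: 32-bit addresses (the listed byte patterns are x86-32 code), "the N-th byte after the 0xE8 instruction" means the byte at offset N from the 0xE8 byte, and the Windows 8.1 "3 bytes after" sit at offsets 5 to 7.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A byte expected at a fixed offset from the 0xE8 opcode byte
 * (offset 0 = E8, 1..4 = rel32, 5 = first byte after the call). */
typedef struct {
    size_t  offset;
    uint8_t value;
} after_byte_t;

/* One "preset calling feature" for one operating-system version: the bytes
 * immediately before the E8 byte and the bytes expected after it. */
typedef struct {
    const char         *os_name;
    const uint8_t      *before;
    size_t              before_len;
    const after_byte_t *after;
    size_t              after_len;
} call_feature_t;

/* Byte values as listed in the text. Assumption: "the N-th byte after the
 * 0xE8 instruction" is the byte at offset N from the E8 byte itself, and the
 * Windows 8.1 "3 bytes after" are the bytes at offsets 5..7. */
static const uint8_t      xp_before[]  = { 0x68, 0x18, 0x07, 0x00, 0x00, 0x53 };
static const after_byte_t xp_after[]   = { { 5, 0x85 }, { 6, 0xC0 } };
static const uint8_t      w7_before[]  = { 0x68, 0x18, 0x07, 0x00, 0x00 };
static const after_byte_t w7_after[]   = { { 5, 0x66 }, { 6, 0xFF } };
static const uint8_t      w8_before[]  = { 0x8B, 0x7D, 0xF0, 0x56 };
static const after_byte_t w8_after[]   = { { 5, 0xBA }, { 10, 0x8B }, { 11, 0xCF } };
static const uint8_t      w81_before[] = { 0x57, 0xFF, 0x75, 0x0C };
static const after_byte_t w81_after[]  = { { 5, 0x8B }, { 6, 0x4D }, { 7, 0xF8 } };
static const uint8_t      w10_before[] = { 0x8B, 0xD7, 0x8B, 0xCE };
static const after_byte_t w10_after[]  = { { 5, 0xBA }, { 10, 0x89 }, { 13, 0x8B } };

const call_feature_t CALL_FEATURES[] = {
    { "Windows XP",  xp_before,  sizeof xp_before,  xp_after,  2 },
    { "Windows 7",   w7_before,  sizeof w7_before,  w7_after,  2 },
    { "Windows 8",   w8_before,  sizeof w8_before,  w8_after,  3 },
    { "Windows 8.1", w81_before, sizeof w81_before, w81_after, 3 },
    { "Windows 10",  w10_before, sizeof w10_before, w10_after, 3 },
};
const size_t CALL_FEATURE_COUNT = sizeof CALL_FEATURES / sizeof CALL_FEATURES[0];

/* Resolve a 5-byte near call: E8 rel32, rel32 little-endian and signed.
 * target = address of the E8 byte + 5 + rel32 (32-bit x86 addresses). */
uint32_t resolve_call_target(uint32_t e8_addr, const uint8_t rel[4]) {
    uint32_t raw = (uint32_t)rel[0] | (uint32_t)rel[1] << 8 |
                   (uint32_t)rel[2] << 16 | (uint32_t)rel[3] << 24;
    return e8_addr + 5u + raw;   /* unsigned wrap-around handles a negative rel32 */
}

/* Scan `code`, the bytes starting at `base` (the first kernel address), for
 * the E8 call matching feature `f`. On success stores the callee address (the
 * second kernel address) in *out and returns true. Any mismatch returns false,
 * so the caller hooks nothing rather than patching an unverified address. */
bool find_psp_terminate_process(const uint8_t *code, size_t len, uint32_t base,
                                const call_feature_t *f, uint32_t *out) {
    for (size_t i = f->before_len; i + 5 <= len; i++) {
        if (code[i] != 0xE8) continue;
        if (memcmp(code + i - f->before_len, f->before, f->before_len) != 0) continue;
        bool ok = true;
        for (size_t k = 0; k < f->after_len && ok; k++) {
            size_t off = f->after[k].offset;
            ok = (i + off < len) && code[i + off] == f->after[k].value;
        }
        if (!ok) continue;
        *out = resolve_call_target(base + (uint32_t)i, code + i + 1);
        return true;
    }
    return false;
}

/* Constructed sample standing in for the first bytes of NtTerminateProcess on
 * Windows XP; it is not a dump of any real kernel. The call displacement is
 * +0x1234, so the callee is (SAMPLE_BASE + 6) + 5 + 0x1234 = 0x8050123F. */
const uint8_t SAMPLE_XP[] = {
    0x68, 0x18, 0x07, 0x00, 0x00,   /* push 0x718        (6 bytes before E8) */
    0x53,                           /* push ebx                              */
    0xE8, 0x34, 0x12, 0x00, 0x00,   /* call rel32 = +0x1234                  */
    0x85, 0xC0,                     /* test eax, eax     (offsets 5 and 6)   */
    0xC3,                           /* ret                                   */
};
const uint32_t SAMPLE_BASE = 0x80500000u;   /* constructed first kernel address */

/* Apply feature `idx` to the sample; returns the callee address, or 0 when the
 * feature for that version does not match the bytes (nothing would be hooked). */
uint32_t locate_in_sample(size_t idx) {
    uint32_t callee = 0;
    if (idx >= CALL_FEATURE_COUNT ||
        !find_psp_terminate_process(SAMPLE_XP, sizeof SAMPLE_XP, SAMPLE_BASE,
                                    &CALL_FEATURES[idx], &callee))
        return 0;
    return callee;
}

int main(void) {
    for (size_t i = 0; i < CALL_FEATURE_COUNT; i++)
        printf("%-11s -> 0x%08X (0 = feature did not match, nothing hooked)\n",
               CALL_FEATURES[i].os_name, (unsigned)locate_in_sample(i));
    return 0;
}
```

Only the Windows XP feature matches the constructed bytes; every other version's feature returns 0, which is the behaviour a protective driver wants before it patches a kernel address.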
In an implementation manner, the step of determining whether the process of the third application is a process that needs to be protected based on the information of the process to be closed may include:
matching the process information to be closed with each preset protection process information in a pre-stored first feature library, wherein when the preset protection process information matched with the process information to be closed exists in the first feature library, determining the process of a third application program as the process to be protected; and when the preset protection process information matched with the process information to be closed does not exist in the first feature library, determining that the process of the third application program is not the process needing protection.
In one case, an operator may collect in advance the process information corresponding to processes to be protected, store it as preset protection process information, and generate a first feature library holding that preset protection process information. After the first application program obtains the information of the process to be closed, it matches that information against each piece of preset protection process information in the first feature library and determines, based on the matching result, whether the process of the third application program corresponding to the information of the process to be closed is a process to be protected. When preset protection process information matching the information of the process to be closed exists in the first feature library, this indicates that the process of the third application program is a process to be protected; when no such preset protection process information exists in the first feature library, this indicates that the process of the third application program is not a process to be protected.
In one implementation, the step of determining whether the process of the second application is a process that needs to be intercepted based on the target process information may include:
matching the target process information with each preset interception process information in a pre-stored second feature library, wherein when the preset interception process information matched with the target process information exists in the second feature library, determining the process of the second application program as a process to be intercepted; and when the preset interception process information matched with the target process information does not exist in the second feature library, determining that the process of the second application program is not the process needing to be intercepted.
In one case, the operator may collect in advance the process information corresponding to processes to be intercepted, store it as preset interception process information, and generate a second feature library holding that preset interception process information. After the first application program obtains the target process information, it matches the target process information against each piece of preset interception process information in the second feature library and determines, based on the matching result, whether the process of the second application program corresponding to the target process information is a process to be intercepted. When preset interception process information matching the target process information exists in the second feature library, this indicates that the process of the second application program is a process to be intercepted; when no such preset interception process information exists in the second feature library, this indicates that the process of the second application program is not a process to be intercepted.
In one implementation, after the step of discarding the closing instruction, the method may further include:
outputting prompt information to prompt the user that the closing instruction has been discarded.
In order for the user to better understand the security state of the electronic device, after the closing instruction is discarded, prompt information may be output to inform the user that an attempt by the process to be intercepted to close the process to be protected has been intercepted successfully. In one case, the prompt information may be output as an audio prompt, a screen-brightness prompt, a text message prompt, an interface-jump prompt, or the like; the form of the prompt is not limited in the embodiment of the present invention. The prompt information may carry the identification information of the second application program so as to locate the second application program, and the user may handle the second application program according to the prompt information, for example by uninstalling it or setting permission restrictions. Alternatively, when the prompt takes the form of an interface jump, it may jump directly to the program uninstall interface of the electronic device, positioned on the second application program, for the user of the electronic device to handle. All of these are reasonable.
A process protection method provided in the embodiment of the present invention is described below with reference to specific embodiments.
In the user's computer, a second application program A, a first application program B, and a third application program C are installed in advance, and the driver corresponding to the first application program B has hooked the PspTerminateProcess function of the system kernel in advance. When the second application program A, through its corresponding driver, calls the PspTerminateProcess function to send a closing instruction for closing the process of the third application program C, the first application program B intercepts the closing instruction based on the hook function hooking the PspTerminateProcess function in advance and determines that the closing instruction was sent by a malicious application program, namely the second application program A, against a process to be protected, namely the process of the third application program C; the first application program B then controls its corresponding driver to discard the closing instruction based on the pre-hooked PspTerminateProcess function. The process to be protected is thereby prevented from being closed by the intercepted application program, the process to be protected is protected, and the security of the electronic device is improved to a certain extent. In one case, the third application program C and the first application program B may be the same application program.
Corresponding to the above method embodiment, an embodiment of the present invention provides a device for process protection, which is applied to a first application program, and as shown in fig. 3, the device includes:
an obtaining module 310, configured to obtain a closing instruction for closing a third application program, where the closing instruction carries: the identification information of the second application program and the process information corresponding to the third application program are used as process information to be closed;
a first determining module 320, configured to determine, based on the information about the process to be closed, whether the process of the third application is a process that needs to be protected;
a second determining module 330, configured to determine, when it is determined that the process of the third application is a process that needs to be protected, process information corresponding to the second application as target process information based on the identification information of the second application;
a third determining module 340, configured to determine, based on the target process information, whether the process of the second application is a process that needs to be intercepted;
a discarding module 350, configured to, when it is determined that the process of the second application is a process that needs to be intercepted, control the driver corresponding to the first application to discard the closing instruction based on a process ending function hooked in advance, where the process ending function is a function called by the NtTerminateProcess function.
In the embodiment of the present invention, the first application program may obtain a closing instruction sent by the second application program for closing the third application program. When, based on the information carried by the closing instruction, the process of the third application program is determined to be a process to be protected and the process of the second application program is determined to be a process to be intercepted, the driver corresponding to the first application program is controlled to discard the closing instruction based on a pre-hooked process ending function, namely a function called by the NtTerminateProcess function, so as to prevent the process to be protected from being closed by the intercepted application program. The process to be protected is thereby protected, and the security of the electronic device is improved to a certain extent.
In one implementation, the process ending function is the PspTerminateProcess function;
the obtaining module 310 is specifically configured to:
intercept, based on a hook function hooking the PspTerminateProcess function in advance, the closing instruction that the second application program sends to close the third application program by calling the PspTerminateProcess function.
In one implementation, as shown in fig. 4, the apparatus further includes: a calling module 410;
the calling module 410 is configured to, when it is determined that the process of the third application is not the process that needs to be protected, or when it is determined that the process of the third application is the process that needs to be protected and it is determined that the process of the second application is not the process that needs to be intercepted, control the driver corresponding to the first application to call the process ending function to close the process of the third application.
In one implementation, the process ending function is the PspTerminateProcess function;
the driver corresponding to the first application program acquires the kernel address of the NtTerminateProcess function as a first kernel address before the first application program obtains the closing instruction sent by the second application program for closing the third application program;
determines the kernel address of the PspTerminateProcess function as a second kernel address based on the acquired first kernel address and a preset calling feature;
and hooks the PspTerminateProcess function with a hook function based on the second kernel address.
In one implementation, the first determining module 320 is specifically configured to
Matching the information of the process to be closed with each piece of preset protection process information in a pre-stored first feature library, wherein when the preset protection process information matched with the information of the process to be closed exists in the first feature library, determining the process of the third application program as a process to be protected; and when the first feature library does not have preset protection process information matched with the process information to be closed, determining that the process of the third application program is not a process needing protection.
In one implementation, the third determining module 340 is specifically configured to
Matching the target process information with each preset interception process information in a pre-stored second feature library, wherein when the preset interception process information matched with the target process information exists in the second feature library, determining the process of the second application program as a process to be intercepted; and when the second feature library does not have preset interception process information matched with the target process information, determining that the process of the second application program is not the process to be intercepted.
In one implementation, the apparatus further includes an output module;
the output module is configured to output prompt information after the closing instruction is discarded, so as to prompt the user that the closing instruction has been discarded.
Corresponding to the above method embodiments, the embodiment of the present invention further provides an electronic device, as shown in fig. 5, including a processor 510, a communication interface 520, a memory 530 and a communication bus 540, where the processor 510, the communication interface 520, and the memory 530 complete mutual communication through the communication bus 540,
a memory 530 for storing a first application;
the processor 510 is configured to, when executing the first application program stored in the memory 530, implement any of the method steps for protecting a process provided by the embodiment of the present invention:
acquiring a closing instruction which is sent by a second application program and used for closing a third application program, wherein the closing instruction carries: the identification information of the second application program and the process information corresponding to the third application program are used as process information to be closed;
determining whether the process of the third application program is a process needing protection or not based on the information of the process to be closed;
when the process of the third application program is determined to be a process needing to be protected, determining process information corresponding to the second application program as target process information based on the identification information of the second application program;
determining, based on the target process information, whether the process of the second application program is a process to be intercepted;
when the process of the second application program is determined to be a process to be intercepted, controlling the driver corresponding to the first application program to discard the closing instruction based on a process ending function hooked in advance, where the process ending function is a function called by the NtTerminateProcess function.
In the embodiment of the present invention, the first application program may obtain a closing instruction sent by the second application program for closing the third application program. When, based on the information carried by the closing instruction, the process of the third application program is determined to be a process to be protected and the process of the second application program is determined to be a process to be intercepted, the driver corresponding to the first application program is controlled to discard the closing instruction based on a pre-hooked process ending function, namely a function called by the NtTerminateProcess function, so as to prevent the process to be protected from being closed by the intercepted application program. The process to be protected is thereby protected, and the security of the electronic device is improved to a certain extent.
In one implementation, the process ending function is the PspTerminateProcess function;
the obtaining of the closing instruction sent by the second application program for closing the third application program includes:
acquiring, based on a hook function hooking the PspTerminateProcess function in advance, the closing instruction that the second application program sends to close the third application program by calling the PspTerminateProcess function.
In one implementation, the method further comprises:
when the process of the third application program is determined not to be the process which needs to be protected, or when the process of the third application program is determined to be the process which needs to be protected and the process of the second application program is determined not to be the process which needs to be intercepted, controlling a driver program corresponding to the first application program to call the process ending function to close the process of the third application program.
In one implementation, the process ending function is the PspTerminateProcess function;
before the obtaining of the closing instruction sent by the second application program for closing the third application program, the method further includes:
the driver corresponding to the first application program acquiring the kernel address of the NtTerminateProcess function as a first kernel address;
the driver corresponding to the first application program determining the kernel address of the PspTerminateProcess function as a second kernel address based on the acquired first kernel address and a preset calling feature;
and the driver corresponding to the first application program hooking the PspTerminateProcess function with a hook function based on the second kernel address.
In one implementation, the determining whether the process of the third application is a process that needs to be protected based on the information about the process to be closed includes:
matching the information of the process to be closed with each piece of preset protection process information in a pre-stored first feature library, wherein when the preset protection process information matched with the information of the process to be closed exists in the first feature library, determining the process of the third application program as a process to be protected; and when the first feature library does not have preset protection process information matched with the process information to be closed, determining that the process of the third application program is not a process needing protection.
In one implementation, the determining whether the process of the second application is a process that needs to be intercepted based on the target process information includes:
matching the target process information with each preset interception process information in a pre-stored second feature library, wherein when the preset interception process information matched with the target process information exists in the second feature library, determining the process of the second application program as a process to be intercepted; and when the second feature library does not have preset interception process information matched with the target process information, determining that the process of the second application program is not the process to be intercepted.
In one implementation, after the discarding the close instruction, the method further comprises:
and outputting prompt information to prompt the user that the closing instruction is discarded.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
Corresponding to the foregoing method embodiment, an embodiment of the present invention provides a computer-readable storage medium, where a first application program is stored in the computer-readable storage medium, and when the first application program is executed by a processor, the method for protecting a process according to any one of the method steps provided in the embodiment of the present invention is implemented:
acquiring a closing instruction which is sent by a second application program and used for closing a third application program, wherein the closing instruction carries the identification information of the second application program and the process information corresponding to the third application program, the latter serving as process information to be closed;
determining whether the process of the third application program is a process needing protection or not based on the information of the process to be closed;
when the process of the third application program is determined to be a process needing to be protected, determining process information corresponding to the second application program as target process information based on the identification information of the second application program;
determining, based on the target process information, whether the process of the second application program is a process that needs to be intercepted;
when the process of the second application program is determined to be a process to be intercepted, controlling a driver corresponding to the first application program to discard the closing instruction based on a process ending function hooked in advance, wherein the process ending function is a function called by the NtTerminateProcess function.
In the embodiment of the present invention, the first application program may obtain a close instruction sent by the second application program for closing the third application program. When it is determined, based on the information carried by the close instruction, that the process of the third application program is a process to be protected and that the process of the second application program is a process to be intercepted, the driver corresponding to the first application program is controlled to discard the close instruction based on the pre-hooked process end function, which is a function called by the NtTerminateProcess function. This prevents the process to be protected from being closed by the intercepted application program, thereby protecting that process and improving the security of the electronic device to a certain extent.
In one implementation, the process termination function is: a PspTerminateProcess function;
the obtaining of the closing instruction for closing the third application program sent by the second application program includes:
and acquiring, by means of a hook function that hooks the PspTerminateProcess function in advance, a closing instruction sent by the second application program, which closes the third application program by calling the PspTerminateProcess function.
In one implementation, the method further comprises:
when the process of the third application program is determined not to be the process which needs to be protected, or when the process of the third application program is determined to be the process which needs to be protected and the process of the second application program is determined not to be the process which needs to be intercepted, controlling a driver program corresponding to the first application program to call the process ending function to close the process of the third application program.
In one implementation, the process end function is: a PspTerminateProcess function;
before the obtaining of the closing instruction for closing the third application program sent by the second application program, the method further includes:
a driver corresponding to the first application program acquires a kernel address of an NtTerminateProcess function as a first kernel address;
determining a kernel address of a PspTerminateProcess function as a second kernel address by a driver corresponding to the first application program based on the acquired first kernel address and a preset calling characteristic;
and the driver corresponding to the first application program hooks the PspTerminateProcess function by utilizing a hook function based on the second kernel address.
In one implementation, the determining whether the process of the third application is a process that needs to be protected based on the information about the process to be closed includes:
matching the information of the process to be closed with each piece of preset protection process information in a pre-stored first feature library, wherein when the preset protection process information matched with the information of the process to be closed exists in the first feature library, determining the process of the third application program as a process to be protected; and when the first feature library does not have preset protection process information matched with the process information to be closed, determining that the process of the third application program is not a process needing protection.
In one implementation, the determining whether the process of the second application is a process that needs to be intercepted based on the target process information includes:
matching the target process information with each preset interception process information in a pre-stored second feature library, wherein when the preset interception process information matched with the target process information exists in the second feature library, determining the process of the second application program as a process to be intercepted; and when the second feature library does not have preset interception process information matched with the target process information, determining that the process of the second application program is not the process to be intercepted.
In one implementation, after the discarding the close instruction, the method further comprises:
and outputting prompt information to prompt the user that the closing instruction is discarded.
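The decision that the description above attributes to the hooked process-ending function (match the process to be closed against the first feature library, then match the caller against the second feature library, and either discard the close instruction or let the original function run), as an added example that is not code from the patent or from Kingsoft. It is a user-mode C model only: the process table, both feature libraries and every function name (hooked_terminate, original_terminate, is_alive) are constructed assumptions, and no kernel hooking is performed.

```c
/*
 * Added example, not code from the patent: user-mode model of the decision
 * made inside the pre-hooked process-ending function. Process table, feature
 * libraries and function names are constructed for illustration.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* One row of a constructed process table: pid -> image name, alive flag. */
struct proc_entry {
    unsigned int pid;
    const char  *image;
    bool         alive;
};

static struct proc_entry g_procs[] = {
    { 4,    "System",       true },
    { 812,  "guard.exe",    true },  /* first application: the protector */
    { 900,  "killer.exe",   true },  /* second application on the intercept list */
    { 950,  "taskmgr.exe",  true },  /* ordinary caller, not intercepted */
    { 1200, "guardsvc.exe", true },  /* third application: a protected process */
    { 1300, "notepad.exe",  true },  /* unprotected process */
};
#define N_PROCS (sizeof g_procs / sizeof g_procs[0])
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

/* First feature library: preset protection process information (constructed). */
static const char *const g_protect_lib[]   = { "guard.exe", "guardsvc.exe" };
/* Second feature library: preset interception process information (constructed). */
static const char *const g_intercept_lib[] = { "killer.exe", "prockill.exe" };

enum verdict { VERDICT_PASS_THROUGH = 0, VERDICT_DISCARDED = 1, VERDICT_NO_SUCH_PROCESS = 2 };

/* Case-insensitive string equality (image names are case-insensitive on Windows). */
static bool ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

static bool in_library(const char *image, const char *const *lib, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (ieq(image, lib[i])) return true;
    return false;
}

static struct proc_entry *lookup(unsigned int pid) {
    for (size_t i = 0; i < N_PROCS; i++)
        if (g_procs[i].pid == pid) return &g_procs[i];
    return NULL;
}

/* Stand-in for the original (unhooked) process-ending function. */
static void original_terminate(struct proc_entry *target) { target->alive = false; }

/* Stand-in for the hook function: caller_pid identifies the second application,
 * target_pid is the process information to be closed. */
enum verdict hooked_terminate(unsigned int caller_pid, unsigned int target_pid)
{
    struct proc_entry *target = lookup(target_pid);
    struct proc_entry *caller = lookup(caller_pid);
    if (!target || !caller) return VERDICT_NO_SUCH_PROCESS;

    /* Step 1: is the process to be closed on the protection list? */
    bool target_protected = in_library(target->image, g_protect_lib, COUNT(g_protect_lib));
    /* Steps 2-3: only for a protected target, resolve the caller's process
     * information and match it against the interception list. */
    bool caller_intercepted = target_protected &&
        in_library(caller->image, g_intercept_lib, COUNT(g_intercept_lib));

    if (caller_intercepted) {
        /* Discard the close instruction and emit the prompt information. */
        printf("discarded: %s (pid %u) tried to close protected %s (pid %u)\n",
               caller->image, caller_pid, target->image, target_pid);
        return VERDICT_DISCARDED;
    }
    /* Unprotected target, or caller not intercepted: let the original run. */
    original_terminate(target);
    return VERDICT_PASS_THROUGH;
}

bool is_alive(unsigned int pid) { struct proc_entry *p = lookup(pid); return p && p->alive; }

int main(void) {
    hooked_terminate(900, 1200);  /* intercepted caller -> protected: discarded */
    hooked_terminate(950, 1200);  /* ordinary caller -> protected: allowed */
    hooked_terminate(900, 1300);  /* intercepted caller -> unprotected: allowed */
    return 0;
}
```

The patent leaves the form of the "process information" open; this model matches on image name alone, which a renamed binary defeats, so a deployed feature library would normally carry stronger identifiers (image path, signer, or hash). Note also that the interception list is consulted only after the target is found to be protected, matching the order of the steps above.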
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the device and electronic apparatus embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference may be made to some descriptions of the method embodiments for relevant points.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (16)

1. A method for process protection, applied to a first application, the method comprising:
acquiring a closing instruction which is sent by a second application program and used for closing a third application program, wherein the closing instruction carries the identification information of the second application program and the process information corresponding to the third application program, the latter serving as process information to be closed;
determining whether the process of the third application program is a process needing protection or not based on the information of the process to be closed;
when the process of the third application program is determined to be a process needing to be protected, determining process information corresponding to the second application program as target process information based on the identification information of the second application program;
determining, based on the target process information, whether the process of the second application program is a process that needs to be intercepted;
when the process of the second application program is determined to be a process to be intercepted, controlling a driver corresponding to the first application program to discard the closing instruction based on a process ending function hooked in advance, wherein the process ending function is a function called by the NtTerminateProcess function.
2. The method of claim 1, wherein the end-of-process function is: a PspTerminateProcess function;
the step of obtaining a closing instruction for closing the third application program, which is sent by the second application program, includes:
and acquiring, by means of a hook function that hooks the PspTerminateProcess function in advance, a closing instruction sent by the second application program, which closes the third application program by calling the PspTerminateProcess function.
3. The method of claim 1, further comprising:
when the process of the third application program is determined not to be the process which needs to be protected, or when the process of the third application program is determined to be the process which needs to be protected and the process of the second application program is determined not to be the process which needs to be intercepted, controlling a driver program corresponding to the first application program to call the process ending function to close the process of the third application program.
4. The method of claim 1, wherein the end-of-process function is: a PspTerminateProcess function;
before the step of obtaining a closing instruction sent by the second application program for closing the third application program, the method further includes:
a driver corresponding to the first application program acquires a kernel address of an NtTerminateProcess function as a first kernel address;
determining a kernel address of a PspTerminateProcess function as a second kernel address by a driver corresponding to the first application program based on the acquired first kernel address and a preset calling characteristic;
and the driver corresponding to the first application program hooks the PspTerminateProcess function by utilizing a hook function based on the second kernel address.
5. The method according to claim 1, wherein the step of determining whether the process of the third application is a process requiring protection based on the process information to be closed comprises:
matching the information of the process to be closed with each piece of preset protection process information in a pre-stored first feature library, wherein when the preset protection process information matched with the information of the process to be closed exists in the first feature library, determining the process of the third application program as a process to be protected; and when the first feature library does not have preset protection process information matched with the process information to be closed, determining that the process of the third application program is not a process needing protection.
6. The method of claim 1, wherein the step of determining whether the process of the second application is a process that needs to be intercepted based on the target process information comprises:
matching the target process information with each preset interception process information in a pre-stored second feature library, wherein when the preset interception process information matched with the target process information exists in the second feature library, determining the process of the second application program as a process to be intercepted; and when the second feature library does not have preset interception process information matched with the target process information, determining that the process of the second application program is not the process to be intercepted.
7. The method according to any of claims 1-6, wherein after the step of discarding the close command, the method further comprises:
and outputting prompt information to prompt the user that the closing instruction is discarded.
8. An apparatus for process protection, applied to a first application, the apparatus comprising:
an obtaining module, configured to obtain a closing instruction sent by a second application program for closing a third application program, where the closing instruction carries the identification information of the second application program and the process information corresponding to the third application program, the latter serving as process information to be closed;
a first determining module, configured to determine, based on the information about the process to be closed, whether the process of the third application is a process that needs to be protected;
a second determining module, configured to determine, when it is determined that the process of the third application is a process that needs to be protected, process information corresponding to the second application as target process information based on the identification information of the second application;
a third determining module, configured to determine, based on the target process information, whether the process of the second application is a process that needs to be intercepted;
a discarding module, configured to, when it is determined that the process of the second application is a process to be intercepted, control a driver corresponding to the first application to discard the closing instruction based on a process ending function hooked in advance, where the process ending function is a function called by the NtTerminateProcess function.
9. The apparatus of claim 8, wherein the end-of-process function is: a PspTerminateProcess function;
the obtaining module is specifically configured to:
acquire, by means of a hook function that hooks the PspTerminateProcess function in advance, a closing instruction sent by the second application program, which closes the third application program by calling the PspTerminateProcess function.
10. The apparatus of claim 8, further comprising a calling module;
the calling module is configured to control the driver corresponding to the first application to call the process ending function to close the process of the third application when it is determined that the process of the third application is not the process to be protected, or when it is determined that the process of the third application is the process to be protected and it is determined that the process of the second application is not the process to be intercepted.
11. The apparatus of claim 8, wherein the end-of-process function is a PspTerminateProcess function;
the driver corresponding to the first application program obtains a kernel address of an NtTerminateProcess function as a first kernel address before the first application program obtains a closing instruction which is sent by a second application program and used for closing a third application program;
determines a kernel address of the PspTerminateProcess function as a second kernel address based on the obtained first kernel address and a preset calling characteristic;
and hooks the PspTerminateProcess function with a hook function based on the second kernel address.
12. The apparatus according to claim 8, wherein the first determining module is specifically configured to:
Matching the information of the process to be closed with each piece of preset protection process information in a pre-stored first feature library, wherein when the preset protection process information matched with the information of the process to be closed exists in the first feature library, determining the process of the third application program as a process to be protected; and when the first feature library does not have preset protection process information matched with the process information to be closed, determining that the process of the third application program is not a process needing protection.
13. The apparatus according to claim 8, wherein the third determining module is specifically configured to:
Matching the target process information with each preset interception process information in a pre-stored second feature library, wherein when the preset interception process information matched with the target process information exists in the second feature library, determining the process of the second application program as a process to be intercepted; and when the second feature library does not have preset interception process information matched with the target process information, determining that the process of the second application program is not the process to be intercepted.
14. The apparatus of any one of claims 8-13, further comprising an output module;
and the output module is used for outputting prompt information after the closing instruction is discarded so as to prompt a user that the closing instruction is discarded.
15. An electronic device, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
the memory is configured to store a first application program;
the processor is configured to implement the method steps of process protection as claimed in any one of claims 1 to 7 when executing the first application program stored in the memory.
16. A computer-readable storage medium, wherein a first application program is stored in the computer-readable storage medium, and wherein the first application program, when executed by a processor, implements the method steps for process protection as recited in any of claims 1-7.
CN201810242265.0A 2018-03-22 2018-03-22 Process protection method and device and electronic equipment Active CN108446553B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810242265.0A CN108446553B (en) 2018-03-22 2018-03-22 Process protection method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN108446553A CN108446553A (en) 2018-08-24
CN108446553B true CN108446553B (en) 2021-11-12

Family

ID=63196239

Country Status (1)

Country Link
CN (1) CN108446553B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109739567B (en) * 2018-11-26 2024-05-07 平安科技(深圳)有限公司 Method, device, computer equipment and storage medium for rapidly terminating application program
CN109711153B (en) * 2018-12-26 2021-03-19 北京北信源信息安全技术有限公司 Windows process protection method and system

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102253863A (en) * 2011-06-15 2011-11-23 奇智软件(北京)有限公司 Method for closing processes
CN102982283A (en) * 2012-11-27 2013-03-20 蓝盾信息安全技术股份有限公司 System and method for killing protected malicious computer process
CN105446776A (en) * 2015-11-20 2016-03-30 北京金山安全软件有限公司 Application program closing method and device and electronic equipment
CN105590060A (en) * 2015-12-21 2016-05-18 北京金山安全软件有限公司 Target application program protection method and device
CN105893845A (en) * 2016-04-05 2016-08-24 北京金山安全软件有限公司 Data processing method and device
CN105912948A (en) * 2016-04-06 2016-08-31 北京金山安全软件有限公司 Data protection method and device
CN106203115A (en) * 2016-07-11 2016-12-07 北京金山安全软件有限公司 Application program protection method and device and electronic equipment
CN106203077A (en) * 2016-06-28 2016-12-07 北京金山安全软件有限公司 Processing method and device for copy information and electronic equipment
CN106886691A (en) * 2015-12-15 2017-06-23 珠海市君天电子科技有限公司 Interception method and device for ending process operation and electronic equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090199155A1 (en) * 2008-01-31 2009-08-06 Embarq Holdings Company Llc System and method for managing workflow instances in a workflow application

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Killing KV 2008, Rising and most other antivirus software; iiprogram; https://blog.csdn.net/weixin_30699955/article/details/99513919; 2008-03-24; body text pages 3-7 *
A brief discussion of three methods of forcibly terminating a process from a driver; 少仲; https://blog.csdn.net/py_panyu/article/details/45012289?utm_source=blogxgwz0; 2015-04-12; full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant