CN109214183A - Method, apparatus and device for detecting and killing ransomware, storage medium and processor - Google Patents

Publication number
CN109214183A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710534551.XA
Other languages
Chinese (zh)
Inventor
董斌雁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd
Priority to CN201710534551.XA
Publication of CN109214183A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562: Static detection
    • G06F21/565: Static detection by checking file integrity
    • G06F21/568: Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files

Abstract

This application discloses a method, apparatus and device for detecting and killing ransomware, together with a storage medium and a processor. The device includes: a memory containing at least one storage region, with at least one preset format file in any storage region, where the format file is located at the head and/or tail of the storage region; and a processor which, if it detects that a preset format file in the memory has changed, determines that ransomware is processing the format file, obtains the process corresponding to the ransomware, and kills that process. The application addresses the technical problem that existing schemes, which detect and kill ransomware by blacklist, lag behind and are therefore inefficient.

Description

Method, apparatus and device for detecting and killing ransomware, storage medium and processor
Technical field
The present invention relates to the field of network security, and in particular to a method, apparatus and device for detecting and killing ransomware, a storage medium and a processor.
Background
With the development of Internet technology, networks have become an indispensable part of people's life and work. Through computer networks, Internet users can obtain massive amounts of information and easily communicate with other users, sharing information resources. However, the rapid development of computer networking technology has made the network environment increasingly complex and network security problems increasingly prominent, and ransomware is one of the fastest-growing cyber threats of recent years.
Ransomware typically applies some form of encryption to many kinds of files on the user's system, such as documents, mail, databases, source code, pictures and compressed files, to make them unusable, or reduces the availability of the system by modifying system configuration files or interfering with the user's normal use of the system. It then issues a ransom notice to the user through a pop-up window, a dialog box or a generated text file, demanding that the user remit money to a designated account to obtain the password for decrypting the files or the method for restoring the system to normal operation.
At present, the common defense against ransomware is the blacklist: every program or file is compared with the programs or files in the blacklist, and on a match it is determined to be ransomware, the corresponding process is killed, and the corresponding binary file is quarantined. However, because a blacklist consists of programs or files of known ransomware collected in advance, it lags behind unknown ransomware, and misses can occur. Once unknown ransomware runs successfully it can immediately encrypt format files, and if the victim has not backed up the data in advance, the encrypted files cannot be recovered.
No effective solution has yet been proposed for the problem that existing schemes, which detect and kill ransomware by blacklist, lag behind and are therefore inefficient.
Summary of the invention
The embodiments of the present application provide a method, apparatus and device for detecting and killing ransomware, a storage medium and a processor, to at least solve the technical problem that existing schemes, which detect and kill ransomware by blacklist, lag behind and are therefore inefficient.
According to one aspect of the embodiments of the present application, a device for detecting and killing ransomware is provided, comprising: a memory containing at least one storage region, with at least one preset format file in any storage region, where the format file is located at the head and/or tail of the storage region; and a processor which, if it detects that a preset format file in the memory has changed, determines that ransomware is processing the format file, obtains the process corresponding to the ransomware, and kills that process.
According to another aspect of the embodiments of the present application, a method for detecting and killing ransomware is also provided, comprising: monitoring a preset format file in a storage region, where the format file is located at the head and/or tail of the storage region; if a change to the format file is detected, determining that ransomware is processing the format file; and obtaining the process corresponding to the ransomware and killing that process.
According to another aspect of the embodiments of the present application, an apparatus for detecting and killing ransomware is also provided, comprising: a monitoring unit for monitoring a preset format file in a storage region, where the format file is located at the head and/or tail of the storage region; a determination unit for determining, if a change to the format file is detected, that ransomware is processing the format file; and a killing unit for obtaining the process corresponding to the ransomware and killing that process.
According to another aspect of the embodiments of the present application, a security processing method is also provided, comprising: monitoring a preset format file in a storage region, where the format file is located at the head and/or tail of the storage region; if a change to the format file is detected, determining that a security threat exists; and obtaining the process corresponding to the security threat and killing that process.
According to another aspect of the embodiments of the present application, a storage medium is also provided, comprising a stored program, where, when the program runs, the device on which the storage medium resides is controlled to execute the following processing steps: monitoring a preset format file in a storage region, where the format file is located at the head and/or tail of the storage region; if a change to the format file is detected, determining that ransomware is processing the format file; and obtaining the process corresponding to the ransomware and killing that process.
According to another aspect of the embodiments of the present application, a processor is also provided. The processor is used to run a program, and the program, when run, executes the following processing steps: monitoring a preset format file in a storage region, where the format file is located at the head and/or tail of the storage region; if a change to the format file is detected, determining that ransomware is processing the format file; and obtaining the process corresponding to the ransomware and killing that process.
In the embodiments of the present application, the preset format file in the storage region is monitored; if a change to the format file is detected, it is determined that ransomware is processing the format file, the process corresponding to the ransomware is obtained, and that process is killed, thereby achieving the purpose of detecting and killing ransomware. Note that because a format file is preset at the head or tail of the storage region, ransomware will process that format file first, and whether the format file changes is monitored in real time. Furthermore, because what the ransomware processes is the preset format file rather than the victim's normal format files, the user's format files are guaranteed not to be processed by the ransomware, which improves both the timeliness and the effectiveness of detecting and killing ransomware. The scheme provided by this application therefore solves the technical problem that existing schemes, which detect and kill ransomware by blacklist, lag behind and are therefore inefficient.
Brief description of the drawings
The drawings described here provide a further understanding of the invention and form part of this application. The illustrative embodiments of the invention and their description are used to explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a schematic diagram of a device for detecting and killing ransomware according to an embodiment of the present application;
Fig. 2 is a hardware structure block diagram of a terminal for implementing a method for detecting and killing ransomware according to an embodiment of the present application;
Fig. 3 is a flow chart of a method for detecting and killing ransomware according to an embodiment of the present application;
Fig. 4 is a flow chart of an optional method for detecting and killing ransomware according to an embodiment of the present application;
Fig. 5 is a schematic diagram of an apparatus for detecting and killing ransomware according to an embodiment of the present application;
Fig. 6 is a flow chart of a security processing method according to an embodiment of the present application; and
Fig. 7 is a structural block diagram of a terminal according to an embodiment of the present application.
Detailed description
To help those skilled in the art better understand the scheme of this application, the technical solutions in the embodiments of the application are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are obviously only some of the embodiments of the application, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments in this application without creative work fall within the scope of protection of this application.
It should be noted that the terms "first", "second" and so on in the description, the claims and the above drawings are used to distinguish similar objects and not to describe a particular order or sequence. It should be understood that data used in this way are interchangeable where appropriate, so that the embodiments described here can be implemented in an order other than the one illustrated or described. In addition, the terms "include" and "have" and any variants of them are intended to cover non-exclusive inclusion: for example, a process, method, system, product or device that contains a series of steps or units is not necessarily limited to the steps or units clearly listed, but may include other steps or units that are not clearly listed or that are inherent to the process, method, product or device.
First, some of the nouns or terms that appear in the description of the embodiments of the present application are explained as follows:
Format file: a sensitive file of a kind that ransomware often encrypts, for example a file of type doc, c, cpp, java, html, ppt, and so on.
Process: one run of a program in a computer over some data set. It is the basic unit by which the system allocates and schedules resources and is the foundation of the operating system's structure. A program is a description of instructions, data and their organization; a process is the entity of a program.
ASCII: short for American Standard Code for Information Interchange. It uses specified combinations of 7 or 8 bits to represent 128 or 256 possible characters. Standard ASCII, also called basic ASCII, uses 7 bits to represent all upper-case and lower-case letters, the digits 0 to 9, punctuation marks, and the special control characters used in American English.
Embodiment 1
According to an embodiment of the present application, an embodiment of a device for detecting and killing ransomware is provided. Fig. 1 is a schematic diagram of a device for detecting and killing ransomware according to an embodiment of the present application. As shown in Fig. 1, the device includes:
A memory 12, containing at least one storage region 120, with at least one preset format file in any storage region, where the format file is located at the head and/or tail of the storage region.
Optionally, in the above embodiment of the present application, the preset format file includes data files of at least one type, and different character strings in the head identifier of the format file are used to place the format file at the head and/or tail of the storage region.
Optionally, in the above embodiment of the present application, where the head identifier is the smallest letter in ASCII, the format file is located at the tail of the storage region; where the head identifier is the largest letter in ASCII, the format file is located at the head of the storage region.
Specifically, the storage region may be each partition drive letter on the client. The preset format file may be a sensitive file, of a kind that ransomware often encrypts, created in advance to defend against ransomware. The type may be doc, c, cpp, java, html, ppt, etc., which this application does not limit. The character string may be "!" plus the smallest letter in ASCII, or "~" plus the largest letter in ASCII. When the head identifier of the format file is "!" plus the smallest letter in ASCII, the format file is located at the physical tail of the storage region; when the head identifier of the format file is "~" plus the largest letter in ASCII, the format file is located at the physical head of the storage region.
A processor 14 which, if it detects that a preset format file in the memory has changed, determines that ransomware is processing the format file, obtains the process corresponding to the ransomware, and kills that process.
Specifically, the change may be that ransomware has encrypted the format file, causing the format file to change. Killing may consist of blocking the process corresponding to the ransomware from running and quarantining the file corresponding to the process; that file may be the ransomware's binary file.
In an optional scheme, a format file can be preset in each partition drive, and the format of its file name changed to "!" plus the smallest letter, by ASCII code, among visible file-name characters, so that the preset format file is traversed first when the system's file-traversal function uses preorder traversal; or the format of its file name can be changed to "~" plus the largest letter, by ASCII code, among visible file-name characters, so that the preset format file is traversed first when the system's file-traversal function uses postorder traversal. Changes to the preset format file in each partition drive can be monitored by judging whether the format file can be accessed normally, that is, whether it has been encrypted and modified: if it has, it is determined that the format file has changed; if it has not, it is determined that the format file can be accessed normally. When a change to the format file in a partition drive is detected, i.e. the format file has been encrypted and modified, it is determined that ransomware has encrypted and modified the format file; the process corresponding to the ransomware is then obtained, that process is blocked from running, and the binary file corresponding to the process is quarantined.
According to the above embodiment of the present application, the preset format file in the storage region is monitored; if a change to the format file is detected, it is determined that ransomware is processing the format file, the process corresponding to the ransomware is obtained, and that process is killed, thereby achieving the purpose of detecting and killing ransomware. Note that because a format file is preset at the head or tail of the storage region, ransomware will process that format file first, and whether the format file changes is monitored in real time. Furthermore, because what the ransomware processes is the preset format file rather than the victim's normal format files, the user's format files are guaranteed not to be processed by the ransomware, which improves both the timeliness and the effectiveness of detecting and killing ransomware. The scheme provided by the above embodiment therefore solves the technical problem that existing schemes, which detect and kill ransomware by blacklist, lag behind and are therefore inefficient.
Optionally, in the above embodiment of the present application, processor 14 is also used to determine that the format file has changed if it detects that the format file has been modified, where whether the format file has been modified is determined by judging whether the content at any one or more positions of the format file has changed.
In an optional scheme, the state of the preset format file can be monitored by calling the hooked functions FindFirstFileEx() and FindFirstFile(), and it is judged whether the content of the head, middle and tail of the format file has changed. If the content of the head, middle or tail has changed, it is determined that the format file has been encrypted and modified by ransomware, i.e. that the format file has changed.
Optionally, in the above embodiment of the present application, processor 14 is also used to judge the HASH value of at least one of the following positions of the format file.
In an optional scheme, the state of the preset format file can be monitored by calling the hooked functions FindFirstFileEx() and FindFirstFile(), and it is judged whether the content of the head, middle and tail of the format file has changed, that is, whether the HASH values of the head, middle and tail of the format file have changed. If the HASH value of the head, middle or tail has changed, the content at that position has changed, and it is determined that the format file has been encrypted and modified by ransomware, i.e. that the format file has changed.
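The file-name placement and the head/middle/tail HASH comparison described above can be sketched as follows. This is an added example, not code from the patent: the decoy names, the 4096-byte region size, the choice of SHA-256 and the use of `sorted()` to stand in for a name-ordered directory enumeration are all assumptions, and the check also reports a decoy that can no longer be read, which corresponds to the "can the format file be accessed normally" test.

```python
import hashlib
import os
import tempfile

REGION = 4096  # bytes hashed at each sampled position (assumed value)
# "!" (0x21) sorts before and "~" (0x7E) sorts after every ASCII letter and digit.
DECOY_NAMES = ["!a_decoy.doc", "~z_decoy.doc"]  # hypothetical decoy names


def plant_decoys(folder, size=3 * REGION + 123):
    """Create the preset format files with deterministic filler content."""
    paths = []
    for name in DECOY_NAMES:
        path = os.path.join(folder, name)
        filler = (name.encode() * (size // len(name) + 1))[:size]
        with open(path, "wb") as fh:
            fh.write(filler)
        paths.append(path)
    return paths


def region_hashes(path):
    """Return the file size and the SHA-256 of its head, middle and tail regions."""
    size = os.path.getsize(path)
    offsets = {
        "head": 0,
        "middle": max((size - REGION) // 2, 0),
        "tail": max(size - REGION, 0),
    }
    result = {"size": size}
    with open(path, "rb") as fh:
        for label, offset in offsets.items():
            fh.seek(offset)
            result[label] = hashlib.sha256(fh.read(REGION)).hexdigest()
    return result


def take_baseline(paths):
    """Record the known-good hashes once, right after the decoys are planted."""
    return {path: region_hashes(path) for path in paths}


def check(baseline):
    """Compare each decoy with its baseline; return {path: [changed fields]}."""
    alerts = {}
    for path, old in baseline.items():
        try:
            new = region_hashes(path)
        except OSError:
            # Renamed, deleted or locked: the file can no longer be accessed normally.
            alerts[path] = ["unreadable"]
            continue
        changed = [field for field in old if old[field] != new[field]]
        if changed:
            alerts[path] = changed
    return alerts


def demo():
    """Plant decoys beside constructed user files, tamper with them, and check."""
    with tempfile.TemporaryDirectory() as folder:
        for name in ("report.doc", "Budget.ppt", "main.c"):  # constructed user files
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"user data")
        decoys = plant_decoys(folder)
        # A name-ordered enumeration meets one decoy first and the other last.
        listing = sorted(os.listdir(folder))
        baseline = take_baseline(decoys)
        clean = check(baseline)
        # Constructed tampering: overwrite 16 bytes in the middle of one decoy
        # and delete the other one.
        with open(decoys[0], "r+b") as fh:
            fh.seek(baseline[decoys[0]]["size"] // 2)
            fh.write(b"\x00" * 16)
        os.remove(decoys[1])
        alerts = {os.path.basename(p): f for p, f in check(baseline).items()}
        return listing, clean, alerts


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Hashing three fixed regions keeps each check cheap on large decoys, but a change that falls entirely between the sampled regions and leaves the size unchanged goes unnoticed, so the region size and decoy size should be chosen together.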
Optionally, in the above embodiment of the present application, processor 14 is also used to look up in reverse, from the file read/write table, the process corresponding to the modified format file, and to kill that process. The processor is also used to send the format file to a driver; the driver enumerates the file read/write records and obtains the process corresponding to the format file; if the process is found by a query of the whitelist, the process is killed and the file corresponding to the process is quarantined.
Specifically, the file read/write table records the content modified in each file and the process that modified the file.
In an optional scheme, after it is determined that the format file has been encrypted and modified by ransomware, the driver can be notified. The driver enumerates the read/write records for the format file in the file read/write table and obtains the process that encrypted and modified the format file, i.e. the ransomware's process. The process information of that process is queried in the whitelist; if it can be found, the process is blocked from running and the binary file corresponding to the process is quarantined.
Optionally, in the above embodiment of the present application, processor 14 is also used to create at least one folder in a hidden state in the storage region, where the format file is preset in the folder, and to start a process that traverses the at least one hidden folder; if a preset format file is found in a folder, the format file is monitored.
Specifically, to prevent the victim from modifying or deleting the preset format file, a hidden folder can be created in the storage region and the preset format file placed in it, so that the victim cannot see the folder.
In an optional scheme, a hidden folder can be created under each partition drive of the system and a format file preset in the hidden folder. The format of the format file's name is changed to "!" plus the smallest letter, by ASCII code, among visible file-name characters, so that the preset format file is traversed first when the system's file-traversal function uses preorder traversal; or it is changed to "~" plus the largest letter, by ASCII code, among visible file-name characters, so that the preset format file is traversed first when the system's file-traversal function uses postorder traversal. A process is started that traverses each hidden folder and judges whether a format file exists in it. If one exists, the state of that format file is monitored in real time and it is judged whether the format file can be accessed normally, thereby determining whether ransomware has encrypted and modified the format file.
Embodiment 2
According to the embodiment of the present application, the embodiment that the method for software is extorted in a kind of killing is additionally provided, it should be noted that Step shown in the flowchart of the accompanying drawings can execute in a computer system such as a set of computer executable instructions, and It, in some cases, can be to be different from sequence execution institute herein and although logical order is shown in flow charts The step of showing or describing.
The embodiment of the method that software is extorted in killing provided by the present application can be applied to the public cloud (example of internet area Such as, Baidu's cloud, Tencent's cloud, Ali's cloud etc.) and some bigger websites (for example, commercial company, search engine or political affairs The website of mansion department etc.) in, software is extorted with defence.
Embodiment of the method provided by the embodiment of the present application one can be in mobile terminal, terminal or similar fortune It calculates and is executed in device.Fig. 2 is whole according to a kind of computer of method for extorting software for realizing killing of the embodiment of the present application The hardware block diagram at end.As shown in Fig. 2, terminal 20 may include it is one or more (in figure using 202a, 202b ... ..., 202n are shown) (processor 202 can include but is not limited to Micro-processor MCV or programmable patrols processor 202 The processing unit of volume device FPGA etc.), memory 204 for storing data and the transmitting device for communication function 206.It in addition to this, can also include: display, input/output interface (I/O interface), the port universal serial bus (USB) (a port that can be used as in the port of I/O interface is included), power supply and/or camera.Those of ordinary skill in the art can To understand, structure shown in Fig. 2 is only to illustrate, and does not cause to limit to the structure of above-mentioned electronic device.For example, computer is whole End 20 may also include than shown in Fig. 2 more perhaps less component or with the configuration different from shown in Fig. 2.
It is to be noted that said one or multiple processors 202 and/or other data processing circuits lead to herein Can often " data processing circuit " be referred to as.The data processing circuit all or part of can be presented as software, hardware, firmware Or any other combination.In addition, data processing circuit for single independent processing module or all or part of can be integrated to meter In any one in other elements in calculation machine terminal 20.Such as processor involved in the embodiment of the present application, the data Processing circuit controls (such as the selection for the variable resistance end path connecting with interface) as a kind of processor.
Memory 204 can be used for storing the software program and module of application software, such as the killing in the embodiment of the present invention Corresponding program instruction/the data storage device of method of software is extorted, processor 202 is stored in memory 204 by operation Software program and module realize that software is extorted in above-mentioned killing thereby executing various function application and data processing Method.Memory 204 may include high speed random access memory, may also include nonvolatile memory, such as one or more magnetic Property storage device, flash memory or other non-volatile solid state memories.In some instances, memory 204 can further comprise The memory remotely located relative to processor 202, these remote memories can pass through network connection to terminal 20. The example of above-mentioned network includes but is not limited to internet, intranet, local area network, mobile radio communication and combinations thereof.
Transmitting device 206 is used to that data to be received or sent via a network.Above-mentioned network specific example may include The wireless network that the communication providers of terminal 20 provide.In an example, transmitting device 206 includes that a network is suitable Orchestration (Network Interface Control ler, NIC), can be connected by base station with other network equipments so as to It is communicated with internet.In an example, transmitting device 206 can be radio frequency (Radio Frequency, RF) module, It is used to wirelessly be communicated with internet.
Display can such as touch-screen type liquid crystal display (LCD), the liquid crystal display aloow user with The user interface of terminal 20 interacts.
Herein it should be noted that in some optional embodiments, above-mentioned computer equipment shown in Fig. 2 may include hard Part element (including circuit), software element (including the computer code that may be stored on the computer-readable medium) or hardware element With the combination of both software elements.It should be pointed out that Fig. 2 is only an example of particular embodiment, and it is intended to show that It may be present in the type of the component in above-mentioned computer equipment.
In the above operating environment, this application provides a method for killing ransomware as shown in Fig. 3. Fig. 3 is a flowchart of a method for killing ransomware according to an embodiment of this application. As shown in Fig. 3, the method includes the following steps:
Step S302: monitor a formatted file preset in a storage region, wherein the formatted file is located at the head and/or the tail of the storage region.
Optionally, in the above embodiments of this application, the preset formatted file includes a data file of at least one type, and different character strings in the head mark of the formatted file are used to place the formatted file at the head and/or the tail of the storage region.
Optionally, in the above embodiments of this application, when the head mark is the smallest letter in ASCII code, the formatted file is located at the tail of the storage region; when the head mark is the largest letter in ASCII code, the formatted file is located at the head of the storage region.
Specifically, the storage region may be each partition drive on the client. The preset formatted file may be a sensitive file of a kind that ransomware often encrypts, created in advance in order to defend against ransomware. The type may be doc, c, cpp, java, html, ppt and so on, which this application does not limit. The character string may be "!" plus the smallest letter in ASCII code, or "~" plus the largest letter in ASCII code. When the head mark of the formatted file is "!" plus the smallest letter in ASCII code, the formatted file is located at the physical tail of the storage region; when the head mark of the formatted file is "~" plus the largest letter in ASCII code, the formatted file is located at the physical head of the storage region.
Step S304: if it is detected that the formatted file has changed, determine that ransomware is processing the formatted file.
Specifically, the change may be that ransomware encrypts the formatted file, causing the formatted file to change.
Step S306: obtain the process corresponding to the ransomware, and kill the process.
Specifically, the killing may consist of forbidding the process corresponding to the ransomware from running and isolating the file corresponding to the process; that file may be the binary file of the ransomware.
In an optional scheme, a formatted file can be preset in each partition drive, and the file name of the formatted file can be changed to begin with "!" plus the smallest visible letter in ASCII code, so that the system's file traversal function reaches the preset formatted file first when it uses pre-order traversal; or the file name can be changed to begin with "~" plus the largest visible letter in ASCII code, so that the system's file traversal function reaches the preset formatted file first when it uses post-order traversal. Changes to the formatted file preset in each partition drive can be monitored by judging whether the formatted file can be accessed normally, that is, whether the formatted file has been encrypted and modified. If it has been encrypted and modified, it is determined that the formatted file has changed; if it has not, it is determined that the formatted file can be accessed normally. When a change to the formatted file in any partition drive is detected, that is, the formatted file has been encrypted and modified, it is determined that ransomware has encrypted and modified the formatted file. The process corresponding to the ransomware is then obtained, the process is forbidden from running, and the binary file corresponding to the process is isolated.
According to the above embodiments of this application, the formatted file preset in the storage region is monitored; if it is detected that the formatted file has changed, it is determined that ransomware is processing the formatted file, and the process corresponding to the ransomware is obtained and killed, thereby achieving the purpose of killing ransomware. It is easy to note that, because a formatted file is preset at the head or tail of the storage region, ransomware will process the formatted file first, and whether the formatted file changes is monitored in real time. Further, because what the ransomware processes is the preset formatted file rather than the victim's normal formatted files, the user's formatted files are kept from being processed by the ransomware, which achieves the technical effect of improving both the timeliness and the effectiveness of killing ransomware. Therefore, the scheme provided by the above embodiments of this application solves the technical problem that existing schemes, which kill ransomware by means of a blacklist, lag behind and therefore kill inefficiently.
Optionally, in the above embodiments of this application, step S304, determining that ransomware is processing the formatted file if it is detected that the formatted file has changed, includes:
Step S3042: if it is detected that the formatted file has been modified, determine that the formatted file has changed, wherein whether the formatted file has been modified is determined by judging whether the content at any one or more positions of the formatted file has changed.
In an optional scheme, the state of the preset formatted file can be monitored by hooking the functions FindFirstFileEx() and FindFirstFile(), and it is judged whether the content of the head, middle and tail of the formatted file has changed. If the content of the head, middle or tail of the formatted file has changed, it is determined that the formatted file has been encrypted and modified by ransomware, that is, the formatted file has changed.
Optionally, in the above embodiments of this application, in step S3042, judging the content at any one or more positions of the formatted file includes:
Step S30422: judge the HASH value of at least one of the following positions of the formatted file.
In an optional scheme, the state of the preset formatted file can be monitored by hooking the functions FindFirstFileEx() and FindFirstFile(), and it is judged whether the content of the head, middle and tail of the formatted file has changed, that is, whether the HASH values of the head, middle and tail of the formatted file have changed. If the HASH value of the head, middle or tail of the formatted file has changed, the content at that position has changed, and it is determined that the formatted file has been encrypted and modified by ransomware, that is, the formatted file has changed.
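The naming scheme and the head/middle/tail HASH check described above, as an added example that is not part of the patent text. The decoy names `!A_canary.doc` and `~z_canary.doc`, the 4096-byte region size, the use of SHA-256 and all function names are assumptions made for illustration, and a sorted directory listing stands in for the system's file traversal function.

```python
import hashlib
import os
import tempfile

REGION = 4096  # bytes hashed at each position (assumed; the page gives no size)
LABELS = ("head", "middle", "tail")


def plant_canary(directory, name, size=3 * REGION):
    """Create a decoy file of `size` bytes of deterministic filler; return its path."""
    path = os.path.join(directory, name)
    unit = b"canary-" + name.encode("ascii")
    with open(path, "wb") as fh:
        fh.write((unit * (size // len(unit) + 1))[:size])
    return path


def region_hashes(path, region=REGION):
    """Return SHA-256 digests of the first, middle and last `region` bytes."""
    size = os.path.getsize(path)
    offsets = (0, max(0, size // 2 - region // 2), max(0, size - region))
    digests = {}
    with open(path, "rb") as fh:
        for label, offset in zip(LABELS, offsets):
            fh.seek(offset)
            digests[label] = hashlib.sha256(fh.read(region)).hexdigest()
    return digests


def changed_regions(path, baseline):
    """List the positions whose hash differs from the recorded baseline.

    A decoy that was deleted, renamed or locked also counts as changed
    and is reported as ["unreadable"].
    """
    try:
        current = region_hashes(path)
    except OSError:
        return ["unreadable"]
    return [label for label in LABELS if current[label] != baseline[label]]


def enumeration_order(directory):
    """Names in ascending code-point order (stand-in for the traversal order)."""
    return sorted(os.listdir(directory))


def demo():
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for a user's own files.
        for name in ("budget.doc", "Notes.txt", "main.cpp"):
            plant_canary(root, name)
        first = plant_canary(root, "!A_canary.doc")   # sorts before every letter
        last = plant_canary(root, "~z_canary.doc")    # sorts after every letter
        order = enumeration_order(root)

        # Record the baseline once, right after the decoys are created.
        baseline = {path: region_hashes(path) for path in (first, last)}
        clean = [changed_regions(path, baseline[path]) for path in (first, last)]

        # Simulated tampering: overwrite 16 bytes inside the middle region
        # of one decoy and remove the other decoy entirely.
        with open(first, "r+b") as fh:
            fh.seek(REGION + 900)
            fh.write(b"\x00" * 16)
        os.remove(last)

        hit_first = changed_regions(first, baseline[first])
        hit_last = changed_regions(last, baseline[last])
    return order, clean, hit_first, hit_last


if __name__ == "__main__":
    print(demo())
```

Hashing three fixed regions keeps each check cheap on a large decoy, at the cost of missing a change that falls entirely between them.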
Optionally, in the above embodiments of this application, step S306, obtaining the process corresponding to the ransomware and killing the process, includes:
Step S3062: according to a file read-write table, look up in reverse the process corresponding to the modified formatted file, and kill the process. Step S3062 includes:
Step S30622: send the formatted file to a driver.
Step S30624: the driver enumerates the file read-write records and obtains the process corresponding to the formatted file.
Step S30626: if the process is obtained by querying the whitelist, kill the process and isolate the file corresponding to the process.
Specifically, the file read-write table records the content modified in each file and the process that modified the file.
In an optional scheme, after it is determined that the formatted file has been encrypted and modified by ransomware, the driver can be notified. According to the file read-write table, the driver enumerates the read-write records of the formatted file in that table and obtains the process that encrypted and modified the formatted file, that is, the ransomware process. The process information is queried in the whitelist; if it can be found, the process is forbidden from running and the binary file corresponding to the process is isolated.
Optionally, in the above embodiments of this application, before step S302, monitoring the formatted file preset in the storage region, the method further includes the following steps:
Step S308: create at least one folder in a hidden state in the storage region, wherein the formatted file is preset in the folder.
Specifically, in order to prevent the victim from modifying or deleting the preset formatted file, a hidden folder can be created in the storage region and the preset formatted file placed in the hidden folder, so that the victim cannot see the folder.
Step S310: start a process to traverse the at least one folder in the hidden state.
Step S312: if the preset formatted file is found in the folder during traversal, start the step of monitoring the formatted file.
In an optional scheme, a hidden folder can be created under each partition drive of the system and a formatted file preset in the hidden folder. The file name of the formatted file can be changed to begin with "!" plus the smallest visible letter in ASCII code, so that the system's file traversal function reaches the preset formatted file first when it uses pre-order traversal; or the file name can be changed to begin with "~" plus the largest visible letter in ASCII code, so that the system's file traversal function reaches the preset formatted file first when it uses post-order traversal. A process is then started that traverses each hidden folder and judges whether a formatted file exists in it. If one exists, the state of the formatted file is monitored in real time and it is judged whether the formatted file can be accessed normally, so as to determine whether ransomware has encrypted and modified the formatted file.
Fig. 4 is a flowchart of an optional method for killing ransomware according to an embodiment of this application. A preferred embodiment of this application is described in detail below with reference to Fig. 4. As shown in Fig. 4, the method may include the following steps:
Step S41: start a process.
Optionally, a hidden folder can be created under each partition drive of the system and a formatted file preset in the hidden folder. The file type of the formatted file may be doc, c, cpp, java, html, ppt and so on. The file name of the formatted file can be changed to begin with "!" plus the smallest visible letter in ASCII code, so that the system's file traversal function reaches the preset formatted file first when it uses pre-order traversal; or the file name can be changed to begin with "~" plus the largest visible letter in ASCII code. After creation is complete, a process can be started.
Step S42: traverse to check whether a hidden folder containing the preset formatted file exists.
Optionally, the process traverses each hidden folder under each partition drive and judges whether a preset formatted file exists in the hidden folder. If it exists, go to step S43; if it does not, go to step S44.
Step S43: monitor whether the head, middle and tail of the preset formatted file change.
Optionally, if the preset formatted file is found in a hidden folder during traversal, changes to the formatted file are monitored by judging whether the HASH values of the head, middle and tail of the formatted file have changed. If so, it is determined that the formatted file has been encrypted and modified by ransomware, and the method goes to step S45; if not, it goes to step S44.
Step S44: let the processes pass and exit the killing procedure.
Optionally, if no hidden folder containing the preset formatted file exists, or it is found that the HASH values of the head, middle and tail of the preset formatted file have not changed, it is determined that no ransomware is present; all processes can be let pass, and the procedure for killing ransomware ends.
Step S45: send the formatted file to the driver.
Step S46: the driver enumerates the file read-write records, looks up the process in reverse according to the formatted file, kills the process after checking the whitelist, and isolates the file corresponding to the process.
Optionally, if it is determined that the formatted file has been encrypted and modified by ransomware, the formatted file is sent to the driver. According to the file read-write table, the driver enumerates the read-write records of the formatted file in that table and obtains the process that encrypted and modified the formatted file, that is, the ransomware process. The process information is queried in the whitelist; if it can be found, the process is forbidden from running and the binary file corresponding to the process is isolated.
Through steps S41 to S46 above, this application provides a scheme for identifying and killing ransomware before it causes damage: a formatted file is set up so that the ransomware encrypts the formatted file, and the ransomware is killed according to the state of the formatted file. This ensures that the ransomware is killed before it harms the user's normal files, and improves the timeliness and effectiveness of killing ransomware.
It should be noted that, for simplicity of description, the method embodiments above are each presented as a series of combined actions, but those skilled in the art should understand that this application is not limited by the order of actions described, because according to this application some steps may be performed in another order or simultaneously. Those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by this application.
From the description of the embodiments above, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software together with a necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of this application, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and includes a number of instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device or the like) to execute the methods of the embodiments of this application.
Embodiment 3
According to an embodiment of this application, a device for killing ransomware is also provided for implementing the above method for killing ransomware. As shown in Fig. 5, the device 500 includes: monitoring unit 502, determination unit 504 and killing unit 506.
Monitoring unit 502 is configured to monitor a formatted file preset in a storage region, wherein the formatted file is located at the head and/or the tail of the storage region; determination unit 504 is configured to determine, if it is detected that the formatted file has changed, that ransomware is processing the formatted file; killing unit 506 is configured to obtain the process corresponding to the ransomware and kill the process.
Optionally, in the above embodiments of this application, the preset formatted file includes a data file of at least one type, and different character strings in the head mark of the formatted file are used to place the formatted file at the head and/or the tail of the storage region.
Optionally, in the above embodiments of this application, when the head mark is the smallest letter in ASCII code, the formatted file is located at the tail of the storage region; when the head mark is the largest letter in ASCII code, the formatted file is located at the head of the storage region.
Specifically, the storage region may be each partition drive on the client. The preset formatted file may be a sensitive file of a kind that ransomware often encrypts, created in advance in order to defend against ransomware. The type may be doc, c, cpp, java, html, ppt and so on, which this application does not limit. The character string may be "!" plus the smallest letter in ASCII code, or "~" plus the largest letter in ASCII code. When the head mark of the formatted file is "!" plus the smallest letter in ASCII code, the formatted file is located at the physical tail of the storage region; when the head mark of the formatted file is "~" plus the largest letter in ASCII code, the formatted file is located at the physical head of the storage region. The change may be that ransomware encrypts the formatted file, causing the formatted file to change. The killing may consist of forbidding the process corresponding to the ransomware from running and isolating the file corresponding to the process; that file may be the binary file of the ransomware.
In an optional scheme, a formatted file can be preset in each partition drive, and the file name of the formatted file can be changed to begin with "!" plus the smallest visible letter in ASCII code, so that the system's file traversal function reaches the preset formatted file first when it uses pre-order traversal; or the file name can be changed to begin with "~" plus the largest visible letter in ASCII code, so that the system's file traversal function reaches the preset formatted file first when it uses post-order traversal. Changes to the formatted file preset in each partition drive can be monitored by judging whether the formatted file can be accessed normally, that is, whether the formatted file has been encrypted and modified. If it has been encrypted and modified, it is determined that the formatted file has changed; if it has not, it is determined that the formatted file can be accessed normally. When a change to the formatted file in any partition drive is detected, that is, the formatted file has been encrypted and modified, it is determined that ransomware has encrypted and modified the formatted file. The process corresponding to the ransomware is then obtained, the process is forbidden from running, and the binary file corresponding to the process is isolated.
According to the above embodiments of this application, the formatted file preset in the storage region is monitored; if it is detected that the formatted file has changed, it is determined that ransomware is processing the formatted file, and the process corresponding to the ransomware is obtained and killed, thereby achieving the purpose of killing ransomware. It is easy to note that, because a formatted file is preset at the head or tail of the storage region, ransomware will process the formatted file first, and whether the formatted file changes is monitored in real time. Further, because what the ransomware processes is the preset formatted file rather than the victim's normal formatted files, the user's formatted files are kept from being processed by the ransomware, which achieves the technical effect of improving both the timeliness and the effectiveness of killing ransomware. Therefore, the scheme provided by the above embodiments of this application solves the technical problem that existing schemes, which kill ransomware by means of a blacklist, lag behind and therefore kill inefficiently.
Optionally, in the above embodiments of this application, as shown in Fig. 5, determination unit 504 includes: determining module 508.
Determining module 508 is configured to determine, if it is detected that the formatted file has been modified, that the formatted file has changed, wherein whether the formatted file has been modified is determined by judging whether the content at any one or more positions of the formatted file has changed.
In an optional scheme, the state of the preset formatted file can be monitored by hooking the functions FindFirstFileEx() and FindFirstFile(), and it is judged whether the content of the head, middle and tail of the formatted file has changed. If the content of the head, middle or tail of the formatted file has changed, it is determined that the formatted file has been encrypted and modified by ransomware, that is, the formatted file has changed.
Optionally, in the above embodiments of this application, as shown in Fig. 5, determining module 508 includes: judging submodule 510.
Judging submodule 510 is configured to judge the HASH value of at least one of the following positions of the formatted file.
In an optional scheme, the state of the preset formatted file can be monitored by hooking the functions FindFirstFileEx() and FindFirstFile(), and it is judged whether the content of the head, middle and tail of the formatted file has changed, that is, whether the HASH values of the head, middle and tail of the formatted file have changed. If the HASH value of the head, middle or tail of the formatted file has changed, the content at that position has changed, and it is determined that the formatted file has been encrypted and modified by ransomware, that is, the formatted file has changed.
Optionally, in the above embodiments of this application, as shown in Fig. 5, killing unit 506 includes: killing module 512, and killing module 512 includes: sending submodule 514, obtaining submodule 516 and isolating submodule 518.
Killing module 512 is configured to look up in reverse, according to a file read-write table, the process corresponding to the modified formatted file, and to kill the process; sending submodule 514 is configured to send the formatted file to a driver; obtaining submodule 516 is configured to have the driver enumerate the file read-write records and obtain the process corresponding to the formatted file; isolating submodule 518 is configured to kill the process and isolate the file corresponding to the process if the process is obtained by querying the whitelist.
Specifically, the file read-write table records the content modified in each file and the process that modified the file.
In an optional scheme, after it is determined that the formatted file has been encrypted and modified by ransomware, the driver can be notified. According to the file read-write table, the driver enumerates the read-write records of the formatted file in that table and obtains the process that encrypted and modified the formatted file, that is, the ransomware process. The process information is queried in the whitelist; if it can be found, the process is forbidden from running and the binary file corresponding to the process is isolated.
Optionally, in the above embodiments of this application, as shown in Fig. 5, the device 500 further includes: creating unit 520 and traversal unit 522.
Creating unit 520 is configured to create at least one folder in a hidden state in the storage region, wherein the formatted file is preset in the folder; traversal unit 522 is configured to start a process to traverse the at least one folder in the hidden state; monitoring unit 502 is further configured to monitor the formatted file if the preset formatted file is found in the folder during traversal.
Specifically, in order to prevent the victim from modifying or deleting the preset formatted file, a hidden folder can be created in the storage region and the preset formatted file placed in the hidden folder, so that the victim cannot see the folder.
In an optional scheme, a hidden folder can be created under each partition drive of the system and a formatted file preset in the hidden folder. The file name of the formatted file can be changed to begin with "!" plus the smallest visible letter in ASCII code, so that the system's file traversal function reaches the preset formatted file first when it uses pre-order traversal; or the file name can be changed to begin with "~" plus the largest visible letter in ASCII code, so that the system's file traversal function reaches the preset formatted file first when it uses post-order traversal. A process is then started that traverses each hidden folder and judges whether a formatted file exists in it. If one exists, the state of the formatted file is monitored in real time and it is judged whether the formatted file can be accessed normally, so as to determine whether ransomware has encrypted and modified the formatted file.
Embodiment 4
According to an embodiment of this application, an embodiment of a security processing method is also provided. It should be noted that the steps shown in the flowcharts of the drawings may be executed in a computer system, for example as a set of computer-executable instructions, and although a logical order is shown in the flowcharts, in some cases the steps shown or described may be executed in an order different from the one given here.
Fig. 6 is a flowchart of a security processing method according to an embodiment of this application. As shown in Fig. 6, the security processing method includes the following steps:
Step S602: monitor a formatted file preset in a storage region, wherein the formatted file is located at the head and/or the tail of the storage region.
Optionally, in the above embodiments of this application, the preset formatted file includes a data file of at least one type, and different character strings in the head mark of the formatted file are used to place the formatted file at the head and/or the tail of the storage region.
Optionally, in the above embodiments of this application, when the head mark is the smallest letter in ASCII code, the formatted file is located at the tail of the storage region; when the head mark is the largest letter in ASCII code, the formatted file is located at the head of the storage region.
Specifically, the storage region may be each partition drive on the client. The preset formatted file may be a sensitive file of a kind that software posing a security threat often encrypts, created in advance for the purpose of security processing. The type may be doc, c, cpp, java, html, ppt and so on, which this application does not limit. The character string may be "!" plus the smallest letter in ASCII code, or "~" plus the largest letter in ASCII code. When the head mark of the formatted file is "!" plus the smallest letter in ASCII code, the formatted file is located at the physical tail of the storage region; when the head mark of the formatted file is "~" plus the largest letter in ASCII code, the formatted file is located at the physical head of the storage region.
Step S604: if it is detected that the formatted file has changed, determine that a security threat exists.
Specifically, the change may be that software posing a security threat encrypts the formatted file, causing the formatted file to change; the existence of a security threat may be the presence of ransomware.
Step S606: obtain the process corresponding to the security threat, and kill the process.
Specifically, the killing may consist of forbidding the process corresponding to the security threat from running and isolating the file corresponding to the process; that file may be the binary file of the software posing the security threat.
In an optional scheme, a formatted file can be preset in each partition drive, and the file name of the formatted file can be changed to begin with "!" plus the smallest visible letter in ASCII code, so that the system's file traversal function reaches the preset formatted file first when it uses pre-order traversal; or the file name can be changed to begin with "~" plus the largest visible letter in ASCII code, so that the system's file traversal function reaches the preset formatted file first when it uses post-order traversal. Changes to the formatted file preset in each partition drive can be monitored by judging whether the formatted file can be accessed normally, that is, whether the formatted file has been encrypted and modified. If it has been encrypted and modified, it is determined that the formatted file has changed; if it has not, it is determined that the formatted file can be accessed normally. When a change to the formatted file in any partition drive is detected, that is, the formatted file has been encrypted and modified, it is determined that software posing a security threat has encrypted and modified the formatted file. The process corresponding to the security threat is then obtained, the process is forbidden from running, and the binary file corresponding to the process is isolated.
According to the above embodiments of this application, the formatted file preset in the storage region is monitored; if it is detected that the formatted file has changed, it is determined that a security threat exists, and the process corresponding to the security threat is obtained and killed, thereby achieving the purpose of security processing. It is easy to note that, because a formatted file is preset at the head or tail of the storage region, software posing a security threat will process the formatted file first, and whether the formatted file changes is monitored in real time. Further, because what the software posing the security threat processes is the preset formatted file rather than the victim's normal formatted files, the user's formatted files are kept from being processed by that software, which achieves the technical effect of improving both the timeliness and the effectiveness of security processing. Therefore, the scheme provided by the above embodiments of this application solves the technical problem that existing schemes, which kill ransomware by means of a blacklist, lag behind and therefore kill inefficiently.
Embodiment 5
Embodiments herein can provide a kind of terminal, which can be in terminal group Any one computer terminal.Optionally, in the present embodiment, above-mentioned terminal also could alternatively be mobile whole The terminal devices such as end.
Optionally, in the present embodiment, above-mentioned terminal can be located in multiple network equipments of computer network At least one network equipment.
In the present embodiment, above-mentioned terminal can execute the program that following steps in the method for software are extorted in killing Code: preset formatted file in monitoring storage region, wherein formatted file is located at the head and/or tail portion of storage region;Such as Fruit monitors formatted file and changes, it is determined that exists and extorts software processing format file;Acquisition extort software it is corresponding into Journey, and killing process.
Optionally, Fig. 7 is a structural block diagram of a terminal according to an embodiment of the present application. As shown in Fig. 7, the computer terminal 700 may include one or more processors 702 (only one is shown in the figure) and a memory 704.
The memory may be used to store software programs and modules, such as the program instructions/modules corresponding to the method and apparatus for killing ransomware in the embodiments of the present invention. By running the software programs and modules stored in the memory, the processor executes various functional applications and data processing, thereby implementing the above method for killing ransomware. The memory may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory may further include memory located remotely from the processor, and such remote memory may be connected to the terminal 700 through a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The processor may call, through a transmission device, the information and application programs stored in the memory to perform the following steps: monitoring a formatted file preset in a storage region, wherein the formatted file is located at the head and/or tail of the storage region; if a change in the formatted file is detected, determining that ransomware is processing the formatted file; and obtaining the process corresponding to the ransomware and killing the process.
Optionally, the processor may also execute program code for the following step: the preset formatted file includes at least one type of data file, and different character strings are used as the head mark of the formatted file so that the formatted file is located at the head and/or tail of the storage region.
Optionally, the processor may also execute program code for the following step: where the head mark is the smallest letter in ASCII, the formatted file is located at the tail of the storage region; where the head mark is the largest letter in ASCII, the formatted file is located at the head of the storage region.
Optionally, the processor may also execute program code for the following step: if the formatted file is detected to have been modified, determining that the formatted file has changed, wherein whether the formatted file has been modified is determined by judging whether the content at any one or more positions of the formatted file has changed.
Optionally, the processor may also execute program code for the following step: performing a reverse lookup, according to a file read/write table, of the process corresponding to the modified formatted file, and killing the process.
Optionally, the processor may also execute program code for the following steps: sending the formatted file to a driver; the driver enumerating file read/write records to obtain the process corresponding to the formatted file; and, if the process is obtained by querying a whitelist, killing the process and isolating the file corresponding to the process.
Optionally, the processor may also execute program code for the following step: judging the HASH value of at least one position of the formatted file.
Optionally, the processor may also execute program code for the following steps: before monitoring the formatted file preset in the storage region, creating at least one hidden folder in the storage region, wherein the formatted file is preset in the folder; starting a process to traverse the at least one hidden folder; and, if the preset formatted file is traversed in the folder, starting the step of monitoring the formatted file.
With the embodiment of the present application, the formatted file preset in the storage region is monitored; if a change in the formatted file is detected, it is determined that ransomware is processing the formatted file, and the process corresponding to the ransomware is obtained and killed, thereby achieving the purpose of killing ransomware. It is easy to see that, because the formatted file is preset at the head or tail of the storage region, the ransomware processes the formatted file first, and whether the formatted file changes is monitored in real time. Furthermore, because what the ransomware processes is the preset formatted file rather than the victim's normal formatted files, the user's formatted files are kept from being processed by the ransomware. This achieves the technical effect of improving both the timeliness and the effectiveness of killing ransomware. The scheme provided by the present application therefore solves the technical problem that existing schemes kill ransomware by means of a blacklist, which lags behind and leads to low killing efficiency.
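The monitoring steps described above, as an added Python example that is not code from the patent. The head marks `AAAA_` and `zzzz_`, the sampled offsets, the function names and the read/write records are assumptions; the driver is simulated with a constructed list, and the example checks only that the preset files occupy both ends of a byte-ordered listing.

```python
import hashlib
import os
import tempfile

# All names and values below are assumptions for illustration, not from the patent.
END_PREFIXES = ("AAAA_", "zzzz_")   # smallest / largest ASCII letters as head marks
SAMPLE_OFFSETS = (0, 512, 4096)     # positions whose content is hashed
WINDOW = 64                         # bytes hashed at each position


def plant_decoys(root, extension=".docx"):
    """Create one preset file per head mark and return the paths."""
    paths = []
    for prefix in END_PREFIXES:
        path = os.path.join(root, prefix + "decoy" + extension)
        with open(path, "wb") as fh:
            fh.write(bytes(range(256)) * 32)   # 8 KiB of known content
        paths.append(path)
    return paths


def fingerprint(path):
    """Return the SHA-256 of a fixed window at each sampled position."""
    digests = []
    with open(path, "rb") as fh:
        for offset in SAMPLE_OFFSETS:
            fh.seek(offset)
            digests.append(hashlib.sha256(fh.read(WINDOW)).hexdigest())
    return tuple(digests)


def changed_decoys(baseline):
    """Return preset files whose sampled content no longer matches the baseline."""
    hits = []
    for path, expected in baseline.items():
        try:
            current = fingerprint(path)
        except FileNotFoundError:
            current = None   # assumption: a deleted or renamed file counts as changed
        if current != expected:
            hits.append(path)
    return hits


def writers_of(path, rw_records):
    """Reverse lookup: PIDs recorded as writing to the given path."""
    return sorted({r["pid"] for r in rw_records
                   if r["path"] == path and r["op"] == "write"})


def demo():
    with tempfile.TemporaryDirectory() as root:
        for name in ("budget.xlsx", "notes.txt", "report.docx"):  # constructed user files
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"user data")
        decoys = plant_decoys(root)
        listing = sorted(os.listdir(root))
        ends = {listing[0], listing[-1]}
        baseline = {p: fingerprint(p) for p in decoys}
        assert changed_decoys(baseline) == []   # nothing touched yet

        # Constructed stand-in for an in-place overwrite of one preset file.
        with open(decoys[0], "r+b") as fh:
            fh.seek(512)
            fh.write(b"\x00" * WINDOW)
        # Constructed read/write records; a real monitor would get these from a driver.
        records = [
            {"pid": 4242, "path": decoys[0], "op": "write"},
            {"pid": 1010, "path": os.path.join(root, "notes.txt"), "op": "read"},
        ]
        hits = changed_decoys(baseline)
        names = [os.path.basename(h) for h in hits]
        return ends, names, [writers_of(h, records) for h in hits]


if __name__ == "__main__":
    print(demo())
```

Hashing a few fixed windows keeps each check cheap, but a write that misses every sampled position goes unnoticed, so the choice of positions matters.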
Those of ordinary skill in the art will appreciate that the structure shown in Fig. 7 is only illustrative. The terminal may also be a terminal device such as a smartphone (for example an Android phone or an iOS phone), a tablet computer, a palmtop computer, a mobile Internet device (Mobile Internet Devices, MID), or a PAD. Fig. 7 does not limit the structure of the above electronic device. For example, the terminal 700 may include more or fewer components than shown in Fig. 7 (such as a network interface or a display device), or have a configuration different from that shown in Fig. 7.
Those of ordinary skill in the art will appreciate that all or part of the steps in the methods of the above embodiments can be completed by a program instructing the hardware of the terminal device. The program can be stored in a computer-readable storage medium, and the storage medium may include a flash disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), a magnetic disk, an optical disc, and the like.
Embodiment 6
An embodiment of the present application further provides a storage medium. Optionally, in this embodiment, the storage medium may be used to store the program code executed by the method for killing ransomware provided in Embodiment 1 above.
Optionally, in this embodiment, the storage medium may be located in any terminal of a computer terminal group in a computer network, or in any mobile terminal of a mobile terminal group.
Optionally, in this embodiment, the storage medium is configured to store program code for executing the following steps: monitoring a formatted file preset in a storage region, wherein the formatted file is located at the head and/or tail of the storage region; if a change in the formatted file is detected, determining that ransomware is processing the formatted file; and obtaining the process corresponding to the ransomware and killing the process.
Optionally, the storage medium is further configured to store program code for executing the following step: the preset formatted file includes at least one type of data file, and different character strings are used as the head mark of the formatted file so that the formatted file is located at the head and/or tail of the storage region.
Optionally, the storage medium is further configured to store program code for executing the following step: where the head mark is the smallest letter in ASCII, the formatted file is located at the tail of the storage region; where the head mark is the largest letter in ASCII, the formatted file is located at the head of the storage region.
Optionally, the storage medium is further configured to store program code for executing the following step: if the formatted file is detected to have been modified, determining that the formatted file has changed, wherein whether the formatted file has been modified is determined by judging whether the content at any one or more positions of the formatted file has changed.
Optionally, the storage medium is further configured to store program code for executing the following step: performing a reverse lookup, according to a file read/write table, of the process corresponding to the modified formatted file, and killing the process.
Optionally, the storage medium is further configured to store program code for executing the following steps: sending the formatted file to a driver; the driver enumerating file read/write records to obtain the process corresponding to the formatted file; and, if the process is obtained by querying a whitelist, killing the process and isolating the file corresponding to the process.
Optionally, the storage medium is further configured to store program code for executing the following step: judging the HASH value of at least one position of the formatted file.
Optionally, the storage medium is further configured to store program code for executing the following steps: before monitoring the formatted file preset in the storage region, creating at least one hidden folder in the storage region, wherein the formatted file is preset in the folder; starting a process to traverse the at least one hidden folder; and, if the preset formatted file is traversed in the folder, starting the step of monitoring the formatted file.
The serial numbers of the above embodiments of the present application are for description only and do not represent the relative merits of the embodiments.
In the above embodiments of the present application, the description of each embodiment has its own emphasis. For parts not described in detail in one embodiment, reference may be made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technical content may be implemented in other ways. The apparatus embodiments described above are merely illustrative. For example, the division into units is only a division by logical function, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or take other forms.
The units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the scheme of this embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a removable hard disk, a magnetic disk, or an optical disc.
The above are only preferred embodiments of the present application. It should be noted that those of ordinary skill in the art may make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications shall also be regarded as falling within the protection scope of the present application.

Claims (12)

1. A device for killing ransomware, characterized by comprising:
a memory, including at least one storage region, configured to preset at least one formatted file in any one storage region, wherein the formatted file is located at the head and/or tail of the storage region;
a processor, configured to: if a change in the formatted file preset in the memory is detected, determine that ransomware is processing the formatted file, obtain the process corresponding to the ransomware, and kill the process.
2. A method for killing ransomware, characterized by comprising:
monitoring a formatted file preset in a storage region, wherein the formatted file is located at the head and/or tail of the storage region;
if a change in the formatted file is detected, determining that ransomware is processing the formatted file;
obtaining the process corresponding to the ransomware, and killing the process.
3. The method according to claim 2, characterized in that the preset formatted file includes at least one type of data file, and different character strings are used as the head mark of the formatted file so that the formatted file is located at the head and/or tail of the storage region.
4. The method according to claim 3, characterized in that, where the head mark is the smallest letter in ASCII, the formatted file is located at the tail of the storage region; where the head mark is the largest letter in ASCII, the formatted file is located at the head of the storage region.
5. The method according to any one of claims 2 to 4, characterized in that, if a change in the formatted file is detected, determining that ransomware is processing the formatted file comprises:
if the formatted file is detected to have been modified, determining that the formatted file has changed, wherein whether the formatted file has been modified is determined by judging whether the content at any one or more positions of the formatted file has changed.
6. The method according to claim 5, characterized in that obtaining the process corresponding to the ransomware and killing the process comprises:
performing a reverse lookup, according to a file read/write table, of the process corresponding to the modified formatted file, and killing the process, which step comprises:
sending the formatted file to a driver;
the driver enumerating file read/write records to obtain the process corresponding to the formatted file;
if the process is obtained by querying a whitelist, killing the process and isolating the file corresponding to the process.
7. The method according to claim 5, characterized in that judging the content at any one or more positions of the formatted file comprises: judging the HASH value of at least one position of the formatted file.
8. The method according to claim 2, characterized in that, before monitoring the formatted file preset in the storage region, the method further comprises:
creating at least one hidden folder in the storage region, wherein the formatted file is preset in the folder;
starting a process to traverse the at least one hidden folder;
if the preset formatted file is traversed in the folder, starting the step of monitoring the formatted file.
9. An apparatus for killing ransomware, characterized by comprising:
a monitoring unit, configured to monitor a formatted file preset in a storage region, wherein the formatted file is located at the head and/or tail of the storage region;
a determination unit, configured to determine, if a change in the formatted file is detected, that ransomware is processing the formatted file;
a killing unit, configured to obtain the process corresponding to the ransomware and kill the process.
10. A security processing method, characterized by comprising:
monitoring a formatted file preset in a storage region, wherein the formatted file is located at the head and/or tail of the storage region;
if a change in the formatted file is detected, determining that a security threat exists;
obtaining the process corresponding to the security threat, and killing the process.
11. A storage medium, characterized in that the storage medium includes a stored program, wherein, when the program runs, the device on which the storage medium resides is controlled to execute the following processing steps: monitoring a formatted file preset in a storage region, wherein the formatted file is located at the head and/or tail of the storage region; if a change in the formatted file is detected, determining that ransomware is processing the formatted file; obtaining the process corresponding to the ransomware, and killing the process.
12. A processor, characterized in that the processor is configured to run a program, wherein the following processing steps are executed when the program runs: monitoring a formatted file preset in a storage region, wherein the formatted file is located at the head and/or tail of the storage region; if a change in the formatted file is detected, determining that ransomware is processing the formatted file; obtaining the process corresponding to the ransomware, and killing the process.
CN201710534551.XA 2017-07-03 2017-07-03 The method, apparatus and equipment of software, storage medium and processor are extorted in killing Pending CN109214183A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710534551.XA CN109214183A (en) 2017-07-03 2017-07-03 The method, apparatus and equipment of software, storage medium and processor are extorted in killing

Publications (1)

Publication Number Publication Date
CN109214183A true CN109214183A (en) 2019-01-15

Family

ID=64992409

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710534551.XA Pending CN109214183A (en) 2017-07-03 2017-07-03 The method, apparatus and equipment of software, storage medium and processor are extorted in killing

Country Status (1)

Country Link
CN (1) CN109214183A (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110283351A1 (en) * 2010-05-16 2011-11-17 Hudson Jr James Thomas How to stop external and most internal network "Hacking"attacks by utilizing a dual appliance/server arrangement that allows for the use of peering servers and/or client software running on said peering servers or on proxy servers, web servers, or other legacy equipment
CN102014133A (en) * 2010-11-26 2011-04-13 清华大学 Method for implementing safe storage system in cloud storage environment
CN106096397A (en) * 2016-05-26 2016-11-09 倪茂志 A kind of prevention method extorting software and system
CN106250764A (en) * 2016-08-04 2016-12-21 四川网格新通科技有限公司 A kind of terminal control system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
孟超: "基于云计算的病毒恶意软件分析研究", 《中国博士学位论文全文数据库 信息科技辑》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111062035A (en) * 2019-11-18 2020-04-24 哈尔滨安天科技集团股份有限公司 Lesog software detection method and device, electronic equipment and storage medium
CN111062035B (en) * 2019-11-18 2024-02-20 安天科技集团股份有限公司 Lesu software detection method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20190115