CN109299608B - Method and related device for detecting number of process instances based on hidden window - Google Patents

Method and related device for detecting number of process instances based on hidden window Download PDF

Info

Publication number
CN109299608B
CN109299608B CN201811242047.3A CN201811242047A CN109299608B CN 109299608 B CN109299608 B CN 109299608B CN 201811242047 A CN201811242047 A CN 201811242047A CN 109299608 B CN109299608 B CN 109299608B
Authority
CN
China
Prior art keywords
text
window
identifier
control window
encrypted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811242047.3A
Other languages
Chinese (zh)
Other versions
CN109299608A (en
Inventor
周志刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Douyu Network Technology Co Ltd
Original Assignee
Wuhan Douyu Network Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan Douyu Network Technology Co Ltd filed Critical Wuhan Douyu Network Technology Co Ltd
Priority to CN201811242047.3A priority Critical patent/CN109299608B/en
Publication of CN109299608A publication Critical patent/CN109299608A/en
Application granted granted Critical
Publication of CN109299608B publication Critical patent/CN109299608B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/3003Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/302Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/3051Monitoring arrangements for monitoring the configuration of the computing system or of the computing system component, e.g. monitoring the presence of processing resources, peripherals, I/O links, software programs
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/3089Monitoring arrangements determined by the means or processing involved in sensing the monitored data, e.g. interfaces, connectors, sensors, probes, agents
    • G06F11/3093Configuration details thereof, e.g. installation, enabling, spatial arrangement of the probes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2201/00Indexing scheme relating to error detection, to error correction, and to monitoring
    • G06F2201/865Monitoring of software
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Quality & Reliability (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Mathematical Physics (AREA)
  • Computer Hardware Design (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention discloses a method for detecting the number of process instances based on a hidden window, which is used for more covertly detecting the number of the process instances existing at the same time. The method provided by the embodiment of the invention comprises the following steps: creating a text control window and hiding the text control window; acquiring a process unique identifier of a process, and encrypting the process unique identifier of the process by using a self-defined encryption KEY to obtain the encrypted process unique identifier; writing the encrypted process unique identifier into a text control window; creating a detection thread; when the number of the current process instances needs to be detected, determining a text control window from all windows in the system according to a specific identifier in a detection thread; and acquiring a text of the text control window, decrypting the encrypted process unique identifier in the text according to the encrypted KEY to obtain a decrypted process unique identifier, wherein the number of the decrypted process unique identifiers is the number of the current process instance.

Description

Method and related device for detecting number of process instances based on hidden window
Technical Field
The invention relates to the field of development platforms, in particular to a method and a related device for detecting the number of process instances based on a hidden window.
Background
For some PC client programs, only one instance of the program can be created by one system, and the possibility of cheating exists when a plurality of programs are opened simultaneously, the normal functions of the programs can be influenced, and the influence on the performance is also great. Most of the existing detection methods determine whether the instance has been created or not by creating a mutex variable, or determine whether the process name has a plurality of copies. However, such detection methods are well known and have been easily bypassed. A more concealed approach is therefore needed.
Disclosure of Invention
The embodiment of the invention provides a method for detecting the number of process instances based on a hidden window, which is used for more covertly detecting the number of the process instances existing at the same time.
A first aspect of an embodiment of the present invention provides a method for detecting a number of process instances based on a hidden window, including: creating a text control window and hiding the text control window, wherein the window identifier of the text control window is a specific identifier, and the specific identifier is used for distinguishing the text control window from other windows in a system; acquiring a process unique identifier of a process, and encrypting the process unique identifier of the process by using a self-defined encryption KEY to obtain the encrypted process unique identifier; writing the encrypted process unique identification into the text control window; creating a detection thread, wherein the detection thread is used for detecting the number of the current process instances; when the number of the current process instances needs to be detected, determining the text control window from all windows in the system according to the specific identification in the detection thread; and acquiring a text of the text control window, decrypting the encrypted unique process identifier in the text according to the encrypted KEY to obtain a decrypted unique process identifier, wherein the number of the decrypted unique process identifier is the number of the current process instance.
In one possible embodiment, the creating the text control window and hiding the text control window comprises creating the text control window by calling a system function CreateWindowW; hiding the text control window so that the text control window is a window invisible to a user.
In a possible embodiment, the obtaining the process unique identifier of the process and encrypting the process unique identifier of the process by using a self-defined encryption KEY to obtain the encrypted process unique identifier comprises the steps of obtaining the process unique identifier of the process by calling a system function GetCurrentProcessId (); and taking the process unique identifier of the process and the encryption KEY as the input of an encryption interface DES.
In a possible embodiment, the method further comprises: and setting the help text of the text control window through a system function SetWindowContextHelpid, wherein the text identifier of the help text is the specific identifier.
In one possible embodiment, the determining the text control window from all windows in the system according to the specific identifier in the thread function includes: acquiring window identifications of all windows in the system by calling a system function GetClassName; determining the window with the window identifier as the specific identifier as a target text control window; judging whether the target text space window is visible or not by calling a system function IsWindowsVissible; if the target text space window is not visible, acquiring a help text of the target text space window by calling a system function GetWindowContextHelpID; and if the help text of the target text space window is the specific identifier, determining that the target text space window is the text space window.
In a possible embodiment, the obtaining the text of the text control window and decrypting the encrypted process unique identifier in the text according to the encrypted KEY to obtain the decrypted process unique identifier includes: acquiring a text of the text space window through a system function SendMessageW, wherein the text comprises the encrypted process unique identifier; and taking the encrypted process unique identification and the encrypted KEY as the input of a decryption interface Des.
A second aspect of an embodiment of the present invention provides a detection apparatus, including: the system comprises a creating unit, a displaying unit and a control unit, wherein the creating unit is used for creating a text control window and hiding the text control window, the window mark of the text control window is a specific mark, and the specific mark is used for distinguishing the text control window from other windows in the system; the system comprises an acquisition unit, a processing unit and a processing unit, wherein the acquisition unit is used for acquiring a process unique identifier of a process and encrypting the process unique identifier of the process by using a self-defined encryption KEY to obtain an encrypted process unique identifier; the writing unit is used for writing the encrypted process unique identifier into the text control window; the creating unit is further configured to create a detection thread, where the detection thread is used to detect the number of current process instances; a determining unit, configured to determine, in the detection thread, the text control window from all windows in the system according to the specific identifier when the number of current process instances needs to be detected; the acquiring unit is further configured to acquire a text of the text control window, and decrypt the encrypted unique process identifier in the text according to the encrypted KEY to obtain a decrypted unique process identifier, where the number of the decrypted unique process identifiers is the number of the current process instance.
A third aspect of the present invention provides an electronic device comprising a memory and a processor, wherein the processor is configured to implement the steps of the method according to any one of the above when executing a computer management class program stored in the memory.
A fourth aspect of the present invention provides a computer-readable storage medium having a computer management-like program stored thereon, characterized in that: the computer management like program when executed by a processor performs the steps of the method as described in any one of the above.
According to the technical scheme, the embodiment of the invention has the following advantages: creating a text control window and hiding the text control window, wherein the window identifier of the text control window is a specific identifier, and the specific identifier is used for distinguishing the text control window from other windows in a system; acquiring a process unique identifier of a process, and encrypting the process unique identifier of the process by using a self-defined encryption KEY to obtain the encrypted process unique identifier; writing the encrypted process unique identification into the text control window; creating a detection thread, wherein the detection thread is used for detecting the number of the current process instances; when the number of the current process instances needs to be detected, determining the text control window from all windows in the system according to the specific identification in the detection thread; and acquiring a text of the text control window, decrypting the encrypted unique process identifier in the text according to the encrypted KEY to obtain a decrypted unique process identifier, wherein the number of the decrypted unique process identifier is the number of the current process instance. In the embodiment of the invention, the number of the process instances can be detected more covertly, and the number of the process instances existing at the same time can be detected.
Drawings
Fig. 1 is a flowchart of a possible method for detecting the number of process instances based on a hidden window according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a possible detection apparatus according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a hardware structure of a possible electronic device according to an embodiment of the present invention;
fig. 4 is a schematic hardware structure diagram of a possible computer-readable storage medium according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides a method for detecting the number of process instances based on a hidden window, which is used for more covertly detecting the number of the process instances existing at the same time.
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the drawings described above, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Referring to fig. 1, a flowchart of a method for acquiring data according to an embodiment of the present invention includes:
for a PC client software, a window can be created, and the created window has a system level, and other processes can also be accessed and enumerated. The idea here is to create a text box, which is also a window of the system, and then to have a good hiding effect without affecting the normal program. It is set to be invisible here so that this window is not visible from the user's perspective. And simultaneously, in order to detect the number of the currently created process instances, the unique ID of the process is written into the created text window. And during detection, whether the process ID of the window is consistent with the process ID of the text written in the window can be judged, if so, the window is a process instance in the text, and if so, a plurality of instances exist. Therefore, the window passing method belongs to a relatively hidden method, and the normal program cannot be influenced.
The embodiment of the application provides a method for detecting the number of process instances based on a hidden window. The specific design steps are shown in fig. 1:
101. creating a text control window and hiding the text control window;
the detection method of the text is to create a text control window and hide the text control window, so that the normal program is hidden and not influenced. Wherein the create text control window is created herein by calling the system function createwindow. The functional prototype is as follows:
Figure BDA0001839575930000041
Figure BDA0001839575930000051
HWND hEdit=CreateWindowW(L"EDIT",L"",0,0,0,0,0,NULL,NULL,GetModuleHandleA(NULL),NULL);
where lpcsname represents a string or integer number pointing to an empty end, lpWindowName represents a string pointer pointing to an empty end specifying a window name, dwstyle represents a style specifying a window to CREATE, X represents an initial horizontal position of the specified window, Y represents an initial vertical position of the specified window, nWidth represents a width specifying a window by device unit, nhight represents a height specifying a window by device unit, hWndParent represents a handle pointing to a parent window or owner window of the created window, hMenu represents a menu handle, or a child window identification by window style, htansnce represents a handle of a module instance associated with the window, lpParam represents a pointer to a value that is passed to the window WM _ ate message.
In addition, the name of the window created herein is a text control, so the window may be named as "EDIT" in the embodiment of the present application; the name of the window may be set herein as an empty string; while other window coordinates and sizes may be set to 0 herein. And an instance handle of a window is needed, the handle GetModuleHandleA of the current process is obtained, and the incoming parameter is a null representation and is used for obtaining the handle of the module.
102. Creating help text for the hidden text control window;
it can be understood that, for a normal program, there are very many text controls of the system, and in order to prevent the occurrence of false positives, in the embodiment of the present application, the help text of the window of the created text control is set to "EDIT", so as to be distinguished from the normal window, because there is no normal program that sets the help text of the window to "EDIT". It should be noted that the help text may be other character string names, but the maximum length must be 4 bytes.
Optionally, in the embodiment of the present application, the help text of one window may be set through a system function setwindowcontexthellpid. The functional prototype is as follows:
BOOL SetWindowContextHelpId(
DWORD dwContextHelpId
);
wherein dwcontexthellpid is a set 4-byte data, and is "EDIT" corresponding to the text.
SetWindowContextHelpId(hEdit,'EDIT');
Where hEdit is the window handle of the text control created in step 101.
103. Acquiring a process unique identifier of a process, and encrypting the process unique identifier of the process by using a self-defined encryption KEY to obtain the encrypted process unique identifier;
after a window exists, the process unique mark of the current process needs to be encrypted and then written into the text of the window.
A system function is first called to obtain a process unique identifier.
DWORD dwProcessId=GetCurrentProcessId();
The function prototype is as follows:
DWORD GetCurrentProcessId(VOID);
the return value is the unique identification of the acquired process.
Then, the data is encrypted by using the customized encryption KEY, and the specific implementation function is as follows:
Encryptdata=Des.Encrypt(dwProcessId,KEY);
encrypt is the interface of the encryption algorithm, dwProcessId is the data to be encrypted, and KEY is the encrypted KEY value to be encrypted.
Note that fixed encryption KEY is used for encryption herein. For example, the encrypted KEY may define a 32-bit signature string, such as: "abcd 1122334455667788 aabbbccddabc", so that the encrypted process unique identifier Encryptdata can be finally obtained.
104. Writing the encrypted process unique identifier into a text control window;
after the encrypted string is obtained, the encrypted value may be written to the created text control. Optionally, in this embodiment of the present application, a system function sendmessage w is called to send a message to the text control, so as to implement data writing. The function prototype is as follows:
SendMessage(HWND hWnd,UINT Msg,WPARAM wParam,LPARAM IParam);
where hWnd represents the handle to the window where the windowing program will receive the message; msg denotes a message designated to be sent; wParam denotes specifying additional message specific information; IParam indicates that additional message specific information is specified.
SendMessageW(hEdit,WM_SETTEXT,MAX_PATH,(LPARAM)Encryptdata);
It should be noted that the sendmessage w function is used to send a message for writing a text to the created text control window; hEDIt represents the text control created in the above step; encryptdata represents encrypted data.
105. Creating a detection thread;
in view of the fact that the independent threads have a more hidden effect and can be separated from the logic of the main program, in the embodiment of the present application, the number of instances of the current process is checked by creating the independent threads. Specifically, in this embodiment, a system function createnethread is used to create an independent thread function. The functional prototype is as follows:
HANDLE WINAPI CreateThread(
LPSECURITY_ATTRIBUTES lpThreadAttributes,
SIZE_T dwStackSize,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
DWORD dwCreationFlags,
DWORD lpThreadId,
);
wherein lpthreadattenbutes represent the security attribute of the thread kernel object, generally, NULL is transmitted to represent that default setting is used, and dwStackSize represents the size of the thread stack space; lpStartAddress represents the address of a thread function executed by the new thread; lpParameter represents the parameter passed to the thread function; dwCreationFlags indicates that an additional flag is specified to control the creation of the thread, lpThreadId indicates the ID number of the thread to be returned.
The specific calls are as follows:
hThread=CreateThread(NULL,0,ThreadFunc,0,0,&threadId);
through the above process, a detection thread is created herein, and the execution function of the thread is ThreadFunc. The entire subsequent check logic is programmed in the thread execution function ThreadFunc.
106. And checking the number of process instances in the detection thread.
In step 105, a detection thread is created, which is used to perform the process instance number for checking the current system. The concrete implementation is as follows:
DWORD WINAPI ThreadFunc(LPVOID p){
in the embodiment of the application, the process information is recorded by creating an edit text box for each process. Then the text enumerates all windows in the system through the function enum windows and checks the windows of the text box.
EnumWindows(CheckEditCallBack,(LPARAM)this);
The functional prototype is as follows:
BOOL WINAPI EnumWindows(
_In_WNDENUMPROC lpEnumFunc,
_In_LPARAM lParam
);
wherein lpEnumFunc represents a pointer to an application-defined callback function; lParam represents the application-defined value passed to the callback function; the function EnumWindows represents a function with enumerating all windows of the system.
Next, a specific window enumeration process is written.
BOOL CALLBACK CheckEditCallBack(HWND hWnd,LPARAM pParam){
Firstly, the name of a window is obtained by calling a system function GetClassName, and the specific implementation function is as follows:
GetClassName(hWnd,szClassName,MAX_PATH);
and it needs to judge whether the window text is "EDIT" created in this document, if yes, then obtain the help text of the window through the system function dwordwwwindowhellpid ═ getwindowcontexthellpid (hwnd). The steps of judging whether the window text is the EDIT created in the text are as follows: whether the window is visible or not is judged by a system function IsWindowVisible, and if the window is visible, the window is not the window created in the text.
Bool bV=IsWindowVisible(hWnd);
If(bV){return;}
And judging the help text of the window, if the help text is not EDIT, the window is not the window created in the text, and the specific implementation function is as follows:
If(dwWindowHelpId!='EDIT'){return;}
if the help text is "EDIT", the text of the text EDIT box is obtained, similarly, the text EDIT box can be obtained by sending a message SendMessageW, and the specific implementation function is as follows:
SendMessageW(hWnd,WM_GETTEXT,MAX_PATH,(LPARAM)wzWndName);
and obtaining the text wzWndName of the text control through the calling. When the data is stored in an encrypted manner before, the data is decrypted in the text, and the specific decryption operation is realized as follows:
dwProcessId=Des.Decrypt(Encryptdata,KEY);
decrypt represents the interface of the decryption algorithm; dwProcessId is the only mark of the process obtained after decryption; the KEY is the KEY value to be decrypted, which is the same as the encrypted KEY value used in the encryption.
And then acquiring a unique process mark corresponding to the window, wherein the specific implementation function is as follows:
GetWindowThreadProcessId(hWnd,&dwWndPid);
the function prototype is as follows:
DWORD GetWindowThreadProcessId(
HWND hWnd,
LPDWORD lpdwProcessId
);
wherein, hWnd represents the handle of the window; lpdwProcessId represents the resulting process unique identifier. Thus we show that this window was indeed created when we created the process before, if we compare the values of lpdwProcessId and dwProcessId to be consistent, then we show that an instance of a process was found. If multiple process instances are found, then multiple process instances exist.
In addition, in the embodiment of the present application, in addition to detecting the number of process instances based on the memory mapped file, other methods for detecting the number of process instances are also provided, for example, detecting the number of current process instances based on the memory mapped file or detecting the number of current process instances based on a window of a default input method specifically includes:
1) detecting the number of process instances based on the memory mapping file;
the memory mapping file is a mapping from a file to a memory, so that an application program can access the file on a disk through a memory pointer, and the process is just like the access to the memory loaded with the file. Because the memory mapping file has a function of reading a file of a disk, and meanwhile, in the application, the memory mapping file can share memory data by a plurality of processes, that is, one memory mapping file can be shared, accessed, read and written by a plurality of processes, so that the memory mapping file is cross-process. In view of this, an embodiment of the present invention provides a method for detecting a number of process instances based on a memory mapped file, including:
step 1, defining a data storage format for writing a process into a memory mapping file;
for the memory mapping file, data needs to be written into the memory mapping file, and meanwhile, in order to achieve higher safety and prevent conflict with a normal mapping file, a self-defined data writing format, namely a data storage format written into the memory mapping file, is defined, so that the memory mapping file is more concealed. The data storage format includes the following information: the method comprises a feature code, a process unique identifier of a process and an encryption KEY, wherein the feature code is a section of hidden characters, the feature code represents that a memory mapping file is used for detecting the program multiple-open instance, and the encryption KEY is used for encrypting the process unique identifier of the process.
Specifically, first, a feature code is written in the header of the memory mapped file, and it should be noted that the feature code is unique and indicates the memory mapped file used herein for detecting the multiple instances of the program. In this embodiment of the present application, the feature code is an invisible character, and may have 32 bytes, for example, the feature code may be: 0x245631a4d7ea56dc2145632abc2ef 365. It should be noted that the feature code may be customized as long as it is unique or not easy to generate a collision.
And then defining the data format written by each process. For each process, the process unique identifier of the process needs to be written in the memory mapping file, and meanwhile, for higher security, the written data needs to be encrypted, so that a piece of KEY data, namely encrypted KEY, also needs to be written. Meanwhile, in order to distinguish the format of the data written by each process, a section of feature code is also required to be added.
For ease of understanding, table 1 provides a look-your data storage format for the embodiment of the present application, which includes a table of 10 bytes of signature codes, 32 bytes of encrypted KEY, 16 bytes of process unique Identification (ID), and 58 bytes in total, and the signature codes written by each process are the same.
TABLE 1
10 byte signature code 32 byte encrypted KEY 16-byte process unique identifier
Step 2, designing the name of the memory mapping file;
after defining the data storage format for writing the process into the memory mapping file, the file name of the memory mapping is designed. Since this name is shared throughout the system, it cannot be consistent or conflict with other process-created or system-created names, and a name hiding function is also required. In addition, in order to prevent the memory mapping file from being cracked and discovered by hackers, the memory mapping file needs to be changed every time when the computer is started, and all processes of the program can be calculated in a consistent mode.
In the embodiment of the invention, the unique process ID of a process started by starting is encrypted and used as a part of the name of the memory mapping file, and meanwhile, the unique name of the memory mapping file is generated by adding the feature code of the text to the name of the memory mapping file; and the unique process ID of the process started by starting the computer is changed every time the computer is started. In the embodiment of the application, since the winlogo. exe process is used for managing user login and logout, the process is created and exists, and the process unique ID of the process is changed after each startup. For ease of understanding, the implementation of the winlogo. exe process is specifically determined as follows:
a signature code is defined that may be 10 bytes in length, such as 0x4578 abdcab. Next, the process unique ID of the process needs to be found by the process name, specifically, the process Snapshot of the system is obtained by calling the system function CreateToolhelp32 Snapshot. The function prototype is as follows:
HANDLE_WINAPI CreateToolHelp32Snapshot(
DWORD dwFlags,
DWORD th32ProcessID)
wherein dwFlags is used for indicating the type of obtaining the system process snapshot is specified; th32process ID is used to indicate ID pointing to process snapshot to be obtained, and is 0 when all process snapshots in the system are obtained;
and defining a structure for storing the process information, wherein the function prototype is as follows:
HANDLE hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
PROCESSENTRY32 pe32;
pe32.dwSize=sizeof(PROCESSENTRY32);
then, do while loop function is written to traverse all processes of the search system, and whether the process name is winlogo
Figure BDA0001839575930000101
Note that the do while loop calls a system function Process32Next to indicate that data of the Next Process is acquired. The function prototype is as follows:
BOOL Process32Next(
HANDLE hSnapshot,
LPROCESSENTRY32lppe);
wherein hSnapshot is the handle of the system process Snapshot returned by the CreateToolHelp32Snapshot function; lppe is a structure pointer to process, and details of the process are stored in the structure. Judging whether the process is the winlogon.exe process or not according to the name of the process, if so, obtaining the process unique identification of the winlogon.exe process from the data structure of the winlogon.exe process, and storing the process unique identification in the variable th32process ID.
After obtaining the unique process identifier of the winlogo. exe process, the HASH algorithm MD4 is used to calculate HASH on the data to obtain the Name of the memory mapping file, and the specific function is implemented as follows:
Name=MD4.Create(0x4578abdcab+th32ProcessID)。
step 3, determining an encryption mode of the memory mapping file;
in order to ensure the security of writing data into the memory mapping file, the data needs to be encrypted and stored. In the embodiment of the application, the encryption KEY and the encryption result are written into the memory mapping file, and the encryption KEY used each time is ensured to be changed, so that the data security is further improved. The use of the Tiny Encryption Algorithm (TEA) and Blowfish based encryption algorithms, i.e. the combination of fast encryption and strong encryption algorithms, makes it difficult for the cracker to analyze and know what encryption algorithm is used. The specific encryption algorithm may be as follows:
first, a random seed is generated each time based on the current time, specifically: acquiring current system Time through a function Time Time () and calling a system function srad to set a random seed, namely srad (Time); secondly, generating a random number KEY with the length of 32 by a function KEY as Rand (), thereby obtaining an encryption KEY used for encryption; after the encryption KEY is obtained, encrypting data, namely the process unique identifier of the process by using the encryption KEY, for example, encrypting by using a Blowfish encryption algorithm, wherein the specific functions are realized as follows:
Encryptdata=Blowfish.Encrypt(data,KEY);
encrypt is the encryption interface of Blowfish encryption algorithm; the data is data needing encryption, namely a process unique identifier of the process; the KEY is an encryption KEY needing to be encrypted;
after the Blowfish encryption algorithm is adopted for primary encryption, the TEA encryption algorithm is used for encrypting the data again, and the specific functions are realized as follows:
Encryptdata2=TEA.Encrypt(Encryptdata,KEY);
wherein TEA is an encryption interface of TEA encryption algorithm; the KEY is an encryption KEY needing to be encrypted; encryptdata is primary encrypted data obtained after encryption by a Blowfish encryption algorithm; encryptdata2 is the secondary encrypted data output after secondary encryption, i.e. the unique process identifier of the encrypted process.
Step 4, creating a memory mapping file;
after the previous step is ready, the step is that after the program is started, a memory mapping file needs to be created, and data is written into the created memory mapping file. The specific creation is created through an Application Programming Interface (API) function of the windows system. The concrete implementation is as follows: unsection ═ CreateFileMapping (INVALID _ HANDLE _ VALUE, NULL, PAGE _ READWRITE,0, session _ SIZE, Name); specifically, the prototype of the function that creates the memory mapped file is as follows:
first, a memory mapped file is created.
HANDLE CreateFileMapping(
HANDLE hFile,
LPSECURITY_ATTRIBUTES lpAttributes,
DWORD flProtect,
DWORD dwMaximumSizeHigh,
DWORD dwMaximumSizeLow,
LPCTSTR lpName
);
Wherein hFile represents a physical file handle; lpAttributes denotes security settings; flProtect denotes protection settings; dwmaximszehigh represents the high-order file size; dwmaximumsizeLow represents the low-order file size; lpName represents the shared memory name, i.e., the name of the memory mapped file generated in step 2.
Then, the memory mapped file needs to be acquired, and the corresponding address is acquired to write the unique process identifier of the process, specifically, the head end of the memory mapped file can be acquired by calling a system function MapViewOfFile, so that data can be written into the memory mapped file, and specifically, the function of acquiring the head end of the memory mapped file is implemented as follows:
PBYTE pMap=(PBYTE)MapViewOfFile(hSection,FILE_MAP_ALL_ACCESS,0,0,0)。
step 5, writing the process unique identification of the process into a memory mapping file according to the data storage format;
after the memory mapping file is created, the memory mapping file is written in according to the format of the previously defined memory mapping file. Firstly, in order to mark the particularity of the mapping file, copying a feature code to a memory mapping file header through a system function memory copy memcpy, wherein the specific functions are realized as follows: memcpy (pMap,0x245631a4d7ea56dc2145632abc2ef365, 32); next, the process unique identifier of the process needs to be written in a format similar to that in table 1, and a system function GetCurrentProcessId () is called to obtain the process unique identifier, and a return value of the process unique identifier is the obtained process unique identifier. The concrete implementation is as follows:
DWORD dwProcessId=GetCurrentProcessId();
after the process unique identifier of the process is obtained, the process unique identifier needs to be encrypted and then written into the memory mapping file. How to encrypt makes data more covert, in this application embodiment, a process unique identifier of a winlogo process acquired before can be adopted, the identifier can change with each startup, and current timestamp information can be adopted in the text, so that a value at each moment can change, the data are spliced together, an encryption KEY used for final encryption is obtained by calculating a HASH value, and thus, the variability of the encryption KEY is guaranteed.
The process unique identifier th32process id of the winlogo. exe process can be acquired in the above steps, and then the system function Long Time () is called to acquire the current timestamp information; optionally, in this embodiment of the present application, the algorithm SHA-1 may be used to calculate an encryption KEY that needs to be used for subsequent encryption, that is, KEY — SHA-1.Create (th32process id + time). After obtaining the encryption KEY, encrypting the unique process identifier of the process by using a Blowfish encryption algorithm and a TEA encryption algorithm, respectively, wherein the specific implementation functions are as follows:
Encryptdata=Blowfish.Encrypt(dwProcessId,KEY);
encrypt is the encryption interface of Blowfish encryption algorithm; dwProcessId is the unique process identifier of the acquired process; the KEY is an encryption KEY needing to be encrypted;
after the Blowfish encryption algorithm is adopted for primary encryption, the TEA encryption algorithm is used for encrypting the data again, and the specific functions are realized as follows:
Encryptdata2=TEA.Encrypt(Encryptdata,KEY);
wherein TEA is an encryption interface of TEA encryption algorithm; the KEY is an encryption KEY needing to be encrypted; encryptdata is primary encrypted data obtained after encryption by a Blowfish encryption algorithm; encryptdata2 is the secondary encrypted data output after secondary encryption, i.e. the unique process identifier of the encrypted process.
After the encrypted process unique identifier is obtained through calculation, the encrypted process unique identifier needs to be written into the memory mapping file, wherein the feature code can be written into the head end of the memory mapping file, and then the encrypted KEY and the encrypted process unique identifier are written into the memory mapping file, and specifically, the encrypted KEY is written into the memory mapping file through a system function Memcpy (pMap +10, KEY, 32); the writing of the process unique identification of the encrypted process is realized by a system function Memcpy (pMap +10+32, EncryptData2, 32). If other processes are started subsequently, the information is written into the process.
And 6, detecting the number of the current process instances.
At any moment, after the process is started, the memory mapping file can be read, so that the data of the memory mapping file is traversed, the process information of how many memory mapping files exist is checked, and for a normal example, only one memory mapping file exists. If the process starts multiple instances, then there will be multiple instances, so that it can get how many process instances are started. The specific reading method is to read the relevant unique process identifier according to the written format; if the identification is not the unique identification of the own process, the fact that a plurality of unique identifications of the process exist at the same time is shown. Specifically, the memory mapping file is read and then the data is decrypted, and the specific functions are implemented as follows:
EncryptData=TEA.decrypt(EncryptData2,KEY);
dwProcessId=Blowfish.decrypt(EncryptData,KEY);
wherein, TEA.decrypt is the decryption algorithm of TEA encryption algorithm; encrypt is the decryption algorithm of the Blowfish encryption algorithm, KEY, the encryption KEY used for encryption, can be read from the memory mapping file, EncryptData2 is the only identification of the encrypted process, dwProcessId obtains the only identification of the original process.
It should be noted that, in the case of actual inspection, it is found herein that sometimes, due to a fault occurring in the program, the program is in a stuck state when exiting or running, and thus a false judgment may be caused. Then in order to more accurately check whether the process of multiple instances is running in the current system, the unique identification of the process checked in step 6 is needed to determine whether it is in a stuck state. The concrete implementation is as follows:
firstly, a module handle of a system ntdll is obtained by calling a system function GetModuleHandle, and the specific realization functions are as follows:
HMODULE hNtdll=GetModuleHandle(“ntdll.dll”);
the function prototype is as follows:
HMODULE WINAPI GetModuleHandle(
_In_opt_LPCTSTR lpModuleName
);
that is, the input parameter is the name of the module, and the return value is the module handle of the module ntdll.
Then, the system function ntqueryinformation process is obtained from the module of the system ntdll through the system function GetProcAddress, and the function ntqueryinformation process can obtain the process-related information.
DWORD dwFunc=GetProcAddress(hNtdll,“NtQueryInformationProcess”);
Wherein the function prototype is as follows:
FARPROC GetProcAddress(
HMODULE hModule;
LPCSTR lpProcName;
);
wherein, hModule identifies DLL module handle, lpProcName represents function name, and the return value is the handle of the module.
After the handle of the module is obtained, an existing process object is opened through a system function OpenProcess, and the handle of the process is returned. The specific function is implemented as follows:
hProc=OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,dwProcessId);
wherein the function prototype is as follows:
HANDLE OpenProcess(
DWORD dwDesiredAccess,
BOOL bInheritHandle,
DWORD dwProcessId,
);
wherein dwDesiredAccess indicates the desired access right (flag), bInheritHandle indicates whether the handle is inherited, and dwProcessId indicates the process identifier.
After the process handle is obtained, a variable is defined to store the obtained process information, and the specific implementation function is as follows:
PROCESS_BASIC_INFORMATION info={0};
ZwQueryInformationProcess(hProc,ProcessBasicInformation,&info,sizeof(PROCESS_BASIC_INFORMATION),NULL);
the parameter hProc is the process handle acquired before; the parameter ProcessBasiciInformation is the basic information of the process needing to be acquired; the parameter info is a storage variable of the information acquired by the user.
After the process related information is acquired, the state of the process can be judged through the process related information, and the specific implementation function is as follows:
Figure BDA0001839575930000151
wherein, if the process STATUS is STATUS _ PENDING, it indicates that the process is in a stuck state, otherwise, the process is active. Therefore, by this function, the possibility of some erroneous judgment can be excluded.
In this embodiment, a unique fixed memory mapped file is created for each process when creating an instance, and in order to prevent normal program conflicts, the name is very unique and does not create the possibility of collision with other programs. The process unique ID of the process is encrypted and then written into the memory mapping file, so that when a subsequent program is read, a plurality of process unique IDs in the current mapping file can be searched, and if a plurality of process unique IDs exist, a plurality of instances are considered to exist currently. The method based on the text is not only more concealed, but also can detect the number of the instances existing at the same time, and has less possibility of misjudgment.
2) The number of process instances is detected based on a window of a default input method.
For a piece of PC client software, each process has a default input method window, and the text can hide some process-related information from the default input method windows of all the processes created in the text based on the default input method windows, so that when enumerating all the input method windows in the subsequent process, if a plurality of processes meet the hiding method in the text, a plurality of instance processes exist, and a very hidden method for detecting the number of current process instances can be achieved.
This step mainly describes the process-based default input method. The specific design steps are as follows:
step 1, enumerating all windows of the current system to search a default input method window of the process.
After the PC client software is started, all windows of the system are traversed, and a window of a default input method is obtained, so that process related information can be hidden in the window of the default input method subsequently. The concrete implementation is as follows:
all windows of the system need to be enumerated first.
EnumWindows(SDefaultIMECallBack,(LPARAM)this);
BOOL WINAPI EnumWindows(
_In_WNDENUMPROC lpEnumFunc,
_In_LPARAM lParam
);
Wherein lpEnumFunc represents a pointer to an application-defined callback function; lParam represents the application-defined value passed to the callback function; the function EnumWindows then has the function of enumerating all the windows of the system.
Next, a specific window enumeration process is written.
BOOL CALLBACK SDefaultIMECallBack(HWND hWnd,LPARAM pParam){
Similarly, the unique process identifier dwwnpid of the process to which the window belongs is obtained through a system function GetWindowThreadProcessId, and the specific implementation function is as follows:
GetWindowThreadProcessId(hWnd,&dwWndPid);
then, a system function GetCurrentProcessId is called to obtain the unique identifier of the process, and the specific implementation function is as follows:
DWORD dwCurrentPid=GetCurrentProcessId();
if the unique process identifications are not consistent, quitting, which indicates that the window is not the default input method window of the process, and the specific implementation function is as follows:
If(dwCurrentPid!=dwWndPid){return;}
then, the name of the window needs to be obtained through a system function SendMessage, the window name is stored in the szwnname variable, and the specific implementation function is as follows:
SendMessage(hWnd,WM_GETTEXT,MAX_PATH,(LPARAM)szWndName);
then, it needs to judge whether the window name is 'defaultIME', if so, it indicates that the window is a default input method window, and the specific implementation function is as follows:
If(strcmp(“defaultIME”,szWndName)!=0){return;}
if the name of the window is not 'defaultIME', the window is not the default input method window and is directly exited. Otherwise, the description is an input method window. So that in this step a window handle for the input method is found. }
And step 2, hiding process related information for the input method window of the process.
In step 1, the window of the default input method is obtained, and in this step, the process unique identifier needs to be encrypted and then stored in the window of the default input method. For purposes of this document, however, since the default input method window is text-incapable, how the encrypted process-unique id is stored in the default input method window. The idea of this document is that the process unique ID is a 4-byte integer, and for each window, the coordinates of the position of the window are set, and for the entire screen, one coordinate contains the horizontal position and the vertical position, and then exactly one 4-byte integer is needed for storage. It is similar to the coordinates of X and the coordinates of Y in one coordinate system.
The process unique ID is encrypted using the TEA encryption algorithm herein.
In step one, the unique identification dwCurrentPid of the process is obtained.
EncryptData=Tea.encrypt(dwCurrentPid,KEY);
Wherein, Tea. encrypt is an encrypted interface; dwCurrentPid is the only indication of 4 bytes for the original unencrypted process; KEY is an encrypted KEY as used herein (a 32-bit string may be randomly generated); the encrypted data is EncryptData, which is also 4 bytes of data.
After obtaining the encrypted unique process identifier, the encrypted data needs to be split and then used as the coordinate data of the window to set the coordinate position of the window. Wherein EncryptData is 4 bytes of data, the first 2 bytes are split into one data, and the last 2 bytes are split into another data.
Posx=EncryptdataHead;Posy=EncryptdataEnd;
Wherein Posx represents the X coordinate of the window; posy represents the y coordinate of the window; EncrypttdataHead indicates the first 2 bytes of data of EncrypttData; EncrypttdataEnd then marks the last 2 bytes of data for EncrypttData. Next, a system function SetWindowPos is called to set the coordinates, and the function prototype is as follows:
BOOL
WINAPI
SetWindowPos(
HWND hWnd,
HWND hWndInsertAfter,
int X,
int Y,
int cx,
int cy,
UINT uFlags);
wherein, hWnd is the handle of the window; hwndInsertAfter is the window Z order attribute; x is the position of the window on the X axis; y is the position of the window in Y; cx is the width of the window; cy is the height of the window; uFlags is a flag that is selectively set.
This document calls the following:
SetWindowPos(hWnd,HWND_BOTTOM,Posx,Posy,0,0,SWP_NOZORDER);
the window handle hWnd is a window of a previously acquired default input method; posx and Posy are the coordinate positions of the setup window. Thus, the unique identification of the process is stored by converting the encrypted and split process into the coordinate position of the default input method.
And 3, checking the number of the current process instances by creating an independent thread.
The number of the instances of the current process is checked by creating the independent thread, and the independent thread has a more hidden effect and can be separated from the logic of the main program. In particular, the system function createnethread is used to create an independent thread function. The functional prototype is as follows:
HANDLE WINAPI CreateThread(
LPSECURITY_ATTRIBUTES lpThreadAttributes,
SIZE_T dwStackSize,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
DWORD dwCreationFlags,
DWORD lpThreadId
);
wherein lpthreadattembutes represents the security attribute of the thread kernel object, and the general NULL input represents that the thread stack space size is represented by using a default setting dwStackSize; lpStartAddress represents the address of a thread function executed by the new thread; lpParameter represents the parameter passed to the thread function; dwCreationFlags indicates that an additional flag is specified to control the creation of a thread; lpThreadId indicates the ID number of the thread to be returned.
The specific calls are as follows:
hThread=CreateThread(NULL,0,ThreadFunc,0,0,&threadId);
where a thread is created and the execution function of the thread is ThreadFunc.
The entire subsequent check logic is programmed in the thread execution function ThreadFunc.
And 4, checking the number of process instances in the thread function.
In step 3 we create a thread function, which is the number of process instances used to perform the present document to look at the current system. The concrete implementation is as follows:
DWORD WINAPI ThreadFunc(LPVOID p){
the process information is recorded by creating an edit text box for each process. Then the document needs to enumerate all windows in the system and check the windows of the text box.
The function CheckDefaultIMECallBack is written to check all windows, and the specific implementation function is as follows:
EnumWindows(CheckDefaultIMECallBack,(LPARAM)this);
BOOL CALLBACK CheckDefaultIMECallBack(HWND hWnd,LPARAM pParam)
{
firstly, calling a system function GetClassName to obtain the name of a current window, wherein the obtained window name is stored in an szClassName. The specific implementation function is as follows:
GetClassName(hWnd,szClassName,MAX_PATH);
if(strcmp(“IME”,szClassName)!=0){return;}
then, whether the input method is the IME or not is compared, if not, the window is not a window of a default input method, and otherwise, the window is the window of the default input method.
Then, defining a matrix variable RECT ═ {0 }; the position of this window is then obtained by calling the system function GetWindowRect. The function prototype is as follows:
BOOL GetWindowRect(HWND hWnd,LPRECT lpRect);
wherein the parameter HWND HWND represents the handle of the window that needs to be fetched; the parameter LPRECT represents a parameter for storing acquired window coordinate information.
GetWindowRect(hWnd,&rect);
After the function is called, the coordinate information is stored in the variable rect; next, the original process unique ID needs to be decrypted from the window coordinate, specifically, after the window coordinate is obtained, the X and Y coordinates are spliced into an encrypted data EncryptData, and the original process unique ID is decrypted according to the encrypted data, and the specific function is implemented as follows:
EncryptData=rect.top+rect.left;
top stores the Y coordinate of the window; left stores the X coordinate of this window. And then, decrypting the data, wherein the specific function is realized as follows:
dwCurrentPid=Tea.encrypt(EncryptData,KEY);
among them, Tea. EncryptData is encrypted data; dwCurrentPid is the only indication of 4 bytes for the original unencrypted process; KEY is decrypted KEY as used herein (this KEY and encrypted KEY are the same value).
Then, the process unique ID to which the window belongs needs to be obtained by calling the system function GetWindowThreadProcessId: GetWindowThreadProcessId (hWnd, & dwndPid); wherein the unique identification of the process is stored in the variable dwndpid. Based on this, the process unique mark of one window is obtained, and the other process unique mark is obtained through the coordinate decryption of the window.
if(dwWndPid==dwCurrentPid){
If the acquired process unique ID and the process unique ID acquired by the default input method are equal, the window showing this default input method is set by the process created here before, and the description is an example of this process. Thus, if one window is detected, one instance is indicated, and if there are multiple instances, multiple instances are indicated.
The embodiment of the present invention is described above from the perspective of a method for detecting the number of process instances based on a hidden window, and the embodiment of the present invention is described below from the perspective of a detection device.
Referring to fig. 2, fig. 2 is a schematic diagram of an embodiment of a possible detection apparatus according to an embodiment of the present invention, wherein the detection apparatus specifically includes:
a creating unit 201, configured to create a text control window and hide the text control window, where a window identifier of the text control window is a specific identifier, and the specific identifier is used to distinguish the text control window from other windows in a system;
an obtaining unit 202, configured to obtain a unique process identifier of a process, and encrypt the unique process identifier of the process by using a custom encryption KEY to obtain an encrypted unique process identifier;
a writing unit 203, configured to write the encrypted process unique identifier into the text control window;
the creating unit 201 is further configured to create a detection thread, where the detection thread is used to detect the number of current process instances;
a determining unit 204, configured to determine, in the detection thread, the text control window from all windows in the system according to the specific identifier when the number of current process instances needs to be detected;
the obtaining unit 202 is further configured to obtain a text of the text control window, and decrypt the encrypted unique process identifier in the text according to the encrypted KEY to obtain a decrypted unique process identifier, where the number of the decrypted unique process identifiers is the number of the current process instance.
Referring to fig. 3, fig. 3 is a schematic diagram of an embodiment of an electronic device according to an embodiment of the invention.
As shown in fig. 3, an embodiment of the present invention provides an electronic device, which includes a memory 310, a processor 320, and a computer program 311 stored in the memory 320 and executable on the processor 320, where the processor 320 executes the computer program 311 to implement the following steps: creating a text control window and hiding the text control window, wherein the window identifier of the text control window is a specific identifier, and the specific identifier is used for distinguishing the text control window from other windows in a system; acquiring a process unique identifier of a process, and encrypting the process unique identifier of the process by using a self-defined encryption KEY to obtain the encrypted process unique identifier; writing the encrypted process unique identification into the text control window; creating a detection thread, wherein the detection thread is used for detecting the number of the current process instances; when the number of the current process instances needs to be detected, determining the text control window from all windows in the system according to the specific identification in the detection thread; and acquiring a text of the text control window, decrypting the encrypted unique process identifier in the text according to the encrypted KEY to obtain a decrypted unique process identifier, wherein the number of the decrypted unique process identifier is the number of the current process instance.
Optionally, in a possible embodiment, the processor 320 is specifically configured to: creating the text control window by calling a system function CreateWindowW; hiding the text control window so that the text control window is a window invisible to a user.
Optionally, in a possible embodiment, the processor 320 is specifically configured to: acquiring a process unique identifier of the process by calling a system function GetCurrentProcessId (); and taking the process unique identifier of the process and the encryption KEY as the input of an encryption interface DES.
Optionally, in a possible embodiment, the processor 320 is specifically configured to: and creating the detection thread by calling a system function CreatTread, wherein the input of the system function CreatTread comprises identification information of the detection thread, the execution function of the detection thread is a system function TreadFunc, and the system function TreadFunc is used for detecting the number of the current process instances.
Optionally, in a possible embodiment, the processor 320 is further configured to: and setting the help text of the text control window through a system function SetWindowContextHelpid, wherein the text identifier of the help text is the specific identifier.
Optionally, in a possible embodiment, the processor 320 is specifically configured to: acquiring window identifications of all windows in the system by calling a system function GetClassName; determining the window with the window identifier as the specific identifier as a target text control window; judging whether the target text space window is visible or not by calling a system function IsWindowsVissible; if the target text space window is not visible, acquiring a help text of the target text space window by calling a system function GetWindowContextHelpID; and if the help text of the target text space window is the specific identifier, determining that the target text space window is the text space window.
Optionally, in a possible embodiment, the processor 320 is specifically configured to: acquiring a text of the text space window through a system function SendMessageW, wherein the text comprises the encrypted process unique identifier; and taking the encrypted process unique identification and the encrypted KEY as the input of a decryption interface Des.
Since the electronic device described in this embodiment is a device used for implementing one of the servers in the embodiment of the present invention, based on the method described in the embodiment of the present invention, those skilled in the art can understand the specific implementation manner of the electronic device in this embodiment and various variations thereof, so that how to implement the method in the embodiment of the present invention by the electronic device is not described in detail herein, and as long as the device used for implementing the method in the embodiment of the present invention by those skilled in the art is within the scope of the present invention to be protected.
Referring to fig. 4, fig. 4 is a schematic diagram illustrating an embodiment of a computer-readable storage medium according to the present invention.
As shown in fig. 4, the present embodiment provides a computer-readable storage medium 400, on which a computer program 411 is stored, the computer program 411 implementing the following steps when executed by a processor: creating a text control window and hiding the text control window, wherein the window identifier of the text control window is a specific identifier, and the specific identifier is used for distinguishing the text control window from other windows in a system; acquiring a process unique identifier of a process, and encrypting the process unique identifier of the process by using a self-defined encryption KEY to obtain the encrypted process unique identifier; writing the encrypted process unique identification into the text control window; creating a detection thread, wherein the detection thread is used for detecting the number of the current process instances; when the number of the current process instances needs to be detected, determining the text control window from all windows in the system according to the specific identification in the detection thread; and acquiring a text of the text control window, decrypting the encrypted unique process identifier in the text according to the encrypted KEY to obtain a decrypted unique process identifier, wherein the number of the decrypted unique process identifier is the number of the current process instance.
Optionally, in a possible embodiment, the computer program 411 is specifically adapted to implement the following steps when being executed by a processor: creating the text control window by calling a system function CreateWindowW; hiding the text control window so that the text control window is a window invisible to a user.
Optionally, in a possible embodiment, the computer program 411 is specifically adapted to implement the following steps when being executed by a processor: acquiring a process unique identifier of the process by calling a system function GetCurrentProcessId (); and taking the process unique identifier of the process and the encryption KEY as the input of an encryption interface DES.
Optionally, in a possible embodiment, the computer program 411 is specifically adapted to implement the following steps when being executed by a processor: and creating the detection thread by calling a system function CreatTread, wherein the input of the system function CreatTread comprises identification information of the detection thread, the execution function of the detection thread is a system function TreadFunc, and the system function TreadFunc is used for detecting the number of the current process instances.
Optionally, in a possible embodiment, the computer program 411 is specifically adapted to implement the following steps when being executed by a processor: and setting the help text of the text control window through a system function SetWindowContextHelpid, wherein the text identifier of the help text is the specific identifier.
Optionally, in a possible embodiment, the computer program 411 is specifically adapted to implement the following steps when being executed by a processor: acquiring window identifications of all windows in the system by calling a system function GetClassName; determining the window with the window identifier as the specific identifier as a target text control window; judging whether the target text space window is visible or not by calling a system function IsWindowsVissible; if the target text space window is not visible, acquiring a help text of the target text space window by calling a system function GetWindowContextHelpID; and if the help text of the target text space window is the specific identifier, determining that the target text space window is the text space window.
Optionally, in a possible embodiment, the computer program 411 is specifically adapted to implement the following steps when being executed by a processor: acquiring a text of the text space window through a system function SendMessageW, wherein the text comprises the encrypted process unique identifier; and taking the encrypted process unique identification and the encrypted KEY as the input of a decryption interface Des.
It should be noted that, in the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to relevant descriptions of other embodiments for parts that are not described in detail in a certain embodiment.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (10)

1. A method for detecting the number of process instances based on a hidden window is characterized by comprising the following steps:
creating a text control window and hiding the text control window, wherein the window identifier of the text control window is a specific identifier, and the specific identifier is used for distinguishing the text control window from other windows in a system;
acquiring a process unique identifier of a process, and encrypting the process unique identifier of the process by using a self-defined encryption KEY to obtain the encrypted process unique identifier;
writing the encrypted process unique identification into the text control window;
creating a detection thread, wherein the detection thread is used for detecting the number of the current process instances;
when the number of the current process instances needs to be detected, determining the text control window from all windows in the system according to the specific identification in the detection thread;
and acquiring a text of the text control window, decrypting the encrypted unique process identifier in the text according to the encrypted KEY to obtain a decrypted unique process identifier, wherein the number of the decrypted unique process identifier is the number of the current process instance.
2. The method of claim 1, wherein creating the text control window and hiding the text control window comprises:
creating the text control window by calling a system function CreateWindowW;
hiding the text control window so that the text control window is a window invisible to a user.
3. The method of claim 1, wherein the obtaining the process unique identifier of the process and encrypting the process unique identifier of the process using a custom encryption KEY to obtain the encrypted process unique identifier comprises:
acquiring a process unique identifier of the process by calling a system function GetCurrentProcessId ();
and taking the process unique identifier of the process and the encryption KEY as the input of an encryption interface DES.
4. The method of claim 1, wherein creating a detection thread comprises:
and creating the detection thread by calling a system function CreatTread, wherein the input of the system function CreatTread comprises identification information of the detection thread, the execution function of the detection thread is a system function TreadFunc, and the system function TreadFunc is used for detecting the number of the current process instances.
5. The method of claim 1, further comprising:
and setting the help text of the text control window through a system function SetWindowContextHelpid, wherein the text identifier of the help text is the specific identifier.
6. The method of claim 5, wherein determining the text control window from all windows in the system according to the specific identifier in the detection thread comprises:
acquiring window identifications of all windows in the system by calling a system function GetClassName;
determining the window with the window identifier as the specific identifier as a target text control window;
judging whether the target text control window is visible or not by calling a system function IsWindowsVissible;
if the target text control window is invisible, acquiring a help text of the target text control window by calling a system function GetWindowContextHelpID;
and if the help text of the target text control window is the specific identifier, determining that the target text control window is the text space window.
7. The method according to claim 6, wherein the obtaining the text of the text control window and decrypting the encrypted process unique identifier in the text according to the encryption KEY to obtain the decrypted process unique identifier comprises:
acquiring a text of the text space window through a system function SendMessageW, wherein the text comprises the encrypted process unique identifier;
and taking the encrypted process unique identification and the encrypted KEY as the input of a decryption interface Des.
8. A detection device, comprising:
the system comprises a creating unit, a displaying unit and a control unit, wherein the creating unit is used for creating a text control window and hiding the text control window, the window mark of the text control window is a specific mark, and the specific mark is used for distinguishing the text control window from other windows in the system;
the system comprises an acquisition unit, a processing unit and a processing unit, wherein the acquisition unit is used for acquiring a process unique identifier of a process and encrypting the process unique identifier of the process by using a self-defined encryption KEY to obtain an encrypted process unique identifier;
the writing unit is used for writing the encrypted process unique identifier into the text control window;
the creating unit is further configured to create a detection thread, where the detection thread is used to detect the number of current process instances;
a determining unit, configured to determine, in the detection thread, the text control window from all windows in the system according to the specific identifier when the number of current process instances needs to be detected;
the acquiring unit is further configured to acquire a text of the text control window, and decrypt the encrypted unique process identifier in the text according to the encrypted KEY to obtain a decrypted unique process identifier, where the number of the decrypted unique process identifiers is the number of the current process instance.
9. A computer-readable storage medium comprising instructions that, when executed on a computer, cause the computer to perform the method of any of claims 1-7.
10. A computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of any one of claims 1 to 7.
CN201811242047.3A 2018-10-24 2018-10-24 Method and related device for detecting number of process instances based on hidden window Active CN109299608B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811242047.3A CN109299608B (en) 2018-10-24 2018-10-24 Method and related device for detecting number of process instances based on hidden window

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811242047.3A CN109299608B (en) 2018-10-24 2018-10-24 Method and related device for detecting number of process instances based on hidden window

Publications (2)

Publication Number Publication Date
CN109299608A CN109299608A (en) 2019-02-01
CN109299608B true CN109299608B (en) 2020-10-16

Family

ID=65158588

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811242047.3A Active CN109299608B (en) 2018-10-24 2018-10-24 Method and related device for detecting number of process instances based on hidden window

Country Status (1)

Country Link
CN (1) CN109299608B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113495651B (en) * 2020-03-20 2024-05-21 北京京东振世信息技术有限公司 Window control method and device

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106484500A (en) * 2015-08-26 2017-03-08 北京奇虎科技有限公司 A kind of application operation method and device
CN106776050A (en) * 2016-10-17 2017-05-31 广州视源电子科技股份有限公司 Multi-user's process exclusive method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9953182B2 (en) * 2015-09-29 2018-04-24 International Business Machines Corporation Inter-process access control

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106484500A (en) * 2015-08-26 2017-03-08 北京奇虎科技有限公司 A kind of application operation method and device
CN106776050A (en) * 2016-10-17 2017-05-31 广州视源电子科技股份有限公司 Multi-user's process exclusive method and device

Also Published As

Publication number Publication date
CN109299608A (en) 2019-02-01

Similar Documents

Publication Publication Date Title
CN109324952B (en) Method and device for detecting number of process instances based on memory mapping file
US9396082B2 (en) Systems and methods of analyzing a software component
US10586026B2 (en) Simple obfuscation of text data in binary files
Mariani Userland Hooking in Windows
US7962952B2 (en) Information processing apparatus that executes program and program control method for executing program
CN109784007B (en) Byte code encryption method, byte code decryption method and terminal
US10545851B2 (en) Breakpoint insertion into kernel pages
EP3048550B1 (en) Measurement method, electronic device and measurement system
KR20130007659A (en) Protecting video content using virtualization
US11151251B2 (en) System and method for validating in-memory integrity of executable files to identify malicious activity
CN109117201B (en) Program exiting method and related equipment
US9047448B2 (en) Branch auditing in a computer program
CN105683985B (en) For virtual machine idiotropic system, method and non-transitory computer-readable medium
US11636197B2 (en) Selective import/export address table filtering
CN109684126B (en) Memory verification method for ARM equipment and ARM equipment for executing memory verification
CN109299608B (en) Method and related device for detecting number of process instances based on hidden window
US10275595B2 (en) System and method for characterizing malware
WO2013039527A1 (en) Security mechanism for developmental operating systems
US20230376610A1 (en) Non-Intrusive Method of Detecting Security Flaws of a Computer Program
EP2942728B1 (en) Systems and methods of analyzing a software component
CN111090480B (en) Method for detecting number of process instances and related device
JP2011243073A (en) Authentication program, program set, authentication method, authentication device, and software expiration date change device
KR102066580B1 (en) Program for injecting watermark into captured data and screen leak realisation service providing method
JP5549810B2 (en) Program obfuscation device, program control device, program obfuscation method, and program
US20180053016A1 (en) Visually configurable privacy enforcement

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant