CN109388946A - Malicious process detection method, device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN109388946A
Authority: CN (China)
Prior art keywords: target, file, pdb, information, path
Legal status: Granted
Application number: CN201811144191.3A
Other languages: Chinese (zh)
Other versions: CN109388946B (en)
Inventors: 杨峰, 苏文杰
Current Assignee: Zhuhai Mingting Technology Co ltd
Original Assignee: Zhuhai Juntian Electronic Technology Co Ltd
Application filed by Zhuhai Juntian Electronic Technology Co Ltd
Priority to CN201811144191.3A
Publication of CN109388946A
Application granted
Publication of CN109388946B
Legal status: Active


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Telephonic Communication Services (AREA)
  • Storage Device Security (AREA)

Abstract

Embodiments of the present invention provide a malicious process detection method, device, electronic equipment and storage medium, for solving the technical problem that it is difficult to detect that a process is controlled by malware. The method includes: when the start of a target process is detected, obtaining the process file path corresponding to the target process from memory; loading the process file corresponding to the target process according to the process file path, to obtain target portable executable (PE) file information, the target PE file information including a target program database (PDB) file; obtaining the target PDB file path of the target PDB file; and, if the target PDB file path meets a preset interception rule, preventing the target process from continuing to start. Implementing the embodiments of the present invention can improve the security of the electronic equipment.

Description

Malicious process detection method, device, electronic equipment and storage medium
Technical field
The present invention relates to the technical field of network information security, and in particular to a malicious process detection method, device, electronic equipment and storage medium.
Background technique
Malware refers to viruses, worms and Trojan horse programs that execute malicious tasks on a computer system and implement control by destroying software processes. With the development of electronic device technology, malware is developed and spread ever faster; it is therefore necessary to monitor processes and intercept the start of dangerous processes.
Summary of the invention
Embodiments of the present invention provide a malicious process detection method, device, electronic equipment and storage medium, for solving the technical problem that it is difficult to detect that a process is controlled by malware, and can improve the security of electronic equipment.
A first aspect of the embodiments of the present invention provides a malicious process detection method, comprising:
when the start of a target process is detected, obtaining the process file path corresponding to the target process from memory;
loading the process file corresponding to the target process according to the process file path, to obtain target portable executable (PE) file information, the target PE file information including a target program database (PDB) file;
obtaining the target PDB file path of the target PDB file;
if the target PDB file path meets a preset interception rule, preventing the target process from continuing to start.
In combination with the first aspect of the embodiments of the present invention, in a first possible implementation of the first aspect, obtaining the target PDB file path of the target PDB file comprises:
analyzing the file structure of the target PE file information to obtain the virtual address corresponding to the target process;
obtaining the corresponding target PDB file path from the virtual address.
In combination with the first aspect or the first possible implementation of the first aspect, in a second possible implementation of the first aspect of the embodiments of the present invention, the method further comprises:
obtaining the PE file information corresponding to each dangerous process among a plurality of predetermined dangerous processes, to obtain a plurality of PE file information, each PE file information including a PDB file;
obtaining the file path of the PDB file corresponding to each PE file information among the plurality of PE file information, to obtain a plurality of PDB file paths;
analyzing the plurality of PDB file paths to obtain the preset interception rule.
In combination with the second possible implementation of the first aspect, in a third possible implementation of the first aspect of the embodiments of the present invention, analyzing the plurality of PDB file paths to obtain the preset interception rule comprises:
determining the target process type corresponding to the target process;
selecting from the plurality of dangerous processes the dangerous processes whose process type is the target process type, to obtain a plurality of reference dangerous processes;
dividing the PDB file path corresponding to each reference dangerous process among the plurality of reference dangerous processes, to obtain a plurality of reference information sets;
analyzing the plurality of reference information sets to obtain the preset interception rule.
In combination with the first aspect, or its first, second or third possible implementation, in a fourth possible implementation of the first aspect of the embodiments of the present invention, the method further comprises:
determining a plurality of characteristic information corresponding to the target PDB file according to the target PDB file path;
determining an attack object according to the plurality of characteristic information, and repairing the target program corresponding to the target process based on the plurality of characteristic information.
A second aspect of the embodiments of the present invention provides a malicious process detection device, comprising:
a processing unit, configured to obtain the process file path corresponding to a target process from memory when the start of the target process is detected; to load the process file corresponding to the target process according to the process file path, to obtain target portable executable (PE) file information, the target PE file information including a target program database (PDB) file; and to obtain the target PDB file path of the target PDB file;
an execution unit, configured to prevent the start of the target process corresponding to the target program if the target file information meets a preset interception rule.
In combination with the second aspect of the embodiments of the present invention, in a first possible implementation of the second aspect, in terms of obtaining the target PDB file path of the target PDB file, the processing unit is specifically configured to analyze the file structure of the target PE file information to obtain the virtual address corresponding to the target process, and to obtain the corresponding target PDB file path from the virtual address.
In combination with the second aspect or the first possible implementation of the second aspect, in a second possible implementation of the second aspect of the embodiments of the present invention, the processing unit is further configured to obtain the PE file information corresponding to each preset dangerous process among a plurality of predetermined preset dangerous processes, to obtain a plurality of PE file information, each PE file information including a PDB file; to obtain the file path of the PDB file corresponding to each PE file information among the plurality of PE file information, to obtain a plurality of PDB file paths; and to analyze the plurality of PDB file paths to obtain the preset interception rule.
In combination with the second possible implementation of the second aspect, in a third possible implementation of the second aspect of the embodiments of the present invention, in terms of analyzing the plurality of PDB file paths to obtain the preset interception rule, the processing unit is specifically configured to determine the target process type corresponding to the target process; to select from the plurality of preset dangerous processes the preset dangerous processes whose process type is the target process type, to obtain a plurality of reference dangerous processes; to divide the PDB file path corresponding to each reference dangerous process among the plurality of reference dangerous processes, to obtain a plurality of reference information sets; and to analyze the plurality of reference information sets to obtain the preset interception rule.
In combination with the second aspect, or its first, second or third possible implementation, after the target process is prevented from continuing to start, the processing unit is further configured to determine a plurality of characteristic information corresponding to the target PDB file according to the target PDB file path; to determine an attack object according to the plurality of characteristic information; and to repair the target program corresponding to the target process based on the plurality of characteristic information.
A third aspect of the embodiments of the present invention provides electronic equipment, comprising: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit is configured to supply power to each circuit or device of the electronic equipment; the memory is configured to store executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, so as to execute the malicious process detection method provided by the first aspect of the embodiments of the present invention.
A fourth aspect of the embodiments of the present invention provides a non-transitory computer readable storage medium, wherein the storage medium is configured to store a computer program which, when executed by a processor, implements the malicious process detection method provided by the first aspect of the embodiments of the present invention.
A fifth aspect of the embodiments of the present invention provides an application program, wherein the application program is configured to execute, at runtime, the malicious process detection method provided by the first aspect of the embodiments of the present invention.
In the embodiments of the present invention, when the start of a target process is detected, the process file path corresponding to the target process is obtained from memory; the process file corresponding to the target process is loaded according to the process file path to obtain target portable executable (PE) file information, the target PE file information including a target program database (PDB) file; the target PDB file path of the target PDB file is obtained; and if the target PDB file path meets a preset interception rule, the target process is prevented from continuing to start. In this way, whether a process has been modified by malware is identified based on the PDB file path, which is generally not modified when the process file is released; if so, the target process is prevented from continuing to start, thereby improving the security of the electronic equipment.
Detailed description of the invention
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly described below. Evidently, the drawings in the following description are some embodiments of the present invention, and those of ordinary skill in the art can also obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of a malicious process detection method provided by an embodiment of the present invention;
Fig. 2 is a flow chart of another malicious process detection method provided by an embodiment of the present invention;
Fig. 3 is a structural diagram of a malicious process detection device provided by an embodiment of the present invention;
Fig. 4 is a structural diagram of electronic equipment provided by an embodiment of the present invention.
Specific embodiment
The technical solutions in the embodiments of the present invention will be described clearly and completely below in combination with the drawings in the embodiments. Evidently, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The terms "first", "second", "third" and the like in the description, claims and drawings of this specification are used to distinguish different objects and are not used to describe a particular order. Furthermore, the terms "include" and "have" and any variations thereof are intended to cover a non-exclusive inclusion. For example, a process, method, system, product or device that contains a series of steps or units is not limited to the listed steps or units, but optionally further includes steps or units that are not listed, or optionally further includes other steps or units inherent to the process, method, product or device.
Reference herein to an "embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment may be included in at least one embodiment of the present invention. The appearances of the phrase in various places in the description do not necessarily all refer to the same embodiment, nor to separate or alternative embodiments mutually exclusive of other embodiments. Those skilled in the art understand, explicitly and implicitly, that the embodiments described herein may be combined with other embodiments.
The electronic equipment described in the embodiments of the present invention may include smart phones (such as Android phones), tablet computers, palmtop computers, laptops, mobile internet devices (MID) or wearable devices, etc. The above devices are only examples and are not exhaustive; the electronic equipment includes but is not limited to those listed.
For ease of understanding, the terms involved in the embodiments of the present invention are explained first:
Process: a process is a running activity of a program in a computer on a certain data set; it is the basic unit of resource allocation and scheduling by the system, and the basis of the operating system structure. In early process-oriented computer architectures, the process was the basic execution entity of a program; in contemporary thread-oriented computer architectures, the process is the container of threads. A program is a description of instructions, data and their organization, and a process is the entity of the program.
Portable executable (PE) file: the executable program file in Microsoft's Windows operating system (it may be executed indirectly, such as a dynamic link library (DLL) file).
DLL file: in a system, many applications are not a single complete executable file; they are split into some relatively independent dynamic link libraries, i.e. DLL files. When a program is executed, the corresponding DLL files are called, and each DLL implements a different software function. A tester can write a new DLL file and have the target program load and execute it.
Program database (PDB) file: a symbol file for debugging, generated by the integrated development environment software provided by Microsoft (Microsoft Visual Studio, VS), in which debugging information is stored. The debugging information of a PE file is usually stored in the form of a program database (PDB) file. A PDB file stores the debugging and project status information of the application's binary file and records all variables and the relative positions and sizes of the main information tables; these tables can hold information about resources, imports, exports, relocations, debugging, thread-local storage and the Component Object Model (COM) at runtime. The debugging information helps the debugger analyze the internal layout of the program being debugged; when the program is recompiled, the debugging information correctly reflects the modifications of variables and functions, and with this information incremental linking of the program's debug configuration can be performed.
Debugging information is likewise generated while the application corresponding to malware runs, i.e. a PDB file also exists, and this PDB file is difficult to modify. Analyzing the PDB file therefore helps provide clues for further analysis of malicious samples.
Embodiments of the present invention provide a malicious process detection method, device, electronic equipment and storage medium, for solving the technical problem that it is difficult to detect that a process is controlled by malware, and can improve the security of electronic equipment.
Referring to Fig. 1, Fig. 1 is a flow diagram of a malicious process detection method provided by an embodiment of the present invention. The malicious process detection method is suitable for electronic equipment such as mobile phones and tablet computers. As shown in Fig. 1, the malicious process detection method may comprise the following steps.
S101: when the start of a target process is detected, obtain the process file path corresponding to the target process from memory.
In this application, the target process may be a process of the operating system of the electronic equipment, or a process corresponding to an application installed in the electronic equipment, etc. This application does not limit the method of detecting the start of the target process; a start instruction may be detected, the start instruction including the identification information of the target process and also the file path corresponding to the target process, etc. The identification information is used to determine the started process, and the file path is used to find the process file corresponding to the target process.
S102: load the process file corresponding to the target process according to the process file path, to obtain target portable executable (PE) file information, the target PE file information including a target program database (PDB) file.
After the process file path is determined, the process file corresponding to the target process can be obtained according to the process file path and loaded, to obtain the target portable executable (PE) file information.
In this application, a PE file may include a program database (PDB) file, a DLL file, an executable (EXE) file, a COM file, an OLE control extension (Object Linking and Embedding (OLE) Control Extension, OCX) file, etc. The target PE file information includes the respective file information of the above kinds of files, etc., which is not limited here.
S103: obtain the target PDB file path of the target PDB file.
In this application, the target PDB file path is the storage path of the target PDB file. The target PDB file path is fixed when the process is released and does not change afterwards, whereas other contents may change with the running state. This application therefore performs identification according to the target PDB file path: if the target PDB file path meets the preset interception rule, the target process is prevented from continuing to start; otherwise, the target process continues to start.
This application does not limit how the target PDB file path is obtained. In one possible embodiment, obtaining the target PDB file path of the target PDB file comprises: analyzing the file structure of the target PE file information to obtain the virtual address corresponding to the target process; and obtaining the corresponding target PDB file path from the virtual address.
Since the target PE file is an executable file, its code has a certain regularity. In one possible embodiment, analyzing the file structure of the target PE file information to obtain the virtual address corresponding to the target process comprises: parsing the target PE file information according to a preset shell script to obtain the virtual address. In this way, the target PE file information is parsed by a shell script written according to the rules of PDB file generation, to obtain the target PDB file path.
It can be understood that in this application the file structure of the target PE file information is first analyzed to obtain the virtual address corresponding to the target process, and the corresponding target PDB file path is then obtained from the virtual address. Obtaining the target PDB file path from the virtual address in the target PE file information improves the accuracy of the determination.
In the embodiment of this application, the file header information of the target PDB file may also be obtained and all records checked, including the offset address, length, attributes and identifier of each record, which is not limited here.
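The structural analysis of S103, as an added example that is not part of the patent: the Python below walks the PE headers to the debug data directory, maps its virtual address to a file offset through the section table, and reads the PDB path out of the CodeView RSDS record. The image it parses is constructed in memory by build_sample_pe (a deliberately minimal PE32+ layout chosen for this example, not a layout the patent specifies), so it runs offline.

```python
"""Locate the PDB path a PE image carries in its CodeView (RSDS) debug record."""
import struct

IMAGE_DIRECTORY_ENTRY_DEBUG = 6   # index of the debug data directory
IMAGE_DEBUG_TYPE_CODEVIEW = 2     # debug entry type whose payload is the RSDS record
DEBUG_ENTRY_SIZE = 28             # sizeof(IMAGE_DEBUG_DIRECTORY)


def _rva_to_offset(data, pe_off, rva):
    """Map a relative virtual address to a file offset by walking the section table."""
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size
    for i in range(num_sections):
        hdr = table + 40 * i
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return raw_ptr + (rva - vaddr)
    raise ValueError("RVA 0x%x lies outside every section" % rva)


def extract_pdb_path(data):
    """Return the PDB path from the first RSDS debug entry, or None if there is none."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # NumberOfRvaAndSizes / directory array sit at +92/+96 (PE32) or +108/+112 (PE32+).
    dirs_off = opt_off + (112 if magic == 0x20B else 96)
    if struct.unpack_from("<I", data, dirs_off - 4)[0] <= IMAGE_DIRECTORY_ENTRY_DEBUG:
        return None
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    if not dbg_rva or not dbg_size:
        return None
    dbg_off = _rva_to_offset(data, pe_off, dbg_rva)
    for i in range(dbg_size // DEBUG_ENTRY_SIZE):
        entry = dbg_off + DEBUG_ENTRY_SIZE * i
        dbg_type, size, _addr, raw_ptr = struct.unpack_from("<IIII", data, entry + 12)
        if dbg_type != IMAGE_DEBUG_TYPE_CODEVIEW or size < 24:
            continue
        if data[raw_ptr:raw_ptr + 4] != b"RSDS":
            continue  # older NB10 records are not handled here
        # RSDS layout: signature(4) GUID(16) age(4) then a NUL-terminated path.
        start, limit = raw_ptr + 24, raw_ptr + size
        end = data.find(b"\0", start, limit)
        return data[start:end if end >= 0 else limit].decode("latin-1")
    return None


def build_sample_pe(pdb_path):
    """Build a minimal constructed PE32+ image whose single section holds one RSDS record.

    Layout (an assumption for this example): headers below 0x200, one section mapped at
    RVA 0x1000 / file offset 0x200, debug directory at its start, RSDS record at +0x40.
    """
    sect_rva, sect_raw, pe_off = 0x1000, 0x200, 0x80
    rsds = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb_path.encode("latin-1") + b"\0"
    debug_entry = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                              len(rsds), sect_rva + 0x40, sect_raw + 0x40)
    section = (debug_entry.ljust(0x40, b"\0") + rsds).ljust(0x200, b"\0")

    dos = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", pe_off)).ljust(pe_off, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_DEBUG] = (sect_rva, len(debug_entry))
    opt = struct.pack("<H", 0x20B).ljust(108, b"\0") + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    sect_hdr = b".rdata".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section), sect_rva, len(section), sect_raw, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sect_hdr).ljust(sect_raw, b"\0") + section


if __name__ == "__main__":
    sample = build_sample_pe(r"D:\work\proj\Release\agent.pdb")  # constructed path
    print(extract_pdb_path(sample))
```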
S104: if the target PDB file path meets the preset interception rule, prevent the target process from continuing to start.
This application does not limit the preset interception rule; it may be a naming rule for files or variable names, the security of the storage path, or the relevance between the file identifier and the target program, etc.
In one possible embodiment, the method further comprises: obtaining the PE file information corresponding to each dangerous process among a plurality of predetermined dangerous processes, to obtain a plurality of PE file information, each PE file information including a PDB file; obtaining the file path of the PDB file corresponding to each PE file information among the plurality of PE file information, to obtain a plurality of PDB file paths; and analyzing the plurality of PDB file paths to obtain the preset interception rule.
A dangerous process is a process determined to be dangerous by security verification in the electronic equipment, or a process that endangers the electronic equipment. The security verification method is not limited: periodic scans may be performed by security software, or a security scan may be performed each time software starts or after software is installed, etc.
The plurality of PE file information is the file information of the PE file corresponding to each dangerous process among the plurality of dangerous processes, and each PE file information includes a PDB file, i.e. the debugging information of the process.
It can be understood that the PE file information corresponding to each dangerous process is first obtained to obtain the plurality of PE file information; the file path corresponding to each PE file information is then obtained to obtain the plurality of PDB file paths; and the plurality of PDB file paths is analyzed to determine the regularity of the PDB file paths corresponding to dangerous processes, thereby obtaining the preset interception rule. Since the preset interception rule is determined from the PDB file paths corresponding to processes already determined to be dangerous, the accuracy of detection is improved.
This application does not limit how the PDB file paths are analyzed to obtain the preset interception rule. In one possible embodiment, analyzing the plurality of PDB file paths to obtain the preset interception rule comprises: determining the target process type corresponding to the target process; selecting from the plurality of dangerous processes the dangerous processes whose process type is the target process type, to obtain a plurality of reference dangerous processes; dividing the PDB file path corresponding to each reference dangerous process among the plurality of reference dangerous processes, to obtain a plurality of reference information sets; and analyzing the plurality of reference information sets to obtain the preset interception rule.
It can be understood that the target process type corresponding to the target process is first determined; the dangerous processes whose process type is the target process type are then selected from the plurality of dangerous processes to obtain the plurality of reference dangerous processes; the PDB file paths corresponding to the plurality of reference dangerous processes are then divided, which may be done according to the regions in the file path; and the plurality of reference information sets is analyzed to obtain the preset interception rule. That is, the PDB file paths are divided per process type of the target process, which improves the accuracy of determining the detected target program.
In the malicious process detection method described in Fig. 1, when the start of a target process is detected, the process file path corresponding to the target process is obtained from memory; the process file corresponding to the target process is loaded according to the process file path to obtain target portable executable (PE) file information, the target PE file information including a target program database (PDB) file; the target PDB file path of the target PDB file is obtained; and if the target PDB file path meets the preset interception rule, the target process is prevented from continuing to start. In this way, whether a process has been modified by malware is identified based on the PDB file path, which is generally not modified when the process file is released; if so, the target process is prevented from continuing to start, thereby improving the security of the electronic equipment.
Consistent with the embodiment of Fig. 1, referring to Fig. 2, Fig. 2 is a flow chart of another malicious process detection method provided by an embodiment of the present invention. The malicious process detection method is suitable for electronic equipment such as mobile phones and tablet computers. As shown in Fig. 2, the malicious process detection method may comprise the following steps.
S201: when the start of a target process is detected, obtain the process file path corresponding to the target process from memory.
S202: load the process file corresponding to the target process according to the process file path, to obtain target portable executable (PE) file information, the target PE file information including a target program database (PDB) file.
S203: obtain the target PDB file path of the target PDB file.
S204: if the target PDB file path meets the preset interception rule, prevent the target process from continuing to start.
Steps S201 to S204 may refer to steps S101 to S104 and are not described again here.
S205: determine a plurality of characteristic information corresponding to the target PDB file according to the target PDB file path.
The plurality of characteristic information includes the country information corresponding to the target PDB file path, the attacker ID, the attack project name, the file name of the PDB file and other information used to identify the attack object, which is not limited here. This application does not limit the method of determining the characteristic information; the target PDB file path may also be matched against a preset database to obtain the plurality of characteristic information, where the preset database includes country identification codes, a string pattern library of known attacker IDs, a string pattern library of known attack project names, etc. The file name of the PDB file can be determined from the information between the last path separator in the target PDB file path and the suffix ".pdb".
S206: determine an attack object according to the plurality of characteristic information, and repair the target program corresponding to the target process based on the plurality of characteristic information.
The plurality of characteristic information can yield information about the attack object, from which the attack object is determined. In addition, the attacked process, or the program corresponding to the process, can be further repaired based on the plurality of characteristic information, for example according to the hazard type corresponding to the characteristic information, or according to a repair method corresponding to the attack object, etc., which is not limited here. In this way, the security of the electronic equipment can be further improved after the target program is repaired.
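Rule derivation of S104 and the characteristic information of S205, as one added example not taken from the patent: reference PDB paths of processes of the same type are split into regions, regions shared by several reference processes form the interception rule, and a path that matches yields the PDB file name plus any attacker-ID or project-name regions. The reference set, the GENERIC_REGIONS noise list and the two pattern libraries are constructed for this example and stand in for the preset database the text mentions.

```python
"""Derive a PDB-path interception rule from reference dangerous processes, then apply it."""
import re
from collections import Counter

# Constructed reference set: (process type, PDB path) of processes already judged dangerous.
REFERENCE_DANGEROUS = [
    ("service", r"D:\work\ghost_team\stage2\Release\svcloader.pdb"),
    ("service", r"D:\work\ghost_team\dropper\Release\svchelper.pdb"),
    ("service", r"C:\Users\op7\ghost_team\build\x64\Release\netsvc.pdb"),
    ("browser_plugin", r"E:\dev\bho_kit\Release\toolbar.pdb"),
]
# Regions common to almost any build tree carry no signal; they are ignored when deriving rules.
GENERIC_REGIONS = {"c:", "d:", "e:", "users", "release", "debug", "x64", "x86", "bin", "build"}
# Constructed pattern libraries standing in for the preset database of attacker IDs / project names.
ATTACKER_ID_PATTERNS = [re.compile(r"^op\d+$", re.I)]
PROJECT_NAME_PATTERNS = [re.compile(r"^ghost_team$", re.I), re.compile(r"^bho_kit$", re.I)]


def split_regions(pdb_path):
    """Split a PDB path into its directory regions and the bare PDB file name (no .pdb)."""
    parts = [p for p in re.split(r"[\\/]+", pdb_path) if p]
    name = parts[-1]
    if name.lower().endswith(".pdb"):
        name = name[:-4]
    return parts[:-1], name


def derive_interception_rule(reference, process_type, min_support=2):
    """Regions shared by at least min_support reference processes of the given type."""
    support = Counter()
    for ptype, path in reference:
        if ptype != process_type:
            continue
        regions, _ = split_regions(path)
        support.update({r.lower() for r in regions})  # each region counted once per process
    return {r for r, n in support.items() if n >= min_support and r not in GENERIC_REGIONS}


def extract_features(pdb_path):
    """Characteristic information recoverable from the path alone."""
    regions, name = split_regions(pdb_path)
    return {
        "pdb_filename": name,
        "attacker_ids": [r for r in regions if any(p.match(r) for p in ATTACKER_ID_PATTERNS)],
        "project_names": [r for r in regions if any(p.match(r) for p in PROJECT_NAME_PATTERNS)],
    }


def check_process(process_type, pdb_path, reference=REFERENCE_DANGEROUS):
    """Decide whether a starting process of process_type with this PDB path is stopped."""
    rule = derive_interception_rule(reference, process_type)
    if not pdb_path:
        return {"block": False, "reason": "no PDB path"}
    regions, _ = split_regions(pdb_path)
    hits = sorted(r for r in regions if r.lower() in rule)
    if not hits:
        return {"block": False, "reason": "no rule match"}
    return {"block": True, "matched_regions": hits, **extract_features(pdb_path)}


if __name__ == "__main__":
    print(check_process("service", r"C:\tmp\ghost_team\new\Release\update.pdb"))  # constructed
```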
In the malicious process detection method described in Fig. 2, when the start of a target process is detected, the process file path corresponding to the target process is obtained from memory; the process file corresponding to the target process is loaded according to the process file path to obtain target portable executable (PE) file information, the target PE file information including a target program database (PDB) file; the target PDB file path of the target PDB file is obtained; and if the target PDB file path meets the preset interception rule, the target process is prevented from continuing to start. In this way, whether a process has been modified by malware is identified based on the PDB file path, which is generally not modified when the process file is released; if so, the target process is prevented from continuing to start, improving the security of the electronic equipment. Then, the plurality of characteristic information corresponding to the target PDB file is determined from the target PDB file path, so that the attack object is determined according to the plurality of characteristic information, in order to avoid the process being attacked again, and the target program corresponding to the target process is repaired based on the plurality of characteristic information, further improving the security of the electronic equipment.
Consistent with the embodiments of Fig. 1 and Fig. 2, refer to Fig. 3, which is a structural diagram of a malicious process detection device provided by an embodiment of the present invention. The malicious process detection device may be provided in an electronic device such as a mobile phone or a tablet computer. As shown in Fig. 3, the malicious process detection device 300 includes:
Processing unit 301, configured to obtain, when the start of a target process is detected, the process file path corresponding to the target process from memory; load the process file corresponding to the target process according to the process file path, to obtain target portable executable (PE) file information, the target PE file information including a target program database (PDB) file; and obtain the target PDB file path of the target PDB file;
Execution unit 302, configured to prevent the target process corresponding to the target program from starting if the target file information meets the preset interception rule.
In a possible embodiment, in respect of obtaining the target PDB file path of the target PDB file, the processing unit 301 is specifically configured to analyze the file structure of the target PE file information to obtain the virtual address corresponding to the target process, and to obtain the corresponding target PDB file path from the virtual address.
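The following is an added example, not code from the patent or its assignee, showing how the step just described is carried out on a real PE layout: the data directory of the PE optional header is read to find the debug directory, the debug directory is walked to the CodeView entry, and the PDB path is read from the address that entry points at. It works both on the file as stored on disk (where RVAs must be translated through the section table) and on the loaded image (where RVAs are used directly, as in the patent's "obtain the PDB file path from the virtual address"). The PE image is constructed inline so the example runs offline; all function names are the example's own.

```python
"""
Added example (not the patent's own code): read the PDB path out of a Windows
PE file's CodeView (RSDS) debug record.  The PE image used as input is
constructed inline; every function name here is the example's own.
"""
import struct

IMAGE_DIRECTORY_ENTRY_DEBUG = 6   # index of the debug data directory
IMAGE_DEBUG_TYPE_CODEVIEW = 2     # debug entry type that carries the RSDS record
PE32PLUS_MAGIC = 0x20B            # optional-header magic of a 64-bit image


def _parse_headers(data):
    """Return (offset of the data directories, section table).
    Each section is (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (112 if magic == PE32PLUS_MAGIC else 96)   # PE32+ vs PE32 layout
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    return dd_off, sections


def _rva_to_offset(rva, sections):
    """Translate a relative virtual address into a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def map_image(data):
    """Simulate the loader: copy each section to its RVA so that RVA == offset."""
    _, sections = _parse_headers(data)
    image = bytearray(max(va + max(vs, rs) for va, vs, _, rs in sections))
    hdr_len = min(raw_ptr for _, _, raw_ptr, _ in sections)   # headers precede the first section
    image[:hdr_len] = data[:hdr_len]
    for va, _, raw_ptr, raw_size in sections:
        image[va:va + raw_size] = data[raw_ptr:raw_ptr + raw_size]
    return bytes(image)


def extract_pdb_path(data, mapped=False):
    """Return the PDB path from the CodeView debug record, or None if there is none.
    data is the PE file on disk (mapped=False) or the loaded image (mapped=True)."""
    dd_off, sections = _parse_headers(data)
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    if dbg_rva == 0 or dbg_size == 0:
        return None
    to_off = (lambda rva: rva) if mapped else (lambda rva: _rva_to_offset(rva, sections))
    start = to_off(dbg_rva)
    for off in range(start, start + dbg_size, 28):            # IMAGE_DEBUG_DIRECTORY is 28 bytes
        dtype, size, addr_rva = struct.unpack_from("<III", data, off + 12)
        if dtype != IMAGE_DEBUG_TYPE_CODEVIEW:
            continue
        cv = to_off(addr_rva)                                   # the "virtual address" of the record
        if data[cv:cv + 4] != b"RSDS":                          # only the PDB 7.0 format carries a path
            continue
        # RSDS layout: signature(4) GUID(16) age(4) NUL-terminated path
        raw = data[cv + 24:cv + size].split(b"\0", 1)[0]
        return raw.decode("utf-8", errors="replace")
    return None


def build_sample_pe(pdb_path):
    """Constructed test input: a minimal PE32+ whose single section holds one
    debug directory entry followed by an RSDS record naming pdb_path."""
    sect_rva, sect_raw = 0x1000, 0x400
    rsds = b"RSDS" + b"\0" * 16 + struct.pack("<I", 1) + pdb_path.encode() + b"\0"
    entry = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                        len(rsds), sect_rva + 28, sect_raw + 28)
    body = (entry + rsds).ljust(0x200, b"\0")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_DEBUG] = (sect_rva, 28)
    opt = struct.pack("<H", PE32PLUS_MAGIC).ljust(112, b"\0")
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sec = b".rdata".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(body), sect_rva,
                                                   len(body), sect_raw, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sec).ljust(sect_raw, b"\0") + body


if __name__ == "__main__":
    sample = build_sample_pe(r"C:\Users\builder\Desktop\AdPush\Release\adpush.pdb")
    print(extract_pdb_path(sample))                          # read from the file on disk
    print(extract_pdb_path(map_image(sample), mapped=True))  # read from the loaded image
```

A production parser should additionally bound every offset it computes against the buffer length and treat a debug directory that points outside any section as malformed rather than trusting the header; the `_rva_to_offset` check above is the minimal form of that validation.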
In a possible embodiment, the processing unit 301 is further configured to obtain the PE file information corresponding to each preset dangerous process among multiple predetermined preset dangerous processes, to obtain multiple pieces of PE file information, each piece of PE file information including a PDB file; obtain the file path of the PDB file corresponding to each piece of PE file information among the multiple pieces of PE file information, to obtain multiple PDB file paths; and analyze the multiple PDB file paths to obtain the preset interception rule.
In a possible embodiment, in respect of analyzing the multiple PDB file paths to obtain the preset interception rule, the processing unit 301 is specifically configured to determine the target process type corresponding to the target process; select, from the multiple preset dangerous processes, the preset dangerous processes whose process type is the target process type, to obtain multiple reference dangerous processes; split the PDB file path corresponding to each of the multiple reference dangerous processes, to obtain multiple reference information sets; and analyze the multiple reference information sets to obtain the preset interception rule.
In a possible embodiment, after the target process is prevented from continuing to start, the processing unit 301 is further configured to determine the multiple pieces of characteristic information corresponding to the target PDB file according to the target PDB file path; determine the attack object according to the multiple pieces of characteristic information; and repair the target program corresponding to the target process on the basis of the multiple pieces of characteristic information.
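The three embodiments above (deriving the interception rule from the PDB paths of known dangerous processes, restricting the references to the target's process type, and extracting characteristic information from a matched path) are shown end to end in this added example. It is not the patent's or the assignee's code: the reference list is constructed, and the patent text does not say what form the rule or the characteristic information takes, so the choices here (a rule is the set of path components that recur across references of one type; characteristic information is the user directory, project directory, build configuration and PDB file name) are this example's assumptions.

```python
"""
Added example (not the patent's own code): derive a preset interception rule
from the PDB paths of known dangerous processes of one type, apply it to a
target PDB path, and extract characteristic information from a matched path.
The reference list and all paths are constructed samples.
"""
import re
from collections import Counter

# Constructed reference data: (process_type, PDB path recorded in the PE file).
CONSTRUCTED_DANGEROUS = [
    ("adware", r"C:\Users\builder\Desktop\AdPush\Release\adpush.pdb"),
    ("adware", r"C:\Users\builder\Desktop\AdPush\Release\adpushsvc.pdb"),
    ("miner",  r"D:\src\xcoin\x64\Release\worker.pdb"),
]

# Path components too common to identify anything; they never become rule tokens.
GENERIC_COMPONENTS = {"c:", "d:", "users", "desktop", "src", "source", "repos",
                      "x64", "x86", "bin", "obj", "release", "debug"}


def split_pdb_path(path):
    """Split a Windows PDB path into lower-cased components (the 'reference information set')."""
    return [c for c in re.split(r"[\\/]+", path.lower()) if c]


def build_interception_rule(dangerous, target_type, min_support=2):
    """Return the set of path components shared by at least min_support reference
    dangerous processes of target_type.  An empty set means no rule could be
    derived (too few references), so nothing is intercepted on that basis."""
    refs = [path for ptype, path in dangerous if ptype == target_type]
    support = Counter(c for path in refs for c in set(split_pdb_path(path)))
    return {c for c, n in support.items()
            if n >= min_support and c not in GENERIC_COMPONENTS}


def matches_rule(pdb_path, rule, min_hits=1):
    """True if the target PDB path contains at least min_hits rule components."""
    return len(set(split_pdb_path(pdb_path)) & rule) >= min_hits


def extract_features(pdb_path):
    """Characteristic information from a PDB path.  Assumed layout:
    <drive>\\Users\\<user>\\...\\<project>\\[x64]\\<Release|Debug>\\<name>.pdb"""
    parts = split_pdb_path(pdb_path)
    feats = {"drive": parts[0] if parts and parts[0].endswith(":") else None,
             "user": None, "project": None, "build_config": None,
             "pdb_name": parts[-1] if parts else None}
    for i, comp in enumerate(parts[:-1]):
        if comp == "users" and i + 1 < len(parts) - 1:
            feats["user"] = parts[i + 1]
        elif comp in ("release", "debug"):
            feats["build_config"] = comp
            j = i - 1                        # skip platform/bin dirs back to the project dir
            while j > 0 and parts[j] in ("x64", "x86", "bin"):
                j -= 1
            feats["project"] = parts[j]
    return feats


def should_intercept(pdb_path, process_type, dangerous=CONSTRUCTED_DANGEROUS):
    """Full decision for one target: derive the rule for its process type, test the
    path, and return (intercept, features); features are only filled on a match."""
    rule = build_interception_rule(dangerous, process_type)
    if matches_rule(pdb_path, rule):
        return True, extract_features(pdb_path)
    return False, None


if __name__ == "__main__":
    print(should_intercept(r"C:\Users\builder\Desktop\AdPush\Release\update.pdb", "adware"))
    print(should_intercept(r"C:\Users\alice\source\repos\Notes\Release\notes.pdb", "adware"))
    print(should_intercept(r"D:\src\xcoin\x64\Release\worker.pdb", "miner"))   # single reference
```

The third call shows the failure mode of a purely statistical rule: with only one reference of type "miner" no component reaches `min_support`, so even the known path is not intercepted. A deployment would pair this with an exact-path list for types with few references, and would treat an empty PDB path (a binary built without debug information) as "no evidence" rather than as benign.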
In the malicious process detection device described with reference to Fig. 3, when the start of a target process is detected, the process file path corresponding to the target process is obtained from memory; the process file corresponding to the target process is loaded according to that process file path to obtain target portable executable (PE) file information, the target PE file information including a target program database (PDB) file; the target PDB file path of the target PDB file is obtained; and if the target PDB file path meets a preset interception rule, the target process is prevented from continuing to start. Because the PDB file path is generally not modified when a process file is released, it can be used to identify whether the process has been modified by malware; if so, the target process is prevented from continuing to start, which improves the security of the electronic device.
Consistent with the embodiments of Fig. 1 and Fig. 2, refer to Fig. 4, which shows an electronic device disclosed by an embodiment of the present invention. The electronic device may be a mobile phone, a tablet computer or the like. As shown in Fig. 4, the electronic device may include a housing 401, a processor 402, a memory 403, a circuit board 404 and a power supply circuit 405, where the circuit board 404 is placed inside the space enclosed by the housing, and the processor 402 and the memory 403 are arranged on the circuit board 404; the power supply circuit 405 supplies power to each circuit or device of the electronic device; the memory 403 stores executable program code; and the processor 402 runs the program corresponding to the executable program code by reading the executable program code stored in the memory 403, so as to perform the following steps:
When the start of a target process is detected, obtain the process file path corresponding to the target process from memory;
Load the process file corresponding to the target process according to the process file path, to obtain target portable executable (PE) file information, the target PE file information including a target program database (PDB) file;
Obtain the target PDB file path of the target PDB file;
If the target PDB file path meets a preset interception rule, prevent the target process from continuing to start.
As a possible embodiment, in respect of obtaining the target PDB file path of the target PDB file, the processor 402 is specifically configured to perform the following operations:
Analyze the file structure of the target PE file information to obtain the virtual address corresponding to the target process;
Obtain the corresponding target PDB file path from the virtual address.
As a possible embodiment, the processor 402 is further configured to perform the following operations:
Obtain the PE file information corresponding to each dangerous process among multiple predetermined dangerous processes, to obtain multiple pieces of PE file information, each piece of PE file information including a PDB file;
Obtain the file path of the PDB file corresponding to each piece of PE file information among the multiple pieces of PE file information, to obtain multiple PDB file paths;
Analyze the multiple PDB file paths to obtain the preset interception rule.
As a possible embodiment, in respect of analyzing the multiple PDB file paths to obtain the preset interception rule, the processor 402 is specifically configured to perform the following operations:
Determine the target process type corresponding to the target process;
Select, from the multiple dangerous processes, the dangerous processes whose process type is the target process type, to obtain multiple reference dangerous processes;
Split the PDB file path corresponding to each of the multiple reference dangerous processes, to obtain multiple reference information sets;
Analyze the multiple reference information sets to obtain the preset interception rule.
As a possible embodiment, after the target process is prevented from continuing to start, the processor 402 is further configured to perform the following operations:
Determine the multiple pieces of characteristic information corresponding to the target PDB file according to the target PDB file path;
Determine the attack object according to the multiple pieces of characteristic information, and repair the target program corresponding to the target process on the basis of the multiple pieces of characteristic information.
In the electronic device described with reference to Fig. 4, when the start of a target process is detected, the process file path corresponding to the target process is obtained from memory; the process file corresponding to the target process is loaded according to that process file path to obtain target portable executable (PE) file information, the target PE file information including a target program database (PDB) file; the target PDB file path of the target PDB file is obtained; and if the target PDB file path meets a preset interception rule, the target process is prevented from continuing to start. Because the PDB file path is generally not modified when a process file is released, it can be used to identify whether the process has been modified by malware; if so, the target process is prevented from continuing to start, which improves the security of the electronic device.
In one embodiment, a non-transitory computer readable storage medium is provided, on which a computer program is stored, where the computer program, when executed by a processor, implements the malicious process detection method shown in the embodiment of Fig. 1 or Fig. 2.
In one embodiment, an application program is provided, which, at runtime, performs the malicious process detection method shown in the embodiment of Fig. 1 or Fig. 2.
Those of ordinary skill in the art will understand that all or part of the steps of the methods in the above embodiments can be completed by a program instructing the relevant hardware; the program may be stored in a computer readable storage medium, and the storage medium may include a flash disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc or the like.
The malicious process detection method, device and electronic device provided by the embodiments of the present invention have been described in detail above. Specific examples have been used herein to illustrate the principles and implementation of the invention, and the description of the above embodiments is only intended to help understand the method of the invention and its core idea. At the same time, those skilled in the art may, in accordance with the idea of the invention, make changes to the specific implementation and the scope of application. In conclusion, the content of this specification should not be understood as limiting the invention.

Claims (10)

1. A malicious process detection method, characterized in that it comprises:
When the start of a target process is detected, obtaining the process file path corresponding to the target process from memory;
Loading the process file corresponding to the target process according to the process file path, to obtain target portable executable (PE) file information, the target PE file information including a target program database (PDB) file;
Obtaining the target PDB file path of the target PDB file;
If the target PDB file path meets a preset interception rule, preventing the target process from continuing to start.
2. The method according to claim 1, characterized in that obtaining the target PDB file path of the target PDB file comprises:
Analyzing the file structure of the target PE file information to obtain the virtual address corresponding to the target process;
Obtaining the corresponding target PDB file path from the virtual address.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
Obtaining the PE file information corresponding to each dangerous process among multiple predetermined dangerous processes, to obtain multiple pieces of PE file information, each piece of PE file information including a PDB file;
Obtaining the file path of the PDB file corresponding to each piece of PE file information among the multiple pieces of PE file information, to obtain multiple PDB file paths;
Analyzing the multiple PDB file paths to obtain the preset interception rule.
4. The method according to claim 3, characterized in that analyzing the multiple PDB file paths to obtain the preset interception rule comprises:
Determining the target process type corresponding to the target process;
Selecting, from the multiple dangerous processes, the dangerous processes whose process type is the target process type, to obtain multiple reference dangerous processes;
Splitting the PDB file path corresponding to each of the multiple reference dangerous processes, to obtain multiple reference information sets;
Analyzing the multiple reference information sets to obtain the preset interception rule.
5. The method according to any one of claims 1 to 4, characterized in that, after preventing the target process from continuing to start, the method further comprises:
Determining the multiple pieces of characteristic information corresponding to the target PDB file according to the target PDB file path;
Determining the attack object according to the multiple pieces of characteristic information, and repairing the target program corresponding to the target process on the basis of the multiple pieces of characteristic information.
6. A malicious process detection device, characterized in that it comprises:
A processing unit, configured to obtain, when the start of a target process is detected, the process file path corresponding to the target process from memory; load the process file corresponding to the target process according to the process file path, to obtain target portable executable (PE) file information, the target PE file information including a target program database (PDB) file; and obtain the target PDB file path of the target PDB file;
An execution unit, configured to prevent the target process corresponding to the target program from starting if the target file information meets a preset interception rule.
7. The device according to claim 6, characterized in that, in respect of obtaining the target PDB file path of the target PDB file, the processing unit is specifically configured to analyze the file structure of the target PE file information to obtain the virtual address corresponding to the target process, and to obtain the corresponding target PDB file path from the virtual address.
8. The device according to claim 6 or 7, characterized in that the processing unit is further configured to obtain the PE file information corresponding to each preset dangerous process among multiple predetermined preset dangerous processes, to obtain multiple pieces of PE file information, each piece of PE file information including a PDB file; obtain the file path of the PDB file corresponding to each piece of PE file information among the multiple pieces of PE file information, to obtain multiple PDB file paths; and analyze the multiple PDB file paths to obtain the preset interception rule.
9. An electronic device, characterized in that it comprises a housing, a processor, a memory, a circuit board and a power supply circuit, where the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the method according to any one of claims 1 to 5.
10. A non-transitory computer readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the method according to any one of claims 1 to 5.
CN201811144191.3A 2018-09-28 2018-09-28 Malicious process detection method and device, electronic equipment and storage medium Active CN109388946B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811144191.3A CN109388946B (en) 2018-09-28 2018-09-28 Malicious process detection method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811144191.3A CN109388946B (en) 2018-09-28 2018-09-28 Malicious process detection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN109388946A true CN109388946A (en) 2019-02-26
CN109388946B CN109388946B (en) 2022-02-25

Family

ID=65418268

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811144191.3A Active CN109388946B (en) 2018-09-28 2018-09-28 Malicious process detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN109388946B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110889116A (en) * 2019-11-15 2020-03-17 珠海豹趣科技有限公司 Advertisement blocking method and device and electronic equipment
CN111639339A (en) * 2020-05-26 2020-09-08 珠海豹趣科技有限公司 Process monitoring method and device, electronic equipment and storage medium
CN112100619A (en) * 2019-06-18 2020-12-18 深信服科技股份有限公司 Malicious file detection method, system, equipment and computer storage medium
CN113110976A (en) * 2021-04-20 2021-07-13 北京百家科技集团有限公司 Abnormity analysis method and device, electronic equipment and readable storage medium
CN113360913A (en) * 2021-08-10 2021-09-07 杭州安恒信息技术股份有限公司 Malicious program detection method and device, electronic equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120260337A1 (en) * 2005-12-14 2012-10-11 Jacobus Van Der Merwe System and Method for Avoiding and Mitigating a DDoS Attack
CN103955645A (en) * 2014-04-28 2014-07-30 百度在线网络技术(北京)有限公司 Method, device and system for detecting malicious process behavior
CN105095759A (en) * 2015-07-21 2015-11-25 安一恒通(北京)科技有限公司 File detection method and device
CN105488405A (en) * 2014-12-25 2016-04-13 哈尔滨安天科技股份有限公司 PDB debug information based malicious code analysis method and system
CN107871079A (en) * 2017-11-29 2018-04-03 深信服科技股份有限公司 A kind of suspicious process detection method, device, equipment and storage medium
CN108073808A (en) * 2017-12-21 2018-05-25 哈尔滨安天科技股份有限公司 Method and system based on pdb Debugging message generation attacker's portrait

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112100619A (en) * 2019-06-18 2020-12-18 深信服科技股份有限公司 Malicious file detection method, system, equipment and computer storage medium
CN112100619B (en) * 2019-06-18 2024-01-05 深信服科技股份有限公司 Malicious file detection method, system, equipment and computer storage medium
CN110889116A (en) * 2019-11-15 2020-03-17 珠海豹趣科技有限公司 Advertisement blocking method and device and electronic equipment
CN110889116B (en) * 2019-11-15 2024-02-27 珠海豹趣科技有限公司 Advertisement interception method and device and electronic equipment
CN111639339A (en) * 2020-05-26 2020-09-08 珠海豹趣科技有限公司 Process monitoring method and device, electronic equipment and storage medium
CN111639339B (en) * 2020-05-26 2023-06-23 珠海豹趣科技有限公司 Process monitoring method and device, electronic equipment and storage medium
CN113110976A (en) * 2021-04-20 2021-07-13 北京百家科技集团有限公司 Abnormity analysis method and device, electronic equipment and readable storage medium
CN113360913A (en) * 2021-08-10 2021-09-07 杭州安恒信息技术股份有限公司 Malicious program detection method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN109388946B (en) 2022-02-25

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20191129

Address after: Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province

Applicant after: Zhuhai Leopard Technology Co.,Ltd.

Address before: 519070, No. 10, main building, No. six, science Road, Harbour Road, Tang Wan Town, Guangdong, Zhuhai, 601F

Applicant before: Zhuhai Juntian Electronic Technology Co.,Ltd.

TA01 Transfer of patent application right
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20231128

Address after: Room 2322-9, Zone C, 23rd Floor, No. 108 Huitong Third Road, Hengqin New District, Zhuhai City, Guangdong Province, 519000

Patentee after: Zhuhai Mingting Technology Co.,Ltd.

Address before: Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province

Patentee before: Zhuhai Leopard Technology Co.,Ltd.

TR01 Transfer of patent right