CN109726560A - Terminal device system protection method and device - Google Patents


Info

Publication number: CN109726560A
Authority: CN (China)
Prior art keywords: terminal device; dynamic link; link library; nonsystematic; application program
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201811640526.0A
Other languages: Chinese (zh)
Inventors: 胡彬, 黄瀚, 李宇, 李宗越, 王腾, 王宜云, 卢杨渐, 黄鉴廷
Current Assignee: 360 Enterprise Safety Technology (zhuhai) Co Ltd; Beijing Qianxin Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: 360 Enterprise Safety Technology (zhuhai) Co Ltd; Beijing Qianxin Technology Co Ltd


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The invention discloses a terminal device system protection method and device in the field of security technology. Its main purpose is to make it possible to determine that a system process of a terminal device is under attack and to protect against system process vulnerabilities, thereby improving the security of the terminal device. The method includes: capturing, locally on the terminal device, the call stack feature corresponding to an operation behavior of an application program on the terminal device; using the call stack feature to detect whether the application program has loaded a non-system dynamic link library of the terminal device; if so, determining that the operation behavior is a dangerous behavior; if not, determining that the operation behavior is a safe behavior. The invention is suitable for terminal device system protection.

Description

Terminal device system protection method and device
Technical field
The present invention relates to the field of security technology, and in particular to a terminal device system protection method and device.
Background technique
With the rapid development of Internet technology, more and more application programs have appeared and are widely used on terminal devices to make users' lives and work more convenient. To avoid data leakage from terminal devices and the resulting losses to users' property, system security protection of terminal devices has therefore become more and more important.
At present, system security protection of a terminal device usually takes the operation behavior of an application program as its basis and, to address the problem of false positives in detection, introduces a whitelist mechanism: when the process of the application program belongs to a whitelisted process, the application program is judged to be safe. In practice, after an attacker discovers a vulnerability in a system process, the attacker usually constructs malicious code that triggers the vulnerability and then executes further malicious code, thereby attacking the system process of the terminal device. Since the system processes of the terminal device belong to the whitelisted processes, this approach cannot determine that a system process of the terminal device is under attack, so the system process vulnerability cannot be protected against and the security of the terminal device is low. Proposing a new terminal device system security protection scheme has therefore become an urgent technical problem in the field of terminal device security.
Summary of the invention
In view of this, the present invention provides a terminal device system protection method and device whose main purpose is to make it possible to determine that a system process of the terminal device is under attack and to protect against system process vulnerabilities, thereby improving the security of the terminal device.
According to a first aspect of the present invention, a terminal device system protection method is provided, comprising:
capturing, locally on the terminal device, the call stack feature corresponding to an operation behavior of an application program on the terminal device;
using the call stack feature to detect whether the application program has loaded a non-system dynamic link library of the terminal device;
if so, determining that the operation behavior is a dangerous behavior;
if not, determining that the operation behavior is a safe behavior.
According to a second aspect of the present invention, a terminal device system protection device is provided, comprising:
a capturing unit, configured to capture, locally on the terminal device, the call stack feature corresponding to an operation behavior of an application program on the terminal device;
a detection unit, configured to use the call stack feature to detect whether the application program has loaded a non-system dynamic link library of the terminal device;
a determination unit, configured to determine that the operation behavior is a dangerous behavior if the detection unit detects that the application program has loaded a non-system dynamic link library of the terminal device;
the determination unit being further configured to determine that the operation behavior is a safe behavior if the detection unit detects that the application program has not loaded a non-system dynamic link library of the terminal device.
According to a third aspect of the present invention, a computer-readable storage medium is provided on which a computer program is stored, the program performing the following steps when executed by a processor:
capturing, locally on the terminal device, the call stack feature corresponding to an operation behavior of an application program on the terminal device;
using the call stack feature to detect whether the application program has loaded a non-system dynamic link library of the terminal device;
if so, determining that the operation behavior is a dangerous behavior;
if not, determining that the operation behavior is a safe behavior.
According to a fourth aspect of the present invention, a computer device is provided, comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, the processor performing the following steps when executing the program:
capturing, locally on the terminal device, the call stack feature corresponding to an operation behavior of an application program on the terminal device;
using the call stack feature to detect whether the application program has loaded a non-system dynamic link library of the terminal device;
if so, determining that the operation behavior is a dangerous behavior;
if not, determining that the operation behavior is a safe behavior.
The present invention provides a terminal device system protection method and device that can capture, locally on the terminal device, the call stack feature corresponding to an operation behavior of an application program on the terminal device, and can use the call stack feature to detect whether the application program has loaded a non-system dynamic link library of the terminal device; if so, the operation behavior is determined to be a dangerous behavior, and if not, a safe behavior. It is thus possible to determine that a system process of the terminal device is under attack and to protect against system process vulnerabilities, which in turn improves the security of the terminal device.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and implemented according to the contents of the specification, and that the above and other objects, features and advantages of the present invention may be made clearer and easier to understand, specific embodiments of the present invention are set out below.
Detailed description of the invention
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference numerals refer to the same parts. In the drawings:
Fig. 1 shows a flow diagram of a terminal device system protection method provided in an embodiment of the present invention;
Fig. 2 shows a flow diagram of another terminal device system protection method provided in an embodiment of the present invention;
Fig. 3 shows a structural schematic diagram of a terminal device system protection device provided in an embodiment of the present invention;
Fig. 4 shows a structural schematic diagram of another terminal device system protection device provided in an embodiment of the present invention;
Fig. 5 shows a schematic diagram of the physical structure of a computer device provided in an embodiment of the present invention.
Specific embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the disclosure may be realised in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided so that the present invention can be understood more thoroughly and the scope of the present disclosure can be fully conveyed to those skilled in the art.
As stated in the background, system security protection of a terminal device usually takes the operation behavior of an application program as its basis and, to address the problem of false positives in detection, introduces a whitelist mechanism: when the process of the application program belongs to a whitelisted process, the application program is judged to be safe. In practice, after an attacker discovers a vulnerability in a system process, the attacker usually constructs malicious code that triggers the vulnerability and then executes further malicious code, thereby attacking the system process of the terminal device. Since the system processes of the terminal device belong to the whitelisted processes, this approach cannot determine that a system process of the terminal device is under attack, so the system process vulnerability cannot be protected against and the security of the terminal device is low. Proposing a new terminal device system security protection scheme has therefore become an urgent technical problem in the field of terminal device security.
To solve the above technical problem, an embodiment of the present invention provides a terminal device system protection method, as shown in Fig. 1, which comprises:
101. Capture, locally on the terminal device, the call stack feature corresponding to an operation behavior of an application program on the terminal device.
The terminal device may be a computer, a notebook, a mobile phone or the like. The call stack feature may be the sequence of system function interfaces called by the application program when it executes the operation behavior, and is dynamic in-memory data. Different operation behaviors on the terminal device have different call stack features, and the same operation behavior has different call stack features in different scenarios. The executing subject of the embodiment of the present invention is the terminal device, so the terminal device can protect its own system offline.
In the embodiment of the present invention, a preset capturing module may be injected into the process space of the application program by means of process injection; the system calls of the operation behavior are then hooked by means of hooking; finally, the system calls are traced back by means of stack back-tracing, so as to obtain the call stack feature corresponding to the operation behavior.
102. Use the call stack feature to detect whether the application program has loaded a non-system dynamic link library of the terminal device. If so, perform step 103; if not, perform step 104.
In the embodiment of the present invention, the dynamic link libraries on the terminal device can be divided into non-system dynamic link libraries and system dynamic link libraries. A system dynamic link library is one that a system process loads during normal operation; if the application program has loaded system dynamic link libraries, the system process is operating normally and the application program is operating the terminal device normally, so the operation behavior can be determined to be a safe behavior. If the application program has loaded a non-system dynamic link library, a vulnerability in the system process may have been exploited, with malicious code using the vulnerability to load the non-system dynamic link library and attack the terminal device system; the operation behavior of the application program is therefore determined to be a dangerous behavior.
103. Determine that the operation behavior is a dangerous behavior.
In the embodiment of the present invention, to ensure the security of the terminal device, the dangerous behavior may be blocked or intercepted after the operation behavior is determined to be a dangerous behavior. For example, if the dynamic link libraries loaded when the terminal device starts the system menu by default are system dynamic link libraries, but an application program operating the terminal device loads a non-system dynamic link library for starting the system menu, then the operation behavior of starting the system menu is determined to be a dangerous behavior and the system menu is prevented from starting.
104. Determine that the operation behavior is a safe behavior.
It should be noted that, to allow the user to use the terminal device normally, the operation behavior may be released after it is determined to be a safe behavior. For example, when an application program wants to obtain file information from the terminal device, if by obtaining the call stack feature corresponding to the file information it is detected that the application program has not loaded a non-system dynamic link library, and the loaded dynamic link libraries are system dynamic link libraries that the system allows to be loaded, then the operation behavior of obtaining the file information is determined to be a safe behavior and the requested file information is returned to the user.
The terminal device system protection method provided by the embodiment of the present invention can capture, locally on the terminal device, the call stack feature corresponding to an operation behavior of an application program on the terminal device, and can use the call stack feature to detect whether the application program has loaded a non-system dynamic link library of the terminal device; if so, the operation behavior is determined to be a dangerous behavior, and if not, a safe behavior. It is thus possible to determine that a system process of the terminal device is under attack and to protect against system process vulnerabilities, which in turn improves the security of the terminal device.
Further, to better illustrate the above terminal device system protection process, and as a refinement and extension of the above embodiment, an embodiment of the present invention provides another terminal device system protection method, as shown in Fig. 2, although the method is not limited to it. Specifically:
201. Capture, locally on the terminal device, the call stack feature corresponding to an operation behavior of an application program on the terminal device.
In the embodiment of the present invention, in order to capture the call stack feature, step 201 may specifically include: injecting a preset capturing module into the process of the application program to monitor the operation behavior; using a preset hooking function to hook a function of the system application layer of the terminal device so as to intercept the system call corresponding to the operation behavior; and using a preset stack-information back-tracing function to trace back the stack information of the system call, so as to obtain the call stack feature corresponding to the operation behavior.
The preset capturing module may be written by a technician according to process injection technology, the preset hooking function may be written by a technician according to hooking technology, and the preset stack-information back-tracing function may be written by a technician according to stack back-tracing technology. Different capturing modules may be set for different operation behaviors, where a capturing module may be a dynamic link library of the corresponding functions, or different preset hooking functions and different preset stack-information back-tracing functions may be written. For example, for the operation behavior of opening a file, the preset hooking function may hook the NtCreateFile function, and the preset stack-information back-tracing function may be the RtlCaptureStackBackTrace function.
202. Use the call stack feature to detect whether the application program has loaded a non-system dynamic link library of the terminal device. If so, perform step 203; if not, perform step 205.
In the embodiment of the present invention, when developing the system, the developer of the terminal device system usually sets certain system dynamic link libraries and the corresponding load paths of those system dynamic link libraries. Step 202 may therefore specifically include: detecting whether the load path corresponding to a dynamic link library in the call stack feature meets the preset load path; if it does not, determining that the application program has loaded a non-system dynamic link library of the terminal device; if it does, determining that the application program has not loaded a non-system dynamic link library of the terminal device. The dynamic link libraries in the call stack feature and their corresponding load paths can be parsed from the call stack feature by a program or function. The preset load path may be stored locally on the terminal device and may be the load path corresponding to the system dynamic link libraries, for example C:\Windows\System32\xx.dll. If the call stack feature contains information such as "A.dll!SHCreateStreamFileW+0x38e (C:\Windows\Syst\A.dll)", the dynamic link library parsed from the call stack feature is A.dll and its load path is C:\Windows\Syst\A.dll rather than C:\Windows\System32\A.dll, which indicates that a vulnerability in the system process has been exploited: the application program has used the vulnerability to load the non-system dynamic link library A.dll of the terminal device and attack the terminal device system.
It should be noted that, to improve the accuracy of detecting the operation behavior, before determining that the application program has loaded a non-system dynamic link library of the terminal device the method may further detect whether the signature corresponding to the dynamic link library in the call stack feature meets a preset signature; if it does, it is determined that the application program has not loaded a non-system dynamic link library of the terminal device; if it does not, it is determined that the application program has loaded a non-system dynamic link library of the terminal device. To ensure the security of the terminal device, the developer of the terminal device system signs dynamic link libraries; when a dynamic link library passes the system signature check, the behavior of loading that dynamic link library is allowed. The preset signature may be a signature in a signature list provided by the terminal device developer; the signature list may be stored locally on the terminal device and may hold different dynamic link libraries together with their corresponding signatures. Specifically, the preset signature may be a preset valid signature: it is detected whether the signature corresponding to the dynamic link library in the call stack feature meets the preset valid signature, and if it does, it is determined that the application program has not loaded a non-system dynamic link library of the terminal device.
203. Judge whether the loaded non-system dynamic link library is a registered non-system dynamic link library. If not, perform step 204; if so, perform step 205.
It should be noted that, to extend the functions available on the terminal device, the terminal device system generally allows some application programs to be installed and registered, and an application program usually registers some non-system dynamic link libraries when it is installed and registered. In practice, the terminal device system treats the loading of these registered non-system dynamic link libraries by an application program as normal loading behavior by default; therefore, when the non-system dynamic link library loaded by the application program is judged to be a registered non-system dynamic link library, the operation behavior of the application program is determined to be a safe behavior. When the application program loads an unregistered non-system dynamic link library, a vulnerability in the system process has been exploited: the unregistered non-system dynamic link library was loaded by malicious code using the vulnerability in order to attack the system process. Therefore, when the non-system dynamic link library loaded by the application program is judged not to be a registered non-system dynamic link library, the operation behavior of the application program is determined to be a dangerous behavior. Step 203 avoids protection false positives, that is, it avoids an application program's loading of a registered non-system dynamic link library being mistakenly reported as malicious code intruding into a system process.
The registered non-system dynamic link library may be an input method dynamic link library or another registered non-system dynamic link library. In a specific application scenario, after it is determined that the application program has loaded a non-system dynamic link library of the terminal device, it may further be judged whether the loaded non-system dynamic link library is an input method dynamic link library; if it is, the application program's loading of the dynamic link library is determined to be a legitimate behavior and the operation behavior is determined to be a safe behavior; if it is not, it may further be judged whether the loaded non-system dynamic link library is another registered non-system dynamic link library; if so, the application program's loading of the dynamic link library is determined to be a legitimate behavior, and otherwise the operation behavior is determined to be a dangerous behavior.
In a specific application scenario, when an application program applies for registration and the terminal device system has approved the non-system dynamic link libraries it applied to register, those non-system dynamic link libraries may be saved in a preset list of registered non-system dynamic link libraries. Step 203 may then specifically include: judging whether the loaded non-system dynamic link library is a non-system dynamic link library in the preset list of registered non-system dynamic link libraries; if so, determining that the loaded non-system dynamic link library is a registered non-system dynamic link library.
204. Determine that the operation behavior is a dangerous behavior.
In a specific application scenario, to improve the accuracy of application program detection, a preset call stack feature library may also be built from the safe call stack features corresponding to sample safe behaviors, and the operation behavior may then be further checked against the preset call stack feature library to determine whether it is a dangerous behavior. This may specifically include: detecting whether the dynamic link libraries in the call stack feature match the safe dynamic link libraries in the preset call stack feature library, where the preset call stack feature library is built from the safe call stack features corresponding to sample safe behaviors and the safe dynamic link libraries are the dynamic link libraries in those safe call stack features; if they do not match, determining that the operation behavior is a dangerous behavior.
In the embodiment of the present invention, to further improve the security of the terminal device, after step 204 the method may further include: intercepting the operation behavior and adding the application program to a preset program blacklist. By adding the application program to the preset program blacklist, the operation behavior can be intercepted promptly the next time it occurs. In addition, after the operation behavior is determined to be a dangerous behavior, a scanning and removal tool may be used to scan for and remove the non-system dynamic link library loaded by the application program.
205. Determine that the operation behavior is a safe behavior.
The other terminal device system protection method provided by the embodiment of the present invention can capture, locally on the terminal device, the call stack feature corresponding to an operation behavior of an application program on the terminal device, and can use the call stack feature to detect whether the application program has loaded a non-system dynamic link library of the terminal device; if so, the operation behavior is determined to be a dangerous behavior, and if not, a safe behavior. It is thus possible to determine that a system process of the terminal device is under attack and to protect against system process vulnerabilities, which in turn improves the security of the terminal device.
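The decision logic of steps 202 to 205 above (which also covers steps 102 to 104 of the first embodiment), as an added Python illustration that is not code from the patent or its assignees: it parses frames of the shape quoted in step 202, applies the load-path and signature checks of step 202 and the registered-DLL check of step 203, and returns the verdict of step 204 or 205. The preset load path C:\Windows\System32 comes from the text; the signer list, the registered-DLL list, the observed signatures, the `.dll`-suffix filter and all sample stacks are assumptions constructed for this example.

```python
"""Call-stack feature classifier for steps 202-205 of the description above.
Added illustration, not code from the patent or its assignees. Frame strings follow
the "A.dll!SHCreateStreamFileW+0x38e (C:\\Windows\\Syst\\A.dll)" shape quoted in step
202; signer list, registered-DLL list, observed signatures and stacks are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

# "module!symbol+offset (full load path)", the frame shape quoted in step 202.
FRAME_RE = re.compile(r"^(?P<module>[^!\s]+)!(?P<symbol>\S+)\s+\((?P<path>[^)]+)\)$")
# Preset load path of system DLLs (the text's "C:\Windows\System32\xx.dll").
SYSTEM_DLL_DIR = r"C:\Windows\System32"
# Constructed stand-in for the preset signature list from the system developer.
PRESET_SIGNERS: Set[str] = {"Example OS Publisher"}
# Constructed stand-in for the preset list of registered non-system DLLs (the text
# names input-method DLLs as the typical member); lower-cased full paths.
REGISTERED_NON_SYSTEM_DLLS: Set[str] = {r"c:\program files\ime\pinyin.dll"}
# Constructed result of verifying each loaded file's signature, keyed by lower-cased
# path. A real agent gets this from the platform's signature-verification API; the
# frame string itself does not carry it.
OBSERVED_SIGNERS: Dict[str, str] = {
    r"c:\windows\winsxs\x86_comctl32\comctl32.dll": "Example OS Publisher",
    r"c:\windows\syst\a.dll": "Unknown Signer",
}

@dataclass(frozen=True)
class Frame:
    module: str
    symbol: str
    path: str

def parse_frame(line: str) -> Frame:
    """Split one back-trace line into module, symbol+offset and load path."""
    m = FRAME_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised call-stack frame: {line!r}")
    return Frame(m["module"], m["symbol"], m["path"])

def in_directory(path: str, directory: str) -> bool:
    """True if the file sits directly in `directory` (Windows paths are case-insensitive)."""
    head, _, _ = path.rpartition("\\")
    return head.lower() == directory.lower()

def is_system_dll(frame: Frame, signers: Dict[str, str]) -> bool:
    """Step 202: preset load path met, or signed by a signer from the preset list."""
    if in_directory(frame.path, SYSTEM_DLL_DIR):
        return True
    return signers.get(frame.path.lower()) in PRESET_SIGNERS

def classify(stack: Iterable[str],
             registered: Set[str] = REGISTERED_NON_SYSTEM_DLLS,
             signers: Dict[str, str] = OBSERVED_SIGNERS) -> Tuple[str, str]:
    """Return ("safe", reason) or ("dangerous", reason) for one captured call stack."""
    for line in stack:
        frame = parse_frame(line)
        # Only DLL frames are examined; the executable's own frame is not a dynamic
        # link library (an assumption made for this example).
        if not frame.module.lower().endswith(".dll"):
            continue
        if is_system_dll(frame, signers):
            continue
        # Step 203: a non-system DLL is tolerated only if it was registered.
        if frame.path.lower() in registered:
            continue
        # Step 204: an unregistered non-system DLL in the stack is the attack indicator.
        return "dangerous", f"unregistered non-system DLL loaded: {frame.path}"
    # Step 205: every DLL in the stack is a system DLL or a registered DLL.
    return "safe", "all DLLs are system or registered DLLs"

# Constructed sample stacks (frame shape from the text; values invented).
SAFE_STACK = [
    r"ntdll.dll!NtCreateFile+0x14 (C:\Windows\System32\ntdll.dll)",
    r"KERNELBASE.dll!CreateFileW+0x66 (C:\Windows\System32\KERNELBASE.dll)",
    r"notepad.exe!wWinMain+0x120 (C:\Windows\System32\notepad.exe)",
]
HIJACKED_STACK = [  # second frame is the one quoted in step 202
    r"ntdll.dll!NtCreateFile+0x14 (C:\Windows\System32\ntdll.dll)",
    r"A.dll!SHCreateStreamFileW+0x38e (C:\Windows\Syst\A.dll)",
]
IME_STACK = [  # registered input-method DLL: tolerated by step 203
    r"ntdll.dll!NtCreateFile+0x14 (C:\Windows\System32\ntdll.dll)",
    r"pinyin.dll!ImeProcessKey+0x2a (C:\Program Files\IME\pinyin.dll)",
]
SIGNED_SXS_STACK = [  # outside System32 but carries the preset signature
    r"ntdll.dll!NtCreateFile+0x14 (C:\Windows\System32\ntdll.dll)",
    r"comctl32.dll!CreateWindowExW+0x1a (C:\Windows\WinSxS\x86_comctl32\comctl32.dll)",
]

if __name__ == "__main__":
    for name, stack in [("safe", SAFE_STACK), ("hijacked", HIJACKED_STACK),
                        ("ime", IME_STACK), ("signed_sxs", SIGNED_SXS_STACK)]:
        print(name, classify(stack))
```

The SIGNED_SXS_STACK case shows why the signature check of step 202 sits in front of the path check: without it, a system DLL loaded from outside the preset path would be reported as a non-system DLL.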
Further, as a specific implementation of Fig. 1, an embodiment of the present invention provides a terminal device system protection device. As shown in Fig. 3, the device comprises: a capturing unit 31, a detection unit 32 and a determination unit 33.
The capturing unit 31 may be used to capture, locally on the terminal device, the call stack feature corresponding to an operation behavior of an application program on the terminal device. The capturing unit 31 is the functional module of the present device that captures the call stack feature corresponding to an operation behavior of an unknown application program on the terminal device. The call stack feature may be the sequence of system function interfaces called by the unknown application program when it executes the operation behavior, and is dynamic in-memory data. Different operation behaviors on the terminal device have different call stack features, and the same operation behavior has different call stack features in different scenarios.
The detection unit 32 may be used to detect, using the call stack feature, whether the application program has loaded a non-system dynamic link library of the terminal device. The detection unit 32 is the main functional module of the present device that uses the call stack feature to detect whether the application program has loaded a non-system dynamic link library of the terminal device.
The determination unit 33 may be used to determine that the operation behavior is a dangerous behavior if the detection unit 32 detects that the application program has loaded a non-system dynamic link library of the terminal device. The determination unit 33 is the functional module of the present device that determines the operation behavior to be a dangerous behavior if the detection unit 32 detects that the application program has loaded a non-system dynamic link library of the terminal device. To allow the user to use the terminal device normally, the operation behavior may be released after it is determined to be a safe behavior.
The determination unit 33 may also be used to determine that the operation behavior is a safe behavior if the detection unit 32 detects that the application program has not loaded a non-system dynamic link library of the terminal device. The determination unit 33 is also the functional module of the present device that determines the operation behavior to be a safe behavior if the detection unit 32 detects that the application program has not loaded a non-system dynamic link library of the terminal device. To ensure the security of the terminal device, the dangerous behavior may be blocked or intercepted after the operation behavior is determined to be a dangerous behavior.
In a specific application scenario, in order to determine whether the application program has loaded a non-system dynamic link library of the terminal device, the detection unit 32 comprises a detection module 321 and a determining module 322, as shown in Fig. 4.
The detection module 321 may be used to detect whether the load path corresponding to a dynamic link library in the call stack feature meets the preset load path.
The determining module 322 may be used to determine that the application program has loaded a non-system dynamic link library of the terminal device if the detection module 321 detects that the load path corresponding to a dynamic link library in the call stack feature does not meet the preset load path.
The determining module 322 may specifically be used to determine that the application program has not loaded a non-system dynamic link library of the terminal device if the detection module 321 detects that the load path corresponding to the dynamic link library in the call stack feature meets the preset load path.
The detection module 321 is further used to detect whether the signature corresponding to a dynamic link library in the call stack feature meets the preset signature.
The determining module 322 is further used to determine that the application program has not loaded a non-system dynamic link library of the terminal device if the detection module 321 detects that the signature corresponding to the dynamic link library in the call stack feature meets the preset signature.
The determining module 322 is specifically used to determine that the application program has loaded a non-system dynamic link library of the terminal device if the detection module 321 detects that the signature corresponding to the dynamic link library in the call stack feature does not meet the preset signature.
In the embodiment of the present invention, in order to avoid protection false positives, that is, to avoid an application program's loading of a registered non-system dynamic link library being mistakenly reported as malicious code attacking a system process, the device further comprises a judging unit 34.
The judging unit 34 may be used to judge whether the loaded non-system dynamic link library is a registered non-system dynamic link library.
The determination unit 33 may further be used to determine that the operation behavior is a safe behavior if the judging unit 34 judges that the loaded non-system dynamic link library is a registered non-system dynamic link library;
The determination unit 33 may specifically be used to determine that the operation behavior is a dangerous behavior if the judging unit 34 judges that the loaded non-system dynamic link library is not a registered non-system dynamic link library.
In concrete application scene, the judging unit 34 specifically can be used for judging the nonsystematic dynamic link of load Whether library is the nonsystematic dynamic link library preset in registered nonsystematic dynamic link library list;If the judgment module is sentenced The nonsystematic dynamic link library of disconnected load is the nonsystematic dynamic link preset in registered nonsystematic dynamic link library list Library, it is determined that the nonsystematic dynamic link library of load is registered nonsystematic dynamic link library.
The detection unit 32, can be also used for detecting dynamic link library in the call stack feature whether with default tune Storehouse matching is linked with the Safety actuality in stack feature database, the default call stack feature database is corresponding according to sample safety behavior Security invocation stack feature construction, the Safety actuality chained library is the dynamic link library in the security invocation stack feature;
The determination unit 33, if the dynamic link library for being specifically also used to detect in the call stack feature and default calling Safety actuality chained library in stack feature database mismatches, it is determined that the operation behavior is hazardous act.
In concrete application scene, in order to locally capture application program to the operation row of the terminal device in terminal device For corresponding call stack feature, the capturing unit 31 may include: monitoring module 311, Hooking module 312 and backtracking module 313。
The monitoring module 311, in the process that can be used for for default trapping module being injected into the Unknown Applications, Monitor the operation behavior.
The Hooking module 312 can be used for utilizing the system application layer for presetting hooking function to the terminal device Power function is linked up with, and is called with intercepting the corresponding system of the operation behavior;
The backtracking module 313 can be used for being recalled using default stack information function and call progress stack letter to the system Breath backtracking, obtains the corresponding call stack feature of the operation behavior.
For the embodiment of the present invention, in order to guarantee the safety of terminal device data, described device can also include: processing Unit 35.
The processing unit 35 can be used for carrying out intercept process to the operation behavior, and by the unknown applications journey Sequence is added in pre-set programs blacklist.The processing unit 35 is to carry out intercept process to the operation behavior in the present apparatus, And the Unknown Applications are added to the functional module in pre-set programs blacklist.
It should be noted that each function mould involved by a kind of terminal device systematic protection device provided in an embodiment of the present invention Other corresponding descriptions of block, can be with reference to the corresponding description of method shown in Fig. 1, and details are not described herein.
Based on above-mentioned method as shown in Figure 1, correspondingly, the embodiment of the invention also provides a kind of computer-readable storage mediums Matter is stored thereon with computer program, which performs the steps of locally to capture in terminal device when being executed by processor and answer With the corresponding call stack feature of operation behavior of the program to the terminal device;The application is detected using the call stack feature Whether program loads the nonsystematic dynamic link library of the terminal device;If so, determining that the operation behavior is hazardous act; If not, it is determined that the operation behavior is safety behavior.
Embodiment based on above-mentioned method as shown in Figure 1 and terminal device systematic protection device as shown in Figure 3, the present invention are real It applies example and additionally provides a kind of entity structure diagram of computer equipment, as shown in figure 5, the device includes: processor 41, memory 42 and it is stored in the computer program that can be run on memory 42 and on a processor, wherein memory 42 and processor 41 are equal Setting is performed the steps of when processor 41 described in bus 43 executes described program locally to be captured in terminal device using journey The corresponding call stack feature of the operation behavior of terminal device described in ordered pair;The application program is detected using the call stack feature Whether the nonsystematic dynamic link library of the terminal device is loaded;If so, determining that the operation behavior is hazardous act;If It is no, it is determined that the operation behavior is safety behavior.The equipment further include: bus 43 is configured as coupling processor 41 and deposits Reservoir 42.
According to the technical solution of the present invention, application program can locally be captured to the behaviour of the terminal device in terminal device Make the corresponding call stack feature of behavior.And it can detect whether the application program loads the end using the call stack feature The nonsystematic dynamic link library of end equipment;If so, determining that the operation behavior is hazardous act;If not, it is determined that the behaviour Making behavior is safety behavior, determines the case where terminal device system process is attacked so as to realize, realizes system process leakage Hole protection, and then it is able to ascend the safety of terminal device.
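As an added example (not code from the patent or its assignees), the following Python models the decision path described above, from the detection and judging units to the processing unit, over constructed call-stack features. The load paths, signer names, registered-DLL list, safe stack library and sample stacks are all assumptions standing in for what the monitoring, hooking and backtracking modules would actually collect.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Frame:
    """One call-stack frame, reduced to the module that owns its return address."""
    module: str             # DLL file name (constructed sample value)
    path: str               # full load path reported by the loader (constructed)
    signer: Optional[str]   # code-signing publisher, None when unsigned


@dataclass(frozen=True)
class CallStackFeature:
    """What the capturing unit would return for one intercepted system call."""
    program: str            # the monitored application (constructed)
    api: str                # hooked system application-layer function
    frames: Tuple[Frame, ...]


@dataclass(frozen=True)
class Verdict:
    hazardous: bool
    reason: str


# Preset load paths (A2): modules under these directories are system DLLs.
PRESET_LOAD_PATHS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Preset signature (A3): a signer whose modules are accepted as system DLLs.
PRESET_SIGNERS = {"Microsoft Windows"}
# Preset registered non-system DLL list (A4/A5), keyed by lower-case load path.
REGISTERED_NON_SYSTEM_DLLS = {"c:\\program files\\vendor\\plugin.dll"}
# Preset call stack feature library (A6), constructed from sample safe behaviour:
# for each hooked API, the DLLs that appeared in its safe call stacks.
SAFE_STACK_LIBRARY: Dict[str, Set[str]] = {
    "CreateProcessW": {"ntdll.dll", "kernelbase.dll", "kernel32.dll"},
}


def is_non_system_dll(frame: Frame) -> bool:
    """A2 then A3: load-path check first, signature check only if the path fails."""
    if frame.path.lower().startswith(PRESET_LOAD_PATHS):
        return False                    # load path meets the preset load path
    if frame.signer in PRESET_SIGNERS:
        return False                    # signature meets the preset signature
    return True


def is_registered(frame: Frame) -> bool:
    """A5: membership in the preset list of registered non-system DLLs."""
    return frame.path.lower() in REGISTERED_NON_SYSTEM_DLLS


def matches_safe_library(feature: CallStackFeature) -> bool:
    """A6: every DLL on the stack must appear in the safe stack recorded for this API.
    Assumption: an API with no sample in the library is not judged by this rule."""
    safe = SAFE_STACK_LIBRARY.get(feature.api)
    return safe is None or all(f.module.lower() in safe for f in feature.frames)


def classify(feature: CallStackFeature) -> Verdict:
    """A1, A4 and A6 combined: the determination unit's decision for one stack."""
    non_system = [f for f in feature.frames if is_non_system_dll(f)]
    unregistered = [f.path for f in non_system if not is_registered(f)]
    if unregistered:
        return Verdict(True, "unregistered non-system DLL on stack: " + ", ".join(unregistered))
    if not matches_safe_library(feature):
        return Verdict(True, "stack for %s does not match the safe stack library" % feature.api)
    return Verdict(False, "only system or registered DLLs on a known-safe stack")


def handle(feature: CallStackFeature, blacklist: Set[str]) -> Verdict:
    """A8: on a hazardous verdict the processing unit intercepts the operation and
    blacklists the program; the caller uses the verdict to block or release the call."""
    verdict = classify(feature)
    if verdict.hazardous:
        blacklist.add(feature.program)
    return verdict


def _sys(module: str) -> Frame:
    """Constructed System32 frame carrying the preset signer."""
    return Frame(module, "c:\\windows\\system32\\" + module, "Microsoft Windows")


# Constructed sample captures standing in for real hook-and-backtrace output.
SAFE_STACK = CallStackFeature("editor.exe", "CreateProcessW",
    (_sys("ntdll.dll"), _sys("kernelbase.dll"), _sys("kernel32.dll")))
REGISTERED_STACK = CallStackFeature("host.exe", "WriteFile",
    (_sys("ntdll.dll"), _sys("kernel32.dll"),
     Frame("plugin.dll", "C:\\Program Files\\Vendor\\plugin.dll", "Vendor Ltd")))
INJECTED_STACK = CallStackFeature("victim.exe", "CreateProcessW",
    (_sys("ntdll.dll"), _sys("kernel32.dll"),
     Frame("x.dll", "C:\\Users\\Public\\x.dll", None)))   # unsigned, unregistered
UNKNOWN_STACK = CallStackFeature("updater.exe", "CreateProcessW",
    (_sys("ntdll.dll"), _sys("kernel32.dll"), _sys("wininet.dll")))  # not in library

if __name__ == "__main__":
    blacklist: Set[str] = set()
    for stack in (SAFE_STACK, REGISTERED_STACK, INJECTED_STACK, UNKNOWN_STACK):
        v = handle(stack, blacklist)
        print(stack.program, "hazardous" if v.hazardous else "safe", "-", v.reason)
    print("blacklist:", sorted(blacklist))
```

The registered plugin case shows why the judging unit exists: without the registered list, any third-party DLL on the stack would be reported as an attack on the system process.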
The embodiment of the present invention also provides the following technical solutions:
A1. A terminal device system protection method, comprising:
Capturing locally on the terminal device the call stack feature corresponding to the operation behavior of an application program on the terminal device;
Detecting, using the call stack feature, whether the application program loads a non-system dynamic link library of the terminal device;
If so, determining that the operation behavior is a hazardous act;
If not, determining that the operation behavior is a safe behavior.
A2. The method according to A1, wherein detecting, using the call stack feature, whether the application program loads a non-system dynamic link library of the terminal device comprises:
Detecting whether the load path corresponding to the dynamic link library in the call stack feature meets a preset load path;
If it does not meet the preset load path, determining that the application program loads a non-system dynamic link library of the terminal device;
If it meets the preset load path, determining that the application program does not load a non-system dynamic link library of the terminal device.
A3. The method according to A2, wherein before determining that the application program loads a non-system dynamic link library of the terminal device, the method further includes:
Detecting whether the signature corresponding to the dynamic link library in the call stack feature meets a preset signature;
If it meets the preset signature, determining that the application program does not load a non-system dynamic link library of the terminal device;
Determining that the application program loads a non-system dynamic link library of the terminal device comprises:
If it does not meet the preset signature, determining that the application program loads a non-system dynamic link library of the terminal device.
A4. The method according to any one of A1-A3, wherein before determining that the operation behavior is a hazardous act, the method further includes:
Judging whether the loaded non-system dynamic link library is a registered non-system dynamic link library;
If so, determining that the operation behavior is a safe behavior;
Determining that the operation behavior is a hazardous act comprises:
If not, determining that the operation behavior is a hazardous act.
A5. The method according to A4, wherein judging whether the loaded non-system dynamic link library is a registered non-system dynamic link library comprises:
Judging whether the loaded non-system dynamic link library is a non-system dynamic link library in a preset list of registered non-system dynamic link libraries;
If so, determining that the loaded non-system dynamic link library is a registered non-system dynamic link library.
A6. The method according to A1, wherein before determining that the operation behavior is a hazardous act, the method further includes:
Detecting whether the dynamic link library in the call stack feature matches a safe dynamic link library in a preset call stack feature library, where the preset call stack feature library is constructed from the safe call stack features corresponding to sample safe behaviors, and the safe dynamic link library is the dynamic link library in those safe call stack features;
Determining that the operation behavior is a hazardous act comprises:
If it does not match, determining that the operation behavior is a hazardous act.
A7. The method according to A1, wherein capturing locally on the terminal device the call stack feature corresponding to the operation behavior of the application program on the terminal device comprises:
Injecting a preset capture module into the process of the application program and monitoring the operation behavior;
Hooking the functions of the system application layer of the terminal device using a preset hooking function, so as to intercept the system call corresponding to the operation behavior;
Backtracking the stack information of the system call using a preset stack information backtracking function, obtaining the call stack feature corresponding to the operation behavior.
A8. The method according to A1, wherein after determining that the operation behavior is a hazardous act, the method further includes:
Carrying out interception processing on the hazardous operation behavior, and adding the application program to a preset program blacklist.
B9. A terminal device system protection device, comprising:
A capturing unit, for capturing locally on the terminal device the call stack feature corresponding to the operation behavior of an application program on the terminal device;
A detection unit, for detecting, using the call stack feature, whether the application program loads a non-system dynamic link library of the terminal device;
A determination unit, for determining, if the detection unit detects that the application program loads a non-system dynamic link library of the terminal device, that the operation behavior is a hazardous act;
The determination unit is also used, if the detection unit detects that the application program does not load a non-system dynamic link library of the terminal device, to determine that the operation behavior is a safe behavior.
B10. The device according to B9, wherein the detection unit comprises:
A detection module, for detecting whether the load path corresponding to the dynamic link library in the call stack feature meets a preset load path;
A determining module, for determining, if the detection module detects that the load path corresponding to the dynamic link library in the call stack feature does not meet the preset load path, that the application program loads a non-system dynamic link library of the terminal device;
The determining module is specifically used, if the detection module detects that the load path corresponding to the dynamic link library in the call stack feature meets the preset load path, to determine that the application program does not load a non-system dynamic link library of the terminal device.
B11. The device according to B10, wherein:
The detection module is also used to detect whether the signature corresponding to the dynamic link library in the call stack feature meets a preset signature;
The determining module is also used, if the detection module detects that the signature corresponding to the dynamic link library in the call stack feature meets the preset signature, to determine that the application program does not load a non-system dynamic link library of the terminal device;
The determining module is specifically used, if the detection module detects that the signature corresponding to the dynamic link library in the call stack feature does not meet the preset signature, to determine that the application program loads a non-system dynamic link library of the terminal device.
B12. The device according to any one of B9-B11, wherein the device further comprises a judging unit,
The judging unit, for judging whether the loaded non-system dynamic link library is a registered non-system dynamic link library;
The determination unit is also used, if the judging unit judges that the loaded non-system dynamic link library is a registered non-system dynamic link library, to determine that the operation behavior is a safe behavior;
The determination unit is specifically used, if the judging unit judges that the loaded non-system dynamic link library is not a registered non-system dynamic link library, to determine that the operation behavior is a hazardous act.
B13. The device according to B12, wherein:
The judging unit is specifically used to judge whether the loaded non-system dynamic link library is a non-system dynamic link library in a preset list of registered non-system dynamic link libraries; if the judging unit judges that the loaded non-system dynamic link library is in the preset list of registered non-system dynamic link libraries, it determines that the loaded non-system dynamic link library is a registered non-system dynamic link library.
B14. The device according to B12, wherein:
The detection unit is also used to detect whether the dynamic link library in the call stack feature matches a safe dynamic link library in a preset call stack feature library, where the preset call stack feature library is constructed from the safe call stack features corresponding to sample safe behaviors, and the safe dynamic link library is the dynamic link library in those safe call stack features;
The determination unit is specifically also used, if it is detected that the dynamic link library in the call stack feature does not match a safe dynamic link library in the preset call stack feature library, to determine that the operation behavior is a hazardous act.
B15. The device according to B12, wherein the capturing unit comprises:
A monitoring module, for injecting a preset capture module into the process of the application program and monitoring the operation behavior;
A hooking module, for hooking the functions of the system application layer of the terminal device using a preset hooking function, so as to intercept the system call corresponding to the operation behavior;
A backtracking module, for backtracking the stack information of the system call using a preset stack information backtracking function, obtaining the call stack feature corresponding to the operation behavior.
B16. The device according to B9, wherein the device further comprises:
A processing unit, for carrying out interception processing on the hazardous operation behavior and adding the application program to a preset program blacklist.
C17. A computer-readable storage medium on which a computer program is stored, wherein when the computer program is executed by a processor, the steps of the method according to any one of A1 to A8 are realized.
D18. A computer device, including a memory, a processor and a computer program stored on the memory and runnable on the processor, wherein when the processor executes the computer program, the steps of the method according to any one of A1 to A8 are realized.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference can be made to the related descriptions of the other embodiments.
It can be understood that the related features in the above method and device can be referred to mutually. In addition, "first", "second" and the like in the above embodiments are used to distinguish the embodiments and do not represent the superiority or inferiority of any embodiment.
It is apparent to those skilled in the art that, for convenience and simplicity of description, for the specific working processes of the systems, devices and units described above, reference can be made to the corresponding processes in the foregoing method embodiments; details are not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems can also be used together with the teachings herein. From the description above, the structure required to construct such systems is obvious. In addition, the present invention is not directed to any particular programming language. It should be understood that various programming languages can be used to realize the content of the invention described herein, and the description above of a specific language is given to disclose the preferred mode of carrying out the present invention.
In the specification provided here, numerous specific details are set forth. It is to be appreciated, however, that embodiments of the invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this specification.
Similarly, it should be understood that in order to simplify the disclosure and help understand one or more of the various inventive aspects, in the description of exemplary embodiments of the present invention above, the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will understand that the modules in the equipment of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components in an embodiment can be combined into one module, unit or component, and furthermore they can be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) can be replaced by an alternative feature providing the same, equivalent or similar purpose.
In addition, those skilled in the art will appreciate that although some embodiments described herein include certain features included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the following claims, any one of the claimed embodiments can be used in any combination.
The various component embodiments of the invention can be implemented in hardware, as software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) can be used in practice to realize some or all of the functions of some or all of the components in the terminal device system protection device according to the embodiments of the present invention. The present invention can also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for executing some or all of the method described herein. Such a program realizing the present invention can be stored on a computer-readable medium, or can take the form of one or more signals. Such signals can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference symbols between parentheses should not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention can be realized by means of hardware including several different elements and by means of a suitably programmed computer. In a unit claim listing several devices, several of these devices can be embodied by the same item of hardware. The use of the words first, second and third does not indicate any order; these words can be interpreted as names.

Claims (10)

1. A terminal device system protection method, characterized by comprising:
Capturing locally on the terminal device the call stack feature corresponding to the operation behavior of an application program on the terminal device;
Detecting, using the call stack feature, whether the application program loads a non-system dynamic link library of the terminal device;
If so, determining that the operation behavior is a hazardous act;
If not, determining that the operation behavior is a safe behavior.
2. The method according to claim 1, characterized in that detecting, using the call stack feature, whether the application program loads a non-system dynamic link library of the terminal device comprises:
Detecting whether the load path corresponding to the dynamic link library in the call stack feature meets a preset load path;
If it does not meet the preset load path, determining that the application program loads a non-system dynamic link library of the terminal device;
If it meets the preset load path, determining that the application program does not load a non-system dynamic link library of the terminal device.
3. The method according to claim 2, characterized in that before determining that the application program loads a non-system dynamic link library of the terminal device, the method further includes:
Detecting whether the signature corresponding to the dynamic link library in the call stack feature meets a preset signature;
If it meets the preset signature, determining that the application program does not load a non-system dynamic link library of the terminal device;
Determining that the application program loads a non-system dynamic link library of the terminal device comprises:
If it does not meet the preset signature, determining that the application program loads a non-system dynamic link library of the terminal device.
4. The method according to any one of claims 1-3, characterized in that before determining that the operation behavior is a hazardous act, the method further includes:
Judging whether the loaded non-system dynamic link library is a registered non-system dynamic link library;
If so, determining that the operation behavior is a safe behavior;
Determining that the operation behavior is a hazardous act comprises:
If not, determining that the operation behavior is a hazardous act.
5. The method according to claim 4, characterized in that judging whether the loaded non-system dynamic link library is a registered non-system dynamic link library comprises:
Judging whether the loaded non-system dynamic link library is a non-system dynamic link library in a preset list of registered non-system dynamic link libraries;
If so, determining that the loaded non-system dynamic link library is a registered non-system dynamic link library.
6. The method according to claim 1, characterized in that before determining that the operation behavior is a hazardous act, the method further includes:
Detecting whether the dynamic link library in the call stack feature matches a safe dynamic link library in a preset call stack feature library, where the preset call stack feature library is constructed from the safe call stack features corresponding to sample safe behaviors, and the safe dynamic link library is the dynamic link library in those safe call stack features;
Determining that the operation behavior is a hazardous act comprises:
If it does not match, determining that the operation behavior is a hazardous act.
7. The method according to claim 1, characterized in that capturing locally on the terminal device the call stack feature corresponding to the operation behavior of the application program on the terminal device comprises:
Injecting a preset capture module into the process of the application program and monitoring the operation behavior;
Hooking the functions of the system application layer of the terminal device using a preset hooking function, so as to intercept the system call corresponding to the operation behavior;
Backtracking the stack information of the system call using a preset stack information backtracking function, obtaining the call stack feature corresponding to the operation behavior.
8. A terminal device system protection device, characterized by comprising:
A capturing unit, for capturing locally on the terminal device the call stack feature corresponding to the operation behavior of an application program on the terminal device;
A detection unit, for detecting, using the call stack feature, whether the application program loads a non-system dynamic link library of the terminal device;
A determination unit, for determining, if the detection unit detects that the application program loads a non-system dynamic link library of the terminal device, that the operation behavior is a hazardous act;
The determination unit is also used, if the detection unit detects that the application program does not load a non-system dynamic link library of the terminal device, to determine that the operation behavior is a safe behavior.
9. A computer-readable storage medium on which a computer program is stored, characterized in that when the computer program is executed by a processor, the steps of the method according to any one of claims 1 to 7 are realized.
10. A computer device, including a memory, a processor and a computer program stored on the memory and runnable on the processor, characterized in that when the processor executes the computer program, the steps of the method according to any one of claims 1 to 7 are realized.
CN201811640526.0A 2018-06-26 2018-12-29 Terminal device system protection method and device Pending CN109726560A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810668277X 2018-06-26
CN201810668277.XA CN108846287A (en) 2018-06-26 2018-06-26 A kind of method and device of detection loophole attack

Publications (1)

Publication Number Publication Date
CN109726560A true CN109726560A (en) 2019-05-07

Family

ID=64202031

Family Applications (10)

Application Number Title Priority Date Filing Date
CN201810668277.XA Pending CN108846287A (en) 2018-05-04 2018-06-26 A kind of method and device of detection loophole attack
CN201811645578.7A Pending CN109711172A (en) 2018-06-26 2018-12-29 Data prevention method and device
CN201811645681.1A Pending CN109766698A (en) 2018-06-26 2018-12-29 Data prevention method and device
CN201811640471.3A Active CN109753806B (en) 2018-06-26 2018-12-29 Server protection method and device
CN201811640481.7A Active CN109711168B (en) 2018-06-26 2018-12-29 Behavior-based service identification method, behavior-based service identification device, behavior-based service identification equipment and readable storage medium
CN201811646131.1A Active CN109766701B (en) 2018-06-26 2018-12-29 Processing method and device for abnormal process ending operation and electronic device
CN201811640753.3A Pending CN109829309A (en) 2018-06-26 2018-12-29 Terminal device system protection method and device
CN201811640526.0A Pending CN109726560A (en) 2018-06-26 2018-12-29 Terminal device system protection method and device
CN201811640643.7A Pending CN109829307A (en) 2018-06-26 2018-12-29 Process behavior recognition methods and device
CN201811640231.3A Active CN109871691B (en) 2018-06-26 2018-12-29 Authority-based process management method, system, device and readable storage medium

Country Status (1)

Country Link
CN (10) CN108846287A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111046377A (en) * 2019-12-25 2020-04-21 五八同城信息技术有限公司 Method and device for loading dynamic link library, electronic equipment and storage medium
CN111382076A (en) * 2020-03-10 2020-07-07 北京字节跳动网络技术有限公司 Application program testing method and device, electronic equipment and computer storage medium
CN111884884A (en) * 2020-07-31 2020-11-03 北京明朝万达科技股份有限公司 Method, system and device for monitoring file transmission

Families Citing this family (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109711166B (en) * 2018-12-17 2020-12-11 北京知道创宇信息技术股份有限公司 Vulnerability detection method and device
CN109558730B (en) * 2018-12-29 2020-10-16 360企业安全技术(珠海)有限公司 Safety protection method and device for browser
CN109800576B (en) * 2018-12-29 2021-07-23 360企业安全技术(珠海)有限公司 Monitoring method and device for unknown program exception request and electronic device
CN112395585B (en) * 2019-08-15 2023-01-06 奇安信安全技术(珠海)有限公司 Database service login method, device, equipment and readable storage medium
CN112395604B (en) * 2019-08-15 2022-09-30 奇安信安全技术(珠海)有限公司 System monitoring login protection method, client, server and storage medium
CN112398789A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 Remote login control method, device, system, storage medium and electronic device
CN112398784B (en) * 2019-08-15 2023-01-06 奇安信安全技术(珠海)有限公司 Method and device for defending vulnerability attack, storage medium and computer equipment
CN112398787B (en) * 2019-08-15 2022-09-30 奇安信安全技术(珠海)有限公司 Mailbox login verification method and device, computer equipment and storage medium
CN112395617A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 Method and device for protecting docker escape vulnerability, storage medium and computer equipment
CN110610086B (en) * 2019-08-30 2021-06-18 北京卓识网安技术股份有限公司 Illegal code identification method, system, device and storage medium
WO2021046811A1 (en) * 2019-09-12 2021-03-18 奇安信安全技术(珠海)有限公司 Attack behavior determination method and apparatus, and computer storage medium
CN110505247B (en) * 2019-09-27 2022-05-17 百度在线网络技术(北京)有限公司 Attack detection method and device, electronic equipment and storage medium
CN111209559B (en) * 2019-12-23 2022-02-15 东软集团股份有限公司 Permission processing method and device of application program, storage medium and electronic equipment
CN111859405A (en) * 2020-07-31 2020-10-30 深信服科技股份有限公司 Threat immunization framework, method, equipment and readable storage medium
CN112069505B (en) * 2020-09-15 2021-11-23 北京微步在线科技有限公司 Audit information processing method and electronic equipment
US20220083644A1 (en) * 2020-09-16 2022-03-17 Cisco Technology, Inc. Security policies for software call stacks
CN112910868A (en) * 2021-01-21 2021-06-04 平安信托有限责任公司 Enterprise network security management method and device, computer equipment and storage medium
CN113392416B (en) * 2021-06-28 2024-03-22 北京恒安嘉新安全技术有限公司 Method, device, equipment and storage medium for acquiring application program encryption and decryption data
CN113742726A (en) * 2021-08-27 2021-12-03 恒安嘉新(北京)科技股份公司 Program recognition model training and program recognition method, device, equipment and medium
CN113779561B (en) * 2021-09-09 2024-03-01 安天科技集团股份有限公司 Kernel vulnerability processing method and device, storage medium and electronic equipment
CN115051905A (en) * 2022-07-19 2022-09-13 广东泓胜科技股份有限公司 Port security monitoring and analyzing method, device and related equipment
CN116707929A (en) * 2023-06-16 2023-09-05 广州市玄武无线科技股份有限公司 Method and device for detecting faked mobile-phone photographs based on call-stack information collection

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103778375A (en) * 2012-10-24 2014-05-07 腾讯科技(深圳)有限公司 Device and method for preventing user equipment from loading illegal dynamic link library file
CN104268471A (en) * 2014-09-10 2015-01-07 珠海市君天电子科技有限公司 Method and device for detecting return-oriented programming attack
US20150220707A1 (en) * 2014-02-04 2015-08-06 Pegasus Media Security, Llc System and process for monitoring malicious access of protected content

Family Cites Families (44)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7093239B1 (en) * 2000-07-14 2006-08-15 Internet Security Systems, Inc. Computer immune system and method for detecting unwanted code in a computer system
US7546587B2 (en) * 2004-03-01 2009-06-09 Microsoft Corporation Run-time call stack verification
US7891000B1 (en) * 2005-08-05 2011-02-15 Cisco Technology, Inc. Methods and apparatus for monitoring and reporting network activity of applications on a group of host computers
KR100843701B1 (en) * 2006-11-07 2008-07-04 소프트캠프(주) Confirmation method of API by the information at Call-stack
CN101059829A (en) * 2007-05-16 2007-10-24 珠海金山软件股份有限公司 Device and method for automatically analyzing course risk grade
US8117424B2 (en) * 2007-09-21 2012-02-14 Siemens Industry, Inc. Systems, devices, and/or methods for managing programmable logic controller processing
CN101373501B (en) * 2008-05-12 2010-06-02 公安部第三研究所 Method for capturing the dynamic behaviour of computer viruses
CN101286995B (en) * 2008-05-23 2010-12-08 北京锐安科技有限公司 Remote control method and system
US9110801B2 (en) * 2009-02-10 2015-08-18 International Business Machines Corporation Resource integrity during partial backout of application updates
CN101753377B (en) * 2009-12-29 2011-11-09 吉林大学 P2P botnet real-time detection method and system
CN103136472B (en) * 2011-11-29 2016-08-31 腾讯科技(深圳)有限公司 Method and mobile device for preventing applications from stealing private data
CN102546624A (en) * 2011-12-26 2012-07-04 西北工业大学 Method and system for detecting and defending multichannel network intrusion
CN103368904B (en) * 2012-03-27 2016-12-28 百度在线网络技术(北京)有限公司 Suspicious-behaviour detection and decision system and method for mobile terminals
US10037212B2 (en) * 2012-04-20 2018-07-31 Nxp Usa, Inc. Information processing device and method for protecting data in a call stack
CN102750475B (en) * 2012-06-07 2017-08-15 中国电子科技集团公司第三十研究所 Malicious code behaviour detection method and system based on comparing views from inside and outside a virtual machine
US8990944B1 (en) * 2013-02-23 2015-03-24 Fireeye, Inc. Systems and methods for automatically detecting backdoors
US9558347B2 (en) * 2013-08-27 2017-01-31 Globalfoundries Inc. Detecting anomalous user behavior using generative models of user actions
CN103631712B (en) * 2013-10-23 2016-03-02 北京信息控制研究所 Model-based tracking of critical software behaviour using memory management
CN103761472B (en) * 2014-02-21 2017-05-24 北京奇虎科技有限公司 Application program accessing method and device based on intelligent terminal
US9652328B2 (en) * 2014-05-12 2017-05-16 International Business Machines Corporation Restoring an application from a system dump file
CN105335654B (en) * 2014-06-27 2018-12-14 北京金山安全软件有限公司 Android malicious program detection and processing method, device and equipment
US9721112B2 (en) * 2014-09-29 2017-08-01 Airwatch Llc Passive compliance violation notifications
JP6334069B2 (en) * 2014-11-25 2018-05-30 エンサイロ リミテッドenSilo Ltd. System and method for accuracy assurance of detection of malicious code
CN104484599B (en) * 2014-12-16 2017-12-12 北京奇虎科技有限公司 Application-based behaviour processing method and apparatus
US10614210B2 (en) * 2015-07-31 2020-04-07 Digital Guardian, Inc. Systems and methods of protecting data from injected malware
CN105224862B (en) * 2015-09-25 2018-03-27 北京北信源软件股份有限公司 Method and device for intercepting Office clipboard operations
CN105279432B (en) * 2015-10-12 2018-11-23 北京金山安全软件有限公司 Software monitoring processing method and device
CN105678168A (en) * 2015-12-29 2016-06-15 北京神州绿盟信息安全科技股份有限公司 Method and apparatus for detecting shellcode based on stack-frame anomalies
WO2017166037A1 (en) * 2016-03-29 2017-10-05 深圳投之家金融信息服务有限公司 Data tampering detection device and method
CN107330320B (en) * 2016-04-29 2020-06-05 腾讯科技(深圳)有限公司 Method and device for monitoring application process
US9807104B1 (en) * 2016-04-29 2017-10-31 STEALTHbits Technologies, Inc. Systems and methods for detecting and blocking malicious network activity
CN105956462B (en) * 2016-06-29 2019-05-10 珠海豹趣科技有限公司 Method, apparatus and electronic device for preventing malicious driver loading
CN106203092B (en) * 2016-06-30 2019-12-10 珠海豹趣科技有限公司 Method and device for intercepting shutdown by malicious programs, and electronic device
CN106201811B (en) * 2016-07-06 2019-03-26 青岛海信宽带多媒体技术有限公司 Application fault recovery method and terminal
CN106411588B (en) * 2016-09-29 2019-10-25 锐捷网络股份有限公司 Network device management method, master device and management server
CN107959595B (en) * 2016-10-14 2020-10-27 腾讯科技(深圳)有限公司 Method, device and system for anomaly detection
CN108171056A (en) * 2016-12-08 2018-06-15 武汉安天信息技术有限责任公司 Method and device for automatically judging whether a sample is malicious
CN106708734B (en) * 2016-12-13 2020-01-10 腾讯科技(深圳)有限公司 Software anomaly detection method and device
CN108280346B (en) * 2017-01-05 2022-05-31 腾讯科技(深圳)有限公司 Application protection monitoring method, device and system
CN106991324B (en) * 2017-03-30 2020-02-14 兴华永恒(北京)科技有限责任公司 Malicious code tracking and identifying method based on memory protection type monitoring
CN107358071A (en) * 2017-06-07 2017-11-17 武汉斗鱼网络科技有限公司 Method and device for preventing illegal function calls in Flash applications
CN107704356B (en) * 2017-06-12 2019-06-28 平安科技(深圳)有限公司 Exception stack information acquisition method, device and computer readable storage medium
CN107483274A (en) * 2017-09-25 2017-12-15 北京全域医疗技术有限公司 Service item running state monitoring method and device
CN108052431A (en) * 2017-12-08 2018-05-18 北京奇虎科技有限公司 Terminal program exception closing information processing method, device, terminal

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111046377A (en) * 2019-12-25 2020-04-21 五八同城信息技术有限公司 Method and device for loading dynamic link library, electronic equipment and storage medium
CN111046377B (en) * 2019-12-25 2023-11-14 五八同城信息技术有限公司 Method and device for loading dynamic link library, electronic equipment and storage medium
CN111382076A (en) * 2020-03-10 2020-07-07 北京字节跳动网络技术有限公司 Application program testing method and device, electronic equipment and computer storage medium
CN111382076B (en) * 2020-03-10 2023-04-25 抖音视界有限公司 Application program testing method and device, electronic equipment and computer storage medium
CN111884884A (en) * 2020-07-31 2020-11-03 北京明朝万达科技股份有限公司 Method, system and device for monitoring file transmission
CN111884884B (en) * 2020-07-31 2022-05-31 北京明朝万达科技股份有限公司 Method, system and device for monitoring file transmission

Also Published As

Publication number Publication date
CN109711168A (en) 2019-05-03
CN109753806A (en) 2019-05-14
CN109871691B (en) 2021-07-20
CN108846287A (en) 2018-11-20
CN109829307A (en) 2019-05-31
CN109766701B (en) 2021-04-27
CN109753806B (en) 2024-01-19
CN109711168B (en) 2021-01-15
CN109829309A (en) 2019-05-31
CN109871691A (en) 2019-06-11
CN109711172A (en) 2019-05-03
CN109766698A (en) 2019-05-17
CN109766701A (en) 2019-05-17

Similar Documents

Publication Publication Date Title
CN109726560A (en) Terminal device system protection method and device
CN103559446B (en) Dynamic virus detection method and device for equipment based on Android system
EP3326100B1 (en) Systems and methods for tracking malicious behavior across multiple software entities
CN106991324B (en) Malicious code tracking and identifying method based on memory protection type monitoring
KR101265173B1 (en) Apparatus and method for inspecting non-portable executable files
CN103699480B (en) Java-based dynamic web security vulnerability detection method
CN103679032B (en) Method and device for preventing malicious software
KR20150106889A (en) System for and a method of cognitive behavior recognition
CN104506495A (en) Intelligent network APT attack threat analysis method
US11055168B2 (en) Unexpected event detection during execution of an application
CN104268475B (en) System for running application programs
CN110138727A (en) Information lookup method and device for reverse-shell network connections
Barabosch et al. Bee master: Detecting host-based code injection attacks
Ramilli et al. Multiprocess malware
Li et al. On locating malicious code in piggybacked android apps
CN101599113A (en) Driver-based malware defence method and device
Tang et al. Towards dynamically monitoring android applications on non-rooted devices in the wild
CN106407815A (en) Vulnerability detection method and device
US11886599B2 (en) Method and system for data flow monitoring to identify application security vulnerabilities and to detect and prevent attacks
CN113761539B (en) HarmonyOS (Hongmeng) security vulnerability defence method and system
CN113326539B (en) Method, device and system for private data leakage detection aiming at applet
CN109271787A (en) Operating system active security defence method and operating system
CN113672933A (en) HarmonyOS (Hongmeng) security vulnerability detection method and system
Li Boosting static security analysis of android apps through code instrumentation
Kim et al. Detection and Blocking Method against DLL Injection Attack Using PEB-LDR of ICS EWS in Smart IoT Environments

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Applicant after: Qianxin Safety Technology (Zhuhai) Co.,Ltd.

Applicant after: Qianxin Technology Group Co.,Ltd.

Address before: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Applicant before: 360 ENTERPRISE SECURITY TECHNOLOGY (ZHUHAI) Co.,Ltd.

Applicant before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 2019-05-07