Specific embodiment
Exemplary embodiments of the present disclosure are described in more detail below with reference to accompanying drawings.Although showing the disclosure in attached drawing
Exemplary embodiment, it being understood, however, that may be realized in various forms the disclosure without should be by embodiments set forth here
It is limited.On the contrary, these embodiments are provided to facilitate a more thoroughly understanding of the present invention, and can be by the scope of the present disclosure
It is fully disclosed to those skilled in the art.
As stated in the background art, when carrying out the system security protection of terminal device, usually with the operation row of application program
For the foundation as system security protection, while in order to solve the problems, such as detection wrong report, white list mechanism is introduced, that is, is being applied
When program process belongs to white list process, determine that application program is safe.In practical application scene, when attacker has found system
After system process loophole, it will usually construct malicious code triggering loophole and execute corresponding malicious code, start to terminal device system
The attack of system process.However, the system process of terminal device is under the jurisdiction of white list process, therefore, can not be sentenced using aforesaid way
Determine the case where terminal device system process is attacked, cause can not guard system process loophole, lead to the safety of terminal device
Property is lower.It is therefore proposed that a kind of new terminal device system security protection mode has become terminal device security fields and urgently solves
Certainly the technical issues of.
In order to solve the above-mentioned technical problem, the embodiment of the invention provides a kind of terminal device system protection method, such as Fig. 1
It is shown, which comprises
101, in terminal device, locally capture application program is special to the corresponding call stack of the operation behavior of the terminal device
Sign.
Wherein, the terminal device can be computer, notebook or mobile phone etc..The call stack feature can be institute
It states application program and executes the system function function interface sequence called when the operation behavior, belong to dynamic memory data.For
The corresponding call stack feature of the different operation behavior of terminal device is different, same operation behavior corresponding calling under different scenes
Stack feature is also different.The executing subject of the embodiment of the present invention is terminal device, be may be implemented by terminal device to own system
It is protected offline.
For the embodiment of the present invention, default trapping module can be injected by process injection technique by the application program
The process space in, then by hook technology link up with the operation behavior system call, finally recycle back trace technique pair
The system calls the mode recalled, and obtains the corresponding call stack feature of the operation behavior.
102, using the call stack feature detect the application program whether load the terminal device nonsystematic it is dynamic
State chained library.If so, thening follow the steps 103;If it is not, thening follow the steps 104.
For the embodiment of the present invention, dynamic link library can be divided into nonsystematic dynamic link library and system in terminal device
Dynamic link library, system dynamic link library is the dynamic link library that system process operates normally load, if application program is loaded with
System dynamic link library illustrates system process then to operate normally, and application program belongs to normal operational termination equipment, can determine
The operation behavior is safety behavior;If application program is loaded with nonsystematic dynamic link library, illustrate the loophole of system process
It may be utilized, malicious code loads nonsystematic dynamic link library using loophole, terminal device system attacked, therefore,
The operation behavior for determining application program is hazardous act.
103, determine that the operation behavior is hazardous act.
For the embodiment of the present invention, in order to guarantee the safety of terminal device, determining the operation behavior for dangerous row
To be rear, prevention or intercept process can be carried out to the hazardous act.For example, terminal device default activation system menu
When the dynamic link library that loads be system dynamic link library, and when application program operates terminal device, application program adds
The nonsystematic dynamic link library for System menu starting is carried, it is determined that the operation behavior of activation system menu is dangerous row
To prevent System menu from starting at this time.
104, determine that the operation behavior is safety behavior.
It should be noted that determining that the operation behavior is security row to guarantee user's normal use terminal device
To be rear, clearance processing can be carried out to the operation behavior.For example, the file information of certain application program terminal device to be obtained,
If detecting that application program does not load nonsystematic dynamic link library by obtaining the corresponding call stack feature of the file information, adding
The dynamic link library of load is the system dynamic link library that system allows to load, it is determined that obtains the operation behavior of the file information as peace
Full behavior, and the file information for being intended to obtain feeds back to user.
A kind of terminal device system protection method provided through the embodiment of the present invention can locally be captured in terminal device
Application program is to the corresponding call stack feature of the operation behavior of the terminal device.And it can be detected using the call stack feature
Whether the application program loads the nonsystematic dynamic link library of the terminal device;If so, determining that the operation behavior is
Hazardous act;If not, it is determined that the operation behavior is safety behavior, determines terminal device system process quilt so as to realize
The case where attack, realizes the protection of system process loophole, and then is able to ascend the safety of terminal device.
Further, in order to better illustrate the process of above-mentioned terminal device systematic protection, as to above-described embodiment
Refinement and extension, the embodiment of the invention provides another terminal device system protection methods, as shown in Fig. 2, but not limited to this,
Shown in specific as follows:
201, in terminal device, locally capture application program is special to the corresponding call stack of the operation behavior of the terminal device
Sign.
For the embodiment of the present invention, in order to capture the call stack feature, the step 201 be can specifically include: will be pre-
If trapping module is injected into the process of the application program, the operation behavior is monitored;Using default hooking function to described
The power function of the system application layer of terminal device is linked up with, and is called with intercepting the corresponding system of the operation behavior;It utilizes
Default stack information backtracking function, which calls the system, carries out the backtracking of stack information, and it is special to obtain the corresponding call stack of the operation behavior
Sign.
Wherein, the default trapping module can be arranged for technical staff according to process injection technique, the default extension
Hook function can be write for technical staff according to hook technology, and stack information backtracking function is preset described in the hook technology can be with
It is write for technical staff according to back trace technique.Different trapping modules can be set for different operation behaviors, it is described to catch
Obtaining module can be corresponding function dynamic link library, or write different default hooking functions, different default stack information
Function is recalled, for example, the default hooking function can be hook NtCreateFile for the operation behavior for opening file
Function, the default stack information backtracking function can be RtlCaptureStackBackTrace function.
202, using the call stack feature detect the application program whether load the terminal device nonsystematic it is dynamic
State chained library.If so, thening follow the steps 203;If it is not, thening follow the steps 205.
For the embodiment of the present invention, the developer of terminal device system is in development system, it will usually set some systems
Dynamic link library simultaneously sets the corresponding load path of system dynamic link library, and therefore, the step 202 can specifically include: inspection
Whether the corresponding load path of dynamic link library surveyed in the call stack feature meets default load path.If not meeting,
Determine that the application program loads the nonsystematic dynamic link library of the terminal device;If meeting, it is determined that the application program
The nonsystematic dynamic link library of the terminal device is not loaded.Wherein, the dynamic link library in the call stack feature and its
Corresponding load path important procedure, function can parse according to from the allocating stack feature, and described preset adds
Terminal device local can be stored in by carrying path, can be the corresponding load path of system dynamic link library, such as system dynamic chain
Connecing the corresponding load path in library can be with are as follows: C: Windows System32 xx.dll.If existing such as in the call stack feature
Lower information " A.dll!SHCreateStreamFileW+0x38e (C: Windows Syst A.dll) ", it is special from the call stack
The dynamic link library parsed in sign be A.dll, the corresponding load path of A.dll be C: Windows Syst A.dll, not
For C: Windows System32 A.dll, then illustrate that the loophole of system process is utilized, the application program is added using loophole
The nonsystematic dynamic link library A.dll of the terminal device is carried, terminal device system is attacked.
It should be noted that determining the application program load to promote the accuracy of the operation behavior detection
Before the nonsystematic dynamic link library of the terminal device, the method can also detect the dynamic chain in the call stack feature
Connect whether the corresponding signature in library meets default signature;If meeting, it is determined that the application program does not load the terminal device
Nonsystematic dynamic link library;If not meeting, it is determined that the application program loads the nonsystematic dynamic chain of the terminal device
Connect library.In order to guarantee the safety of terminal device, the terminal device system development chamber of commerce signs to dynamic link library, when dynamic
When chained library passes through system signature, illustrate that the behavior for loading dynamic link library is allowed, the default signature can be terminal
The signature in signature list that equipment development quotient provides, the signature list can be stored in terminal device local, the signature
List can preserve Different Dynamic chained library and its corresponding signature.Specifically, the default signature can be pre-
If effectively signature, it can detect whether the corresponding signature of the dynamic link library in the call stack feature meets default effectively label
Name, if the corresponding signature of dynamic link library in the call stack feature meets default effectively signature, it is determined that described to apply journey
Sequence does not load the nonsystematic dynamic link library of the terminal device.
203, whether the nonsystematic dynamic link library for judging load is registered nonsystematic dynamic link library.If it is not, then
Execute step 204;If so, thening follow the steps 205.
It should be noted that in order to extend the use function of terminal device, terminal device system would generally allow some answer
It is installed and registered with program, application program is when being installed and registered, it will usually register some nonsystematic dynamic link libraries.In reality
In, terminal device system meeting default application loads these registered nonsystematic dynamic link libraries and belongs to normal load
Behavior, therefore, when judging the nonsystematic dynamic link library of application program load for registered nonsystematic dynamic link library, really
The operation behavior of the fixed application program is safety behavior.When application program loads unregistered nonsystematic dynamic link library,
Illustrating that the loophole of system process is utilized, unregistered nonsystematic dynamic link library belongs to what malicious code was loaded using loophole,
For attacking system process.Therefore, not registered in the nonsystematic dynamic link library for judging application program load
When nonsystematic dynamic link library, determine that the operation behavior of the application program is hazardous act.It can be avoided hair by step 203
The case where biological and ecological methods to prevent plant disease, pests, and erosion shield wrong report, that is, the case where application program is loaded to registered nonsystematic dynamic link library is avoided, reported by mistake to dislike
The case where meaning code intrusion system process.
Wherein, the registered nonsystematic dynamic link library can be input method dynamic link library, or registration its
His nonsystematic dynamic link library etc..In concrete application scene, determining that the application program loads the non-of the terminal device
After system dynamic link library, can continue to judge whether the nonsystematic dynamic link library of load is input method dynamic link library,
If input method dynamic link library, it is determined that the behavior that application program loads dynamic link library is lawful acts, determines the behaviour
Making behavior is safety behavior;If not input method dynamic link library, the nonsystematic dynamic link library of judgement load can be continued
It whether is other nonsystematic dynamic link libraries registered, if other nonsystematic dynamic link libraries of registration, it is determined that apply journey
The behavior that sequence loads dynamic link library is lawful acts, otherwise, it determines the operation behavior is hazardous act.
In concrete application scene, application program is when applying for the registration of, if terminal device system has passed through using journey
Nonsystematic dynamic link library can be saved in and preset registered nonsystematic and move by the nonsystematic dynamic link library that sequence is applied for the registration of
In state chained library list, the step 203 be can specifically include: whether the nonsystematic dynamic link library for judging load is to preset
Nonsystematic dynamic link library in the nonsystematic dynamic link library list of registration;If so, determining the nonsystematic dynamic chain of load
Connecing library is registered nonsystematic dynamic link library.
204, determine that the operation behavior is hazardous act.
It, can also be according to sample safety behavior in order to promote the accuracy of application program detection in concrete application scene
Corresponding security invocation stack feature construction presets call stack feature database, then further detects institute according to default call stack feature database
State whether operation behavior is hazardous act, can specifically include: detect dynamic link library in the call stack feature whether with
Safety actuality in default call stack feature database links storehouse matching, and the default call stack feature database is according to sample safety behavior
Corresponding security invocation stack feature construction, the Safety actuality chained library is the dynamic link in the security invocation stack feature
Library;If not, it is determined that the operation behavior is hazardous act.
For the embodiment of the present invention, in order to further enhance the safety of terminal device, after step 204, the side
Method can also include: to carry out intercept process to the operation behavior, and the application program is added to pre-set programs blacklist
In.By the way that the application program to be added in pre-set programs blacklist, it can be realized that there are when the operation behavior in next time
It is intercepted in time.In addition, can also utilize after determining that the operation behavior is hazardous act and answer described killing tool
Killing is carried out with the nonsystematic dynamic link library that program loads.
205, determine that the operation behavior is safety behavior.
Another terminal device system protection method provided through the embodiment of the present invention, can locally catch in terminal device
Application program is obtained to the corresponding call stack feature of the operation behavior of the terminal device.And it can be examined using the call stack feature
Survey the nonsystematic the dynamic link library whether application program loads the terminal device;If so, determining the operation behavior
For hazardous act;If not, it is determined that the operation behavior is safety behavior, determines terminal device system process so as to realize
The case where attack, the protection of system process loophole is realized, and then be able to ascend the safety of terminal device.
Further, as the specific implementation of Fig. 1, the embodiment of the invention provides a kind of terminal device systematic protection dresses
It sets, as shown in figure 3, described device includes: capturing unit 31, detection unit 32, determination unit 33.
The capturing unit 31 can be used in terminal device locally operation of the capture application program to the terminal device
The corresponding call stack feature of behavior.The capturing unit 31 is that operation of the Unknown Applications to terminal device is captured in the present apparatus
The functional module of the corresponding call stack feature of behavior.The call stack feature can execute the behaviour for the Unknown Applications
Make the system function function interface sequence called when behavior, belongs to dynamic memory data.The operation row different for terminal device
Different for corresponding call stack feature, same operation behavior corresponding call stack feature under different scenes is also different.
Whether the detection unit 32 can be used for loading using the call stack feature detection application program described
The nonsystematic dynamic link library of terminal device.The detection unit 32 is in the present apparatus using described in call stack feature detection
Whether application program loads the main functional modules of the nonsystematic dynamic link library of the terminal device.
The determination unit 33 is set if can be used for the detection unit 32 and detect the application program load terminal
Standby nonsystematic dynamic link library, it is determined that the operation behavior is hazardous act.If the determination unit 33 is in the present apparatus
The detection unit 32 detects the nonsystematic dynamic link library that the application program loads the terminal device, it is determined that the behaviour
Make the functional module that behavior is hazardous act.In order to guarantee user's normal use terminal device, determining that the operation behavior is
After safety behavior, clearance processing can be carried out to the operation behavior.
The determination unit 33 detects described in the application program do not load if can be also used for the detection unit 32
The nonsystematic dynamic link library of terminal device, it is determined that the operation behavior is safety behavior.The determination unit 33 or sheet
If the detection unit 32 detects the nonsystematic dynamic link library that the application program does not load the terminal device in device,
Then determine that the operation behavior is the functional module of safety behavior.In order to guarantee the safety of terminal device, the behaviour is being determined
Make behavior as prevention or intercept process can be carried out to the hazardous act after hazardous act.
In concrete application scene, in order to determine whether the application program loads the nonsystematic dynamic of the terminal device
Chained library, the detection unit 32 include: detection module 321 and determining module 322, as shown in Figure 4.
The detection module 321 can be used for detecting the corresponding load road of dynamic link library in the call stack feature
Whether diameter meets default load path.
The determining module 322, if can be used for the detection module 321 detects dynamic chain in the call stack feature
It connects the corresponding load path in library and does not meet default load path, it is determined that the application program loads the non-system of the terminal device
System dynamic link library.
The determining module 322, if specifically can be used for the detection module 321 detects moving in the call stack feature
The corresponding load path of state chained library meets default load path, it is determined that the application program does not load the terminal device
Nonsystematic dynamic link library.
Whether the detection module 321 is also used to detect the corresponding signature of dynamic link library in the call stack feature
Meet default signature.
The determining module 322, if being also used to the detection module 321 detects dynamic link in the call stack feature
The corresponding signature in library meets default signature, it is determined that the application program does not load the nonsystematic dynamic chain of the terminal device
Connect library.
The determining module 322, if detecting the dynamic link in the call stack feature specifically for the detection module
The corresponding wrong tally signature in library closes default signature, it is determined that the application program loads the nonsystematic dynamic link of the terminal device
Library.
For the embodiment of the present invention, in order to avoid there is a situation where protection to report by mistake, that is, avoids loading application program and infuse
The case where nonsystematic dynamic link library of volume, the case where wrong report by mistake as malicious code attacking system process, described device further include: sentence
Disconnected unit 34.
The judging unit 34 can be used for judging whether the nonsystematic dynamic link library of load is registered nonsystematic
Dynamic link library.
The determination unit 33, if the nonsystematic dynamic link library that can be also used for the judgement of judging unit 34 load is
Registered nonsystematic dynamic link library, it is determined that the operation behavior is safety behavior;
The determination unit 33, if specifically can be used for the nonsystematic dynamic link library of the judgement of judging unit 34 load
Not registered nonsystematic dynamic link library, it is determined that the operation behavior is hazardous act.
In concrete application scene, the judging unit 34 specifically can be used for judging the nonsystematic dynamic link of load
Whether library is the nonsystematic dynamic link library preset in registered nonsystematic dynamic link library list;If the judgment module is sentenced
The nonsystematic dynamic link library of disconnected load is the nonsystematic dynamic link preset in registered nonsystematic dynamic link library list
Library, it is determined that the nonsystematic dynamic link library of load is registered nonsystematic dynamic link library.
The detection unit 32, can be also used for detecting dynamic link library in the call stack feature whether with default tune
Storehouse matching is linked with the Safety actuality in stack feature database, the default call stack feature database is corresponding according to sample safety behavior
Security invocation stack feature construction, the Safety actuality chained library is the dynamic link library in the security invocation stack feature;
The determination unit 33, if the dynamic link library for being specifically also used to detect in the call stack feature and default calling
Safety actuality chained library in stack feature database mismatches, it is determined that the operation behavior is hazardous act.
In concrete application scene, in order to locally capture application program to the operation row of the terminal device in terminal device
For corresponding call stack feature, the capturing unit 31 may include: monitoring module 311, Hooking module 312 and backtracking module
313。
The monitoring module 311, in the process that can be used for for default trapping module being injected into the Unknown Applications,
Monitor the operation behavior.
The Hooking module 312 can be used for utilizing the system application layer for presetting hooking function to the terminal device
Power function is linked up with, and is called with intercepting the corresponding system of the operation behavior;
The backtracking module 313 can be used for being recalled using default stack information function and call progress stack letter to the system
Breath backtracking, obtains the corresponding call stack feature of the operation behavior.
For the embodiment of the present invention, in order to guarantee the safety of terminal device data, described device can also include: processing
Unit 35.
The processing unit 35 can be used for carrying out intercept process to the operation behavior, and by the unknown applications journey
Sequence is added in pre-set programs blacklist.The processing unit 35 is to carry out intercept process to the operation behavior in the present apparatus,
And the Unknown Applications are added to the functional module in pre-set programs blacklist.
It should be noted that each function mould involved by a kind of terminal device systematic protection device provided in an embodiment of the present invention
Other corresponding descriptions of block, can be with reference to the corresponding description of method shown in Fig. 1, and details are not described herein.
Based on above-mentioned method as shown in Figure 1, correspondingly, the embodiment of the invention also provides a kind of computer-readable storage mediums
Matter is stored thereon with computer program, which performs the steps of locally to capture in terminal device when being executed by processor and answer
With the corresponding call stack feature of operation behavior of the program to the terminal device;The application is detected using the call stack feature
Whether program loads the nonsystematic dynamic link library of the terminal device;If so, determining that the operation behavior is hazardous act;
If not, it is determined that the operation behavior is safety behavior.
Embodiment based on above-mentioned method as shown in Figure 1 and terminal device systematic protection device as shown in Figure 3, the present invention are real
It applies example and additionally provides a kind of entity structure diagram of computer equipment, as shown in figure 5, the device includes: processor 41, memory
42 and it is stored in the computer program that can be run on memory 42 and on a processor, wherein memory 42 and processor 41 are equal
Setting is performed the steps of when processor 41 described in bus 43 executes described program locally to be captured in terminal device using journey
The corresponding call stack feature of the operation behavior of terminal device described in ordered pair;The application program is detected using the call stack feature
Whether the nonsystematic dynamic link library of the terminal device is loaded;If so, determining that the operation behavior is hazardous act;If
It is no, it is determined that the operation behavior is safety behavior.The equipment further include: bus 43 is configured as coupling processor 41 and deposits
Reservoir 42.
According to the technical solution of the present invention, application program can locally be captured to the behaviour of the terminal device in terminal device
Make the corresponding call stack feature of behavior.And it can detect whether the application program loads the end using the call stack feature
The nonsystematic dynamic link library of end equipment;If so, determining that the operation behavior is hazardous act;If not, it is determined that the behaviour
Making behavior is safety behavior, determines the case where terminal device system process is attacked so as to realize, realizes system process leakage
Hole protection, and then it is able to ascend the safety of terminal device.
The embodiment of the present invention also provides the following technical solutions:
A1, a kind of terminal device system protection method, comprising:
Application program is locally captured to the corresponding call stack feature of the operation behavior of the terminal device in terminal device;
The nonsystematic the dynamic chain whether application program loads the terminal device is detected using the call stack feature
Connect library;
If so, determining that the operation behavior is hazardous act;
If not, it is determined that the operation behavior is safety behavior.
A2, method as described in a1, it is described whether the utilization call stack feature detection application program loads
The nonsystematic dynamic link library of terminal device, comprising:
Whether the corresponding load path of dynamic link library detected in the call stack feature meets default load path;
If not meeting, it is determined that the application program loads the nonsystematic dynamic link library of the terminal device;
If meeting, it is determined that the application program does not load the nonsystematic dynamic link library of the terminal device.
A3, as described in A2 method, the determination application program load the nonsystematic dynamic chain of the terminal device
Before connecing library, the method also includes:
Detect whether the corresponding signature of the dynamic link library in the call stack feature meets default signature;
If meeting, it is determined that the application program does not load the nonsystematic dynamic link library of the terminal device;
The determination application program loads the nonsystematic dynamic link library of the terminal device, comprising:
If not meeting, it is determined that the application program loads the nonsystematic dynamic link library of the terminal device.
The described in any item methods of A4, such as A1-A3, before the determination operation behavior is hazardous act, the side
Method further include:
Whether the nonsystematic dynamic link library for judging load is registered nonsystematic dynamic link library;
If so, determining that the operation behavior is safety behavior;
The determination operation behavior is hazardous act, comprising:
If not, it is determined that the operation behavior is hazardous act.
A5, the method as described in A4, whether the nonsystematic dynamic link library for judging load is registered nonsystematic
Dynamic link library, comprising:
Whether the nonsystematic dynamic link library for judging load is to preset in registered nonsystematic dynamic link library list
Nonsystematic dynamic link library;
If so, determining that the nonsystematic dynamic link library of load is registered nonsystematic dynamic link library.
A6, method as described in a1, before the determination operation behavior is hazardous act, the method also includes:
Detect dynamic link library in the call stack feature whether with the Safety actuality chain in default call stack feature database
Storehouse matching is connect, the default call stack feature database is according to the corresponding security invocation stack feature construction of sample safety behavior, institute
Stating Safety actuality chained library is the dynamic link library in the security invocation stack feature;
The determination operation behavior is hazardous act, comprising:
If not, it is determined that the operation behavior is hazardous act.
A7, method as described in a1, it is described in terminal device locally operation of the capture application program to the terminal device
The corresponding call stack feature of behavior, comprising:
Default trapping module is injected into the process of the application program, monitors the operation behavior;
It is linked up with using power function of the default hooking function to the system application layer of the terminal device, to intercept
The corresponding system of operation behavior is stated to call;
The system is called using default stack information backtracking function and carries out the backtracking of stack information, obtains the operation behavior pair
The call stack feature answered.
A8, method as described in a1, the determination operation behavior be hazardous act after, the method also includes:
Intercept process is carried out to the risky operation behavior, and the application program is added to pre-set programs blacklist
In.
B9, a kind of terminal device systematic protection device, comprising:
Capturing unit, for locally capture application program to be corresponding to the operation behavior of the terminal device in terminal device
Call stack feature;
Detection unit, for detecting whether the application program loads the terminal device using the call stack feature
Nonsystematic dynamic link library;
Determination unit, if for the detection unit detect the application program load the terminal device nonsystematic it is dynamic
State chained library, it is determined that the operation behavior is hazardous act;
The determination unit does not load the terminal device if being also used to the detection unit and detecting the application program
Nonsystematic dynamic link library, it is determined that the operation behavior be safety behavior.
B10, the device as described in B9, the detection unit include:
Detection module, it is pre- whether the corresponding load path of dynamic link library for detecting in the call stack feature meets
If load path;
Determining module, if detecting the corresponding load of dynamic link library in the call stack feature for the detection module
Path does not meet default load path, it is determined that the application program loads the nonsystematic dynamic link library of the terminal device;
The determining module, if detecting the dynamic link library pair in the call stack feature specifically for the detection module
The load path answered meets default load path, it is determined that the nonsystematic that the application program does not load the terminal device is dynamic
State chained library.
B11, the device as described in B10,
The detection module, is also used to detect whether the corresponding signature of the dynamic link library in the call stack feature meets
Default signature;
The determining module, if it is corresponding to be also used to the dynamic link library that the detection module detects in the call stack feature
Signature meet default signature, it is determined that the application program does not load the nonsystematic dynamic link library of the terminal device;
The determining module, if detecting the dynamic link library pair in the call stack feature specifically for the detection module
The wrong tally signature answered closes default signature, it is determined that the application program loads the nonsystematic dynamic link library of the terminal device.
The described in any item devices of B12, such as B9-B11, described device further include: judging unit,
The judging unit, for judging whether the nonsystematic dynamic link library of load is registered nonsystematic dynamic chain
Connect library;
The determination unit judges the nonsystematic dynamic link library of load to be registered if being also used to the judging unit
Nonsystematic dynamic link library, it is determined that the operation behavior is safety behavior;
The determination unit, if not having been infused specifically for the nonsystematic dynamic link library of judging unit judgement load
The nonsystematic dynamic link library of volume, it is determined that the operation behavior is hazardous act.
B13, as described in B12 device,
The judging unit, specifically for judging whether the nonsystematic dynamic link library of load is to preset registered non-system
Nonsystematic dynamic link library in system dynamic link library list;If the nonsystematic dynamic link library of the judgment module judgement load
To preset the nonsystematic dynamic link library in registered nonsystematic dynamic link library list, it is determined that the nonsystematic dynamic of load
Chained library is registered nonsystematic dynamic link library.
B14, as described in B12 device,
Whether the detection unit, the dynamic link library for being also used to detect in the call stack feature are special with default call stack
It levies the Safety actuality in library and links storehouse matching, the default call stack feature database is to be adjusted according to the corresponding safety of sample safety behavior
With stack feature construction, the Safety actuality chained library is the dynamic link library in the security invocation stack feature;
The determination unit, if being specifically also used to detect the dynamic link library and default call stack in the call stack feature
Safety actuality chained library in feature database mismatches, it is determined that the operation behavior is hazardous act.
B15, as described in B12 device, the capturing unit include:
Monitoring module monitors the operation row for default trapping module to be injected into the process of the application program
For;
Hooking module, for being carried out using power function of the default hooking function to the system application layer of the terminal device
Hook is called with intercepting the corresponding system of the operation behavior;
Backtracking module is carried out the backtracking of stack information for being called using default stack information backtracking function to the system, obtained
The corresponding call stack feature of the operation behavior.
B16, the device as described in B9, described device further include:
Processing unit for carrying out intercept process to the risky operation behavior, and the application program is added to pre-
If in program blacklist.
C17, a kind of computer readable storage medium, are stored thereon with computer program, and the computer program is processed
The step of method as described in any one of A1 to A8 is realized when device executes.
D18, a kind of computer equipment, including memory, processor and storage can transport on a memory and on a processor
Capable computer program, the processor realize the step such as any one of A1 to A8 the method when executing the computer program
Suddenly.
In the above-described embodiments, it all emphasizes particularly on different fields to the description of each embodiment, there is no the portion being described in detail in some embodiment
Point, reference can be made to the related descriptions of other embodiments.
It is understood that the correlated characteristic in the above method and device can be referred to mutually.In addition, in above-described embodiment
" first ", " second " etc. be and not represent the superiority and inferiority of each embodiment for distinguishing each embodiment.
It is apparent to those skilled in the art that for convenience and simplicity of description, the system of foregoing description,
The specific work process of device and unit, can refer to corresponding processes in the foregoing method embodiment, and details are not described herein.
Algorithm and display are not inherently related to any particular computer, virtual system, or other device provided herein.
Various general-purpose systems can also be used together with teachings based herein.As described above, it constructs required by this kind of system
Structure be obvious.In addition, the present invention is also not directed to any particular programming language.It should be understood that can use various
Programming language realizes summary of the invention described herein, and the description done above to language-specific is to disclose this hair
Bright preferred forms.
In the instructions provided here, numerous specific details are set forth.It is to be appreciated, however, that implementation of the invention
Example can be practiced without these specific details.In some instances, well known method, structure is not been shown in detail
And technology, so as not to obscure the understanding of this specification.
Similarly, it should be understood that in order to simplify the disclosure and help to understand one or more of the various inventive aspects,
Above in the description of exemplary embodiment of the present invention, each feature of the invention is grouped together into single implementation sometimes
In example, figure or descriptions thereof.However, the disclosed method should not be interpreted as reflecting the following intention: i.e. required to protect
Shield the present invention claims features more more than feature expressly recited in each claim.More precisely, as following
Claims reflect as, inventive aspect is all features less than single embodiment disclosed above.Therefore,
Thus the claims for following specific embodiment are expressly incorporated in the specific embodiment, wherein each claim itself
All as a separate embodiment of the present invention.
Those skilled in the art will understand that can be carried out adaptively to the module in the equipment in embodiment
Change and they are arranged in one or more devices different from this embodiment.It can be the module or list in embodiment
Member or component are combined into a module or unit or component, and furthermore they can be divided into multiple submodule or subelement or
Sub-component.Other than such feature and/or at least some of process or unit exclude each other, it can use any
Combination is to all features disclosed in this specification (including adjoint claim, abstract and attached drawing) and so disclosed
All process or units of what method or apparatus are combined.Unless expressly stated otherwise, this specification is (including adjoint power
Benefit require, abstract and attached drawing) disclosed in each feature can carry out generation with an alternative feature that provides the same, equivalent, or similar purpose
It replaces.
In addition, it will be appreciated by those of skill in the art that although some embodiments described herein include other embodiments
In included certain features rather than other feature, but the combination of the feature of different embodiments mean it is of the invention
Within the scope of and form different embodiments.For example, in the following claims, embodiment claimed is appointed
Meaning one of can in any combination mode come using.
Various component embodiments of the invention can be implemented in hardware, or to run on one or more processors
Software module realize, or be implemented in a combination thereof.It will be understood by those of skill in the art that can be used in practice
Microprocessor or digital signal processor (DSP) are realized in terminal device systematic protection device according to an embodiment of the present invention
Some or all components some or all functions.The present invention is also implemented as executing side as described herein
Some or all device or device programs (for example, computer program and computer program product) of method.It is such
It realizes that program of the invention can store on a computer-readable medium, or can have the shape of one or more signal
Formula.Such signal can be downloaded from an internet website to obtain, and perhaps be provided on the carrier signal or with any other shape
Formula provides.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and ability
Field technique personnel can be designed alternative embodiment without departing from the scope of the appended claims.In the claims,
Any reference symbol between parentheses should not be configured to limitations on claims.Word "comprising" does not exclude the presence of not
Element or step listed in the claims.Word "a" or "an" located in front of the element does not exclude the presence of multiple such
Element.The present invention can be by means of including the hardware of several different elements and being come by means of properly programmed computer real
It is existing.In the unit claims listing several devices, several in these devices can be through the same hardware branch
To embody.The use of word first, second, and third does not indicate any sequence.These words can be explained and be run after fame
Claim.