CN109800571A - Event-handling method and device and storage medium and electronic device - Google Patents


Info

Publication number: CN109800571A (granted as CN109800571B)
Authority: CN (China)
Prior art keywords: thread, object event, active, event, user
Legal status: Granted
Application number: CN201811645705.3A
Other languages: Chinese (zh)
Other versions: CN109800571B (en)
Inventors: 王明广, 杨晓东, 游勇
Current assignees: Qax Technology Group Inc; Qianxin Safety Technology Zhuhai Co Ltd
Original assignees: 360 Enterprise Safety Technology (Zhuhai) Co Ltd; Beijing Qianxin Technology Co Ltd
Legal events: application filed by 360 Enterprise Safety Technology (Zhuhai) Co Ltd and Beijing Qianxin Technology Co Ltd with priority to CN201811645705.3A; published as CN109800571A; application granted and published as CN109800571B; current legal status active.

Landscapes

  • Debugging And Monitoring (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The present invention provides an event-handling method and device, a storage medium and an electronic device. The method comprises: when it is detected that a target event has been received, obtaining target information about the target thread that received the target event; judging, using the target information, whether the target event was triggered by a user operation behavior; if so, allowing the target thread to execute the operation corresponding to the target event; if not, forbidding the target thread from executing that operation. The invention solves the problem in the related art that a malicious action performed by a virus in the background may be mistaken for normal behavior actively initiated by the user and let through, causing loss to the user.

Description

Event-handling method and device and storage medium and electronic device
Technical field
The present invention relates to the field of computers, and in particular to an event-handling method and device, a storage medium and an electronic device.
Background art
As the Internet becomes increasingly popular, people rely more and more on computers to handle all kinds of affairs, more and more files are processed and transmitted in the form of electronic documents, and electronic information assets have become one of the most important assets of modern times; how to protect electronic documents is therefore particularly important.
Typically hundreds or thousands of programs run on a user's computer, and malicious programs have long coveted the private files on it. The protection approach of most current endpoint security software is to identify and remove viruses and trojans. This works reasonably well against known viruses, but it is hard to achieve the expected effect against the malicious actions of unknown viruses, so a malicious action performed by a virus in the background may be mistaken for normal behavior actively initiated by the user and let through, leading to problems such as leakage or damage of user data.
For the above problem in the related art, no effective solution has yet been found.
Summary of the invention
The embodiment of the present invention provides an event-handling method and device, a storage medium and an electronic device.
According to one embodiment of the present invention, an event-handling method is provided, comprising: when it is detected that a target event has been received, obtaining target information about the target thread that received the target event; judging, using the target information, whether the target event was triggered by a user operation behavior; if so, allowing the target thread to execute the operation corresponding to the target event; if not, forbidding the target thread from executing that operation.
Further, the target information includes current stack information, and judging whether the target event was triggered by a user operation behavior using the target information comprises: judging whether the current stack information of the target thread matches a preset stack feature, where the preset stack feature is a feature extracted in advance from the stack information of threads that received user operation behaviors; if it matches, the target event is determined to have been triggered by a user operation behavior.
Further, after determining that the target event was triggered by a user operation behavior, the method further includes adding the target thread to a target set. The target set also holds the active processes and active threads determined from the processes and threads of the operating system using preset rules, which are: a thread that receives a response message for an input-device window interface is an active thread; a child thread created by an active thread in the target set is an active thread; a child process created by an active thread in the target set is an active process; and the main thread of an active process in the target set is an active thread. After judging whether the current stack information of the target thread matches the preset stack feature, the method further includes: if it does not match, judging whether the target thread is in the target set, where if the target thread is not in the target set, the target event is determined not to have been triggered by a user operation behavior.
Further, when judging whether the target thread is in the target set, the method further includes: tracing the target thread back a specified number of levels and judging whether the thread at each level is in the target set; if so, the target event was triggered by a user operation behavior, and if not, the target event was not triggered by a user operation behavior.
Further, when a process or thread in the target set terminates, the corresponding process or thread is deleted from the target set.
Further, before obtaining the target information of the target thread that received the target event, the method further includes: monitoring, using a hook mechanism, whether a target function of the operating system is called; if so, it is determined that a target event has been detected.
Further, the target function is used to open a target file, and the target information includes the permission requested by the call to the target function. Before judging whether the target event was triggered by a user operation behavior using the target information, the method further includes: judging whether the permission requested by the call to the target function includes read or write permission on the content of the target file; if so, judging whether the target event was triggered by a user operation behavior using the target information, and if not, allowing the target thread to call the target function.
Further, the target function is used to open a target file, and before forbidding the target thread from executing the operation corresponding to the target event, the method further includes: judging whether the target file has been dragged, copied or pasted; if so, allowing the target thread to call the target function, and if not, forbidding the target thread from calling the target function.
Further, before judging whether the target event was triggered by a user operation behavior using the target information, the method further includes: judging whether the target event is being executed by specified vulnerability code; if so, forbidding the target thread from executing the operation corresponding to the target event, and if not, judging whether the target event was triggered by a user operation behavior using the target information.
According to another embodiment of the present invention, an event-processing device is provided, comprising: an acquiring unit for obtaining, when it is detected that a target event has been received, the target information of the target thread that received the target event; a judging unit for judging, using the target information, whether the target event was triggered by a user operation behavior; a first execution unit for allowing the target thread to execute the operation corresponding to the target event if so; and a second execution unit for forbidding the target thread from executing that operation if not.
According to still another embodiment of the present invention, a storage medium is also provided, in which a computer program is stored, where the computer program is arranged to execute the steps of any of the above method embodiments when run.
According to still another embodiment of the present invention, an electronic device is also provided, including a memory and a processor, where a computer program is stored in the memory and the processor is arranged to run the computer program so as to execute the steps of any of the above method embodiments.
The event-handling method provided in the embodiment of the present invention proposes a new technical solution for event handling: it judges whether a received target event is a user operation behavior, that is, whether the target thread that received the target event is an active thread as described in the embodiment, and takes different processing strategies according to the result. This event-interception approach differs from the prior art and solves the problem in the related art that a malicious action performed by a virus in the background may be mistaken for normal behavior actively initiated by the user and let through, causing loss to the user, thereby improving the accuracy of virus detection and removal.
Detailed description of the invention
The drawings described herein are provided for a further understanding of the present invention and constitute part of this application; the illustrative embodiments of the present invention and their description are used to explain the present invention and do not constitute improper limitations of it. In the drawings:
Fig. 1 is a hardware block diagram of a computer device according to an embodiment of the present invention;
Fig. 2 is a flow chart of an optional event-handling method according to an embodiment of the present invention;
Fig. 3 is a flow chart of obtaining the active process/thread set in another optional event-handling method according to an embodiment of the present invention;
Fig. 4 is a flow chart of another optional event-handling method according to an embodiment of the present invention;
Fig. 5 is a structural block diagram of an optional event-processing device according to an embodiment of the present invention.
Specific embodiment
Hereinafter, the present invention will be described in detail with reference to the accompanying drawings and in combination with the embodiments. It should be noted that, where there is no conflict, the embodiments of the present application and the features in them can be combined with each other.
It should be noted that the terms "first", "second" and the like in the description, claims and drawings are used to distinguish similar objects and do not describe a particular order or sequence.
Embodiment 1
The method embodiment provided in Embodiment 1 of the present application can be executed on a mobile terminal, a computer device, a server or a similar computing apparatus. Taking execution on a computer device as an example, Fig. 1 is a hardware block diagram of a computer device according to an embodiment of the present invention. As shown in Fig. 1, the computer device may include one or more processors 102 (only one is shown in Fig. 1; the processor 102 may include, but is not limited to, a processing unit such as a microcontroller (MCU) or a programmable logic device (FPGA)) and a memory 104 for storing data; optionally, the computer device may also include a transmission device 106 for communication functions and an input/output device 108. Those skilled in the art will appreciate that the structure shown in Fig. 1 is illustrative only and does not limit the structure of the computer device. For example, the computer device may include more or fewer components than shown in Fig. 1, or a configuration different from that shown in Fig. 1.
The memory 104 can be used to store computer programs, for example the software programs and modules of application software, such as the computer program corresponding to the event-handling method in the embodiment of the present invention. The processor 102 executes various functional applications and data processing, that is, implements the above method, by running the computer program stored in the memory 104. The memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102; such remote memory may be connected to the mobile terminal 10 through a network. Examples of the network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network and combinations thereof.
The transmission device 106 is used to receive or send data via a network. Specific examples of the network may include a wireless network provided by the communication provider of the computer device. In one example, the transmission device 106 includes a network interface controller (NIC), which can be connected to other network devices through a base station so as to communicate with the Internet. In one example, the transmission device 106 can be a radio frequency (RF) module used to communicate with the Internet wirelessly.
The present embodiment provides an event-handling method that runs on a computer device. Fig. 2 is a flow chart of the event-handling method according to an embodiment of the present invention; as shown in Fig. 2, the process includes the following steps:
Step 201: when it is detected that a target event has been received, obtain the target information of the target thread that received the target event;
Step 202: judge, using the target information, whether the target event was triggered by a user operation behavior;
Step 203: if so, allow the target thread to execute the operation corresponding to the target event;
Step 204: if not, forbid the target thread from executing the operation corresponding to the target event.
An event can be triggered by a user's operation of an input device (for example, a mouse or keyboard), and can also be triggered by a malicious program. The embodiment of the present invention provides an event-handling method that decides whether to execute the operation corresponding to a monitored target event by judging whether that event was initiated by a user operation behavior.
An event can drive the operating system to execute a certain service or function (operation). For example, the event may be opening a file, which can be triggered by the user double-clicking a file with the left mouse button, dragging it, and so on; opening a file can mean reading file attributes or file content, writing the file, and so on.
In the embodiment of the present invention, the target event refers to a pre-specified event, such as opening a file as described above. Since both a user's normal operation on a file and a malicious program's theft or destruction of a file require the file to be opened first, when the method provided by the embodiment is applied to the field of data security protection, the target event can be specified as the event of opening a file.
The specific way of monitoring whether a target event has been received can be determined according to the specific needs and the operating system. For example, it can be judged by monitoring whether the operating system receives the message corresponding to the target event: if the corresponding message is received, it is determined that the target event has been detected; if not, it is determined that the target event has not been detected.
As another example, the operation corresponding to a specified target event usually needs to call a function (service) provided by the operating system. Hence, the hook mechanism of the operating system can be used to monitor whether the target function provided by the operating system (the operating-system function that the target event needs to call) is called; if the target function is observed being called, it is determined that the target event has been received.
For example, taking the target event of opening a file, the operating system API functions NtCreateFile, NtOpenFile and the like can be hooked to intercept the file-open event.
It should be noted that the hook mechanism is a monitoring method: it intercepts calls to the target function and invokes a predefined filter function. In the embodiment of the present invention, the filter function is used to judge whether the target thread that received the target event is an active thread; if so, the target thread is allowed to execute the operation corresponding to the target event, and if not, the target thread is forbidden from executing it.
The target thread refers to the thread that received the target event. A thread is the smallest unit of program execution flow and is an entity within a process. When it is detected that a target event has been received, the target information of the target thread that received the target event is obtained. The target information may include the stack information of the target thread, the permission requested by the target event, and so on.
When judging whether the target event was triggered by the user's active operation behavior, features extracted in advance from the thread stack information (call stack information) of user active operation behaviors can be matched against the stack information of the target thread.
Specifically, the stack information of threads that received user operation behaviors is collected in advance and its features are extracted by taking the key elements of the stack information, such as the stack call sequence number, module name, function name and function offset, summarising them into formatted data and storing them in a stack feature database. Building the stack feature database may involve manual participation.
Each stack feature in the stack feature database is matched against the current stack information of the target thread; if the current stack information of the target thread matches any preset stack feature in the database, the target thread is determined to be an active thread.
The embodiment of the present invention introduces a concept called the "active thread", denoting a thread in which a user active operation behavior exists. In addition, active threads also include the child threads created by threads in which a user active operation behavior exists, the main threads of child processes created by such threads, and threads in the operating system that have received a response message for an input-device window interface. It should be noted that an active thread is not the same as a main thread: a main thread usually refers to the thread that starts running as soon as a process is created, whereas the active process defined in the embodiment of the present invention is related to the user's active operation behavior.
Further, if the current stack information of the target thread matches none of the preset stack features in the stack feature database, it can continue to be judged whether the target thread is an active thread according to whether it is a child thread created by an active thread, the main thread of a child process created by an active thread, or a thread that has received a response message for an input-device window interface.
One optional implementation is to establish and update a target set that contains the known active threads and active processes in the operating system. Specifically, after the target thread is determined to be an active thread by stack feature matching, the target thread is added to the target set, and the active processes and active threads in the operating system are determined using the following rules:
1. A thread that receives a response message for an input-device window interface is an active thread;
2. A child thread created by an active thread in the target set is an active thread;
3. A child process created by an active thread in the target set is an active process;
4. The main thread created for an active process in the target set is an active thread.
Rule 1 can be implemented by hooking the message dispatch API function DispatchMessage called by the operating system: when it is determined that the message dispatch API function returned a response message for an input-device window interface to the target thread, the target thread is determined to be an active thread.
Rules 2, 3 and 4 can be implemented by hooking the basic APIs for creating processes and threads in the operating system (such as NtCreateUserProcess and NtCreateThreadEx).
The active threads and active processes determined according to the above four rules are added to the target set. That is, the target set contains the active processes and threads determined by the four rules, plus the threads whose stacks successfully matched any preset stack feature after a target event was received.
It should be noted that if the stack information of the target thread does not match the preset stack features and the target thread is in the target set, the target thread is further traced back n (a predetermined number of) levels; only if the threads at all n levels are in the target set is it finally determined that the target event was triggered by a user operation behavior (that is, that the target thread is an active thread). Otherwise, if the thread at some traced level is not in the target set, it is determined that the target event was not triggered by a user operation behavior.
When a process or thread in the operating system terminates, it is judged whether it is in the target set; if so, the corresponding process or thread is deleted from the target set.
After it is judged that the target event was triggered by a user operation behavior, the target thread is allowed to execute the operation corresponding to the target event; otherwise, the target thread is forbidden from executing it. Further, after each execution of the operation corresponding to a target event, a work log can be recorded and sent to the server side for further analysis.
Optionally, to speed up the response to the target event and improve processing efficiency, before judging whether the target event was triggered by a user operation behavior using the target information, it can first be judged whether the target event is being executed by specified vulnerability code (such as shellcode). If it is judged that the target event is not being executed by such code, the judgement of whether the target event was triggered by a user operation behavior using the target information is carried out; otherwise, the target event is determined to be executed by a malicious program rather than by a user operation behavior, and execution of the operation corresponding to the target event is forbidden.
The event-handling method provided in the embodiment of the present invention proposes a new technical solution for event handling: it judges whether a received target event is a user operation behavior, that is, whether the target thread that received the target event is an active thread as described in the embodiment, and takes different processing strategies according to the result. This event-interception approach differs from the prior art and solves the problem in the related art that a malicious action performed by a virus in the background may be mistaken for normal behavior actively initiated by the user and let through, causing loss to the user, thereby improving the accuracy of virus detection and removal.
The flow of using the event-handling method provided by the embodiment of the present invention to handle the file-open event scenario in the Windows operating system is described in detail below:
First aspect, establishing/updating the stack feature database: the stack information of threads performing the user's normal file operations is collected, some key elements are extracted from it, such as the stack call sequence number, module name, function name and function offset, these are formatted, and a stack feature is summarised from the formatted key elements. After a stack feature is obtained, it is added to the stack feature database, which stores many stack features of user active operation behaviors.
Second aspect, establishing/updating the active process/thread set: as shown in Fig. 3, the following rules are used to determine whether a thread is an active thread:
1. Hook the message dispatch API function DispatchMessage called by the operating system; a thread that receives a response message for an input-device window interface is an active thread;
2. Hook the basic thread-creation API of the operating system, such as NtCreateThreadEx; a child thread created by an active thread in the active process/thread set is an active thread;
3. Hook the basic process-creation API of the operating system, such as NtCreateUserProcess; a child process created by an active thread in the active process/thread set is an active process;
4. Hook the basic thread-creation API of the operating system, such as NtCreateThreadEx; the main thread created for an active process in the active process/thread set is an active thread.
In addition, as shown in Fig. 3, the active process/thread set also includes the threads successfully matched against the stack feature database. Specifically, a specified event is intercepted, for example by hooking the operating system API functions NtCreateFile, NtOpenFile and the like to intercept the file-open event; the thread's stack information is obtained, and if it matches any stack feature in the stack feature database, the thread is determined to be an active thread and added to the active process/thread set.
Third aspect, the flow of monitoring and handling the file-open event, as shown in Fig. 4:
A hook intercepts the file-open service API functions provided by the operating system, such as NtCreateFile and NtOpenFile. When a file-open event occurs, before the file-open service is called, the information related to the file-open event is captured: the requested permission and the stack information of the corresponding thread (including the current API call procedure information).
If it is determined that the requested permission does not include read or write permission on the file content, opening the file is allowed. If the requested permission does include read or write permission on the file content, it is first judged whether the event is being executed by shellcode; if so, opening the file is forbidden, and if not, it is judged whether the file-open event was triggered by the user's active operation behavior, that is, whether the thread that received the file-open event is an active thread.
When judging whether the file-open event was triggered by the user's active operation behavior, each stack feature in the stack feature database is matched against the stack information of the thread opening the file. If a feature matches successfully, the thread is determined to be an active thread, that is, opening the file is a user active operation behavior, and opening the file is allowed; otherwise, it is judged whether the thread is in the active process/thread set. If the thread is in the active process/thread set, it is further necessary to trace back a specified number of levels and verify whether the thread at each traced level is in the active process/thread set; if all are, the thread is determined to be an active thread.
If the current thread is not an active thread, or the thread at any traced level is not an active thread, it is further judged whether the file was dragged, copied or pasted; if so, opening the file is determined to be a user active operation behavior, and otherwise opening the file is prevented.
Further, each time opening a file is forbidden, a log is recorded and sent to the server side for further analysis.
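As an added illustration (not code from the patent or its assignees), the following Python simulates the three aspects above end to end: key-element extraction for the stack feature database, the active process/thread set maintained from the hooked DispatchMessage, NtCreateThreadEx and NtCreateUserProcess events, and the allow/deny decision at the NtCreateFile/NtOpenFile hook, including the trace-back and the drag/copy/paste fallback. All thread ids, module names and stacks are constructed sample data, the hook events arrive as plain function calls rather than real hooks, and dropping function offsets from the feature and ending the trace-back at a thread with no recorded creator are assumptions of this example.

```python
def extract_feature(stack):
    """Format a raw call stack (list of {module, function, offset} dicts, innermost
    frame first) into the key elements the feature database stores: (call index,
    module, function). Offsets are left out so features survive rebuilds (assumption)."""
    return tuple((i, f["module"].lower(), f["function"]) for i, f in enumerate(stack))


class ActiveSet:
    """Active threads/processes maintained from the hooked DispatchMessage,
    NtCreateThreadEx and NtCreateUserProcess events (rules 1 to 4 of the patent)."""

    def __init__(self):
        self.threads, self.processes, self.creator = set(), set(), {}

    def on_dispatch_message(self, tid, is_input_window_message):   # rule 1
        if is_input_window_message:
            self.threads.add(tid)

    def on_create_thread(self, creator_tid, new_tid):              # rule 2
        self.creator[new_tid] = creator_tid
        if creator_tid in self.threads:
            self.threads.add(new_tid)

    def on_create_process(self, creator_tid, new_pid, main_tid):   # rules 3 and 4
        self.creator[main_tid] = creator_tid
        if creator_tid in self.threads:
            self.processes.add(new_pid)
            self.threads.add(main_tid)

    def on_exit(self, tid=None, pid=None):   # terminated threads/processes leave the set
        self.threads.discard(tid)
        self.processes.discard(pid)

    def is_active(self, tid, levels):
        """The thread and up to `levels` creator ancestors must all be in the set;
        a thread with no recorded creator ends the walk early (assumption)."""
        cur = tid
        for _ in range(levels + 1):
            if cur not in self.threads:
                return False
            if cur not in self.creator:
                return True
            cur = self.creator[cur]
        return True


def handle_open_file(req, features, active, levels=2):
    """Decision at the NtCreateFile/NtOpenFile hook. req holds tid, access (set of
    requested rights), stack, shellcode (bool) and user_file_op (bool: the file was
    dragged, copied or pasted). Returns 'allow' or 'deny'."""
    if not (req["access"] & {"read", "write"}):
        return "allow"                  # no content access requested: not filtered
    if req["shellcode"]:
        return "deny"                   # executed from shellcode: never a user action
    if extract_feature(req["stack"]) in features:
        active.threads.add(req["tid"])  # stack matched: the thread becomes active
        return "allow"
    if active.is_active(req["tid"], levels):
        return "allow"                  # in the set, and so are its traced creators
    if req["user_file_op"]:
        return "allow"                  # the file was dragged, copied or pasted
    return "deny"                       # would be logged and reported to the server


# Constructed sample stacks (innermost frame first); nothing here is real data.
USER_OPEN_STACK = [  # a double-click handled in a file manager's message loop
    {"module": "ntdll.dll", "function": "NtCreateFile", "offset": 0x14},
    {"module": "KernelBase.dll", "function": "CreateFileW", "offset": 0x66},
    {"module": "explorer.exe", "function": "OpenItem", "offset": 0x1a2},
    {"module": "user32.dll", "function": "DispatchMessageW", "offset": 0x3c},
]
BACKGROUND_STACK = [  # a worker thread with no window message in its history
    {"module": "ntdll.dll", "function": "NtCreateFile", "offset": 0x14},
    {"module": "KernelBase.dll", "function": "CreateFileW", "offset": 0x66},
    {"module": "background.exe", "function": "ScanDocuments", "offset": 0x9f},
]
FEATURES = {extract_feature(USER_OPEN_STACK)}   # the stack feature database


def request(tid, stack, access=("read",), shellcode=False, user_file_op=False):
    return {"tid": tid, "stack": stack, "access": set(access),
            "shellcode": shellcode, "user_file_op": user_file_op}


def run_demo():
    """Plays the scenarios in order and returns the verdict for each one."""
    active, out = ActiveSet(), {}
    verdict = lambda req: handle_open_file(req, FEATURES, active)
    out["user_click"] = verdict(request(100, USER_OPEN_STACK))
    active.on_create_thread(100, 101)            # rule 2: worker of the active thread
    out["child_of_user"] = verdict(request(101, BACKGROUND_STACK))
    active.on_create_process(101, 55, 550)       # rules 3, 4: process spawned by it
    out["child_process_main"] = verdict(request(550, BACKGROUND_STACK))
    out["background"] = verdict(request(200, BACKGROUND_STACK))
    out["attrs_only"] = verdict(request(200, BACKGROUND_STACK, access=("attributes",)))
    out["shellcode"] = verdict(request(101, USER_OPEN_STACK, shellcode=True))
    out["pasted"] = verdict(request(200, BACKGROUND_STACK, user_file_op=True))
    active.on_create_thread(250, 300)            # creator 250 was never active
    active.on_dispatch_message(300, True)        # rule 1 makes 300 itself active
    out["traceback_fails"] = verdict(request(300, BACKGROUND_STACK))
    active.on_exit(tid=100)                      # thread 100 terminates
    out["after_exit"] = verdict(request(100, BACKGROUND_STACK))
    return out
```

Calling run_demo() shows the two ways a thread becomes active (stack match, or inheritance from an active creator), the trace-back rejecting a thread whose creator was never active, and the metadata-only, shellcode and drag/copy/paste short cuts.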
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disk) and including instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device or the like) to execute the method described in each embodiment of the present invention.
Embodiment 2
This embodiment also provides an event processing apparatus for implementing the above event processing method embodiments and optional embodiments; descriptions already given are not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiment is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 5 is a structural block diagram of an optional event processing apparatus according to an embodiment of the present invention. As shown in Fig. 5, the apparatus includes an acquiring unit 10, a judging unit 20, a first execution unit 30 and a second execution unit 40.
The acquiring unit is configured to, when it is detected that a target event has been received, acquire target information of the target thread that received the target event; the judging unit is configured to judge, using the target information, whether the target event was triggered by a user operation; the first execution unit is configured to allow the target thread to execute the operation corresponding to the target event if it was; and the second execution unit is configured to forbid the target thread from executing the operation corresponding to the target event if it was not.
Optionally, the target information includes current stack information, and the judging unit includes a first judging module configured to judge whether the current stack information of the target thread matches a preset stack feature, where the preset stack feature is a feature extracted in advance from the stack information of a thread that received a user operation; if it matches, the target thread is determined to be an active thread.
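As an added illustration of the stack-feature match performed by the first judging module (this is example code, not code from the patent), the Python below records a feature from a constructed UI dispatch path, then inspects the call stack of another thread while its open call is in flight and reports whether that feature is present. The function names, the feature and the two call paths are constructed for the example; a real implementation matches native return addresses or module names rather than Python frame names.

```python
import sys
import threading
import traceback

# Preset stack feature: ordered function names of the UI dispatch path,
# extracted beforehand from a thread known to have received user input.
# Constructed for this example.
USER_INPUT_STACK_FEATURE = ("message_loop", "dispatch_message")


def thread_stack(thread):
    """Function names on `thread`'s current call stack, outermost frame first."""
    frame = sys._current_frames().get(thread.ident)
    if frame is None:
        return ()
    return tuple(f.name for f in traceback.extract_stack(frame))


def matches_feature(stack, feature=USER_INPUT_STACK_FEATURE):
    """True when `feature` occurs as a contiguous run of frames in `stack`."""
    n = len(feature)
    return any(stack[i:i + n] == feature for i in range(len(stack) - n + 1))


class Probe:
    """Parks the worker inside open_file so the inspector can read its stack,
    standing in for a hook that runs while the open call is in flight."""
    def __init__(self):
        self.inside = threading.Event()
        self.release = threading.Event()


def open_file(probe):
    probe.inside.set()      # hook point: the open call is now on the stack
    probe.release.wait()


# Constructed UI path: message pump -> dispatcher -> file open.
def dispatch_message(probe):
    open_file(probe)


def message_loop(probe):
    dispatch_message(probe)


# Constructed background path: timer task -> payload -> file open.
def run_payload(probe):
    open_file(probe)


def scheduled_task(probe):
    run_payload(probe)


def check_thread(entry):
    """Run `entry` on a new thread, read its stack at the open call and return
    (frame_names, matched)."""
    probe = Probe()
    worker = threading.Thread(target=entry, args=(probe,))
    worker.start()
    probe.inside.wait()
    stack = thread_stack(worker)
    probe.release.set()
    worker.join()
    return stack, matches_feature(stack)


if __name__ == "__main__":
    for entry in (message_loop, scheduled_task):
        _, ok = check_thread(entry)
        print(entry.__name__, "->", "user-triggered" if ok else "not user-triggered")
```

Run as a script, the UI path is reported as user-triggered and the scheduled-task path is not. A stack match only shows that the call passed through the UI dispatch code, so anything that executes on the UI thread itself, for instance via a posted window message, also passes it; that is why the apparatus backs the match with the active-set membership and creator backtracking checks described next.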
Optionally, the apparatus further includes an adding module configured to add the target thread to a target set after the target event has been determined to be triggered by a user operation. The target set further includes the active processes and active threads determined from the processes and threads in the operating system by preset rules, the preset rules being: a thread that receives a response message for an input-device window interface is an active thread; a child thread created by an active thread in the target set is an active thread; a child process created by an active thread in the target set is an active process; and the main thread of an active process in the target set is an active thread. The apparatus further includes a second judging module configured to judge, when the first judging module finds that the current stack information of the target thread does not match the preset stack feature, whether the target thread is in the target set; if the target thread is in the target set, the target event is determined to be triggered by a user operation.
Optionally, the apparatus further includes a backtracking module configured to, when the target thread is judged not to be in the target set, backtrack a specified number of levels from the target thread; and a third judging module configured to judge whether the thread at each level is in the target set; if so, the target event was triggered by a user operation, and if not, the target event was not triggered by a user operation.
Optionally, the apparatus further includes a deleting module configured to delete the corresponding process or thread from the target set when a process or thread in the target set terminates.
Optionally, the apparatus further includes a monitoring module configured to monitor, by means of a hook mechanism, whether a target function of the operating system is called, before the acquiring unit acquires the target information of the thread that received the target event; if the target function is called, it is determined that a target event has been received.
Optionally, where the target function is used to open a target file and the target information includes the access rights requested by the call to the target function, the apparatus further includes a fourth judging module configured to judge, before the judging unit uses the target information to judge whether the target event was triggered by a user operation, whether the requested rights include read or write access to the contents of the target file; if so, the target information is used to judge whether the target event was triggered by a user operation, and if not, the target thread is allowed to call the target function.
Optionally, where the target function is used to open a target file, the apparatus further includes a fifth judging module configured to judge, before the target thread is forbidden from executing the operation corresponding to the target event, whether the target file is being dragged, copied or pasted; if so, the target thread is allowed to call the target function, and if not, the target thread is forbidden from calling it.
Optionally, the apparatus further includes a sixth judging module configured to judge, before the target information is used to judge whether the target event was triggered by a user operation, whether the target event is executed by specified vulnerability code; if so, the target thread is forbidden from executing the operation corresponding to the target event, and if not, the target information is used to judge whether the target event was triggered by a user operation.
The event processing apparatus provided by the embodiment of the present invention judges whether a received target event is a user operation, that is, whether the target thread that received the target event is an active thread as described in the embodiments, and applies different handling strategies according to the result. Intercepting events in this way, which differs from the prior art, solves the problem in the related art that malicious behaviour possibly caused by a virus in the background is mistakenly identified as normal behaviour actively initiated by the user and let through, causing loss to the user, and so improves the accuracy of virus detection and removal.
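The optional modules above, together with the file-open flow described at the start of this section, amount to one decision pipeline. The following is an added example and not code from the patent: a Python model that keeps the target set under the four preset rules, removes entries on termination, gates on the requested access and on the vulnerability-code check, consults the stack-feature result, backtracks through creator threads, applies the drag/copy/paste exception and logs every denial. The class and field names, the access flags, the thread and process ids and the scenario are constructed for illustration; the stack-feature check itself is represented by a boolean on the event, and the log list stands in for the upload to the server side.

```python
from dataclasses import dataclass

# Access flags of the hooked open call (constructed stand-ins for the real
# desired-access mask); only reads/writes of file contents are gated.
READ_DATA, WRITE_DATA, READ_ATTRIBUTES = 1, 2, 4
CONTENT_ACCESS = READ_DATA | WRITE_DATA


class ActiveRegistry:
    """The target set of active threads/processes, kept by the preset rules."""
    def __init__(self):
        self.active_threads, self.active_processes = set(), set()
        self.creator = {}      # tid -> tid of the thread that created it
        self.process_of = {}   # tid -> pid
    def on_input_message(self, tid):
        self.active_threads.add(tid)   # Rule 1: receives an input-device window message
    def on_thread_created(self, creator_tid, new_tid, pid):
        self.creator[new_tid], self.process_of[new_tid] = creator_tid, pid
        if creator_tid in self.active_threads:   # Rule 2: child thread of an active thread
            self.active_threads.add(new_tid)
    def on_process_created(self, creator_tid, new_pid, main_tid):
        self.creator[main_tid], self.process_of[main_tid] = creator_tid, new_pid
        if creator_tid in self.active_threads:   # Rule 3: child process of an active thread
            self.active_processes.add(new_pid)
            self.active_threads.add(main_tid)    # Rule 4: main thread of an active process
    def on_thread_exit(self, tid):
        # Deletion on termination, so a reused thread id does not inherit trust.
        self.active_threads.discard(tid)
        self.creator.pop(tid, None)
        self.process_of.pop(tid, None)
    def on_process_exit(self, pid):
        self.active_processes.discard(pid)
        for tid in [t for t, p in self.process_of.items() if p == pid]:
            self.on_thread_exit(tid)
    def ancestors(self, tid, depth):
        """Creator chain of `tid`, nearest first, at most `depth` levels."""
        chain = []
        while len(chain) < depth and tid in self.creator:
            tid = self.creator[tid]
            chain.append(tid)
        return chain


@dataclass
class OpenEvent:
    tid: int
    path: str
    access: int
    stack_matches: bool = False       # outcome of the stack-feature check
    ui_transfer: bool = False         # file is being dragged, copied or pasted
    from_exploit_code: bool = False   # call issued by specified vulnerability code


audit_log = []   # stands in for "record a log and send it to the server"


def decide_open(event, registry, backtrack_depth=3):
    """Return (allow, reason) for one hooked open call."""
    if not event.access & CONTENT_ACCESS:
        return True, "no read/write of file contents requested"
    if event.from_exploit_code:
        audit_log.append((event.tid, event.path, "vulnerability code"))
        return False, "issued by specified vulnerability code"
    if event.stack_matches:
        registry.active_threads.add(event.tid)   # the adding module
        return True, "stack matches the user-input feature"
    if event.tid in registry.active_threads:
        return True, "thread is in the active set"
    chain = registry.ancestors(event.tid, backtrack_depth)
    # Assumption: a thread with no recorded creator cannot be vouched for.
    if chain and all(t in registry.active_threads for t in chain):
        return True, "every backtracked creator is active"
    if event.ui_transfer:
        return True, "file is being dragged, copied or pasted"
    audit_log.append((event.tid, event.path, "no user-operation evidence"))
    return False, "no user-operation evidence"


def run_scenario():
    """Constructed OS event sequence, then open calls; returns allow/deny per case."""
    audit_log.clear()
    reg = ActiveRegistry()
    reg.on_input_message(100)                             # UI thread receives a click
    reg.on_thread_created(100, 101, pid=1)                # worker of the UI thread
    reg.on_process_created(101, new_pid=2, main_tid=200)  # viewer process it launches
    reg.on_thread_created(999, 300, pid=3)                # background task, creator unknown
    reg.creator[400] = 100   # creation missed by the monitor, but the creator is active
    cases = {
        "ui_thread": OpenEvent(100, "report.docx", READ_DATA),
        "child_process": OpenEvent(200, "report.docx", WRITE_DATA),
        "attrs_only": OpenEvent(300, "report.docx", READ_ATTRIBUTES),
        "background": OpenEvent(300, "report.docx", READ_DATA),
        "backtracked": OpenEvent(400, "report.docx", READ_DATA),
        "pasted": OpenEvent(300, "report.docx", READ_DATA, ui_transfer=True),
        "exploit": OpenEvent(100, "report.docx", READ_DATA, from_exploit_code=True),
    }
    results = {name: decide_open(ev, reg)[0] for name, ev in cases.items()}
    reg.on_process_exit(2)   # viewer exits: its main thread 200 leaves the set
    results["after_exit"] = decide_open(OpenEvent(200, "report.docx", READ_DATA), reg)[0]
    return results
```

Calling run_scenario() allows the UI thread, the child process it spawned, the attributes-only open, the backtracked thread and the pasted file, and denies the background task, the exploit-code call and the thread whose process has already exited, leaving three entries in audit_log. The order of the gates follows the fourth and sixth judging modules (access check and vulnerability-code check before the stack-based judgement) and the fifth (drag/copy/paste consulted only before a denial); the three-level backtrack depth is an arbitrary choice for the example.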
It should be noted that the above modules may be implemented in software or hardware; in the latter case they may be implemented as follows, without limitation: all of the above modules are located in the same processor, or the modules are located in different processors in any combination.
Embodiment 3
An embodiment of the present invention also provides a storage medium in which a computer program is stored, the computer program being arranged to execute the steps of any of the above method embodiments when run.
Optionally, in this embodiment the storage medium may include, but is not limited to, a USB flash disk, read-only memory (ROM), random access memory (RAM), removable hard disk, magnetic disk, optical disc or any other medium capable of storing a computer program.
Embodiment 4
An embodiment of the present invention also provides an electronic device including a memory and a processor, the memory storing a computer program and the processor being arranged to run the computer program so as to execute the steps of any of the above method embodiments.
Optionally, the electronic device may further include a transmission device and an input/output device, each connected to the processor.
Optionally, for specific examples in this embodiment, reference may be made to the examples described in the above embodiments and optional embodiments; they are not repeated here.
Obviously, those skilled in the art should understand that each module or step of the invention described above can be implemented by a general-purpose computing device; the modules or steps can be concentrated on a single computing device or distributed over a network of multiple computing devices; optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, and in some cases the steps shown or described can be executed in an order different from the one given here; or they can be made into individual integrated circuit modules, or several of the modules or steps can be made into a single integrated circuit module. The present invention is thus not limited to any specific combination of hardware and software.
The above are only preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the invention may have various modifications and variations. Any modification, equivalent replacement, improvement or the like made within the principle of the present invention shall fall within the protection scope of the present invention.

Claims (10)

1. An event processing method, characterized by comprising:
when it is detected that a target event has been received, acquiring target information of the target thread that received the target event;
judging, using the target information, whether the target event was triggered by a user operation;
if so, allowing the target thread to execute the operation corresponding to the target event;
if not, forbidding the target thread from executing the operation corresponding to the target event.
2. The method according to claim 1, characterized in that the target information includes current stack information, and judging, using the target information, whether the target event was triggered by a user operation comprises:
judging whether the current stack information of the target thread matches a preset stack feature, wherein the preset stack feature is a feature extracted in advance from the stack information of a thread that received the user operation;
wherein, if it matches, the target event is determined to be triggered by the user operation.
3. The method according to claim 2, characterized in that:
after the target event is determined to be triggered by the user operation, the method further comprises: adding the target thread to a target set, wherein the target set further includes the active processes and active threads determined from the processes and threads in the operating system by preset rules, the preset rules comprising:
a thread that receives a response message for an input-device window interface is the active thread,
a child thread created by the active thread in the target set is the active thread,
a child process created by the active thread in the target set is the active process,
the main thread of the active process in the target set is the active thread; and
after judging whether the current stack information of the target thread matches the preset stack feature, the method further comprises:
if it does not match, judging whether the target thread is in the target set, wherein if the target thread is in the target set, the target event is determined to be triggered by the user operation.
4. The method according to claim 3, characterized in that, in the case that the target thread is judged not to be in the target set, the method further comprises:
backtracking a specified number of levels from the target thread and judging whether the thread at each level is in the target set, wherein if so, the target event was triggered by the user operation, and if not, the target event was not triggered by the user operation.
5. An event processing apparatus, characterized by comprising:
an acquiring unit configured to, when it is detected that a target event has been received, acquire target information of the target thread that received the target event;
a judging unit configured to judge, using the target information, whether the target event was triggered by a user operation;
a first execution unit configured to, if so, allow the target thread to execute the operation corresponding to the target event;
a second execution unit configured to, if not, forbid the target thread from executing the operation corresponding to the target event.
6. The apparatus according to claim 5, characterized in that the target information includes current stack information, and the judging unit comprises:
a first judging module configured to judge whether the current stack information of the target thread matches a preset stack feature, wherein the preset stack feature is a feature extracted in advance from the stack information of a thread that received the user operation, and wherein, if it matches, the target thread is determined to be the active thread.
7. The apparatus according to claim 6, characterized in that the apparatus further comprises:
an adding module configured to add the target thread to a target set after the target event is determined to be triggered by the user operation, wherein the target set further includes the active processes and active threads determined from the processes and threads in the operating system by preset rules, the preset rules comprising:
a thread that receives a response message for an input-device window interface is the active thread,
a child thread created by the active thread in the target set is the active thread,
a child process created by the active thread in the target set is the active process,
the main thread of the active process in the target set is the active thread; and
a second judging module configured to judge, when the first judging module finds that the current stack information of the target thread does not match the preset stack feature, whether the target thread is in the target set, wherein if the target thread is in the target set, the target event is determined to be triggered by the user operation.
8. The apparatus according to claim 7, characterized in that the apparatus further comprises:
a backtracking module configured to, in the case that the target thread is judged not to be in the target set, backtrack a specified number of levels from the target thread;
a third judging module configured to judge whether the thread at each level is in the target set, wherein if so, the target event was triggered by the user operation, and if not, the target event was not triggered by the user operation.
9. A storage medium, characterized in that a computer program is stored in the storage medium, wherein the computer program is arranged to execute the method of any one of claims 1 to 4 when run.
10. An electronic device comprising a memory and a processor, characterized in that a computer program is stored in the memory and the processor is arranged to run the computer program so as to execute the method of any one of claims 1 to 4.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811645705.3A CN109800571B (en) 2018-12-29 2018-12-29 Event processing method and device, storage medium and electronic device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811645705.3A CN109800571B (en) 2018-12-29 2018-12-29 Event processing method and device, storage medium and electronic device

Publications (2)

Publication Number Publication Date
CN109800571A true CN109800571A (en) 2019-05-24
CN109800571B CN109800571B (en) 2021-04-27

Family

ID=66558167

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811645705.3A Active CN109800571B (en) 2018-12-29 2018-12-29 Event processing method and device, storage medium and electronic device

Country Status (1)

Country Link
CN (1) CN109800571B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112235451A (en) * 2020-10-21 2021-01-15 广州三星通信技术研究有限公司 Method and device for providing alarm about deleted contact
CN112395593A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 Instruction execution sequence monitoring method and device, storage medium and computer equipment
CN113518055A (en) * 2020-04-09 2021-10-19 奇安信安全技术(珠海)有限公司 Data security protection processing method and device, storage medium and terminal
CN113806189A (en) * 2020-06-16 2021-12-17 北京字节跳动网络技术有限公司 User interface operation monitoring method, device, equipment and storage medium

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101350711A (en) * 2007-10-15 2009-01-21 北京瑞星国际软件有限公司 Method and device for protecting target process
CN101373502A (en) * 2008-05-12 2009-02-25 公安部第三研究所 Automatic analysis system of virus behavior based on Win32 platform
CN102750487A (en) * 2012-06-01 2012-10-24 钱袋网(北京)信息技术有限公司 Verification method of keyboard input truth and terminal device
CN102890641A (en) * 2012-08-30 2013-01-23 北京奇虎科技有限公司 Process behavior control method and device
CN103559439A (en) * 2013-11-19 2014-02-05 浪潮(北京)电子信息产业有限公司 Detection method and system for buffer overflow
CN103839007A (en) * 2014-03-03 2014-06-04 珠海市君天电子科技有限公司 Method and system for detecting abnormal threading
US20140298002A1 (en) * 2013-01-28 2014-10-02 Tencent Technology (Shenzhen) Company Limited Method and device for identifying a disk boot sector virus, and storage medium
CN104375887A (en) * 2013-08-16 2015-02-25 联想(北京)有限公司 Information processing method and electronic equipment
CN104778415A (en) * 2015-02-06 2015-07-15 北京北信源软件股份有限公司 Computer behavior-based data anti-leakage system and method
CN105095758A (en) * 2015-07-15 2015-11-25 北京奇虎科技有限公司 Processing method and device for lock-screen application program and mobile terminal

Also Published As

Publication number Publication date
CN109800571B (en) 2021-04-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Patentee after: Qianxin Safety Technology (Zhuhai) Co.,Ltd.

Patentee after: QAX Technology Group Inc.

Address before: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Patentee before: 360 ENTERPRISE SECURITY TECHNOLOGY (ZHUHAI) Co.,Ltd.

Patentee before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.