CN109815700A - Application program processing method and apparatus, storage medium, and computer device - Google Patents

Info

Publication number: CN109815700A
Authority: CN (China)
Prior art keywords: application, target application, user, application program, program
Legal status: Granted, active
Application number: CN201811640556.1A
Other languages: Chinese (zh)
Other versions: CN109815700B (en)
Inventors: 陈俊儒, 刘明, 谢文聪, 徐天琦
Current Assignee: Qax Technology Group Inc; Qianxin Safety Technology Zhuhai Co Ltd
Original Assignee: 360 Enterprise Safety Technology (zhuhai) Co Ltd; Beijing Qianxin Technology Co Ltd
Application filed by: 360 Enterprise Safety Technology (zhuhai) Co Ltd; Beijing Qianxin Technology Co Ltd
Priority to: CN201811640556.1A
Publications: CN109815700A (application), CN109815700B (grant)

Landscapes

  • Storage Device Security (AREA)
  • Stored Programmes (AREA)

Abstract

This application discloses an application program processing method and apparatus, a storage medium, and a computer device. The method comprises: after intercepting a process of a target application, determining the parent process of that process; if the parent process is not a preset actively invoked process, terminating the process of the target application; if the parent process is a preset actively invoked process, handling the process of the target application according to the execution object corresponding to that process. The application can prevent a malicious application from maliciously manipulating the process of a target application, improves the security of system information, and helps protect enterprise information from malicious leakage.

Description

Application program processing method and apparatus, storage medium, and computer device
Technical field
This application relates to the technical field of application program processing, and in particular to an application program processing method and apparatus, a storage medium, and a computer device.
Background
Malware is an application program that performs malicious tasks on a computer system. If malware is installed on an enterprise's computer equipment, it can steal terminal information, send fraudulent messages, and perform similar operations, seriously affecting the enterprise's information security. Preventing malware from performing malicious operations on computer equipment is one of the key problems to solve in improving enterprise information security.
At present, malware detection judges whether the software under test is malware by examining its behavior: if the behavior of the software under test exceeds its execution permissions, the software is considered malware and the behavior is blocked.
However, much malware does its damage by taking control of trusted software and using that software's legitimate permissions. For example, a malicious program controls the QQ process and uses QQ to communicate with a remote host and send out important data. The prior art lacks preventive measures for this case, so malicious behavior is hard to stop in time, which poses a serious threat to enterprise information security.
Summary of the invention
In view of this, this application provides an application program processing method and apparatus, a storage medium, and a computer device, which help to stop the operations of malicious applications on a terminal device in time and improve the information security of the terminal device.
According to one aspect of this application, an application program processing method is provided, comprising:
After intercepting a process of a target application, determining the parent process of that process according to the process of the target application;
If the parent process is not a preset actively invoked process, terminating the process of the target application;
If the parent process is a preset actively invoked process, handling the process of the target application according to the execution object corresponding to the process of the target application.
According to another aspect of this application, an application program processing apparatus is provided, comprising:
A parent process obtaining module, configured to determine, after a process of a target application is intercepted, the parent process of that process according to the process of the target application;
A process termination module, configured to terminate the process of the target application if the parent process is not a preset actively invoked process;
A process handling module, configured to handle the process of the target application according to the execution object corresponding to the process of the target application if the parent process is a preset actively invoked process.
According to a further aspect of this application, a storage medium is provided on which a computer program is stored; when executed by a processor, the program implements the application program processing method described above.
According to a further aspect of this application, a computer device is provided, comprising a storage medium, a processor, and a computer program stored on the storage medium and runnable on the processor; the processor implements the application program processing method described above when executing the program.
With the above technical solution, the application program processing method and apparatus, storage medium, and computer device provided by this application intercept the process of the target application and determine its parent process. When the parent process is determined not to be a preset actively invoked process, the process is terminated; when the parent process is determined to be a preset actively invoked process initiated by the user, whether to release the process of the target application is decided according to the execution object of the process. This prevents a malicious application from maliciously manipulating the process of the target application, improves the security of system information, and helps protect enterprise information from malicious leakage.
The above is only an overview of the technical solution of this application. So that the technical means of this application can be understood more clearly and implemented in accordance with the specification, and so that the above and other objects, features, and advantages of this application are easier to understand, specific embodiments of this application are set out below.
Brief description of the drawings
The drawings described here provide a further understanding of this application and form part of it. The illustrative embodiments of this application and their descriptions serve to explain the application and do not unduly limit it. In the drawings:
Fig. 1 shows a schematic flowchart of an application program processing method provided by an embodiment of this application;
Fig. 2 shows a schematic flowchart of another application program processing method provided by an embodiment of this application;
Fig. 3 shows a schematic structural diagram of an application program processing apparatus provided by an embodiment of this application;
Fig. 4 shows a schematic structural diagram of another application program processing apparatus provided by an embodiment of this application.
Detailed description of the embodiments
This application is described in detail below with reference to the drawings and in conjunction with the embodiments. Note that, where there is no conflict, the embodiments of this application and the features in them can be combined with one another.
This embodiment provides an application program processing method. As shown in Fig. 1, the method comprises:
Step 101, after intercepting a process of a target application, determine the parent process of that process according to the process of the target application.
In the embodiments of this application, once a process of the target application is detected on the device, that process is intercepted so that it can be analyzed and a handling scheme chosen. Specifically, after the process of the target application is intercepted, its parent process is determined from it; that is, the invoker process of the target application's process is determined, or in other words, which process is manipulating the target application's process.
Note that in this application the process of the target application may be checked according to a preset detection period, or it may be monitored in real time and intercepted as it appears, so that the process of the target application is intercepted in real time. If no process of the target application is found in the operating system, nothing is done.
In addition, this application intercepts the sensitive processes of application programs by means of HOOK technology or a function filter driver. Hooking is a safety monitoring technique commonly used in the computer security field: hooks can be placed on certain key system APIs (Application Programming Interfaces), so that when the system performs a given task, execution enters the HOOK handling flow, where the handler code can check the legitimacy of the task. If a task (that is, a behavior) is not in the preset minimum behavior permission set, it is intercepted and a further decision is needed on whether to release the behavior; if the task is in the preset minimum behavior permission set, it is released directly.
When a sensitive behavior occurs and the behavior permissions of the acting subject (the system or an application program) have not been collected in advance, so that the behavior is not in any preset behavior permission set, the "minimum behavior permission set for the system and applications" is applied to decide whether the behavior is allowed to occur. In other words, the minimum behavior permission set applies to every system and application program.
The "minimum behavior permission set for the system and applications" is designed to avoid uncontrollable dangers as far as possible while minimizing the impact on the normal operation of the system and of third-party applications, with the criterion that it should not trouble the user's normal operation and use of the system and applications.
After long-term research, big-data analysis, and continuous testing, the researchers summarized the following principles for setting the minimum behavior permission set:
(1) An application may not run automatically; it can only be run manually by the user. Programs that specifically need to run automatically are handled through a program-specific behavior set.
(2) An application has full permissions (read, write, open, delete, and so on) only over files it created itself, or files created directly or indirectly by the same installation package as itself.
(3) An application has read-only permission on the system's own files.
(4) Apart from the cases covered by rule (2), an application may not operate on (read, write, open, delete, and so on) any non-system file.
(5) Without an active user operation, an application may not access the internal or external network or device nodes within the network.
(6) Without an active user operation, an application may not perform cross-process operations on other processes.
(7) Neither the system itself nor applications may bypass the file system to operate on the disk directly.
(8) Without an active user operation, neither the system itself nor applications may download or execute another program, or load a driver.
(9) Without an active user operation, no program, including the operating system itself, may read or write the user's private data, including but not limited to documents and photos.
(10) During an active user operation, only the default editing program for the data may operate on documents of the corresponding data type; the default editing program is the one registered in the system registry. For example, a Word document may be operated on only by the winword program or WPS.
(11) During an active user operation, the acting subject has permission to operate only on the single object concerned. For example, if the user invokes the winword program to open Word document A, the winword program has operating permission for A; but for a Word document B that the user has not explicitly and actively opened, the winword program has no operating permission.
(12) Without an active user operation, the system and applications have no permission to add accounts.
(13) Without an active user operation, the system and applications have no permission to write key registry entries, such as the browser home page, auto-start items, the default program settings for file types, and system startup settings.
(14) Without an active user operation, the system itself and applications have no permission to invoke system utility programs, such as shell programs, the Registry Editor, scheduled tasks, and programs that change permissions on disks, files, or the registry.
(15) Without an active user operation, the system and applications have no permission to create and execute script files.
Step 102, if the parent process is not a preset actively invoked process, terminate the process of the target application.
When the parent process is not a preset actively invoked process, the operation on the target application is not an active operation by the user. The invoker process of the target application's process may belong to a malicious application, and the target application's process may be a malicious operation that the malicious application is carrying out in the background of the operating system, where the user is unlikely to notice it. In this case the process of the target application should be terminated, so that a malicious application cannot manipulate an application the user is permitted to use in order to carry out malicious operations such as maliciously sending data or maliciously obtaining device information. This protects the terminal device and improves the security of its information.
Step 103, if the parent process is a preset actively invoked process, handle the process of the target application according to the execution object corresponding to the process of the target application.
Consider the case where the parent process is a preset actively invoked process. For example, double-clicking a Word document so that the system calls the winWord program to open it, or double-clicking the winWord program and then opening a document through the menu or by drag-and-drop, are both behaviors triggered by user operation; they are regarded as "active user operations" and are covered by the preset actively invoked processes. When the parent process is a preset actively invoked process, the process behavior is controlled by the user and reflects the user's own intent. In this case, the execution object corresponding to the process should be analyzed to decide whether to release the process.
Note that even a behavior the user actively intends may have been induced by a malicious application. Therefore, when the parent process is found to be a preset actively invoked process, the execution object corresponding to the process can be analyzed to decide whether to release the process, which improves system security.
With the technical solution of this embodiment, the process of the target application is intercepted and its parent process is determined. When the parent process is determined not to be a preset actively invoked process, the process is terminated; when the parent process is determined to be a preset actively invoked process initiated by the user, whether to release the process of the target application is decided according to the execution object of the process. This prevents a malicious application from maliciously manipulating the process of the target application, improves the security of system information, and helps protect enterprise information from malicious leakage.
Further, as a refinement and extension of the specific implementation of the above embodiment, and to fully describe the implementation process of this embodiment, another application program processing method is provided. As shown in Fig. 2, the method comprises:
Step 201, when a user logs in to the terminal device, obtain the user's login information.
To ensure the information security of the terminal device, the operations different users may perform on it are restricted. When a user logs in to the terminal device, the user's login information is obtained. The login information can be anything that uniquely identifies the user, such as the user's employee number, and is used to obtain the usage permission information for that user.
The terminal device can be a computer device such as a laptop, a desktop computer, or a tablet.
Step 202, according to the user's login information, obtain from the intranet server the user's permission information, the preset execution object list, and the preset standard call sequence table, where the user's permission information includes the target applications the user has permission to operate.
The user's permission information, the preset execution object list, and the preset standard call sequence table are obtained from the intranet server according to the user's login information as follows. A permission acquisition request is generated from the user's login information and sent to the intranet server. The intranet server stores in advance, for each user, the list of target applications that user has permission to operate. On receiving the permission acquisition request, it uses the login information contained in the request, such as the employee number, to determine the user's permission information, the preset execution object list, and the preset standard call sequence table, and returns them to the terminal device. Once the terminal device has received the user's permission information, the preset execution object list, and the preset standard call sequence table from the intranet server, it can restrict the user's operations on the terminal device.
For example, the intranet server stores in advance that the user with employee number 123 has permission to use applications such as Word, PPT, and Excel, and that the user with employee number 456 has permission to use applications such as Word, PPT, Excel, and QQ. The preset execution object list stores in advance that the winWord program has permission only to operate Word document A, and has no permission to operate other Word documents such as B and C, or non-Word documents. Every process operation in the system has to call a series of system functions in a certain order, and the preset standard call sequence table records the standard system call sequence corresponding to the normal running of each process.
Step 203, clear the local cache of the terminal device, and store the user's permission information, the preset execution object list, and the preset standard call sequence table.
After the user's permission information, the preset execution object list, and the preset standard call sequence table sent by the intranet server are received, the local cache of the terminal device is cleared. This removes the logs of historical applications on the device so that they cannot affect the security of the processes running on it. The user's permission information, the preset execution object list, and the preset standard call sequence table are then stored on the terminal device, so that the user's operating permissions can be controlled while the user is using the terminal device.
Step 204, after intercepting the process of any application program on the terminal device, determine from the user's permission information whether the user has operating permission for that application program.
Once the user has logged in and is operating the device, the intercepted processes are of course not limited to the user's own operations; they may also be malicious operations by a malicious application. Operations on any application program on the terminal device are intercepted, that is, the process of any application program on the terminal device is intercepted, and the process of the application program is checked against the user's permission information to determine whether the user has operating permission for the intercepted application program, or in other words, whether the application program corresponding to the intercepted process is a target application within the user's permissions. This implements management of the user's operating permissions.
Step 205, if the user does not have operating permission for the application program, terminate the process of that application program.
If the intercepted process is not the process of a target application the user has permission to operate, the user has no operating permission for the intercepted application program, and the process of the intercepted application program is terminated. The user can also be notified that, because the user has no operating permission for the application program, the system cannot respond to the process of that application program. This prevents users from using applications they have no permission for, avoids malicious operations by unauthorized users, and improves the security of the terminal device's information.
Step 206, if the user has operating permission for the application program, mark that application program as the target application and determine the parent process of the target application's process.
If the intercepted process is the process of a target application the user has permission to operate, the user has operating permission for the application program. Whether the process can be responded to still depends on analyzing the parent process of the target application's process. Therefore, once the application program is determined to be a target application, it is marked as the target application, and the corresponding parent process is looked up in the system log according to the process of the target application.
Step 207, if the parent process is a preset actively invoked process, obtain from the system log, according to the process of the target application, the actual execution object corresponding to the process of the target application, and obtain from the preset execution object list the execution object permission information matching the process of the target application.
If the parent process of the target application's process is a preset actively invoked process, the parent process may be under the user's control and the behavior may be what the user actively intends. The actual execution object corresponding to the process of the target application is then obtained from the system log, and the execution object permission information matching the process of the target application is obtained from the preset execution object list, in order to decide whether to release the process.
Step 208, if the actual execution object is not in the execution object permission information, terminate the process of the target application and the parent process.
If the actual execution object is not in the execution object permission information, the process has no operating permission for that execution object. The process and its parent process should be terminated, which prevents the target application from operating on files beyond its permissions.
Step 209, if the actual execution object is in the execution object permission information, release the process of the target application.
If the actual execution object is in the execution object permission information, the process has operating permission for the actual execution object, and the target application can be released so that the user can operate on the terminal device. For example, the user double-clicks on the terminal device to open Word document A. The target application corresponding to the process is the winWord program and the actual execution object is Word document A. The document is included in the execution object permission information, so document A can be opened.
Step 210, if parent process is not that process has been adjusted in default active, the process of destination application is terminated.
In the above-described embodiments, step 210 specifically includes:
Step 2101, if parent process is not that process has been adjusted in default active, detect whether parent process is default malicious application The corresponding process of program.
If the corresponding parent process of the process of destination application be not belonging to it is default actively adjusted process, to parent process into Row detection, to judge whether the parent process is that the default corresponding process of malicious application specifically can be by the parent process Process corresponding with the default malicious application in malicious process library is compared, or by rogue program inspection software, The detection of the progress parent process such as rogue program detection platform.
Step 2102, if parent process is the default corresponding process of malicious application, terminate destination application into Journey and parent process.
If detecting the corresponding parent process of process that obtained result is above-mentioned destination application is default malicious application The corresponding process of program, or detect that above-mentioned parent process is the process of malicious application by other methods, illustrate if held The process of row destination application there may be security risk, should terminate destination application process and corresponding father into Journey, to avoid malicious application by manipulate user have access right application program realize for example malice transmission data, Malice obtains the malicious operations such as facility information and improves the safety of terminal device information to provide protection for terminal device.
Step 2103, if parent process is not the default corresponding process of malicious application, mesh is obtained from system log The corresponding system call sequence of process of application program is marked, and is obtained and target application journey from preset standard calling sequence table The corresponding standard calling sequence of the process of sequence.
And if the corresponding parent process of process that the result that detection obtains is above-mentioned destination application is not belonging to default evil The corresponding process of application program of anticipating illustrates the parent process not in existing malicious process library, then needing to carry out further Analysis, so that it is determined that the processing scheme of the process to destination application.In this application, it is searched in the monitoring log of system The corresponding system call sequence of the process of destination application, to judge that parent process is according to the function call situation of system The no process for belonging to malicious application, and then determine the processing scheme of the process of destination application, it realizes to being likely to occur Novel malicious process taken precautions against, further promoted terminal device information security.
In preset standard calling sequence table, the matched standard calling sequence of process of inquiry and destination application, with Just process processing scheme is specified according to the actual system call sequence of the process of destination application and standard calling sequence.
It should be noted that preset standard calling sequence table be according to the multiple normal software behavior of destination application into Row analysis obtains.Specifically, destination application can be operated on the terminal device by administrator, so that terminal is set The process of standby response ownership goal application program realizes corresponding function, thus after the completion of once-through operation, from the target application journey In the monitoring log of sequence, for the secondary operation, the system call sequence with the process of destination application, multi-pass operation are extracted Acquired results are after analysis expert confirms, using the system call sequence as standard corresponding with the process of destination application Calling sequence is stored in preset standard calling sequence table, thus when there is the process of destination application in an operating system, Can be judged according to actual system call sequence the process whether be rogue program calling.
Step 2104: if the system call sequence is consistent with the standard call sequence, handle the target application's process according to the execution object corresponding to that process.
If the actual system call sequence is consistent with the preset standard call sequence, the corresponding process is handled according to its execution object, as in steps 207 to 209 above.
Step 2105: if the system call sequence is inconsistent with the standard call sequence, terminate the target application's process.
The system call sequence an application generates usually changes after the application has been maliciously attacked. An actual system call sequence that is inconsistent with the standard call sequence in the preset standard call sequence table therefore indicates that the target application may have been maliciously attacked and may be under the control of a malicious application. Allowing the process to run would threaten the information security of the device, so the intercepted target application process and its parent process should be terminated, to protect the system from manipulation by the malicious program and to prevent leakage of system information from threatening information security.
In the above embodiment, specifically, if the system call sequence is inconsistent with the standard call sequence, the parent process is marked as a process corresponding to a preset malicious application.
In addition, when the system call sequence is inconsistent with the standard call sequence, the parent process can also be marked as a process corresponding to a malicious application and saved. The next time the parent process is detected, it is directly determined to be a process corresponding to a malicious application, and the process can be terminated without the system call sequence comparison, which improves detection efficiency.
It should be noted that when the system call sequence is inconsistent with the standard call sequence, the corresponding parent process can be sent to the security administrator, who analyses the specific problem and then decides whether to add the parent process to the processes corresponding to malicious applications.
By applying the technical solution of this embodiment: first, the user's permission information, the preset execution object list and the preset standard call sequence table are obtained according to the user's login information, so as to control the user's operating permission for applications on the terminal device; second, when the parent process of the process of an application for which the user has operating permission is judged to be a process actively launched by the user, it is judged whether the execution object corresponding to the process is among the execution objects contained in the execution object permission information recorded for the target application process in the preset execution object list, and the process is allowed to run when it is; finally, for a process that was not actively launched, the corresponding system call sequence is obtained, and when the system call sequence is inconsistent with the corresponding standard call sequence, the process and its parent process are terminated. This prevents malicious applications from operating on the terminal device, avoids information leakage, and improves the security of device information.
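The decision flow summarised above can be sketched as follows. This is an added illustration, not code from the patent: every process name, execution object and system call sequence is constructed, "consistent" is modelled as exact equality, and a missing standard sequence is treated as inconsistent (both are assumptions).

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    TERMINATE = "terminate process"
    TERMINATE_WITH_PARENT = "terminate process and parent"


@dataclass
class Policy:
    """Tables fetched from the intranet server at login (all values constructed)."""
    permitted_apps: set        # applications the user has operating permission for
    active_launchers: set      # preset actively launched processes
    malicious_parents: set     # processes of preset malicious applications
    allowed_objects: dict      # app -> execution objects it may act on
    standard_sequences: dict   # app -> standard system call sequence


@dataclass(frozen=True)
class ProcessEvent:
    app: str
    parent: str
    execution_object: str      # actual execution object from the system log
    syscalls: tuple            # actual system call sequence from the monitoring log


def check_execution_object(policy, event):
    """Allow only if the actual execution object is in the permission list."""
    allowed = policy.allowed_objects.get(event.app, set())
    if event.execution_object in allowed:
        return Verdict.ALLOW
    return Verdict.TERMINATE_WITH_PARENT


def decide(policy, event):
    # The user must have operating permission for the application at all.
    if event.app not in policy.permitted_apps:
        return Verdict.TERMINATE
    # Parent is a preset actively launched process: decide on the execution object.
    if event.parent in policy.active_launchers:
        return check_execution_object(policy, event)
    # Parent is already known as a malicious application's process.
    if event.parent in policy.malicious_parents:
        return Verdict.TERMINATE_WITH_PARENT
    # Unknown parent: compare the actual system call sequence with the standard one.
    standard = policy.standard_sequences.get(event.app)
    if standard is not None and tuple(event.syscalls) == tuple(standard):
        return check_execution_object(policy, event)
    # Inconsistent: terminate (step 2105) and mark the parent, so the next
    # process it spawns is stopped without another sequence comparison.
    policy.malicious_parents.add(event.parent)
    return Verdict.TERMINATE


def build_demo_policy():
    """Constructed sample policy for a hypothetical 'erp_client' application."""
    return Policy(
        permitted_apps={"erp_client"},
        active_launchers={"desktop_shell"},
        malicious_parents={"known_bad_loader"},
        allowed_objects={"erp_client": {"ledger.db"}},
        standard_sequences={"erp_client": ("open", "read", "write", "close")},
    )


if __name__ == "__main__":
    policy = build_demo_policy()
    std = policy.standard_sequences["erp_client"]
    events = [
        ProcessEvent("erp_client", "desktop_shell", "ledger.db", std),
        ProcessEvent("erp_client", "unknown_helper", "ledger.db",
                     ("open", "read", "connect", "send", "close")),
        ProcessEvent("erp_client", "unknown_helper", "ledger.db", std),
    ]
    for ev in events:
        print(ev.parent, "->", decide(policy, ev).value)
```

Note that the sketch follows step 2105 and terminates only the process on a sequence mismatch; the explanatory paragraph after that step says the parent process should be terminated as well.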
Further, as a specific implementation of the method of Fig. 1, an embodiment of the present application provides a processing device for an application. As shown in Fig. 3, the device includes: a parent process acquisition module 31, a process termination module 32, and a process processing module 33.
The parent process acquisition module 31 is configured to, after a process of the target application is intercepted, determine the parent process corresponding to the target application's process according to that process;
The process termination module 32 is configured to terminate the target application's process if the parent process is not a preset actively launched process;
The process processing module 33 is configured to, if the parent process is a preset actively launched process, handle the target application's process according to the execution object corresponding to that process.
In a specific application scenario, as shown in Fig. 4, the process processing module 33 specifically includes: an execution object acquisition unit 331, a first process termination unit 332, and a process release unit 333.
The execution object acquisition unit 331 is configured to, according to the target application's process, obtain from the system log the actual execution object corresponding to the target application's process, and obtain from the preset execution object list the execution object permission information matching the target application's process;
The first process termination unit 332 is configured to terminate the target application's process and the parent process if the actual execution object is not in the execution object permission information;
The process release unit 333 is configured to allow the target application's process to run if the actual execution object is in the execution object permission information.
In a specific application scenario, as shown in Fig. 4, the process termination module 32 specifically includes: a malicious application detection unit 321, a second process termination unit 322, a call sequence acquisition unit 323, a process processing unit 324, and a third process termination unit 325.
The malicious application detection unit 321 is configured to, if the parent process is not a preset actively launched process, detect whether the parent process is a process corresponding to a preset malicious application;
The second process termination unit 322 is configured to terminate the target application's process and the parent process if the parent process is a process corresponding to a preset malicious application;
The call sequence acquisition unit 323 is configured to, if the parent process is not a process corresponding to a preset malicious application, obtain the system call sequence corresponding to the target application's process from the system log, and obtain the standard call sequence corresponding to the target application's process from the preset standard call sequence table;
The process processing unit 324 is configured to, if the system call sequence is consistent with the standard call sequence, handle the target application's process according to the execution object corresponding to that process;
The third process termination unit 325 is configured to terminate the target application's process if the system call sequence is inconsistent with the standard call sequence.
In a specific application scenario, as shown in Fig. 4, the device further includes: a login information acquisition module 34 and a permission information acquisition module 35.
The login information acquisition module 34 is configured to obtain the user's login information when the user logs in to the terminal device, before the parent process corresponding to the target application's process is determined according to that process after the target application's process is intercepted;
The permission information acquisition module 35 is configured to obtain, according to the user's login information, the user's permission information, the preset execution object list and the preset standard call sequence table from the intranet server, wherein the user's permission information includes the applications for which the user has operating permission.
In a specific application scenario, as shown in Fig. 4, the device further includes: a clearing module 36.
The clearing module 36 is configured to, after the user's permission information is obtained from the intranet server according to the user's login information, clear the local cache of the terminal device and store the user's permission information, the preset execution object list and the preset standard call sequence table.
In a specific application scenario, as shown in Fig. 4, the parent process acquisition module 31 specifically includes: an operating permission judgment unit 311, a fourth process termination unit 312, and a parent process acquisition unit 313.
The operating permission judgment unit 311 is configured to, after a process of any application on the terminal device is intercepted, judge according to the user's permission information whether the user has operating permission for that application;
The fourth process termination unit 312 is configured to terminate the process of that application if the user does not have operating permission for it;
The parent process acquisition unit 313 is configured to, if the user has operating permission for that application, mark it as the target application and determine the parent process corresponding to the target application's process.
In a specific application scenario, as shown in Fig. 4, the device further includes: a marking module 37.
The marking module 37 is configured to mark the parent process as a process corresponding to a preset malicious application if the system call sequence is inconsistent with the standard call sequence.
It should be noted that, for other descriptions of the functional units of the application processing device provided by this embodiment, reference may be made to the corresponding descriptions of Fig. 1 and Fig. 2, which are not repeated here.
Based on the methods shown in Fig. 1 and Fig. 2, an embodiment of the present application correspondingly also provides a storage medium on which a computer program is stored; when executed by a processor, the program implements the application processing method shown in Fig. 1 and Fig. 2.
Based on this understanding, the technical solution of the present application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive or removable hard disk) and includes several instructions that cause a computer device (such as a personal computer, server or network device) to perform the methods described in the implementation scenarios of the present application.
Based on the methods shown in Fig. 1 and Fig. 2 and the virtual device embodiments shown in Fig. 3 and Fig. 4, and to achieve the above purpose, an embodiment of the present application also provides a computer device, which may specifically be a personal computer, server, network device or the like. The computer device includes a storage medium and a processor; the storage medium stores a computer program, and the processor executes the computer program to implement the application processing method shown in Fig. 1 and Fig. 2.
Optionally, the computer device can also include a user interface, network interface, camera, radio frequency (RF) circuit, sensors, audio circuit, Wi-Fi module, and so on. The user interface may include a display and an input unit such as a keyboard; optionally, the user interface may also include a USB interface, card reader interface, and so on. The network interface may optionally include a standard wired interface and a wireless interface (such as a Bluetooth or Wi-Fi interface).
Those skilled in the art will understand that the computer device structure provided in this embodiment does not limit the computer device, which may include more or fewer components, combine certain components, or use a different component layout.
The storage medium may also include an operating system and a network communication module. The operating system is a program that manages and maintains the hardware and software resources of the computer device and supports the running of the information processing program and other software and/or programs. The network communication module implements communication among the components inside the storage medium, and communication with other hardware and software in the physical device.
Through the above description of the embodiments, those skilled in the art can clearly understand that the present application can be implemented by software plus a necessary general-purpose hardware platform, or by hardware. The process of the target application is intercepted and its parent process is determined; when the parent process is determined not to be a preset actively launched process, the process is terminated, and when the parent process is determined to be a preset actively launched process initiated by the user, whether to allow the target application's process to run is decided according to the process's execution object. This prevents malicious applications from maliciously manipulating the target application's process, improves the security of system information, and helps protect enterprise information from malicious leakage.
The embodiments of the present invention provide the following technical solutions:
1. A processing method for an application, comprising:
after a process of a target application is intercepted, determining the parent process corresponding to the target application's process according to that process;
if the parent process is not a preset actively launched process, terminating the target application's process;
if the parent process is the preset actively launched process, handling the target application's process according to the execution object corresponding to that process.
2. The method according to claim 1, wherein handling the target application's process according to the execution object corresponding to that process specifically comprises:
according to the target application's process, obtaining from the system log the actual execution object corresponding to the target application's process, and obtaining from a preset execution object list the execution object permission information matching the target application's process;
if the actual execution object is not in the execution object permission information, terminating the target application's process and the parent process;
if the actual execution object is in the execution object permission information, allowing the target application's process to run.
3. The method according to claim 2, wherein terminating the target application's process if the parent process is not the preset actively launched process specifically comprises:
if the parent process is not the preset actively launched process, detecting whether the parent process is a process corresponding to a preset malicious application;
if the parent process is a process corresponding to the preset malicious application, terminating the target application's process and the parent process;
if the parent process is not a process corresponding to the preset malicious application, obtaining the system call sequence corresponding to the target application's process from the system log, and obtaining the standard call sequence corresponding to the target application's process from a preset standard call sequence table;
if the system call sequence is consistent with the standard call sequence, handling the target application's process according to the execution object corresponding to that process;
if the system call sequence is inconsistent with the standard call sequence, terminating the target application's process.
4. The method according to claim 3, wherein, before the parent process corresponding to the target application's process is determined according to that process after the target application's process is intercepted, the method further comprises:
when a user logs in to the terminal device, obtaining the user's login information;
according to the user's login information, obtaining the user's permission information, the preset execution object list and the preset standard call sequence table from an intranet server, wherein the user's permission information includes the applications for which the user has operating permission.
5. The method according to claim 4, wherein, after the user's permission information is obtained from the intranet server according to the user's login information, the method further comprises:
clearing the local cache of the terminal device, and storing the user's permission information, the preset execution object list and the preset standard call sequence table.
6. The method according to claim 4, wherein determining the parent process corresponding to the target application's process according to that process after the target application's process is intercepted specifically comprises:
after a process of any application on the terminal device is intercepted, judging according to the user's permission information whether the user has operating permission for that application;
if the user does not have operating permission for that application, terminating the process of that application;
if the user has operating permission for that application, marking that application as the target application and determining the parent process corresponding to the target application's process.
7. The method according to claim 3, wherein the method further comprises:
if the system call sequence is inconsistent with the standard call sequence, marking the parent process as a process corresponding to a preset malicious application.
8. A processing device for an application, comprising:
a parent process acquisition module, configured to, after a process of a target application is intercepted, determine the parent process corresponding to the target application's process according to that process;
a process termination module, configured to terminate the target application's process if the parent process is not a preset actively launched process;
a process processing module, configured to, if the parent process is the preset actively launched process, handle the target application's process according to the execution object corresponding to that process.
9. The device according to claim 8, wherein the process processing module specifically comprises:
an execution object acquisition unit, configured to, according to the target application's process, obtain from the system log the actual execution object corresponding to the target application's process, and obtain from a preset execution object list the execution object permission information matching the target application's process;
a first process termination unit, configured to terminate the target application's process and the parent process if the actual execution object is not in the execution object permission information;
a process release unit, configured to allow the target application's process to run if the actual execution object is in the execution object permission information.
10. The device according to claim 8, wherein the process termination module specifically comprises:
a malicious application detection unit, configured to, if the parent process is not the preset actively launched process, detect whether the parent process is a process corresponding to a preset malicious application;
a second process termination unit, configured to terminate the target application's process and the parent process if the parent process is a process corresponding to the preset malicious application;
a call sequence acquisition unit, configured to, if the parent process is not a process corresponding to the preset malicious application, obtain the system call sequence corresponding to the target application's process from the system log, and obtain the standard call sequence corresponding to the target application's process from a preset standard call sequence table;
a process processing unit, configured to, if the system call sequence is consistent with the standard call sequence, handle the target application's process according to the execution object corresponding to that process;
a third process termination unit, configured to terminate the target application's process if the system call sequence is inconsistent with the standard call sequence.
11. The device according to claim 10, wherein the device further comprises:
a login information acquisition module, configured to obtain the user's login information when the user logs in to the terminal device, before the parent process corresponding to the target application's process is determined according to that process after the target application's process is intercepted;
a permission information acquisition module, configured to obtain, according to the user's login information, the user's permission information, the preset execution object list and the preset standard call sequence table from an intranet server, wherein the user's permission information includes the applications for which the user has operating permission.
12. The device according to claim 11, wherein the device further comprises:
a clearing module, configured to, after the user's permission information is obtained from the intranet server according to the user's login information, clear the local cache of the terminal device and store the user's permission information, the preset execution object list and the preset standard call sequence table.
13. The device according to claim 11, wherein the parent process acquisition module specifically comprises:
an operating permission judgment unit, configured to, after a process of any application on the terminal device is intercepted, judge according to the user's permission information whether the user has operating permission for that application;
a fourth process termination unit, configured to terminate the process of that application if the user does not have operating permission for it;
a parent process acquisition unit, configured to, if the user has operating permission for that application, mark that application as the target application and determine the parent process corresponding to the target application's process.
14. The device according to claim 10, wherein the device further comprises:
a marking module, configured to mark the parent process as a process corresponding to a preset malicious application if the system call sequence is inconsistent with the standard call sequence.
15. A storage medium on which a computer program is stored, wherein the program, when executed by a processor, implements the application processing method according to any one of claims 1 to 7.
16. A computer device, including a storage medium, a processor, and a computer program stored on the storage medium and runnable on the processor, wherein the processor implements the application processing method according to any one of claims 1 to 7 when executing the program.
Those skilled in the art will understand that the accompanying drawings are only schematic diagrams of a preferred implementation scenario, and that the modules or processes in the drawings are not necessarily required to implement the present application. Those skilled in the art will also understand that the modules of a device in an implementation scenario can be distributed in the device as described for that scenario, or can be changed correspondingly and located in one or more devices different from that scenario. The modules of the above implementation scenarios can be merged into one module or further split into multiple submodules.
The serial numbers used in the present application are for description only and do not indicate the relative merits of the implementation scenarios. The above discloses only several specific implementation scenarios of the present application; however, the present application is not limited to them, and any change that a person skilled in the art can think of shall fall within the protection scope of the present application.

Claims (10)

1. A processing method for an application, characterized by comprising:
after a process of a target application is intercepted, determining the parent process corresponding to the target application's process according to that process;
if the parent process is not a preset actively launched process, terminating the target application's process;
if the parent process is the preset actively launched process, handling the target application's process according to the execution object corresponding to that process.
2. The method according to claim 1, characterized in that handling the target application's process according to the execution object corresponding to that process specifically comprises:
according to the target application's process, obtaining from the system log the actual execution object corresponding to the target application's process, and obtaining from a preset execution object list the execution object permission information matching the target application's process;
if the actual execution object is not in the execution object permission information, terminating the target application's process and the parent process;
if the actual execution object is in the execution object permission information, allowing the target application's process to run.
3. The method according to claim 2, characterized in that terminating the target application's process if the parent process is not the preset actively launched process specifically comprises:
if the parent process is not the preset actively launched process, detecting whether the parent process is a process corresponding to a preset malicious application;
if the parent process is a process corresponding to the preset malicious application, terminating the target application's process and the parent process;
if the parent process is not a process corresponding to the preset malicious application, obtaining the system call sequence corresponding to the target application's process from the system log, and obtaining the standard call sequence corresponding to the target application's process from a preset standard call sequence table;
if the system call sequence is consistent with the standard call sequence, handling the target application's process according to the execution object corresponding to that process;
if the system call sequence is inconsistent with the standard call sequence, terminating the target application's process.
4. The method according to claim 3, characterized in that, before the parent process corresponding to the target application's process is determined according to that process after the target application's process is intercepted, the method further comprises:
when a user logs in to the terminal device, obtaining the user's login information;
according to the user's login information, obtaining the user's permission information, the preset execution object list and the preset standard call sequence table from an intranet server, wherein the user's permission information includes the applications for which the user has operating permission.
5. The method according to claim 4, characterized in that, after the user's permission information is obtained from the intranet server according to the user's login information, the method further comprises:
clearing the local cache of the terminal device, and storing the user's permission information, the preset execution object list and the preset standard call sequence table.
6. The method according to claim 4, characterized in that determining the parent process corresponding to the target application's process according to that process after the target application's process is intercepted specifically comprises:
after a process of any application on the terminal device is intercepted, judging according to the user's permission information whether the user has operating permission for that application;
if the user does not have operating permission for that application, terminating the process of that application;
if the user has operating permission for that application, marking that application as the target application and determining the parent process corresponding to the target application's process.
7. The method according to claim 3, characterized in that the method further comprises:
if the system call sequence is inconsistent with the standard call sequence, marking the parent process as a process corresponding to a preset malicious application.
8. A processing device for an application, characterized by comprising:
a parent process acquisition module, configured to, after a process of a target application is intercepted, determine the parent process corresponding to the target application's process according to that process;
a process termination module, configured to terminate the target application's process if the parent process is not a preset actively launched process;
a process processing module, configured to, if the parent process is the preset actively launched process, handle the target application's process according to the execution object corresponding to that process.
9. A storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the application processing method according to any one of claims 1 to 7.
10. A computer device, including a storage medium, a processor, and a computer program stored on the storage medium and runnable on the processor, characterized in that the processor implements the application processing method according to any one of claims 1 to 7 when executing the program.
CN201811640556.1A 2018-12-29 2018-12-29 Application program processing method and device, storage medium and computer equipment Active CN109815700B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811640556.1A CN109815700B (en) 2018-12-29 2018-12-29 Application program processing method and device, storage medium and computer equipment

Publications (2)

Publication Number Publication Date
CN109815700A CN109815700A (en) 2019-05-28
CN109815700B CN109815700B (en) 2021-10-01

Family

ID=66603086

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811640556.1A Active CN109815700B (en) 2018-12-29 2018-12-29 Application program processing method and device, storage medium and computer equipment

Country Status (1)

Country Link
CN (1) CN109815700B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7363493B2 (en) * 2001-01-19 2008-04-22 Antimalware, Ltd. Method for protecting computer programs and data from hostile code
CN103617395A (en) * 2013-12-06 2014-03-05 北京奇虎科技有限公司 Method, device and system for intercepting advertisement programs based on cloud security
CN105094996A (en) * 2015-07-21 2015-11-25 电子科技大学 Security-enhancing method and system of Android system based on dynamic authority verification
CN105787302A (en) * 2016-02-23 2016-07-20 北京金山安全软件有限公司 Application processing method and device and electronic equipment
CN105989283A (en) * 2015-02-06 2016-10-05 阿里巴巴集团控股有限公司 Method and device for recognizing virus variant

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112395611A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 Processing method, device and equipment of process chain
CN112395611B (en) * 2019-08-15 2024-01-30 奇安信安全技术(珠海)有限公司 Process chain processing method, device and equipment
CN111125721A (en) * 2019-12-31 2020-05-08 奇安信科技集团股份有限公司 Control method for process starting, computer equipment and readable storage medium
CN111797387A (en) * 2020-06-24 2020-10-20 北京三快在线科技有限公司 Method and device for intercepting plug-in
CN111797387B (en) * 2020-06-24 2024-02-23 北京三快在线科技有限公司 Method and device for intercepting plug-in
CN113407940A (en) * 2021-06-21 2021-09-17 成都欧珀通信科技有限公司 Script detection method and device, storage medium and computer equipment
CN116451269A (en) * 2023-03-29 2023-07-18 北京华路时代信息技术股份有限公司 Data protection method, device, electronic equipment and readable storage medium

Also Published As

Publication number Publication date
CN109815700B (en) 2021-10-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Patentee after: Qianxin Safety Technology (Zhuhai) Co.,Ltd.

Patentee after: QAX Technology Group Inc.

Address before: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Patentee before: 360 ENTERPRISE SECURITY TECHNOLOGY (ZHUHAI) Co.,Ltd.

Patentee before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.
