CN111597553A - Process processing method, device, equipment and storage medium in virus searching and killing - Google Patents


Info

Publication number
CN111597553A
Authority
CN
China
Prior art keywords
file
target process
target
disk file
entry point
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010348745.2A
Other languages
Chinese (zh)
Inventor
全永春
饶帅
程虎
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202010348745.2A
Publication of CN111597553A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/561 Virus type analysis

Abstract

The application relates to a process processing method, apparatus, device and storage medium in virus checking and killing, in the technical field of system security. The method comprises: extracting portable executable (PE) file characteristics of a currently running target process from the target process; extracting the PE file characteristics of the disk file corresponding to the target process from that disk file; acquiring the process type of the target process according to the PE file characteristics of the target process and the PE file characteristics of the disk file, where the process type indicates whether the corresponding process has a security risk; and, in response to the process type indicating a security risk, carrying out risk processing on the target process. Through the difference between the PE file characteristics of the target process and those of its corresponding disk file, a puppet process in the system can be accurately identified, thereby improving the accuracy of risk process identification and processing.

Description

Process processing method, device, equipment and storage medium in virus searching and killing
Technical Field
The embodiment of the application relates to the technical field of system security, in particular to a process processing method, a device, equipment and a storage medium in virus checking and killing.
Background
With the continuous development of computer application technology, the requirements of users on the security of computer systems are higher and higher. Currently, many applications in the system security class provide the function of risk process identification.
In the related art, a risk process is identified mainly by scanning the disk file corresponding to the process. For example, when a process is examined, the file path of its corresponding disk file is obtained, the disk file is read from that path, and it is checked whether the disk file is on a blacklist; if so, the process is determined to be a risk process, that is, a security risk exists.
However, some trojan viruses parasitize other processes; such parasitized processes are called puppet processes, and the disk file corresponding to a puppet process is usually not on the blacklist. A risk process identification scheme that only scans the disk file therefore cannot identify such puppet processes, which lowers the accuracy of risk process identification.
Disclosure of Invention
The embodiment of the application provides a process processing method, a device, an apparatus and a storage medium for virus killing, which can realize the identification and processing of a puppet process and improve the accuracy of risk process identification and processing, and the technical scheme is as follows:
in one aspect, a method for processing a process in virus killing is provided, and the method includes:
extracting portable executable PE file characteristics of a target process from the currently running target process;
extracting the PE file characteristics of the disk file from the disk file corresponding to the target process;
acquiring the process type of the target process according to the PE file characteristics of the target process and the PE file characteristics of the disk file; the process type is used for indicating whether a corresponding process has a security risk or not;
and responding to the process type of the target process to indicate that the target process has a security risk, and carrying out risk processing on the target process.
In another aspect, a process processing apparatus in virus killing is provided, the apparatus including:
the first file feature acquisition module is used for extracting portable executable PE file features of a target process from the currently running target process;
the second file characteristic acquisition module is used for extracting the PE file characteristics of the disk file from the disk file corresponding to the target process;
the type obtaining module is used for obtaining the process type of the target process according to the PE file characteristics of the target process and the PE file characteristics of the disk file; the process type is used for indicating whether a corresponding process has a security risk or not;
and the process processing module is used for responding to the process type of the target process to indicate that the target process has the security risk and carrying out risk processing on the target process.
In one possible implementation manner, the PE file characteristics include at least one of PE file attribute characteristics and PE entry point data;
the PE file attribute characteristics comprise at least one of a timestamp, the number of PE sections, an entry point address offset, an image size and a section name;
the PE entry point data includes code data of a specified length starting from an entry point address.
In one possible implementation manner, in response to the PE file characteristics including PE file attribute characteristics, the first file characteristic obtaining module is configured to,
reading a memory area corresponding to the target process to obtain the process environment block (PEB) of the target process;
extracting a pointer to a specified structure from the PEB of the target process;
acquiring the specified structure through the pointer to the specified structure;
and extracting the specified field in the specified structure as the PE file attribute feature of the target process.
In one possible implementation manner, in response to the PE file characteristics including PE file attribute characteristics, the second file characteristic obtaining module is configured to,
acquiring a file path of a disk file corresponding to the target process;
mapping the disk file of the target process to a memory according to the file path;
reading the specified structure from the memory into which the disk file of the target process is mapped;
and extracting the specified field in the specified structure as the PE file attribute feature of the disk file.
In one possible implementation manner, in response to the PE file characteristics including PE entry point data, the first file characteristic obtaining module is configured to,
acquiring a process base address of the target process and an offset of a PE entry point relative to the process base address, and positioning the PE entry point address of the target process from a memory of the target process;
and reading the code data with the specified length from the PE entry point address of the target process to obtain the PE entry point data of the target process.
In one possible implementation manner, in response to the PE file characteristics including PE entry point data, the second file characteristic obtaining module is configured to,
traversing the section table of the disk file, and determining the target section in which the PE entry point of the disk file is located;
acquiring the PE entry point address of the disk file according to the virtual address of the target section, the offset of the PE entry point of the disk file relative to the target section, and the offset of the target section relative to the disk file;
and reading the code data of the specified length from the PE entry point address of the disk file to obtain the PE entry point data of the disk file.
In one possible implementation manner, in response to the PE file characteristics including PE file attribute characteristics, the type obtaining module is configured to,
acquiring feature consistency information, wherein the feature consistency information is used for indicating whether the PE file attribute feature of the target process is consistent with the PE file attribute feature of the disk file;
and in response to the characteristic consistency information indicating that the PE file attribute characteristics of the target process are inconsistent with the PE file attribute characteristics of the disk file, acquiring that the process type of the target process is a first type, wherein the first type is used for indicating that the target process has a security risk.
In one possible implementation manner, in response to the PE file characteristics further including PE entry point data, the type obtaining module is further configured to,
in response to the feature consistency information indicating that the PE file attribute feature of the target process is consistent with the PE file attribute feature of the disk file, acquiring the matching proportion between the PE entry point data of the target process and the PE entry point data of the disk file;
and in response to the matching proportion being not larger than a proportion threshold, acquiring the process type of the target process as the first type.
In one possible implementation, in response to the PE file characteristics including PE entry point data, the type obtaining module is configured to,
obtaining the matching proportion between the PE entry point data of the target process and the PE entry point data of the disk file;
and in response to the matching proportion being not larger than a proportion threshold, acquiring the process type of the target process as a first type, wherein the first type indicates that the target process has a security risk.
In one possible implementation manner, in response to the PE file characteristics further including PE file attribute characteristics, the type obtaining module is further configured to,
responding to the matching proportion being larger than the proportion threshold value, and acquiring feature consistency information, wherein the feature consistency information is used for indicating whether the PE file attribute feature of the target process is consistent with the PE file attribute feature of the disk file;
and acquiring the process type of the target process as the first type in response to the characteristic consistency information indicating that the PE file attribute characteristic of the target process is inconsistent with the PE file attribute characteristic of the disk file.
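The two extraction paths and the type decision described above, as an added worked example (this is not code from the patent or from Tencent): a constructed minimal PE32 file is parsed once as the disk file and once as a loader-style mapped image standing in for process memory; the five attribute features named on the page are compared, the entry point is located in memory as process base address plus AddressOfEntryPoint and on disk by walking the section table, and the matching proportion of the entry point bytes is tested against a threshold. The 0.9 threshold, the 32-byte length, the 0x400000 base address and the placeholder entry bytes are assumptions; a live implementation would read the process with ReadProcessMemory and map the file with a file mapping instead of the in-memory stand-ins used here.

```python
import struct

# Constructed minimal PE32 layout (not a real binary): one .text section, entry point 0x10 bytes into it.
ENTRY_RVA, SECTION_VA, SECTION_RAW = 0x1010, 0x1000, 0x200
IMAGE_BASE = 0x400000        # assumed load address of the target process
CODE = bytes(range(64))      # constructed placeholder bytes at the entry point
LENGTH = 32                  # the "specified length"; the page's example is 200 bytes, shortened for the toy image
THRESHOLD = 0.9              # the "proportion threshold"; the page gives no value, so 0.9 is an assumption

def build_disk_pe(timestamp, code):
    """Serialize IMAGE_DOS_HEADER + IMAGE_NT_HEADERS (PE32) + one IMAGE_SECTION_HEADER + raw .text data."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                  # e_lfanew -> IMAGE_NT_HEADERS
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x102)  # NumberOfSections=1, TimeDateStamp
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                    # Magic: PE32
    struct.pack_into("<I", opt, 16, ENTRY_RVA)                               # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, IMAGE_BASE, 0x1000, 0x200)             # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, SECTION_RAW)                    # SizeOfImage, SizeOfHeaders
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, SECTION_VA, 0x200, SECTION_RAW, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sect).ljust(SECTION_RAW, b"\0")
    text = (b"\0" * (ENTRY_RVA - SECTION_VA) + code).ljust(0x200, b"\0")
    return headers + text

def parse_headers(buf):
    """Extract the attribute features named on the page; headers are laid out the same on disk and in memory."""
    if buf[:2] != b"MZ":
        raise ValueError("missing IMAGE_DOS_HEADER")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing IMAGE_NT_HEADERS signature")
    num_sections, timestamp = struct.unpack_from("<HI", buf, e_lfanew + 6)  # FileHeader.NumberOfSections, .TimeDateStamp
    size_opt = struct.unpack_from("<H", buf, e_lfanew + 20)[0]              # FileHeader.SizeOfOptionalHeader
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", buf, opt + 16)[0]                  # OptionalHeader.AddressOfEntryPoint
    size_of_image, size_of_headers = struct.unpack_from("<II", buf, opt + 56)
    sections = []
    for i in range(num_sections):                                           # IMAGE_SECTION_HEADER table
        off = opt + size_opt + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", buf, off + 8)
        sections.append((buf[off:off + 8].rstrip(b"\0").decode("ascii", "replace"), va, vsize, raw_ptr, raw_size))
    attrs = {"TimeDateStamp": timestamp, "NumberOfSections": num_sections, "AddressOfEntryPoint": entry_rva,
             "SizeOfImage": size_of_image, "SectionNames": tuple(s[0] for s in sections)}
    return attrs, sections, size_of_headers

def map_image(disk):
    """Lay the file out as the loader would: headers at RVA 0, each section at its VirtualAddress."""
    attrs, sections, size_of_headers = parse_headers(disk)
    image = bytearray(attrs["SizeOfImage"])
    image[:size_of_headers] = disk[:size_of_headers]
    for _name, va, _vsize, raw_ptr, raw_size in sections:
        image[va:va + raw_size] = disk[raw_ptr:raw_ptr + raw_size]
    return image

class ProcessMemory:
    """Stand-in for a live process: a mapped image at a base address plus a ReadProcessMemory-like read()."""
    def __init__(self, base, image):
        self.base, self.image = base, image

    def read(self, addr, n):
        return bytes(self.image[addr - self.base:addr - self.base + n])

def process_features(proc, length):
    """First extraction path: headers from process memory, entry address = base + AddressOfEntryPoint."""
    attrs, _, _ = parse_headers(proc.read(proc.base, 0x1000))  # assumption: headers fit in the first 0x1000 bytes
    return attrs, proc.read(proc.base + attrs["AddressOfEntryPoint"], length)

def disk_features(disk, length):
    """Second extraction path: walk the section table to turn the entry RVA into a file offset."""
    attrs, sections, _ = parse_headers(disk)
    rva = attrs["AddressOfEntryPoint"]
    for _name, va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):                  # the target section holding the entry point
            file_off = raw_ptr + (rva - va)                        # section file offset + entry offset inside section
            return attrs, disk[file_off:file_off + length]
    raise ValueError("entry point lies outside every section")

def classify(proc_attrs, disk_attrs, proc_entry, disk_entry, threshold=THRESHOLD):
    """Attribute mismatch, or entry bytes matching at a proportion not above the threshold, means 'risk'."""
    if proc_attrs != disk_attrs:
        return "risk", 0.0
    n = min(len(proc_entry), len(disk_entry))
    ratio = sum(a == b for a, b in zip(proc_entry, disk_entry)) / n if n else 0.0
    return ("risk" if ratio <= threshold else "safe"), ratio

def demo():
    disk = build_disk_pe(0x5EA00000, CODE)
    clean = ProcessMemory(IMAGE_BASE, map_image(disk))
    patched = map_image(disk)                                      # constructed puppet: same headers, entry bytes replaced
    patched[ENTRY_RVA:ENTRY_RVA + len(CODE)] = b"\xCC" * len(CODE)
    puppet = ProcessMemory(IMAGE_BASE, patched)
    replaced = ProcessMemory(IMAGE_BASE, map_image(build_disk_pe(0x5EB00000, CODE[::-1])))  # other PE mapped at the base
    d_attrs, d_entry = disk_features(disk, LENGTH)
    verdicts = {}
    for name, proc in (("clean", clean), ("puppet", puppet), ("replaced", replaced)):
        p_attrs, p_entry = process_features(proc, LENGTH)
        verdicts[name] = classify(p_attrs, d_attrs, p_entry, d_entry)[0]
    return verdicts

if __name__ == "__main__":
    print(demo())   # {'clean': 'safe', 'puppet': 'risk', 'replaced': 'risk'}
```

The "puppet" case is caught by the entry point comparison alone (headers are identical, so the attribute check passes and the matching proportion is 0), while the "replaced" case is caught earlier by the attribute check because the timestamp differs; this is why the page's two orderings of the checks reach the same verdict and differ only in which comparison is done first.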
In one possible implementation manner, the process processing module includes:
the prompting unit is used for responding to the process type of the target process to indicate that the target process has a safety risk and displaying risk prompting information, wherein the risk prompting information is used for prompting whether to carry out risk processing on the target process;
and the process stopping unit is used for responding to the received operation of carrying out risk processing on the target process and stopping the target process.
In one possible implementation, the apparatus further includes:
the file processing module is used for responding to the received operation of risk processing on the target process and responding to the fact that the disk file is located in a white list, and reserving the disk file;
and the file processing module is also used for responding to the received operation of risk processing on the target process and responding to the disk file in a blacklist and isolating the disk file.
In yet another aspect, a computer device is provided, which includes a processor and a memory, wherein at least one instruction, at least one program, a set of codes, or a set of instructions is stored in the memory, and the at least one instruction, the at least one program, the set of codes, or the set of instructions is loaded and executed by the processor to implement the process handling method in virus killing as described above.
In yet another aspect, a computer-readable storage medium is provided, in which at least one instruction, at least one program, a set of codes, or a set of instructions is stored, which is loaded and executed by a processor to implement the process handling method in virus killing as described above.
The technical scheme provided by the application can comprise the following beneficial effects:
the PE file features of the target process and of the disk file corresponding to the target process are extracted respectively; the type of the target process is identified from these two sets of PE file features, so as to determine whether the target process has a security risk; and risk processing is performed on a target process that has a security risk.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
FIG. 1 is a process diagram illustrating a virus killing process, according to an example embodiment;
FIG. 2 is a schematic diagram of a process parasitic and identification process according to the embodiment shown in FIG. 1;
FIG. 3 is a flow diagram illustrating a method of process handling in virus killing in accordance with an exemplary embodiment;
FIG. 4 is a diagram illustrating a PE file structure according to the embodiment shown in FIG. 3;
FIG. 5 is a flow diagram illustrating PE entry point data acquisition according to the embodiment shown in FIG. 3;
FIG. 6 is a schematic diagram of a risk hint information presentation according to the embodiment shown in FIG. 3;
FIG. 7 is a schematic diagram of an isolated file interface according to the embodiment of FIG. 3;
FIG. 8 is a diagram illustrating a process parasitic and identification process in accordance with an exemplary embodiment;
FIG. 9 is a flow chart illustrating risk process detection according to the embodiment shown in FIG. 8;
FIG. 10 is a block diagram of a process handling device in virus killing according to an exemplary embodiment of the present application;
FIG. 11 is a block diagram illustrating a computer device in accordance with an exemplary embodiment.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The application provides a process processing scheme in virus checking and killing, which can accurately identify a puppet process in a system, thereby improving the accuracy of risk process identification. For ease of understanding, the terms referred to in this application will be first introduced.
1) Process
A Process (Process) is a running instance of a program operating on a data set in a computer system; it is the basic unit of resource allocation and scheduling in the system and the basis of the operating system architecture. In early process-oriented computer architectures, processes were the basic execution entities of programs; in modern thread-oriented computer architectures, a process is a container for threads. A program is a description of instructions, data and their organization; a process is the running entity of that program.
In a computer system, a process may include (or "own") the following data:
the process corresponds to an image of the executable machine code of the program in the memory;
the memory allocated to the process (usually a region of virtual memory), whose contents include executable code, process-specific data (input, output), the call stack, and the heap (for holding data generated during the run);
operating system descriptors of the resources allocated to the process, such as file descriptors (Unix terminology) or file handles (Windows), data sources and data terminals;
security features such as process owner and set of permissions (operations that may be allowed) for the process;
processor state (context), such as register contents, physical memory addressing, etc.; this state is typically held in registers while the process is running and stored in memory otherwise.
2) Puppet process
In a computer system, one type of trojan virus replaces the mapping file of another process with a virus code file, thereby "parasitizing" that process; a process whose mapping file has been replaced with a virus code file in this way (i.e. a "parasitized" process) may be referred to as a puppet process.
3) PE file
PE files are program files that can be executed directly or indirectly in an operating system; common PE files include Executable (EXE) files, Dynamic Link Library (DLL) files, Object Linking and Embedding Control eXtension (OCX) files, system (SYS) files, and COM files, among others.
The scheme shown in the application can be applied to computer equipment. For example, the computer device may be a mobile terminal such as a smartphone, a tablet computer or an electronic book reader; a Personal Computer (PC) such as a desktop computer, a notebook computer or a personal workstation; an intelligent wearable device such as smart glasses or a smart watch; or an in-vehicle computer.
Taking Windows system platform as an example, the memory space of the operating system of the computer device includes a user space and a kernel space. The user space runs various processes, application programs, environment subsystems and the like, wherein the processes comprise system processes and user processes; and the kernel space runs a system core, system services, hardware drivers, graphics drivers, and a hardware abstraction layer, etc.
In the above operating system, a trojan virus may replace a mapping file in a normal process with a virus code file, so as to obtain a puppet process, and implement malicious behaviors such as destroying system functions, stealing user privacy information, and the like by using the puppet process.
The scheme shown in the embodiments of the present application is a scheme for identifying a puppet process from currently running processes (i.e. a system process and a user process).
In one possible implementation, the solution shown in the present application may be implemented by an application installed and running in a computer device. Optionally, the application program implementing the scheme shown in the present application may be a system security class application program.
Optionally, the system security application may be various antivirus software or application management software.
For example, in an operating system, a system security class application may perform risk identification on each currently running process separately, periodically or under user trigger, to detect a currently running puppet process.
Fig. 1 is a process diagram illustrating virus killing according to an exemplary embodiment. The process flow can be executed by the computer device. For example, the computer device may be a mobile terminal, a personal computer, a smart wearable device, or a vehicle-mounted computer, among others. The process flow in virus killing can be as follows:
S11, extracting the portable executable PE file characteristics of the target process from the currently running target process.
In this embodiment of the present application, extracting the PE file feature from the currently running target process means extracting the PE file feature from the memory space in which the target process runs.
The PE file characteristics are characteristics of the corresponding PE file.
In one possible implementation, the PE file characteristics may include at least one of PE file attribute characteristics and PE entry point data.
Optionally, the PE file attribute feature includes at least one attribute of a timestamp, a PE section number, an entry point address offset, a mirror size, and a section name;
optionally, the PE entry point data includes code data of a specified length starting from the entry point address.
S12, extracting the PE file characteristics of the disk file from the disk file corresponding to the target process.
In this embodiment of the present application, the disk file corresponding to the target process may refer to a code file stored in a disk and used for triggering creation of the target process.
S13, acquiring the process type of the target process according to the PE file characteristics of the target process and the PE file characteristics of the disk file; the process type is used to indicate whether a corresponding process has a security risk.
In a possible implementation manner, the process type of the target process is obtained according to the PE file feature of the target process and the PE file feature of the disk file, and may be obtained according to a difference between the PE file feature of the target process and the PE file feature of the disk file.
Optionally, the computer device may, through a system security class application, match the PE file features of the target process against the PE file features of the disk file and determine the process type of the target process from the matching result, that is, determine whether the target process has a security risk; for example, if the target process has a security risk, it may be determined that the target process is a puppet process "parasitized" by a trojan virus.
For a process of triggering creation of a disk file, the PE file characteristics of the disk file should be consistent with or similar to the PE file characteristics of the created process. For the trojan horse virus generating a puppet process in a "parasitic" manner, the action principle of the trojan horse virus is to replace a mapping file for a created process, so as to modify an original process, in this process, a PE file of the "parasitic" process is changed, and at the same time, a disk file creating the process is not modified, that is, a PE file feature of the disk file is not changed, which may cause a difference between a PE file feature of the "parasitic" process and a PE file feature of the disk file creating the process.
For example, please refer to fig. 2, which illustrates a schematic diagram of a process parasitic and identification process according to an embodiment of the present application. As shown in fig. 2, in the "parasitic" stage, the disk file 21 initiates a creation process to the operating system to obtain an original target process 22, and then the trojan virus 23 performs parasitic on the original target process 22 by replacing the mapping file to obtain a parasitic target process 24. In the identification stage, the system security class application extracts the PE file features 25 of the target process 24 from the parasitic target process 24 on one hand, and extracts the PE file features 26 of the disk file from the disk file 21 on the other hand, then matches the PE file features 25 and the PE file features 26, determines that the parasitic target process 24 has a security risk according to the matching result, and obtains the process type of the target process 24.
S14, in response to the process type of the target process indicating that the target process has a security risk, performing risk processing on the target process.
In summary, in the solution shown in the embodiment of the present application, the PE file feature of the target process and the PE file feature of the disk file corresponding to the target process are respectively extracted, and then the type of the target process is identified according to the PE file feature of the target process and the PE file feature of the disk file corresponding to the target process, so as to determine whether the target process has a security risk, and perform risk processing on the target process having the security risk.
Fig. 3 is a flowchart illustrating a method for processing a process in virus killing according to an exemplary embodiment; the method can be executed by the computer device. For example, the computer device may be a mobile terminal, a personal computer, a smart wearable device, or a vehicle-mounted computer, among others. As shown in fig. 3, the method for processing a process in virus killing may include the following steps:
step 301, extracting the portable executable PE file feature of the target process from the currently running target process.
In one possible implementation, the PE file characteristics include at least one of PE file attribute characteristics and PE entry point data;
the PE file attribute characteristics include at least one attribute among a timestamp (TimeDateStamp), the number of PE sections (NumberOfSections), an entry point address offset (AddressOfEntryPoint), an image size (SizeOfImage), and a section name (IMAGE_SECTION_HEADER.Name);
the PE entry point data includes code data of a specified length from an entry point address.
In a possible implementation manner, the specified length may be a length preset by a developer, for example, the specified length may be set to 200 bytes.
In another possible implementation manner, the specified length may also be dynamically determined by the computer device according to the related information. For example, a security management application in the computer device may obtain the memory occupancy of the target process, and determine the specified length according to the memory occupancy, where the specified length is positively correlated to the memory occupancy of the target process.
In the embodiment of the present application, memory usage of different processes may also be different, where a process with a lower memory usage amount may have a lower code data amount, and a process with a higher memory usage amount may have a higher code data amount. For a process with a lower code data amount, the subsequent similarity/matching degree judgment requirement can be met only by needing less PE entry point data, and if the obtained PE entry point data with the specified length is longer (namely the data amount is larger), the subsequent identification efficiency in the type identification process is influenced; for a process with a higher code data amount, more PE entry point data may be needed to meet the subsequent requirement for determining similarity/matching degree, and if the obtained PE entry point data with a specified length is shorter (i.e. the data amount is smaller), the accuracy of subsequent type identification will be affected.
In contrast, in the solution shown in the embodiment of the present application, when the system security application running in the computer device extracts the PE entry point data from the target process and the corresponding disk file, the specified length may be determined according to the memory occupancy amount of the target process.
For example, a plurality of memory occupation intervals and entry point data lengths corresponding to the memory occupation intervals can be preset in the system security application program; when extracting the PE entry point data, the system security application may determine a memory occupancy interval in which the memory occupancy of the target process is located, and acquire the entry point data length corresponding to the determined memory occupancy interval as the specified length.
Optionally, in response to the PE file feature including a PE file attribute feature, when the portable executable PE file feature of the target process is extracted from the currently running target process, the computer device may read a memory area corresponding to the target process to obtain the Process Environment Block (PEB) of the target process; extract a pointer to a specified structure from the PEB of the target process; acquire the specified structure through that pointer; and extract the specified field in the specified structure as the PE file attribute characteristic of the target process.
In this embodiment of the present application, when the PE file features include PE file attribute features, the system security application may read the PE file attribute features of the target process from the memory area corresponding to the target process, where the PE file attribute features reside in specified fields of specified structures. The system security application therefore first obtains the process environment block of the target process from that memory area; the process environment block holds pointers to the structures of the target process, and the system security application reads the pointers to the specified structures from it, locates the specified structures in the memory area of the target process through those pointers, and extracts the specified fields of the specified structures as the PE file attribute features of the target process.
Optionally, the target structures are an IMAGE _ DOS _ HEADER structure and an IMAGE _ NT _ HEADER structure in the PE file structure.
For example, please refer to fig. 4, which shows a schematic diagram of a PE file structure according to an embodiment of the present application, and as shown in fig. 4, the IMAGE _ DOS _ HEADER structure is located in a DOS HEADER 41 of the PE file structure, and the IMAGE _ NT _ HEADER structure is located in a PE file HEADER 42 after the DOS HEADER. After the system security application program obtains the pointers of the IMAGE _ DOS _ HEADER structural body and the IMAGE _ NT _ HEADER structural body, the system security application program can locate the positions of the IMAGE _ DOS _ HEADER structural body and the IMAGE _ NT _ HEADER structural body in the memory, and read the designated fields in the positions as the attribute features of the PE file.
Optionally, the specified field may be a field in a specified structure corresponding to the attribute feature of the PE file.
Optionally, in response to that the PE file feature includes PE entry point data, when the portable executable PE file feature of the target process is extracted from the currently running target process, the computer device may obtain a process base address of the target process and an offset of the PE entry point with respect to the process base address, and locate the PE entry point address of the target process from the memory of the target process; and reading the code data with the specified length from the PE entry point address of the target process to obtain the PE entry point data of the target process.
In this embodiment of the present application, reading the PE entry point data first requires the PE entry point address. The PE entry point address of the target process is obtained by adding the offset of the PE entry point relative to the process base address to the process base address of the target process. Once the PE entry point address of the target process has been located, the system security application may read continuous code data of a specified length from the memory at that address, and this code data serves as the PE entry point data of the target process.
Step 302, extracting the PE file feature of the disk file from the disk file corresponding to the target process.
Optionally, when the PE file features include PE file attribute features, and the PE file features of the disk file are extracted from the disk file corresponding to the target process, the computer device may obtain the file path of the disk file corresponding to the target process; map the disk file of the target process into memory according to the file path; read the specified structure from the memory to which the disk file of the target process is mapped; and extract the specified field in the specified structure as the PE file attribute feature of the disk file.
In the embodiment of the application, while traversing the target process, the system security application can acquire the file path of the disk file corresponding to the target process. On this basis it reads the corresponding disk file through the acquired file path, maps the disk file into memory, and then reads the specified field of the specified structure from that memory, using the pointer to the specified structure obtained during mapping, as the PE file attribute feature of the disk file.
Optionally, when the PE file feature includes PE entry point data, and the PE file feature of the disk file is extracted from the disk file corresponding to the target process, the computer device may traverse the section table of the disk file and determine the target section in which the PE entry point of the disk file is located; acquire the PE entry point address of the disk file from the virtual address of the target section, the offset of the PE entry point of the disk file relative to the target section, and the offset of the target section relative to the disk file; and read code data of the specified length from the PE entry point address of the disk file to obtain the PE entry point data of the disk file.
For example, please refer to fig. 5, which shows a schematic flow chart of PE entry point data acquisition according to an embodiment of the present application. As shown in fig. 5, the system security class application first traverses each section in the section table and, for each section, determines whether the PE entry point lies in the current section according to the virtual address of the current section (VirtualAddress), the PE entry point address offset (AddressOfEntryPoint), and the size of the current section (SizeOfRawData) (S51). For example, if the condition VirtualAddress of the current section < AddressOfEntryPoint < VirtualAddress of the current section + size of the current section is satisfied, the current section is the target section in which the PE entry point is located. The offset of the PE entry point relative to the target section is then obtained as Y = AddressOfEntryPoint - VirtualAddress of the target section (S52), and, combining this with the offset of the target section relative to the disk file (PointerToRawData), the PE entry point address is Y + PointerToRawData (S53).
Step 303, obtaining the process type of the target process according to the PE file characteristics of the target process and the PE file characteristics of the disk file; the process type is used to indicate whether a corresponding process has a security risk.
Optionally, in response to that the PE file features include PE file attribute features, when the process type of the target process is acquired according to the PE file features of the target process and the PE file features of the disk file, the computer device may acquire feature consistency information, where the feature consistency information is used to indicate whether the PE file attribute features of the target process are consistent with the PE file attribute features of the disk file; and in response to the feature consistency information indicating that the PE file attribute feature of the target process is inconsistent with the PE file attribute feature of the disk file, acquiring that the process type of the target process is a first type, wherein the first type is used for indicating that the target process has a security risk.
Optionally, in response to that the feature consistency information indicates that the PE file attribute feature of the target process is consistent with the PE file attribute feature of the disk file, obtaining that the process type of the target process is a second type, where the second type is used to indicate that the target process has no security risk.
In this embodiment of the present application, the system security class application may obtain the process type of the target process by using the PE file attribute feature alone, that is, the system security class application may compare the consistency between the PE file attribute feature of the target process and the PE file attribute feature of the disk file, and if the two are consistent, the target process is considered not to belong to a puppet process, and there is no security risk; otherwise, if the two are not consistent, the target process is considered to belong to the puppet process, and there is a security risk.
Further, in response to that the PE file characteristics also include PE entry point data, the computer device also obtains a matching ratio between the PE entry point data of the target process and the PE entry point data of the disk file in response to that the characteristic consistency information indicates that the PE file attribute characteristics of the target process are consistent with the PE file attribute characteristics of the disk file; and acquiring the process type of the target process as the first type in response to the matching proportion not being larger than a proportion threshold value.
Optionally, in response to that the feature consistency information indicates that the PE file attribute feature of the target process is consistent with the PE file attribute feature of the disk file, and that the matching proportion is greater than a proportion threshold, the computer device may acquire that the process type of the target process is the second type.
In this embodiment, the system security class application may obtain the process type of the target process by combining the PE file attribute feature and the PE entry point data. That is, the system security class application may first compare the PE file attribute feature of the target process with the PE file attribute feature of the disk file for consistency; if the two are inconsistent, the target process is considered to belong to a puppet process, and there is a security risk. If the two are consistent, it continues by comparing the PE entry point data of the target process with the PE entry point data of the disk file; if the matching ratio of the two is not greater than a preset ratio threshold, the target process is considered to belong to a puppet process and there is a security risk; if the matching ratio of the two is greater than the ratio threshold, the target process is considered not to belong to a puppet process, and there is no security risk.
Optionally, when the PE file characteristics include PE entry point data, and the process type of the target process is obtained according to the PE file characteristics of the target process and the PE file characteristics of the disk file, the computer device may obtain the matching ratio between the PE entry point data of the target process and the PE entry point data of the disk file; and, in response to the matching ratio not being greater than a ratio threshold, obtain the process type of the target process as the first type, where the first type indicates that the target process has a security risk.
Optionally, in response to that the matching proportion is greater than the proportion threshold, acquiring that the process type of the target process is the second type.
In this embodiment of the present application, the system security application may obtain the process type of the target process through the PE entry point data alone, that is, the system security application may directly calculate a matching ratio between the PE entry point data of the target process and the PE entry point data of the disk file, and directly determine whether the process type of the target process is the first type or the second type according to the obtained matching ratio.
Optionally, in response to that the PE file characteristics further include PE file attribute characteristics, when the process type of the target process is acquired according to the PE file characteristics of the target process and the PE file characteristics of the disk file, the computer device may further acquire feature consistency information in response to that the matching proportion is greater than the proportion threshold, where the feature consistency information is used to indicate whether the PE file attribute characteristics of the target process are consistent with the PE file attribute characteristics of the disk file; and acquiring the process type of the target process as the first type in response to the characteristic consistency information indicating that the PE file attribute characteristic of the target process is inconsistent with the PE file attribute characteristic of the disk file.
Optionally, in response to that the matching proportion is greater than the proportion threshold and the feature consistency information indicates that the PE file attribute feature of the target process is consistent with the PE file attribute feature of the disk file, acquiring that the process type of the target process is the second type.
In the embodiment of the present application, when the system security application obtains the process type of the target process by combining the PE file attribute feature and the PE entry point data, the matching ratio between the PE entry point data of the target process and the PE entry point data of the disk file may also be calculated first, and if the matching ratio obtained by calculation is greater than a ratio threshold, consistency comparison is further performed between the PE file attribute feature of the target process and the PE file attribute feature of the disk file, so as to determine whether the process type of the target process is the first type or the second type.
In another possible implementation manner, when the system security application acquires the process type of the target process by combining the PE file attribute feature and the PE entry point data, it may also perform in parallel the step of calculating the matching ratio between the PE entry point data of the target process and the PE entry point data of the disk file and the consistency comparison between the PE file attribute feature of the target process and the PE file attribute feature of the disk file, and then determine whether the process type of the target process is the first type or the second type by combining the matching ratio and the consistency comparison result. For example, if either of the two conditions holds, namely that the matching proportion is not greater than the proportion threshold, or that the PE file attribute feature of the target process is inconsistent with the PE file attribute feature of the disk file, the process type of the target process is determined to be the first type; and if the matching proportion is greater than the proportion threshold and the PE file attribute feature of the target process is consistent with the PE file attribute feature of the disk file, the process type of the target process is determined to be the second type.
Step 304, in response to the process type of the target process indicating that the target process has a security risk, displaying risk prompt information, where the risk prompt information is used to prompt whether to perform risk processing on the target process.
In the embodiment of the application, when the process type of the target process is determined to indicate that the target process has a security risk, the computer device may directly perform risk processing on the target process, or may display a prompt asking the user whether to process it.
For example, please refer to fig. 6, which illustrates a schematic diagram of a risk prompt information display according to an embodiment of the present application. As shown in fig. 6, when the system security class application determines that the process type of the target process is the first type, a risk prompt message 62 including the process name 62a, the file address 62b, and the risk description information 62c of the target process may be presented through a risk prompt interface 61. The risk prompt interface 61 further includes a processing control 63, through which the user can choose to process the target process.
Step 305, in response to receiving the operation of risk processing for the target process, stopping the target process.
Optionally, in response to receiving the operation of performing risk processing on the target process, the computer device may further retain the disk file if the disk file is on the white list, and isolate the disk file if the disk file is on the blacklist.
Optionally, the isolated disk file may be placed in a file isolation area, and the user may be offered the choice of deleting the disk file completely or restoring it from the file isolation area.
For example, please refer to fig. 7, which illustrates a schematic diagram of an isolated file interface according to an embodiment of the present application. As shown in fig. 7, the file isolation area interface 71 of the system security class application includes an option 72 corresponding to the disk file that has been isolated, a delete control 73 for deleting the disk file, and a restore control 74 for restoring the disk file. After option 72 is selected, if the user clicks the delete control 73, the system security application deletes the disk file corresponding to option 72; if the user clicks the restore control 74, the system security application restores the disk file corresponding to option 72 to its file address before isolation.
In summary, in the solution shown in the embodiment of the present application, the PE file feature of the target process and the PE file feature of the disk file corresponding to the target process are respectively extracted, and then the type of the target process is identified according to the PE file feature of the target process and the PE file feature of the disk file corresponding to the target process, so as to determine whether the target process has a security risk, and perform risk processing on the target process having the security risk.
FIG. 8 is a diagram illustrating process parasitism and the identification process, according to an example embodiment. As shown in fig. 8, in the "parasitic" stage, the disk file 81 initiates process creation to the operating system and obtains an original target process 82; the Trojan virus 83 then parasitizes the original target process 82 by replacing the mapped file and obtains a parasitized target process 84. In the identification phase, the system security class application extracts, on the one hand, the PE file attribute features 85 and PE entry point data 86 of the target process 84 from the parasitized target process 84, and on the other hand, the PE file attribute features 87 and PE entry point data 88 of the disk file from the disk file 81. Then, for the PE file attribute features 85 and the PE file attribute features 87, the system security application compares the two for consistency to obtain a consistency result 89; for PE entry point data 86 and PE entry point data 88, the system security class application calculates a match ratio 810 between the two; and the system security class application determines the process type of the target process 84 based on the consistency result 89 and/or the match ratio 810.
In a possible implementation scheme of fig. 8, the system security application may first obtain the PE file attribute feature 85 and the PE file attribute feature 87 to obtain a consistency result 89, determine whether the target process 84 has a security risk according to the consistency result 89, further obtain the PE entry point data 86 and the PE entry point data 88 to obtain a matching proportion 810 if it is determined that the target process 84 does not have a security risk according to the consistency result 89, and determine whether the target process 84 has a security risk according to the matching proportion 810.
In another possible implementation of fig. 8, the system security application may first obtain PE entry point data 86 and PE entry point data 88 to obtain a matching proportion 810, and determine whether the target process 84 has a security risk according to the matching proportion 810, and if it is determined that the target process 84 does not have a security risk according to the matching proportion 810, further obtain PE file attribute features 85 and PE file attribute features 87 to obtain a consistency result 89, and determine whether the target process 84 has a security risk according to the consistency result 89.
In another possible implementation of fig. 8, the system security class application may also obtain the matching proportion 810 and the consistency result 89 at the same time, and determine that the target process 84 is at a security risk when either of the matching proportion 810 and the consistency result 89 indicates that the target process 84 is at a security risk.
For example, taking an example that the system security application may first obtain the consistency result 89, and then obtain the matching proportion 810 when it is determined that the target process 84 has no security risk according to the consistency result 89, please refer to fig. 9, which shows a schematic flow diagram of risk process detection according to an embodiment of the present application. As shown in fig. 9, the processing flow of the present technology can be divided into four processes, namely, obtaining a scan object, comparing PE file attribute feature sets, comparing entry point similarity, and risk detection.
The basic flow of the scheme shown in fig. 9 is as follows:
A) Acquiring the scan object: calling a system interface to enumerate all current processes of the system (S91) as the objects of subsequent scanning detection.
Wherein, the scanning object refers to all processes in the current system.
Scan object acquisition: a system interface is called to enumerate the processes in the system; the returned result is a set of process information, and the information of each process includes the process identifier (pid), the process name, and the process path. The detection scan may be started when the user selects a designated function in the system security class application, such as a "full disk disinfection" or "lightning disinfection" function.
B) Comparing the PE file attribute feature sets: searching the memory area corresponding to the current process for the IMAGE_DOS_HEADER structure and the IMAGE_NT_HEADER structure, extracting the corresponding PE feature fields (such as at least one of a timestamp, the number of PE sections, the entry point address offset, the image size, the section names, and the entry point address) from the two structures to serve as the PE file feature set p1 of the current process (S92), mapping the disk file corresponding to the current process into memory and acquiring its PE file feature set p2, and comparing whether p1 and p2 are consistent; if not, a risk is detected and the flow enters step D), and if so, the subsequent step C) is executed.
The basic principle of the comparison of the PE file attribute feature sets is as follows: when a Trojan horse virus overwrites process A with malicious code, the current PE file attribute features of process A may change, while the original clean PE file attribute features of process A can be obtained by mapping the disk file corresponding to process A into memory; if the attribute features of the current PE file are inconsistent with the attribute features of the original clean PE file, a risk is reported.
The PE file attribute features in the embodiment of the application include, but are not limited to, the timestamp TimeDateStamp, the number of PE sections NumberOfSections, the entry point address offset AddressOfEntryPoint, the image size SizeOfImage, and the section names from PIMAGE_SECTION_HEADER.
The PE file attribute features of the process are obtained by parsing the corresponding PE file structure to obtain the values of the corresponding PE attribute fields. The process is as follows:
1) open the detected process A, read the memory of process A, and acquire its process environment block PEB;
2) read the process memory and acquire the IMAGE_DOS_HEADER and IMAGE_NT_HEADER structures;
3) acquire the corresponding PE feature fields in the IMAGE_DOS_HEADER and IMAGE_NT_HEADER structures to form the PE feature set p1 of the current process.
The process of obtaining the attribute characteristics of the PE file of the disk file corresponding to the process a may be as follows:
The file path of the disk file of the current process (i.e. process A), obtained while traversing the current process (S93), is used to open the disk file corresponding to process A and map it into memory (S94); the PE feature fields corresponding to the IMAGE_DOS_HEADER and IMAGE_NT_HEADER structures are then obtained from the mapped memory to form the original clean PE file attribute feature set p2 of process A (S95), i.e. the PE file attribute features of the disk file corresponding to process A.
Comparing the PE file attribute feature sets:
In the scheme shown in fig. 6, the system security class application may compare the obtained PE file attribute feature sets p1 and p2, for example by comparing the corresponding field values in p1 and p2 in sequence (TimeDateStamp, NumberOfSections, and so on) (S96), and determine whether the features of the two are consistent (S97); if any feature value is inconsistent, a risk may be reported (S98).
If the PE file attribute feature sets p1, p2 are consistent, a next comparison of entry point similarities may be made.
C) Comparing the entry point similarity: reading X bytes of data at the PE file entry point of the current process, mapping the disk file corresponding to the current process into memory and reading X bytes of data at its entry point, and comparing the similarity of the two pieces of entry point data; if the similarity is greater than a threshold, no risk is determined, and if the similarity is not greater than the threshold, a risk is detected and the flow enters step D).
The basic principle of the entry point similarity comparison is as follows: when a Trojan horse virus overwrites process A with malicious code, the current PE file features of process A may change, which can be detected by comparing the PE file attribute feature sets in step B); however, some Trojan horse viruses may overwrite only the code section with malicious code without changing the PE file attribute features in the PE structures, and in that case detection can be done by comparing the code data at the PE entry point in step C).
The acquisition of the entry point code data is divided into two parts, namely the acquisition of entry point data of a process and the acquisition of entry point data of a disk file.
The detected process A entry point data reading process is as follows:
1) locate the entry point address of the current process A (S99): the entry point address is the process image base ProcessImageBase + the entry point offset AddressOfEntryPoint;
2) read X bytes of data from the memory address (ProcessImageBase + AddressOfEntryPoint) into the buffer buf1 (S910);
optionally, the number X of bytes read is 200 bytes.
Obtaining the PE entry point data of the disk file of the detected process A:
1) first, the PE entry point address of the disk file of the current process A is located: the section table of the disk file of the current process is traversed, the section in which the entry point is located is found, and the offset position of the entry point is obtained as the offset of the entry point relative to the section in which it is located + the offset PointerToRawData of that section relative to the file (S911).
2) after the entry point position is determined, X bytes of data are read from the determined entry point offset into the buffer buf2 (S912); the number X of bytes read is again 200.
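The disk-side extraction of steps S93 to S95 and S911 to S912, together with the section-table walk of fig. 5 (S51 to S53), as an added Python example that is not part of the application: it parses IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, the optional header and IMAGE_SECTION_HEADER with `struct`, returns the attribute feature set p2, and translates AddressOfEntryPoint into a file offset. The minimal PE image it runs on is constructed inside the block (`build_min_pe` is a helper written here, not a Windows API), and the in-process side (PEB walk, reading process memory) is not shown because it needs a live Windows process.

```python
import struct

# Documented layouts of the structures the text names: IMAGE_DOS_HEADER (e_lfanew at 0x3C),
# IMAGE_FILE_HEADER and the optional header inside IMAGE_NT_HEADERS, and IMAGE_SECTION_HEADER.
DOS_E_LFANEW = 0x3C
FILE_HEADER_FMT = "<HHIIIHH"     # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
                                 # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"     # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
                                 # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
                                 # NumberOfLinenumbers, Characteristics
OPT_ADDRESS_OF_ENTRY_POINT = 16  # offsets inside the optional header; identical for PE32 and PE32+
OPT_SIZE_OF_IMAGE = 56


def parse_headers(image: bytes):
    """Return (IMAGE_FILE_HEADER fields, optional header bytes, list of section header tuples)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, DOS_E_LFANEW)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh_off = e_lfanew + 4
    file_hdr = struct.unpack_from(FILE_HEADER_FMT, image, fh_off)
    num_sections, size_opt = file_hdr[1], file_hdr[5]
    opt_off = fh_off + struct.calcsize(FILE_HEADER_FMT)
    sec_off = opt_off + size_opt
    sections = [struct.unpack_from(SECTION_FMT, image, sec_off + 40 * i)
                for i in range(num_sections)]
    return file_hdr, image[opt_off:opt_off + size_opt], sections


def extract_features(image: bytes) -> dict:
    """The PE file attribute feature set (p1 for the process image, p2 for the mapped disk file)."""
    file_hdr, opt, sections = parse_headers(image)
    return {
        "TimeDateStamp": file_hdr[2],
        "NumberOfSections": file_hdr[1],
        "AddressOfEntryPoint": struct.unpack_from("<I", opt, OPT_ADDRESS_OF_ENTRY_POINT)[0],
        "SizeOfImage": struct.unpack_from("<I", opt, OPT_SIZE_OF_IMAGE)[0],
        "SectionNames": tuple(s[0].rstrip(b"\0") for s in sections),
    }


def entry_point_file_offset(image: bytes) -> int:
    """S51-S53 / S911: walk the section table, find the section holding AddressOfEntryPoint,
    and translate that RVA into an offset within the disk file."""
    _, opt, sections = parse_headers(image)
    aep = struct.unpack_from("<I", opt, OPT_ADDRESS_OF_ENTRY_POINT)[0]
    for _name, _vsize, va, raw_size, ptr_raw, *_ in sections:
        # The lower bound is inclusive here so an entry point at the section start is matched.
        if va <= aep < va + raw_size:      # S51: entry point lies in this section
            y = aep - va                    # S52: offset of the entry point within the section
            return y + ptr_raw              # S53: plus the section's PointerToRawData
    raise ValueError("AddressOfEntryPoint is not inside any section")


def read_entry_point_data(image: bytes, length: int = 200) -> bytes:
    """S912: the X (= 200) bytes of code at the disk file's entry point (buf2)."""
    off = entry_point_file_offset(image)
    return image[off:off + length]


def build_min_pe(time_stamp: int, entry_rva: int, size_of_image: int, sections) -> bytes:
    """Constructed sample input (not a real binary): a minimal PE32 file in disk layout.
    sections: list of (name, VirtualAddress, PointerToRawData, raw_bytes)."""
    e_lfanew = 0x40
    opt = bytearray(0xE0)                        # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic = PE32
    struct.pack_into("<I", opt, OPT_ADDRESS_OF_ENTRY_POINT, entry_rva)
    struct.pack_into("<I", opt, OPT_SIZE_OF_IMAGE, size_of_image)
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14C, len(sections), time_stamp, 0, 0, len(opt), 0x102)
    sec_hdrs = b"".join(
        struct.pack(SECTION_FMT, name.ljust(8, b"\0"), len(raw), va, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        for name, va, ptr, raw in sections)
    headers = b"PE\0\0" + file_hdr + bytes(opt) + sec_hdrs
    img = bytearray(max(ptr + len(raw) for _, _, ptr, raw in sections))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, DOS_E_LFANEW, e_lfanew)
    img[e_lfanew:e_lfanew + len(headers)] = headers
    for _, _, ptr, raw in sections:
        img[ptr:ptr + len(raw)] = raw
    return bytes(img)


# Constructed sample: .text at RVA 0x1000 / file offset 0x400, entry point 0x10 bytes into it.
TEXT = bytes(range(256)) * 2                     # 512 bytes standing in for code
SAMPLE_PE = build_min_pe(0x5E9F1C00, 0x1010, 0x3000,
                         [(b".text", 0x1000, 0x400, TEXT),
                          (b".data", 0x2000, 0x600, b"\0" * 0x200)])

if __name__ == "__main__":
    print(extract_features(SAMPLE_PE))
    print(hex(entry_point_file_offset(SAMPLE_PE)), read_entry_point_data(SAMPLE_PE, 8).hex())
```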
The entry point data similarity detection procedure may be as follows:
1) Calculating the similarity: the current entry point data buf1 of the detected process A and the original entry point data buf2 of the disk file of process A were obtained in the above steps. Optionally, buf1 and buf2 are char arrays of length len (i.e. 200 bytes). The data in buf1 and buf2 are compared in sequence to obtain their similarity (S913): for example, buf1 and buf2 are compared position by position, the count is increased by 1 wherever the data are equal, and the similarity equals count/len. (The application gives this as pseudocode in a figure.)
2) Judging whether the similarity is greater than the threshold (S914): if the similarity count/len is not greater than the set threshold, a risk is reported (S98); otherwise, the process ends.
Under normal conditions only a small part of the code data loaded into memory from the process file is changed, whereas most of the data of a process overwritten by malicious code is changed. The threshold is 80% in the embodiment of the application, which gives a good detection rate and a low false alarm rate.
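The comparison stage (S96 to S98 and S913 to S914), as an added Python example that is not from the application: the position-wise similarity count/len, the field-by-field feature-set check, and the step B then step C verdict with the 80% threshold, run over constructed sample inputs that mimic a clean process, a replaced image (caught by step B) and a code-only overwrite (caught by step C). The feature dictionaries and byte patterns are made up for the demonstration and do not come from any real binary.

```python
# Ratio threshold the text settles on: 80 % of the 200 compared bytes.
RATIO_THRESHOLD = 0.8
FIRST_TYPE = "first type (security risk)"
SECOND_TYPE = "second type (no security risk)"


def entry_point_similarity(buf1: bytes, buf2: bytes) -> float:
    """S913: compare buf1 and buf2 position by position; similarity = count / len."""
    if not buf1 or len(buf1) != len(buf2):
        raise ValueError("entry point buffers must be the same non-zero length")
    count = sum(1 for a, b in zip(buf1, buf2) if a == b)
    return count / len(buf1)


def features_consistent(p1: dict, p2: dict) -> bool:
    """S96/S97: compare the attribute feature sets field by field; any mismatch is an inconsistency."""
    return set(p1) == set(p2) and all(p1[k] == p2[k] for k in p1)


def classify_process(p1: dict, buf1: bytes, p2: dict, buf2: bytes,
                     threshold: float = RATIO_THRESHOLD) -> str:
    """Fig. 9 order: step B (attribute feature sets) first, then step C (entry point similarity).
    A process is the first type when either check fails, so the C-then-B and run-both
    orderings the text also describes give the same verdict."""
    if not features_consistent(p1, p2):
        return FIRST_TYPE                                   # S98: header fields were rewritten
    if entry_point_similarity(buf1, buf2) <= threshold:     # S914: "not greater than" the threshold
        return FIRST_TYPE                                   # S98: code at the entry point replaced
    return SECOND_TYPE


# Constructed samples (hypothetical values, not taken from any real binary).
DISK_FEATURES = {"TimeDateStamp": 0x5E9F1C00, "NumberOfSections": 3, "AddressOfEntryPoint": 0x1010,
                 "SizeOfImage": 0x5000, "SectionNames": (b".text", b".rdata", b".data")}
DISK_ENTRY = bytes((i * 37) & 0xFF for i in range(200))    # buf2: 200 bytes at the file's entry point

# Clean process: identical header fields; the loader patched 6 of the 200 bytes (97 % match).
_clean = bytearray(DISK_ENTRY)
for _i in (8, 9, 10, 11, 40, 41):
    _clean[_i] ^= 0x5A
CLEAN_ENTRY = bytes(_clean)

# Puppet process, case 1: a different image was mapped in, so header fields changed (step B catches it).
HOLLOWED_FEATURES = dict(DISK_FEATURES, TimeDateStamp=0x60000000, SizeOfImage=0x8000)

# Puppet process, case 2: only the code section was overwritten; headers untouched (step C catches it).
INJECTED_ENTRY = bytes((i * 91 + 13) & 0xFF for i in range(200))

if __name__ == "__main__":
    print("clean  :", classify_process(DISK_FEATURES, CLEAN_ENTRY, DISK_FEATURES, DISK_ENTRY))
    print("case 1 :", classify_process(HOLLOWED_FEATURES, DISK_ENTRY, DISK_FEATURES, DISK_ENTRY))
    print("case 2 :", classify_process(DISK_FEATURES, INJECTED_ENTRY, DISK_FEATURES, DISK_ENTRY))
```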
D) Risk processing; the risk processing step can be executed according to the user's selection.
After a risk process is detected, the risk process information is reported; the risk details include the process file path, description information, and the like, and the user can choose to process it immediately or later.
After the risk is reported, the processing of the risk process depends on the interaction selection of the user.
1) If the user clicks "process immediately": if the process file corresponding to the risk process is on the white list, only the risk process is terminated and the process file is not deleted. If the process file corresponding to the risk process is not on the white list, the risk process is terminated and the process file is deleted.
Optionally, the deleted process file has a record in the isolation area, and the user can choose to restore the process file.
2) If the user clicks "process later": the risk process is not terminated and the process file is not deleted.
Referring to fig. 10, a block diagram of a process processing apparatus for virus killing according to an exemplary embodiment of the present application is shown, where the process processing apparatus for virus killing may be implemented as all or part of a computer device through hardware or a combination of hardware and software to implement all or part of the steps in the embodiments shown in fig. 1 or fig. 3. As shown in fig. 10, the process processing apparatus in virus killing includes:
a first file feature obtaining module 1001, configured to extract, from a currently running target process, a portable executable PE file feature of the target process;
a second file feature obtaining module 1002, configured to extract, from the disk file corresponding to the target process, a PE file feature of the disk file;
a type obtaining module 1003, configured to obtain a process type of the target process according to the PE file characteristics of the target process and the PE file characteristics of the disk file; the process type is used for indicating whether a corresponding process has a security risk or not;
and the process processing module 1004 is configured to, in response to that the process type of the target process indicates that the target process has a security risk, perform risk processing on the target process.
In one possible implementation manner, the PE file characteristics include at least one of PE file attribute characteristics and PE entry point data;
the PE file attribute characteristics comprise at least one attribute of a timestamp, the number of PE sections, an entry point address offset, a mirror image size and a section name;
the PE entry point data includes code data of a specified length starting from an entry point address.
In one possible implementation manner, in response to the PE file characteristics including PE file attribute characteristics, the first file characteristic obtaining module is configured to,
reading the memory area corresponding to the target process to obtain the process environment block (PEB) of the target process;
extracting a pointer to a specified structure from the PEB of the target process;
acquiring the specified structure through the pointer to the specified structure;
and extracting the specified field in the specified structure as the PE file attribute feature of the target process.
In one possible implementation manner, in response to the PE file characteristics including PE file attribute characteristics, the second file characteristic obtaining module is configured to,
acquiring the file path of the disk file corresponding to the target process;
mapping the disk file of the target process into memory according to the file path;
reading a specified structure from the memory into which the disk file of the target process is mapped;
and extracting the specified field in the specified structure as the PE file attribute feature of the disk file.
In one possible implementation manner, in response to the PE file characteristics including PE entry point data, the first file characteristic obtaining module is configured to,
acquiring a process base address of the target process and an offset of a PE entry point relative to the process base address, and positioning the PE entry point address of the target process from a memory of the target process;
and reading the code data with the specified length from the PE entry point address of the target process to obtain the PE entry point data of the target process.
In one possible implementation manner, in response to the PE file characteristics including PE entry point data, the second file characteristic obtaining module is configured to,
traversing the section table of the disk file, and determining a target section where a PE entry point of the disk file is located;
acquiring the PE entry point address of the disk file from the virtual address of the target section, the offset of the PE entry point of the disk file relative to the target section, and the offset of the target section relative to the start of the disk file;
and reading the code data with the specified length from the PE entry point address of the disk file to obtain the PE entry point data of the disk file.
In one possible implementation manner, in response to the PE file characteristics including PE file attribute characteristics, the type obtaining module is configured to,
acquiring feature consistency information, wherein the feature consistency information is used for indicating whether the PE file attribute feature of the target process is consistent with the PE file attribute feature of the disk file;
and in response to the characteristic consistency information indicating that the PE file attribute characteristics of the target process are inconsistent with the PE file attribute characteristics of the disk file, acquiring that the process type of the target process is a first type, wherein the first type is used for indicating that the target process has a security risk.
In one possible implementation manner, in response to the PE file characteristics further including PE entry point data, the type obtaining module is further configured to,
in response to the feature consistency information indicating that the PE file attribute features of the target process are consistent with the PE file attribute features of the disk file, acquiring the matching proportion between the PE entry point data of the target process and the PE entry point data of the disk file;
and in response to the matching proportion being not larger than a proportion threshold, acquiring the process type of the target process as the first type.
In one possible implementation, in response to the PE file characteristics including PE entry point data, the type obtaining module is configured to,
obtaining the matching proportion between the PE entry point data of the target process and the PE entry point data of the disk file;
and in response to the matching proportion being not larger than a proportion threshold, acquiring the process type of the target process as a first type, wherein the first type is used for indicating that the target process has a security risk.
In one possible implementation manner, in response to the PE file characteristics further including PE file attribute characteristics, the type obtaining module is further configured to,
in response to the matching proportion being larger than the proportion threshold, acquiring feature consistency information, wherein the feature consistency information is used for indicating whether the PE file attribute feature of the target process is consistent with the PE file attribute feature of the disk file;
and acquiring the process type of the target process as the first type in response to the characteristic consistency information indicating that the PE file attribute characteristic of the target process is inconsistent with the PE file attribute characteristic of the disk file.
In one possible implementation manner, the process processing module 1004 includes:
the prompting unit is used for, in response to the process type of the target process indicating that the target process has a security risk, displaying risk prompt information, wherein the risk prompt information is used for prompting whether to carry out risk processing on the target process;
and the process stopping unit is used for responding to the received operation of carrying out risk processing on the target process and stopping the target process.
In one possible implementation, the apparatus further includes:
the file processing module is used for, in response to receiving the operation of carrying out risk processing on the target process and the disk file being in a white list, retaining the disk file;
and the file processing module is further used for, in response to receiving the operation of carrying out risk processing on the target process and the disk file being in a blacklist, isolating the disk file.
In summary, in the solution provided in the embodiment of the present application, the PE file feature of the target process and the PE file feature of the disk file corresponding to the target process are respectively extracted, and then the type of the target process is identified according to the PE file feature of the target process and the PE file feature of the disk file corresponding to the target process, so as to determine whether the target process has a security risk, and perform risk processing on the target process having the security risk.
FIG. 11 is a block diagram illustrating a computer device in accordance with an exemplary embodiment. The computer device 1100 includes a central processing unit 1101, a system memory 1104 including a random access memory 1102 and a read only memory 1103, and a system bus 1105 connecting the system memory 1104 and the central processing unit 1101. The computer device 1100 also includes a basic input/output system 1106, which facilitates transfer of information between devices within the computer, and a mass storage device 1107 for storing an operating system 1113, application programs 1114, and other program modules 1115.
The basic input/output system 1106 includes a display 1108 for displaying information and an input device 1109 such as a mouse, keyboard, etc. for user input of information. Wherein the display 1108 and input device 1109 are connected to the central processing unit 1101 through an input output controller 1110 connected to the system bus 1105. The basic input/output system 1106 may also include an input/output controller 1110 for receiving and processing input from a number of other devices, such as a keyboard, mouse, or electronic stylus. Similarly, input-output controller 1110 also provides output to a display screen, a printer, or other type of output device.
The mass storage device 1107 is connected to the central processing unit 1101 through a mass storage controller (not shown) that is connected to the system bus 1105. The mass storage device 1107 and its associated computer-readable media provide non-volatile storage for the computer device 1100. That is, the mass storage device 1107 may include a computer-readable medium (not shown) such as a hard disk.
Without loss of generality, the computer-readable media may comprise computer storage media and communication media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. The system memory 1104 and mass storage device 1107 described above may be collectively referred to as memory.
The computer device 1100 may connect to the internet or other network devices through the network interface unit 1111 that is connected to the system bus 1105.
The memory further includes one or more programs, the one or more programs are stored in the memory, and the central processing unit 1101 implements all or part of the steps of the method shown in fig. 1 or fig. 3 by executing the one or more programs.
In an exemplary embodiment, a non-transitory computer readable storage medium including instructions, such as a memory including at least one instruction, at least one program, set of codes, or set of instructions, executable by a processor to perform all or part of the steps of the method shown in the corresponding embodiments of fig. 1 or 3 is also provided.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (15)

1. A process processing method in virus killing is characterized by comprising the following steps:
extracting portable executable PE file characteristics of a target process from the currently running target process;
extracting the PE file characteristics of the disk file from the disk file corresponding to the target process;
acquiring the process type of the target process according to the PE file characteristics of the target process and the PE file characteristics of the disk file; the process type is used for indicating whether a corresponding process has a security risk or not;
and responding to the process type of the target process to indicate that the target process has a security risk, and carrying out risk processing on the target process.
2. The method of claim 1, wherein in response to the PE file features comprising PE file attribute features, the extracting portable executable PE file features of the target process from a currently running target process comprises:
reading the memory area corresponding to the target process to obtain the process environment block (PEB) of the target process;
extracting a pointer to a specified structure from the PEB of the target process;
acquiring the specified structure through the pointer to the specified structure;
and extracting the specified field in the specified structure as the PE file attribute feature of the target process.
3. The method according to claim 1, wherein in response to the PE file features including PE file attribute features, the extracting, from the disk file corresponding to the target process, the PE file features of the disk file includes:
acquiring the file path of the disk file corresponding to the target process;
mapping the disk file of the target process into memory according to the file path;
reading a specified structure from the memory into which the disk file of the target process is mapped;
and extracting the specified field in the specified structure as the PE file attribute feature of the disk file.
4. The method of claim 1, wherein in response to the PE file features comprising PE entry point data, the extracting portable executable PE file features of the target process from a currently running target process comprises:
acquiring a process base address of the target process and an offset of a PE entry point relative to the process base address, and positioning the PE entry point address of the target process from a memory of the target process;
and reading the code data with the specified length from the PE entry point address of the target process to obtain the PE entry point data of the target process.
5. The method as claimed in claim 1, wherein in response to the PE file characteristics including PE entry point data, the extracting, from the disk file corresponding to the target process, the PE file characteristics of the disk file includes:
traversing the section table of the disk file, and determining a target section where a PE entry point of the disk file is located;
acquiring the PE entry point address of the disk file from the virtual address of the target section, the offset of the PE entry point of the disk file relative to the target section, and the offset of the target section relative to the start of the disk file;
and reading the code data with the specified length from the PE entry point address of the disk file to obtain the PE entry point data of the disk file.
6. The method according to claim 1, wherein in response to the PE file characteristics including PE file attribute characteristics, the obtaining the process type of the target process according to the PE file characteristics of the target process and the PE file characteristics of the disk file includes:
acquiring feature consistency information, wherein the feature consistency information is used for indicating whether the PE file attribute feature of the target process is consistent with the PE file attribute feature of the disk file;
and in response to the characteristic consistency information indicating that the PE file attribute characteristics of the target process are inconsistent with the PE file attribute characteristics of the disk file, acquiring that the process type of the target process is a first type, wherein the first type is used for indicating that the target process has a security risk.
7. The method of claim 6, wherein in response to the PE file characteristics further including PE entry point data, the obtaining the process type of the target process according to the PE file characteristics of the target process and the PE file characteristics of the disk file further comprises:
in response to the feature consistency information indicating that the PE file attribute features of the target process are consistent with the PE file attribute features of the disk file, acquiring the matching proportion between the PE entry point data of the target process and the PE entry point data of the disk file;
and in response to the matching proportion being not larger than a proportion threshold, acquiring the process type of the target process as the first type.
8. The method of claim 1, wherein in response to the PE file characteristics including PE entry point data, the obtaining the process type of the target process according to the PE file characteristics of the target process and the PE file characteristics of the disk file comprises:
obtaining the matching proportion between the PE entry point data of the target process and the PE entry point data of the disk file;
and in response to the matching proportion being not larger than a proportion threshold, acquiring the process type of the target process as a first type, wherein the first type is used for indicating that the target process has a security risk.
9. The method according to claim 8, wherein in response to the PE file characteristics further including PE file attribute characteristics, the obtaining the process type of the target process according to the PE file characteristics of the target process and the PE file characteristics of the disk file further includes:
in response to the matching proportion being larger than the proportion threshold, acquiring feature consistency information, wherein the feature consistency information is used for indicating whether the PE file attribute feature of the target process is consistent with the PE file attribute feature of the disk file;
and acquiring the process type of the target process as the first type in response to the characteristic consistency information indicating that the PE file attribute characteristic of the target process is inconsistent with the PE file attribute characteristic of the disk file.
10. The method according to claim 7 or 9,
the PE file attribute characteristics comprise at least one of the following attributes: a timestamp, the number of PE sections, an entry point address offset, an image size, and a section name;
the PE entry point data includes code data of a specified length starting from a PE entry point address.
11. The method of claim 1, wherein the risk processing the target process in response to the process type of the target process indicating that the target process is at a security risk comprises:
in response to the process type of the target process indicating that the target process has a security risk, displaying risk prompt information, wherein the risk prompt information is used for prompting whether to carry out risk processing on the target process;
and stopping the target process in response to receiving the operation of risk processing on the target process.
12. The method of claim 11, wherein in response to receiving the operation to risk-treat the target process, the method further comprises:
in response to the disk file being in a white list, retaining the disk file;
and in response to the disk file being in a blacklist, isolating the disk file.
13. A process processing apparatus in virus killing, the apparatus comprising:
the first file feature acquisition module is used for extracting portable executable PE file features of a target process from the currently running target process;
the second file characteristic acquisition module is used for extracting the PE file characteristics of the disk file from the disk file corresponding to the target process;
the type obtaining module is used for obtaining the process type of the target process according to the PE file characteristics of the target process and the PE file characteristics of the disk file; the process type is used for indicating whether a corresponding process has a security risk or not;
and the process processing module is used for responding to the process type of the target process to indicate that the target process has the security risk and carrying out risk processing on the target process.
14. A computer device comprising a processor and a memory, the memory having stored therein instructions for execution by the processor to implement the process processing method in virus killing of any of claims 1 to 12.
15. A computer-readable storage medium having stored thereon instructions for execution by a processor of a computer device to implement the process processing method in virus killing according to any of claims 1 to 12.
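The feature extraction and comparison described for modules 1001 to 1003 in the description above (and restated in claims 2 to 10) carried through end to end, as an added example that is not part of the patent or of any product of the applicant. A constructed minimal PE32+ image is laid out as a disk file, mapped the way a loader would map it, and both extraction paths are run against it; the section layout, the entry-point bytes, the 0.9 proportion threshold and the use of the string `first type` as a return value are assumptions made for this example, and a real scanner would obtain the memory side through the PEB and `ReadProcessMemory` rather than from a simulated image.

```python
import struct
# Constructed minimal PE32+ image (not a real binary); the patent's two extraction
# paths differ in where the header bytes come from, not in the fields they read.
DOS_STUB = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
ENTRY_CODE = bytes(range(0x40, 0x60))                      # 32 constructed "code" bytes
SECTIONS = [(b".text", 0x1000, 0x200, 0x200),              # (name, VA, raw offset, raw size)
            (b".data", 0x2000, 0x400, 0x200)]
ENTRY_RVA, TIMESTAMP = 0x1010, 0x5EA7F000
ATTRS = ("timestamp", "num_sections", "entry_rva", "size_of_image", "section_names")

def build_disk_file():
    """Lay the constructed PE out as it would sit in a file on disk."""
    opt = bytearray(240)                                   # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)                  # Magic
    struct.pack_into("<I", opt, 16, ENTRY_RVA)             # AddressOfEntryPoint
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)        # SizeOfImage, SizeOfHeaders
    coff = struct.pack("<HHIIIHH", 0x8664, len(SECTIONS), TIMESTAMP, 0, 0, len(opt), 0x22)
    hdrs = bytearray(DOS_STUB + b"PE\0\0" + coff + opt)
    for name, va, raw, size in SECTIONS:                   # IMAGE_SECTION_HEADER entries
        hdrs += struct.pack("<8sIIIIIIHHI", name, size, va, size, raw, 0, 0, 0, 0, 0x60000020)
    image = bytearray(0x600)
    image[:len(hdrs)] = hdrs
    off = 0x200 + (ENTRY_RVA - 0x1000)                     # entry point lives inside .text
    image[off:off + len(ENTRY_CODE)] = ENTRY_CODE
    return bytes(image)

def parse_headers(buf):
    """Read the attribute features the patent lists from a header block (disk or memory)."""
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if bytes(buf[e_lfanew:e_lfanew + 4]) != b"PE\0\0":
        raise ValueError("not a PE header")
    # NumberOfSections, TimeDateStamp, (symbol table fields), SizeOfOptionalHeader
    nsec, ts, _, _, opt_size = struct.unpack_from("<HIIIH", buf, e_lfanew + 6)
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", buf, opt + 16)[0]        # AddressOfEntryPoint
    size_of_image, size_of_headers = struct.unpack_from("<II", buf, opt + 56)
    sections = []
    for i in range(nsec):
        name, _, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0"), va, raw_ptr, raw_size))
    return {"timestamp": ts, "num_sections": nsec, "entry_rva": entry_rva,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "section_names": [s[0] for s in sections], "sections": sections}

def map_into_memory(disk):
    """Simulate the loader: headers at the base, each section at its VA (base = 0 here)."""
    hdr = parse_headers(disk)
    mem = bytearray(hdr["size_of_image"])
    mem[:hdr["size_of_headers"]] = disk[:hdr["size_of_headers"]]
    for _, va, raw_ptr, raw_size in hdr["sections"]:
        mem[va:va + raw_size] = disk[raw_ptr:raw_ptr + raw_size]
    return mem

def disk_entry_bytes(disk, length):
    """Disk path (claim 5): section holding the entry RVA -> file offset -> code bytes."""
    hdr = parse_headers(disk)
    for _, va, raw_ptr, raw_size in hdr["sections"]:
        if va <= hdr["entry_rva"] < va + raw_size:
            off = raw_ptr + (hdr["entry_rva"] - va)
            return bytes(disk[off:off + length])
    raise ValueError("entry point lies outside every section")

def memory_entry_bytes(mem, length, base=0):
    """Memory path (claim 4): base + entry offset; a real scanner gets base from the PEB."""
    entry = base + parse_headers(mem)["entry_rva"]
    return bytes(mem[entry:entry + length])

def match_ratio(a, b):
    """Share of positions at which the two entry-point byte strings agree."""
    return sum(x == y for x, y in zip(a, b)) / max(len(a), len(b), 1)

def classify(disk, mem, length=32, threshold=0.9):
    """Order of claims 6 and 7: attributes first, then the entry-point ratio vs threshold."""
    d, m = parse_headers(disk), parse_headers(mem)
    if any(d[k] != m[k] for k in ATTRS):
        return "first type"                                # attribute mismatch: at risk
    ratio = match_ratio(disk_entry_bytes(disk, length), memory_entry_bytes(mem, length))
    return "first type" if ratio <= threshold else "normal"

def demo():
    """Faithful mapping passes; constructed divergence at the entry point (24/32 match) is flagged."""
    disk = build_disk_file()
    clean = map_into_memory(disk)
    patched = bytearray(clean)
    patched[ENTRY_RVA:ENTRY_RVA + 8] = b"\xcc" * 8
    return classify(disk, clean), classify(disk, patched)
```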
CN202010348745.2A 2020-04-28 2020-04-28 Process processing method, device, equipment and storage medium in virus searching and killing Pending CN111597553A (en)

Publications (1)

Publication Number Publication Date
CN111597553A true CN111597553A (en) 2020-08-28

Family

ID=72187706

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113779576A (en) * 2021-09-09 2021-12-10 安天科技集团股份有限公司 Identification method and device for executable file infected virus and electronic equipment
CN114707149A (en) * 2022-03-18 2022-07-05 安芯网盾(北京)科技有限公司 Puppet process detection method and device, electronic device and storage medium
CN116595527A (en) * 2023-07-18 2023-08-15 中孚安全技术有限公司 Method, system and device for detecting memory Trojan horse and readable storage medium
CN116595527B (en) * 2023-07-18 2023-10-20 中孚安全技术有限公司 Method, system and device for detecting memory Trojan horse and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination