CN112182558A - Process protection method, marking method, device and equipment - Google Patents

Publication number
CN112182558A
Authority
CN
China
Prior art keywords
file
extended attribute
acquiring
protected
processor
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011043749.6A
Other languages
Chinese (zh)
Inventor
汤福
李业旺
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Datang Gaohong Xin'an Zhejiang Information Technology Co ltd
Original Assignee
Datang Gaohong Xin'an Zhejiang Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Datang Gaohong Xin'an Zhejiang Information Technology Co ltd
Priority to CN202011043749.6A
Publication of CN112182558A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a process protection method, a marking method, a device and equipment, wherein the process protection method comprises the following steps: under the condition that the termination of the first process is detected, acquiring the extended attribute of a process file corresponding to the first process; and under the condition that the extended attribute contains a preset identifier, determining that the first process is a protected process, and preventing the first process from being closed. The invention utilizes the preset mark in the extended attribute of the process file to mark the protected process, not only can accurately distinguish the protected process from the common process, but also does not need to repeatedly configure the strategy list, thereby bringing great convenience to the strategy configuration of a user and being convenient and flexible to use.

Description

Process protection method, marking method, device and equipment
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a process protection method, a process marking method, an apparatus, and a device.
Background
The operating system is the principal manager of a computer's software and hardware resources and data, and is responsible for important functions of the computer system, such as large-scale resource management, frequent input and output control, and uninterrupted communication between the user and the operating system, so the security of the operating system cannot be ignored. At present, attacks aimed at the operating system are increasingly numerous, and their forms are complex and varied. Attackers maliciously damage the operating system by exploiting its vulnerabilities, and disrupt its normal functions by killing important processes in the system such as service processes and log processes, which gives malicious programs such as viruses and trojans an opening. Protecting the continuous service capability of core processes has become an important topic in operating system security.
Conventional process protection methods distinguish a protected process from a normal process by the process identification number (PID) of the process or by the absolute path of the process file. The PIDs or absolute paths of the processes are collected at the user layer to form a policy list, the policy list is loaded into the kernel, and the kernel distinguishes protected processes from normal processes by matching against the policy list.
The conventional process protection method has some problems. The PID of a process changes dynamically and is different at each start, which means that the configuration must be redone after a restart, and this is very inconvenient to use. Although this problem can be solved by using the absolute path of the process file, it is difficult to derive the absolute path of the process file in reverse from kernel mode, and in some specific scenarios the obtained path is not accurate, which causes the policy to fail.
Disclosure of Invention
The invention provides a process protection method, a marking method, a device and equipment, which solve the problems of the conventional process protection method that the policy list needs to be reconfigured repeatedly and that protected processes cannot be identified accurately.
In a first aspect, an embodiment of the present invention provides a process protection method, including:
under the condition that the termination of the first process is detected, acquiring the extended attribute of a process file corresponding to the first process;
and under the condition that the extended attribute contains a preset identifier, determining that the first process is a protected process, and preventing the first process from being closed.
In a second aspect, an embodiment of the present invention provides a process marking method, including:
acquiring a preset identifier of a target process, wherein the preset identifier is used for indicating that the target process is a protected process;
and obtaining the extended attribute of the process file corresponding to the target process according to the preset identification.
In a third aspect, an embodiment of the present invention provides a process protection device, including: a transceiver, a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the process protection method according to the first aspect when executing the computer program.
In a fourth aspect, an embodiment of the present invention provides a process protection apparatus, including:
the first obtaining module is used for obtaining the extended attribute of the process file corresponding to the first process under the condition of detecting the target operation of closing the first process;
and the processing module is used for determining the first process as a protected process and preventing the first process from being closed under the condition that the extended attribute contains a preset identifier.
In a fifth aspect, an embodiment of the present invention provides a process marking apparatus, including:
the second acquisition module is used for acquiring a preset identifier input by a user aiming at a target process, wherein the preset identifier is used for indicating that the target process is a protected process;
and the third acquisition module is used for acquiring the extended attribute of the process file corresponding to the target process according to the preset identification.
In a sixth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the steps of the process protection method according to the first aspect or the steps of the process marking method according to the second aspect.
The technical scheme of the invention has the beneficial effects that:
according to the scheme, the protected process is identified by the preset identification in the extended attribute of the process file, so that the protected process and the common process can be accurately distinguished, a policy list does not need to be configured repeatedly, great convenience is brought to policy configuration of a user, and the use is convenient and flexible.
Drawings
FIG. 1 is a flow chart illustrating a process protection method according to an embodiment of the present invention;
FIG. 2 is a flow chart of a process marking method according to an embodiment of the present invention;
FIG. 3 is a block diagram of a process protection device according to an embodiment of the present invention;
FIG. 4 is a block diagram of a process marking apparatus according to an embodiment of the present invention;
fig. 5 is a block diagram showing the structures of a process protection apparatus and a process marking apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the technical problems, technical solutions and advantages of the present invention more apparent, the following detailed description is given with reference to the accompanying drawings and specific embodiments. In the following description, specific details such as specific configurations and components are provided only to help the full understanding of the embodiments of the present invention. Thus, it will be apparent to those skilled in the art that various changes and modifications may be made to the embodiments described herein without departing from the scope and spirit of the invention. In addition, descriptions of well-known functions and constructions are omitted for clarity and conciseness.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
In various embodiments of the present invention, it should be understood that the sequence numbers of the following processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
In addition, the terms "system" and "network" are often used interchangeably herein.
In the embodiments provided herein, it should be understood that "B corresponding to a" means that B is associated with a from which B can be determined. It should also be understood that determining B from a does not mean determining B from a alone, but may be determined from a and/or other information.
Specifically, embodiments of the present invention provide a process protection method and a process marking method, which solve the problems that a policy list needs to be repeatedly reconfigured and a protected process cannot be accurately obtained in a conventional process protection method.
First embodiment
As shown in fig. 1, an embodiment of the present invention provides a process protection method, which is applied to a terminal or a server, and specifically includes the following steps:
Step 101: when termination of a first process is detected, obtain the extended attribute of the process file corresponding to the first process.
In this step, the first process may be any process. The termination of the first process is triggered by a second process that initiates it. The first process and the second process are two different processes.
Step 102: when the extended attribute contains a preset identifier, determine that the first process is a protected process and prevent the first process from being closed.
The preset identifier may be a specific identifier set in advance. Whether a process is a protected process is identified through the preset identifier.
The process protection method of the embodiment of the invention identifies the protected process by using the preset identification in the extended attribute of the process file, not only can accurately distinguish the protected process from the common process, but also does not need to repeatedly configure the strategy list, brings great convenience to the strategy configuration of a user, and is convenient and flexible to use.
Optionally, the process file is a binary executable file.
In the embodiment of the application, under the condition that the termination of the first process is detected, the extended attribute of the binary executable file of the first process is obtained. And distinguishing whether the first process is a protected process by judging whether the extended attribute of the binary executable file contains a preset identifier.
Optionally, obtaining the extended attribute of the process file corresponding to the first process includes:
obtaining the extended attribute of the process file corresponding to the first process through the process-termination hook function.
For example, the extended attribute of the process file is obtained through the task_kill hook function, so that whether the first process is a protected process can subsequently be determined from the extended attribute.
Further optionally, obtaining the extended attribute of the process file corresponding to the first process through the process-termination hook function includes:
obtaining the process structure of the first process through the process-termination hook function;
obtaining the file structure information of the process file from the process structure of the first process by calling a file acquisition function;
and obtaining the extended attribute of the process file according to the file structure information of the process file.
Illustratively, the task_struct of the first process is obtained through the task_kill hook function, the get_task_exe_file function is then called to obtain the file structure information (file structure) of the process file from the process structure, and finally the extended attribute of the process file is obtained according to the file structure information.
Optionally, after the obtaining the extended attribute of the process file corresponding to the first process, the method further includes:
and, when the extended attribute does not contain the preset identifier, allowing the process to be terminated.
When the extended attribute does not contain the preset identifier, it is determined that the first process is not a protected process, and the process is allowed to be terminated.
The process protection method of the embodiment of the application is a kernel-level process protection method implemented on the basis of the kernel's Linux Security Module (LSM) framework. It hooks the process-kill hook function in kernel mode. When a kill operation occurs in the kernel, the get_task_exe_file function is called to obtain, from the task_struct of the process being killed, the file structure of that process's binary file (binary executable file). The preset identifier in the extended attribute of the binary file is read through the file structure, and whether the process being killed is a protected process is determined from the preset identifier. If the process is protected, the current kill operation is blocked; otherwise no control is applied. The method can distinguish protected processes from normal processes accurately and without error, and can safely and effectively prevent a protected process from being killed.
According to this technical scheme, key processes in the operating system can be safely and effectively guaranteed not to be killed, and protected processes can be distinguished from ordinary processes accurately and without error; the scheme is convenient and flexible to use, does not damage the operating system and does not affect system performance, and can be widely applied in fields such as network servers, data centers, industrial control and personal desktops.
Second embodiment
As shown in fig. 2, an embodiment of the present invention provides a process marking method, which is applied to a terminal or a server, and specifically includes:
step 201: the method comprises the steps of obtaining a preset identification of a target process, wherein the preset identification is used for indicating that the target process is a protected process.
The preset identifier herein specifically refers to a preset identifier written in an extended attribute of a process file of a target process, where the target process is a protected process set by a user.
Optionally, the user writes the preset identifier into the extended attribute by calling an interface provided by the file extended attribute; or, the user writes the preset identifier into a file header of the binary executable file in the ELF format.
Step 202: and obtaining the extended attribute of the process file corresponding to the target process according to the preset identification.
The process file corresponding to the target process may be specifically a binary executable file.
Here, the extended attribute with the preset identifier is used as the extended attribute of the process file corresponding to the target process file.
In the embodiment of the application, a protected process list can be formulated by a user, the protected process list comprises at least one protected process, and a preset identifier is written in the extended attribute of a process file of the protected process. The purpose of distinguishing the protected process from the common process is achieved through the preset identification. Once the extended attribute is written into the preset identifier, the protection will take effect immediately no matter the process is in a running state or an un-started state.
According to the process marking method, the protected process is identified through the preset identification in the extended attribute of the process file, so that the protected process and the common process can be accurately and unmistakably distinguished, and great convenience is brought to strategy configuration of a user. The user wants to protect a certain process to prevent illegal termination, only needs to write a specific identifier into the extended attribute of the binary executable file corresponding to the process, and simultaneously, the user wants to cancel the protection control of the certain process, only needs to delete the specific identifier of the extended attribute of the binary executable file of the process.
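The marking step above and the check from the first embodiment can be modelled in user space as follows. This is an added example, not code from the patent or its applicant: it opens /proc/<pid>/exe as a user-space stand-in for get_task_exe_file, and the attribute name user.protected_process and the value "protected" are assumptions, since the page names neither. The user. namespace is used only so the example runs unprivileged; a file's owner can rewrite user. attributes, whereas security. and trusted. attributes require CAP_SYS_ADMIN to write.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Assumptions: the page names neither the attribute nor its value. */
#define XATTR_NAME "user.protected_process"
#define MARKER     "protected"

/* Steps 201/202: write the preset identifier into the executable's
 * extended attribute. Returns 0 on success or -errno. */
int mark_protected(const char *path)
{
    if (setxattr(path, XATTR_NAME, MARKER, strlen(MARKER), 0) != 0)
        return -errno;
    return 0;
}

/* Cancel protection by deleting the identifier. An attribute that is
 * already absent is not an error. Returns 0 or -errno. */
int unmark_protected(const char *path)
{
    if (removexattr(path, XATTR_NAME) != 0 && errno != ENODATA)
        return -errno;
    return 0;
}

/* Returns 1 if the file behind fd carries the identifier, else 0.
 * A missing attribute, an unsupported filesystem, or a value longer
 * than the buffer all count as "not marked", matching the page's
 * rule that a file without the identifier is not controlled. */
int fd_is_protected(int fd)
{
    char val[64];
    ssize_t n = fgetxattr(fd, XATTR_NAME, val, sizeof(val) - 1);

    if (n < 0)
        return 0;
    val[n] = '\0';
    return strstr(val, MARKER) != NULL;   /* "contains" the identifier */
}

/* Step 102 verdict for a kill aimed at a process whose executable is
 * `path`: -EPERM blocks the kill, 0 lets it proceed. */
int kill_verdict_for_path(const char *path)
{
    int fd = open(path, O_RDONLY);
    int prot;

    if (fd < 0)
        return 0;
    prot = fd_is_protected(fd);
    close(fd);
    return prot ? -EPERM : 0;
}

/* Step 101: go from the target PID to its executable. Opening
 * /proc/<pid>/exe yields the executable's inode directly, so no
 * absolute path has to be reconstructed. */
int kill_verdict_for_pid(pid_t pid)
{
    char link[32];

    snprintf(link, sizeof(link), "/proc/%ld/exe", (long)pid);
    return kill_verdict_for_path(link);
}

int main(void)
{
    char path[] = "/tmp/xattr_demo_XXXXXX";   /* constructed sample file */
    int fd = mkstemp(path);
    int rc;

    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    close(fd);

    printf("unmarked file verdict: %d\n", kill_verdict_for_path(path));
    rc = mark_protected(path);
    if (rc != 0)
        printf("marking failed: %s\n", strerror(-rc));
    else
        printf("marked file verdict:   %d\n", kill_verdict_for_path(path));
    unmark_protected(path);
    printf("after unmarking:       %d\n", kill_verdict_for_path(path));
    printf("own process verdict:   %d\n", kill_verdict_for_pid(getpid()));
    unlink(path);
    return 0;
}
```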
Third embodiment
As shown in fig. 3, an embodiment of the present invention provides a process protection apparatus 300, including:
a first obtaining module 301, configured to obtain an extended attribute of a process file corresponding to a first process when a target operation for closing the first process is detected;
a processing module 302, configured to determine that the first process is a protected process when the extended attribute includes a preset identifier, and prevent closing of the first process.
Optionally, in the process protection apparatus according to the embodiment of the present invention, the process file is a binary executable file.
Optionally, in the process protection apparatus according to the embodiment of the present invention, the first obtaining module is configured to obtain the extended attribute of the process file corresponding to the first process through the process-termination hook function.
Optionally, in the process protection apparatus according to the embodiment of the present invention, the first obtaining module includes:
the first obtaining submodule is used for obtaining the process structure of the first process through the process-termination hook function;
the second obtaining submodule is used for obtaining the file structure information of the process file from the process structure of the first process by calling a file obtaining function;
and the third obtaining submodule is used for obtaining the extended attribute of the process file according to the file structure body information of the process file.
Optionally, the process protection device according to the embodiment of the present invention further includes:
and the closing module is used for allowing the process to be terminated when the extended attribute does not contain the preset identifier after the first acquisition module acquires the extended attribute of the process file corresponding to the first process.
The process protection device according to the embodiment of the present invention is a device corresponding to the first embodiment of the method, and all implementation means in the first embodiment are applicable to the embodiment of the process protection device, and can achieve the same technical effect, which is not described herein again.
Fourth embodiment
As shown in fig. 4, an embodiment of the present invention provides a process marking apparatus 400, applied to a terminal or a server, including:
a second obtaining module 401, configured to obtain a preset identifier input by a user for a target process, where the preset identifier is used to indicate that the target process is a protected process;
a third obtaining module 402, configured to obtain, according to the preset identifier, an extended attribute of the process file corresponding to the target process.
Optionally, the process file is a binary executable file.
The process marking device of the present invention is a device corresponding to the second embodiment, and all implementation means in the second embodiment are applicable to the embodiment of the process marking device, and can achieve the same technical effect, and are not described herein again.
Fifth embodiment
In order to better achieve the above object, as shown in fig. 5, an embodiment of the present invention further provides a process protection device, where the process protection device may be a terminal or a server, and the process protection device includes: a processor 500; and a memory 520 connected to the processor 500 through a bus interface, wherein the memory 520 is used for storing programs and data used by the processor 500 in executing operations, and the processor 500 calls and executes the programs and data stored in the memory 520.
Wherein, the transceiver 510 is connected with the bus interface for receiving and transmitting data under the control of the processor 500; the processor 500 is configured to read the program in the memory 520 and execute the following steps:
under the condition that the termination of the first process is detected, acquiring the extended attribute of a process file corresponding to the first process; and under the condition that the extended attribute contains a preset identifier, determining that the first process is a protected process, and preventing the first process from being closed.
Wherein in fig. 5, the bus architecture may include any number of interconnected buses and bridges, with one or more processors, represented by processor 500, and various circuits, represented by memory 520, being linked together. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. The bus interface provides an interface. The transceiver 510 may be a number of elements, including a transmitter and a transceiver, providing a means for communicating with various other apparatus over a transmission medium. For different terminals, the user interface 530 may also be an interface capable of interfacing with a desired device, including but not limited to a keypad, display, speaker, microphone, joystick, etc. The processor 500 is responsible for managing the bus architecture and general processing, and the memory 520 may store data used by the processor 500 in performing operations.
Optionally, the process file is a binary executable file.
Optionally, when acquiring the extended attribute of the process file corresponding to the first process, the processor 500 is specifically configured to:
obtain the extended attribute of the process file corresponding to the first process through the process-termination hook function.
Optionally, when the processor 500 obtains the extended attribute of the process file corresponding to the first process through the process-termination hook function, the processor is specifically configured to:
obtain the process structure of the first process through the process-termination hook function; obtain the file structure information of the process file from the process structure of the first process by calling a file acquisition function; and obtain the extended attribute of the process file according to the file structure information of the process file.
Optionally, the processor 500 is further configured to:
and in the case that the extended attribute does not contain the preset identification, allowing the process to be terminated.
The fifth embodiment corresponds to the first embodiment of the method, and all the implementation means in the first embodiment are applicable to the first optional implementation manner, so that the same technical effects can be achieved.
Sixth embodiment
In order to better achieve the above object, as shown in fig. 5, an embodiment of the present invention further provides a process marking device, where the process marking device may be a terminal or a server, and the process marking device includes: a processor 500; and a memory 520 connected to the processor 500 through a bus interface, wherein the memory 520 is used for storing programs and data used by the processor 500 in executing operations, and the processor 500 calls and executes the programs and data stored in the memory 520.
Wherein, the transceiver 510 is connected with the bus interface for receiving and transmitting data under the control of the processor 500; the processor 500 is configured to read the program in the memory 520 and execute the following steps:
acquiring a preset identifier of a target process, wherein the preset identifier is used for indicating that the target process is a protected process; and obtaining the extended attribute of the process file corresponding to the target process according to the preset identification.
Optionally, the process file is a binary executable file.
The sixth embodiment is corresponding to the second embodiment, and all the implementation means in the second embodiment are applicable to the sixth embodiment, and the same technical effect can be achieved, and will not be described herein again.
Those skilled in the art will appreciate that all or part of the steps for implementing the above embodiments may be performed by hardware, or may be instructed to be performed by associated hardware by a computer program that includes instructions for performing some or all of the steps of the above methods; and the computer program may be stored in a readable storage medium, which may be any form of storage medium.
Embodiments of the present application also provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the process protection method as described above, or the steps of the process marking method as described above.
Furthermore, it is to be noted that in the device and method of the invention, it is obvious that the individual components or steps can be decomposed and/or recombined. These decompositions and/or recombinations are to be regarded as equivalents of the present invention. Also, the steps of performing the series of processes described above may naturally be performed chronologically in the order described, but need not necessarily be performed chronologically, and some steps may be performed in parallel or independently of each other. It will be understood by those skilled in the art that all or any of the steps or elements of the method and apparatus of the present invention may be implemented in any computing device (including processors, storage media, etc.) or network of computing devices, in hardware, firmware, software, or any combination thereof, which can be implemented by those skilled in the art using their basic programming skills after reading the description of the present invention.
Thus, the objects of the invention may also be achieved by running a program or a set of programs on any computing device. The computing device may be a general purpose device as is well known. The object of the invention is thus also achieved solely by providing a program product comprising program code for implementing the method or the apparatus. That is, such a program product also constitutes the present invention, and a storage medium storing such a program product also constitutes the present invention. It is to be understood that the storage medium may be any known storage medium or any storage medium developed in the future. It is further noted that in the apparatus and method of the present invention, it is apparent that each component or step can be decomposed and/or recombined. These decompositions and/or recombinations are to be regarded as equivalents of the present invention. Also, the steps of executing the series of processes described above may naturally be executed chronologically in the order described, but need not necessarily be executed chronologically. Some steps may be performed in parallel or independently of each other.
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (12)

1. A process protection method, comprising:
under the condition that the termination of the first process is detected, acquiring the extended attribute of a process file corresponding to the first process;
and under the condition that the extended attribute contains a preset identifier, determining that the first process is a protected process, and preventing the first process from being closed.
2. The process protection method of claim 1, wherein the process file is a binary executable file.
3. The process protection method according to claim 1, wherein the obtaining the extended attribute of the process file corresponding to the first process includes:
obtaining the extended attribute of the process file corresponding to the first process through the process-termination hook function.
4. The process protection method according to claim 3, wherein the obtaining the extended attribute of the process file corresponding to the first process through the process-termination hook function comprises:
obtaining the process structure of the first process through the process-termination hook function;
obtaining the file structure information of the process file from the process structure of the first process by calling a file acquisition function;
and obtaining the extended attribute of the process file according to the file structure information of the process file.
5. The process protection method according to claim 1, wherein after obtaining the extended attribute of the process file corresponding to the first process, the method further comprises:
and in the case that the extended attribute does not contain the preset identifier, allowing the process to be terminated.
6. A process marking method, comprising:
acquiring a preset identifier of a target process, wherein the preset identifier is used for indicating that the target process is a protected process;
and obtaining the extended attribute of the process file corresponding to the target process according to the preset identifier.
7. The process marking method of claim 6, wherein the process file is a binary executable file.
8. A process protection device, comprising: transceiver, memory, processor and computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the process protection method according to any of claims 1 to 5 when executing the computer program.
9. A process marking apparatus, comprising: transceiver, memory, processor and computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the process marking method of any of claims 6 to 7 when executing the computer program.
10. A process protection apparatus, comprising:
the first obtaining module is used for obtaining the extended attribute of the process file corresponding to the first process under the condition of detecting the target operation of closing the first process;
and the processing module is used for determining the first process as a protected process and preventing the first process from being closed under the condition that the extended attribute contains a preset identifier.
11. A process marking apparatus, comprising:
the second acquisition module is used for acquiring a preset identifier input by a user aiming at a target process, wherein the preset identifier is used for indicating that the target process is a protected process;
and the third acquisition module is used for acquiring the extended attribute of the process file corresponding to the target process according to the preset identifier.
12. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the process protection method according to one of claims 1 to 5 or the steps of the process marking method according to one of claims 6 to 7.
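A user-space model of the check in claims 1 to 5 and the marking step of claim 6, added here as an illustration; it is not code from the patent, which performs the check inside a kernel hook. Linux is assumed, and the attribute name, marker value and all function names are assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Assumed for this demo: the patent names neither the attribute nor the marker. */
#define XATTR_NAME "user.demo.protected"  /* user.* so the demo runs unprivileged */
#define MARKER     "PROTECTED"

enum verdict { ALLOW_KILL = 0, DENY_KILL = 1 };

/* Claims 1 and 5: deny only if the attribute value contains the marker.
   xattr values are raw bytes without a NUL terminator, so search by length. */
enum verdict decide(const char *val, ssize_t len)
{
    ssize_t m = (ssize_t)strlen(MARKER);
    for (ssize_t i = 0; len >= m && i <= len - m; i++)
        if (memcmp(val + i, MARKER, (size_t)m) == 0)
            return DENY_KILL;
    return ALLOW_KILL;  /* missing, empty or unrelated value */
}

/* Claim 6: marking step, store the marker in the executable's extended attribute. */
int mark_protected(const char *path)
{
    return setxattr(path, XATTR_NAME, MARKER, strlen(MARKER), 0);
}

/* Claims 3 and 4, modelled from user space: pid -> executable file -> xattr.
   The kernel version reaches the file through the process structure in the hook. */
enum verdict check_kill(pid_t pid)
{
    char link[64], val[256];
    snprintf(link, sizeof link, "/proc/%d/exe", (int)pid);
    /* getxattr follows the /proc link to the backing executable file. */
    ssize_t n = getxattr(link, XATTR_NAME, val, sizeof val);
    if (n < 0)  /* attribute absent or unreadable: treated as "no marker" */
        return ALLOW_KILL;
    return decide(val, n);
}

int main(void)
{
    printf("kill of self: %s\n",
           check_kill(getpid()) == DENY_KILL ? "deny" : "allow");
    return 0;
}
```

Because the marker lives on the file, whoever can write that attribute controls which processes become unkillable; `user.*` attributes are writable by anyone with write access to the file, whereas `trusted.*` requires CAP_SYS_ADMIN.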
CN202011043749.6A 2020-09-28 2020-09-28 Process protection method, marking method, device and equipment Pending CN112182558A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011043749.6A CN112182558A (en) 2020-09-28 2020-09-28 Process protection method, marking method, device and equipment

Publications (1)

Publication Number Publication Date
CN112182558A true CN112182558A (en) 2021-01-05

Family

ID=73947177

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106203093A (en) * 2016-06-30 2016-12-07 北京金山安全软件有限公司 Process protection method and device and terminal
WO2020107104A1 (en) * 2018-11-30 2020-06-04 BicDroid Inc. Personalized and cryptographically secure access control in operating systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination