CN112637146A - Method and device for preventing injection, electronic equipment and computer readable storage medium - Google Patents


Info

Publication number
CN112637146A
Authority
CN
China
Prior art keywords
information
dll file
abnormal
dll
name
Prior art date
Legal status
Pending
Application number
CN202011447685.6A
Other languages
Chinese (zh)
Inventor
柳伟
彭志刚
金侠斌
Current Assignee
Hundsun Technologies Inc
Original Assignee
Hundsun Technologies Inc
Priority date
Filing date
Publication date
Application filed by Hundsun Technologies Inc
Priority to CN202011447685.6A
Publication of CN112637146A
Legal status: Pending


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/56 Provisioning of proxy services
    • H04L 67/568 Storing data temporarily at an intermediate stage, e.g. caching
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/90 Details of database functions independent of the retrieved data types
    • G06F 16/95 Retrieval from the web
    • G06F 16/957 Browsing optimisation, e.g. caching or content distillation
    • G06F 16/9574 Browsing optimisation, e.g. caching or content distillation of access to content, e.g. by caching
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/08 Protocols for interworking; Protocol conversion

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application provides a method and a device for preventing injection, an electronic device and a computer readable storage medium, which comprises the steps of acquiring information of a DLL file loaded by a currently running process as first information in a preset period, acquiring a pre-generated white list, wherein the white list comprises second information, the second information is information of the DLL file configured in advance, the information of the DLL file comprises the name, encrypted character string and version information of the DLL file, and sending prompt information for detecting the abnormal DLL file by taking the DLL file meeting preset conditions as the abnormal DLL file in the preset period, wherein the preset conditions comprise: the correspondence of the name, the encryption string, and the version information in the first information is different from the record in the second information. Abnormal DLL file detection is performed periodically, and the problem of poor injection prevention capability caused by one-time detection is avoided. And the probability of finding the abnormally injected DLL file can be improved by comparing and detecting from multiple dimensions.

Description

Method and device for preventing injection, electronic equipment and computer readable storage medium
Technical Field
The present application relates to the field of information security technologies, and in particular, to an injection prevention method and apparatus, an electronic device, and a computer-readable storage medium.
Background
With the development of information technology, terminal application software is widely used, and this brings security problems with it. The main security problem of terminal application software is that illegal DLL (Dynamic Link Library) files are injected into it, so that the information security and property security of users face huge risks.
In order to prevent the terminal application software from being injected, some methods for preventing the terminal application software from being injected are disclosed at present, but the injection prevention capability of these injection prevention methods is poor, and is mainly represented by: on one hand, the injection prevention is only carried out when the system is started, and is one-off injection prevention, so that the detection is possibly missed; on the other hand, if the name of the injected abnormal DLL file is disguised as the name of the trusted DLL file and is placed in the designated path, the system considers that the injected abnormal DLL file is a secure DLL file. Therefore, how to improve the injection prevention capability of the terminal application software becomes a problem to be solved urgently.
Disclosure of Invention
The application provides an injection prevention method and device, electronic equipment and a computer readable storage medium, and aims to solve the urgent problem of how to improve the injection prevention capability of terminal application software.
In order to achieve the above object, the present application provides the following technical solutions:
an injection prevention method applied to a client side comprises the following steps:
acquiring information of a DLL file loaded by a currently running process as first information at a preset period; any piece of information of the DLL file at least comprises the name of the DLL file, an encryption character string uniquely corresponding to the DLL file and version information of the DLL file;
acquiring a pre-generated white list, wherein the white list comprises second information, and the second information is information of the pre-configured DLL file;
taking the DLL file meeting the preset condition as an abnormal DLL file according to the preset period, and sending prompt information for detecting the abnormal DLL file; the preset conditions include: the correspondence of the name, the encrypted character string, and the version information in the first information is different from the record in the second information.
Optionally, the obtaining information of the DLL file loaded by the currently running process includes:
acquiring a process snapshot through a dynamic link library file interface;
acquiring the loading paths of all DLL files loaded by the processes aiming at each process included in the process snapshot;
acquiring a data stream of the DLL file, the name of the DLL file, and the version information of the DLL file through the loading path of the DLL file;
and carrying out encryption calculation on the data stream of the DLL file to obtain the encrypted character string corresponding to the DLL file.
In the method, optionally, the process snapshot is obtained at least according to an import address table, where the import address table includes a memory address of the DLL file loaded by the process.
The foregoing method, optionally, after taking the DLL file meeting the preset condition as an abnormal DLL file, further includes: ending the process that loaded the abnormal DLL file.
Optionally, the above method, where the DLL file meeting the preset condition is used as an abnormal DLL file, includes:
determining whether the name in the first information is the same as the name in the second information;
if not, the DLL file is taken as the abnormal DLL file; if they are the same, judging whether the encrypted character string in the first information is the same as the encrypted character string corresponding to that name in the second information;
if not, the DLL file is taken as the abnormal DLL file; if they are the same, judging whether the version information in the first information is the same as the version information corresponding to that name in the second information; and if not, taking the DLL file as the abnormal DLL file.
Optionally, the method described above further includes:
calling a preset antivirus program or an input method program to obtain the information of the preset DLL files, and generating the white list by taking the information of the preset DLL files as the information included in the white list.
The method described above, optionally, wherein the DLL files recorded in the second information include the DLL files of an application program and the DLL files of the operating system on which the application program runs, and the application program comprises the client and other clients.
An anti-injection device comprising:
the first obtaining unit is used for obtaining information of the DLL file loaded by the currently running process as first information in a preset period; any piece of information of the DLL file at least comprises the name of the DLL file, an encryption character string uniquely corresponding to the DLL file and version information of the DLL file;
a second obtaining unit, configured to obtain a pre-generated white list, where the white list includes second information, and the second information is information of the DLL file configured in advance;
the detection unit is used for taking the DLL file meeting the preset condition as an abnormal DLL file according to the preset period and sending prompt information for detecting the abnormal DLL file; the preset conditions include: the correspondence of the name, the encrypted character string, and the version information in the first information is different from the record in the second information.
An apparatus, comprising: a processor and a memory for storing a program; the processor is used for running the program to realize the injection prevention method.
A computer-readable storage medium having stored therein instructions which, when run on a computer, cause the computer to perform the above-described method of preventing injection.
According to the method and the device, information of the DLL file loaded by the currently running process is acquired as first information in a preset period; a pre-generated white list is acquired, wherein the white list comprises second information, the second information is information of pre-configured DLL files, and the information of any one DLL file at least comprises the name of the DLL file, a unique encryption character string corresponding to the DLL file, and version information of the DLL file; with the preset period, the DLL file meeting the preset conditions is taken as an abnormal DLL file, and prompt information for detecting the abnormal DLL file is sent, wherein the preset conditions comprise: the correspondence of the name, the encryption string, and the version information in the first information is different from the record in the second information. According to the scheme, the abnormal DLL file is detected in every preset period and a prompt message is sent out once an abnormal DLL file is detected; the detection is therefore repeated in a loop in real time rather than performed once, which solves the problem of poor injection prevention capability caused by one-time detection.
On the other hand, according to the preset condition, as long as the name, the encryption string, or the version information in the first information does not exist in the second information, the correspondence relationship between the name, the encryption string, and the version information in the first information is naturally different from the record in the second information, and even if the name, the encryption string, and the version information in the first information all exist in the second information, the abnormally injected DLL file can be found as long as the correspondence relationship between the name, the encryption string, and the version information in the first information is different from the record in the second information. Namely, the method is equivalent to comparison detection from multiple dimensions, so that the probability of finding the abnormally injected DLL file can be greatly improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a method for preventing injection according to an embodiment of the present disclosure;
fig. 2 is a flowchart of a method for acquiring information of a DLL file loaded by a currently running process according to an embodiment of the present disclosure;
fig. 3 is a flowchart of a method for using a DLL file meeting a preset condition as an abnormal DLL file according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an injection prevention device according to an embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to provide security of terminal application software, it is necessary to prevent illegal DLL files from being injected into the terminal application software. Some methods for preventing the terminal application software from being injected have been disclosed previously, but these injection prevention methods have poor injection prevention capability, which is mainly reflected in two aspects: on one hand, the injection prevention is only carried out when the system is started and is therefore one-off, so that the detection may be missed; on the other hand, if the name of the injected abnormal DLL file is disguised as the name of a trusted DLL file and the file is placed in the designated path, the system considers the injected abnormal DLL file to be a secure DLL file.
In order to solve the above problems, the present application provides an injection prevention method which is applied to a client (i.e., terminal application software). After the client is started, the injection prevention method is executed: the DLL files loaded by the client process are detected periodically and repeatedly, and compared across multiple dimensions, namely the name of the DLL file, the encrypted character string corresponding to the DLL file, and the version information of the DLL file, so that an injected abnormal DLL file can be discovered in time.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, the present application is described in further detail with reference to the accompanying drawings and the detailed description. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Fig. 1 shows a method for preventing injection according to an embodiment of the present application, and the method may include the following steps:
S101, acquiring information of the DLL file loaded by the currently running process as first information in a preset period.
The information of any one DLL file at least comprises the name of the DLL file, an encryption character string uniquely corresponding to the DLL file and the version information of the DLL file. The encryption string of the DLL file may be an MD5 value, or of course other encryption algorithms may be adopted to obtain the encryption string corresponding to the DLL file. It should be noted that, because the encryption string corresponds uniquely to the DLL file, DLL files with different data contents also have different encryption strings.
The preset period may be set in combination with the demand, and may be optionally set to 1 minute, for example.
The specific implementation of this step can refer to the flowchart shown in fig. 2.
S102, acquiring a pre-generated white list.
The white list comprises second information, wherein the second information is information of the pre-configured DLL file, namely the white list at least comprises the name of the DLL file, the encrypted character string uniquely corresponding to the DLL file and the version information of the DLL file. In the white list, the name of the DLL file corresponding to any DLL file, the encrypted character string of the DLL file, and the version information of the DLL file are stored in correspondence.
The white list may not be periodically acquired, and may be re-acquired when receiving an instruction for updating the white list, or may be periodically acquired, where the acquisition period may be the preset period or another period.
The process of generating the white list in advance may be: and calling a preset antivirus program or an input method program to acquire the information of the preset DLL file, and generating a white list by taking the information of the preset DLL file as the information included in the white list. For example, the information of the DLL file configured in advance is checked by executing a query instruction of the information of the DLL file of the antivirus program or the input method program, and the information of the DLL file is correspondingly written into a preset data table, so that a white list is obtained.
The preset DLL file comprises a DLL file of an application program and a DLL file of an operating system operated by the application program, and the application program comprises the client and other clients.
It should be noted that the white list can be updated in real time according to the client and a valid DLL file subsequently injected by the operating system, and the client can obtain the latest white list in time by sending a white list update instruction to the client under the condition of updating the white list.
And S103, taking the DLL file meeting the preset condition as an abnormal DLL file in a preset period.
In this step, the preset period is the same as the preset period in S101.
The preset conditions include: the correspondence of the name, the encryption string, and the version information in the first information is different from the record in the second information. That is, as long as the name, the encryption string, or the version information in the first information of the DLL file does not exist in the second information, the correspondence relationship between the name, the encryption string, and the version information in the first information of the DLL file is naturally different from the record in the second information, and the DLL file is regarded as the abnormal file. Even if the name, the encryption string, and the version information in the first information of the DLL file all exist in the second information, the DLL file is regarded as an abnormal file as long as the correspondence among the name, the encryption string, and the version information in the first information is not the same as the record in the second information.
The specific implementation of this step can refer to the flowchart shown in fig. 3.
And S104, sending out prompt information for detecting the abnormal DLL file, and ending the process of loading the abnormal DLL file.
After the abnormal DLL file is found, prompt information for detecting the abnormal DLL file is sent out, so that operation and maintenance personnel can find the abnormal DLL file in time, the process of loading the abnormal DLL file is finished, and the safety of the running system is guaranteed.
In the method provided by this embodiment, information of a DLL file loaded by a currently running process is acquired as first information in a preset period, and a pre-generated white list is acquired, where the white list includes second information, and the second information is information of a pre-configured DLL file, where the information of any one DLL file at least includes a name of the DLL file, a unique encryption character string corresponding to the DLL file, and version information of the DLL file; with a preset period, taking the DLL file meeting the preset conditions as an abnormal DLL file, and sending prompt information for detecting the abnormal DLL file, wherein the preset conditions comprise: the correspondence of the name, the encryption string, and the version information in the first information is different from the record in the second information. According to the scheme, the abnormal DLL file is detected in the preset period, the prompt message for detecting the abnormal DLL file is sent out after the abnormal DLL file is detected, the method belongs to the real-time detection of multiple times of circulation, and the problem that the injection prevention capability is poor due to one-time detection can be solved. On the other hand, the preset condition is equivalent to that the information of the DLL file loaded by the process and the information of the DLL file configured in advance are compared in multiple dimensions, so that the probability of finding the abnormally injected DLL file can be greatly improved.
It should be noted that the injection prevention method provided by the foregoing embodiment is pre-packaged as a thread, and after the client runs, the thread is executed in a loop according to the preset period. During the running of the client, once the thread is abnormally stopped, for example due to a malicious attack by hackers, the client automatically exits, so as to prevent an abnormal DLL file from being injected into the client after the thread has stopped.
Fig. 2 is a specific embodiment of acquiring information of a DLL file loaded by a currently running process in S101 in fig. 1, and includes the following steps:
S201, acquiring a process snapshot through a dynamic link library file interface.
For example, the information of the running processes of the terminal client is obtained through the dynamic link library file interface CreateToolhelp32Snapshot.
It should be noted that, in this step, the process snapshot is obtained at least according to the import address table, and the prior art may be referred to specifically obtain the process snapshot. The import address table includes the memory address of the DLL file loaded by the running process.
The memory address of the DLL file included in the import address table is written there by the operating system of the client, which records the memory address of each DLL file loaded by the process into the import address table. Specifically: when the running process calls an import function of the DLL file, the operating system automatically determines the memory address corresponding to the import function of the DLL file according to the relocation table, and updates the memory address of the import function into the preset import address table. The memory address of the import function of the DLL file is taken as the memory address of the DLL file.
S202, aiming at each process in the process snapshot, obtaining the loading path of all DLL files loaded by the process.
For example, Module32First is used to obtain the load paths of all DLL files in the process. The loading path of the DLL file is the memory address of the DLL file.
S203, acquiring the data stream of the DLL file, the name of the DLL file and the version information of the DLL file through the loading path of the DLL file.
Through the loading path of the DLL file, the data stream of the DLL file, the name of the DLL file and the version information of the DLL file can be looked up.
S204, carrying out encryption calculation on the data stream of the DLL file to obtain an encryption character string corresponding to the DLL file.
For example, the MD5 calculation is performed on the DLL file to obtain an MD5 value corresponding to the DLL file, and the MD5 value is used as the encrypted string of the DLL file.
At present, in order to improve the success rate of injecting the abnormal DLL files, some abnormal DLL files are often injected into a program in a hidden injection mode.
Because the operating system automatically updates the memory address of each DLL file loaded by the process into the import address table, and the process snapshot is obtained at least according to the import address table, in this scheme the loading paths (namely the memory addresses) of all DLL files loaded by each process in the process snapshot are obtained, the information of each DLL file is obtained through its loading path, and finally the abnormal DLL file that was injected in a hidden manner can be found by comparison with the second information in the white list. Therefore, the method provided by this scheme can detect not only abnormal DLL files injected in a non-hidden manner but also abnormal DLL files injected in a hidden manner, and has good practicability.
Fig. 3 shows a specific embodiment, provided by an example of the present application, of taking a DLL file that satisfies the preset condition in S103 of Fig. 1 as an abnormal DLL file. It should be noted that, in the second information included in the white list, the name of the DLL file, the encrypted string of the DLL file, and the version information are stored in correspondence. The present embodiment may include the following steps:
S301, judging whether the name in the first information is the same as the name of a record in the second information; if so, executing S302, and if not, executing S305.
S302, whether the encrypted character string in the first information is the same as the encrypted character string corresponding to the name in the second information is judged. If the two are the same, S303 is executed, and if the two are not the same, S305 is executed.
S303, judging whether the version information in the first information is the same as the version information corresponding to the name in the second information, if so, executing S304, and if not, executing S305.
S304, the DLL file corresponding to the first information is a normal DLL file.
S305, the DLL file corresponding to the first information is an abnormal DLL file.
It should be noted that, in this embodiment, the comparison is performed according to the order of the name of the DLL file, the encrypted character string of the DLL file, and the version information of the DLL file, because the name of the DLL file, the encrypted character string of the DLL file, and the version information are stored correspondingly in the second information, other comparison orders may also be adopted, and the specific implementation of the scheme is not affected by the comparison order.
The preset condition provided by the embodiment is that the information of the DLL file loaded by the process is compared with the information of the pre-configured DLL file from a plurality of different dimensions, so that the abnormal DLL file can be found more generally.
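The following is an added example, not code from the patent or from Hundsun: it implements the S301-S305 comparison of Fig. 3 over the (name, encryption string, version) records that S101 (S201-S204) would collect, using MD5 as the encryption string because the description names it. The DLL contents, version strings and whitelist are constructed inline; the Windows enumeration of loaded modules is assumed to have already produced the records.

```python
"""Periodic whitelist check of loaded DLL records (S103 / Fig. 3).

Added illustration only. Records are keyed by DLL name so that name,
digest and version are stored in correspondence, as the white list requires.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class DllInfo:
    name: str      # file name of the DLL
    digest: str    # "encryption string": hex MD5 of the file's data stream
    version: str   # version information of the DLL


def encryption_string(data: bytes) -> str:
    """S204: hash the DLL's data stream (MD5, as the description suggests)."""
    return hashlib.md5(data).hexdigest()


def build_whitelist(entries: Iterable[Tuple[str, bytes, str]]) -> Dict[str, DllInfo]:
    """S102: build the second information from (name, data stream, version) tuples."""
    whitelist: Dict[str, DllInfo] = {}
    for name, data, version in entries:
        whitelist[name] = DllInfo(name, encryption_string(data), version)
    return whitelist


def is_abnormal(first: DllInfo, whitelist: Dict[str, DllInfo]) -> bool:
    """Fig. 3: compare name, then digest, then version against the record of that name."""
    record = whitelist.get(first.name)
    if record is None:                  # S301 fails: name not in white list -> S305
        return True
    if record.digest != first.digest:   # S302 fails: digest does not match this name -> S305
        return True
    if record.version != first.version: # S303 fails: version does not match this name -> S305
        return True
    return False                        # S304: normal DLL file


def detect(first_info: Iterable[DllInfo], whitelist: Dict[str, DllInfo]) -> List[DllInfo]:
    """One pass of S103: return the abnormal DLL files found in this period."""
    return [d for d in first_info if is_abnormal(d, whitelist)]


def demo() -> List[str]:
    """Constructed sample run; returns the names flagged as abnormal, in load order."""
    # Constructed stand-ins for the data streams of two whitelisted DLLs.
    kernel_bytes = b"constructed bytes of kernel32.dll"
    helper_bytes = b"constructed bytes of helper.dll"
    whitelist = build_whitelist([
        ("kernel32.dll", kernel_bytes, "10.0.19041.1"),
        ("helper.dll", helper_bytes, "1.2.0"),
    ])
    loaded = [
        # name, digest and version all correspond -> normal
        DllInfo("kernel32.dll", encryption_string(kernel_bytes), "10.0.19041.1"),
        # digest exists in the white list, but under a different name -> abnormal
        DllInfo("helper.dll", encryption_string(kernel_bytes), "1.2.0"),
        # name not recorded at all -> abnormal
        DllInfo("unknown.dll", encryption_string(helper_bytes), "1.2.0"),
        # name and digest correspond, version does not -> abnormal
        DllInfo("kernel32.dll", encryption_string(kernel_bytes), "9.9.9.9"),
    ]
    return [d.name for d in detect(loaded, whitelist)]


if __name__ == "__main__":
    print(demo())  # ['helper.dll', 'unknown.dll', 'kernel32.dll']
```

The second loaded record shows the multi-dimension point of the description: every field of it appears somewhere in the white list, yet the correspondence is wrong, so it is still flagged.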
Fig. 4 is a schematic structural diagram of an injection prevention device 400 according to an embodiment of the present application, including:
a first obtaining unit 401, configured to obtain, as first information, information of a DLL file loaded by a currently running process in a preset period; the information of any one DLL file at least comprises the name of the DLL file, an encryption character string uniquely corresponding to the DLL file and the version information of the DLL file.
A second obtaining unit 402, configured to obtain a pre-generated white list, where the white list includes second information, and the second information is information of a pre-configured DLL file.
A detecting unit 403, configured to use, in a preset period, a DLL file meeting a preset condition as an abnormal DLL file, and send a prompt message for detecting the abnormal DLL file; the preset conditions include: the correspondence of the name, the encryption string, and the version information in the first information is different from the record in the second information.
Optionally, the apparatus 400 further includes a generating unit 404, configured to invoke a preset antivirus program or an input method program to obtain information of a preconfigured DLL file, and generate a white list by using the information of the preconfigured DLL file as information included in the white list.
Optionally, the DLL files recorded in the second information include the DLL files of an application program and the DLL files of the operating system on which the application program runs, and the application program comprises the client and other clients.
Optionally, a specific implementation manner of the first obtaining unit 401 obtaining the information of the DLL file loaded by the currently running process is as follows:
acquiring a process snapshot through a dynamic link library file interface;
acquiring the loading paths of all DLL files loaded by the processes aiming at each process in the process snapshot;
acquiring a data stream of the DLL file, the name of the DLL file and version information of the DLL file through a loading path of the DLL file;
and carrying out encryption calculation on the data stream of the DLL file to obtain an encrypted character string corresponding to the DLL file.
Optionally, the process snapshot is obtained at least according to an import address table, where the import address table includes a memory address of a DLL file loaded by the process.
Optionally, the detecting unit 403 is further configured to end the process of loading the abnormal DLL file.
Optionally, the specific implementation of the detecting unit 403 taking a DLL file meeting the preset condition as an abnormal DLL file is as follows:
judging whether the name in the first information is the same as a name recorded in the second information;
if not, taking the DLL file as an abnormal DLL file; if so, judging whether the encrypted character string in the first information is the same as the encrypted character string corresponding to that name in the second information;
if not, taking the DLL file as an abnormal DLL file; if so, judging whether the version information in the first information is the same as the version information corresponding to that name in the second information; and if not, taking the DLL file as an abnormal DLL file.
In the device provided by this embodiment, the information of the DLL files loaded by the currently running processes is acquired as first information at a preset period; a pre-generated white list is acquired, the white list comprising second information, the second information being the information of pre-configured DLL files, where the information of any DLL file at least comprises the name of the DLL file, an encryption character string uniquely corresponding to the DLL file, and the version information of the DLL file; and, at the preset period, a DLL file meeting the preset condition is taken as an abnormal DLL file and a prompt message indicating that the abnormal DLL file has been detected is sent, the preset condition being: the correspondence among the name, the encryption string and the version information in the first information differs from the record in the second information. According to this scheme, abnormal DLL files are detected at the preset period and a prompt message is sent whenever one is detected, so detection is repeated and cyclic in real time rather than performed once, which overcomes the poor injection-prevention capability of one-time detection.
On the other hand, according to the preset condition, as long as the name, the encryption string, or the version information in the first information does not exist in the second information, the correspondence relationship between the name, the encryption string, and the version information in the first information is naturally different from the record in the second information, and even if the name, the encryption string, and the version information in the first information all exist in the second information, the abnormally injected DLL file can be found as long as the correspondence relationship between the name, the encryption string, and the version information in the first information is different from the record in the second information. Namely, the method is equivalent to comparison detection from multiple dimensions, so that the probability of finding the abnormally injected DLL file can be greatly improved.
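As an added example (not the patent's own code), the acquisition steps and the three-stage comparison described above, in Python over a constructed process snapshot. The hash algorithm (SHA-256, standing in for the unnamed "encryption calculation"), the Windows-style paths and the sample data are this example's assumptions; the last snapshot entry demonstrates the multi-dimension point: a DLL whose name, string and version each appear somewhere in the white list, but not in the recorded correspondence, is still flagged.

```python
import hashlib
import ntpath
from typing import NamedTuple

class DllInfo(NamedTuple):
    # The patent's 'information of a DLL file': name, encrypted string, version
    name: str
    digest: str
    version: str

def make_info(load_path: str, data: bytes, version: str) -> DllInfo:
    # Name and data stream come from the load path; the stream is then hashed.
    # The page does not name the algorithm; SHA-256 is this example's assumption.
    return DllInfo(ntpath.basename(load_path).lower(),
                   hashlib.sha256(data).hexdigest(), version)

def build_whitelist(preconfigured):
    # Second information keyed by name: name -> (digest, version)
    return {i.name: (i.digest, i.version) for i in preconfigured}

def classify(first: DllInfo, whitelist) -> str:
    # Compare in the patent's order: name, then the encrypted string recorded
    # for that name, then the version recorded for that name.
    if first.name not in whitelist:
        return "abnormal:name"
    digest, version = whitelist[first.name]
    if first.digest != digest:
        return "abnormal:digest"
    if first.version != version:
        return "abnormal:version"
    return "ok"

def scan(snapshot, whitelist):
    # One detection period over a snapshot {pid: [(load_path, data, version)]};
    # any 'abnormal:*' verdict is what would trigger the prompt message.
    results = []
    for pid, modules in snapshot.items():
        for load_path, data, version in modules:
            info = make_info(load_path, data, version)
            results.append((pid, info.name, classify(info, whitelist)))
    return results

WHITELIST = build_whitelist([  # constructed: byte strings stand in for DLL data streams
    make_info(r"C:\Windows\System32\kernel32.dll", b"kernel32-bytes", "10.0.1"),
    make_info(r"C:\Windows\System32\user32.dll", b"user32-bytes", "10.0.1"),
    make_info(r"C:\App\client.dll", b"client-bytes", "1.0.0"),
])
SNAPSHOT = {  # constructed process snapshot for one detection period
    1001: [(r"C:\Windows\System32\kernel32.dll", b"kernel32-bytes", "10.0.1"),
           (r"C:\Temp\hook.dll", b"hook-bytes", "1.0.0")],                  # unknown name
    1002: [(r"C:\Windows\System32\user32.dll", b"patched-bytes", "10.0.1"),  # wrong digest
           (r"C:\App\client.dll", b"client-bytes", "2.0.0")],               # wrong version
    1003: [(r"C:\App\client.dll", b"user32-bytes", "10.0.1")],  # all fields known, correspondence wrong
}
```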
The present application further provides an electronic device 500, a schematic structural diagram of which is shown in fig. 5, including: a processor 501 and a memory 502, the memory 502 is used for storing application programs, and the processor 501 is used for executing the application programs to realize the injection prevention method of the application, namely, the following steps are executed:
acquiring information of a DLL file loaded by a currently running process as first information at a preset period; the information of any one DLL file at least comprises the name of the DLL file, an encryption character string uniquely corresponding to the DLL file and the version information of the DLL file.
And acquiring a pre-generated white list, wherein the white list comprises second information, and the second information is information of a pre-configured DLL file.
Taking the DLL file meeting the preset condition as an abnormal DLL file in a preset period, and sending prompt information for detecting the abnormal DLL file; the preset conditions include: the correspondence of the name, the encryption string, and the version information in the first information is different from the record in the second information.
The present application also provides a computer-readable storage medium having stored therein instructions, which when run on a computer, cause the computer to perform the method of the present application for preventing injection, i.e. to perform the steps of:
acquiring information of a DLL file loaded by a currently running process as first information at a preset period; the information of any one DLL file at least comprises the name of the DLL file, an encryption character string uniquely corresponding to the DLL file and the version information of the DLL file.
And acquiring a pre-generated white list, wherein the white list comprises second information, and the second information is information of a pre-configured DLL file.
Taking the DLL file meeting the preset condition as an abnormal DLL file in a preset period, and sending prompt information for detecting the abnormal DLL file; the preset conditions include: the correspondence of the name, the encryption string, and the version information in the first information is different from the record in the second information.
The functions described in the method of the embodiment of the present application, if implemented in the form of software functional units and sold or used as independent products, may be stored in a storage medium readable by a computing device. Based on such understanding, part of the contribution to the prior art of the embodiments of the present application or part of the technical solution may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computing device (which may be a personal computer, a server, a mobile computing device or a network device) to execute all or part of the steps of the method described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. An injection prevention method applied to a client, the method comprising:
acquiring information of a DLL file loaded by a currently running process as first information at a preset period; any piece of information of the DLL file at least comprises the name of the DLL file, an encryption character string uniquely corresponding to the DLL file and version information of the DLL file;
acquiring a pre-generated white list, wherein the white list comprises second information, and the second information is information of the pre-configured DLL file;
taking the DLL file meeting the preset condition as an abnormal DLL file according to the preset period, and sending prompt information for detecting the abnormal DLL file; the preset conditions include: the correspondence of the name, the encrypted character string, and the version information in the first information is different from the record in the second information.
2. The method of claim 1, wherein the obtaining information of the DLL file loaded by the currently running process comprises:
acquiring a process snapshot through a dynamic link library file interface;
for each process included in the process snapshot, acquiring the load paths of all DLL files loaded by that process;
acquiring a data stream of the DLL file, the name of the DLL file, and the version information of the DLL file through the loading path of the DLL file;
and carrying out encryption calculation on the data stream of the DLL file to obtain the encrypted character string corresponding to the DLL file.
3. The method of claim 2, wherein the process snapshot is derived from at least an import address table, the import address table comprising memory addresses of the DLL file loaded by the process.
4. The method of claim 1, wherein after the DLL file satisfying the preset condition is regarded as an abnormal DLL file, the method further comprises: ending the process that loaded the abnormal DLL file.
5. The method of claim 1, wherein the step of regarding the DLL file satisfying the preset condition as an abnormal DLL file comprises:
determining whether the name in the first information is the same as the name in the second information;
if not, taking the DLL file as the abnormal DLL file; if so, judging whether the encrypted character string in the first information is the same as the encrypted character string corresponding to that name in the second information;
if not, taking the DLL file as the abnormal DLL file; if so, judging whether the version information in the first information is the same as the version information corresponding to that name in the second information; and if not, taking the DLL file as the abnormal DLL file.
6. The method of claim 1, wherein the white list generation process comprises:
and calling a preset antivirus program or an input method program to obtain the information of the preset DLL file, and generating the white list by taking the information of the preset DLL file as the information included in the white list.
7. The method of claim 6, wherein the DLL files in the second information comprise:
the DLL files of application programs, the application programs comprising the client and other clients.
8. An anti-injection device, comprising:
the first obtaining unit is used for obtaining information of the DLL file loaded by the currently running process as first information in a preset period; any piece of information of the DLL file at least comprises the name of the DLL file, an encryption character string uniquely corresponding to the DLL file and version information of the DLL file;
a second obtaining unit, configured to obtain a pre-generated white list, where the white list includes second information, and the second information is information of the DLL file configured in advance;
the detection unit is used for taking the DLL file meeting the preset condition as an abnormal DLL file according to the preset period and sending prompt information for detecting the abnormal DLL file; the preset conditions include: the correspondence of the name, the encrypted character string, and the version information in the first information is different from the record in the second information.
9. An electronic device, comprising: a processor and a memory for storing a program; the processor is configured to execute the program to implement the method for preventing injection according to any one of claims 1 to 7.
10. A computer-readable storage medium having stored therein instructions which, when run on a computer, cause the computer to perform the method of preventing injection of any of claims 1-7.
CN202011447685.6A 2020-12-09 2020-12-09 Method and device for preventing injection, electronic equipment and computer readable storage medium Pending CN112637146A (en)

Publications (1)

Publication Number Publication Date
CN112637146A true CN112637146A (en) 2021-04-09

Family

ID=75310291

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210409