CN112800416A - Safety protection system and method for calling chain - Google Patents

Info

Publication number: CN112800416A
Application number: CN202011633897.3A
Authority: CN (China)
Priority date: 2020-12-31
Filing date: 2020-12-31
Publication date: 2021-05-14
Legal status: Pending (the status shown by Google Patents is an assumption, not a legal conclusion; the Legal Events section below records an RJ01 rejection after publication)
Prior art keywords: encrypted, process information, call, chain, information
Other languages: Chinese (zh)
Inventors: 魏贺生, 洒西涛, 范丽, 单国军
Current assignee: Aisino Corp (the listed assignee may be inaccurate; Google has performed no legal analysis)
Original assignee: Aisino Corp

Classifications

All under G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity:

    • G06F 21/602 Providing cryptographic facilities or services (under G06F 21/60 Protecting data)
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow (under G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems)
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities (under G06F 21/50; G06F 21/55 Detecting local intrusion or implementing counter-measures; G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements)

Abstract

The invention discloses a security protection system and method for a call chain, in the technical field of call chain security protection. The system of the invention comprises: a call stack module, which acquires the call chain, extracts the process information of the call chain and passes the process information to the call stack encryption module; a call stack encryption module, which receives the process information and encrypts it in a preset manner; and a judgment processing module, which compares the encrypted process information with the encrypted data pre-stored in an encrypted file and, if the pre-stored data contains that process information, allows the process of the call chain to be loaded. The invention effectively prevents programs from illegally calling processes, prevents intrusion events, ensures the security of the program and has high application value.

Description

Safety protection system and method for calling chain
Technical Field
The present invention relates to the technical field of call chain security protection, and more particularly to a security protection system and method for a call chain.
Background
With the continuous progress of science and technology, C# application programs are subject to many malicious calls by malicious software; these illegal behaviors damage the source program and have a serious impact on society.
Three prior-art techniques are described below, together with the problems they present.
The patent application with number 201310462793.4 describes an intrusion detection method and device that implement kernel intrusion detection on the Linux system by means of a first acquisition module, a derivation module, a fingerprint algorithm processing module, a first comparison module and a first confirmation module.
The patent application with number 201510809215.2 provides a method and apparatus for protecting an application program: calls to the loading function for DLL files are monitored, and if the process calling the loading function is the process of the application to be protected, it is determined whether the DLL file to be loaded is a malicious DLL file, so that the protected process is prevented from loading a malicious DLL file.
The patent application with number 201410191624.6 discloses an active defense method and device based on the Linux system: a Hook is used to monitor the system calls of the Linux kernel, and a call is allowed if the calling program is on a white list and forbidden otherwise. The method can effectively detect the programs run by the Linux system and intercept malicious programs run on Linux.
The first scheme focuses on kernel-mode intrusion events on the Linux system. Its way of acquiring the call chain, obtaining the system call entry through an assembly instruction and then the system call table pointer through that entry, is complex and applies only to Linux. The second scheme uses a hook function to monitor calls to the dynamic-link library loading function and checks whether the library to be loaded exists in a pre-stored list of malicious dynamic-link libraries, so as to refuse the DLL load. The third scheme also targets intrusion events on the Linux system and resembles the second, but uses a white list to decide whether a system call is allowed, and needs a Hook for every monitored system call. All three schemes provide a defense against malicious intrusion or invocation, but each has the corresponding disadvantages.
Therefore, in order to overcome the defects of the prior art, it is necessary to carry out corresponding research and provide a call chain detection and security protection technique for C# applications under Windows.
Disclosure of Invention
In view of the above problem, the present invention provides a security protection system for a call chain, comprising:
a call stack module, which acquires the call chain, extracts the process information of the call chain and passes the process information to the call stack encryption module;
a call stack encryption module, which receives the process information and encrypts the process information in a preset manner;
and a judgment processing module, which compares the encrypted process information with the encrypted data pre-stored in an encrypted file and, if the pre-stored data contains the process information, allows the process of the call chain to be loaded.
Optionally, the judgment processing module is further configured so that, when the encrypted process information is compared with the encrypted data pre-stored in the encrypted file and the pre-stored data does not contain the process information, the process of the call chain is prohibited from loading and an alarm is raised.
Optionally, the call stack encryption module is further configured to pre-store the encrypted file.
Optionally, the encrypted file is encrypted with an asymmetric encryption algorithm, and the file stores the process information of the loaded call chain together with the encrypted information obtained by encrypting that process information in the preset manner;
the process information includes: the process name of each process in the call chain and the MD5 value of the program file corresponding to the process.
Optionally, the call stack module acquires the call chain by using the stack information acquisition facility built into C#.
The invention also provides a security protection method for a call chain, comprising the following steps:
acquiring the call chain and extracting the process information of the call chain;
receiving the process information and encrypting it in a preset manner;
and comparing the encrypted process information with the encrypted data pre-stored in an encrypted file and, if the pre-stored data contains the process information, allowing the process of the call chain to be loaded.
Optionally, the method further comprises: when the encrypted process information is compared with the encrypted data pre-stored in the encrypted file and the pre-stored data does not contain the process information, prohibiting the process of the call chain from loading and raising an alarm.
Optionally, the encrypted file is encrypted with an asymmetric encryption algorithm, and the file stores the process information of the loaded call chain together with the encrypted information obtained by encrypting that process information in the preset manner;
the process information includes: the process name of each process in the call chain and the MD5 value of the program file corresponding to the process.
Optionally, the call chain is acquired by using the stack information acquisition facility built into C#.
The invention effectively prevents programs from illegally calling processes, prevents intrusion events, ensures the security of the program and has high application value.
Drawings
FIG. 1 is a block diagram of the security protection system for a call chain of the present invention;
FIG. 2 is a schematic of the security protection principle of the security protection system for a call chain of the present invention;
FIG. 3 is a flow chart of the security protection method for a call chain of the present invention.
Detailed Description
Exemplary embodiments of the present invention will now be described with reference to the accompanying drawings; however, the present invention may be embodied in many different forms and is not limited to the embodiments described herein, which are provided so that the disclosure is complete and fully conveys the scope of the invention to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the accompanying drawings is not intended to limit the invention. In the drawings, the same units/elements are denoted by the same reference numerals.
Unless otherwise defined, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Further, it will be understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
The invention proposes a security protection system for a call chain, as shown in FIG. 1; the principle of the security protection is shown in FIG. 2. The system of the invention comprises:
a call stack module, which acquires the call chain, extracts the process information of the call chain and passes the process information to the call stack encryption module;
a call stack encryption module, which receives the process information and encrypts the process information in a preset manner;
the call stack encryption module is also used to pre-store an encrypted file;
and a judgment processing module, which compares the encrypted process information with the encrypted data pre-stored in the encrypted file and, if the pre-stored data contains the process information, allows the process of the call chain to be loaded.
The judgment processing module is also used, when the encrypted process information is compared with the encrypted data pre-stored in the encrypted file and the pre-stored data does not contain the process information, to determine that the process of the call chain is prohibited from loading and to raise an alarm.
The encrypted file is encrypted with an asymmetric encryption algorithm, and stores the process information of the loaded call chain together with the encrypted information obtained by encrypting that process information in the preset manner;
the process information includes: the process name of each process in the call chain and the MD5 value of the program file corresponding to the process.
The call stack module acquires the call chain by using the stack information acquisition facility built into C#.
The invention also proposes a security protection method for a call chain, as shown in FIG. 3, comprising:
acquiring the call chain and extracting the process information of the call chain;
receiving the process information and encrypting it in a preset manner;
and comparing the encrypted process information with the encrypted data pre-stored in the encrypted file and, if the pre-stored data contains the process information, allowing the process of the call chain to be loaded.
When the encrypted process information is compared with the encrypted data pre-stored in the encrypted file and the pre-stored data does not contain the process information, the process of the call chain is prohibited from loading and an alarm is raised.
The encrypted file is encrypted with an asymmetric encryption algorithm, and stores the process information of the loaded call chain together with the encrypted information obtained by encrypting that process information in the preset manner;
the process information includes: the process name of each process in the call chain and the MD5 value of the program file corresponding to the process.
The call chain is acquired by using the stack information acquisition facility built into C#.
The invention effectively prevents programs from illegally calling processes, prevents intrusion events, ensures the security of the program and has high application value.
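As an added example (not code from the patent or from Aisino), the following C# program implements the three modules outlined in the Disclosure and in the Detailed Description above: a call stack module that walks the managed stack with System.Diagnostics.StackTrace and records, for each assembly that has a frame on it, the file name and a digest of that file on disk; an encryption module that turns each entry into its stored form; and a judgment module that allows the chain only if every entry is in the pre-stored list, returning the first unknown entry so the caller can block the load and raise the alarm. Everything beyond the patent's outline is an assumption of this example: the "process" behind a frame is taken to be the assembly file that owns its method; the file digest is SHA-256 rather than the MD5 named in the claims (MD5 collisions let an attacker produce two executables with one digest, which defeats an integrity allow-list); the "preset manner" is the SHA-256 of name|digest; and the pre-stored file is RSA-PSS signed and checked with a public key rather than encrypted, because a verifier that ships with the application can hold only a public key, whereas decrypting an encrypted list would put the private key on the client where an attacker can read it. The file format and the names CallChainGuard, ChainEntry, EntryToken, WriteAllowList, ReadAllowList and CheckCallChain are this example's own. Requires .NET 6 or later.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Runtime.CompilerServices;
using System.Security.Cryptography;
using System.Text;

// Added example, not the patent's code. Assumes .NET 6+.
static class CallChainGuard
{
    // One link of the call chain: the file name of the assembly that owns a
    // stack frame and the hex digest of that file on disk. The patent stores
    // an MD5; SHA-256 is substituted here (assumption, see lead-in).
    public sealed record ChainEntry(string Name, string FileHash);

    static string Sha256Hex(byte[] data)
    {
        using var sha = SHA256.Create();
        return Convert.ToHexString(sha.ComputeHash(data));
    }

    static string HashFile(string path)
    {
        using var stream = File.OpenRead(path);
        using var sha = SHA256.Create();
        return Convert.ToHexString(sha.ComputeHash(stream));
    }

    // Call stack module: walk the managed stack and record each distinct
    // assembly that has a frame on it. NoInlining keeps this method's own
    // frame, and its caller's, from being folded away by the JIT.
    [MethodImpl(MethodImplOptions.NoInlining)]
    public static List<ChainEntry> CollectCallChain()
    {
        var chain = new List<ChainEntry>();
        var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (var frame in new StackTrace(fNeedFileInfo: false).GetFrames())
        {
            var path = frame?.GetMethod()?.Module.Assembly.Location;
            // Dynamic, in-memory or single-file-bundled assemblies report an
            // empty Location; they cannot be hashed and are skipped here.
            if (string.IsNullOrEmpty(path) || !seen.Add(path)) continue;
            chain.Add(new ChainEntry(Path.GetFileName(path), HashFile(path)));
        }
        return chain;
    }

    // "Preset manner": the stored form of an entry. Assumed here to be the
    // SHA-256 of "name|filehash"; the patent leaves the transform unspecified.
    public static string EntryToken(ChainEntry e) =>
        Sha256Hex(Encoding.UTF8.GetBytes(e.Name.ToLowerInvariant() + "|" + e.FileHash));

    // Pre-store step, run at build or deployment time with the private key.
    // Line 1 of the file is the base64 RSA-PSS signature over the remainder.
    public static void WriteAllowList(string path, IEnumerable<ChainEntry> trusted, RSA privateKey)
    {
        string payload = string.Join("\n", trusted.Select(EntryToken).Distinct().OrderBy(t => t));
        byte[] sig = privateKey.SignData(Encoding.UTF8.GetBytes(payload),
                                         HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
        File.WriteAllText(path, Convert.ToBase64String(sig) + "\n" + payload);
    }

    // Load step: verify the signature with the public key embedded in the
    // application before trusting a single token. Fails closed on tampering.
    public static HashSet<string> ReadAllowList(string path, RSA publicKey)
    {
        string text = File.ReadAllText(path);
        int nl = text.IndexOf('\n');
        if (nl < 0) throw new CryptographicException("malformed allow-list");
        byte[] sig = Convert.FromBase64String(text[..nl]);
        string payload = text[(nl + 1)..];
        if (!publicKey.VerifyData(Encoding.UTF8.GetBytes(payload), sig,
                                  HashAlgorithmName.SHA256, RSASignaturePadding.Pss))
            throw new CryptographicException("allow-list signature invalid");
        return new HashSet<string>(payload.Split('\n', StringSplitOptions.RemoveEmptyEntries));
    }

    // Judgment processing module: every assembly on the current stack must be
    // in the list; the first unknown one is returned so the caller can block
    // the load and raise the alarm.
    [MethodImpl(MethodImplOptions.NoInlining)]
    public static (bool Allowed, ChainEntry? Offender) CheckCallChain(HashSet<string> allowed)
    {
        foreach (var entry in CollectCallChain())
            if (!allowed.Contains(EntryToken(entry))) return (false, entry);
        return (true, null);
    }

    static void Main()
    {
        using RSA signer = RSA.Create(2048);
        using RSA verifier = RSA.Create();
        verifier.ImportParameters(signer.ExportParameters(false)); // public half only
        string file = Path.Combine(Path.GetTempPath(), "callchain.allow");

        WriteAllowList(file, CollectCallChain(), signer);      // deploy time: trust the current chain
        var (ok, offender) = CheckCallChain(ReadAllowList(file, verifier));
        Console.WriteLine(ok ? "call chain allowed" : $"BLOCK {offender}");

        // A tampered file must fail the signature check, not silently widen the list.
        File.AppendAllText(file, "\n" + new string('0', 64));
        try { ReadAllowList(file, verifier); }
        catch (CryptographicException ex) { Console.WriteLine("alarm: " + ex.Message); }
    }
}
```

Build it as a console application and run it once: it writes a signed allow-list for its own call chain to the temp directory, reads it back, checks the current chain, then appends a bogus token and shows the signature check rejecting the file. Two limits a practitioner should keep in mind: StackTrace sees only managed frames, so native code injected into the process, or a caller living in a single-file or dynamically emitted assembly with no Location, is invisible to it; and the check runs inside the process it protects, so it raises the bar against illegal calls from other managed code but is not a boundary against an attacker who already executes arbitrary code there.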
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage and the like) having computer-usable program code embodied therein. The scheme of the embodiments of the application can be implemented in various computer languages, such as the object-oriented programming language Java and the interpreted scripting language JavaScript.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (9)

1. A security protection system for a call chain, the system comprising:
a call stack module, which acquires the call chain, extracts the process information of the call chain and passes the process information to the call stack encryption module;
a call stack encryption module, which receives the process information and encrypts the process information in a preset manner;
and a judgment processing module, which compares the encrypted process information with the encrypted data pre-stored in an encrypted file and, if the pre-stored data contains the process information, allows the process of the call chain to be loaded.
2. The system according to claim 1, wherein the judgment processing module is further configured so that, when the encrypted process information is compared with the encrypted data pre-stored in the encrypted file and the pre-stored data does not contain the process information, the process of the call chain is prohibited from loading and an alarm is issued.
3. The system according to claim 1, wherein the call stack encryption module is further configured to pre-store the encrypted file.
4. The system according to claim 1, wherein the encrypted file is encrypted with an asymmetric encryption algorithm, and the file stores the process information of the loaded call chain together with the encrypted information obtained by encrypting that process information in the preset manner;
the process information includes: the process name of each process in the call chain and the MD5 value of the program file corresponding to the process.
5. The system according to claim 1, wherein the call stack module acquires the call chain by using the stack information acquisition facility built into C#.
6. A security protection method for a call chain, the method comprising:
acquiring the call chain and extracting the process information of the call chain;
receiving the process information and encrypting it in a preset manner;
and comparing the encrypted process information with the encrypted data pre-stored in an encrypted file and, if the pre-stored data contains the process information, allowing the process of the call chain to be loaded.
7. The method according to claim 6, further comprising: when the encrypted process information is compared with the encrypted data pre-stored in the encrypted file and the pre-stored data does not contain the process information, prohibiting the process of the call chain from loading and issuing an alarm.
8. The method according to claim 6, wherein the encrypted file is encrypted with an asymmetric encryption algorithm, and the file stores the process information of the loaded call chain together with the encrypted information obtained by encrypting that process information in the preset manner;
the process information includes: the process name of each process in the call chain and the MD5 value of the program file corresponding to the process.
9. The method according to claim 6, wherein the call chain is acquired by using the stack information acquisition facility built into C#.

Priority Applications (1)

Application Number   Priority Date   Filing Date   Title
CN202011633897.3A    2020-12-31      2020-12-31    Safety protection system and method for calling chain (published as CN112800416A)

Publications (1)

Publication Number   Publication Date
CN112800416A         2021-05-14

Family

ID=75808467

Family Applications (1)

Application Number   Status    Publication    Priority Date   Filing Date   Title
CN202011633897.3A    Pending   CN112800416A   2020-12-31      2020-12-31    Safety protection system and method for calling chain

Country Status (1)

Country   Link
CN (1)    CN112800416A

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number   Priority date   Publication date   Assignee   Title
CN113742659A *   2021-08-09   2021-12-03   航天信息股份有限公司 (Aisino Corp)   Application program protection method and device, electronic equipment and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number   Priority date   Publication date   Assignee   Title
CN101408917A *   2008-10-22   2009-04-15   厦门市美亚柏科资讯科技有限公司   Method and system for detecting the legality of application program behavior
CN104992081A *   2015-06-24   2015-10-21   华中科技大学   Security enhancement method for third-party code of Android application programs
CN106778234A *   2015-11-19   2017-05-31   珠海市君天电子科技有限公司   Application program protection method and device
CN106802821A *   2017-02-14   2017-06-06   腾讯科技(深圳)有限公司   Method and device for identifying the installation source of an application
CN107092553A *   2017-04-20   2017-08-25   广州华多网络科技有限公司   Method, device and computer system for establishing a request call chain between processes
CN109784054A *   2018-12-29   2019-05-21   360企业安全技术(珠海)有限公司   Behavior stack information acquisition method and device
CN110245464A *   2018-10-10   2019-09-17   爱信诺征信有限公司   Method and apparatus for protecting a file

Legal Events

Date         Code   Title
2021-05-14   PB01   Publication
             SE01   Entry into force of request for substantive examination
             RJ01   Rejection of invention patent application after publication