CN112800416A - Safety protection system and method for calling chain - Google Patents
- Publication number: CN112800416A
- Application number: CN202011633897.3A
- Authority: CN (China)
- Prior art keywords: encrypted, process information, call, chain, information
- Legal status: Pending (the status is an assumption made by Google Patents and is not a legal conclusion; no legal analysis has been performed)
Classifications
- G06F: Electric digital data processing; G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/602: Providing cryptographic facilities or services (under G06F21/60, Protecting data)
- G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow (under G06F21/50, Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems)
- G06F21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities (under G06F21/56, Computer malware detection or handling, e.g. anti-virus arrangements, and G06F21/55, Detecting local intrusion or implementing counter-measures)
Abstract
The invention discloses a security protection system and method for a call chain, in the technical field of call chain security protection. The system comprises: a call stack module, which acquires the call chain, extracts the process information of the call chain and passes that information to the call stack encryption module; a call stack encryption module, which receives the process information and encrypts it in a preset manner; and a judgment processing module, which compares the encrypted process information with the encrypted data pre-stored in an encrypted file and, if the pre-stored data contains the encrypted process information, allows the process of the call chain to be loaded. The invention prevents programs from illegitimately calling into the protected process, forestalls intrusion events, keeps the program secure and has high application value.
Description
Technical Field
The present invention relates to the technical field of call chain security protection, and more particularly, to a security protection system and method for a call chain.
Background
As software has advanced, C# application programs have increasingly been subjected to malicious calls from malicious software. Such illegitimate calls subvert the behaviour of the original program and cause serious harm.
Three prior-art techniques and the problems they present are described below.
Patent application 201310462793.4 describes an intrusion detection method and device that implement kernel intrusion detection on a Linux system by means of a first acquisition module, a derivation module, a fingerprint-algorithm processing module, a first comparison module and a first confirmation module.
Patent application 201510809215.2 provides a method and apparatus for protecting an application program. They monitor calls to the loading function for DLL files and, if the process calling the loading function belongs to the application to be protected, determine whether the DLL file about to be loaded is malicious, thereby preventing the protected process from loading a malicious DLL.
Patent application 201410191624.6 discloses an active defence method and device based on the Linux system. A hook monitors the system calls of the Linux kernel; if the calling program is on a white list the call is allowed, otherwise it is refused. The method can detect programs run by the Linux system and intercept malicious ones.
The first scheme focuses on intrusion events in the kernel state of the Linux system. It obtains the call chain by locating the system call entry through assembly instructions and then obtaining the system call linked-list pointer through that entry; this is complex and applies only to Linux. The second scheme uses a hook function to monitor calls to the dynamic link library loading function and checks whether the library being loaded is in a pre-stored list of malicious dynamic link libraries, refusing to load the DLL if so. The third scheme also addresses intrusion events on the Linux system and is similar to the second, but uses a white list to decide whether a system call is permitted; it requires a hook to be set for every system call to be checked. All three schemes defend against malicious intrusion or invocation, but each has the corresponding drawbacks.
To overcome these defects of the prior art, research is needed to provide a call chain detection security protection technique for C# applications under Windows.
Disclosure of Invention
In view of the above problems, the present invention provides a security protection system for a call chain, comprising:
a call stack module, which acquires the call chain, extracts the process information of the call chain and passes the process information to the call stack encryption module;
a call stack encryption module, which receives the process information and encrypts the process information in a preset manner;
and a judgment processing module, which compares the encrypted process information with the encrypted data pre-stored in the encrypted file and, if the pre-stored data contains the encrypted process information, allows the process of the call chain to be loaded.
Optionally, the judgment processing module is further configured, when comparing the encrypted process information with the encrypted data pre-stored in the encrypted file, to prohibit the process of the call chain from being loaded and to raise an alarm if the pre-stored data does not contain the encrypted process information.
Optionally, the call stack encryption module is further configured to pre-store the encrypted file.
Optionally, the encrypted file is protected with an asymmetric encryption algorithm and stores the process information of the loaded call chain together with the result of encrypting that process information in the preset manner;
the process information comprises the process name of the call chain process and the MD5 digest of the program file corresponding to that process.
Optionally, the call stack module acquires the call chain using the stack information acquisition facility built into C#.
The invention also provides a security protection method for a call chain, comprising the following steps:
acquiring a call chain and extracting the process information of the call chain;
receiving the process information and encrypting it in a preset manner;
and comparing the encrypted process information with the encrypted data pre-stored in the encrypted file and, if the pre-stored data contains the encrypted process information, allowing the process of the call chain to be loaded.
Optionally, the method further comprises: when comparing the encrypted process information with the encrypted data pre-stored in the encrypted file, if the pre-stored data does not contain the encrypted process information, prohibiting the process of the call chain from being loaded and raising an alarm.
Optionally, the encrypted file is protected with an asymmetric encryption algorithm and stores the process information of the loaded call chain together with the result of encrypting that process information in the preset manner;
the process information comprises the process name of the call chain process and the MD5 digest of the program file corresponding to that process.
Optionally, the call chain is acquired using the stack information acquisition facility built into C#.
The invention prevents programs from illegitimately calling into the protected process, forestalls intrusion events, keeps the program secure and has high application value.
Drawings
FIG. 1 is a block diagram of the security protection system for a call chain of the present invention;
FIG. 2 is a schematic of the protection principle of the security protection system for a call chain of the present invention;
FIG. 3 is a flow chart of the security protection method for a call chain of the present invention.
Detailed Description
The exemplary embodiments of the present invention will now be described with reference to the accompanying drawings; however, the present invention may be embodied in many different forms and is not limited to the embodiments described herein, which are provided for a complete and thorough disclosure of the present invention and to fully convey its scope to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the accompanying drawings is not intended to limit the invention. In the drawings, the same units/elements are denoted by the same reference numerals.
Unless otherwise defined, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Further, it will be understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
The invention proposes a security protection system for a call chain, as shown in fig. 1; the principle of the protection is shown in fig. 2. The system comprises:
a call stack module, which acquires the call chain, extracts the process information of the call chain and passes the process information to the call stack encryption module;
a call stack encryption module, which receives the process information and encrypts the process information in a preset manner;
the call stack encryption module also pre-stores an encrypted file;
and a judgment processing module, which compares the encrypted process information with the encrypted data pre-stored in the encrypted file and, if the pre-stored data contains the encrypted process information, allows the process of the call chain to be loaded.
The judgment processing module also, when comparing the encrypted process information with the encrypted data pre-stored in the encrypted file, prohibits the process of the call chain from being loaded and raises an alarm if the pre-stored data does not contain the encrypted process information.
The encrypted file is protected with an asymmetric encryption algorithm and stores the process information of the loaded call chain together with the result of encrypting that process information in the preset manner;
the process information comprises the process name of the call chain process and the MD5 digest of the program file corresponding to that process.
The call stack module acquires the call chain using the stack information acquisition facility built into C#.
The invention also proposes a security protection method for a call chain, as shown in fig. 3, comprising:
acquiring a call chain and extracting the process information of the call chain;
receiving the process information and encrypting it in a preset manner;
and comparing the encrypted process information with the encrypted data pre-stored in the encrypted file and, if the pre-stored data contains the encrypted process information, allowing the process of the call chain to be loaded.
When comparing the encrypted process information with the encrypted data pre-stored in the encrypted file, if the pre-stored data does not contain the encrypted process information, the process of the call chain is prohibited from being loaded and an alarm is raised.
The encrypted file is protected with an asymmetric encryption algorithm and stores the process information of the loaded call chain together with the result of encrypting that process information in the preset manner;
the process information comprises the process name of the call chain process and the MD5 digest of the program file corresponding to that process.
The call chain is acquired using the stack information acquisition facility built into C#.
The invention prevents programs from illegitimately calling into the protected process, forestalls intrusion events, keeps the program secure and has high application value.
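As an added example that is not part of the patent, the sketch below implements the three modules described in the system, the method and the detailed description above (call stack, call stack encryption, judgment processing) in C#, the language the patent names for acquiring the call chain. All class and method names are assumptions of this example, as are three design choices the patent leaves open: HMAC-SHA256 as the "preset" encryption step (the comparison against the pre-stored file only works if that step is deterministic, so it is a keyed hash rather than encryption), SHA-256 in place of MD5 for the program-file digest (MD5 collisions are practical to produce, so a colliding file could pass an MD5 check), and an RSA signature over the allowlist file rather than encryption of it. The code assumes .NET 6 or later and takes the module that owns each managed frame as the "process" whose file is hashed.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class CallChainGuard
{
    // "Process information" for one module on the call chain: its name plus a
    // digest of its file on disk (SHA-256 here; the patent uses MD5).
    public static string Fingerprint(string moduleName, string modulePath)
    {
        using var sha = SHA256.Create();
        string digest = Convert.ToHexString(sha.ComputeHash(File.ReadAllBytes(modulePath)));
        return moduleName.ToLowerInvariant() + ":" + digest;
    }

    // "Encrypt in a preset manner": a keyed hash, so that the same input always
    // yields the same value and can be looked up in the pre-stored file.
    public static string Seal(byte[] key, string fingerprint)
    {
        using var mac = new HMACSHA256(key);
        return Convert.ToHexString(mac.ComputeHash(Encoding.UTF8.GetBytes(fingerprint)));
    }

    // Call stack module: walk the managed call chain with the stack facility built
    // into .NET and fingerprint each distinct assembly that appears on it.
    public static List<string> CallChainFingerprints()
    {
        var result = new List<string>();
        var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (StackFrame frame in new StackTrace(1, false).GetFrames())
        {
            var method = frame.GetMethod();
            if (method == null) continue;
            string path = method.Module.Assembly.Location;
            if (string.IsNullOrEmpty(path)) continue; // in-memory assembly: no file to hash
            if (seen.Add(path)) result.Add(Fingerprint(method.Module.Name, path));
        }
        return result;
    }

    // Pre-stored file: sealed fingerprints, one per line, then an RSA signature
    // over them. Signing is this example's choice: a decryption key embedded in
    // the application can be extracted, a verification key cannot forge a list.
    public static void WriteAllowlist(string path, RSA signingKey, IEnumerable<string> sealedEntries)
    {
        string body = string.Join("\n", sealedEntries);
        byte[] sig = signingKey.SignData(Encoding.UTF8.GetBytes(body),
                                         HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        File.WriteAllText(path, body + "\n" + Convert.ToBase64String(sig));
    }

    public static HashSet<string> ReadAllowlist(string path, RSA verifyKey)
    {
        string[] lines = File.ReadAllLines(path);
        if (lines.Length < 2) throw new CryptographicException("allowlist is empty or unsigned");
        string body = string.Join("\n", lines, 0, lines.Length - 1);
        byte[] sig = Convert.FromBase64String(lines[^1]);
        if (!verifyKey.VerifyData(Encoding.UTF8.GetBytes(body), sig,
                                  HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
            throw new CryptographicException("allowlist signature invalid; refusing to load");
        return new HashSet<string>(body.Split('\n'), StringComparer.OrdinalIgnoreCase);
    }

    // Judgment processing module: every assembly on the call chain must be in the
    // allowlist; otherwise loading is refused and an alarm is raised.
    public static bool CallChainAllowed(byte[] key, HashSet<string> allowlist, Action<string> alarm)
    {
        foreach (string fp in CallChainFingerprints())
        {
            if (allowlist.Contains(Seal(key, fp))) continue;
            alarm("unlisted module on call chain: " + fp);
            return false;
        }
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        byte[] macKey = RandomNumberGenerator.GetBytes(32); // real deployments: a fixed, protected key
        using RSA rsa = RSA.Create(2048);                    // private half stays with the build tooling
        string listPath = Path.Combine(Path.GetTempPath(), "callchain.allow");

        // Build time: seal the fingerprints of the modules allowed to call us.
        var entries = new List<string>();
        foreach (string fp in CallChainGuard.CallChainFingerprints())
            entries.Add(CallChainGuard.Seal(macKey, fp));
        CallChainGuard.WriteAllowlist(listPath, rsa, entries);

        // Run time: verify the file's signature, then judge the current call chain.
        HashSet<string> allow = CallChainGuard.ReadAllowlist(listPath, rsa);
        bool ok = CallChainGuard.CallChainAllowed(macKey, allow,
                                                  msg => Console.Error.WriteLine("ALARM: " + msg));
        Console.WriteLine(ok ? "call chain allowed" : "call chain refused");
    }
}
```

Two points a practitioner would check before relying on a scheme of this shape. The process or module name is under the caller's control, so it is the file digest, not the name, that must carry the decision; and the stack facility built into .NET walks only managed frames, so native callers and code injected below the managed runtime are outside what it can see. With the signed-allowlist design the verification key can be embedded in the application without weakening the scheme, whereas a key that decrypts the file could not be.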
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein. The scheme in the embodiments of the application can be implemented in various computer languages, such as the object-oriented programming language Java or the interpreted scripting language JavaScript.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.
Claims (9)
1. A security protection system for a call chain, the system comprising:
a call stack module, which acquires the call chain, extracts the process information of the call chain and passes the process information to the call stack encryption module;
a call stack encryption module, which receives the process information and encrypts the process information in a preset manner;
and a judgment processing module, which compares the encrypted process information with the encrypted data pre-stored in the encrypted file and, if the pre-stored data contains the encrypted process information, allows the process of the call chain to be loaded.
2. The system according to claim 1, wherein the judgment processing module is further configured, when comparing the encrypted process information with the encrypted data pre-stored in the encrypted file, to prohibit the process of the call chain from being loaded and to issue an alarm if the pre-stored data does not contain the encrypted process information.
3. The system according to claim 1, wherein the call stack encryption module is further configured to pre-store the encrypted file.
4. The system according to claim 1, wherein the encrypted file is protected with an asymmetric encryption algorithm and stores the process information of the loaded call chain together with the result of encrypting that process information in the preset manner;
the process information comprises the process name of the call chain process and the MD5 digest of the program file corresponding to that process.
5. The system according to claim 1, wherein the call stack module acquires the call chain using the stack information acquisition facility built into C#.
6. A security protection method for a call chain, the method comprising:
acquiring a call chain and extracting the process information of the call chain;
receiving the process information and encrypting it in a preset manner;
and comparing the encrypted process information with the encrypted data pre-stored in the encrypted file and, if the pre-stored data contains the encrypted process information, allowing the process of the call chain to be loaded.
7. The method according to claim 6, further comprising: when comparing the encrypted process information with the encrypted data pre-stored in the encrypted file, if the pre-stored data does not contain the encrypted process information, prohibiting the process of the call chain from being loaded and issuing an alarm.
8. The method according to claim 6, wherein the encrypted file is protected with an asymmetric encryption algorithm and stores the process information of the loaded call chain together with the result of encrypting that process information in the preset manner;
the process information comprises the process name of the call chain process and the MD5 digest of the program file corresponding to that process.
9. The method according to claim 6, wherein the call chain is acquired using the stack information acquisition facility built into C#.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011633897.3A CN112800416A (en) | 2020-12-31 | 2020-12-31 | Safety protection system and method for calling chain |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011633897.3A CN112800416A (en) | 2020-12-31 | 2020-12-31 | Safety protection system and method for calling chain |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112800416A true CN112800416A (en) | 2021-05-14 |
Family
ID=75808467
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011633897.3A Pending CN112800416A (en) | 2020-12-31 | 2020-12-31 | Safety protection system and method for calling chain |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112800416A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113742659A (en) * | 2021-08-09 | 2021-12-03 | 航天信息股份有限公司 | Application program protection method and device, electronic equipment and storage medium |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101408917A (en) * | 2008-10-22 | 2009-04-15 | 厦门市美亚柏科资讯科技有限公司 | Method and system for detecting application program behavior legality |
CN104992081A (en) * | 2015-06-24 | 2015-10-21 | 华中科技大学 | Security enhancement method for third-party code of Android application program |
CN106778234A (en) * | 2015-11-19 | 2017-05-31 | 珠海市君天电子科技有限公司 | Application program protection method and device |
CN106802821A (en) * | 2017-02-14 | 2017-06-06 | 腾讯科技(深圳)有限公司 | Recognition application installs the method and device in source |
CN107092553A (en) * | 2017-04-20 | 2017-08-25 | 广州华多网络科技有限公司 | A kind of method, device and computer system for setting up request call chain between process |
CN109784054A (en) * | 2018-12-29 | 2019-05-21 | 360企业安全技术(珠海)有限公司 | Behavior stack information acquisition methods and device |
CN110245464A (en) * | 2018-10-10 | 2019-09-17 | 爱信诺征信有限公司 | The method and apparatus for protecting file |
Events
- 2020-12-31: CN application CN202011633897.3A filed (patent/CN112800416A/en); status Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20210514 |