CN113051550A - Terminal equipment, protection method and device thereof and readable storage medium - Google Patents


Info

Publication number
CN113051550A
Authority
CN
China
Prior art keywords
target
control
file
terminal device
registry
Legal status
Pending
Application number
CN202110342904.2A
Other languages
Chinese (zh)
Inventor
王云峰
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN202110342904.2A
Publication of CN113051550A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The invention discloses a protection method and device for a terminal device, a terminal device and a readable storage medium. The method comprises the following steps: acquiring a target control operation of a process; determining, based on the target control operation, a target type of the control target of that operation, where the target type is either an operable target or an inoperable target; and handling the target control operation according to the target type. Because the target control operation is handled according to the target type of its control target, and hacking tools are countered in a targeted manner from the attacker's perspective on the basis of the driver countermeasure principle, the terminal device is protected in the three asset dimensions of process, file and registry, damage by both non-driver tools and driver-based tools is prevented, the protection capability against driver-based hacking tools is improved, the system protection capability of the terminal device is improved, and the security of the terminal device is ensured.

Description

Terminal equipment, protection method and device thereof and readable storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and an apparatus for protecting a terminal device, and a readable storage medium.
Background
At present, the protection that most security products provide for a terminal device is basic: it prevents damage by ordinary non-driver tools (malware that does not use a kernel driver) and by hacking tools that do not use a driver. Their ability to protect against malware (also called hacking tools) that uses a driver is limited or absent, so most current security products can easily be disabled by an attacker using such a hacking tool, after which the system of the terminal device loses its protection capability.
Therefore, how to improve the protection capability against driver-based hacking tools, improve the system protection capability of the terminal device, and ensure the security of the terminal device is a problem that urgently needs to be solved.
Disclosure of Invention
The invention aims to provide a protection method and device for a terminal device, a terminal device and a readable storage medium, so as to improve the protection capability against driver-based hacking tools on the basis of driver countermeasure, improve the system protection capability of the terminal device, and ensure the security of the terminal device.
To solve the above technical problem, the present invention provides a method for protecting a terminal device, comprising:
acquiring a target control operation of a process, where the target control operation comprises at least one of a process creation operation, a driver loading operation, a process handle operation, a registry operation and a file operation;
determining, based on the target control operation, a target type of the control target of the target control operation, where the target type is either an operable target or an inoperable target;
and handling the target control operation according to the target type.
Optionally, the target control operation comprises the process creation operation and/or the driver loading operation, and determining the target type of the control target based on the target control operation comprises:
detecting the control target and judging whether it is a safe target, where the control target is the process created under control of the process creation operation or the driver loaded under control of the driver loading operation;
if it is, determining that the target type of the control target is the operable target;
if it is not, determining that the target type of the control target is the inoperable target.
Optionally, the target control operation comprises the process handle operation, the registry operation and/or the file operation, and determining the target type of the control target based on the target control operation comprises:
detecting the control target and judging whether it is a protected target, where the control target is the process controlled by the process handle operation, the registry entry controlled by the registry operation, or the file controlled by the file operation;
if it is, determining that the target type of the control target is the inoperable target;
if it is not, determining that the target type of the control target is the operable target.
Optionally, the target control operation comprises the process handle operation, the registry operation and/or the file operation, and determining the target type of the control target based on the target control operation comprises:
detecting the control target and judging whether it is a protected target, where the control target is the process controlled by the process handle operation, the registry entry controlled by the registry operation, or the file controlled by the file operation;
if the control target is the protected target, determining that its target type is the inoperable target;
if the control target is not the protected target, detecting the initiator program of the target control operation and judging whether the initiator program is a safe program, where the initiator program is the process or driver that initiated the target control operation;
if the initiator program is a safe program, determining that the target type of the control target is the operable target;
and if the initiator program is not a safe program, determining that the target type of the control target is the inoperable target.
Optionally, the method further comprises:
calling a shutdown callback program last, at the final stage of the shutdown process of the terminal device;
and running the shutdown callback program, which invokes the stored repair process file so that any protected registry entries and protected files of the terminal device that were modified are repaired after start-up.
Optionally, the shutdown callback program is made to be called last as follows:
during start-up of the terminal device, the linked-list entry corresponding to the shutdown callback program is inserted at the head of the shutdown callback linked list, so that the terminal device calls the shutdown callback program last during shutdown.
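The shutdown callback and start-up repair described above, as an added user-mode model that is not the patent's own code. The shutdown-callback list, the order in which the system walks it (assumed here to run tail-first, so that the entry inserted at the head runs last, matching the claim above), and the in-memory "repair file" are all assumptions chosen to illustrate the mechanism; on a real system the list belongs to the operating system and the repair file would be an on-disk manifest of the protected registry values and files. The protected items and their values are constructed.

```c
/* Added example (not the patent's code): shutdown callback ordering plus
 * start-up repair of protected registry values and files. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* --- shutdown callback list ------------------------------------------- */
typedef void (*shutdown_fn)(void *ctx);
typedef struct cb_node { shutdown_fn fn; void *ctx; struct cb_node *next; } cb_node;

static cb_node *g_shutdown_list = NULL;
static char     g_trace[64];      /* order in which callbacks actually ran */
static char     g_last_order[64]; /* copy of g_trace from the last demo run */

/* Registration inserts at the head of the list (as the text describes). */
void register_shutdown_callback(cb_node *node) {
    node->next = g_shutdown_list;
    g_shutdown_list = node;
}

/* ASSUMPTION: the system walks the list from tail to head, so the head entry
 * (the most recently registered one) is the last callback to run. */
static void walk_tail_first(cb_node *n) {
    if (!n) return;
    walk_tail_first(n->next);
    n->fn(n->ctx);
}
void run_shutdown(void) { g_trace[0] = '\0'; walk_tail_first(g_shutdown_list); }

/* --- protected state and repair --------------------------------------- */
#define MAX_ITEMS 8
/* A protected registry value or file, modelled as a name plus text content. */
typedef struct { const char *name; char value[32]; } protected_item;
typedef struct { protected_item items[MAX_ITEMS]; size_t n; } item_store;

/* Shutdown callback body: write the known-good state of every protected item
 * into the repair file (here: copy the store). */
typedef struct { const item_store *live; item_store *repair_file; } snapshot_ctx;
static void snapshot_cb(void *p) {
    snapshot_ctx *c = p;
    *c->repair_file = *c->live;
    strcat(g_trace, "protect;");
}
static void other_cb(void *p) { (void)p; strcat(g_trace, "other;"); }

/* After start-up: restore every protected item whose value no longer matches
 * the repair file, re-creating items that were deleted. Returns the count. */
size_t repair_from_file(item_store *live, const item_store *repair_file) {
    size_t repaired = 0;
    for (size_t i = 0; i < repair_file->n; i++) {
        const protected_item *want = &repair_file->items[i];
        protected_item *have = NULL;
        for (size_t j = 0; j < live->n; j++)
            if (strcmp(live->items[j].name, want->name) == 0) { have = &live->items[j]; break; }
        if (have && strcmp(have->value, want->value) == 0) continue; /* intact */
        if (!have) {                                                 /* deleted: re-create */
            if (live->n >= MAX_ITEMS) continue;
            have = &live->items[live->n++];
            have->name = want->name;
        }
        strcpy(have->value, want->value);
        repaired++;
    }
    return repaired;
}

/* Constructed scenario: two protected items, a clean shutdown in which the
 * protection callback runs last, then a tamper (one value changed, one item
 * deleted) before the next start-up. Returns the number of items repaired. */
size_t demo_repair(void) {
    item_store live = { { { "HKLM\\SOFTWARE\\EDR\\Enabled", "1" },
                         { "C:\\EDR\\agent.cfg", "mode=protect" } }, 2 };
    item_store repair_file;
    memset(&repair_file, 0, sizeof repair_file);
    snapshot_ctx ctx = { &live, &repair_file };
    cb_node other = { other_cb, NULL, NULL }, protect = { snapshot_cb, &ctx, NULL };
    register_shutdown_callback(&other);
    register_shutdown_callback(&protect); /* at the head, therefore runs last */
    run_shutdown();
    strcpy(g_last_order, g_trace);
    g_shutdown_list = NULL;               /* nodes above are stack-allocated */

    strcpy(live.items[0].value, "0");     /* registry value flipped */
    live.n = 1;                           /* config file deleted */
    return repair_from_file(&live, &repair_file);
}
const char *last_shutdown_order(void) { return g_last_order; }

int main(void) {
    printf("repaired %zu items; callback order: %s\n", demo_repair(), last_shutdown_order());
    return 0;
}
```

The repair step compares the live state against the snapshot by name, which is why a deleted item can be re-created rather than only overwritten; a real implementation would store a hash or the file bytes in the manifest instead of a short string.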
Optionally, the method further comprises:
installing a communication analysis device on a target driver, where the target driver comprises a dangerous driver;
extracting, with the communication analysis device, the communication information of a target operation of the target driver, where the target operation comprises an operation on a protected process, a protected registry entry and/or a protected file, and the communication information comprises a communication control code and/or a request packet format;
and handling the target operation accordingly using the communication information.
Optionally, the communication information comprises a communication control code and a request packet format, and handling the target operation using the communication information comprises:
acquiring the current target operation of the target driver;
judging whether the current target operation uses the communication control code or the request packet format;
and if so, intercepting the current target operation.
The invention also provides a protection device for a terminal device, comprising:
an acquisition module for acquiring a target control operation of a process, where the target control operation comprises at least one of a process creation operation, a driver loading operation, a process handle operation, a registry operation and a file operation;
a determination module for determining, based on the target control operation, a target type of the control target of the target control operation, where the target type is either an operable target or an inoperable target;
and a control module for handling the target control operation according to the target type.
The present invention also provides a terminal device, comprising:
a memory for storing a computer program;
and a processor for implementing the steps of the method for protecting a terminal device described above when the computer program is executed.
Furthermore, the present invention also provides a readable storage medium on which a computer program is stored, which, when executed by a processor, implements the steps of the method for protecting a terminal device described above.
The invention provides a method for protecting a terminal device, comprising: acquiring a target control operation of a process, where the target control operation comprises at least one of a process creation operation, a driver loading operation, a process handle operation, a registry operation and a file operation; determining, based on the target control operation, a target type of the control target of the target control operation, where the target type is either an operable target or an inoperable target; and handling the target control operation according to the target type.
Because the method and device handle the target control operation according to the target type of its control target, and counter hacking tools in a targeted manner from the attacker's perspective on the basis of the driver countermeasure principle, the terminal device is protected in the three asset dimensions of process, file and registry, damage by both non-driver and driver-based tools is prevented, the protection capability against driver-based hacking tools is improved, the system protection capability of the terminal device is improved, and the security of the terminal device is ensured. In addition, the invention also provides a protection device for a terminal device, a terminal device and a readable storage medium, which have the same beneficial effects.
Drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in the description of the embodiments or of the prior art are briefly introduced below. It is obvious that the drawings described below show only embodiments of the present invention, and that those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a method for protecting a terminal device according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the system components of another method for protecting a terminal device according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of process protection in another method for protecting a terminal device according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of registry protection in another method for protecting a terminal device according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of file protection in another method for protecting a terminal device according to an embodiment of the present invention;
Fig. 6 is a flowchart of another method for protecting a terminal device according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of the repair flow in another method for protecting a terminal device according to an embodiment of the present invention;
Fig. 8 is a block diagram of a protection device for a terminal device according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a terminal device according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of a terminal device according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. It is obvious that the described embodiments are some, but not all, of the embodiments of the present invention. All other embodiments that a person skilled in the art can derive from the embodiments given herein without creative effort fall within the protection scope of the present invention.
Referring to fig. 1, fig. 1 is a flowchart of a method for protecting a terminal device according to an embodiment of the present invention. The method may comprise the following steps:
Step 101: acquiring a target control operation of a process, where the target control operation comprises at least one of a process creation operation, a driver loading operation, a process handle operation, a registry operation and a file operation.
The target control operation of a process in this step may be any control operation related to the process: an operation that controls the process itself, such as the operation that creates the process (the process creation operation) and a handle operation performed on the process (the process handle operation); or an operation that the process controls, such as the process loading a driver (the driver loading operation), the process operating on the registry (the registry operation), and the process operating on a file (the file operation).
Specifically, the content of the target control operation acquired by the processor of the terminal device in this embodiment may be set by the designer according to the practical scenario and user requirements. For example, the target control operation may include a process creation operation: as shown in fig. 2 and fig. 3, a process protection engine may be set up in the kernel and a process callback installed in kernel mode to monitor process creation, so that when a process is created the processor receives a notification (the process creation operation), audits the process to be created, and protects the process asset dimension. The target control operation may include a process handle operation: as shown in fig. 2 and fig. 3, the process protection engine installs a handle callback in kernel mode, so that when a created process wants to operate on a target process (the control target), the processor receives a corresponding notification (the process handle operation), audits the target process, and protects the process asset dimension. The target control operation may include a driver loading operation: as shown in fig. 2 and fig. 3, the process protection engine installs a driver load callback, so that when a created process wants to load a driver, the processor receives a notification (the driver loading operation), audits the driver to be loaded, and protects the process asset dimension.
The target control operation may further include an operation of the process on the registry (a registry operation): as shown in fig. 2 and fig. 4, a registry protection engine may be set up in the kernel and a registry callback installed, so that when a created process wants to operate on the registry, the processor receives a corresponding notification, audits the registry operation, and protects the registry asset dimension. The target control operation may further include an operation of the process on a file (a file operation): as shown in fig. 2 and fig. 5, a file protection engine may be set up in the kernel and a file filter installed (for example a minifilter, Microsoft's file system minifilter framework), so that when a process wants to operate on a file, the processor receives a corresponding notification, audits the file operation, and protects the file asset dimension.
Step 102: determining, based on the target control operation, a target type of the control target of the target control operation, where the target type is either an operable target or an inoperable target.
It can be understood that the control target of the target control operation in this step is the object the operation would act on. When the target control operation is a process creation operation or a process handle operation, the control target is a target process, namely the process created under control of the process creation operation or the process whose handle the process handle operation opens or modifies; when it is a driver loading operation, the control target is the driver to be loaded; when it is a registry operation, the control target is the registry entry operated on; and when it is a file operation, the control target is the file operated on.
Specifically, the target type of a control target in this step is either an operable target, which may be controlled and operated on, or an inoperable target, which may not; that is, the control target of each target control operation is classified as one or the other. By determining the target type of the control target, the processor determines whether the target control operation may be executed, so that it can intercept the operation and ensure the security of the terminal device when the target type is an inoperable target.
It should be noted that the specific manner in which the processor determines the target type of the control target based on the target control operation in this step may be set by the designer according to the practical scenario and user requirements. For example, where the target control operation includes a process creation operation and/or a driver loading operation, the processor in this step may detect the control target and judge whether it is a safe target; if it is, the target type of the control target is determined to be an operable target, and if it is not, the target type is determined to be an inoperable target, where the control target is the process created under control of the process creation operation or the driver loaded under control of the driver loading operation. That is, when the target control operation is a process creation operation or a driver loading operation, the processor audits the control target and judges whether it is safe, so that when it is not a safe target its target type is determined to be an inoperable target and execution of the target control operation is avoided. As shown in fig. 2 and fig. 3, when a process is about to load a driver, the installed driver load callback delivers a driver loading event, which the processor receives through the event receiving service of the application-layer decision engine; the event information extension obtains the driver information (such as the driver name) of the driver that the driver loading operation would load, and the decision engine audits whether the driver is a safe target by matching the obtained driver information against the corresponding rules in the rule base. For example, when the driver information matches an entry in the driver blacklist of the rule base, the audit decision is that the driver is not a safe target, that is, it is a dangerous driver (for example the driver of a hacking tool), and the corresponding driver loading operation can then be intercepted in step 103 to prevent the driver from being loaded, thereby weakening the attack capability of the hacking tool.
Correspondingly, where the target control operation includes a process handle operation, a registry operation and/or a file operation, the processor in this step may detect the control target and judge whether it is a protected target; if it is, the target type of the control target is determined to be an inoperable target, and if it is not, the target type is determined to be an operable target, where the control target is the process controlled by the process handle operation, the registry entry controlled by the registry operation, or the file controlled by the file operation. That is, when the target control operation is a process handle operation, a registry operation or a file operation, the processor identifies the control target and judges whether it is a preset target to be protected (a protected target), so that when it is a protected target its target type is directly determined to be an inoperable target and execution of the target control operation is avoided.
Specifically, this embodiment does not limit the manner in which the processor detects the control target and judges whether it is a safe target; for example, the processor may audit the control target against a preset blacklist. When the target control operation is a driver loading operation, the processor may match the driver information of the driver to be loaded (the control target) against the driver information of drivers (for example hacking-tool drivers) in the driver blacklist of the rule base; if it matches, the driver is determined not to be a safe target, the driver loading operation is intercepted, the driver is prevented from loading, and the attack capability of the hacking tool is weakened. When the target control operation is a process creation operation, the processor may match the process information (such as file information and signature information) of the target process (the control target) against the process information of each process in the process blacklist of the rule base; if it matches, the target process is determined not to be a safe target, that is, the process to be created may be one created to run a hacking tool.
Similarly, this embodiment does not limit the manner in which the processor detects the control target and judges whether it is a protected target; for example, the processor may check the control target against a preset protected list. When the target control operation is a process handle operation, the processor may check whether the target process (the control target) of the process handle operation is in the protected list, and if it is, determine that the target process is a protected target.
Further, where the target control operation includes a process handle operation, a registry operation and/or a file operation, the processor in this step need not decide the target type solely from whether the control target is a protected target; it may additionally detect the initiator program (a process or a driver) of the target control operation and determine the target type to be an inoperable target when the initiator program is not a safe program, so as to further detect use of a hacking tool. That is, in this case the processor detects the control target and judges whether it is a protected target; if it is a protected target, the target type of the control target is determined to be an inoperable target; if it is not a protected target, the processor detects the initiator program of the target control operation and judges whether the initiator program is a safe program; if it is a safe program, the target type of the control target is determined to be an operable target, and if it is not, the target type is determined to be an inoperable target. The initiator program of the target control operation may be a process, for example a created process that initiates a process handle operation; it may also be a driver, for example a process-controlled driver (such as the driver of a hacking tool) that initiates a registry operation.
Step 103: handling the target control operation according to the target type.
It can be understood that in this step the processor handles the target control operation according to the target type of its control target. This embodiment does not limit the specific manner of doing so; for example, when the target type of the control target is an inoperable target, the processor may intercept the target control operation and prevent its execution, thereby protecting the terminal device, and when the target type is an operable target, the processor may execute the target control operation normally. Further, when the target control operation is a process handle operation of a created process on a target process, and the target type of the control target (the target process) is an inoperable target, the processor may intercept the process handle operation by removing the write-memory permission from the created process, so that the created process cannot harm the protected process.
In the embodiment of the invention, the target control operation is handled according to the target type of its control target, and hacking tools are countered in a targeted manner from the attacker's perspective on the basis of the driver countermeasure principle, so that the terminal device is protected in the three asset dimensions of process, file and registry, damage by both non-driver and driver-based tools is prevented, the protection capability against driver-based hacking tools is improved, the system protection capability of the terminal device is improved, and the security of the terminal device is ensured.
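Steps 101 to 103 above, worked through as one added user-mode model that is not the patent's own code. In a Windows driver the events would arrive through the process, handle, image-load, registry and minifilter callbacks the text describes; here each event is a `control_op` struct, the rule base (driver blacklist, process blacklist, protected list, safe-program list) is a constructed in-memory list with placeholder names, and `check_initiator` selects the extended variant that also audits the initiator program. The `PROCESS_*` constants are the real Windows process access rights; stripping `PROCESS_VM_OPERATION` alongside `PROCESS_VM_WRITE` is my addition, since a remote memory write needs both.

```c
/* Added example (not the patent's code): classification of a control target
 * (step 102) and the resulting action (step 103), including the handle case
 * where write-memory rights are stripped instead of failing the handle open. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { OP_PROCESS_CREATE, OP_DRIVER_LOAD, OP_PROCESS_HANDLE,
               OP_REGISTRY, OP_FILE } op_kind;
typedef enum { TARGET_OPERABLE, TARGET_INOPERABLE } target_type;

/* Windows process access rights (real PROCESS_* values). */
#define PROCESS_VM_OPERATION      0x0008u
#define PROCESS_VM_READ           0x0010u
#define PROCESS_VM_WRITE          0x0020u
#define PROCESS_QUERY_INFORMATION 0x0400u

typedef struct {
    op_kind     kind;
    const char *target;         /* image name, driver name, registry path or file path */
    const char *initiator;      /* process or driver that initiated the operation */
    uint32_t    desired_access; /* only used for OP_PROCESS_HANDLE */
} control_op;

typedef struct {
    int      intercept;      /* 1 = step 103 intercepted the operation */
    uint32_t granted_access; /* access left after interception (handle ops only) */
} decision;

/* Constructed rule base; the names are placeholders, not real tool identifiers. */
static const char *driver_blacklist[]  = { "hacktool.sys", "vulnerable_rw.sys" };
static const char *process_blacklist[] = { "hacktool.exe" };
static const char *protected_list[]    = { "edr_agent.exe",
                                           "HKLM\\SOFTWARE\\EDR\\Config",
                                           "C:\\EDR\\agent.dll" };
static const char *safe_programs[]     = { "explorer.exe", "services.exe", "edr_agent.exe" };

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Windows object names are case-insensitive, so compare without case. */
static int eq_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

static int in_list(const char *s, const char **list, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (eq_nocase(s, list[i])) return 1;
    return 0;
}

/* Step 102: classify the control target of one operation. */
target_type classify_target(const control_op *op, int check_initiator) {
    switch (op->kind) {
    case OP_PROCESS_CREATE: /* safe target = not on the process blacklist */
        return in_list(op->target, process_blacklist, COUNT(process_blacklist))
               ? TARGET_INOPERABLE : TARGET_OPERABLE;
    case OP_DRIVER_LOAD:    /* safe target = not on the driver blacklist */
        return in_list(op->target, driver_blacklist, COUNT(driver_blacklist))
               ? TARGET_INOPERABLE : TARGET_OPERABLE;
    default:                /* handle, registry, file: protected targets are off limits */
        if (in_list(op->target, protected_list, COUNT(protected_list)))
            return TARGET_INOPERABLE;
        if (check_initiator &&
            !in_list(op->initiator, safe_programs, COUNT(safe_programs)))
            return TARGET_INOPERABLE;
        return TARGET_OPERABLE;
    }
}

/* Step 103: act on the classification. A handle operation on an inoperable
 * target keeps its handle but loses the write-memory rights; every other
 * inoperable operation is blocked outright. */
decision handle_control_op(const control_op *op, int check_initiator) {
    decision d = { 0, op->desired_access };
    if (classify_target(op, check_initiator) == TARGET_OPERABLE)
        return d; /* operable target: execute normally */
    d.intercept = 1;
    if (op->kind == OP_PROCESS_HANDLE)
        d.granted_access &= ~(PROCESS_VM_WRITE | PROCESS_VM_OPERATION);
    else
        d.granted_access = 0;
    return d;
}

int main(void) {
    control_op evts[] = {
        { OP_DRIVER_LOAD,    "HackTool.sys",  "installer.exe", 0 },
        { OP_PROCESS_HANDLE, "edr_agent.exe", "hacktool.exe",
          PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION },
        { OP_REGISTRY, "HKLM\\SOFTWARE\\Contoso", "unknown.exe", 0 },
    };
    for (size_t i = 0; i < COUNT(evts); i++) {
        decision d = handle_control_op(&evts[i], 1);
        printf("%-24s intercept=%d granted=0x%04x\n", evts[i].target,
               d.intercept, (unsigned)d.granted_access);
    }
    return 0;
}
```

Note the asymmetry the text sets up: for creation and loading the question is "is the target safe?" (a blacklist check, default allow), while for handle, registry and file operations it is "is the target protected?" (an allow-list of assets, default deny for those assets), optionally tightened by an initiator check.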
Building on the above embodiment, the method provided by this embodiment may further perform reverse analysis of the hacking tool, extracting its communication rules so that its communication can be intercepted and the protection capability of the terminal device further improved. Specifically, referring to fig. 6, fig. 6 is a flowchart of another method for protecting a terminal device according to an embodiment of the present invention; the method includes:
Step 201: install a communication analysis device on the target driver; the target driver includes a dangerous driver.
The target driver in this step may be a driver that needs to be reverse-analyzed; it may include a driver that was not found to be a safe program in the embodiments described above (i.e., a dangerous driver), such as a driver on a driver blacklist. The communication analysis device in this step may be a virtual device (i.e., a program) attached to the target driver to analyze its communication information. As shown in fig. 3 to fig. 5, because of the inherent limitations of the 64-bit system, this embodiment may adopt an efficient and available device communication filtering scheme: a communication analysis device is created and attached to the target driver (such as the driver of a hacking tool), and, on the driver-against-driver principle, the device discovers the communication manner (i.e., the communication information) by which the target driver operates on processes, files and the registry, so that the target driver's target operations can be intercepted.
Specifically, the target driver in this step may be a dangerous driver. For example, when the processor of the terminal device audits a driver as in the above embodiment and determines that it is not a safe program, the communication analysis device may be installed on that driver in this step, so that the driver's target operations can be intercepted using the extracted communication information.
Step 202: extract the communication information of the target driver's target operation using the communication analysis device; the target operation includes an operation on a protected process, a protected registry and/or a protected file, and the communication information includes a communication control code and/or a request packet format.
In this step, using the communication analysis device created and attached to the target driver, the processor may discover, on the driver-against-driver principle, the control code (IoControlCode) with which the target driver operates on processes, files and the registry, and may analyze the format of the target driver's request packets (i.e., the request packet format), so as to extract a screening rule for the target operation. For example, when the processor later observes a target operation transmitted with the extracted control code and/or request packet format, it may intercept the operation directly and return operation-failure information, achieving the protection purpose.
Specifically, the target operation in this step may include an operation on a protected process, such as an operation that ends the protected process; an operation on a protected registry; or an operation on a protected file. The request packet format in this step may be the format information of the request packet of the target driver's target operation, such as the location (e.g., offset) within the request packet of the content that identifies the protected target (e.g., a protected process, protected registry or protected file).
Step 203: perform the corresponding operation on the target operation using the communication information.
In this step the processor may control the target driver's target operation according to the extracted communication information. For example, when the target driver issues a target operation using the extracted communication information, the target operation is intercepted, so that the target operations of a hacker tool, such as ending a protected process or operating on a protected registry or protected file, can be intercepted more quickly.
The specific way in which the processor acts on the target operation using the communication information is not limited in this embodiment. For example, when the communication information includes a communication control code and a request packet format, after the processor obtains the current target operation of the target driver it may determine whether the current target operation uses the extracted communication control code or the extracted request packet format; if so, it intercepts the current target operation; if not, it may perform the current target operation or enter step 102. Alternatively, when the communication information includes both a communication control code and a request packet format, the processor may intercept the current target operation only when it uses both the extracted communication control code and the extracted request packet format. The present embodiment does not limit this.
Specifically, as shown in fig. 2 to 5, in this embodiment a device communication filtering unit may also be installed in the process protection engine, file protection engine and registry protection engine set up in the kernel, so that target operations are screened and intercepted using screening rules issued by the rule management unit of the decision engine in the application layer, where a screening rule may be a rule for intercepting target operations that use the extracted communication control code or request packet format. That is, in this step the processor may use the communication filtering unit in the kernel to intercept the current target operation when it determines that the operation uses the extracted communication control code or request packet format.
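The following C program is an added user-mode model of the device communication filtering unit described in steps 202 and 203 and is not the patent's code; the control codes, packet layouts, protected names and packets are constructed, and only the two NTSTATUS values are real Windows constants. It implements both matching variants the text allows (either the extracted code or the extracted layout, or both) and treats a malformed packet as non-matching rather than parsing it further.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* NTSTATUS values as defined in the Windows DDK (real values). */
#define STATUS_SUCCESS       0x00000000u
#define STATUS_ACCESS_DENIED 0xC0000022u

/* One screening rule as the rule management unit would issue it: the IoControlCode
   the dangerous driver uses for an asset class and where the target's
   NUL-terminated name sits in the request packet. */
typedef enum { ASSET_PROCESS, ASSET_REGISTRY, ASSET_FILE } asset_kind;
typedef struct {
    uint32_t   control_code;
    asset_kind asset;
    size_t     name_offset;  /* offset of the target name in the input buffer */
    size_t     min_length;   /* shortest packet that is well-formed for this code */
} screening_rule;

/* What the filter sees for one IRP_MJ_DEVICE_CONTROL request. */
typedef struct { uint32_t control_code; const uint8_t *input; size_t input_length; } device_request;

/* Intercept when the request reuses EITHER the extracted code or the extracted
   packet layout, or only when it uses BOTH (the two variants the text allows). */
typedef enum { MATCH_EITHER, MATCH_BOTH } match_mode;

/* Constructed rules, as if extracted from a reversed hacker-tool driver. */
static const screening_rule RULES[] = {
    { 0x222004u, ASSET_PROCESS,  4, 5 },  /* u32 pid, then image name  */
    { 0x222010u, ASSET_REGISTRY, 0, 1 },  /* key path at offset 0      */
    { 0x22201Cu, ASSET_FILE,     8, 9 },  /* u64 flags, then file path */
};
#define NRULES (sizeof RULES / sizeof RULES[0])
static const char *PROTECTED[] = { "edr_agent.exe",
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\EdrAgent",
    "C:\\Program Files\\EDR\\agent.dll" };

static const screening_rule *find_rule(uint32_t code) {
    for (size_t i = 0; i < NRULES; i++)
        if (RULES[i].control_code == code) return &RULES[i];
    return NULL;
}
static int is_protected(const char *name) {
    for (size_t i = 0; i < sizeof PROTECTED / sizeof PROTECTED[0]; i++)
        if (strcmp(PROTECTED[i], name) == 0) return 1;
    return 0;
}

/* Read the packet with rule r's layout: does it name a protected target?
   A packet too short for the layout, or whose name has no terminator inside
   the buffer, is treated as not matching instead of being parsed further. */
static int names_protected(const device_request *req, const screening_rule *r) {
    if (req->input_length < r->min_length || r->name_offset >= req->input_length) return 0;
    const char *name = (const char *)req->input + r->name_offset;
    if (memchr(name, '\0', req->input_length - r->name_offset) == NULL) return 0;
    return is_protected(name);
}

/* The communication filtering unit: the status to complete the request with. */
uint32_t filter_request(const device_request *req, match_mode mode) {
    const screening_rule *r = find_rule(req->control_code);
    if (mode == MATCH_BOTH)
        return (r && names_protected(req, r)) ? STATUS_ACCESS_DENIED : STATUS_SUCCESS;
    if (r) return STATUS_ACCESS_DENIED;            /* extracted control code reused */
    for (size_t i = 0; i < NRULES; i++)            /* extracted packet layout reused */
        if (names_protected(req, &RULES[i])) return STATUS_ACCESS_DENIED;
    return STATUS_SUCCESS;
}

/* Helpers: wrap a raw buffer, or build a packet in the layout the code uses. */
uint32_t filter_raw(uint32_t code, const uint8_t *buf, size_t len, match_mode mode) {
    device_request req = { code, buf, len };
    return filter_request(&req, mode);
}
uint32_t filter_named(uint32_t code, const char *name, match_mode mode) {
    uint8_t buf[256] = { 0 };
    const screening_rule *r = find_rule(code);
    size_t off = r ? r->name_offset : 0;
    if (off + strlen(name) + 1 > sizeof buf) return STATUS_SUCCESS;
    memcpy(buf + off, name, strlen(name) + 1);      /* leading header bytes stay zero */
    return filter_raw(code, buf, off + strlen(name) + 1, mode);
}

int main(void) {
    printf("0x222004 naming edr_agent.exe -> 0x%08x (BOTH)\n",
           (unsigned)filter_named(0x222004u, "edr_agent.exe", MATCH_BOTH));
    printf("0x222004 naming notepad.exe   -> 0x%08x (BOTH)\n",
           (unsigned)filter_named(0x222004u, "notepad.exe", MATCH_BOTH));
    printf("0x222004 naming notepad.exe   -> 0x%08x (EITHER)\n",
           (unsigned)filter_named(0x222004u, "notepad.exe", MATCH_EITHER));
    printf("0x22201C naming agent.dll     -> 0x%08x (BOTH)\n",
           (unsigned)filter_named(0x22201Cu, "C:\\Program Files\\EDR\\agent.dll", MATCH_BOTH));
    return 0;
}
```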
Further, as shown in fig. 7, the method provided in this embodiment may also include a repair process for the terminal device, so that the protected registry and protected files are repaired and restored before the terminal device is powered off.
Specifically, the method provided by this embodiment may further include: the processor of the terminal device calls a shutdown callback program last in the shutdown process of the terminal device; and the shutdown callback program runs and calls the stored repair process file to repair the protected registry and protected files that were modified after the terminal device started.
That is, in this embodiment, by ensuring that the driver's shutdown callback program is called last in the shutdown process of the terminal device, the registry to be protected (i.e., the protected registry) and the files to be protected (i.e., the protected files) are repaired before shutdown and cannot be modified or destroyed again.
The stored repair process file may be a file that the driver saves in the memory of the terminal device for repairing the protected registry and protected files, for example, a repair process file corresponding to the protected registry and protected files that the driver saves in memory when the terminal device is powered on, as in existing techniques.
The specific way of ensuring that the processor calls the shutdown callback program last during the shutdown process may be chosen by the designer. For example, if the processor adds the linked-list entry corresponding to the shutdown callback program to the head of the shutdown callback linked list during the startup process, the shutdown callback program corresponding to the entry at the head of that list is called last during shutdown. As shown in fig. 2 and 7, the processor may start a repair process when the terminal device is powered on and add the entry corresponding to the shutdown callback program to the head of the shutdown callback linked list enumerated during power-on, so that in the subsequent power-off process the processor calls and runs the shutdown callback program last, thereby implementing the registry repair engine and file recovery engine of the state repair engine to repair and restore the protected registry and protected files.
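The following C program, added here and not part of the patent, models the repair process just described: a repair file captured at boot, a shutdown callback list in which the head entry runs last as the text states, and why registering last matters when another driver's shutdown routine runs after the repair. The registry contents, key names and callbacks are constructed; the operating system's own shutdown-notification internals are not modelled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the protected part of the registry. */
#define MAX_KEYS 4
typedef struct { const char *path; char value[64]; } reg_entry;
typedef struct { reg_entry keys[MAX_KEYS]; int count; } registry;

/* "Repair process file": the protected keys as captured at boot, plus a
   pointer to the live registry the repair engine writes back into. */
typedef struct { registry snapshot; registry *live; int repairs; } repair_ctx;

static void capture_repair_file(repair_ctx *r, registry *live) {
    r->snapshot = *live;
    r->live = live;
    r->repairs = 0;
}

/* Registry repair engine: restore every protected key whose value drifted. */
static void repair_callback(void *p) {
    repair_ctx *r = p;
    for (int i = 0; i < r->snapshot.count; i++) {
        reg_entry *now = &r->live->keys[i];
        const reg_entry *want = &r->snapshot.keys[i];
        if (strcmp(now->value, want->value) != 0) {
            strcpy(now->value, want->value);
            r->repairs++;
        }
    }
}

/* Shutdown routine of some other driver that re-modifies a protected key.
   It stands for anything that runs after a repair that was registered too early. */
static void tamper_callback(void *p) {
    registry *reg = p;
    strcpy(reg->keys[0].value, "C:\\temp\\not_the_agent.exe");
}

/* The shutdown callback linked list enumerated at boot. */
typedef void (*shutdown_fn)(void *);
typedef struct cb_node { shutdown_fn fn; void *ctx; struct cb_node *next; } cb_node;

static cb_node *add_callback(cb_node *head, shutdown_fn fn, void *ctx, int at_head) {
    cb_node *n = malloc(sizeof *n);
    n->fn = fn; n->ctx = ctx; n->next = NULL;
    if (at_head || head == NULL) { n->next = head; return n; }
    cb_node *t = head;
    while (t->next) t = t->next;
    t->next = n;                       /* ordinary registration: appended at the tail */
    return head;
}

/* Per the description, the entry at the list head is the one called last, so
   the list is run back to front (a model of the stated ordering only). */
static void run_shutdown(cb_node *n) {
    if (n == NULL) return;
    run_shutdown(n->next);
    n->fn(n->ctx);
}
static void free_list(cb_node *n) {
    while (n) { cb_node *next = n->next; free(n); n = next; }
}

/* Boot, capture the repair file, suffer tampering during the session, shut down.
   Returns 1 if every protected key equals the boot snapshot when the machine
   halts; *repairs_out receives how many keys the engine restored. */
int simulate(int repair_at_head, int *repairs_out) {
    registry reg = { {
        { "HKLM\\SYSTEM\\CurrentControlSet\\Services\\EdrAgent\\ImagePath",
          "C:\\Program Files\\EDR\\agent.exe" },
        { "HKLM\\SYSTEM\\CurrentControlSet\\Services\\EdrAgent\\Start", "2" } }, 2 };
    repair_ctx ctx;
    capture_repair_file(&ctx, &reg);

    cb_node *list = NULL;
    list = add_callback(list, tamper_callback, &reg, 0);              /* other driver, normal registration */
    list = add_callback(list, repair_callback, &ctx, repair_at_head);  /* repair engine's registration */

    strcpy(reg.keys[1].value, "4");   /* during the session: service start type set to disabled */
    run_shutdown(list);
    free_list(list);

    if (repairs_out) *repairs_out = ctx.repairs;
    return strcmp(reg.keys[0].value, ctx.snapshot.keys[0].value) == 0
        && strcmp(reg.keys[1].value, ctx.snapshot.keys[1].value) == 0;
}
int repairs_when(int repair_at_head) { int n = 0; simulate(repair_at_head, &n); return n; }

int main(void) {
    int n, ok;
    ok = simulate(1, &n);
    printf("repair registered at list head: intact=%d, keys restored=%d\n", ok, n);
    ok = simulate(0, &n);
    printf("repair registered at list tail: intact=%d, keys restored=%d\n", ok, n);
    return 0;
}
```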
Corresponding to the above method embodiment, an embodiment of the present invention further provides a protection device for a terminal device; the protection device described below and the protection method described above may be referred to each other correspondingly.
Referring to fig. 8, fig. 8 is a block diagram of a protection device of a terminal device according to an embodiment of the present invention. The apparatus may include:
an obtaining module 10, configured to obtain a target control operation of a process; the target control operation includes at least one of a process creation operation, a driver loading operation, a process handle operation, a registry operation and a file operation;
a determination module 20, configured to determine the target type of the control target of the target control operation based on the target control operation; the target type includes an operable target and an inoperable target;
and a control module 30, configured to perform the corresponding operation on the target control operation according to the target type.
Optionally, the target control operation includes a process creation operation and/or a driver loading operation, and the determination module 20 may include:
an audit judgment submodule, configured to detect the control target and judge whether it is a safe target; if so, the target type of the control target is determined to be an operable target; if not, it is determined to be an inoperable target; the control target includes the process created by the process creation operation or the driver loaded by the driver loading operation.
Optionally, the target control operation includes a process handle operation, a registry operation and/or a file operation, and the determination module 20 may include:
an identification judgment submodule, configured to detect the control target and judge whether it is a protected target; if so, the target type of the control target is determined to be an inoperable target; if not, it is determined to be an operable target; the control target includes the process controlled by the process handle operation, the registry controlled by the registry operation or the file controlled by the file operation.
Optionally, the identification judgment submodule may include:
an identification judging unit, configured to detect the control target and judge whether it is a protected target; if it is not a protected target, the target type of the control target is determined to be an operable target;
an audit judging unit, configured, if the control target is a protected target, to detect the initiator program of the target control operation and judge whether the control target is a safe program; if it is a safe program, the target type of the control target is determined to be an operable target; if not, it is determined to be an inoperable target; the initiator program includes the process or driver that initiates the target control operation.
Optionally, the apparatus may further include:
a repair calling module, configured to call a shutdown callback program last in the shutdown process of the terminal device;
and a restoration module, configured to run the shutdown callback program and call the stored repair process file to restore the target registry and target files modified after the terminal device started.
Optionally, the apparatus may further include:
a linked-list adding module, configured to add the linked-list entry corresponding to the shutdown callback program to the head of the shutdown callback linked list during the startup process of the terminal device.
Optionally, the apparatus may further include:
an installation module, configured to install a communication analysis device on the target driver; the target driver includes a dangerous driver;
an extraction module, configured to extract the communication information of the target driver's target operation using the communication analysis device; the target operation includes an operation on a protected process, a protected registry and/or a protected file, and the communication information includes a communication control code and/or a request packet format;
and a communication control module, configured to perform the corresponding operation on the target operation using the communication information.
Optionally, the communication information includes a communication control code and a request packet format, and the communication intercepting module may include:
a target operation obtaining submodule, configured to obtain the current target operation of the target driver;
and a communication interception judgment submodule, configured to judge whether the current target operation uses the communication control code or the request packet format, and if so, to intercept the current target operation.
Corresponding to the above method embodiment, an embodiment of the present invention further provides a terminal device; the terminal device described below and the protection method described above may be referred to each other correspondingly.
Referring to fig. 9, fig. 9 is a schematic structural diagram of a terminal device according to an embodiment of the present invention. The terminal device may include:
a memory D3 for storing a computer program;
and a processor D4 configured, when executing the computer program, to implement the steps of the method for protecting a terminal device according to the above method embodiment.
Specifically, referring to fig. 10, fig. 10 is a schematic diagram of a specific structure of a terminal device provided in this embodiment. The terminal device may vary considerably in configuration or performance, and may include one or more processors (CPUs) 322 and memory 332, as well as one or more storage media 330 (e.g., one or more mass storage devices) storing an application 342 or data 344. Memory 332 and storage media 330 may be transient or persistent storage. The program stored in storage medium 330 may include one or more modules (not shown), and each module may include a series of instruction operations for the terminal device. Further, the central processor 322 may be configured to communicate with storage medium 330 and to execute the series of instruction operations in storage medium 330 on the terminal device 310.
Terminal device 310 may also include one or more power supplies 326, one or more wired or wireless network interfaces 350, one or more input-output interfaces 358, and/or one or more operating systems 341, such as Windows Server™, Mac OS X™, Unix™, Linux™ or FreeBSD™.
The terminal device 310 may be embodied as a server or a firewall device (FW), among other things.
The steps of the above method for protecting a terminal device may be implemented by this structure of the terminal device.
Corresponding to the above method embodiment, an embodiment of the present invention further provides a readable storage medium; the readable storage medium described below and the protection method described above may be referred to each other correspondingly.
A readable storage medium stores a computer program which, when executed by a processor, implements the steps of the method for protecting a terminal device of the above method embodiments.
The readable storage medium may be a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other readable storage medium capable of storing program code.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and for the parts that are the same or similar the embodiments may be referred to each other. Since the device, terminal device and readable storage medium disclosed in the embodiments correspond to the method disclosed in the embodiments, their description is relatively brief, and the relevant points may be found in the description of the method.
The method and the device for protecting the terminal device, the terminal device and the readable storage medium provided by the invention are described in detail above. The principles and embodiments of the present invention are explained herein using specific examples, which are presented only to assist in understanding the method and its core concepts. It should be noted that, for those skilled in the art, it is possible to make various improvements and modifications to the present invention without departing from the principle of the present invention, and those improvements and modifications also fall within the scope of the claims of the present invention.

Claims (11)

1. A protection method for a terminal device, characterized by comprising the following steps:
acquiring a target control operation of a process; the target control operation comprises at least one of a process creation operation, a driver loading operation, a process handle operation, a registry operation and a file operation;
determining a target type of a control target of the target control operation based on the target control operation; wherein the target type includes an operable target and an inoperable target;
and performing a corresponding operation on the target control operation according to the target type.
2. The protection method for a terminal device according to claim 1, wherein the target control operation includes the process creation operation and/or the driver loading operation, and determining the target type of the control target of the target control operation based on the target control operation comprises:
detecting the control target and judging whether the control target is a safe target; wherein the control target comprises a process created by the process creation operation or a driver loaded by the driver loading operation;
if yes, determining the target type of the control target as the operable target;
if not, determining that the target type of the control target is the inoperable target.
3. The protection method for a terminal device according to claim 1, wherein the target control operation includes the process handle operation, the registry operation and/or the file operation, and determining the target type of the control target of the target control operation based on the target control operation comprises:
detecting the control target and judging whether the control target is a protected target; wherein the control target comprises a process controlled by the process handle operation, a registry controlled by the registry operation or a file controlled by the file operation;
if so, determining that the target type of the control target is the inoperable target;
if not, determining that the target type of the control target is the operable target.
4. The protection method for a terminal device according to claim 1, wherein the target control operation includes the process handle operation, the registry operation and/or the file operation, and determining the target type of the control target of the target control operation based on the target control operation comprises:
detecting the control target and judging whether the control target is a protected target; wherein the control target comprises a process controlled by the process handle operation, a registry controlled by the registry operation or a file controlled by the file operation;
if the target is the protected target, determining that the target type of the control target is the inoperable target;
if the control target is not the protected target, detecting an initiator program of the target control operation and judging whether the control target is a safe program; wherein the initiator program comprises a process or driver that initiates the target control operation;
if it is the safe program, determining that the target type of the control target is the operable target;
and if it is not the safe program, determining that the target type of the control target is the inoperable target.
5. The method for protecting a terminal device according to claim 1, further comprising:
calling a shutdown callback program last in the shutdown process of the terminal device;
and running the shutdown callback program and calling a stored repair process file to repair the protected registry and protected file of the terminal device that were modified after startup.
6. The method for protecting a terminal device according to claim 5, wherein calling the shutdown callback program last comprises:
during the startup process of the terminal device, adding linked-list information corresponding to the shutdown callback program to the head of a shutdown callback linked list, so that the terminal device calls the shutdown callback program last in the shutdown process.
7. The method for protecting a terminal device according to any one of claims 1 to 6, further comprising:
installing a communication analysis device on a target driver; wherein the target driver comprises a dangerous driver;
extracting communication information of a target operation of the target driver by using the communication analysis device; the target operation comprises an operation on a protected process, a protected registry and/or a protected file, and the communication information comprises a communication control code and/or a request packet format;
and performing a corresponding operation on the target operation by using the communication information.
8. The method for protecting a terminal device according to claim 7, wherein when the communication information includes a communication control code and a request packet format, performing the corresponding operation on the target operation by using the communication information comprises:
acquiring the current target operation of the target driver;
judging whether the current target operation uses the communication control code or the request packet format;
and if so, intercepting the current target operation.
9. A protection device for a terminal device, comprising:
an acquisition module, configured to acquire a target control operation of a process; the target control operation comprises at least one of a process creation operation, a driver loading operation, a process handle operation, a registry operation and a file operation;
a determination module, configured to determine a target type of a control target of the target control operation based on the target control operation; wherein the target type includes an operable target and an inoperable target;
and a control module, configured to perform a corresponding operation on the target control operation according to the target type.
10. A terminal device, comprising:
a memory for storing a computer program;
and a processor, configured to implement the steps of the method for protecting a terminal device according to any one of claims 1 to 8 when executing the computer program.
11. A readable storage medium, characterized in that a computer program is stored thereon which, when executed by a processor, carries out the steps of the method for protecting a terminal device according to any one of claims 1 to 8.
Application CN202110342904.2A (priority date 2021-03-30, filing date 2021-03-30): Terminal equipment, protection method and device thereof and readable storage medium; status: pending.
Publication CN113051550A (en), publication date 2021-06-29; family ID 76516909; country: CN.

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101231682A (en) * 2007-01-26 2008-07-30 李贵林 Computer information safe method
US20120079594A1 (en) * 2010-09-27 2012-03-29 Hyun Cheol Jeong Malware auto-analysis system and method using kernel callback mechanism
CN104036191A (en) * 2014-06-11 2014-09-10 上海睿海信息技术有限公司 Control method based on file filter driver and characteristic code of file format
CN105045605A (en) * 2015-08-28 2015-11-11 成都卫士通信息产业股份有限公司 Method and system for injecting DLL into target process
CN105653681A (en) * 2015-12-29 2016-06-08 北京金山安全软件有限公司 File deletion method and device
CN105930739A (en) * 2016-04-14 2016-09-07 北京金山安全软件有限公司 Method and terminal for preventing file from being deleted
CN107563192A (en) * 2017-08-10 2018-01-09 北京神州绿盟信息安全科技股份有限公司 A kind of means of defence for extorting software, device, electronic equipment and storage medium
GB201802241D0 (en) * 2018-02-12 2018-03-28 Avecto Ltd Managing registry access on a computer device
WO2018108051A1 (en) * 2016-12-15 2018-06-21 腾讯科技(深圳)有限公司 Method and device for system administration, and storage medium
CN109711169A (en) * 2018-05-04 2019-05-03 360企业安全技术(珠海)有限公司 Means of defence and device, system, storage medium, the electronic device of system file
CN109815696A (en) * 2018-12-29 2019-05-28 360企业安全技术(珠海)有限公司 Terminal device system protection method and device
CN110688653A (en) * 2019-09-29 2020-01-14 北京可信华泰信息技术有限公司 Client security protection method and device and terminal equipment
CN110753060A (en) * 2019-10-25 2020-02-04 深信服科技股份有限公司 Process operation control method and device, electronic equipment and storage medium
CN110851831A (en) * 2019-11-12 2020-02-28 腾讯科技(深圳)有限公司 Virus processing method and device, computer equipment and computer readable storage medium

Patent Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101231682A (en) * 2007-01-26 2008-07-30 李贵林 Computer information safe method
US20120079594A1 (en) * 2010-09-27 2012-03-29 Hyun Cheol Jeong Malware auto-analysis system and method using kernel callback mechanism
CN104036191A (en) * 2014-06-11 2014-09-10 上海睿海信息技术有限公司 Control method based on file filter driver and characteristic code of file format
CN105045605A (en) * 2015-08-28 2015-11-11 成都卫士通信息产业股份有限公司 Method and system for injecting DLL into target process
CN105653681A (en) * 2015-12-29 2016-06-08 北京金山安全软件有限公司 File deletion method and device
CN105930739A (en) * 2016-04-14 2016-09-07 北京金山安全软件有限公司 Method and terminal for preventing file from being deleted
WO2018108051A1 (en) * 2016-12-15 2018-06-21 腾讯科技(深圳)有限公司 Method and device for system administration, and storage medium
CN107563192A (en) * 2017-08-10 2018-01-09 北京神州绿盟信息安全科技股份有限公司 A kind of means of defence for extorting software, device, electronic equipment and storage medium
GB201802241D0 (en) * 2018-02-12 2018-03-28 Avecto Ltd Managing registry access on a computer device
CN109711169A (en) * 2018-05-04 2019-05-03 360企业安全技术(珠海)有限公司 Means of defence and device, system, storage medium, the electronic device of system file
CN109815696A (en) * 2018-12-29 2019-05-28 360企业安全技术(珠海)有限公司 Terminal device system protection method and device
CN110688653A (en) * 2019-09-29 2020-01-14 北京可信华泰信息技术有限公司 Client security protection method and device and terminal equipment
CN110753060A (en) * 2019-10-25 2020-02-04 深信服科技股份有限公司 Process operation control method and device, electronic equipment and storage medium
CN110851831A (en) * 2019-11-12 2020-02-28 腾讯科技(深圳)有限公司 Virus processing method and device, computer equipment and computer readable storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
姚东红: "《局域网组建与维护标准教材》", 30 September 2002, pages: 161 - 167 *

Similar Documents

Publication Publication Date Title
US8621628B2 (en) Protecting user mode processes from improper tampering or termination
CN106991324B (en) Malicious code tracking and identifying method based on memory protection type monitoring
US8397292B2 (en) Method and device for online secure logging-on
EP2637121A1 (en) A method for detecting and removing malware
US9659173B2 (en) Method for detecting a malware
US8495741B1 (en) Remediating malware infections through obfuscation
CN101136044A (en) Software watchdog system and method
CN107463856B (en) Anti-attack data processor based on trusted kernel
CN109753796B (en) Big data computer network safety protection device and use method
CN109815700B (en) Application program processing method and device, storage medium and computer equipment
CN113632432A (en) Method and device for judging attack behavior and computer storage medium
GB2510641A (en) Detecting suspicious code injected into a process if function call return address points to suspicious memory area
CN113051034A (en) Container access control method and system based on kprobes
JP6918269B2 (en) Attack estimator, attack control method, and attack estimator program
CN100462990C (en) Method and device for monitoring suspicious file start
CN109583206B (en) Method, device, equipment and storage medium for monitoring access process of application program
CN113051550A (en) Terminal equipment, protection method and device thereof and readable storage medium
US20090144821A1 (en) Auxiliary method for investigating lurking program incidents
CN109785537B (en) Safety protection method and device for ATM
RU2708355C1 (en) Method of detecting malicious files that counteract analysis in isolated environment
CN112395593A (en) Instruction execution sequence monitoring method and device, storage medium and computer equipment
CN115544503A (en) File-free attack detection method, device, equipment and storage medium
CN104573417A (en) UEFI (Unified Extensible Firmware Interface)-based software whole-process protection system and UEFI-based software whole-process protection method
CN113760393A (en) Protection method, device, equipment and medium for dynamic link library
CN113761537A (en) Method, system, equipment and storage medium for preventing container from escaping

Legal Events

PB01 Publication
SE01 Entry into force of request for substantive examination