CN114138369A - Progress protection method and system for windows whole system - Google Patents
Publication number: CN114138369A (application CN202111464016.4A). Authority: CN (China).
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed).
Classifications
- G06F9/44505: Configuring for program initiating, e.g. using registry, configuration files (under G06F9/445 Program loading or initiating; G06F9/44 Arrangements for executing specific programs; G06F9/00 Arrangements for program control)
- G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities (under G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
Abstract
The invention provides a process protection method and system for the whole Windows system. The method comprises the following steps: constructing a trusted process list; when a process is started, entering a custom HookResumeThread function; acquiring the id, hash value and size of the current process from the thread handle passed to HookResumeThread; querying, by that id, hash value and size, whether the current process exists in the trusted process list; if it does not, performing an interception operation on the current process; if it does, letting the current process start normally. The method and system provide process protection on Windows XP and every later Windows system, intercept the processes of untrusted programs, and do so without any system prompt pop-up window and without affecting the user's normal use.
Description
Technical Field
The invention relates to the field of information security, in particular to a process protection method and system for the whole Windows system.
Background
The security of operating systems has long been a concern in the industry. As a classic operating system, Windows has had its own share of security problems. In Windows, processes often become the targets of, or the intermediaries for, attacks. The security of processes is therefore very important in Windows systems.
Disclosure of Invention
The technical problem solved by the invention is to provide a process protection method and system for the whole Windows system that protects processes on Windows XP and every later system, intercepts the processes of untrusted programs, produces no system prompt pop-up window, and does not affect the user's normal use.
To solve this problem, the invention provides a process protection method for the whole Windows system, comprising the following steps: constructing a trusted process list; when a process is started, entering a custom HookResumeThread function; acquiring the id, hash value and size of the current process from the thread handle passed to HookResumeThread; querying, by that id, hash value and size, whether the current process exists in the trusted process list; if it does not, performing an interception operation on the current process; if it does, letting the current process start normally.
In some embodiments, letting the current process start normally comprises: calling the original NtResumeThread function.
In some embodiments, the method further comprises: if hooking the NtResumeThread entry of the system service descriptor table is unsuccessful, using the thread-creation callback registration interface provided by Microsoft instead.
In some embodiments, using the thread-creation callback registration interface provided by Microsoft comprises: calling PsSetCreateThreadNotifyRoutine(CreateThreadNotify) to register a thread callback; when a process is started, entering CreateThreadNotify(HANDLE ProcessId, HANDLE ThreadId, BOOLEAN Create); on observing the process start, acquiring the hash value and size of the current process from the ProcessId parameter of CreateThreadNotify; and querying whether that hash value and size exist in the trusted process list in the policy; if they do not, the process is an untrusted process and the interception operation is entered.
In some embodiments, the interception operation comprises executing the following function: TerminateProcess(ProcessId, 0).
In some embodiments, using the thread-creation callback registration interface provided by Microsoft further comprises: if the hash value and size of the current process exist in the trusted process list, returning directly without any processing.
In some embodiments, the method further comprises: for Windows operating systems later than XP, using the thread callback registration interface provided by Microsoft.
In addition, the invention provides a process protection system for the whole Windows system, comprising: one or more processors; and a storage device configured to store one or more programs that, when executed by the one or more processors, cause the one or more processors to implement the process protection method for the whole Windows system described above.
With this design, the invention has at least the following advantages:
1. Comprehensive protection means protect the processes of the whole Windows system;
2. Process interception is implemented entirely in the kernel without depending on the application layer, so normal operation of the system is not affected, no system pop-up window is triggered, and the user's use is not affected;
3. No HOOK mode is used.
Drawings
The foregoing is only an overview of the technical solutions of the present invention, and in order to make the technical solutions of the present invention more clearly understood, the present invention is further described in detail below with reference to the accompanying drawings and the detailed description.
FIG. 1 is a flow chart of a method.
Detailed Description
The preferred embodiments of the present invention will be described in conjunction with the accompanying drawings, and it will be understood that they are described herein for the purpose of illustration and explanation and not limitation.
1. Function realized:
The method provides process protection on Windows XP and every later system, intercepts the processes of untrusted programs, produces no system prompt pop-up window, and does not affect the user's normal use.
2. Technical implementation scheme:
(1) Technology for intercepting process start:
1. Overview of the function
Process start is monitored in the driver. When a process start is observed, the process start information passed by the system is compared with the trusted process list in the policy. If the current process is found to be untrusted, the process start information is modified or the process is ended at that moment, which achieves the purpose of intercepting the process start.
2. Technical scheme
First, a hash value is calculated from the feature code of each trusted process, and the hash value and size of each trusted process are stored in the trusted process list in the policy. The driver then obtains the system version number. Processing differs by system version, and the rule for intercepting the start of an untrusted process is as follows:
XP and earlier systems (including XP):
If the current system is XP or earlier, a starting process enters the NtResumeThread function of the system service descriptor table (hereinafter SSDT). If the SSDT slot that holds the address of NtResumeThread is overwritten with the address of another function, that other function is entered when the process starts instead of the original NtResumeThread. Therefore, I first save the address of the original NtResumeThread, and then overwrite the SSDT slot that holds the NtResumeThread address with the address of HookResumeThread (HookResumeThread is a function I defined). Thus, when a process starts, it enters my HookResumeThread(HANDLE ThreadHandle, PULONG PreviousSuspendCount) function. On observing the process start, I acquire the id (ProcessId), hash value and size of the current process from the ThreadHandle parameter of HookResumeThread, and query whether that hash value and size exist in the trusted process list in the policy. If they do not, the process is an untrusted process and the interception logic is entered, where the interception operation is as follows:
TerminateProcess(ProcessId, 0);
the function then returns STATUS_ACCESS_DENIED;
thus the process is ended directly and fails to start. Otherwise the process is a trusted process, and the original NtResumeThread(HANDLE ThreadHandle, PULONG PreviousSuspendCount) is called to let it start normally, as follows:
NTSTATUS Status = NtResumeThread(ThreadHandle, PreviousSuspendCount);
the function then returns Status.
If hooking the NtResumeThread entry of the system service descriptor table is unsuccessful, the thread-creation callback registration interface provided by Microsoft is used instead, because that interface can also observe the start of a process, as follows:
Call PsSetCreateThreadNotifyRoutine(CreateThreadNotify) to register a thread callback, where CreateThreadNotify is the thread callback function I defined in the driver.
Thus, when a process is started, it enters CreateThreadNotify(HANDLE ProcessId, HANDLE ThreadId, BOOLEAN Create). On observing the process start, the hash value and size of the current process are acquired from the ProcessId parameter of CreateThreadNotify, and it is queried whether that hash value and size exist in the trusted process list in the policy. If they do not, the process is an untrusted process and the interception logic is entered, where the interception operation is as follows:
TerminateProcess(ProcessId, 0);
thus the process is ended directly and fails to start. Otherwise the callback returns directly without any processing.
Systems after XP:
If the current system is later than XP, the process-creation callback registration interface provided by Microsoft is used directly, because that interface can observe the start of a process. The steps are as follows:
Call PsSetCreateProcessNotifyRoutineEx(&ProcessCreateNotifyEx, FALSE) to register a process callback, where ProcessCreateNotifyEx is the process callback function I defined. Thus, when a process is started, it enters ProcessCreateNotifyEx(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo).
On observing the process start, I acquire the hash value and size of the current process from the EPROCESS (process kernel object) parameter of ProcessCreateNotifyEx(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo), and query whether that hash value and size exist in the trusted process list in the policy. If they do not, the process is an untrusted process and the interception logic is entered, where the interception operation is as follows:
CreateInfo->CreationStatus = STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY;
thus the process fails to start.
If the hash value and size do exist in the trusted process list, the process starts normally: no processing is performed and the callback returns directly.
The software builds a trusted process list and intercepts any process that is not in the list, which is considered untrusted.
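As an added stand-alone C model (not the patent's driver code, which runs in the Windows kernel), the following reproduces both decision paths described above: the trusted-list lookup keyed on (hash, size), the post-XP callback refusing creation through CreateInfo->CreationStatus, and the XP-era hook returning STATUS_ACCESS_DENIED after terminating the process. The hash algorithm (FNV-1a), the sample images and the numeric value assigned to STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY are assumptions so that it compiles without the WDK.

```c
#include <stddef.h>
#include <stdint.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
/* Name as used in the description; the numeric value is a placeholder for
 * this portable model. A real driver takes the definition from ntstatus.h. */
#define STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY ((NTSTATUS)0xC0000361L)

/* One row of the trusted process list: hash of the image's feature code plus
 * the image size. Both must match, as the description requires. */
typedef struct { uint64_t hash; size_t size; } trusted_entry_t;

/* FNV-1a (64-bit) stands in for whatever hash the driver computes over the
 * process's feature code; the description does not name the algorithm. */
uint64_t feature_hash(const uint8_t *data, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= data[i]; h *= 0x100000001b3ULL; }
    return h;
}

int is_trusted(const trusted_entry_t *list, size_t n, uint64_t hash, size_t size) {
    for (size_t i = 0; i < n; i++)
        if (list[i].hash == hash && list[i].size == size) return 1;
    return 0;
}

/* Minimal model of PS_CREATE_NOTIFY_INFO: only the field the callback writes. */
typedef struct { NTSTATUS CreationStatus; } PS_CREATE_NOTIFY_INFO_MODEL;

/* Post-XP path: body of the PsSetCreateProcessNotifyRoutineEx callback.
 * An untrusted image is refused by writing CreationStatus; a trusted one is
 * left alone. Returns the status written (STATUS_SUCCESS means untouched). */
NTSTATUS process_create_notify(const trusted_entry_t *list, size_t n,
                               const uint8_t *image, size_t size,
                               PS_CREATE_NOTIFY_INFO_MODEL *info) {
    if (is_trusted(list, n, feature_hash(image, size), size))
        return STATUS_SUCCESS;            /* return directly, no processing */
    info->CreationStatus = STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY;
    return info->CreationStatus;          /* creation fails, no UI prompt */
}

/* XP-and-earlier path: body of the HookResumeThread SSDT replacement. The
 * driver would call TerminateProcess(ProcessId, 0) and return
 * STATUS_ACCESS_DENIED; here the kill is recorded in *terminated and the
 * forwarded call to the original NtResumeThread is modelled as succeeding. */
NTSTATUS hook_resume_thread(const trusted_entry_t *list, size_t n,
                            const uint8_t *image, size_t size, int *terminated) {
    *terminated = 0;
    if (!is_trusted(list, n, feature_hash(image, size), size)) {
        *terminated = 1;                  /* TerminateProcess(ProcessId, 0) */
        return STATUS_ACCESS_DENIED;
    }
    return STATUS_SUCCESS;                /* original NtResumeThread(...) */
}

/* Constructed sample images: same size, one byte different, so the size
 * check alone could not tell them apart; the hash is what separates them. */
static const uint8_t TRUSTED_IMAGE[8]   = { 'M', 'Z', 1, 2, 3, 4, 5, 6 };
static const uint8_t UNTRUSTED_IMAGE[8] = { 'M', 'Z', 1, 2, 3, 4, 5, 7 };

/* Builds the policy's trusted list from the one image the operator approved. */
size_t build_trusted_list(trusted_entry_t *out) {
    out[0].hash = feature_hash(TRUSTED_IMAGE, sizeof TRUSTED_IMAGE);
    out[0].size = sizeof TRUSTED_IMAGE;
    return 1;
}
```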
The above description only illustrates the preferred embodiments of the present invention and is not to be construed as limiting it in any way; it will be apparent to those skilled in the art that various modifications, equivalent variations or alterations can be applied without departing from the spirit and scope of the present invention.
Claims (8)
1. A process protection method for the whole Windows system, characterized by comprising the following steps:
constructing a trusted process list;
when a process is started, entering a custom HookResumeThread function;
acquiring the id, hash value and size of the current process from the thread handle passed to HookResumeThread;
querying, by that id, hash value and size, whether the current process exists in the trusted process list;
if it does not, performing an interception operation on the current process;
if it does, letting the current process start normally.
2. The process protection method for the whole Windows system according to claim 1, wherein letting the current process start normally comprises:
calling the original NtResumeThread function.
3. The process protection method for the whole Windows system according to claim 2, further comprising:
if hooking the NtResumeThread entry of the system service descriptor table is unsuccessful, using the thread-creation callback registration interface provided by Microsoft instead.
4. The method of claim 3, wherein using the thread-creation callback registration interface provided by Microsoft comprises:
calling PsSetCreateThreadNotifyRoutine(CreateThreadNotify) to register a thread callback;
when a process is started, entering CreateThreadNotify(HANDLE ProcessId, HANDLE ThreadId, BOOLEAN Create);
on observing the process start, acquiring the hash value and size of the current process from the ProcessId parameter of CreateThreadNotify(HANDLE ProcessId, HANDLE ThreadId, BOOLEAN Create);
and querying whether that hash value and size exist in the trusted process list in the policy; if they do not, the process is an untrusted process and the interception operation is entered.
5. The process protection method for the whole Windows system according to claim 1 or 4, wherein the interception operation comprises:
executing the following function:
TerminateProcess(ProcessId, 0).
6. The method of claim 4, wherein using the thread-creation callback registration interface provided by Microsoft further comprises:
if the hash value and size of the current process exist in the trusted process list, returning directly without any processing.
7. The process protection method for the whole Windows system according to claim 1, further comprising:
for Windows operating systems later than XP, using the thread callback registration interface provided by Microsoft.
8. A process protection system for the whole Windows system, comprising:
one or more processors;
a storage device for storing one or more programs which,
when executed by the one or more processors, cause the one or more processors to implement the process protection method for the whole Windows system of any of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111464016.4A | 2021-12-02 | 2021-12-02 | Progress protection method and system for windows whole system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114138369A | 2022-03-04 |
Family ID: 80387395 (one family application, CN202111464016.4A, status Pending; country: CN)
Events
- 2021-12-02: CN application CN202111464016.4A filed (patent CN114138369A), status Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102147845A (en) * | 2011-04-18 | 2011-08-10 | 北京思创银联科技股份有限公司 | Process monitoring method |
CN102831355A (en) * | 2011-12-30 | 2012-12-19 | 中国科学院软件研究所 | Method for establishing trusted path in secure operating system |
CN106096402A (en) * | 2016-06-22 | 2016-11-09 | 北京金山安全软件有限公司 | Information interception method and device |
CN106203092A (en) * | 2016-06-30 | 2016-12-07 | 北京金山安全软件有限公司 | Method and device for intercepting shutdown of malicious program and electronic equipment |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115577347A (en) * | 2022-11-24 | 2023-01-06 | 摩尔线程智能科技(北京)有限责任公司 | Driver protection method and device |
CN115577347B (en) * | 2022-11-24 | 2023-03-24 | 摩尔线程智能科技(北京)有限责任公司 | Driver protection method and device |
CN117473487A (en) * | 2023-10-24 | 2024-01-30 | 联通(广东)产业互联网有限公司 | Data processing method, electronic equipment and computer readable storage medium |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | Application publication date: 20220304 |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | |