CN114238947A - Software protection method, system, equipment and medium for Windows system - Google Patents

Info

Publication number
CN114238947A
Authority
CN
China
Prior art keywords
protection
driver
process information
handle
software
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111450408.5A
Other languages
Chinese (zh)
Inventor
郭正飞
胡宇轩
陈银桃
朱希成
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Supcon Technology Co Ltd
Original Assignee
Zhejiang Supcon Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang Supcon Technology Co Ltd filed Critical Zhejiang Supcon Technology Co Ltd
Priority to CN202111450408.5A priority Critical patent/CN114238947A/en
Publication of CN114238947A publication Critical patent/CN114238947A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The invention relates to a software operation protection method for a Windows system, wherein the method comprises the following steps: firstly, creating a protection driver under a Windows system; secondly, registering, through the protection driver, a callback function for monitoring the creation of process handles; then, acquiring target process information and/or source process information of the process handle; and finally, based on the target process information and/or the source process information, refusing the authority of the process handle for a process which does not conform to the preset protection strategy. The invention is a software protection scheme based on the Windows platform: the constructed protection driver registers a callback function to monitor the handles associated with all processes created by the system, and the authority of those handles can be changed to prevent specific access, so that effective operation protection is provided for the protected software listed in the protection strategy. The invention also provides a configuration modification function, which supports adding a third-party program to the protection strategy, and protecting it, at any time.

Description

Software protection method, system, equipment and medium for Windows system
Technical Field
The invention relates to the technical field of computer software security, in particular to a software operation protection method, a system, equipment and a medium of a Windows system.
Background
The Windows operating system allows software to perform operations such as debugging, modifying and the like on other running software programs, which not only provides convenience for developers, but also makes the software vulnerable. The software has risks of being maliciously debugged, injected, forcibly closed and the like during running.
At present, the commonly used protection approaches work by modifying the target process itself. Under a Windows operating system, an application program can call a system API to check whether it is being debugged, and can hook some of its internal functions to check whether it has been maliciously injected or modified; when such risks are detected, it can take measures such as actively exiting to protect its information from being stolen or tampered with. Protection techniques built into the software itself require the software code to be modified, so they cannot be used to protect non-modifiable software provided by a third party. These general techniques also cannot identify the initiator of the behavior, so they are not applicable where only specific objects are allowed to debug the software. Meanwhile, some protection technologies can identify malicious operations but lack effective countermeasures: the usual response on detecting debugging or injection is to actively exit the program, which is unacceptable in some applications.
Disclosure of Invention
(I) Technical problem to be solved
In view of the above disadvantages and shortcomings of the prior art, the present invention provides a method, a system, a device and a medium for protecting software running of a Windows system, which solves the technical problems that the existing software protection technology lacks effective protection against malicious processes, cannot identify an initiator of a behavior, and cannot reasonably protect third-party software.
(II) Technical scheme
In order to achieve the purpose, the invention adopts the main technical scheme that:
in a first aspect, an embodiment of the present invention provides a software operation protection method for a Windows system, including:
creating a protection driver under a Windows system;
registering a callback function for monitoring creation of a process handle through the protection driver;
acquiring target process information and/or source process information of a process handle according to the incoming parameters of the callback function and the PsGetCurrentProcessId function;
and based on the target process information and/or the source process information, canceling the authority of the process handle for the process which does not conform to the preset protection strategy.
Optionally, after creating the protection driver under the Windows system, the method further includes:
creating an interface configuration tool that communicatively interacts with the protection driver;
after the interface configuration tool is logged in by using encryption verification, the protection strategy stored in the protection driver is checked and/or modified through the interface configuration tool;
the interface configuration tool and the protection driver use a binary encrypted data stream for information transmission.
Optionally, registering, by the protection driver, a callback function for monitoring creation of a process handle includes:
when the protection driver is started, registering the callback function objectPreCallback by having the protection driver call a system API, and keeping the callback function objectPreCallback running continuously so as to monitor the creation of handles of all processes.
Optionally, the protection driver is configured to automatically boot with the Windows system booting.
Optionally, creating the process handle comprises: creating, through the NtOpenProcess function, the handles which are associated with the processes and used for accessing the target program.
Optionally, based on the target process information and/or the source process information, for a process that does not conform to the preset protection policy, cancelling the authority of the process handle includes:
comparing the target process information and/or the source process information of the handle with a protection strategy stored in the protection driver;
if the access is confirmed to be forbidden, the protection operation is started, and the read, write and close authority of the handle to the target process is cancelled.
Optionally, the level of the protection driver is ring0 level, and the level of the configuration tool is ring3 level.
In a second aspect, an embodiment of the present invention provides a software operation protection system for a Windows system, including:
a program creation module, which is used for creating a protection driver under a Windows system and an interface configuration tool which is in communication interaction with the protection driver;
a function registration module, which is used for registering, through the protection driver, a callback function for monitoring the creation of process handles;
a process information acquisition module, which is used for acquiring target process information and/or source process information of the process handle according to the incoming parameters of the callback function and the PsGetCurrentProcessId function;
an authority judgment module, which is used for canceling the authority of the process handle for the process which does not conform to the preset protection strategy based on the target process information and/or the source process information;
the interface configuration tool and the protection driver use a binary encrypted data stream for information transmission; the protection driver stores the protection strategy.
In a third aspect, an embodiment of the present invention provides a software operation protection system for a Windows system, including:
at least one database;
and a memory communicatively coupled to the at least one database;
wherein the memory stores instructions executable by the at least one database, the instructions being executable by the at least one database to enable the at least one database to perform a software operation protection method for Windows systems as described above.
In a fourth aspect, an embodiment of the present invention provides a computer-readable medium, on which computer-executable instructions are stored, and when the computer-executable instructions are executed by a processor, the software operation protection method of the Windows system is implemented.
(III) Advantageous effects
The beneficial effects of the invention are as follows: the invention is a software protection scheme based on the Windows platform, in which the constructed protection driver registers a callback function to monitor the handles associated with all processes created by the system, and the authority of those handles can be changed to prevent specific access, so that effective operation protection is provided for the protected software listed in the protection strategy. The invention also provides an interface configuration tool to realize the configuration modification function, which supports adding a third-party program to the protection strategy, and protecting it, at any time.
Drawings
Fig. 1 is a schematic flowchart of a software operation protection method for a Windows system according to an embodiment of the present invention;
fig. 2 is a schematic specific flowchart of the software operation protection method for the Windows system after step S1 according to the embodiment of the present invention;
fig. 3 is a schematic flowchart of step S4 of the software operation protection method for a Windows system according to the embodiment of the present invention;
fig. 4 is a schematic composition diagram of a software operation protection system of a Windows system according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a computer system of a software operation protection device of a Windows system according to an embodiment of the present invention;
fig. 6 is a schematic overall flow chart of a software operation protection method for a Windows system according to an embodiment of the present invention.
[ description of reference ]
100: a software operation protection system of a Windows system; 110: a program creation module; 120: a function registration module; 130: a process information acquisition module; 140: an authority judgment module;
200: a computer system; 201: a CPU; 202: a ROM; 203: a RAM; 202: a first bus; 205: an I/O interface; 206: an input section; 207: an output section; 208: a storage section; 209: a communication section; 210: a driver; 211: a removable media.
Detailed Description
For the purpose of better explaining the present invention and to facilitate understanding, the present invention will be described in detail by way of specific embodiments with reference to the accompanying drawings.
As shown in fig. 1, a method for protecting software running on a Windows system according to an embodiment of the present invention includes: firstly, creating a protection driver under a Windows system; secondly, registering, through the protection driver, a callback function for monitoring the creation of process handles; then, acquiring target process information and/or source process information of the process handle according to the incoming parameters of the callback function and the PsGetCurrentProcessId function; and finally, based on the target process information and/or the source process information, canceling the authority of the process handle for the process which does not conform to the preset protection strategy.
The invention is a software protection scheme based on the Windows platform, in which the constructed protection driver registers a callback function to monitor the handles associated with all processes created by the system, and the authority of those handles can be changed to prevent specific access, so that effective operation protection is provided for the protected software listed in the protection strategy. The invention also provides an interface configuration tool to realize the configuration modification function, which supports adding a third-party program to the protection strategy, and protecting it, at any time.
For a better understanding of the above-described technical solutions, exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Specifically, the invention provides a software operation protection method of a Windows system, which comprises the following steps:
S1, creating a protection driver under the Windows system.
As shown in fig. 2, after step S1, the method further includes:
F11, creating an interface configuration tool for communication interaction with the protection driver.
F12, after logging in to the interface configuration tool using encryption verification, viewing and/or modifying the protection strategy stored in the protection driver through the interface configuration tool.
The interface configuration tool and the protection driver use a binary encrypted data stream for information transmission.
S2, registering a callback function for monitoring creation of a process handle through the protection driver.
Further, step S2 includes: when the protection driver is started, the callback function objectPreCallback is registered by having the protection driver call a system API, and the callback function objectPreCallback is kept running continuously, so that the handle creation of all processes is monitored.
Further, creating the process handle includes: creating, through the NtOpenProcess function, the handles which are associated with the processes and used for accessing the target program.
The protection driver is set to start automatically when the Windows system starts.
S3, acquiring the target process information and/or the source process information of the process handle according to the incoming parameters of the callback function and the PsGetCurrentProcessId function.
The callback function and its incoming parameter are both defined by Windows. The incoming parameter is a structure, _OB_PRE_OPERATION_INFORMATION, whose members are Operation, Flags, Object, ObjectType, CallContext and Parameters. The invention mainly uses the Operation member to judge whether the behavior is the creation of a handle, the Object member to obtain the information of the target process, and the Parameters member to adjust the authority. The PsGetCurrentProcessId function is provided by the Windows system and can be called directly in the callback function.
In the above description, a handle is an identifier of an object or an instance in the Windows system: if a program wants to access another system object such as a process or a thread, it must first create a handle to that object and access the object through the handle. Intel ranks the privilege of CPU instructions, with ring0 the highest and ring3 the lowest; in a Windows system, ring3 is the level at which regular software runs and ring0 is the level at which the operating system kernel runs. Preferably, the level of the protection driver is ring0 and the level of the configuration tool is ring3. The invention provides effective and configurable operation protection for ring3 level software through a ring0 level protection driver.
S4, canceling the authority of the process handle for the process which does not conform to the preset protection strategy based on the target process information and/or the source process information.
As shown in fig. 3, step S4 includes:
S41, comparing the target process information and/or the source process information of the handle with the protection strategy stored in the protection driver.
The protection strategy includes two lists: the list of protected programs, and the list of exceptions that may access the protected programs. The former indicates which programs are protected by the inventive scheme, and the latter indicates which programs are exceptions that may still access the protected programs. For each access, the protection driver can obtain the information of the accessing program (i.e., the "source process") and of the accessed program (i.e., the "target process"), and determines whether to protect by comparing them against the two lists. At present, entries in the lists are configured and matched by the path of the exe file in which the process resides (such as C:\folder\process.exe).
S42, if the access is confirmed to be forbidden, starting the protection operation and canceling the read, write and close authority of the handle to the target process.
As shown in fig. 4, a software operation protection system 100 of a Windows system according to an embodiment of the present invention includes:
The program creation module 110 is used to create a protection driver under a Windows system and an interface configuration tool that communicatively interacts with the protection driver.
A function registration module 120 for registering a callback function for monitoring creation of a process handle through the protection driver.
The process information acquisition module 130 is configured to acquire the target process information and/or the source process information of the process handle according to the incoming parameter of the callback function and the PsGetCurrentProcessId function.
The authority judgment module 140 is configured to, based on the target process information and/or the source process information, cancel the authority of the process handle for the process that does not conform to the preset protection strategy.
The interface configuration tool and the protection driver use a binary encrypted data stream for information transmission; the protection driver stores the protection strategy.
Since the system/apparatus described in the above embodiments of the present invention is a system/apparatus used for implementing the method of the above embodiments of the present invention, a person skilled in the art can understand the specific structure and modification of the system/apparatus based on the method described in the above embodiments of the present invention, and thus the detailed description is omitted here. All systems/devices adopted by the methods of the above embodiments of the present invention are within the intended scope of the present invention.
In addition, an embodiment of the present invention further provides a software operation protection system for a Windows system, including: at least one database; and a memory communicatively coupled to the at least one database; the memory stores instructions executable by the at least one database, and the instructions are executed by the at least one database to enable the at least one database to execute the software operation protection method of the Windows system.
Fig. 5 is a schematic structural diagram of a computer system of a software operation protection device of a Windows system according to an embodiment of the present invention, and referring to fig. 5, it shows a schematic structural diagram of a computer system 200 suitable for implementing the software operation protection device of the Windows system according to an embodiment of the present invention. The software operation protection device of the Windows system shown in fig. 5 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 5, the computer system 200 includes a Central Processing Unit (CPU)201 that can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)202 or a program loaded from a storage section 208 into a Random Access Memory (RAM) 203. In the RAM 203, various programs and data necessary for the operation of the computer system 200 are also stored. The CPU 201, ROM 202, and RAM 203 are connected to each other via a bus 204. An input/output interface (I/O interface) 205 is also connected to the bus 204.
The following components are connected to the I/O interface 205: an input portion 206 including a keyboard, a mouse, and the like; an output section 207 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 208 including a hard disk and the like; and a communication section 209 including a network interface card such as a LAN card, a modem, or the like. The communication section 209 performs communication processing via a network such as the internet. A drive 210 is also connected to the I/O interface 205 as needed. A removable medium 211 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 210 as necessary, so that a computer program read out therefrom is mounted into the storage section 208 as necessary.
In particular, according to an embodiment of the present invention, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the invention include a computer program product comprising a computer program embodied on a computer-readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 209 and/or installed from the removable medium 211. The above-described functions defined in the system of the present application are executed when the computer program is executed by the Central Processing Unit (CPU) 201.
Also, the present invention provides a computer-readable medium, which may be contained in the apparatus described in the above embodiments; or may be separate and not incorporated into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to include the method steps of:
S1, creating a protection driver under the Windows system.
S2, registering a callback function for monitoring creation of a process handle through the protection driver.
S3, acquiring the target process information and/or the source process information of the process handle according to the incoming parameters of the callback function and the PsGetCurrentProcessId function.
S4, canceling the authority of the process handle for the process which does not conform to the preset protection strategy based on the target process information and/or the source process information.
In a specific embodiment, the protection driver is a filter. As shown in fig. 6, the present invention includes two programs: a ring0 level protection driver and a ring3 level configuration tool. In total, 3 main processes are involved:
(1) Boot-time self-start and configuration of the driver: when the protection driver is installed, its start mode is set so that it starts along with the Windows system; the protection driver then calls ObRegisterCallbacks() to register the callback function and begins monitoring the creation of each process handle.
(2) Configuration change operation: the protection strategy is stored in the driver, and a user can view and modify the configuration through the interface configuration tool. Communication between the ring3 level configuration tool and the ring0 level driver is completed through the communication port function provided by Windows, and data reliability is ensured through encryption: binary encrypted data streams are used to transmit information between the interface configuration tool and the protection driver. The configuration tool also uses encrypted login verification to ensure that the configuration cannot be modified arbitrarily.
(3) Protection execution: in the Windows operating system, if a program is to be debugged, terminated, or have its memory read or written, a handle to its process must first be created through NtOpenProcess(). On receiving the callback, the protection driver obtains the target process of the current handle, and the information of the source process attempting to create the handle, either through the incoming parameter or through the PsGetCurrentProcessId() function. It compares this information with the current protection strategy; if the access is forbidden, the protection operation starts: the driver adjusts the authority of the handle, canceling the read, write, close and other authorities of the handle over the target process, so that the user of the handle does not have these authorities and cannot perform the corresponding operations on the target process, which achieves the protection.
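The decision made in step S4 and in "Protection execution" above, on the fields the description of _OB_PRE_OPERATION_INFORMATION says the callback reads, as an added user-mode C model; it is not code from the patent and not a loadable driver. The struct and function names are hypothetical, the mapping of "read, write and close" onto specific PROCESS_* rights is an assumption, the policy entries are constructed sample data, and the model also filters handle duplication and skips kernel handles and self-opens, which goes beyond what the page states.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values as defined in the Windows SDK/WDK headers, repeated here so the
 * model builds on any platform. */
#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_VM_OPERATION              0x0008u
#define PROCESS_VM_READ                   0x0010u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u
#define PROCESS_ALL_ACCESS                0x1FFFFFu
#define OB_OPERATION_HANDLE_CREATE        0x1u
#define OB_OPERATION_HANDLE_DUPLICATE     0x2u

/* Assumption: the page's "read, write and close" mapped to access rights. */
#define DENIED_RIGHTS (PROCESS_VM_READ | PROCESS_VM_WRITE | \
                       PROCESS_VM_OPERATION | PROCESS_TERMINATE)

/* Hypothetical stand-in for what the pre-operation callback can see. */
struct handle_request {
    uint32_t    operation;      /* Operation member                        */
    int         kernel_handle;  /* KernelHandle flag: request from kernel  */
    uint32_t    source_pid;     /* from PsGetCurrentProcessId()            */
    uint32_t    target_pid;     /* derived from the Object member          */
    const char *source_path;    /* exe path of the opener, NULL if unknown */
    const char *target_path;    /* exe path of the process being opened    */
    uint32_t    desired_access; /* requested mask, from Parameters         */
};

/* The two lists the page describes: protected programs and exceptions. */
struct policy {
    const char *const *protected_paths; size_t n_protected;
    const char *const *exception_paths; size_t n_exceptions;
};

/* Windows paths compare case-insensitively; ASCII-only in this model. */
static int path_equal(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return 0;
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

static int in_list(const char *const *list, size_t n, const char *path)
{
    for (size_t i = 0; i < n; i++)
        if (path_equal(list[i], path))
            return 1;
    return 0;
}

/* Returns the access mask the handle should end up with. In a driver the
 * result would be written back to the DesiredAccess field under Parameters
 * (CreateHandleInformation or DuplicateHandleInformation). */
uint32_t filter_desired_access(const struct policy *p,
                               const struct handle_request *r)
{
    if (r->operation != OB_OPERATION_HANDLE_CREATE &&
        r->operation != OB_OPERATION_HANDLE_DUPLICATE)
        return r->desired_access;
    if (r->kernel_handle)                  /* never interfere with the kernel */
        return r->desired_access;
    if (r->source_pid == r->target_pid)    /* a process opening itself */
        return r->desired_access;
    if (!in_list(p->protected_paths, p->n_protected, r->target_path))
        return r->desired_access;          /* target is not protected */
    if (in_list(p->exception_paths, p->n_exceptions, r->source_path))
        return r->desired_access;          /* opener is an allowed exception */
    /* Unknown opener (NULL path) also lands here: the model fails closed. */
    return r->desired_access & ~DENIED_RIGHTS;
}

/* Constructed sample policy; the protected path is the page's own example. */
static const char *const SAMPLE_PROTECTED[]  = { "C:\\folder\\process.exe" };
static const char *const SAMPLE_EXCEPTIONS[] = { "C:\\tools\\debugger.exe" };
static const struct policy SAMPLE_POLICY = {
    SAMPLE_PROTECTED, 1, SAMPLE_EXCEPTIONS, 1
};

uint32_t sample_request(uint32_t op, int kernel_handle,
                        const char *src_path, uint32_t src_pid,
                        const char *dst_path, uint32_t dst_pid,
                        uint32_t access)
{
    struct handle_request r = { op, kernel_handle, src_pid, dst_pid,
                                src_path, dst_path, access };
    return filter_desired_access(&SAMPLE_POLICY, &r);
}

int main(void)
{
    printf("unlisted opener: 0x%06X\n", (unsigned)sample_request(
        OB_OPERATION_HANDLE_CREATE, 0, "C:\\temp\\unknown.exe", 100,
        "c:\\FOLDER\\Process.exe", 200, PROCESS_ALL_ACCESS));
    printf("exception list:  0x%06X\n", (unsigned)sample_request(
        OB_OPERATION_HANDLE_CREATE, 0, "C:\\tools\\debugger.exe", 101,
        "C:\\folder\\process.exe", 200, PROCESS_ALL_ACCESS));
    return 0;
}
```

Matching on the exe path alone, as the page describes, means the exception list is only as trustworthy as the write permissions on those paths.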
In summary, the present invention provides a method, a system, a device, and a medium for protecting software running on a Windows system. A driver and a configuration program are installed on the computer through an installation package, and the driver is configured to start automatically at boot. The program to be protected is then selected through the configuration program, and a strategy is added and saved. The driver protects the software running in the system according to the strategy: when a process handle is created that the strategy does not allow, the driver cancels the authority of that handle so that the protected process cannot be accessed through it. Therefore, the invention adopts an external protection scheme based on the Windows system, uses a Windows kernel driver to monitor all process accesses in the system, and directly intercepts illegal accesses through the driver. Combined with the configuration tool, the driver-level software protection used by the invention can provide a configurable protection strategy, so that the normal operation of the software is not affected while the software is protected from attacks such as debugging and injection, and third-party programs can be effectively protected.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions.
It should be noted that in the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the terms first, second, third and the like are for convenience only and do not denote any order. These words are to be understood as part of the name of the component.
Furthermore, it should be noted that in the description of the present specification, the description of the term "one embodiment", "some embodiments", "examples", "specific examples" or "some examples", etc., means that a specific feature, structure, material or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, the claims should be construed to include preferred embodiments and all changes and modifications that fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention should also include such modifications and variations.

Claims (10)

1. A software running protection method of a Windows system is characterized by comprising the following steps:
creating a protection driver under a Windows system;
registering a callback function for monitoring creation of a process handle through the protection driver;
acquiring target process information and/or source process information of a process handle according to the incoming parameters of the callback function and the PsGetCurrentProcessId function;
and based on the target process information and/or the source process information, canceling the authority of the process handle for the process which does not conform to the preset protection strategy.
2. The software running protection method for Windows system as claimed in claim 1, further comprising, after creating the protection driver under Windows system:
creating an interface configuration tool that communicatively interacts with the protection driver;
after logging in to the interface configuration tool using encryption verification, checking and/or modifying the protection strategy stored in the protection driver through the interface configuration tool;
wherein the interface configuration tool uses a binary encrypted data stream for information transmission.
3. The software operation protection method of Windows system as claimed in claim 1, wherein registering a callback function for monitoring creation of a process handle by said protection driver comprises:
when the protection driver is started, registering the callback function objectPreCallback by having the protection driver call the system API, and keeping the callback function objectPreCallback running continuously so as to monitor the creation of handles of all processes.
4. The software running protection method for Windows system as claimed in claim 1, wherein the protection driver is configured to be automatically started up with the Windows system.
5. The software operation protection method of Windows system as claimed in claim 1, wherein creating the process handle includes: creating, through the NtOpenProcess function, handles which are associated with the processes and used for accessing the target program.
6. The software running protection method of the Windows system according to claim 1, wherein the revoking of the authority of the process handle for the process that does not comply with the preset protection policy based on the target process information and/or the source process information comprises:
comparing the target process information and/or the source process information of the handle with a protection strategy stored in the protection driver;
if the access is confirmed to be forbidden, the protection operation is started, and the read, write and close authority of the handle to the target process is cancelled.
7. The software operation protection method for Windows system as claimed in any one of claims 1-6, wherein the protection driver is at ring0 level and the configuration tool is at ring3 level.
8. A software operation protection system of a Windows system, comprising:
the system comprises a program creating module, a program executing module and a software module, wherein the program creating module is used for creating a protection driver under a Windows system and an interface configuration tool which is in communication interaction with the protection driver;
the function registration module is used for registering, through the protection driver, a callback function for monitoring creation of a process handle;
the process information acquisition module is used for acquiring target process information and/or source process information of the process handle by a user according to the incoming parameters of the callback function and the PsGetCurrentProcessId function;
the authority judgment module is used for canceling the authority of the process handle for the process which does not conform to the preset protection strategy based on the target process information and/or the source process information;
the interface configuration tool uses a binary encrypted data stream for information transmission; the protection driver stores the protection strategies.
9. A software operation protection system of a Windows system, comprising:
at least one database;
and a memory communicatively coupled to the at least one database;
wherein the memory stores instructions executable by the at least one database to enable the at least one database to perform a method of software runtime protection for Windows systems according to any of claims 1-7.
10. A computer-readable medium having stored thereon computer-executable instructions, which when executed by a processor, implement a software operation protection method for Windows systems according to any of claims 1 to 7.
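The decision step of claims 1 and 6, as an added example that is not code from the patent or its applicant: a portable user-mode C model of the check a pre-operation handle callback would make, returning the access mask a new handle should actually receive. The `PROCESS_*` values are the Windows SDK constants; the rule structure, the function name, the sample PIDs, the reading of "close" as terminate, and the exemptions for kernel handles and self-opens are assumptions of this example. In a driver the same logic would sit in the callback registered through the documented `ObRegisterCallbacks` API (the patent says only "system api"), with the source taken from `PsGetCurrentProcessId` and the result written back to the handle's desired access.

```c
#include <stdint.h>
#include <stddef.h>

/* Process access-right bits as defined in the Windows SDK (winnt.h). */
#define PROCESS_TERMINATE     0x0001u
#define PROCESS_VM_OPERATION  0x0008u
#define PROCESS_VM_READ       0x0010u
#define PROCESS_VM_WRITE      0x0020u

/* Rights removed for a denied opener: read, write and "close"
 * (assumed here to mean terminate). */
#define DENIED_RIGHTS (PROCESS_TERMINATE | PROCESS_VM_OPERATION | \
                       PROCESS_VM_READ | PROCESS_VM_WRITE)

/* Hypothetical policy entry: one protected target and the openers it trusts. */
typedef struct {
    uint32_t target_pid;
    const uint32_t *trusted_pids;
    size_t trusted_count;
} protect_rule;

/* Returns the access mask the new handle should receive. */
uint32_t filter_desired_access(const protect_rule *rules, size_t n_rules,
                               uint32_t source_pid, uint32_t target_pid,
                               uint32_t desired_access, int kernel_handle)
{
    /* Assumption: kernel-mode handles and self-opens are left untouched. */
    if (kernel_handle || source_pid == target_pid)
        return desired_access;
    for (size_t i = 0; i < n_rules; i++) {
        if (rules[i].target_pid != target_pid)
            continue;
        for (size_t j = 0; j < rules[i].trusted_count; j++)
            if (rules[i].trusted_pids[j] == source_pid)
                return desired_access;           /* trusted opener */
        /* Strip only the dangerous bits; harmless query rights survive. */
        return desired_access & ~DENIED_RIGHTS;
    }
    return desired_access;                       /* target is not protected */
}

/* Constructed sample policy: PID 4120 is protected, PID 880 is its trusted tool. */
static const uint32_t SAMPLE_TRUSTED[] = { 880 };
static const protect_rule SAMPLE_POLICY[] = { { 4120, SAMPLE_TRUSTED, 1 } };
```

Stripping bits instead of failing the open leaves the caller holding a valid handle, so the denial shows up only when a later read, write or terminate call fails for lack of rights.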
CN202111450408.5A 2021-11-30 2021-11-30 Software protection method, system, equipment and medium for Windows system Pending CN114238947A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111450408.5A CN114238947A (en) 2021-11-30 2021-11-30 Software protection method, system, equipment and medium for Windows system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111450408.5A CN114238947A (en) 2021-11-30 2021-11-30 Software protection method, system, equipment and medium for Windows system

Publications (1)

Publication Number Publication Date
CN114238947A true CN114238947A (en) 2022-03-25

Family

ID=80752480

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111450408.5A Pending CN114238947A (en) 2021-11-30 2021-11-30 Software protection method, system, equipment and medium for Windows system

Country Status (1)

Country Link
CN (1) CN114238947A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114896647A (en) * 2022-05-07 2022-08-12 青矩技术股份有限公司 Method and system for automatic modeling of injection type operation modeling software

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination