CN114943074A - Process killing prevention method and device and computer equipment - Google Patents


Info

Publication number
CN114943074A
Authority
CN
China
Prior art keywords
target
identification code
determining
file
closing
Prior art date
Legal status
Pending
Application number
CN202210340833.7A
Other languages
Chinese (zh)
Inventor
李肯立
袁理想
肖国庆
杨圣洪
段明星
蔡宇辉
陈玥丹
Current Assignee
Hunan University
Original Assignee
Hunan University
Application filed by Hunan University
Priority to CN202210340833.7A
Publication of CN114943074A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The application relates to a process killing prevention method and device and computer equipment. The method comprises the following steps: acquiring the process file of a process to be protected from being killed, and determining an identification code corresponding to the process file; when it is detected that a closing process has been generated in the system, determining the target process that the closing process is about to close, and acquiring the target process file of the target process; determining a target identification code corresponding to the target process file; and if the target identification code is consistent with the identification code, stopping execution of the closing process. In this scheme, if the target identification code is consistent with the identification code of the process to be protected from being killed, the target of the closing process is the same as the process to be protected, that is, the process about to be closed in the system is a process that needs protection, so execution of the closing process is prevented, and the situation in which the process cannot be protected because its address or name has changed is avoided.

Description

Process killing prevention method and device and computer equipment
Technical Field
The present application relates to the field of process monitoring technologies, and in particular, to a process killing prevention method and apparatus, and a computer device.
Background
In recent years, with the rapid development and popularization of computer technology, computers play an increasingly important role in industrial production, and installing application software on an industrial host greatly improves the efficiency and quality of industrial production. For example, by installing equipment detection software on the industrial host, the working condition of each piece of industrial equipment, its operating information, the specific value of each of its indicators and any equipment fault can be detected immediately; by installing information statistics software on the industrial host, the output information of each industrial device over a certain period of time can be calculated and recorded.
At the same time, however, incidents of hackers attacking industrial hosts occur frequently. When a hacker invades the system of an industrial host, the hacker generally closes the process of the application software that executes the monitoring task, either through the task manager or through malicious software. The process of the monitoring application on the industrial host is thus maliciously terminated and the monitoring task can no longer be carried out; the hacker then goes on to damage the system and steal system data, which seriously affects the operating stability of the industrial host's system and seriously threatens its safety.
At present, process killing prevention on Windows systems is generally implemented by methods such as hooking OpenProcess, NtTerminateProcess or ObReferenceObjectByHandle. However, these methods can be bypassed by techniques such as clear 0, PspTerminateProcess, PspExitThread and the like; that is, if the malware modifies the name or address of the process of the application software to be protected, the traditional process killing prevention method can no longer protect that application software, and it is still closed by the malware.
Therefore, how to prevent the process of the application software from being maliciously closed and to ensure the stability and safety of system operation is a technical problem that those skilled in the art currently need to solve.
Disclosure of Invention
In view of the above, it is necessary to provide a process killing prevention method, apparatus, computer device, computer-readable storage medium and computer program product capable of preventing the process of application software from being maliciously closed.
In a first aspect, the present application provides a process killing prevention method. The method comprises the following steps:
acquiring the process file of a process to be protected from being killed, and determining an identification code corresponding to the process file;
when it is detected that a closing process has been generated in the system, determining the target process corresponding to the closing process, and acquiring the target process file of the target process;
determining a target identification code corresponding to the target process file;
and if the target identification code is consistent with the identification code, stopping execution of the closing process.
In one embodiment, detecting that a closing process has been generated in the system includes:
detecting the closing process generated in the system by means of a callback function.
In one embodiment, detecting that a closing process has been generated in the system includes:
detecting whether a process handle operation exists in the system;
if a process handle operation exists, determining the operation type of the process handle operation;
if the operation type is a handle creation operation, determining the creation type of the handle creation operation;
and if the creation type is a close-process handle operation, judging that a closing process generated in the system has been detected.
In one embodiment, after judging that a closing process generated in the system has been detected because the creation type is a close-process handle operation, the method further includes:
determining, according to the process handle information corresponding to the close-process handle operation, whether the target object of the closing process and the execution object of the closing process belong to the same process;
and if they belong to the same process, allowing the closing process to be executed.
In one embodiment, acquiring the target process file of the target process includes:
acquiring the target system absolute path corresponding to the target process;
and determining the target process file corresponding to the closing process according to the target system absolute path.
In one embodiment, acquiring the target system absolute path corresponding to the target process includes:
acquiring the target user absolute path of the target process;
and determining the target system absolute path corresponding to the target user absolute path according to a preset correspondence between user absolute paths and system absolute paths.
In one embodiment, determining the target identification code corresponding to the target process file includes:
acquiring MD5 algorithm information corresponding to the MD5 (Message-Digest Algorithm 5) algorithm;
splicing the MD5 algorithm information and the target process file together to obtain a combined text;
performing an MD5 hash calculation on the combined text to obtain a digest string;
and obtaining the target identification code from the digest string.
In one embodiment, acquiring the process file of a process to be protected from being killed and determining the identification code corresponding to the process file includes:
acquiring the process files of a plurality of processes to be protected from being killed;
determining the identification code corresponding to each process file;
and storing each identification code in a global array.
In a second aspect, the application further provides a process killing prevention device. The device comprises:
a first determining module, used for acquiring the process file of a process to be protected from being killed and determining an identification code corresponding to the process file;
an acquisition module, used for determining, when it is detected that a closing process has been generated in the system, the target process corresponding to the closing process, and acquiring the target process file of the target process;
a second determining module, used for determining the target identification code corresponding to the target process file;
and an execution module, used for preventing execution of the closing process if the target identification code is consistent with the identification code.
In a third aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor that implements the following steps when executing the computer program:
acquiring the process file of a process to be protected from being killed, and determining an identification code corresponding to the process file;
when it is detected that a closing process has been generated in the system, determining the target process corresponding to the closing process, and acquiring the target process file of the target process;
determining a target identification code corresponding to the target process file;
and if the target identification code is consistent with the identification code, stopping execution of the closing process.
In a fourth aspect, the present application further provides a computer-readable storage medium. The computer-readable storage medium has stored thereon a computer program which, when executed by a processor, performs the following steps:
acquiring the process file of a process to be protected from being killed, and determining an identification code corresponding to the process file;
when it is detected that a closing process has been generated in the system, determining the target process corresponding to the closing process, and acquiring the target process file of the target process;
determining a target identification code corresponding to the target process file;
and if the target identification code is consistent with the identification code, stopping execution of the closing process.
In a fifth aspect, the present application further provides a computer program product. The computer program product comprises a computer program which, when executed by a processor, performs the following steps:
acquiring the process file of a process to be protected from being killed, and determining an identification code corresponding to the process file;
when it is detected that a closing process has been generated in the system, determining the target process corresponding to the closing process, and acquiring the target process file of the target process;
determining a target identification code corresponding to the target process file;
and if the target identification code is consistent with the identification code, stopping execution of the closing process.
According to the process killing prevention method, the process killing prevention device, the computer device, the storage medium and the computer program product, the identification code is determined from the process file of the process to be protected from being killed, and the target identification code is determined from the target process file of the process that the closing process is about to close. The identification code of a process file identifies each process to be protected, and if the process file changes, the identification code changes with it. If the target identification code is consistent with the identification code of the process to be protected, the target of the closing process is the same as the process to be protected, that is, the process about to be closed in the system is a process that needs protection; execution of the closing process is therefore prevented, and the situation in which the process cannot be protected because its address or name has changed is avoided.
Drawings
FIG. 1 is a schematic flow chart of a process killing prevention method in one embodiment;
FIG. 2 is a flowchart illustrating the step of detecting a shutdown process in the system in one embodiment;
FIG. 3 is a flow chart illustrating a process killing prevention method according to another embodiment;
FIG. 4 is a block diagram of a process kill prevention device in one embodiment;
FIG. 5 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The process killing prevention method provided by the embodiments of the application can be applied to a terminal, to a server, or to a system comprising the terminal and the server, in which case it is realized through interaction between the terminal and the server. For example, the process file of a process to be protected from being killed is obtained on the server in advance, and the identification code corresponding to the process file is determined; the identification code is then sent to the terminal. When the terminal detects that a closing process has been generated in its system, it determines the target process corresponding to the closing process and obtains the target process file of the target process; it determines the target identification code corresponding to the target process file; and it compares the calculated target identification code with the identification code sent by the server and, if the two are consistent, prevents the closing process from being executed. The terminal can be, but is not limited to, an industrial host, personal computer, notebook computer, smartphone, tablet computer, Internet of Things device, portable wearable device and the like; an industrial host refers to a device used in a production process to monitor and control machine equipment, production processes, data parameters and the like. The server may be implemented as a stand-alone server or as a server cluster consisting of a plurality of servers.
In an embodiment, as shown in FIG. 1, a process killing prevention method is provided. Taking its application to a terminal as an example, the method includes the following steps:
Step 102: acquiring the process file of a process to be protected from being killed, and determining an identification code corresponding to the process file.
The process to be protected from being killed refers to the process of application software that the user has determined in advance needs such protection; the processes to be protected may include a monitoring process, an execution process and the like, and their specific type is not limited in this embodiment. A process file refers to a file that describes the content or state information of a process. In actual operation, after the process to be protected has been determined, the kernel reads the text of the process's exe file according to the system absolute path corresponding to that process, so as to obtain the process file of the process to be protected.
The identification code refers to information that uniquely identifies the process file; its specific type is not limited in this embodiment. In addition, because the process file corresponds uniquely to the process to be protected, the identification code is also information that uniquely identifies the process to be protected.
The identification code corresponding uniquely to the process file can be determined by calculating over the text content of the process file with a preset algorithm; the preset algorithm may include the MD5 (Message-Digest Algorithm 5) algorithm.
Step 104: when it is detected that a closing process has been generated in the system, determining the target process corresponding to the closing process, and acquiring the target process file of the target process.
Here, the closing process refers to a process that performs a closing operation. The system generates a corresponding closing process in response to user operations such as clicking and input. When it is detected that a closing process has been generated in the system, the target process corresponding to the closing process is first determined, namely the process that the closing process is going to close. The corresponding target process file is then determined according to the target process.
Step 106: determining the target identification code corresponding to the target process file.
Specifically, the target identification code is likewise information that uniquely identifies the target process file; and because the target process file corresponds to the target process, the target identification code also uniquely identifies the target process. After the target process file corresponding to the target process has been determined, the target identification code of the target process file is calculated with the same preset algorithm that was used to determine the identification code of the process to be protected from being killed.
Step 108: if the target identification code is consistent with the identification code, stopping execution of the closing process.
Specifically, after the target identification code corresponding to the target process has been determined, it is compared with the identification code of the process to be protected from being killed. If the two are consistent, the target process is the same as the process to be protected, that is, the process that the closing process is about to close is exactly a process that must not be killed; therefore the closing process is prevented from executing, namely the closing process is prevented from closing the target process.
According to this process killing prevention method, the identification code is determined from the process file of the process to be protected from being killed, and the target identification code is determined from the target process file of the process that the closing process is about to close. The identification code of a process file identifies each process to be protected, and if the process file changes, the identification code changes with it. If the target identification code is consistent with the identification code of the process to be protected, the target process is the same as the process to be protected, that is, the target process about to be closed in the system is a process that needs protection; the closing process is therefore prevented from executing, and the situation in which the process cannot be protected because its address or name has changed is avoided.
On the basis of the foregoing embodiment, the present embodiment further describes and optimizes the technical solution. Specifically, in the present embodiment, detecting that a closing process has been generated in the system includes:
detecting the closing process generated in the system by means of a callback function.
A callback function refers to a function passed as a parameter. The callback is registered with ObRegisterCallbacks in the DriverEntry of the system's driver; when the system generates a corresponding process in response to a user operation, the callback function is triggered, intercepts the process and acquires the information corresponding to it; the parameter information passed to the callback function is then analysed to determine whether the process is a closing process.
Therefore, in this embodiment, the closing process generated in the system is detected with a callback function, so that closing processes in the system can be detected conveniently and quickly.
FIG. 2 is a flowchart illustrating the steps of detecting a closing process in the system according to an embodiment. On the basis of the foregoing embodiment, the present embodiment further describes and optimizes the technical solution. Specifically, in the present embodiment, detecting that a closing process has been generated in the system includes:
Step 202: detecting whether a process handle operation exists in the system.
A process handle operation refers to an operation on the handle corresponding to a process; handles are unique integer values in the system used to identify different objects, and different instances of the same type of object, such as windows, buttons, icons, scroll bars, output devices, controls or files.
It should be noted that when a process handle operation occurs in the system, the callback function is triggered; that is, whether a process handle operation exists in the system is determined by whether the callback function has been triggered.
Step 204: if a process handle operation exists, determining the operation type of the process handle operation.
Once a process handle operation exists in the system, its operation type is determined by analysing the parameter information of the callback function. Specifically, the operation types of a process handle operation include a create operation, a select operation and the like.
In this embodiment, the POB_PRE_OPERATION_INFORMATION passed to the pre-operation callback, which is registered through the OB_OPERATION_REGISTRATION member of the OB_CALLBACK_REGISTRATION structure supplied to ObRegisterCallbacks, is examined;
whether the operation type of the process handle operation is a handle creation operation is determined by whether the value of the Operation member of the POB_PRE_OPERATION_INFORMATION structure is OB_OPERATION_HANDLE_CREATE. If the Operation member of the POB_PRE_OPERATION_INFORMATION structure is OB_OPERATION_HANDLE_CREATE, the operation type of the process handle operation is judged to be a handle creation operation; otherwise, the operation type of the process handle operation is judged not to be a handle creation operation.
Step 206: if the operation type is a handle creation operation, determining the creation type of the handle creation operation.
If the operation type of the process handle operation is judged to be a handle creation operation, the creation type of the handle creation operation is further determined. The creation types of a handle creation operation include a close-process handle operation, a pause-process handle operation and the like.
In this embodiment, whether the creation type of the process handle operation is a close-process handle operation, that is, whether it is a process closing operation, is judged through the OriginalDesiredAccess member of the CreateHandleInformation structure pointed to by the Parameters member of POB_PRE_OPERATION_INFORMATION; if the OriginalDesiredAccess value is PROCESS_TERMINATE, the creation type of the handle creation operation is judged to be a close-process handle operation; otherwise, it is judged not to be a close-process handle operation.
Step 208: if the creation type is a close-process handle operation, judging that a closing process has been generated in the system.
Specifically, if the creation type of the handle creation operation is judged to be a close-process handle operation, this indicates that a closing process has been generated in the system in response to a user operation, and therefore the generation of the closing process in the system is detected.
Therefore, according to the method of this embodiment, the closing process generated in the system can be detected conveniently and accurately.
As a preferred embodiment, after judging that a closing process generated in the system has been detected because the creation type is a close-process handle operation, the method further includes:
determining, according to the process handle information corresponding to the close-process handle operation, whether the target object of the closing process and its execution object belong to the same process;
and if they belong to the same process, allowing the closing process to be executed.
Specifically, the process handle information refers to the information corresponding to the close-process handle operation. The target object of the closing process refers to the process that the closing process is going to close; the execution object of the closing process refers to the process that carries out the closing. In this embodiment, the target object and the execution object of the closing process are determined according to the process handle information corresponding to the close-process handle operation, and whether they belong to the same process is judged; if the target object and the execution object belong to the same process, the closing process is closing its own process, that is, the target process is closing itself, so the closing process is allowed to execute; otherwise the closing process is prevented from executing.
Therefore, in this embodiment, whether the closing process is allowed to execute is decided by further judging whether the closing process and the target process belong to the same process, so that normal closing of the target process is not affected.
On the basis of the foregoing embodiment, this embodiment further describes and optimizes the technical solution. Specifically, in this embodiment, acquiring the target process file of the target process includes:
acquiring the target system absolute path corresponding to the target process;
and determining the target process file corresponding to the closing process according to the target system absolute path.
A system absolute path, also called a complete path, is the path from the root directory to the location of a file; the target system absolute path is the path from the root directory to the location of the target process file corresponding to the target process, that is, the target process file of the target process can be found from the target system absolute path.
Therefore, according to the method of this embodiment, the target process file of the target process can be acquired quickly and conveniently.
As a preferred embodiment, acquiring the target system absolute path corresponding to the target process includes:
acquiring the target user absolute path of the target process;
and determining the target system absolute path corresponding to the target user absolute path according to the preset correspondence between user absolute paths and system absolute paths.
A user absolute path, also called a relative path, is the path to a file's location from the directory in which the program currently resides; the target user absolute path is the user absolute path corresponding to the target process. Generally there is a correspondence between user absolute paths and system absolute paths, that is, the corresponding system absolute path can be obtained by mapping from the user absolute path.
In this embodiment, after the target process has been determined, the user absolute path of the target process is obtained through the ObOpenObjectByPointer function and the ZwQueryInformationProcess function; the target system absolute path corresponding to the target user absolute path of the target process is then determined according to the correspondence between user absolute paths and system absolute paths. More specifically, ObOpenObjectByPointer, given the pointer to the target process provided by POB_PRE_OPERATION_INFORMATION, fills in a caller-allocated variable (passed as a PHANDLE) that receives a handle to the object; ZwQueryInformationProcess is then called through that handle with the information class ProcessImageFileName (which retrieves a UNICODE_STRING containing the process image file name), thereby obtaining the target user absolute path of the target process.
Therefore, according to the method of this embodiment, the target process file of the target process can be acquired quickly and conveniently.
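The detection logic of steps 202 to 208, the same-process check and the user-to-system path mapping above, worked through as an added Python simulation that is not the patent's code nor any driver's: the kernel structures are reduced to a constructed dataclass mirroring only the fields the method reads, the path correspondence table and the process files are constructed, and the constants carry the values the Windows headers define for them. It follows the page's terminology, treating the string returned by ZwQueryInformationProcess as the user absolute path. Two points go beyond the page's wording and are assumptions of this example: PROCESS_TERMINATE is tested as a bit of the access mask rather than by equality, and the blocked case is expressed by clearing PROCESS_TERMINATE from the granted access mask, which is how an object pre-operation callback stops a termination handle in practice.

```python
import hashlib
from dataclasses import dataclass

# Operation and access-mask constants with the values the Windows kernel
# headers define for them (real names and values).
OB_OPERATION_HANDLE_CREATE = 1
OB_OPERATION_HANDLE_DUPLICATE = 2
PROCESS_TERMINATE = 0x0001
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Constructed preset correspondence between user absolute paths and system
# absolute paths (assumption: the page does not give the table's contents).
PATH_CORRESPONDENCE = {
    "\\Device\\HarddiskVolume2\\": "C:\\",
}

# Constructed stand-in for the file system: system absolute path -> image bytes.
PROCESS_FILES = {
    "C:\\Monitor\\monitor.exe": b"MZ constructed image of the monitoring software",
    "C:\\Tools\\editor.exe": b"MZ constructed image of an unrelated program",
}


@dataclass
class PreOperationInfo:
    """Constructed mirror of the fields the method reads from the
    OB_PRE_OPERATION_INFORMATION passed to the callback; not the WDK structure."""
    operation: int               # OB_OPERATION_HANDLE_CREATE / _DUPLICATE
    caller_pid: int              # execution object: process requesting the handle
    target_pid: int              # target object: process the handle refers to
    target_user_path: str        # ZwQueryInformationProcess(ProcessImageFileName)
    original_desired_access: int
    desired_access: int          # mask the callback may strip bits from


def identification_code(process_file: bytes) -> str:
    """Identification code of a process file, reduced here to MD5 of its bytes."""
    return hashlib.md5(process_file).hexdigest()


def to_system_absolute_path(user_path: str) -> str:
    """Map a user absolute path to a system absolute path via the preset table."""
    for user_prefix, system_prefix in PATH_CORRESPONDENCE.items():
        if user_path.startswith(user_prefix):
            return system_prefix + user_path[len(user_prefix):]
    raise ValueError(f"no correspondence for {user_path!r}")


def is_close_process_handle_operation(info: PreOperationInfo) -> bool:
    """Steps 204 and 206: a handle creation whose original desired access asks
    for PROCESS_TERMINATE (tested as a bit, since the access mask is a bit field)."""
    return (info.operation == OB_OPERATION_HANDLE_CREATE
            and bool(info.original_desired_access & PROCESS_TERMINATE))


def pre_operation_callback(info: PreOperationInfo, protected_codes: set) -> tuple:
    """Decision of the driver's pre-operation callback: (verdict, granted mask).
    A pre-operation callback cannot reject the request outright; the close is
    stopped by clearing PROCESS_TERMINATE from the access that will be granted."""
    if not is_close_process_handle_operation(info):
        return "not-a-close", info.desired_access
    if info.caller_pid == info.target_pid:          # a process closing itself
        return "allowed-self", info.desired_access
    system_path = to_system_absolute_path(info.target_user_path)
    code = identification_code(PROCESS_FILES[system_path])
    if code in protected_codes:
        return "blocked", info.desired_access & ~PROCESS_TERMINATE
    return "allowed", info.desired_access


def protected_codes_for(*system_paths: str) -> set:
    """The global array of identification codes of the processes to be protected."""
    return {identification_code(PROCESS_FILES[p]) for p in system_paths}


def demo() -> list:
    protected = protected_codes_for("C:\\Monitor\\monitor.exe")
    access = PROCESS_TERMINATE | PROCESS_QUERY_LIMITED_INFORMATION
    monitor = "\\Device\\HarddiskVolume2\\Monitor\\monitor.exe"
    editor = "\\Device\\HarddiskVolume2\\Tools\\editor.exe"
    cases = [
        # another process (e.g. a task manager) asks for PROCESS_TERMINATE on the monitor
        PreOperationInfo(OB_OPERATION_HANDLE_CREATE, 4321, 1234, monitor, access, access),
        # the monitor opens a handle to itself
        PreOperationInfo(OB_OPERATION_HANDLE_CREATE, 1234, 1234, monitor, access, access),
        # the same request against an unprotected program
        PreOperationInfo(OB_OPERATION_HANDLE_CREATE, 4321, 5678, editor, access, access),
        # a handle duplication is not a close-process handle operation
        PreOperationInfo(OB_OPERATION_HANDLE_DUPLICATE, 4321, 1234, monitor, access, access),
    ]
    return [pre_operation_callback(c, protected) for c in cases]


if __name__ == "__main__":
    for verdict, mask in demo():
        print(f"{verdict:14s} granted access mask = {mask:#06x}")
```

Only the first case loses PROCESS_TERMINATE; the self-close case, the unprotected program and the duplication request keep the mask they asked for, which is the behaviour the embodiment describes.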
On the basis of the foregoing embodiment, this embodiment further describes and optimizes the technical solution, and specifically, in this embodiment, determining the target identification code corresponding to the target process file includes:
acquiring MD5 algorithm information corresponding to the MD5 algorithm;
splicing and combining the MD5 algorithm information and the target process file to obtain a combined text;
carrying out encryption calculation on the combined text by using an MD5 algorithm to obtain an encrypted character string;
and obtaining the target identification code according to the encrypted character string.
The MD5 Algorithm (fifth version of Message Digest Algorithm) is a hash function widely used in the field of computer security to provide integrity protection for messages. The MD5 algorithm has the following characteristics:
compressibility: the length of the MD5 code calculated for data of any length is fixed;
easy to calculate: the process of calculating the MD5 code according to the data is simple;
resistance to modification: the obtained MD5 code is very different when the data is changed by only 1 byte;
strong collision resistance: it is very difficult to forge data having the same MD5 code.
Therefore, the MD5 algorithm is preferably used for the encryption calculation in this embodiment.
Specifically, MD5 algorithm information corresponding to the MD5 algorithm is obtained first, the MD5 algorithm information being information that characterizes the algorithm; the MD5 algorithm information and the target process file are spliced and combined to obtain a combined text; an encryption calculation is then carried out on the combined text with the MD5 algorithm to obtain an encrypted character string of fixed length; and this encrypted character string is used as the target identification code identifying the target process file.
It should be noted that the way of calculating the process file to obtain the corresponding identification code is the same as the way of calculating the target identification code for the target process file, and this embodiment does not describe this process again.
Therefore, the target identification code for identifying the target process is calculated by utilizing the MD5 algorithm, the calculation mode is convenient and fast, and the safety is high.
On the basis of the foregoing embodiment, this embodiment further describes and optimizes the technical solution, and specifically, in this embodiment, acquiring a process file of a process to be protected and killed, and determining an identification code corresponding to the process file includes:
acquiring process files of a plurality of processes to be protected and killed; determining identification codes respectively corresponding to the process files; each identification code is stored in a global array.
It will be appreciated that in practice there may be a number of processes that require protection against killing. Therefore, in this embodiment, the process files corresponding to a plurality of processes to be protected against killing are obtained; the corresponding identification code is calculated for each process file; and each calculated identification code is stored in a preset global array.
It will be appreciated that the scope of the global array is global and exists with the beginning of the program and disappears at the end of the program. The identification codes of the processes to be prevented and killed are arranged in the global array, so that the identification codes can be conveniently acquired subsequently, and the convenience of preventing and killing the processes is improved.
In other embodiments, a global variable identifying the number of identification codes in the global array may further be set, that is, the global variable records the number of processes currently set to be protected against killing. When the identification code corresponding to a process to be protected against killing is added to or deleted from the global array, the global variable corresponding to the global array must be updated accordingly, so that the number of processes to be protected against killing can be determined conveniently and intuitively.
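As an added illustration (not code from the patent), the following Python builds the identification code of the embodiment above: it splices an "algorithm information" string in front of the process file bytes, runs MD5 over the combined text and keeps the resulting 32-character codes in a global array with a global counter that is kept consistent on insertion and deletion, as the two embodiments above describe. The algorithm-information value and the sample process files are constructed, since the page does not give them.

```python
import hashlib
from typing import List

# Assumed value: the page does not say what the "MD5 algorithm information"
# is, so a placeholder label is spliced in front of the file content.
ALGORITHM_INFO = b"MD5"

# Global array of identification codes plus the global counter that the
# embodiment keeps in step with it.
_WHITELIST_CODES: List[str] = []
_WHITELIST_COUNT = 0


def identification_code(process_file: bytes,
                        algorithm_info: bytes = ALGORITHM_INFO) -> str:
    """Splice the algorithm information and the process file into one
    combined text, hash it with MD5 and return the 32-character hex string."""
    combined_text = algorithm_info + process_file
    return hashlib.md5(combined_text).hexdigest()


def build_whitelist(process_files: List[bytes]) -> List[str]:
    """Compute a code for every process file to be protected, store the codes
    in the global array and refresh the global counter."""
    global _WHITELIST_COUNT
    _WHITELIST_CODES.clear()
    for content in process_files:
        code = identification_code(content)
        if code not in _WHITELIST_CODES:   # the same file listed twice is one entry
            _WHITELIST_CODES.append(code)
    _WHITELIST_COUNT = len(_WHITELIST_CODES)
    return list(_WHITELIST_CODES)


def remove_from_whitelist(code: str) -> bool:
    """Delete one code and keep the counter consistent with the array."""
    global _WHITELIST_COUNT
    if code not in _WHITELIST_CODES:
        return False
    _WHITELIST_CODES.remove(code)
    _WHITELIST_COUNT = len(_WHITELIST_CODES)
    return True


def whitelist_size() -> int:
    """The global variable that records how many processes are protected."""
    return _WHITELIST_COUNT


def is_protected(target_process_file: bytes) -> bool:
    """Does the target's code match any code stored in the global array?"""
    return identification_code(target_process_file) in _WHITELIST_CODES


if __name__ == "__main__":
    # Constructed sample "process files": a few bytes stand in for executables.
    agent = b"MZ\x90\x00 constructed security agent image"
    helper = b"MZ\x90\x00 constructed helper service image"
    codes = build_whitelist([agent, helper, agent])
    print(whitelist_size(), codes)          # two codes of 32 hex characters
    print(is_protected(agent))              # True: content matches
    print(is_protected(agent + b"\x00"))    # False: one extra byte changes the code
```

Because the code is derived from file content only, renaming or moving the executable does not change it, which is the property the embodiment relies on. Note that MD5 is no longer collision resistant (chosen-prefix collisions are practical today), so a production build would use SHA-256 through the same `hashlib` call pattern; the array and matching logic are unchanged by that swap.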
In order to make those skilled in the art better understand the technical solutions in the present application, the following describes the technical solutions in the embodiments of the present application in detail with reference to practical application scenarios. With reference to fig. 3, a flow chart of another process killing prevention method is shown; in the embodiment of the present application, the identification code is an MD5 code, which is explained as an example, and the specific steps are as follows:
step 302, setting a process anti-killing white list; the process anti-killing white list comprises identification information of the process to be prevented and killed;
step 304, reading a process file corresponding to the process to be protected and killed through a kernel according to the identification information of the process to be protected and killed in the process protection and killing white list, calculating a corresponding MD5 code based on the text content of the process file, and using the MD5 code as the identification of the corresponding process file; the MD5 code is an encrypted character string consisting of 32 characters; applying for a global array for storing MD5 codes corresponding to each program to be prevented and killed in a process anti-killing white list; applying for a global variable, and recording the number of processes to be prevented and killed in a process prevention and killing white list, namely recording the number of MD5 codes in a global array;
step 306, registering a callback function with ObRegisterCallbacks in the DriverEntry routine of the driver; when a process handle operation occurs in the system, the callback function is triggered, and the process handle information is obtained from the parameters of the callback function;
step 308, obtaining the POB_PRE_OPERATION_INFORMATION structure passed to the pre-operation callback that was registered with ObRegisterCallbacks (through the OB_OPERATION_REGISTRATION member of the OB_CALLBACK_REGISTRATION structure); POB_PRE_OPERATION_INFORMATION provides information about the process or thread handle operation; the process structure pointer is acquired from the Object member of POB_PRE_OPERATION_INFORMATION, which determines the target process;
step 310, determining whether the operation type of the process handle operation is a handle creation operation by checking whether the Operation member (the type of handle operation) of the POB_PRE_OPERATION_INFORMATION structure equals OB_OPERATION_HANDLE_CREATE; if it does, the operation type is determined to be a handle creation operation and the flow enters step 312; if not, the operation type is determined not to be a handle creation operation and the flow enters step 324;
step 312, determining whether the creation type of the handle creation operation is a process handle closing operation; this is judged through the OriginalDesiredAccess member of the CreateHandleInformation structure in the Parameters union of POB_PRE_OPERATION_INFORMATION; if OriginalDesiredAccess is PROCESS_TERMINATE, the creation type is judged to be a closing process handle operation, that is, a closing process is judged to have been generated in the system, and step 314 is entered; otherwise, the creation type is judged not to be a closing process handle operation, and step 324 is entered;
step 314, determining whether the target object and the target execution object for closing the process belong to the same process according to the process handle information; if not, go to step 316; if the processes belong to the same process, go to step 324;
step 316, according to the target process obtained in step 308, obtaining the target user absolute path of the target process through the ObOpenObjectByPointer and ZwQueryInformationProcess functions; determining the target system absolute path corresponding to the target user absolute path according to the preset corresponding relation between user absolute paths and system absolute paths;
step 318, acquiring a target process file of the target process according to the target system absolute path, and calculating a target MD5 code corresponding to the target process in the kernel according to the target process file;
step 320, acquiring a target MD5 code, and judging whether an MD5 code identical to the target MD5 code exists in the global array, namely judging whether a target process corresponding to the target MD5 code is a to-be-prevented and killed process in a process anti-killing white list; if so, go to step 322; if not, go to step 324;
step 322, clearing PROCESS_TERMINATE from the DesiredAccess member of the CreateHandleInformation structure in the Parameters union of POB_PRE_OPERATION_INFORMATION (DesiredAccess &= ~PROCESS_TERMINATE); once this is set, the system cannot execute the process handle closing operation, because the handle it grants no longer carries the terminate right, and the target process is thereby prevented from being shut down.
step 324, the closing process is allowed to execute, and the callback returns the status OB_PREOP_SUCCESS.
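The decision flow of steps 306 to 324, modelled in user-mode Python as an added example that is not the patent's own driver code. The constants carry the values the Windows SDK headers define for them; the OB_PRE_OPERATION_INFORMATION structure is reduced to the members the flow reads, with the Object pointer replaced by the PID and image path the driver would derive from it in steps 308 and 316; the device-path-to-drive-letter table that stands in for the preset user/system path correspondence of step 316, the file contents read in step 318 and the PIDs are all constructed. The step 312 check tests the PROCESS_TERMINATE bit rather than comparing the whole value, which also covers requests that combine the terminate right with other rights.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, Set

# Values as defined in the Windows SDK/WDK headers.
OB_OPERATION_HANDLE_CREATE = 0x00000001
OB_OPERATION_HANDLE_DUPLICATE = 0x00000002
OB_PREOP_SUCCESS = 0
PROCESS_TERMINATE = 0x0001
PROCESS_QUERY_INFORMATION = 0x0400

# Constructed: the preset user-path -> system-path correspondence (step 316).
# ZwQueryInformationProcess(ProcessImageFileName) yields an NT device path.
DEVICE_TO_DRIVE: Dict[str, str] = {"\\Device\\HarddiskVolume2": "C:"}

# Constructed stand-in for the files the kernel would read in step 318.
AGENT_FILE = b"MZ\x90\x00 constructed security agent image"
OTHER_FILE = b"MZ\x90\x00 constructed unrelated image"
FILES: Dict[str, bytes] = {
    "C:\\Program Files\\Agent\\agent.exe": AGENT_FILE,
    "C:\\Windows\\notepad.exe": OTHER_FILE,
}
ALGORITHM_INFO = b"MD5"   # assumed "algorithm information" prefix (step 304)


@dataclass
class CreateHandleInformation:
    OriginalDesiredAccess: int   # what the caller asked for
    DesiredAccess: int           # what the driver lets through


@dataclass
class PreOperationInformation:
    """Subset of OB_PRE_OPERATION_INFORMATION; Object is replaced by the PID
    and image path the driver would derive from it."""
    Operation: int
    target_pid: int
    target_user_path: str
    caller_pid: int              # stands in for the current (calling) process
    CreateHandleInformation: CreateHandleInformation


def to_system_path(user_path: str) -> str:
    """Step 316: map the NT device path to the system absolute path."""
    for device, drive in DEVICE_TO_DRIVE.items():
        if user_path.startswith(device + "\\"):
            return drive + user_path[len(device):]
    raise ValueError(f"no mapping for {user_path!r}")


def identification_code(content: bytes) -> str:
    return hashlib.md5(ALGORITHM_INFO + content).hexdigest()


def whitelist_for(system_paths: Iterable[str]) -> Set[str]:
    """Steps 302-304: codes of the files in the anti-killing white list."""
    return {identification_code(FILES[p]) for p in system_paths}


def pre_operation_callback(info: PreOperationInformation, whitelist: Set[str]) -> int:
    chi = info.CreateHandleInformation
    if info.Operation != OB_OPERATION_HANDLE_CREATE:          # step 310
        return OB_PREOP_SUCCESS
    if not chi.OriginalDesiredAccess & PROCESS_TERMINATE:     # step 312
        return OB_PREOP_SUCCESS
    if info.caller_pid == info.target_pid:                    # step 314
        return OB_PREOP_SUCCESS
    try:                                                      # steps 316-318
        content = FILES[to_system_path(info.target_user_path)]
    except (ValueError, KeyError):
        return OB_PREOP_SUCCESS
    if identification_code(content) in whitelist:             # steps 320-322
        chi.DesiredAccess &= ~PROCESS_TERMINATE
    return OB_PREOP_SUCCESS                                   # step 324


def handle_request(operation: int, caller_pid: int, target_pid: int,
                   user_path: str, access: int, whitelist: Set[str]) -> int:
    """Run one handle request through the callback and return the access
    mask the system would actually grant."""
    info = PreOperationInformation(operation, target_pid, user_path, caller_pid,
                                   CreateHandleInformation(access, access))
    pre_operation_callback(info, whitelist)
    return info.CreateHandleInformation.DesiredAccess


if __name__ == "__main__":
    wl = whitelist_for(["C:\\Program Files\\Agent\\agent.exe"])
    agent = "\\Device\\HarddiskVolume2\\Program Files\\Agent\\agent.exe"
    want = PROCESS_TERMINATE | PROCESS_QUERY_INFORMATION
    print(hex(handle_request(OB_OPERATION_HANDLE_CREATE, 4242, 1000, agent, want, wl)))
```

Only the PROCESS_TERMINATE bit is removed, so a caller that also asked for PROCESS_QUERY_INFORMATION still gets a usable handle; the pre-operation callback returns OB_PREOP_SUCCESS on every path, as the object-manager callback contract requires, and it only sees handles created after the driver registers, so handles opened earlier are not affected.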
According to the process anti-killing method, the corresponding identification code is determined from the process file of the process to be protected against killing, and the corresponding target identification code is determined from the target process file of the process being closed; the identification code of a process file identifies each process to be protected against killing, and if the process file changes, the identification code changes correspondingly; if the target identification code is consistent with the identification code of a process to be protected against killing, the process being closed is that protected process, that is, the process currently being closed in the system is a process that needs protection against killing, so execution of the closing process is prevented. Because the comparison is made on file content rather than on the process address or name, the situation in which a process cannot be protected because its address or name has changed is avoided, and the scheme protects processes against killing more accurately and comprehensively; moreover, the method achieves the protection of processes quickly and conveniently.
It should be understood that, although the steps in the flowcharts of the above embodiments are shown in the sequence indicated by the arrows, the steps are not necessarily performed in that sequence. Unless explicitly stated otherwise, the steps are not bound to the exact order shown and described and may be performed in other orders. Moreover, at least some of the steps in the flowcharts of the above embodiments may include multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and the order in which these sub-steps or stages are performed is not necessarily sequential; they may be performed alternately or in turn with other steps or with at least part of the sub-steps or stages of other steps.
Based on the same inventive concept, the embodiment of the application also provides a process killing prevention device for realizing the process killing prevention method. The implementation scheme for solving the problem provided by the device is similar to the implementation scheme recorded in the method, so that specific limitations in one or more process killing prevention device embodiments provided below can be referred to the limitations of the process killing prevention method in the foregoing, and details are not described herein.
In one embodiment, as shown in fig. 4, a process killing prevention apparatus is provided, including: a first determining module 402, an obtaining module 404, a second determining module 406 and an executing module 408, wherein:
a first determining module 402, configured to acquire a process file of a process to be protected and killed, and determine an identification code corresponding to the process file;
an obtaining module 404, configured to determine, when it is detected that a closing process is generated in the system, a target process corresponding to the closing process, and obtain a target process file of the target process;
a second determining module 406, configured to determine a target identification code corresponding to the target process file;
and an executing module 408, configured to prevent the closing process from being executed if the target identification code is consistent with the identification code.
The process killing prevention device provided by the embodiment of the application has the same beneficial effect as the process killing prevention method.
In one embodiment, the obtaining module comprises:
and the process acquisition submodule is used for detecting a closing process generated in the system by utilizing the callback function.
In one embodiment, the obtaining module comprises:
the detection submodule is used for detecting whether process handle operation exists in the system;
the first determining submodule is used for determining the operation type of the process handle operation if the process handle operation exists;
the second determining submodule is used for determining the creation type of the handle creation operation if the operation type is the handle creation operation;
and the third determining submodule is used for judging that the generation of the closing process in the system is detected if the creating type is the operation of closing the process handle.
In one embodiment, a process killing prevention apparatus further comprises:
a fourth determining submodule, configured to determine, according to the process handle information corresponding to the process handle closing operation, whether the target object and the target execution object of the closing process belong to the same process, and to allow the closing process to be executed if they belong to the same process.
In one embodiment, the obtaining module comprises:
an acquiring unit, configured to acquire a target system absolute path corresponding to the target process;
and the determining unit is used for determining a target process file corresponding to the closed process according to the target system absolute path.
In one embodiment, the obtaining unit includes:
the acquiring subunit is used for acquiring the target user absolute path of the target process;
and the determining subunit is used for determining a target system absolute path corresponding to the target user absolute path according to the preset corresponding relationship between the user absolute path and the system absolute path.
In one embodiment, the second determining module comprises:
the information acquisition submodule is used for acquiring MD5 algorithm information corresponding to the MD5 algorithm;
the splicing submodule is used for splicing and combining the MD5 algorithm information and the target process file to obtain a combined text;
the calculation submodule is used for carrying out encryption calculation on the combined text by utilizing an MD5 algorithm to obtain an encrypted character string;
and the identification code acquisition submodule is used for acquiring the target identification code according to the encrypted character string.
In one embodiment, the first determining module comprises:
the file acquisition submodule is used for acquiring process files of a plurality of processes to be protected and killed;
the identification code determining submodule is used for determining identification codes corresponding to the process files respectively;
and the identification code storage submodule is used for storing each identification code in the global array.
The modules in the process killing prevention device can be implemented wholly or partially by software, hardware or a combination thereof. The modules can be embedded in hardware form in, or be independent of, the processor of the computer device, or can be stored in software form in the memory of the computer device, so that the processor can call them and execute the operations corresponding to each module.
In one embodiment, a computer device is provided, which may be a terminal, and its internal structure diagram may be as shown in fig. 5. The computer device includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless communication can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a process killing prevention method. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on the shell of the computer equipment, an external keyboard, a touch pad or a mouse and the like.
Those skilled in the art will appreciate that the architecture shown in fig. 5 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory having a computer program stored therein and a processor that when executing the computer program performs the steps of:
acquiring a process file of a process to be protected and killed, and determining an identification code corresponding to the process file;
when detecting that a closing process is generated in the system, determining a target process corresponding to the closing process, and acquiring a target process file of the target process;
determining a target identification code corresponding to the target process file;
and if the target identification code is consistent with the identification code, stopping executing the closing process.
The computer equipment provided by the embodiment of the application has the same beneficial effect as the process killing prevention method.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
acquiring a process file of a process to be protected and killed, and determining an identification code corresponding to the process file;
when detecting that a closing process is generated in the system, determining a target process corresponding to the closing process, and acquiring a target process file of the target process;
determining a target identification code corresponding to the target process file;
and if the target identification code is consistent with the identification code, stopping executing the closing process.
The computer-readable storage medium provided by the embodiment of the application has the same beneficial effects as the process killing prevention method.
In one embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, performs the steps of:
acquiring a process file of a process to be protected and killed, and determining an identification code corresponding to the process file;
when detecting that a closing process is generated in the system, determining a target process corresponding to the closing process, and acquiring a target process file of the target process;
determining a target identification code corresponding to the target process file;
and if the target identification code is consistent with the identification code, stopping executing the closing process.
The computer program product provided by the embodiment of the application has the same beneficial effects as the process killing prevention method.
It should be noted that, the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above may be implemented by a computer program instructing the relevant hardware; the computer program may be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the method embodiments described above. Any reference to memory, databases or other media used in the embodiments provided herein can include at least one of non-volatile and volatile memory. Non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, Resistive Random Access Memory (ReRAM), Magnetic Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene memory and the like. Volatile memory can include Random Access Memory (RAM), external cache memory and the like. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases referred to in the various embodiments provided herein may include at least one of relational and non-relational databases. The non-relational database may include, but is not limited to, a blockchain-based distributed database and the like. The processors referred to in the embodiments provided herein may be general-purpose processors, central processing units, graphics processors, digital signal processors, programmable logic devices, quantum-computing-based data processing logic devices and the like, without limitation.
All possible combinations of the technical features in the above embodiments may not be described for the sake of brevity, but should be considered as being within the scope of the present disclosure as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (10)

1. A process killing prevention method, comprising:
acquiring a process file of a process to be protected and killed, and determining an identification code corresponding to the process file;
when a closing process is detected to be generated in a system, determining a target process corresponding to the closing process, and acquiring a target process file of the target process;
determining a target identification code corresponding to the target process file;
and if the target identification code is consistent with the identification code, stopping executing the closing process.
2. The method of claim 1, wherein detecting generation of the shutdown process in the system comprises:
and detecting a closing process generated in the system by using a callback function.
3. The method of claim 1, wherein detecting generation of the shutdown process in the system comprises:
detecting whether process handle operation exists in the system;
if the process handle operation exists, determining the operation type of the process handle operation;
if the operation type is a handle creating operation, determining the creation type of the handle creating operation;
and if the creation type is the operation of closing the process handle, judging that the closing process generated in the system is detected.
4. The method according to claim 3, wherein after determining that the generation of the shutdown process in the system is detected if the creation type is the shutdown process handle operation, further comprising:
determining whether the target object and the target execution object of the closed process belong to the same process or not according to the process handle information corresponding to the process handle closing operation;
and if the processes belong to the same process, allowing the closing process to be executed.
5. The method of claim 1, wherein obtaining the target process file of the target process comprises:
acquiring a target system absolute path corresponding to the target process;
and determining a target process file corresponding to the closed process according to the target system absolute path.
6. The method of claim 5, wherein obtaining the target system absolute path corresponding to the target process comprises:
acquiring a target user absolute path of the target process;
and determining a target system absolute path corresponding to the target user absolute path according to the corresponding relation between the preset user absolute path and the system absolute path.
7. The method of claim 1, wherein determining the target identification code corresponding to the target process file comprises:
acquiring MD5 algorithm information corresponding to the MD5 algorithm;
splicing and combining the MD5 algorithm information and the target process file to obtain a combined text;
carrying out encryption calculation on the combined text by utilizing the MD5 algorithm to obtain an encrypted character string;
and obtaining the target identification code according to the encrypted character string.
8. The method according to any one of claims 1 to 7, wherein the acquiring a process file of the process to be protected and killed, and determining an identification code corresponding to the process file, comprises:
acquiring the process files of a plurality of processes to be prevented and killed;
determining identification codes corresponding to the process files respectively;
and storing each identification code in a global array.
9. A process killing prevention apparatus, the apparatus comprising:
the first determining module is used for acquiring a process file of a process to be protected and killed and determining an identification code corresponding to the process file;
an acquiring module, configured to determine, when it is detected that a closing process is generated in the system, a target process corresponding to the closing process, and to acquire a target process file of the target process;
the second determination module is used for determining the target identification code corresponding to the target process file;
and the execution module is used for preventing the closing process from being executed if the target identification code is consistent with the identification code.
10. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 8.
CN202210340833.7A 2022-04-02 2022-04-02 Process killing prevention method and device and computer equipment Pending CN114943074A (en)

Priority Application (1)

Application number: CN202210340833.7A; priority date: 2022-04-02; filing date: 2022-04-02; title: Process killing prevention method and device and computer equipment (this application also claims its own priority and is the only member of its family)

Publication (1)

Publication number: CN114943074A (en); publication date: 2022-08-26; status: Pending

Family ID: 82907523

Country Status (1)

CN: CN114943074A (en)


Legal Events

Code: PB01; title: Publication
Code: SE01; title: Entry into force of request for substantive examination