CN114969737A - Virus processing method, device, electronic equipment and medium - Google Patents


Info

Publication number: CN114969737A
Application number: CN202210583213.6A
Authority: CN (China)
Prior art keywords: memory, virus, memory block, block, viruses
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 周泽宁
Current Assignee: Sangfor Technologies Co Ltd
Original Assignee: Sangfor Technologies Co Ltd

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
        • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
        • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a virus processing method, apparatus, electronic device and medium, and relates to the technical field of computers. The method determines whether a virus exists in the memory through memory scanning, and then, when a virus exists in the memory, performs memory handling to process the virus. In contrast to scanning and handling viruses in static files or resident items, the present application handles viruses in memory. Because a running process decrypts and releases the encrypted content of its static file, viruses in memory are not packed, encrypted or the like, so they are easy to detect and process; secondly, even if a virus has no static file or its static file changes, a virus that is to take effect must reside in a corresponding process or thread, so it can be detected and processed through memory scanning and handling, and the virus processing capacity of the computer is improved.

Description

Virus processing method, device, electronic equipment and medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method, an apparatus, an electronic device, and a medium for virus processing.
Background
With the widespread use of computers, attackers insert viruses into computer programs that destroy computer functions or data, so that an increasing number of viruses exist in computers. When a virus is present in a computer, computer information or systems may be corrupted. Because a virus in a computer does not exist independently but is hidden in other executable programs, once present it may slow the computer down or halt it, and so damage the system; for the user, personal information may be stolen, causing great influence or loss. Therefore, computer viruses need to be processed.
In recent years, virus scanning and handling in the industry have mostly been static file or resident item scanning. Firstly, in static files or resident items, virus files use various anti-detection techniques, such as packing, encryption and obfuscation, so that features cannot be extracted, or the number of features is extremely large, and the detection difficulty is increased; secondly, with the wide use of techniques such as fileless attack and process injection, viruses have no static file, so the viruses cannot be found, or the corresponding virus processes and/or threads cannot be found through process files, and the computer viruses cannot be processed.
Therefore, how to treat computer viruses is an urgent problem to be solved by the technical personnel in the field.
Disclosure of Invention
The application aims to provide a virus processing method, a virus processing device, electronic equipment and a virus processing medium, which are used for processing computer viruses.
In order to solve the above technical problem, the present application provides a method for virus processing, including:
scanning a memory so as to determine the condition that viruses exist in the memory;
performing memory handling to process the virus if it is determined that the virus is present in the memory.
Preferably, the scanning the memory includes:
loading a virus library and acquiring the memory characteristics of each virus in the virus library;
acquiring attribute characteristics of each memory block corresponding to the current process;
comparing the relationship between the attribute characteristics of each memory block and the memory characteristics of each virus, and acquiring a comparison result;
and determining the virus memory blocks according to the comparison result, and returning to the step of acquiring the attribute characteristics of each memory block corresponding to the current process.
Preferably, the memory blocks include a white memory block and a gray memory block; the method further comprises the following steps:
acquiring data used for screening the memory blocks in the virus library;
determining grey memory blocks according to the relationship between the attribute characteristics of the memory blocks and the data for screening the memory blocks;
correspondingly, the comparing the relationship between the attribute characteristics of each memory block and the memory characteristics of each virus, and obtaining the comparison result includes:
and comparing the relationship between the attribute characteristics of each grey memory block and the memory characteristics of each virus, and acquiring the comparison result.
Preferably, the determining the gray memory blocks according to the relationship between the attribute characteristics of each memory block and the data used for screening the memory blocks includes:
obtaining the protection attribute, the mapping file and the feature code of the memory block;
determining that the memory block is the grey memory block when the protection attribute of the memory block, the mapping file and the data for screening the memory block are consistent, and the feature code of the memory block and the data for screening the memory block have an intersection.
Preferably, after the determining the virus memory block according to the comparison result, the method further includes:
and recording each virus memory block.
Preferably, the performing memory handling includes:
acquiring a process and/or a thread corresponding to the current virus memory block;
and suspending the process and/or the thread and emptying the virus memory block.
Preferably, when the process and/or thread corresponding to the current virus memory block is protected by a multi-process and/or multi-thread daemon, the memory handling includes:
acquiring all the processes and/or threads corresponding to the current virus memory block;
suspending each process and/or thread and emptying the virus memory block;
and uniformly killing the processes and/or the threads.
In order to solve the above technical problem, the present application further provides a virus processing apparatus, including:
the memory scanning module is used for scanning the memory so as to determine the condition that the virus exists in the memory;
and the memory handling module is used for handling the memory so as to process the virus under the condition that the virus exists in the memory.
In order to solve the above technical problem, the present application further provides an electronic device, including:
a memory for storing a computer program;
and the processor is used for realizing the steps of virus processing when the computer program is executed.
In order to solve the above technical problem, the present application further provides a computer-readable storage medium, on which a computer program is stored, and the computer program realizes the above steps of virus processing when being executed by a processor.
According to the virus processing method, whether viruses exist in the memory is determined through memory scanning; then, when viruses exist in the memory, memory handling is performed to process the viruses. The virus is therefore processed in memory. Compared with scanning and disposing of the virus in a static file or resident item, the method of scanning and disposing of the virus in memory provided by the application has the advantage that the process decrypts and releases the encrypted content of the static file in memory, so the virus in memory is not packed, encrypted or the like and is easy to detect and dispose of; secondly, even if the virus has no static file or its static file changes, a virus that is to take effect must reside in a corresponding process or thread, so it can be detected and processed through memory scanning and handling, and the virus processing capacity of the computer is improved.
In addition, the application also provides a virus processing device, an electronic device and a computer readable storage medium, which correspond to the above mentioned virus processing method and have the same effects.
Drawings
In order to more clearly illustrate the embodiments of the present application, the drawings needed for the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
FIG. 1 is a flow chart of a method of virus processing provided herein;
FIG. 2 is a flowchart of memory scanning according to an embodiment of the present disclosure;
FIG. 3 is a flow chart illustrating filtering of memory blocks according to an embodiment of the present application;
FIG. 4 is a flowchart of memory handling according to an embodiment of the present disclosure;
FIG. 5 is a block diagram of an apparatus for virus processing according to an embodiment of the present application;
FIG. 6 is a block diagram of an electronic device according to another embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without any creative effort belong to the protection scope of the present application.
The core of the application is to provide a virus processing method, a virus processing device, electronic equipment and a virus processing medium, which are used for processing computer viruses.
For ease of understanding, the hardware structure used in the technical solution of the present application is described below. The hardware architecture for computer virus processing provided by the application mainly comprises a processor, a memory, a disk, a display and the like. At present, most computer virus scanning and processing works on static files or resident items, and virus files use various anti-detection techniques such as packing, encryption and obfuscation, which increase the difficulty of virus detection; in addition, with the wide use of techniques such as fileless attack and process injection, viruses have no static file, so they cannot be detected, or the corresponding virus processes or threads cannot be found through process files. In order to improve the capability of processing computer viruses, the method scans and processes viruses in the memory. In memory, the process has decrypted and released the encrypted content of its static file, so viruses in memory are not packed, encrypted or the like, and the processor can easily detect and process them. When determining whether a virus exists in the memory, the memory feature codes need to be matched; at this moment a large number of the process's memory pages that reside on disk are paged into memory, and when the memory feature codes match the memory features of a virus, the memory is determined to be virus memory, which is then processed. After a virus is found or its processing is completed, the virus information can be recorded and stored in the memory or shown on the display, and the virus processing result can be displayed.
In order that those skilled in the art will better understand the disclosure, the following detailed description will be given with reference to the accompanying drawings. Fig. 1 is a flowchart of a method for virus processing provided in the present application, and as shown in fig. 1, the method includes:
S10: the memory is scanned to determine the presence of a virus in the memory.
In order to process computer viruses, the positions of the viruses are determined first. Since a virus in the computer can only take effect while a corresponding process or thread exists, and a process is a running program that stores its own instructions and data in memory space, where those instructions and data are not packed, encrypted or obfuscated, the virus can be processed very easily and conveniently in memory. In implementation, viruses are discovered by memory scanning. Virus memory characteristics are the basis for identifying virus memory: the instructions and data of a virus in memory are stable, and instruction or data characteristics extracted by identifying the behaviour of the virus serve as its memory characteristics, so that whether a virus exists in the computer, and its type, can be determined according to the memory characteristics of the virus. In the memory of the system, virus information is stored in a file with a custom format, and the file storing the virus information is called the virus library. The virus library holds two parts of data: one part is the memory characteristic data of the viruses, and the other part is the data for screening memory blocks. With the development of computer technology the types of viruses keep increasing, so in order to process as many computer viruses as possible, in implementation the virus library is continuously updated, making the types and contents of virus information it contains more complete and rich.
The virus is identified by scanning the memory, i.e. by reading the memory of all processes and comparing it with the feature codes in the virus library. When reading the memory corresponding to all processes, the memory of the processes may be read one by one until the memory of all processes has been read; the memory of several processes may be read simultaneously until the memory of all processes has been read; or the memory corresponding to all processes may be acquired at the same time, which is not limited here. In implementation, when the memory of all processes or of multiple processes is read simultaneously, CPU usage is high, which increases the load on the system. An operating system usually has three levels of abstract memory management: Memory Set, Memory Pool and Memory Block. While a process runs, a Memory Pool may have several Memory Blocks to satisfy memory allocation requests; a Memory Block consists of a Memory Block structure and a number of memory units available for allocation, all Memory Blocks form a linked list, and pBlock of the Memory Pool is the head of that list. For each Memory Block, the Memory Block immediately behind it can be reached through the pNext member of the Memory Block structure at its head. The memory scanning and memory handling of the present application use memory blocks as the basic objects and determine the virus condition in the computer by traversing all memory blocks of all processes. The final determination is either that no virus exists in the memory or that a virus exists in the memory.
When the attribute features of a memory block match the memory features of a virus, the memory block is determined to be a virus memory block, i.e. the existence of the virus in memory is determined and the virus is accurately located. The virus memory blocks identified here are obtained by comparison against the memory characteristics of viruses already described in the virus library; a memory block whose content matches no memory characteristic described in the virus library is not a virus memory block at this stage, and in implementation requires further determination.
S11: when a virus is determined to be present in the memory, memory handling is performed to process the virus.
In the above step, the condition of viruses in the memory is determined through memory scanning, which covers both the absence of a virus and the presence and location of a virus. When no virus exists in the memory, no processing is needed; when a virus exists in the memory, it may affect the normal operation of the system and therefore needs to be processed. In the present application, virus processing is implemented by memory handling, which acts on the processes or threads that contain virus memory blocks. During handling, the processes or threads corresponding to the virus memory may be suspended, killed and so on, so that the virus can no longer affect the system. In implementation, when the virus process has no multi-thread and/or multi-process daemon, the process and/or thread corresponding to the virus memory block can be suspended directly and the virus memory then emptied; when the virus has multiple processes and/or threads, killing the processes and/or threads corresponding to the virus memory block directly leaves other processes that protect them, so the kill operation is ineffective.
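The two handling strategies described above, as an added illustration that is not code from the patent or from Sangfor: a small Python model of a host in which two virus processes guard each other (the daemon case of the disclosure), showing why suspending every corresponding process first, emptying the virus memory, and only then killing them uniformly succeeds where suspend-clear-kill applied one process at a time does not. The process layout, the watchdog rule (a running guardian redeploys its own image when a guarded process dies) and the signature bytes are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed memory signature for the example (illustrative bytes, not a real indicator).
VIRUS_SIGNATURE = b"\xde\xad\xbe\xef\x90\x90"


@dataclass
class Process:
    pid: int
    memory: bytearray
    guards: set = field(default_factory=set)  # pids this process restarts if they die
    suspended: bool = False


class System:
    """Minimal model of a host: its processes, a watchdog rule and the handling primitives."""

    def __init__(self, processes):
        self.procs = {p.pid: p for p in processes}
        self._next_pid = max(self.procs) + 1

    def suspend(self, pid):
        self.procs[pid].suspended = True

    def clear_block(self, pid, offset, length):
        # "Emptying the virus memory block": overwrite the matched region with zeros.
        self.procs[pid].memory[offset:offset + length] = bytes(length)

    def kill(self, pid):
        self.procs.pop(pid)
        # Watchdog rule (assumption): a *running* daemon that guards the victim
        # redeploys a copy of its own image as a new process. A suspended daemon cannot.
        for guardian in list(self.procs.values()):
            if pid in guardian.guards and not guardian.suspended:
                clone = Process(self._next_pid, bytearray(guardian.memory), {guardian.pid})
                guardian.guards.discard(pid)
                guardian.guards.add(clone.pid)
                self.procs[clone.pid] = clone
                self._next_pid += 1

    def scan(self):
        """Memory scan of S10: (pid, offset) for each process whose memory holds the signature."""
        hits = []
        for p in self.procs.values():
            off = p.memory.find(VIRUS_SIGNATURE)
            if off != -1:
                hits.append((p.pid, off))
        return hits


def build_host():
    """Two mutually guarding virus processes plus one benign process (constructed sample)."""
    payload = bytearray(b"\x00" * 16 + VIRUS_SIGNATURE + b"\x00" * 10)
    a = Process(1, bytearray(payload), guards={2})
    b = Process(2, bytearray(payload), guards={1})
    benign = Process(3, bytearray(b"hello world" * 3))
    return System([a, b, benign])


def handle_one_by_one(system):
    """Naive handling: suspend, empty and kill each virus process in turn.
    Returns the number of infected processes left afterwards."""
    for pid, off in system.scan():
        system.suspend(pid)
        system.clear_block(pid, off, len(VIRUS_SIGNATURE))
        system.kill(pid)
    return len(system.scan())


def handle_uniformly(system):
    """Handling for daemon-protected viruses: suspend all corresponding processes first,
    empty every virus memory block, then kill the processes uniformly."""
    hits = system.scan()
    for pid, _ in hits:
        system.suspend(pid)
    for pid, off in hits:
        system.clear_block(pid, off, len(VIRUS_SIGNATURE))
    for pid, _ in hits:
        system.kill(pid)
    return len(system.scan())


if __name__ == "__main__":
    print("one by one, infected left:", handle_one_by_one(build_host()))   # 2
    print("uniformly,  infected left:", handle_uniformly(build_host()))    # 0
```

In the one-by-one run the still-running guardian respawns each victim, so two infected processes remain and the scan at the end of the cycle finds the virus again; suspending both guardians before any kill removes the respawn path, and the benign process is never touched because it holds no virus memory block.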
In the virus processing method provided by this embodiment, the condition of viruses in the memory is determined through memory scanning; then, when viruses exist in the memory, memory handling is performed to process the viruses. The virus is therefore processed in memory. Compared with scanning and handling the virus in a static file or resident item, in the method of scanning and handling the virus in memory provided by this embodiment, the process decrypts and releases the encrypted content of the static file in memory, so the virus in memory is not packed, encrypted or the like and is easily detected and processed; secondly, even if the virus has no static file or its static file changes, a virus that is to take effect must reside in a corresponding process or thread, so it can be detected and processed through memory scanning and handling, and the virus processing capacity of the computer is improved.
On the basis of the above embodiments, in order to be able to determine the situation of all viruses existing in the system as much as possible and reduce the occupation of the CPU, in implementation, the scanning of the memory specifically includes:
loading a virus library and acquiring the memory characteristics of each virus in the virus library;
acquiring attribute characteristics of each memory block corresponding to the current process;
comparing the relationship between the attribute characteristics of each memory block and the memory characteristics of each virus, and acquiring a comparison result;
and determining the virus memory blocks according to the comparison result, and returning to the step of acquiring the attribute characteristics of each memory block corresponding to the current process.
Since it is determined that the virus exists in the memory by comparing all the memory blocks corresponding to the processes with the memory characteristics of the virus, the memory characteristics of the virus and the attribute characteristics of the memory blocks corresponding to the processes need to be acquired. The obtaining of the memory characteristics of the viruses is to load a virus library, that is, to read a file storing the viruses, and analyze the virus file through a custom structure to obtain the feature codes corresponding to the viruses recorded in the virus library, where the feature codes are the memory characteristics of the viruses.
Obtaining the attribute characteristics of each memory block corresponding to the process means obtaining attributes such as the protection authority of each memory block, its corresponding mapping file and the matching range of the feature code. The protection authority of a memory block refers to its readable, writable, executable and other permissions. In a process, a memory block usually has a corresponding mapping file, such as a loaded dll file or exe file: when the dll or exe file is loaded, a memory block is allocated in memory to hold the file, so these memory blocks have corresponding mapping files; for example, the mapping file corresponding to a dll file is a module file and the mapping file corresponding to an exe file is a process file. When the mapping file exists in the system, the path corresponding to the mapping file can be obtained directly through an Application Programming Interface (API) of the system. When the process memory is large, scanning every memory block in full makes the matching time too long, or pages a large number of the current process's memory pages that reside on disk into memory, so that the memory occupancy of the current process rises sharply; the matching time and memory occupancy are therefore reduced by determining the range of the feature codes in memory. If the feature code only appears between the addresses 0x100 and 0x200 and never at other addresses, only that address segment is read from memory and string matching is then performed on it. It should be noted that, since there may be multiple processes in memory and each process corresponds to multiple memory blocks, in order to reduce CPU occupation the attribute characteristics of the corresponding memory blocks are acquired process by process in implementation.
In addition, the order of the two steps of obtaining the memory characteristics of each virus in the virus library and obtaining the attribute characteristics of each memory block corresponding to the current process is not limited, and the two steps are obtained before comparing the relationship between the attribute characteristics of the memory blocks and the memory characteristics of the viruses.
After the attribute features of each memory block of the current process and the memory features of each virus are obtained, they are compared to judge whether the attribute features of each memory block match the virus features; if so, the corresponding memory block is a virus memory block, otherwise it is not. In order to determine the situation of viruses in the system as completely as possible, all memory blocks of all processes in memory need to be judged, so after judging whether each memory block of the current process is a virus memory block, all memory blocks of the remaining processes must still be judged, that is, the method returns to the step of obtaining the attribute characteristics of each memory block corresponding to the current process. When all memory blocks of each process have been traversed, the system API automatically returns the result. When comparing each memory block of the current process with the memory characteristics of the viruses, the attribute characteristics of the memory blocks may be compared one at a time, or those of several memory blocks may be compared at the same time, which is not limited here.
In the memory scanning method provided in this embodiment, the situation that viruses exist in the system is determined as completely as possible by judging whether the memory block corresponding to each process is a virus memory block; secondly, whether the corresponding memory block is a virus memory block or not is judged one by one, so that the occupation of a CPU (Central processing Unit) can be reduced.
On the basis of the above embodiment, in order to reduce the memory scanning time and increase the memory scanning speed, in implementation the memory blocks include white memory blocks and grey memory blocks, and the virus processing method further comprises:
acquiring data for screening memory blocks in a virus library;
determining grey memory blocks according to the relationship between the attribute characteristics of the memory blocks and the data for screening the memory blocks;
correspondingly, comparing the relationship between the attribute characteristics of each memory block and the memory characteristics of each virus, and obtaining the comparison result includes:
and comparing the relationship between the attribute characteristics of each grey memory block and the memory characteristics of each virus, and acquiring a comparison result.
Because the virus library includes two parts of data, one being the memory characteristics of viruses and the other the data for screening memory blocks, in order to reduce memory scanning time and improve memory scanning speed the memory blocks can be screened with the data for screening memory blocks: white memory blocks, i.e. normal memory blocks, are filtered out, and only grey memory blocks, i.e. suspected virus memory blocks, are retained, so that fewer memory blocks are compared with the memory characteristics of viruses. Fig. 2 is a flowchart of memory scanning according to an embodiment of the present disclosure. As shown in fig. 2, the method includes:
S12: loading the virus library;
S13: acquiring the memory of the current process;
S14: judging whether all memory blocks have been traversed; if so, ending, otherwise entering step S15;
S15: judging whether the memory block is a grey memory block; if not, returning to step S14, and if so, entering step S16;
S16: judging whether the memory block meets the virus memory characteristics; if not, returning to step S14; if so, going to step S17;
S17: recording the virus memory and returning to step S14.
As can be seen from fig. 2, during memory scanning the attribute features of all memory blocks of the current process are obtained first and compared with the data for screening memory blocks in the virus library; white memory blocks are filtered out according to that comparison, the portion to be compared of each remaining grey memory block is read and compared with the memory features of the viruses recorded in the virus library, and when the attribute features of a memory block match the memory features of a virus, that memory block is a virus memory block.
In the method provided by this embodiment, by screening the memory blocks only the attribute features of the grey memory blocks are compared with the memory features of viruses; compared with reading and matching feature codes over all memory blocks of every process, this reduces the memory scanning time and increases the memory scanning speed.
In the foregoing embodiment, step S15 determines whether the memory block is a grey memory block. In order to determine the grey memory block accurately, it is preferable that determining the grey memory block according to the relationship between the attribute characteristics of each memory block and the data used for screening the memory blocks includes:
obtaining the protection attribute, the mapping file and the feature-code matching range of the memory block;
and determining the memory block to be a gray memory block when its protection attribute and mapping file are consistent with the data for screening memory blocks and its feature-code matching range has an intersection with that data.
Fig. 3 is a flowchart of memory block filtering according to an embodiment of the present application. As shown in fig. 3, the process includes:
S151: acquire the attribute features of the memory block;
S152: judge whether the protection attribute of the memory block is consistent with the data for screening memory blocks; if not, go to step S155; if so, go to step S153;
S153: judge whether the mapping file is consistent with the data for screening memory blocks; if not, go to step S155; if so, go to step S154;
S154: judge whether the feature-code matching range of the memory block has an intersection with the data for screening memory blocks; if not, go to step S155; if so, go to step S156;
S155: determine the memory block to be a white memory block;
S156: determine the memory block to be a gray memory block.
As can be seen from Fig. 3, a memory block is determined to be a gray memory block only when its protection attribute and mapping file are consistent with the data used for screening memory blocks and its feature-code matching range intersects that data; when any one of these conditions is not met, the memory block is determined to be a white memory block. It should be noted that in implementation the order of steps S152, S153 and S154 is not limited: once one requirement is met, the remaining two requirements are checked in turn. In addition, the attribute features of the memory block listed in the present application are the protection attribute, the mapping file and the feature-code matching range of the memory block, but in implementation other attribute features of the memory block may also be checked; the specific attribute features are not limited here. The protection attribute, the mapping file and the feature-code matching range have been described in detail in the above embodiments and are not repeated here.
In the memory-block filtering method provided by this embodiment, a memory block is determined to be a gray memory block only when every one of its attribute features matches the corresponding data derived from the memory features of viruses. Compared with determining a gray memory block from a single attribute feature, determining it from all of the attribute features identifies gray memory blocks more accurately, so that memory blocks are screened and filtered more precisely.
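The scan loop of Fig. 2 (S14 to S17) combined with the gray/white filter of Fig. 3 (S151 to S156), written out as an added example; this is not code from the patent, and the memory blocks, the virus-library record, the feature code and the matching range below are all constructed values.

```python
"""Model of the Fig. 2 scan loop with the Fig. 3 gray/white filter.

Added example, not code from the patent: memory blocks, the virus library
and all sample values below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MemoryBlock:
    """Attribute features of one memory block of the scanned process."""
    base: int
    protect: str                  # protection attribute, e.g. "RX", "RW", "RWX"
    mapped_file: Optional[str]    # backing file, None for private memory
    content: bytes                # the block's bytes (constructed)

    @property
    def size(self) -> int:
        return len(self.content)


@dataclass(frozen=True)
class VirusEntry:
    """One virus-library record: screening data plus the memory feature."""
    name: str
    protect: frozenset            # protection attributes the virus body can have
    mapped_file: Optional[str]    # backing file the virus body can have
    match_range: Tuple[int, int]  # [lo, hi) block offsets where the feature may lie
    signature: bytes              # memory feature (feature code)


def is_gray(block: MemoryBlock, entry: VirusEntry) -> bool:
    """Fig. 3, S152-S154: gray only if every screening attribute agrees."""
    if block.protect not in entry.protect:          # S152 protection attribute
        return False                                # -> S155 white
    if block.mapped_file != entry.mapped_file:      # S153 mapping file
        return False
    lo, hi = entry.match_range                      # S154 range intersection
    return lo < block.size and hi > 0               # -> S156 gray


def scan_process(blocks: List[MemoryBlock], library: List[VirusEntry]):
    """Fig. 2, S14-S17. Returns (recorded virus blocks, bytes actually read)."""
    findings = []
    bytes_read = 0
    for block in blocks:                            # S14: traverse all blocks
        for entry in library:
            if not is_gray(block, entry):           # S15: white -> skip
                continue
            lo, hi = entry.match_range
            window = block.content[max(lo, 0):min(hi, block.size)]  # compared part only
            bytes_read += len(window)
            if entry.signature in window:           # S16: memory feature met
                findings.append((block.base, entry.name))  # S17: record
                break
    return findings, bytes_read


# Constructed sample data: one library record and four memory blocks.
SIG = b"\x4d\x5a\x90\x00DEMO"                        # constructed feature code
LIBRARY = [VirusEntry("demo.loader", frozenset({"RWX"}), None, (0, 0x1000), SIG)]
BLOCKS = [
    MemoryBlock(0x10000, "RX", r"C:\example\mapped.dll", bytes(0x2000)),    # white: mapping file
    MemoryBlock(0x20000, "RW", None, bytes(0x3000)),                         # white: protection
    MemoryBlock(0x30000, "RWX", None,
                bytes(0x100) + SIG + bytes(0x2000 - 0x100 - len(SIG))),      # gray, infected
    MemoryBlock(0x40000, "RWX", None, b"\x41" * 0x800),                      # gray, clean
]

if __name__ == "__main__":
    found, read = scan_process(BLOCKS, LIBRARY)
    total = sum(b.size for b in BLOCKS)
    print(f"virus blocks: {found}; read {read} of {total} bytes")
```

Only the two gray blocks are read, and only up to the matching range, which is the scanning-time saving the text describes.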
In order to make it easier for the user to view and understand the situation of the virus memory blocks and to process them, in an implementation it is preferable that, after determining the virus memory blocks according to the comparison result, the method further includes:
recording each virus memory block.
For example, the virus memory is recorded in step S17 of Fig. 2. The way each virus memory block is recorded, the content recorded, the recording frequency and so on are not limited. The attribute features of the virus memory block may be recorded, the start address and end address of the process corresponding to the virus memory block may be recorded, or the data of the whole virus memory block may be copied. The recording frequency may be fixed or variable; each virus memory block may be recorded immediately after it is determined, or several virus memory blocks may be recorded together. By recording the virus memory blocks, viruses can be processed according to the recorded information.
In this embodiment, the virus memory blocks are recorded after they are determined, so that when the user needs to know their situation the user can check them against the records. In addition, viruses can be processed according to the recorded virus memory blocks, so that the normal operation of the system is preserved as far as possible.
In the above embodiment, memory scanning determines that a virus exists in the memory; the virus then needs to be processed so that it does not affect the system. In an implementation, performing memory handling includes:
acquiring the process and/or thread corresponding to the current virus memory block;
and suspending the process and/or thread and emptying the virus memory block.
The current way of processing a virus is to kill the corresponding process directly once the virus is found. Although this does process the virus, killing the process interferes with the user's normal work, may even require the computer to be restarted, seriously affects the user's work, and lengthens the whole process of finding and killing the virus. In the virus processing described here, the process and/or thread corresponding to the virus memory block is obtained first, then the process and/or thread is suspended, and the virus memory block is emptied. Suspending the process and/or thread temporarily disables the virus so that it does not run, which reduces the effect of the virus on the system; because the process and/or thread is only suspended, the impact on the user's work is smaller than killing it directly. It should be noted that there may be many processes in the system and many virus memory blocks in those processes, and handling many virus memory blocks of many processes at the same time increases CPU usage, so in implementation each virus memory block in each process may be handled separately.
Compared with killing the corresponding process directly after a virus is found, the method provided by this embodiment, which suspends the process and/or thread corresponding to the virus memory block and then empties the virus memory block, reduces the influence of the virus on the system and on the user's work.
In the above embodiment, the process and/or thread corresponding to the virus memory block is suspended and the virus memory is then emptied. In practice, however, a virus process may be guarded by multiple processes and/or threads: when one virus process terminates abnormally, the remaining processes may pull it up again, so that killing that process and/or thread has no effect. Therefore, when the process and/or thread corresponding to the current virus memory block is guarded by multiple processes and/or threads, in order to process the virus effectively it is preferable that memory handling includes:
acquiring all processes and/or threads corresponding to the current virus memory block;
suspending each process and/or thread and emptying the virus memory block;
and killing the processes and/or threads together.
Fig. 4 is a flowchart of memory handling according to an embodiment of the present disclosure. As shown in Fig. 4, the method includes:
S18: load the virus library;
S19: obtain the memory scanning result;
S20: judge whether handling of the virus memory blocks is finished; if so, go to step S23; if not, go to step S21;
S21: acquire all processes and/or threads corresponding to the current virus memory block;
S22: suspend each process and/or thread and clear the virus memory;
S23: kill the virus processes and/or threads together.
In Fig. 4, loading the virus library means reading the file in which the viruses are recorded, and the memory scanning result is obtained from the recorded virus memory blocks. To avoid the virus handling being invalidated when the processes and/or threads corresponding to the virus memory block are guarded by multiple processes and/or threads, all processes and/or threads corresponding to the current virus memory block are acquired first, each of them is then suspended and the virus memory is emptied, and finally the virus processes and/or threads are killed together. For example, if process A and process B guard each other, both processes are suspended first and then killed together when the virus is handled.
In this embodiment, when the processes and/or threads corresponding to the virus memory block are guarded by multiple processes and/or threads, the virus processes and/or threads are killed together, which prevents the kill operation from being invalidated.
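The mutual-guarding case of Fig. 4 (process A and process B pulling each other up), modelled as an added example that is not the patent's code: the processes are in-memory toy objects rather than OS processes, and a guard simply re-launches its dead peer whenever it gets a scheduler turn, which is enough to show why suspending every process before any kill is needed.

```python
"""Toy model of the guarded-process handling order in Fig. 4.

Added example, not code from the patent: processes are plain objects with
no OS calls; a guard re-launches its dead peer whenever it is scheduled.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Proc:
    name: str
    guards: List[str]           # peers this process re-launches if they die
    virus_memory: bytes         # the virus memory block inside the process
    alive: bool = True
    suspended: bool = False


class ToySystem:
    def __init__(self, procs: List[Proc]):
        self.procs: Dict[str, Proc] = {p.name: p for p in procs}
        self.relaunches = 0

    def tick(self) -> None:
        """One scheduler round: every running guard revives its dead peers."""
        for p in list(self.procs.values()):
            if not p.alive or p.suspended:      # suspended guards cannot act
                continue
            for peer in p.guards:
                q = self.procs[peer]
                if not q.alive:
                    # the re-launched copy carries the virus body again
                    self.procs[peer] = Proc(peer, q.guards, b"VIRUS")
                    self.relaunches += 1

    def suspend(self, name: str) -> None:
        self.procs[name].suspended = True

    def empty_memory(self, name: str) -> None:
        p = self.procs[name]
        p.virus_memory = bytes(len(p.virus_memory))   # zero the virus block

    def kill(self, name: str) -> None:
        self.procs[name].alive = False

    def survivors(self) -> List[str]:
        return sorted(n for n, p in self.procs.items() if p.alive)


def kill_one_by_one(sys_: ToySystem, names: List[str]) -> List[str]:
    """The approach the description criticises: kill each process directly."""
    for n in names:
        sys_.kill(n)
        sys_.tick()          # the other guard gets to run in between
    return sys_.survivors()


def handle_guarded(sys_: ToySystem, names: List[str]) -> List[str]:
    """Fig. 4, S21-S23: acquire all, suspend all, empty memory, kill together."""
    for n in names:          # S21/S22: suspend every guard first
        sys_.suspend(n)
    sys_.tick()              # nobody is able to re-launch a peer now
    for n in names:
        sys_.empty_memory(n)
    for n in names:          # S23: uniform kill
        sys_.kill(n)
    sys_.tick()
    return sys_.survivors()


def mutual_guard() -> ToySystem:
    """Constructed scenario: A guards B and B guards A."""
    return ToySystem([Proc("A", ["B"], b"VIRUS"), Proc("B", ["A"], b"VIRUS")])


if __name__ == "__main__":
    print("kill one by one:", kill_one_by_one(mutual_guard(), ["A", "B"]))
    print("suspend, empty, kill together:", handle_guarded(mutual_guard(), ["A", "B"]))
```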
In the foregoing embodiments a method for virus processing is described in detail; the present application also provides corresponding embodiments of an apparatus for virus processing and of an electronic device. It should be noted that the present application describes the apparatus embodiments from two perspectives, one from the perspective of the function module and the other from the perspective of the hardware.
Fig. 5 is a block diagram of a virus processing apparatus according to an embodiment of the present application. This embodiment is based on the perspective of the function module and includes:
a memory scanning module 10, configured to scan a memory to determine a situation that a virus exists in the memory;
and the memory handling module 11 is configured to, if it is determined that a virus exists in the memory, perform memory handling so as to process the virus.
Since the embodiments of the apparatus portion and the method portion correspond to each other, please refer to the description of the embodiments of the method portion for the embodiments of the apparatus portion, which is not repeated here.
In the virus processing apparatus provided by this embodiment, the memory scanning module first scans the memory to determine whether a virus exists in it, and the memory handling module then handles the virus when a virus exists in the memory. Compared with scanning and handling viruses in static files or resident items, the apparatus provided by this embodiment handles viruses in memory. First, because the process decrypts and releases the encrypted content of the static file into memory, the virus in memory is not packed, encrypted or otherwise disguised and is therefore easy to detect and handle. Second, even if the virus has no static file or its static file changes, a virus must exist in some process or thread in order to act, so handling viruses in memory can detect and handle them, which improves the ability to handle computer viruses.
Fig. 6 is a block diagram of an electronic device according to another embodiment of the present application. This embodiment is based on a hardware perspective, and as shown in fig. 6, the electronic device includes:
a memory 20 for storing a computer program;
a processor 21 for implementing the steps of the method of virus handling as mentioned in the above embodiments when executing the computer program.
The electronic device provided by the embodiment may include, but is not limited to, a smart phone, a tablet computer, a notebook computer, or a desktop computer.
The processor 21 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and the like. The Processor 21 may be implemented in hardware using at least one of a Digital Signal Processor (DSP), a Field-Programmable Gate Array (FPGA), and a Programmable Logic Array (PLA). The processor 21 may also include a main processor and a coprocessor, where the main processor is a processor, also called a CPU, for processing data in an awake state; a coprocessor is a low power processor for processing data in a standby state. In some embodiments, the processor 21 may be integrated with a Graphics Processing Unit (GPU) which is responsible for rendering and drawing the content required to be displayed on the display screen. In some embodiments, the processor 21 may further include an Artificial Intelligence (AI) processor for processing computational operations related to machine learning.
The memory 20 may include one or more computer-readable storage media, which may be non-transitory. Memory 20 may also include high speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In this embodiment, the memory 20 is at least used for storing the following computer program 201, wherein after being loaded and executed by the processor 21, the computer program can implement the relevant steps of the method for processing viruses disclosed in any one of the foregoing embodiments. In addition, the resources stored in the memory 20 may also include an operating system 202, data 203, and the like, and the storage manner may be a transient storage manner or a permanent storage manner. Operating system 202 may include, among others, Windows, Unix, Linux, and the like. Data 203 may include, but is not limited to, data related to the above-mentioned methods of virus handling, and the like.
In some embodiments, the electronic device may further include a display 22, an input/output interface 23, a communication interface 24, a power supply 25, and a communication bus 26.
Those skilled in the art will appreciate that the configuration shown in fig. 6 does not constitute a limitation of the electronic device and may include more or fewer components than those shown.
The electronic device provided by the embodiment of the application comprises a memory and a processor, and when the processor executes the program stored in the memory, the virus processing method described above can be implemented, with the same effects as that method.
Finally, the application also provides a corresponding embodiment of the computer readable storage medium. The computer-readable storage medium has stored thereon a computer program which, when being executed by a processor, carries out the steps as set forth in the above-mentioned method embodiments.
It is to be understood that if the method in the above embodiments is implemented in the form of software functional units and sold or used as a stand-alone product, it can be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium and executes all or part of the steps of the methods described in the embodiments of the present application, or all or part of the technical solutions. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program codes.
The computer-readable storage medium provided by the application comprises the above-mentioned virus processing method, and the effects are the same as above.
The methods, apparatuses, electronic devices, and media for virus processing provided by the present application are described in detail above. The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed in the embodiment corresponds to the method disclosed in the embodiment, so that the description is simple, and the relevant points can be referred to the description of the method part. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A method of virus processing, comprising:
scanning a memory so as to determine the condition that viruses exist in the memory;
performing memory handling to process the virus if it is determined that the virus is present in the memory.
2. The virus handling method of claim 1, wherein the scanning the memory comprises:
loading a virus library and acquiring the memory characteristics of each virus in the virus library;
acquiring attribute characteristics of each memory block corresponding to the current process;
comparing the relationship between the attribute characteristics of each memory block and the memory characteristics of each virus, and acquiring a comparison result;
and determining the virus memory blocks according to the comparison result, and returning to the step of acquiring the attribute characteristics of each memory block corresponding to the current process.
3. The virus processing method according to claim 2, wherein the memory chunks include white memory chunks and grey memory chunks; the method further comprises the following steps:
acquiring data used for screening the memory blocks in the virus library;
determining grey memory blocks according to the relationship between the attribute characteristics of the memory blocks and the data for screening the memory blocks;
correspondingly, the comparing the relationship between the attribute characteristics of each memory block and the memory characteristics of each virus, and obtaining the comparison result includes:
and comparing the relationship between the attribute characteristics of each grey memory block and the memory characteristics of each virus, and acquiring the comparison result.
4. The virus processing method according to claim 3, wherein the determining a gray memory chunk according to the relationship between the attribute characteristics of each memory chunk and the data for filtering the memory chunks comprises:
obtaining the protection attribute, the mapping file and the feature code of the memory block;
determining that the memory block is the grey memory block when the protection attribute of the memory block, the mapping file and the data for screening the memory block are consistent, and the feature code of the memory block and the data for screening the memory block have an intersection.
5. The virus processing method according to any one of claims 1 to 4, further comprising, after the determining the virus memory chunks according to the comparison result:
and recording each virus memory block.
6. The method of any of claims 1 to 4, wherein the performing memory handling comprises:
acquiring a process and/or a thread corresponding to the current virus memory block;
and suspending the process and/or the thread and emptying the virus memory block.
7. The virus processing method according to any one of claims 1 to 4, wherein in a case where there is multiprocess and/or multithreaded daemon for the process and/or thread corresponding to the current virus memory block, the memory handling includes:
acquiring all the processes and/or threads corresponding to the current virus memory block;
suspending each process and/or thread and emptying the virus memory block;
and uniformly killing the processes and/or the threads.
8. An apparatus for virus processing, comprising:
the memory scanning module is used for scanning the memory so as to determine the condition that the virus exists in the memory;
and the memory handling module is used for handling the memory so as to process the virus under the condition that the virus exists in the memory.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of virus processing according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, having stored thereon a computer program which, when executed by a processor, carries out the steps of virus handling according to any one of claims 1 to 7.
CN202210583213.6A 2022-05-26 2022-05-26 Virus processing method, device, electronic equipment and medium Pending CN114969737A (en)

Publications (1)

Publication Number Publication Date
CN114969737A true CN114969737A (en) 2022-08-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination