CN117742987A - Communication method, device, electronic equipment and storage medium - Google Patents

Communication method, device, electronic equipment and storage medium Download PDF

Info

Publication number
CN117742987A
CN117742987A CN202311661055.2A CN202311661055A CN117742987A CN 117742987 A CN117742987 A CN 117742987A CN 202311661055 A CN202311661055 A CN 202311661055A CN 117742987 A CN117742987 A CN 117742987A
Authority
CN
China
Prior art keywords
message
communication component
application layer
layer
kernel layer
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311661055.2A
Other languages
Chinese (zh)
Inventor
孙晓骏
覃梓兴
张苏洵
刘铠文
李宜檑
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Rongma Technology Beijing Co ltd
Original Assignee
Rongma Technology Beijing Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Rongma Technology Beijing Co ltd filed Critical Rongma Technology Beijing Co ltd
Priority to CN202311661055.2A priority Critical patent/CN117742987A/en
Publication of CN117742987A publication Critical patent/CN117742987A/en
Pending legal-status Critical Current

Links

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The embodiment of the application provides a communication method, a device, electronic equipment and a storage medium, wherein a kernel layer registers a first communication component, and an application layer registers a second communication component; the method comprises the following steps: responding to the first preset condition, a first message sending module carried in the kernel layer sends a first message to the application layer by calling an interface provided by the second communication component so that a second monitoring module of the second communication component receives the first message; the first messaging module is created based on the second communication component; responding to the second preset condition, the second message sending module carried in the application layer sends a second message to the kernel layer by calling an interface provided by the first communication component so that the first monitoring module of the first communication component receives the second message; the second messaging module is created based on the first communication component. The communication component comprises an interface which can be called by the message sending module, so that the kernel layer and the application layer can actively communicate bidirectionally.

Description

Communication method, device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a communication method, a device, an electronic apparatus, and a storage medium.
Background
As malware updates iterate, the task of security software to identify malware becomes more difficult. To ensure the safety of the use of the end user and the end system, the security software needs to acquire and analyze the activities in the system in real time, including the application program behavior of the application layer and the system call of the kernel layer. Depending on the two-way communication that can be achieved between the application layer and the kernel layer. Therefore, how to realize the bidirectional communication between the application layer and the kernel layer is a technical problem to be solved in the field.
Disclosure of Invention
An embodiment of the application aims to provide a communication method, a device, electronic equipment and a storage medium, which are used for achieving the technical effect of bidirectional communication between a kernel layer and an application layer.
The first aspect of the embodiments of the present application provides a communication method, configured to implement bidirectional communication between a kernel layer and an application layer; the kernel layer is registered with a first communication component, and the application layer is registered with a second communication component; the method comprises the following steps:
responding to the first preset condition, a first message sending module carried in the kernel layer sends a first message to the application layer by calling an interface provided by the second communication component so that a second monitoring module of the second communication component receives the first message; the first messaging module is created based on the second communication component;
Responding to the second preset condition, a second message sending module carried in the application layer sends a second message to the kernel layer by calling an interface provided by the first communication component so that a first monitoring module of the first communication component receives the second message; the second messaging module is created based on the first communication component.
In the implementation process, the communication assembly is respectively registered in the kernel layer and the application layer, and various modules required by message receiving and sending are carried, and the communication assembly comprises an interface for the message sending module to call, so that the kernel layer can actively send messages to the application layer, and the application layer can actively send messages to the kernel layer. Active bidirectional communication between the kernel layer and the application layer is realized.
Further, the first message includes a plurality of pieces; the first message sending module sends a first message to the application layer by calling an interface provided by the second communication component, and the first message sending module comprises:
dividing a plurality of the first messages into a plurality of message groups;
and the first message sending module sends the message group to the application layer by calling an interface provided by the second communication component.
In the implementation process, the plurality of first messages are divided into the plurality of message groups, and the message groups are used as units for transmission, so that the number of times of transmission from the kernel layer to the application layer is greatly reduced, the system resource consumption caused by transmission is reduced, and the system blocking is avoided.
Further, the kernel layer includes a first message queue; the dividing the plurality of the first messages into a plurality of message groups includes:
adding a plurality of the first messages to the first message queue;
and acquiring a preset number of first messages from the first message queue to be packaged into the message group until all the first messages are packaged, so as to obtain a plurality of message groups.
In the implementation process, a first message queue is maintained in a kernel layer, a first message to be sent is added into the first message queue, and then the first message is obtained and assembled into a message group batch by batch for sending. Therefore, the problem of high system resource consumption caused by sending the first message to the application layer one by one is solved, and the occurrence of system blocking is avoided.
Further, the first message sending module sends the message group to the application layer by calling an interface provided by the second communication component, including:
Under the condition that a target application program in the application layer runs, the first message sending module sends the message group to the application layer by calling an interface provided by the second communication component;
and stopping sending the message group to the application layer under the condition that the target application program exits from running.
In the implementation process, the sending of the message group is controlled according to the running condition of the target application program in the application layer, so that the blocking problem caused by the first message when the target application program exits is avoided.
Further, the first message includes an urgent type and a non-urgent type; after the second communication component receives the first message, the method further comprises:
if the first message is of an emergency type, the application layer processes the first message of the emergency type;
and if the first message is of a non-emergency type, the application layer adds the first message to a second message queue, and reads the first message from the second message queue for processing when the system resource meets the preset condition.
In the implementation process, the first message is divided into the urgent type and the non-urgent type, and is processed according to the order of the urgent type and the non-urgent type, so that the system is ensured to be smooth to operate while the safety and timely response of the system are ensured.
Further, the first communication component includes a micro filter minifilter, or a local procedure call component;
the second communication component includes the local procedure call component.
In the implementation process, an interface which can be called by an application layer is provided by registering a minifilter or a local procedure calling component in the kernel layer, so that the active sending of the information from the application layer to the kernel layer is realized. And registering a local procedure call component in the application layer to provide an interface for the kernel layer to call, so that the active message transmission from the kernel layer to the application layer is realized, and the active bidirectional communication between the kernel layer and the application layer is realized.
Further, the method is applied to security defense scenarios;
the first preset condition comprises suspicious operation in the kernel layer; the first message includes operation data of a suspicious operation;
the second preset condition comprises that the application layer requests the kernel layer to execute a defending operation; the second message includes a defensive request.
In the implementation process, a communication method is applied to a security defense scene, when suspicious operation exists in the kernel layer, the kernel layer is triggered to actively send operation data of the suspicious operation to the application layer, and when the application layer needs to request the kernel layer to execute the defense operation, the application layer is triggered to actively send a defense request to the kernel layer. Through the bidirectional communication between the kernel layer and the application layer, the effects of monitoring malicious software and defending a system can be improved, and therefore the system safety is improved.
A second aspect of the embodiments of the present application provides a communication device configured to implement bidirectional communication between a kernel layer and an application layer; the device comprises:
the first communication component is registered in the kernel layer and is used for providing an interface for the second message sending module;
the second communication component is registered in the application layer and is used for providing an interface for the first message sending module;
the first message sending module is carried on the kernel layer and is created based on the second communication component and used for sending a first message to the application layer by calling an interface provided by the second communication component in response to the first preset condition;
the second message sending module is carried on the application layer and is created based on the first communication component and used for sending a second message to the kernel layer by calling an interface provided by the first communication component in response to the second preset condition;
the first monitoring module is carried on the kernel layer and is used for receiving the second message;
and the second monitoring module is carried on the application layer and is used for receiving the first message.
A third aspect of embodiments of the present application provides an electronic device, including:
A processor;
a memory for storing processor-executable instructions;
wherein the processor, when invoking the executable instructions, performs the operations of the method of any of the first aspects.
A fourth aspect of the embodiments provides a computer readable storage medium having stored thereon computer instructions which when executed by a processor implement the steps of any of the methods of the first aspect.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 2 is a schematic flow chart of a communication method according to an embodiment of the present application;
fig. 3 is a flow chart of another communication method according to an embodiment of the present application;
fig. 4 is a flow chart of another communication method according to an embodiment of the present application;
Fig. 5 is a hardware configuration diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
The kernel layer is the core part of the operating system for managing hardware, system resources, and low-level processes. And the application layer is used for running application programs such as a browser, office software and the like. When malware attempts to perform malicious acts in a system, execution traces tend to be left in the kernel layer and the application layer. In order to fully monitor and analyze execution traces left in the kernel layer and the application layer, the security software needs to implement bidirectional communication between the kernel layer and the application layer.
For this purpose, the application provides a communication method for realizing bidirectional communication between the kernel layer and the application layer. When the safety protection function of the system is analyzed, the bidirectional communication between the application layer and the kernel layer is found to be beneficial to monitoring and analyzing the execution trace left in the kernel layer and the application layer and the execution of the defending operation by the safety software. However, the communication method provided by the application is a general method for realizing two-way communication between the kernel layer and the application layer, and is not limited to application scenes applied to system safety protection. The method provided by the application can be used in any other scene which also needs the kernel layer to realize two-way communication with the application layer to realize specific functions. The application is not limited to application scenarios herein.
Referring to fig. 1, a communication apparatus 100 for implementing a communication method is provided. As shown in fig. 1, the kernel layer is registered with a first communication component 110, and is equipped with a first message sending module 111 and a first listening module 112. The application layer is registered with the second communication component 120 and is equipped with a second message sending module 121 and a second listening module 122.
Wherein the first communication component 110 is provided with an interface, including for example but not limited to an API (Application Programming Interface ), for the second messaging module 121 to call. The second communication component 120 is provided with an interface, including for example but not limited to an API, that can be invoked by the first messaging module 111.
Further, the first messaging module 111 in the kernel layer is created based on the second communication component 120 in the application layer. Specifically, the functional modules capable of implementing message transmission in the second communication component 120 of the application layer are assembled to obtain the first message transmission module 111. The first messaging module 111 is then piggybacked in the kernel layer.
The second messaging module 121 in the application layer is created based on the first communication component 110 in the kernel layer. Specifically, the functional modules capable of implementing message transmission in the first communication component 110 of the kernel layer are assembled to obtain the second message transmission module 121. The second messaging module 121 is then installed in the application layer.
And, a first listening module 112 in the kernel layer is created based on the first communication component 110. Specifically, the functional modules in the first communication component 110 that can implement message monitoring are assembled to obtain the first monitoring module 112, and are carried in the kernel layer.
The second listening module 122 in the application layer is created based on the second communication component 120. Specifically, the functional modules in the second communication component 120 that can implement message monitoring are assembled to obtain the second monitoring module 122, and are carried in the application layer.
Based on the software architecture as shown in fig. 1, referring to fig. 2, a communication method provided in the present application includes steps 210-220.
Step 210: and responding to the first preset condition, the first message sending module carried in the kernel layer sends a first message to the application layer by calling an interface provided by the second communication component so that a second monitoring module of the second communication component receives the first message.
Wherein the first messaging module is created based on the second communication component.
Illustratively, the first preset condition refers to a trigger condition that the kernel layer actively sends a message to the application layer. When the first preset condition is met, the kernel layer is required to actively send a message to the application layer. The first preset condition may be set according to a specific application scenario or application field of the method, and the application does not limit the first preset condition herein.
As described above, since the second communication component is provided with an interface and the first message sending module is created based on the second communication component, the first message sending module may call the interface provided by the second communication component to send the first message to the application layer. And a second monitoring module is mounted in the application layer to monitor the message from the kernel layer in real time. Whereby the first message is received by the second listening module. The active sending process of the message from the kernel layer to the application layer is realized through the second communication component and the second monitoring module in the application layer and the first message sending module in the kernel layer.
Step 220. And responding to the second preset condition, the second message sending module carried in the application layer sends a second message to the kernel layer by calling an interface provided by the first communication component so that the first monitoring module of the first communication component receives the second message.
Wherein the second messaging module is created based on the first communication component.
Illustratively, the second preset condition refers to a trigger condition that the application layer actively sends a message to the kernel layer. When the second preset condition is met, the application layer is required to actively send a message to the kernel layer. The second preset condition may be set according to a specific application scenario or application field of the method, and the application of the present application does not limit the second preset condition.
As described above, since the first communication component is provided with an interface and the second message sending module is created based on the first communication component, the second message sending module may call the interface provided by the first communication component to send the second message to the kernel layer. And a first monitoring module is mounted in the kernel layer to monitor the information from the application layer in real time. Thereby, the second message is received by the first listening module. The active sending process of the information from the application layer to the kernel layer is realized through the first communication component and the first monitoring module in the kernel layer and the second information sending module in the application layer.
Therefore, in the communication method provided in this embodiment, the communication component and the application layer are respectively registered, and various modules required for receiving and sending the message are carried, where the communication component includes an interface for the message sending module to call, so that the kernel layer can actively send the message to the application layer, and the application layer can actively send the message to the kernel layer. Active bidirectional communication between the kernel layer and the application layer is realized.
It should be noted that, by active two-way communication, it is meant that both the kernel layer and the application layer can be used as the initiator of the message, and actively send the first message to the other party. In the related art, when an application layer actively transmits a message to a kernel layer, the kernel layer feeds back a response message to the application layer in response to the message. But the response message is passively sent to the application layer by the kernel layer, instead of the first message sent to the application layer by the kernel layer as described in this embodiment.
On the basis of the above embodiment, the first message actively sent by the kernel layer to the application layer may include a plurality of pieces. I.e. the kernel layer sends a plurality of first messages to the application layer at once. As such, the process of sending the first message in step 210 may include steps 211-212 as shown in fig. 3.
Step 211: dividing a plurality of the first messages into a plurality of message groups;
step 212: and the first message sending module sends the message group to the application layer by calling an interface provided by the second communication component.
Alternatively, the number of the first messages in each message group may be set to not exceed the first preset number, so that the first messages are divided into a plurality of message groups.
Alternatively, the number of message groups may be set to not exceed the second preset number, thereby dividing the first message into a plurality of message groups.
After the plurality of first messages are divided into a plurality of message groups, the message groups are used as transmission units for transmission. Thus, when the first message sending module invokes the port provided by the second communication component, a group of message groups are sent to the application layer instead of sending the first message one by one.
It will be appreciated that the application layer will consume system resources at each message interaction. When the first messages are sent one by one, each first message generates corresponding system resource consumption, so that the total consumption of the final system resource is larger. However, in this embodiment, the plurality of first messages are divided into the plurality of message groups, and the message groups are used as units for transmission, so that the number of times of transmission from the kernel layer to the application layer is greatly reduced, and then the system resource consumption caused by transmission is reduced, and the occurrence of system blocking is avoided.
Based on the above embodiment, in order to achieve the division of the plurality of first messages, the kernel layer may maintain a first message queue. As such, the dividing process of the plurality of first messages in step 211 may specifically include steps 2111 to 2112 as shown in fig. 4.
Step 2111: adding a plurality of the first messages to the first message queue;
step 2112: and acquiring a preset number of first messages from the first message queue to be packaged into the message group until all the first messages are packaged, so as to obtain a plurality of message groups.
When the kernel layer generates a plurality of first messages to be sent to the application layer, all the first messages may be first added to the first message queue. And then acquiring a preset number of first messages from the first message queue and packaging the first messages into a message group.
Alternatively, the preset number may be the first preset number described above. I.e. the number of first messages in each group of messages does not exceed said first preset number. Thus, a first preset number of first messages can be acquired from the first message queue at a time and assembled into a message group. When the residual number of the first messages in the first message queue is less than the first preset number, all the residual first messages are assembled into the last message group.
Alternatively, the preset number may be determined according to the second preset number described above. I.e. the total amount of message groups does not exceed the second preset number. In this way, the preset number may be determined according to the number of first messages and the second preset number. The first message group with the preset number can be obtained from the first message queue every time, and the message group with the preset number is obtained.
Alternatively, after all the message groups are obtained, the message groups may be sent to the application layer one by one.
Alternatively, the division and transmission of the message groups may be performed simultaneously. I.e. a set of messages is obtained and sent to the application layer.
As can be seen, in this embodiment, a first message queue is maintained at the kernel layer, and a first message to be sent is added to the first message queue, and then is acquired and assembled into a message group for sending. Therefore, the problem of high system resource consumption caused by sending the first message to the application layer one by one is solved, and the occurrence of system blocking is avoided.
On the basis of the above embodiment, the transmission procedure of the message group in step 212 includes the following two cases.
Case 1: and under the condition that a target application program in the application layer runs, the first message sending module sends the message group to the application layer by calling an interface provided by the second communication component.
The application layer has an application running therein. The first message sent by the kernel layer to the application layer is processed by a target application program running in the application layer. That is, the target application is for processing the first message. Thus, in the case of the target application running, the kernel layer may send the first message to the application layer to cause the target application to process the first message.
Case 2: and stopping sending the message group to the application layer under the condition that the target application program exits from running.
When the target application program exits, the first message sent by the kernel layer to the application layer cannot be processed, so that a large amount of first messages are accumulated and blocked in the application layer, and the system is blocked. Thus, by stopping sending the message group to the application layer when the target application exits, the blocking problem caused by the first message when the target application exits is alleviated.
Alternatively, the first message that is not sent to the application layer may be retained in the first message queue, and sent to the target application program for processing when the target application program runs next time.
Alternatively, the first message not sent to the application layer may be discarded.
It can be known that, in this embodiment, the sending of the message group is controlled by the running condition of the target application program in the application layer, so as to avoid the blocking problem caused by the first message when the target application program exits.
Furthermore, the first message may comprise different types on the basis of any of the embodiments described above. For example, the first message may be classified into an urgent type and a non-urgent type. Thus, the second monitoring module of the application layer may further determine the processing time of the first message according to the type of the first message after receiving the first message.
Specifically, if the first message is of an emergency type, the application layer processes the first message of the emergency type.
That is, if the received first message is of an urgent type, the application layer processes the first message immediately after receiving it.
And if the first message is of a non-urgent type, the application layer adds the first message to a second message queue, and reads the first message from the second message queue for processing when the system resource meets the preset condition.
That is, the application layer may maintain a second message queue. When the received first message is of a non-urgent type, the first message is not immediately processed. But rather adds the first message to the second message queue.
Such as including, but not limited to, storage resources, computing resources, and the like. The preset condition may be, for example, that the occupation of the storage resource is less than or equal to a preset occupation proportion, and/or that the occupation of the computing resource is less than or equal to a preset occupation proportion, or the like. When the system resources meet the preset conditions, the system resources are sufficient, and the idle resources can process the first non-urgent message. At this time, the first message is read from the second message queue for processing.
It can be seen that, in this embodiment, the first message is classified into an urgent type and a non-urgent type, and the first message is processed according to the order of the urgent type and the heavy type, so that the system security and timely response are ensured, and the smooth operation of the system is ensured.
Based on any of the above embodiments, as an example, the first communication component registered by the kernel layer may be a micro filter minifilter; the second communication component of the application layer registration may be a local procedure call component.
In Windows operating system management, minifilter is a new type of file system Filter based on the Filter Manager framework. The minifilter provides a more compact and standardized way to develop and manage file system filter operations than traditional file system filter drivers (legacy file system filter drivers). A developer may use a minifilter to intercept, monitor, or modify file and volume read-write (I/O) operations in an operating system. By registering the minifilter as the first communication component in the kernel layer, an interface which can be called by the application layer is provided, so that the active sending of the information from the application layer to the kernel layer can be realized.
The local procedure call component may include an LPC (Local Procedure Call ), or ALPC (Advanced Local Procedure Call, advanced local procedure call).
Wherein, the LPC is the communication mode between internal processes in Windows system. Lightweight communication is possible by the LPC, by processes on the same computer. ALPC provides a high-speed, scalable communication mechanism, which is an inter-process communication tool for high-speed messaging. Because the LPC and the ALPC can realize inter-process communication, the LPC or the ALPC is registered in the application layer as a second communication component, an interface which can be called by the kernel layer is provided, and the active sending of the message from the kernel layer to the application layer can be realized.
As another example, the first communication component of the kernel layer registration and the second communication component of the application layer registration may both be local procedure call components, i.e., the first communication component may be an LPC or ALPC; the second communication component may be an LPC or ALPC.
It can be known that, in this embodiment, by registering a minifilter or a local procedure call component in the kernel layer, an interface that can be called by the application layer is provided, so that active sending of a message from the application layer to the kernel layer is realized. And registering a local procedure call component in the application layer to provide an interface for the kernel layer to call, so that the active message transmission from the kernel layer to the application layer is realized, and the active bidirectional communication between the kernel layer and the application layer is realized.
Based on any of the above embodiments, the communication method provided by the present application may be applied to a security defense scenario. The security defense scenario is to monitor and analyze execution traces left by the malware in the system to discover and block the operation of the malware.
In the security defense scenario, the first preset condition, that is, the triggering condition that the kernel layer actively sends the message to the application layer, may include: there are suspicious operations in the kernel layer. As such, the first message actively sent by the kernel layer to the application layer may include: operational data of the suspicious operation.
In the security defense scenario, the second preset condition, that is, the triggering condition that the application layer actively sends the message to the kernel layer, may include: the application layer requests the kernel layer to perform a defensive operation. As such, the second message actively sent by the application layer to the kernel layer may include: defending against requests.
It can be understood that in the security defense scenario, security protection software is run in the application layer, and the security protection software monitors and analyzes suspicious data, and finally makes security defense decisions. Therefore, when the kernel layer discovers the suspicious operation, the kernel layer is required to actively send the operation data of the suspicious operation to the application layer, and the application layer analyzes the suspicious operation according to the operation data. That is, the kernel layer has suspicious operation, and as a trigger condition, the kernel layer is triggered to actively send operation data of the suspicious operation to the application layer. Illustratively, the suspicious operations may include, but are not limited to, suspicious file operations.
When the application layer makes a defensive decision, some instructions in the defensive decision need to be executed at the kernel layer. For example, instructions such as process blocking, network connection disconnection, etc. need to be performed in the kernel layer. At this time, the application layer needs to request the kernel layer to execute the defending operation, and sends a defending request to the kernel layer. That is, when the application layer needs the kernel layer to perform the defending operation, it acts as a trigger condition to trigger the application layer to actively send a defending request to the kernel layer. Illustratively, the defense request is for requesting the kernel layer to perform a target defense operation to implement a security defense. The target defense operation may include, but is not limited to, deleting occupied files, deleting protected processes, disconnecting networks, and the like.
It can be seen that, in this embodiment, a communication method is applied to a security defense scenario, where when a suspicious operation exists in a kernel layer, the kernel layer is triggered to actively send operation data of the suspicious operation to an application layer, and when the application layer needs to request the kernel layer to perform a defense operation, the application layer is triggered to actively send a defense request to the kernel layer. Through the bidirectional communication between the kernel layer and the application layer, the effects of monitoring malicious software and defending a system can be improved, and therefore the system safety is improved.
In order to better understand a communication method provided in the present application, the following examples will be described.
In order to achieve bi-directional communication between the application layer and the kernel layer, a minifilter is registered in the kernel layer as a first communication component and an ALPC is registered in the application layer as a second communication component.
Then, necessary communication modules are built in the kernel layer and the application layer to realize bidirectional communication. Specifically, functional modules capable of realizing message transmission in the ALPC are assembled to obtain a first message transmission module, and the first message transmission module is mounted in a kernel layer. And assembling the functional modules capable of realizing message monitoring in the minifilter to obtain a first monitoring module and carrying the first monitoring module in a kernel layer.
And assembling functional modules capable of realizing message transmission in the minifilter to obtain a second message transmission module, and carrying the second message transmission module in an application layer. And assembling the functional modules capable of realizing message monitoring in the ALPC to obtain a second monitoring module and carrying the second monitoring module in an application layer.
After the preparation work is completed, the bidirectional communication between the application layer and the kernel layer can be realized.
Specifically, in response to a first preset condition being met, for example, when the kernel layer detects a suspicious operation, the first message sending module invokes an interface provided by the ALPC, and sends a first message (i.e., an ALPC message) to the second listening module. While the kernel layer may maintain a first message queue in order to ensure fluency in message delivery. At the time of message transmission, all the first messages to be transmitted may be added to the first message queue. And then acquiring a plurality of first messages from the first message queue according to a preset grouping rule to be packaged into a message group until all the first messages are packaged, so as to obtain a plurality of message groups.
When the target application program in the application layer runs, the first message sending sends each message group one by one to the second monitoring module by calling an interface provided by the ALPC. When the target application exits the run, the transmission of the message group is stopped. Thus, by maintaining the first message queue and packet transmission for the first message, the blocking problem caused by a large number of ALPC messages when the target application exits is alleviated.
When the application layer receives the first message from the kernel layer, the application layer is responsible for responding to and processing the first message and checking the reliability of the first message. Further, the application layer may determine a processing occasion for the first message according to the type of the first message. For first messages of a non-urgent type, the application layer may employ an asynchronous processing policy, i.e. adding the first message to a second message queue maintained by the application layer. And waiting for the system resources to meet the preset conditions, and processing the system when the system is idle so as to ensure the smooth operation of the system. For the first message of the emergency type, the application layer can adopt a synchronous processing strategy, namely the application layer processes the first message of the emergency type immediately after receiving the first message of the emergency type, so as to ensure the security and timely response of the computer.
The first message of the emergency type may be, for example, a message related to a security threat, such as a hash value of a dangerous file, a message of process dump (a process of managing credentials by a system), a file message of modifying a planning task, a message of modifying a login-related registry, and the like.
The first message of the non-urgent type may be, for example, a message unrelated to security threat, such as a time when security software records statistics are required, including file moving message, process open message, non-important registry open message, etc.
And responding to a second preset condition, such as that the application layer requests the kernel layer to execute a defending operation, and the second message sending module calls an interface provided by the minifilter to send a second message to the first monitoring module.
When the kernel layer receives the second message from the application layer, the kernel layer responds to and processes the second message and performs detailed data source verification on the second message to ensure the credibility of the second message. Including checking the integrity of the data and application token. After the processing of the second message is completed, for example, the operation indicated by the defensive request in the second message is performed, the kernel layer feeds back the result to the application layer.
It can be seen that, in the communication method provided in this embodiment, by registering a communication component in a kernel layer and an application layer respectively, and carrying various modules required for receiving and sending messages, the communication component includes a call for the message sending module to call, so that the kernel layer can actively send a message to the application layer, and the application layer can actively send a message to the kernel layer. Active bidirectional communication between the kernel layer and the application layer is realized.
Meanwhile, the communication method is applied to a security defense scene, when suspicious operation exists in the kernel layer, the kernel layer is triggered to actively send operation data of the suspicious operation to the application layer, and when the application layer needs to request the kernel layer to execute the defense operation, the application layer is triggered to actively send a defense request to the kernel layer. Through the bidirectional communication between the kernel layer and the application layer, the effects of monitoring malicious software and defending a system can be improved, and therefore the system safety is improved.
Based on any embodiment, the application further provides a communication device, which is used for realizing bidirectional communication between the kernel layer and the application layer. As shown in fig. 1, the communication apparatus 100 includes:
a first communication component 110, registered with the kernel layer, for providing an interface to a second messaging module;
A second communication component 120, registered with the application layer, for providing an interface to the first messaging module;
the first message sending module 111 is configured to be carried on the kernel layer and created based on the second communication component, and is configured to send a first message to the application layer by calling an interface provided by the second communication component in response to a first preset condition being met;
a second message sending module 121, configured to be installed in the application layer and created based on the first communication component, and configured to send a second message to the kernel layer by calling an interface provided by the first communication component in response to a second preset condition being satisfied;
the first monitoring module 112 is carried on the kernel layer and is configured to receive the second message;
the second monitoring module 122 is configured to be carried on the application layer and configured to receive the first message.
In some embodiments, the first message comprises a plurality of pieces; the first message sending module 111 is specifically configured to:
dividing a plurality of the first messages into a plurality of message groups;
and the first message sending module sends the message group to the application layer by calling an interface provided by the second communication component.
In some embodiments, the kernel layer includes a first message queue; the first message sending module 111 is specifically configured to:
adding a plurality of the first messages to the first message queue;
and acquiring a preset number of first messages from the first message queue to be packaged into the message group until all the first messages are packaged, so as to obtain a plurality of message groups.
In some embodiments, the first message sending module 111 is specifically configured to:
under the condition that a target application program in the application layer runs, the first message sending module sends the message group to the application layer by calling an interface provided by the second communication component;
and stopping sending the message group to the application layer under the condition that the target application program exits from running.
In some embodiments, the first message includes an emergency type and a non-emergency type; the communication device 100 further includes:
a first processing module for processing the first message of the emergency type;
and the second processing module is used for adding the first message of the non-emergency type to a second message queue, and reading the first message from the second message queue for processing when the system resource meets the preset condition.
In some embodiments, the first communication component comprises a microfilter minifilter, or a native procedure call component;
the second communication component includes the local procedure call component.
In some embodiments, the communication device 100 is applied to a security defense scenario; the first preset condition comprises suspicious operation in the kernel layer; the first message includes operation data of a suspicious operation;
the second preset condition comprises that the application layer requests the kernel layer to execute a defending operation; the second message includes a defensive request.
The implementation process of the functions and roles of each module in the above device is specifically shown in the implementation process of the corresponding steps in the above method, and will not be described herein again.
Based on the communication method according to any of the above embodiments, the present application further provides a schematic structural diagram of an electronic device as shown in fig. 5. At the hardware level, as in fig. 5, the electronic device includes a processor, an internal bus, a network interface, a memory, and a non-volatile storage, although it may include hardware required for other services. The processor reads the corresponding computer program from the nonvolatile memory into the memory and then runs to implement a communication method as described in any of the above embodiments.
The present application also provides a computer storage medium storing a computer program which, when executed by a processor, is operable to perform a communication method as described in any of the above embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other manners as well. The apparatus embodiments described above are merely illustrative, for example, flow diagrams and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely exemplary embodiments of the present application and is not intended to limit the scope of the present application, and various modifications and variations may be suggested to one skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. The communication method is characterized by being used for realizing bidirectional communication between a kernel layer and an application layer; the kernel layer is registered with a first communication component, and the application layer is registered with a second communication component; the method comprises the following steps:
responding to the first preset condition, a first message sending module carried in the kernel layer sends a first message to the application layer by calling an interface provided by the second communication component so that a second monitoring module of the second communication component receives the first message; the first messaging module is created based on the second communication component;
responding to the second preset condition, a second message sending module carried in the application layer sends a second message to the kernel layer by calling an interface provided by the first communication component so that a first monitoring module of the first communication component receives the second message; the second messaging module is created based on the first communication component.
2. The method of claim 1, wherein the first message comprises a plurality of pieces; the first message sending module sends a first message to the application layer by calling an interface provided by the second communication component, and the first message sending module comprises:
Dividing a plurality of the first messages into a plurality of message groups;
and the first message sending module sends the message group to the application layer by calling an interface provided by the second communication component.
3. The method of claim 2, wherein the kernel layer comprises a first message queue; the dividing the plurality of the first messages into a plurality of message groups includes:
adding a plurality of the first messages to the first message queue;
and acquiring a preset number of first messages from the first message queue to be packaged into the message group until all the first messages are packaged, so as to obtain a plurality of message groups.
4. A method according to claim 3, wherein the first messaging module sends the set of messages to the application layer by invoking an interface provided by the second communication component, comprising:
under the condition that a target application program in the application layer runs, the first message sending module sends the message group to the application layer by calling an interface provided by the second communication component;
and stopping sending the message group to the application layer under the condition that the target application program exits from running.
5. The method of claim 1, wherein the first message comprises an emergency type and a non-emergency type; after the second communication component receives the first message, the method further comprises:
if the first message is of an emergency type, the application layer processes the first message of the emergency type;
and if the first message is of a non-emergency type, the application layer adds the first message to a second message queue, and reads the first message from the second message queue for processing when the system resource meets the preset condition.
6. The method of claim 1, wherein the step of determining the position of the substrate comprises,
the first communication component comprises a micro filter minifilter or a local procedure call component;
the second communication component includes the local procedure call component.
7. The method according to any of claims 1-6, wherein the method is applied to a security defense scenario;
the first preset condition comprises suspicious operation in the kernel layer; the first message includes operation data of a suspicious operation;
the second preset condition comprises that the application layer requests the kernel layer to execute a defending operation; the second message includes a defensive request.
8. A communication device, characterized by being configured to implement bidirectional communication between a kernel layer and an application layer; the device comprises:
the first communication component is registered in the kernel layer and is used for providing an interface for the second message sending module;
the second communication component is registered in the application layer and is used for providing an interface for the first message sending module;
the first message sending module is carried on the kernel layer and is created based on the second communication component and used for sending a first message to the application layer by calling an interface provided by the second communication component in response to the first preset condition;
the second message sending module is carried on the application layer and is created based on the first communication component and used for sending a second message to the kernel layer by calling an interface provided by the first communication component in response to the second preset condition;
the first monitoring module is carried on the kernel layer and is used for receiving the second message;
and the second monitoring module is carried on the application layer and is used for receiving the first message.
9. An electronic device, the electronic device comprising:
a processor;
a memory for storing processor-executable instructions;
Wherein the processor, when invoking the executable instructions, performs the operations of the method of any of claims 1-7.
10. A computer readable storage medium having stored thereon computer instructions which when executed by a processor implement the steps of the method of any of claims 1-7.
CN202311661055.2A 2023-12-05 2023-12-05 Communication method, device, electronic equipment and storage medium Pending CN117742987A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311661055.2A CN117742987A (en) 2023-12-05 2023-12-05 Communication method, device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311661055.2A CN117742987A (en) 2023-12-05 2023-12-05 Communication method, device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117742987A true CN117742987A (en) 2024-03-22

Family

ID=90258436

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311661055.2A Pending CN117742987A (en) 2023-12-05 2023-12-05 Communication method, device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN117742987A (en)

Similar Documents

Publication Publication Date Title
US10885182B1 (en) System and method for secure, policy-based access control for mobile computing devices
US20200120120A1 (en) Techniques for network inspection for serverless functions
US10810164B2 (en) Securing access to functionality of a file-based write filter
US10057285B2 (en) System and method for auditing governance, risk, and compliance using a pluggable correlation architecture
US8819767B2 (en) Method for securing data and/or applications in a cloud computing architecture
US11188667B2 (en) Monitoring and preventing unauthorized data access
CN111049695A (en) Cloud gateway configuration method and system
CN113726683B (en) Access restriction method, device, apparatus, storage medium and computer program product
CA2485062A1 (en) Security-related programming interface
KR20140072164A (en) Privacy management for subscriber data
US10223536B2 (en) Device monitoring policy
US20200267155A1 (en) System and method for securing application behavior in serverless computing
US20210026969A1 (en) Detection and prevention of malicious script attacks using behavioral analysis of run-time script execution events
US8756701B2 (en) Data security in a multi-nodal environment
US20190266067A1 (en) Application monitoring using workload metadata
CN114189383A (en) Blocking method, device, electronic equipment, medium and computer program product
CN115510427B (en) Cross-platform process running credible monitoring method and system
CN117742987A (en) Communication method, device, electronic equipment and storage medium
CN116431344A (en) Configuration method and device of financial service resource degradation strategy and electronic equipment
CN106657054B (en) A kind of network security defence method based on virtual machine service jump
CN114039893A (en) API gateway speed limiting method and device
CN113673844A (en) Information feedback method, device and equipment
US20230334478A1 (en) Detecting anomalous transactions within an application by privileged user accounts
CN115277046B (en) 5G capability open security control method, device, equipment and storage medium
CN115589577B (en) Communication service access management method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination