CN1282083C - Computer memory virus monitoring method and method for operation with virus - Google Patents

Publication number: CN1282083C
Authority: CN (China)
Prior art keywords: virus, function, call, calculator memory, viruses
Legal status: Expired - Lifetime
Application number: CN 01142156
Other languages: Chinese (zh)
Other versions: CN1409222A (en)
Inventor: 王耀华
Current assignee: Beijing net an Technology Limited by Share Ltd
Original assignee: RUIXING SCIENCE AND TECHNOLOGY Co Ltd BEIJING
Priority date: 2001-09-14
Filing date: 2001-09-14
Publication date: 2006-10-25 (grant, CN1282083C); application CN1409222A published 2003-04-09

Abstract

The present invention relates to a method for detecting and removing viruses in computer memory, comprising the following steps. Virus analysis: the key operating system functions that a virus calls are identified. Interception: calls to those operating system functions are intercepted. Virus detection: when an intercepted operating system function is called, the code that issued the call is analysed and the virus is identified. Virus removal: if a virus is confirmed, it is either killed or made to fail, according to the type of virus and the user's choice, so that a file carrying the virus can continue to run. Restoration: where required, the original calling environment is restored and the original system function is called.

Description

Computer memory virus monitoring and method for operation with virus
Technical field
The present invention relates to the technology of running a computer system while a virus is present. More particularly, it relates to a method for monitoring viruses (including worms, trojans and other malicious programs) that are running on a computer platform, that is, loaded in memory, and for allowing a file that carries a virus to run without activating the virus. The method can stop the virus part of an application that carries malicious code from running, without affecting the function of the host application.
Background technology
With the widespread use of computers, the number and variety of computer viruses keep growing. A virus can delete a user's important data and even damage computer hardware, causing great harm to computer users.
At present there are two main methods for removing and preventing viruses. The first is static scanning: the user starts the antivirus software, which then scans and cleans the local computer or the whole network. The second is real-time monitoring, whose basic principle is that when the user is about to operate on a file, the operation is caught by the antivirus software, which scans and cleans that file. Both methods, however, are based on scanning files, and file scanning has become increasingly unable to meet the needs of virus removal, for two main reasons. First, there are now many compression tools and file-bundling tools; these tools change the expected structure of a file and at the same time hide the virus inside it, so removal based on the file is no longer possible. Second, if the virus is already running before the antivirus software starts, existing antivirus software cannot find the source of the virus and cannot stop it from running.
In addition, there is currently a method for scanning memory for viruses, but it also belongs to static scanning: it scans and cleans memory only when the user starts the antivirus software and requests a memory scan. It has two problems. First, the scan takes a long time; by the time one virus has been killed, another may already be running again. Second, it may be unable to kill the virus at all, because the system, for security reasons, does not allow certain operations on some processes.
However, regardless of where or in what form a virus exists in a file, in order to run it must be loaded into the computer's memory, and in order to infect or destroy it must always call certain operating system functions. If we can intercept these function calls, then searching for the virus at the moment it calls these functions is both very accurate and very fast. At that moment we have two choices: stop the virus, or make the virus fail and thereby let the host program continue to run, that is, let the program run with the virus present.
Summary of the invention
In view of the problems of current antivirus software described above, the object of the present invention is to provide a method for detecting and removing viruses in computer memory which can find and kill a virus that is already running but has not yet carried out its next infection or destruction, and which allows an infected file to run with the virus present without activating the virus.
The method for detecting and removing viruses in computer memory according to the present invention comprises the following steps: virus analysis, in which the operating system functions that a virus calls in connection with infection or destruction are identified and a virus database is built; interception of calls to those operating system functions; saving the current calling environment; saving the function identifier and the caller code of the called function; virus checking, in which, when an intercepted operating system function is called, the caller code is compared with the virus database to identify the virus; judging whether the virus is running for the first time or is already running; virus removal, in which, if a virus is found and it is running for the first time, a decision is made, according to the type of virus and the user's choice, either to kill the virus or to let the virus fail so that the infected file continues to run, and, if the virus is already running, a termination operation is carried out; and restoration, in which, if no virus is found, the original calling environment is restored and the original system function is called.
With the memory virus detection and removal method of the present invention, regardless of where or in what form a virus exists in a file, when it is loaded into the computer's memory to run and calls operating system functions to infect or destroy, those function calls are intercepted, the virus is detected and removed very accurately and very quickly, and the virus is either stopped or made to fail, so that the host program continues to run, that is, the program runs with the virus present.
Description of drawings
The present invention will be more easily understood from the following detailed description with reference to the accompanying drawings, in which:
Fig. 1 is a flow chart of setting up the monitoring procedure of the memory virus detection and removal method according to the preferred embodiment of the invention; and
Fig. 2 is a flow chart of the virus monitoring process according to the preferred embodiment of the invention.
Embodiment
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings.
It should be noted here that the memory virus detection and removal method according to the present invention is applicable not only to the WINDOWS 9X operating systems (including WINDOWS95, WINDOWS98 and WINDOWS ME) but also to other operating systems such as WINDOWS NT (including WINDOWS NT and WINDOWS2000). The method can detect and remove memory viruses in real time on the various platforms, and can allow an infected file to run with the virus present without activating the virus.
The steps of the memory virus detection and removal method of the present invention are described below in detail, taking the WINDOWS 9X platform as an example. In the WINDOWS system, system function calls are implemented by API functions, so in the following description "API function" is used in place of "system function call".
Fig. 1 is the process flow diagram that the monitor procedure of calculator memory killing poison method is according to the preferred embodiment of the invention set up.
First, at step S11, viruses are analysed. In this step the various viruses that can run on the WINDOWS platform are analysed to find the two classes of functions they call. The first class consists of functions that a virus calls when it runs for the first time to judge whether it can initialize; if such a function is made to return a result the virus does not expect, the virus will not continue running but will run the host instead, thereby achieving running with the virus present. The second class consists of functions that a virus must call during its normal operation; by intercepting such a function, the virus can be found and killed before it carries out its next infection or destruction. For a given virus, each class may need one function or several. This information is combined into a database called the virus database, which includes the names of the functions called, a feature description of the virus, the handling method for the virus, and so on.
For example, in order to start, the CODERED virus must call the API function GetProcAddressA. If this call fails, that is, if the function returns null, the virus abandons running and therefore cannot infect other computer systems or damage this one. In addition, during its normal operation it infects other computer systems and files, and to do so it must call the socket function.
Then, at step S12, the virus monitoring program is run, which prepares all the API functions to be intercepted. These are the system functions, obtained by the analysis in step S11, that viruses need to call when starting and during normal operation.
Then, at step S13, the functions obtained by the above analysis are intercepted, so that a call to such a system function is redirected to the real-time virus monitoring process.
In WINDOWS, each process has its own independent address space. To detect and remove viruses in all processes, the function calls of all processes must be intercepted. For this purpose a specially written device driver is started, whose role is to make the API interception take effect for all processes, both those that exist now and those created in the future. By calling this device driver, all the functions obtained in the above analysis are intercepted, a unified handler is provided for calls to these functions, and the function identifier and the caller code are passed to the handler for use in detection and removal. After all interception operations are complete, the device driver plays no further role.
Specifically, the handler for the API functions to be intercepted is first initialized so that it is ready to receive API calls. Then the entry code of each API function to be intercepted is modified, one by one, so that it points to predetermined code. The effect of this code is to push the API identifier and the caller's code address onto the stack and then call the API handler; after the API handler returns, the original replaced instructions are executed again, and execution then jumps to the subsequent instructions of the API function. For example:
The entry code of a certain API is:
    PUSH EBP
    MOV EBP,ESP
    ADD ESP,200
    <subsequent instructions>
These are the API entry instructions normally seen. We save this section of instructions elsewhere and then modify it to:
    JMP XXXX
where XXXX is a section of handler code, as follows:
    PUSH <API identifier>
    CALL <API handler>
    ADD ESP,4
    PUSH EBP
    MOV EBP,ESP
    ADD ESP,200
    JMP <subsequent instructions>
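The entry patch and the handler stub just shown, as an added example in C that is not part of the patent: it simulates the two steps on byte buffers rather than patching a live process, so it runs anywhere. The x86 encodings are the standard 32-bit ones; the entry address, stub address, handler address and API identifier are constructed values. The caller's return address is left on the stack beneath the pushed identifier, which is how the handler locates the caller code, as the patent describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Original entry bytes of the API in the patent's example (32-bit x86):
 *   55                  PUSH EBP
 *   8B EC               MOV EBP,ESP
 *   81 C4 00 02 00 00   ADD ESP,200h
 * Nine bytes of whole instructions: enough room for a five-byte JMP rel32. */
static const uint8_t API_ENTRY_CODE[] = {0x55, 0x8B, 0xEC, 0x81, 0xC4, 0x00, 0x02, 0x00, 0x00};
#define API_ENTRY_LEN 9
#define JMP_LEN 5

/* JMP (E9) and CALL (E8) rel32: the displacement is relative to the end of the instruction. */
static void encode_rel32(uint8_t opcode, uint32_t from, uint32_t to, uint8_t out[5]) {
    uint32_t disp = to - (from + JMP_LEN);
    out[0] = opcode;
    out[1] = (uint8_t)disp;         out[2] = (uint8_t)(disp >> 8);
    out[3] = (uint8_t)(disp >> 16); out[4] = (uint8_t)(disp >> 24);
}

/* Target of a JMP/CALL rel32 whose first byte sits at address `at`. */
uint32_t decode_rel32_target(const uint8_t *ins, uint32_t at) {
    uint32_t disp = (uint32_t)ins[1] | ((uint32_t)ins[2] << 8) |
                    ((uint32_t)ins[3] << 16) | ((uint32_t)ins[4] << 24);
    return at + JMP_LEN + disp;
}

/* "Save this section of instructions elsewhere, then modify it to JMP XXXX":
 * copies the displaced bytes to `saved`, writes the JMP and pads the rest with
 * INT3 so nothing half-decodes there. Returns bytes overwritten by the JMP, 0 on error. */
size_t patch_api_entry(uint8_t *entry, uint32_t entry_addr, uint32_t stub_addr,
                       uint8_t *saved, size_t saved_len) {
    if (saved_len < API_ENTRY_LEN) return 0;
    memcpy(saved, entry, API_ENTRY_LEN);
    encode_rel32(0xE9, entry_addr, stub_addr, entry);
    memset(entry + JMP_LEN, 0xCC, API_ENTRY_LEN - JMP_LEN);
    return JMP_LEN;
}

/* The handler stub at XXXX:
 *   PUSH api_id ; CALL handler ; ADD ESP,4 ; <saved entry bytes> ; JMP entry+9
 * Returns the stub length in bytes. */
size_t build_stub(uint8_t *stub, uint32_t stub_addr, uint32_t api_id,
                  uint32_t handler_addr, const uint8_t *saved, uint32_t entry_addr) {
    size_t n = 0;
    stub[n++] = 0x68;                                    /* PUSH imm32: the API identifier */
    stub[n++] = (uint8_t)api_id;         stub[n++] = (uint8_t)(api_id >> 8);
    stub[n++] = (uint8_t)(api_id >> 16); stub[n++] = (uint8_t)(api_id >> 24);
    encode_rel32(0xE8, stub_addr + (uint32_t)n, handler_addr, stub + n); n += 5;  /* CALL handler */
    stub[n++] = 0x83; stub[n++] = 0xC4; stub[n++] = 0x04;     /* ADD ESP,4: drop api_id */
    memcpy(stub + n, saved, API_ENTRY_LEN); n += API_ENTRY_LEN; /* rerun the displaced code */
    encode_rel32(0xE9, stub_addr + (uint32_t)n, entry_addr + API_ENTRY_LEN, stub + n);
    n += 5;                                               /* JMP to the subsequent instructions */
    return n;
}

int main(void) {
    /* Constructed addresses; a real installer would use the live API address. */
    uint32_t entry_addr = 0xBFF70000u, stub_addr = 0x00401000u, handler_addr = 0x00402000u;
    uint8_t entry[API_ENTRY_LEN], saved[API_ENTRY_LEN], stub[32];
    memcpy(entry, API_ENTRY_CODE, API_ENTRY_LEN);
    patch_api_entry(entry, entry_addr, stub_addr, saved, sizeof saved);
    size_t n = build_stub(stub, stub_addr, 7, handler_addr, saved, entry_addr);
    printf("patched entry:");
    for (size_t i = 0; i < API_ENTRY_LEN; i++) printf(" %02X", entry[i]);
    printf("\nstub (%zu bytes):", n);
    for (size_t i = 0; i < n; i++) printf(" %02X", stub[i]);
    printf("\nstub returns to 0x%08X\n",
           decode_rel32_target(stub + n - 5, stub_addr + (uint32_t)(n - 5)));
    return 0;
}
```

The check a practitioner would add before applying this to any other entry point is that the displaced bytes are a whole number of instructions with no position-relative operands; the patent's example satisfies both, which is why the saved bytes can simply be rerun inside the stub.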
At this point the environment for real-time virus monitoring has been set up. That is, when an infected file runs, it will call one of the functions intercepted above, and at that moment, through the processing of step S13, it enters the predetermined handler, that is, the virus monitoring process.
The processing of a system function call by the virus monitoring process, that is, the processing of a function called by a program carrying a virus, is now described in detail with reference to Fig. 2.
First, when a section of code calls an intercepted system function at step S21, the current calling environment is saved at step S22.
Then, at step S23, the caller of the function is compared with the virus database. This reveals which virus is running and identifies that this is the virus's first run, that is, the host has not yet run.
The other situation is that a virus was already running before the predetermined handler according to the present invention was started; that is, the host has already run and the virus resides in the system. In that case, when the virus is about to infect another file or cause damage, it must again call a certain function, and that function also belongs to the set intercepted in the previous step. The predetermined handler is therefore entered in the same way, the caller of the function is compared with the virus database, the running virus is identified, and the call is recognised as one made during the virus's operation.
For example, a certain virus executes the following code when it starts:
    Request 12K of memory from the system
    If the request succeeded, go to M
    C:
        Take a number A
        Negate A, giving B
        Jump to the address B
    M:
        Copy itself into the requested memory
        Create a thread that runs the copy of itself
        Go to C
The code above basically constitutes a feature of this virus; for safety, more than one feature is usually taken.
For its infection or destruction process, the virus must execute the following code:
    Save the file attributes to F
    Change the file attributes to read-write
    Open the file
    Read 40 bytes of the file to G
    Seek to the offset indicated at 3C and read 200 bytes
    Fetch the program entry B, negate it and save it to A
The code above also basically constitutes a feature of this virus; for safety, more features can be taken.
If these features are found in the caller code, a virus is considered to have been found.
Then, in step S24, it is judged, from the comparison result of step S23, whether a virus has been found. If no virus is found, steps S28 and S29 are executed: the original calling environment is restored and the original system function is called; the process then advances to step S30, and the function call returns. Otherwise, if a virus has been found, the process advances to step S25.
In step S25, according to the virus database data and the identifier obtained in step S23, if the virus is running for the first time, step S26 is executed; if the virus is already running, step S27 is executed.
At step S26, the current system function is made to return a given result that causes the virus to fail. If the function's result is not enough to make the virus fail, the code the virus will execute next can be modified at this point so that it fails.
For the example above, this means making the memory allocation function return 0. The virus then cannot execute, because B is the entry of the host program; that is, the virus's infection or destruction code never gets a chance to run. The system can therefore run with the virus present without affecting the normal execution of the host, and the virus is never activated.
If it is judged in step S25 that the virus is already running, step S27 is executed. In step S27, according to the data in the virus database, it is decided whether to terminate the current thread or the whole current process. For the example above, the current thread can be terminated.
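The monitoring process of steps S21 to S30, as an added example in C that is not the patent's code: a small virus database of constructed records is searched for the pushed API identifier, the caller code window is compared with the record's feature bytes, and the record's phase decides between making the call fail (first run, S26) and terminating (already running, S27). The API identifiers, feature byte patterns and sample caller code are constructed for this example and are not real signatures; the user's choice mentioned in claim 1 is folded into each record's handling method.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed API identifiers: the value the stub pushes before CALL handler. */
enum api_id { API_ALLOC_MEM = 1, API_OPEN_FILE = 2 };
/* Which of the two function classes of step S11 a record belongs to. */
enum phase { PHASE_FIRST_RUN, PHASE_RUNNING };
enum action { ACT_CALL_ORIGINAL, ACT_RETURN_FAIL, ACT_KILL_THREAD, ACT_KILL_PROCESS };

/* One virus-database record: intercepted function, feature bytes expected in
 * the caller code, the phase that call belongs to, and the handling method. */
struct vdb_entry {
    const char *name;
    enum api_id api;
    const uint8_t *feature;
    size_t feature_len;
    enum phase phase;
    enum action action;    /* ACT_KILL_THREAD or ACT_KILL_PROCESS for already-running records */
    uint32_t fail_value;   /* value the hooked function returns to make a first-run virus fail */
};

struct decision {
    enum action action;
    uint32_t ret_value;    /* only meaningful for ACT_RETURN_FAIL */
    const char *virus;     /* NULL when no record matched */
};

/* Constructed feature bytes for this example, not real malware signatures. */
static const uint8_t FEAT_START[]  = {0x68, 0x00, 0x30, 0x00, 0x00, 0xE8}; /* push 3000h; call */
static const uint8_t FEAT_INFECT[] = {0x6A, 0x28, 0x8B, 0x40, 0x3C};       /* push 40; mov eax,[eax+3Ch] */

static const struct vdb_entry VDB[] = {
    {"SampleVirus", API_ALLOC_MEM, FEAT_START,  sizeof FEAT_START,  PHASE_FIRST_RUN, ACT_RETURN_FAIL, 0},
    {"SampleVirus", API_OPEN_FILE, FEAT_INFECT, sizeof FEAT_INFECT, PHASE_RUNNING,   ACT_KILL_THREAD, 0},
};

/* Step S23: does the caller code window contain the feature bytes anywhere? */
static int contains(const uint8_t *hay, size_t n, const uint8_t *needle, size_t m) {
    if (m == 0 || n < m) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Steps S23 to S27 of Fig. 2. `caller_code` is the window of code around the
 * call site, located via the return address the stub left on the stack. */
struct decision handle_api_call(enum api_id api, const uint8_t *caller_code, size_t len) {
    struct decision d = {ACT_CALL_ORIGINAL, 0, NULL};
    for (size_t i = 0; i < sizeof VDB / sizeof VDB[0]; i++) {
        const struct vdb_entry *e = &VDB[i];
        if (e->api != api) continue;                                   /* record is for another function */
        if (!contains(caller_code, len, e->feature, e->feature_len)) continue;
        d.virus = e->name;                                             /* S24: virus found */
        if (e->phase == PHASE_FIRST_RUN) {                             /* S25 -> S26 */
            d.action = ACT_RETURN_FAIL;
            d.ret_value = e->fail_value;                               /* host keeps running */
        } else {                                                       /* S25 -> S27 */
            d.action = e->action;                                      /* thread or process */
        }
        return d;
    }
    return d;   /* S28..S30: no virus, restore the environment and call the original */
}

int main(void) {
    /* Constructed caller code: a first-run allocation call carrying FEAT_START. */
    static const uint8_t caller[] = {0x90, 0x68, 0x00, 0x30, 0x00, 0x00, 0xE8, 0x11, 0x22, 0x33, 0x44};
    struct decision d = handle_api_call(API_ALLOC_MEM, caller, sizeof caller);
    printf("virus=%s action=%d ret=%u\n", d.virus ? d.virus : "none", (int)d.action, d.ret_value);
    return 0;
}
```

Each record here carries a single feature; claim 9's "for safety, compare multiple features" corresponds to requiring every feature listed for a record to match before the record is accepted, which lowers the false-positive rate of a byte match against ordinary host code.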
As described above, with the memory virus detection and removal method of the present invention, regardless of where or in what form a virus exists in a file, the virus's calls to system functions are intercepted, the virus is detected and removed in real time very accurately and very quickly, and the virus is either stopped or made to fail, so that the host program continues to run, that is, the program runs with the virus present.
Although the present invention has been described with reference to the preferred embodiments above, these are not intended to limit the invention; a person of ordinary skill in the art can make various changes and modifications without departing from the spirit and scope of the invention. The scope of protection of the present invention is therefore defined by the appended claims.

Claims (9)

1. A method for detecting and removing viruses in computer memory, comprising the following steps:
virus analysis: finding the operating system functions that a virus calls in connection with infection or destruction, and building a virus database;
intercepting calls to those operating system functions;
saving the current calling environment;
saving the function identifier and the caller code of the called function;
virus checking: when an intercepted operating system function is called, comparing the caller code with the virus database to identify the virus;
judging whether the virus is running for the first time or is already running;
virus removal: if a virus is found and it is running for the first time, deciding, according to the type of virus and the user's choice, either to kill the virus or to let the virus fail so that the infected file continues to run; and, if the virus is already running, carrying out a termination operation; and
restoration: if no virus is found, restoring the original calling environment and calling the original system function.
2. The method of claim 1, wherein said system refers to the WINDOWS operating systems including WINDOWS95, WINDOWS98 and WINDOWS ME, and the WINDOWS NT operating systems including WINDOWS NT and WINDOWS2000.
3. The method of claim 1, wherein said virus database includes two classes of functions called by the virus: the first class consists of functions the virus calls when running for the first time to judge whether it can initialize, and by making such a function return a result the virus does not expect, the virus does not continue running but the host runs instead, so that running with the virus present is achieved; the second class consists of functions the virus must call during its normal operation, and by intercepting such a function the virus can be found and killed before it carries out its next infection or destruction.
4. The method of claim 3, wherein said virus database further includes the names of the functions called, a feature description of the virus, and the handling method for the virus.
5. The method of claim 2, wherein, for the WINDOWS operating system, said system function calls are implemented by API functions.
6. The method of claim 1, wherein the step of intercepting calls to operating system functions further comprises: starting a device driver and, by calling this device driver, intercepting all the functions obtained in the analysis, providing a unified handler for calls to these functions, and passing the function identifier and the caller code to the handler for use in detection and removal; and, after all interception operations are complete, the device driver plays no further role.
7. The method of claim 1, wherein: in the virus checking step, it is further judged whether the virus is running for the first time or has already resided in the system; if it is running for the first time, the current system function is made to return a given result that causes the virus to fail; if the virus is judged to be already running, it is decided, according to the data in the virus database, whether to terminate the current thread or the current process.
8. The method of claim 7, wherein, when the virus is running for the first time, if the returned function result is not enough to make the virus fail, the code the virus will execute next is modified so that it fails.
9. The method of claim 1, wherein, in said virus checking step, multiple features of the virus are obtained and compared, for safety.
Application CN 01142156, priority date 2001-09-14, filing date 2001-09-14: Computer memory virus monitoring method and method for operation with virus. Status: Expired - Lifetime. Family ID: 4676663.

Publications (2)

Publication Number / Publication Date
CN1409222A (en) 2003-04-09
CN1282083C (en) 2006-10-25 (granted)

Country Status (1)

CN (1) CN1282083C (en)

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100401224C (en) * 2005-06-23 2008-07-09 福建东方微点信息安全有限责任公司 Computer anti-virus protection system and method
CN100374972C (en) * 2005-08-03 2008-03-12 珠海金山软件股份有限公司 System and method for detecting and defending computer worm
CN100373287C (en) * 2005-11-16 2008-03-05 白杰 Method for detecting programe operation and virus programe detecting and clearing method
CN100465978C (en) * 2005-11-16 2009-03-04 白杰 Method for recovering data damaged by virus programe, apparatus and virus clearing method
CN100422900C (en) * 2005-11-17 2008-10-01 珠海金山软件股份有限公司 Computer virus checking and killing method based on data stream
CN100461197C (en) * 2006-05-16 2009-02-11 北京启明星辰信息技术有限公司 Automatic analysis system and method for malicious code
CN101005497A (en) * 2006-11-27 2007-07-25 科博技术有限公司 System and method for preventing vicious code attach
CN101350054B (en) 2007-10-15 2011-05-25 北京瑞星信息技术有限公司 Method and apparatus for automatically protecting computer noxious program
CN101350052B (en) 2007-10-15 2010-11-03 北京瑞星信息技术有限公司 Method and apparatus for discovering malignancy of computer program
CN101350053A (en) * 2007-10-15 2009-01-21 北京瑞星国际软件有限公司 Method and apparatus for preventing web page browser from being used by leak
CN103455757B (en) * 2012-05-31 2016-08-17 北京金山安全软件有限公司 Method and device for identifying virus
US9325736B2 (en) * 2013-01-10 2016-04-26 Tencent Technology (Shenzhen) Company Limited Method and device for anti-virus scanning
CN104008338B (en) * 2014-05-08 2017-06-27 北京金山安全软件有限公司 Android malicious program processing method, device and equipment



Legal Events

Code / Title / Description
C06, PB01: Publication
C10, SE01: Entry into substantive examination (entry into force of request for substantive examination)
C14, GR01: Grant of patent or utility model (patent grant)
ASS: Succession or assignment of patent right. Owner name: BEIJING RISING INTERNATIONAL SOFTWARE CO., LTD. Former owner: BEIJING RUIXING SCIENCE CO., LTD. Effective date: 20080104
C41, TR01: Transfer of patent right. Effective date of registration: 20080104. Address after: Room A408, Zhongke building, 22 Zhongguancun street, Haidian District, Beijing. Patentee after: Beijing Rising International Software Co., Ltd. Address before: Room 1305, Zhongke building, 22 Zhongguancun street, Haidian District, Beijing. Patentee before: Ruixing Science and Technology Co., Ltd., Beijing
ASS: Succession or assignment of patent right. Owner name: BEIJING RISING INFORMATION TECHNOLOGY CO., LTD. Former owner: BEIJING RISING INTERNATIONAL SOFTWARE CO., LTD. Effective date: 20101214
C41, COR: Change of bibliographic data. Correct address, from: 100080 Room A408, Zhongke building, No. 22 Zhongguancun street, Haidian District, Beijing; to: 100190 Room 1301, Zhongke building, No. 22 Zhongguancun street, Haidian District, Beijing
TR01: Transfer of patent right. Effective date of registration: 20101214. Address after: 100190 Room 1301, Zhongke building, No. 22 Zhongguancun street, Haidian District, Beijing. Patentee after: Beijing Rising Information Technology Co., Ltd. Address before: 100080 Room A408, Zhongke building, No. 22 Zhongguancun street, Haidian District, Beijing. Patentee before: Beijing Rising International Software Co., Ltd.
C56, CP01: Change in the name or title of the patent holder. Address (unchanged): 100190 Room 1301, Zhongke building, No. 22 Zhongguancun street, Haidian District, Beijing. Patentee after: Beijing Rising Information Technology Co., Ltd. Patentee before: Beijing Rising Information Technology Co., Ltd.
CP03: Change of name, title or address. Address after: 100190 No. 22 Zhongguancun street, Haidian District, Beijing, A1305, 13. Patentee after: Beijing net an Technology Limited by Share Ltd. Address before: 100190 Room 1301, Zhongke building, No. 22 Zhongguancun street, Haidian District, Beijing. Patentee before: Beijing Rising Information Technology Co., Ltd.
CX01: Expiry of patent term. Granted publication date: 20061025