CN1641516A - Method for ensuring system safety for window operating system - Google Patents

Method for ensuring system safety for window operating system Download PDF

Info

Publication number
CN1641516A
CN1641516A CN 200410002154 CN200410002154A CN1641516A CN 1641516 A CN1641516 A CN 1641516A CN 200410002154 CN200410002154 CN 200410002154 CN 200410002154 A CN200410002154 A CN 200410002154A CN 1641516 A CN1641516 A CN 1641516A
Authority
CN
China
Prior art keywords
executable program
file
program
monitor
establishment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN 200410002154
Other languages
Chinese (zh)
Other versions
CN100349084C (en
Inventor
陈�峰
夏泉源
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CNB2004100021540A priority Critical patent/CN100349084C/en
Publication of CN1641516A publication Critical patent/CN1641516A/en
Application granted granted Critical
Publication of CN100349084C publication Critical patent/CN100349084C/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Abstract

This invention discloses a method of ensuring the system security in the Windows operating system. The method is: spring the system monitoring program when the Windows operating system is preparing to found tenor for the executable program put forward a request of executing the program; the system monitoring program obtains the check file corresponding to the mentioned executable program. If there is no check file or the file is vacancy, confirm the mentioned executable program is illegal and terminate initializtion work of founding tenor. Otherwise judge whether the executable program is legal. If it's illegal, terminate initializtion work of founding tenor, or else found tenor as the normal flow.

Description

A kind of method that in Windows, guarantees security of system
Technical field
The present invention relates to computer security technique, relate in particular to a kind of method that in Windows (Windows), guarantees security of system.
Background technology
Along with popularizing of computing machine and network, the challenge of safety is increasingly serious.Virus is as one of two security threats that cause the most extensive attention (another is the invador), and its fabricator and the struggle between removing person also grow in intensity.
Virus is attached to the head or the afterbody of executable program, perhaps adopts alternate manner to embed.When calling by the program of virus infections, at first carry out viral code, and then the original code of executive routine.Specifically, the principle of work of virus infections is as follows: first line code is a redirect to main Virus; Second row is a special marking, is used for determining whether the potential program of being injured has been crossed by this virus infections.When this program was called, control passed to main Virus at once.Virus is at first found out not to be had infected executable file and infects them; Next step, virus may be carried out certain action, normally harmful to system action, for example deleted file; At last, virus is given original program with control, the difference that allows the imperceptible infection of user front and back program carry out.
According to above virus mechanism, it is to have mark governed to the infection of executable program, as the variation of file size, the check and variation, identical structure and bit mode, promptly the signature etc.
The flow process of traditional Antivirus program can be summed up as trilogy:
Detect: the periodic scanning executable program, search the signature of virus or the change of program length, whether the affirmation program is infected.
Identification:, then determine to have infected which type of virus according to the signature storehouse in case detect unusually.
Remove: in case discerned specific virus, from infected program, remove all vestiges of virus, program recovery is arrived original state.
Though traditional Antivirus program can be removed known virus, have following several significant disadvantages:
1, it is a kind of post factum, wait just go behind the virus infections to detect, identification and removing.It can not prevent by the virus infections program implementation, also just can't prevent the propagation of virus and carry out harmful action.Therefore, it is cured the symptoms, not the disease.
2, its detection depends on the signature storehouse, can only detect known virus, to not at signature viral powerless in the storehouse.When a kind of new virus occurring, need in the signature storehouse, increase new signature, Here it is causes this class software frequently to be upgraded.
3, its detects one and removes one, might one program just be eliminated and infected, that is to say its whole shortage immunocompetence.
Summary of the invention
The object of the present invention is to provide a kind of method that in Windows, guarantees security of system, to solve the problem that can not fundamentally guarantee security of system in the prior art.
For solving problem, the invention provides following technical scheme:
A kind of method that guarantees security of system in Windows comprises step:
A, Windows (Windows operating system) triggering system watchdog routine when being prepared as the executable program establishment process that proposes the executive routine request;
B, system monitor obtain described executable program corresponding check file, if do not have verification file or file for empty, determine that then described executable program is illegal, and stop the initial work of establishment process, otherwise continue step C;
C, judge according to verification file whether described executable program is legal; If illegal, then stop the initial work of establishment process, otherwise create process by normal flow.
According to said method:
System monitor is by registering the system-level process activity that (Callback) function comes surveillance of returning, the triggering system watchdog routine when calling this function when the system creation process called in advance in Windows operating system.Described triggering system watchdog routine is meant the address of revising establishment process service routine in the system service distributing list (SSDT), makes system monitor obtain to carry out control.
System monitor is caught the process activity that (API Hook) program is come surveillance by register a system-level application programming interface in advance in Windows operating system, call when creating process function triggering system watchdog routine when perhaps calling load libraries (LoadLibary) function and dynamically packing dynamic link libraries (DLL) into when the system creation process.Described triggering system watchdog routine is meant Import Address Table (the Import Address Table of modification process, IAT) and input namelist (Import Name Table, INT) content in, perhaps revise the address that obtains process address (GetProcAddress) function, make system monitor obtain to carry out control.
Described triggering system watchdog routine is meant revises the value of interrupting description list, makes system monitor obtain to carry out control.
Described verification file comprises verification file summary info, source file size and checking data.
Step C comprises:
(1) checks whether the verification file summary info is correct,, otherwise determine that described executable program is illegal, stop the initial work of establishment process if correctly then carry out step (2);
(2) whether the size of checking executable program is identical with the source file size that writes down in the verification file, if identical then carry out step (3), otherwise determine that described executable program is illegal, stop the initial work of establishment process;
(3) call the checking data generating algorithm, generate the checking data of described executable program and compare,, determine that then described executable program is legal, creates process by normal flow if two checking datas are identical with checking data in the verification file; Otherwise, determine that described executable program is illegal, stop the initial work of establishment process.
When described executable program is installed in system, generates the corresponding check file and install with executable program by system monitor.
For already present executable program in the system before the installation system watchdog routine, then generate the verification file of this executable program according to configuration file by guard process.
When the present invention is prepared as executable program establishment process in system, the intercepting system service comes the program of carrying out is carried out validity checking, and when discovery procedure is illegal, in time stop the initial work of establishment process, stoped illegal process or by the startup of virus infections process, because interception opportunity early, also just fundamentally stop viral propagation and carried out harmful action, guaranteed the safety of system; According to principle as can be seen, have only the program that generates verification file just to be allowed to operation, otherwise, even not by virus infections, be not allowed to operation yet, promptly guaranteed the special use of system simultaneously.The present invention does not rely on the feature of concrete virus, and is effective to the parasitic virus of any infection executable program.
Description of drawings
Fig. 1 is the structural representation of computing machine;
Fig. 2 is the mutual relationship synoptic diagram of system monitor and Windows operating system;
Fig. 3 is a process flow diagram of the present invention.
Embodiment
It is the protection of application software system of Windows operating system (being Windows NT, 2000, XP etc., inapplicable to Windows98) of core that system monitor of the present invention goes for NT.Process creation by surveillance comes the quiescing system to move unauthorized program or by the virus infections program, to guarantee the safety of application software system.
Consult Fig. 1, shown the basic structure of a computing machine among the figure, implement method of the present invention with it.The processor of computing machine is connected with storer by bus, also connects IO interface by bus simultaneously, and storer comprises internal memory and external memory, basic external memory such as hard disk etc.; IO interface attended operation keyboard and display device, communication interface is connected to network or other communication facilities through connection.
Store Windows operating system program and other executable program in storer, at first load the Windows operating system program during computer starting, other executable program operates on this operating system.When other executable program need move, send request to Windows operating system, be that executable program is created new process by the kernel module of operating system, and be this new course allocation resource.
In the present invention, also store system monitor in the storer, this program is that executable program is used to check whether executable program is legal when creating new process at the kernel module of operating system, relation between system monitor and operating system as shown in Figure 2, executable program (comprises specialized application software, and other system software or application software) to Windows operating system " executive routine request " proposed when carrying out, after Windows operating system receives " executive routine request ", carry out some initial work, prepare to create and reporting system watchdog routine " the establishment process is prepared by system ", whether the program that inspection will be carried out after system monitor received and notifies is legal.If legal, then allow Windows operating system continue to finish the initial work of process creation; Otherwise stop the initial work of the process creation of Windows operating system.
Each legal procedure in the system all has the corresponding check file, and this verification file can adopt MD5 algorithm (also can adopt other algorithms) that legal procedure is carried out the calculation check data by system monitor and generate.For existing legal procedure in the system before system monitor is installed, system monitor generates corresponding checking file according to the appointment of configuration file when mounted.For the legal procedure that install the back being installed, must generating its checking file before installing with the kit of system monitor, and install together in company with legal procedure at system monitor.
The verification file form is:
Sequence number Space (byte number) Effect Explanation
1 16 Verification file sign, character string are " _ PPT_FILE_ ". The verification file summary info
2 4 The byte number of checking data, nonnegative integer.
3 64 Retaining space is preserved other information of verification file when being used for from now on expanded function.
4 4 The source file size, nonnegative integer.
5 64 Retaining space is preserved other information of source file when being used for expanding from now on.
6 Byte number is determined by the checking data generating algorithm Preserve checking data. Checking data
It is as follows to consult treatment scheme shown in Figure 3, main:
Step 10:Windows operating system is the triggering system watchdog routine when being prepared as the executable program establishment process that proposes the executive routine request, obtains control by system monitor.
Step 20: system monitor obtains described executable program corresponding check file, if do not have verification file or file for empty, then carry out step 80, otherwise continues step 30.
Step 30: check whether the verification file summary info is the verification file of correct format, if not, then carry out step 80, otherwise carry out step 40.
There are two conditions all to satisfy to be only whether " the verification file sign " of correct verification file: A, verification file summary info is " _ PPT_FILE_ "; Whether " byte number of checking data "+152 in B, the verification file summary info equal the size of verification file.
Step 40: the size of checking described executable program whether with verification file in the source file preserved big or small identical, if different, then this executable code modification mistake carry out step 80, otherwise carry out step 50.
Step 50: call the checking data generating algorithm, regenerate the checking data of described executable program.
Step 60: newly-generated checking data and the checking data in the verification file are compared; If two checking datas are inequality, then carry out step 80; Otherwise carry out step 70.
Step 70: judge that this executable program is legal, give system module, and create process by normal flow with control.
Step 80: determine that described executable program is illegal, and stop the initial work of establishment process, do not carry out this executable program.
Because unauthorized illegal program, it does not have the verification file of compliance with system watchdog routine; By the program that virus infections is crossed, newly-generated verification and be not inconsistent with verification file, so the two all can not move.
In the present invention, the realization of Windows operating system triggering system watchdog routine when being prepared as the executable program that proposes the executive routine request and creating process can have multiple mode, below mainly three kinds of modes is wherein described in detail:
Mode one:
1, creates the process informing mechanism
Windows operating system is in the process of establishment, and kernel module can after these resources allocations are good, can be notified the WIN32 subsystem for new some resources of course allocation.And can allowing one of user installation call, the WIN32 subsystem returns the process activity that (Callback) function comes surveillance.In this Callback function, just can carry out the action of appointment, implementation is as follows:
At first, the kernel function of going calling program NTOSKRNL.EXE to provide by a core schema (KM) driver.Program NTOSKRNL.EXE module has derived a series of Processing Structure programs (Process Structure Routine) function under Windows operating system, wherein there is one to be used to register a system-level Callback function, when operating system (OS) is created, withdrawed from or stops process, all can call this Callback function.Because user model (UM) program can not be called kernel function, provide a KM driver.
Then, provide a UM program, this UM program is communicated by letter with the KM driver, to start and to stop the service of KM.In the time of the process activity, the KM program is notified UM program by a notice (Notify) incident.
2, revise Windows system service distributing list (System Service Dispatch Table, SSDT)
This utilizes these characteristics of NT system layer mechanism to realize.
WIN32 API is generally provided by KERNEL32.DLL and these two modules of ADVAPI32.DLL, and when calling WIN32 API, OS at first can be converted to Unicode to the string argument in the function automatically.Subsequently, OS can find corresponding function in the NTDLL.DLL module, and the function that finds can call NTOSKRNL.EXE and serve accordingly.Each service all has unique sign in NTOSKRNL be service ID.NTDLL is put into this service ID in the eax register, and the parameter stack address is put among the EDX, then uses INT 2EH instruction that system running pattern is become kernel mode, begins to carry out by specifying corresponding handling procedure among the IDT.
When NTOSKRNL was initialized, it can set up a SSDT, and each is the address of a service (Service) handling procedure in the table, and each Service handling procedure all can reside in the kernel (Kernel).Also has the parameter that table is used for preserving Service.
In this is used, can be by revising the SSDT table content of NTOSKRNL, allow the code of address pointing system watchdog routine of establishment process service, realize system monitoring.
When program start, this Callback function of system call, this Callback function is carried out verification.If verification is not passed through, then process stops; If pass through, then the default Callback of calling system carries out normal program start process.
Mode two:
The method that adopts application programming interface (API) to catch (Hook)
Each process of moving in the Windows system all has an Import Address Table (Import AddressTable, IAT) and input namelist (Import Name Table, INT), these two tables can write down all importing functions of this process, and the establishment process can only be used limited several functions.If program is static the connection, its process necessarily has record and creates process function in these two tables so.If the function of the establishment process of certain DLL of dynamic call, in these two tables, just do not create the record of process function, but it must call load libraries (LoadLibary) the function DLL that packs into dynamically, so the record of LoadLibary function is necessarily arranged in these two tables.
At first, a system-level HOOK program is installed in system, in this HOOK program of installation, enumerates processes all in the system, and in the IAT and INT of these processes, search and whether use the record of creating process function; If have, then the address among IAT and the INT is preserved, be used for system monitor particular code sector address then and cover this record; If do not have, this process can not directly use the establishment process function to come the establishment process, then search the record that whether uses this class dynamic call of LoadLibary DLL function: if having, then revising the address that obtains process address (GetProcAddress) function is watchdog routine particular code sector address; If any operation that no, just it goes without doing.
Monitored process is used when creating process function or this class function of LoadLibary, because revised IAT and INT, so system monitor obtains carrying out control, and the action of appointment in the then first executive system watchdog routine; If use the function of the DLL that packs into, when using GetProcAddress, judge whether the parameter of GetProcAddress creates the function C reateProcess of process, if then go the action of executive system watchdog routine appointment; If not, any processing that just it goes without doing.
Mode three:
The Interrupt Service Routine table of retouching operation system
Under protected mode, (Interrupt Descriptor Table IDT) describes to interrupt using the interruption description list.(Interrupt Descriptor Table Register IDTR) keeps the address of IDT and the record number of table to interrupt the description list register.IDT can be retained in the physical memory always, and an interrupt gate is arranged in IDT, and it preserves the selector switch (Selector) and the side-play amount (Offset) of this interrupt handling program code segment.When interrupting occurring, the interrupt number that processor is shown by IDT finds the processing routine of this interruption, then relevant interrupt handling routine is just carried out in the stacked back of relevant register.
At first obtain the value of IDTR, obtain wanting to revise the Selector and the Offset of interrupt handling routine, these two values are preserved, and then the value of IDT is revised as the Selector and the Offset of system monitor by the SIDT instruction.
The executive subsystem of Windows NT comprises subsystems such as Win32, Win16, POSIX.These subsystems have function creation process separately.But finally still to call kernel the service of establishment process is provided.Any of client layer calls, finally the service of all calling system kernel.System service has and has only unique processing routine in OS, unique routine is tackled, and the possibility of mistakes and omissions can not occur.Thereby the present invention adopts the intercepting system service, is a kind of scheme very reliably.The scheme of system service interception also has a benefit, is exactly item in each service corresponding with service parameter list, can be accurate and find the information that needs fast.And system is not any resource of new course allocation, and the establishment that stop process also more fast, thoroughly.
The present invention stops by the operation of virus infections program from the source, prevents the propagation of virus and carries out harmful action.It does not rely on the feature of concrete virus, and is effective to the parasitic virus of any infection executable program.It can stop unauthorized program implementation simultaneously.

Claims (10)

1, a kind of method that guarantees security of system in Windows is characterized in that comprising step:
A, Windows (Windows operating system) triggering system watchdog routine when being prepared as the executable program establishment process that proposes the executive routine request;
B, system monitor obtain described executable program corresponding check file, if do not have verification file or file for empty, determine that then described executable program is illegal, and stop the initial work of establishment process, otherwise continue step C;
C, judge according to verification file whether described executable program is legal; If illegal, then stop the initial work of establishment process, otherwise create process by normal flow.
2, the method for claim 1, it is characterized in that, system monitor is by registering the system-level process activity that (Callback) function comes surveillance of returning, the triggering system watchdog routine when calling this function when the system creation process called in advance in Windows operating system.
3, method as claimed in claim 1 or 2 is characterized in that, described triggering system watchdog routine is meant the address of revising establishment process service routine in the system service distributing list (SSDT), makes system monitor obtain to carry out control.
4, the method for claim 1, it is characterized in that, system monitor is caught the process activity that (API Hook) program is come surveillance by register a system-level application programming interface in advance in Windows operating system, call when creating process function triggering system watchdog routine when perhaps calling load libraries (LoadLibary) function and dynamically packing dynamic link libraries (DLL) into when the system creation process.
5, as claim 1 or 4 described methods, it is characterized in that, described triggering system watchdog routine is meant Import Address Table (the Import Address Table of modification process, IAT) and input namelist (ImportName Table, INT) content in, perhaps revise the address that obtains process address (GetProcAddress) function, make system monitor obtain to carry out control.
6, the method for claim 1 is characterized in that, described triggering system watchdog routine is meant revises the value of interrupting description list, makes system monitor obtain to carry out control.
7, the method for claim 1 is characterized in that, described verification file comprises verification file summary info, source file size and checking data.
8, the method for claim 1 is characterized in that, step C comprises:
(1) checks whether the verification file summary info is correct,, otherwise determine that described executable program is illegal, stop the initial work of establishment process if correctly then carry out step (2);
(2) whether the size of checking executable program is identical with the source file size that writes down in the verification file, if identical then carry out step (3), otherwise determine that described executable program is illegal, stop the initial work of establishment process;
(3) call the checking data generating algorithm, generate the checking data of described executable program and compare,, determine that then described executable program is legal, creates process by normal flow if two checking datas are identical with checking data in the verification file; Otherwise, determine that described executable program is illegal, stop the initial work of establishment process.
9, the method for claim 1 is characterized in that, when described executable program is installed in system, is generated the corresponding check file and is installed with executable program by system monitor.
10, the method for claim 1 is characterized in that, for already present executable program in the system before the installation system watchdog routine, is then generated the verification file of this executable program according to configuration file by guard process.
CNB2004100021540A 2004-01-05 2004-01-05 Method for ensuring system safety for window operating system Expired - Fee Related CN100349084C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2004100021540A CN100349084C (en) 2004-01-05 2004-01-05 Method for ensuring system safety for window operating system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2004100021540A CN100349084C (en) 2004-01-05 2004-01-05 Method for ensuring system safety for window operating system

Publications (2)

Publication Number Publication Date
CN1641516A true CN1641516A (en) 2005-07-20
CN100349084C CN100349084C (en) 2007-11-14

Family

ID=34867304

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004100021540A Expired - Fee Related CN100349084C (en) 2004-01-05 2004-01-05 Method for ensuring system safety for window operating system

Country Status (1)

Country Link
CN (1) CN100349084C (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102034047A (en) * 2010-12-21 2011-04-27 姚志浩 Automatic protection method for computer virus
CN102651060A (en) * 2012-03-31 2012-08-29 北京奇虎科技有限公司 Method and system for detecting vulnerability
CN103970540A (en) * 2014-05-15 2014-08-06 北京华为数字技术有限公司 Method and device for safely calling key function
CN106228066A (en) * 2016-07-13 2016-12-14 北京金山安全软件有限公司 The process address space prevents malicious modification method, device and terminal

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1996024894A1 (en) * 1995-02-08 1996-08-15 Sega Enterprises, Ltd. Information processor having security check function
US6205551B1 (en) * 1998-01-29 2001-03-20 Lucent Technologies Inc. Computer security using virus probing
US6330670B1 (en) * 1998-10-26 2001-12-11 Microsoft Corporation Digital rights management operating system
US6697948B1 (en) * 1999-05-05 2004-02-24 Michael O. Rabin Methods and apparatus for protecting information

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102034047A (en) * 2010-12-21 2011-04-27 姚志浩 Automatic protection method for computer virus
CN102034047B (en) * 2010-12-21 2012-10-17 姚志浩 Automatic protection method for computer virus
CN102651060A (en) * 2012-03-31 2012-08-29 北京奇虎科技有限公司 Method and system for detecting vulnerability
CN102651060B (en) * 2012-03-31 2015-05-06 北京奇虎科技有限公司 Method and system for detecting vulnerability
CN103970540A (en) * 2014-05-15 2014-08-06 北京华为数字技术有限公司 Method and device for safely calling key function
CN103970540B (en) * 2014-05-15 2018-02-06 北京华为数字技术有限公司 Key Functions secure calling method and device
CN106228066A (en) * 2016-07-13 2016-12-14 北京金山安全软件有限公司 The process address space prevents malicious modification method, device and terminal
CN106228066B (en) * 2016-07-13 2019-12-03 珠海豹趣科技有限公司 The process address space prevents malicious modification method, apparatus and terminal

Also Published As

Publication number Publication date
CN100349084C (en) 2007-11-14

Similar Documents

Publication Publication Date Title
US8010667B2 (en) On-access anti-virus mechanism for virtual machine architecture
US7802300B1 (en) Method and apparatus for detecting and removing kernel rootkits
US8719935B2 (en) Mitigating false positives in malware detection
US9411743B2 (en) Detecting memory corruption
US9135443B2 (en) Identifying malicious threads
EP2461264B1 (en) Apparatus and method for runtime integrity verification
KR102206115B1 (en) Behavioral malware detection using interpreter virtual machine
US10460099B2 (en) System and method of detecting malicious code in files
CN1896903A (en) Virtual-machine system for supporting trusted evaluation and method for realizing trusted evaluation
JP2010262609A (en) Efficient technique for dynamic analysis of malware
WO2014071867A1 (en) Program processing method and system, and client and server for program processing
CN101042719A (en) System and method for killing ROOTKIT
US9177149B2 (en) Method of detecting malware in an operating system kernel
US8402539B1 (en) Systems and methods for detecting malware
CN105117649A (en) Anti-virus method and anti-virus system for virtual machine
KR101563059B1 (en) Anti-malware system and data processing method in same
Weisberg et al. Enhancing Transportation System Networks Reliability by Securer Operating System
CN1581088A (en) Method and device for preventing computer virus
CN1641516A (en) Method for ensuring system safety for window operating system
Oyama et al. Detecting malware signatures in a thin hypervisor
EP3079057B1 (en) Method and device for realizing virtual machine introspection
CN1282083C (en) Computer memory virus monitoring method and method for operation with virus
CN1010511B (en) Signaling attempted transfer to protected entry point bios routine
US9787699B2 (en) Malware detection
US9756069B1 (en) Instant raw scan on host PC with virtualization technology

Legal Events

Date Code Title Description
PB01 Publication
C06 Publication
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
GR01 Patent grant
C14 Grant of patent or utility model
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20071114

Termination date: 20180105

CF01 Termination of patent right due to non-payment of annual fee