Embodiment
The present invention is described in further detail below in conjunction with the drawings and Examples. Definitions of terms: Process: a running instance of a program. Rogue program: a program harmful to the computer system, including viruses, Trojan horses, backdoors, spyware and the like. Driver component: a driver; the driver runs at the bottom layer of the system, holds very high control authority within the system, and can be regarded as part of the operating system. Main interface component: the main interface program, used mainly to handle human-computer interaction; in the Windows system the main interface component generally interacts with the user in the form of a window, and the user operates it with the mouse and keyboard to accomplish the required tasks.
The computer safe-start method of the present invention uses a computer configured with a Pentium 400 MHz CPU or higher, 64 MB or more of memory, an SVGA display card with 16-bit colour or better, 300 MB or more of hard disk, and the operating system Windows 2000, Windows XP or Windows 2003. First, the main interface component and the driver component are installed at the application layer and the driver layer of the computer respectively. The main interface component comprises: (1) a human-computer interaction module which, as shown in Figure 8, uses a Windows window and interacts with the user through the buttons in the window; (2) a module for communicating with the driver component: the main interface component and the driver component set up a message channel, and by sending messages to the driver component the main interface controls the driver to record process information and to intercept process start-up; (3) a scanning and analysis module for identifying rogue programs, which judges by scanning whether a program is a rogue program. The scanning method comprises, in order, digital signature verification, safe-program signature library verification and static behaviour feature-code analysis. During scanning the danger value is expressed as a score, the scores obtained by each scanning step are accumulated, and after scanning is complete the risk level of the scanned program is judged from the final score.
The driver component is used to intercept the operation of all programs. It records the names of the processes being run in a running-process list kept on the hard disk, and intercepts process operation by means of a create-process handling function that replaces the computer's original create-process handling function.
As shown in Figure 1, the computer safe-start method of the present invention comprises the following steps: one, install the main interface component and the driver component at the application layer and the driver layer of the computer respectively; two, when the computer starts, the driver component records the names of all processes run during the start-up process as a name list and stores it in the running-process list on the hard disk; three, after start-up is complete, the main interface component scans and analyses the list of run programs recorded by the driver component, in order, using digital signature verification, safe-program signature library verification and static behaviour feature-code analysis. The danger value is represented by a score, each scanning and analysis step yields a danger score, and the main interface component records the programs whose score equals 0 in the safe-program list; four, restart the computer: programs not in the safe-program list are judged to be rogue programs, are intercepted by the driver component, and are prevented from running by means of the return value.
Because the driver component of the computer safe-start method of the present invention is installed in the driver layer of the computer, during start-up the driver component is loaded and run by the computer's CPU with priority, and once it is running it monitors all new process creation by replacement. As shown in Figure 2, when the computer starts, the driver component runs and uses its own create-process handler to replace the computer's original process handling; each time the computer creates a new process, the driver component records the name of the process being created and stores it in the running-process list in list form. As shown in Figure 3, when the computer is restarted, the driver component compares, by string comparison, the name of each newly created process against the process names held in the safe-program list on the hard disk. Any program not in the start-up list is stopped directly and its creation is refused by means of the return value; only a program whose process name is in the safe-program list is allowed to create its process. After the computer system has finished starting, the main interface component sends a stop-interception command to the driver component, the driver component stops blocking the create-process operation, and control of the computer system is handed to the user by letting the blocked processes through. Once the driver component is installed in the driver layer, each time the computer starts the driver component records the names of the running programs in the running-process list, so the first start already completes the recording needed for a clean boot; the separate first start of the computer can therefore be dispensed with and only the second start is needed, which simplifies the steps for the user to use safe start.
The scanning method used by the main interface component to identify rogue programs comprises digital signature verification, safe-program signature library verification and static behaviour feature-code analysis. The purpose of this order is to first exclude the programs installed in the computer operating system that are regarded as normal, and only then have the scanning function of the scanning and analysis module compare and analyse the program according to its static behaviour feature codes to obtain a danger value. The danger value is computed as a score: the higher the score, the higher the risk level of the program; the names of programs whose danger value is 0 are then stored in the safe-program list in the registry. As shown in Figure 4, the flow of the main interface component's scanning and analysis of rogue programs is to analyse the digital signature first, then the safe-program signature library, and finally the static behaviour feature codes.
The computer's central processing unit reads the file to be scanned and compares it by reading its data. It first checks the rogue-program list, which is a manually collected set of extracted feature codes kept on the hard disk, by comparing against the data read from the hard disk. If the central processing unit finds the feature code of the file to be scanned in the rogue-program list, this shows that the program is already known to be a rogue program: the danger value is set to 100 points, indicating that it is highly dangerous, and there is no need to scan further, so the scan ends.
The digital signature is a function provided by the Windows operating system for verifying whether a file contains a unique, definite signature. The data of every program inside the Windows operating system carries Microsoft's digital signature; the value of the digital signature is unique, and it proves that the program is a normal, safe program. If the program to be analysed contains Microsoft's digital signature, its name is recorded in the safe-program list and the scan ends; if it has no digital signature, safe-program signature library verification is carried out.
The safe-program signature library is a set of feature codes of safe programs that have been manually collected and are stored in list form in a safe-program signature library file. The central processing unit collects commonly used software in text form, and after each has been verified by analysis to be a normal program, extracts the feature codes of the files of these normal programs and gathers them together. The scanning, analysis and identification module of the main interface component compares the feature code of the program to be analysed one by one with the feature codes in the safe-program signature library; if an identical feature code exists, the name of the program to be analysed is recorded in the safe-program list, the program is taken to be a normal program, and the scan ends.
The static behaviour feature-code analysis of the scanning method assigns danger values by comparison according to the rules in the order below, then accumulates the danger values; programs whose final danger value is 0 are recorded by name in the safe-program list, and the scan then ends.
1. The computer's central processing unit judges and analyses the size of the whole file to be verified, assigns a score and keeps it in memory, then accumulates it; when the score exceeds 100 the file is judged to be a rogue program and the scan ends. A normal program, or a large piece of software, is generally not very small, whereas a virus or Trojan horse, for ease of propagation, is generally rather small.
1.1. When the file to be verified is smaller than 1 KB, add 20 points, and record and keep the result in memory;
1.2. When the file to be verified is smaller than 50 KB, add 15 points;
1.3. When the file to be verified is smaller than 100 KB, add 10 points;
1.4. When the file to be verified is smaller than 200 KB, add 5 points;
1.5. When the file to be verified is larger than 500 KB, subtract 5 points;
1.6. When the file to be verified is larger than 1024 KB, subtract 20 points.
2. The computer's central processing unit judges and analyses the resources and creation date of the file to be verified, assigns a score, records and stores it in memory, then accumulates it; when the score exceeds 100 the file is judged to be a rogue program and the scan ends. A virus generally has no resources such as forms, icons and sounds, or very few, so here the resources and the relatively sensitive creation-date information are analysed.
2.1. The central processing unit judges and analyses the number of resources of the file to be verified and records and stores the result in memory; if the number of resources is less than or equal to 5, add 5 points;
2.2. The central processing unit judges and analyses the character strings; when the file is smaller than 500 K, subtract 10 points;
2.3. If the creation date of the file to be verified is within one day, add 5 points.
3. The central processing unit judges and analyses the portable executable (PE) information of the file to be verified to determine whether the file has been packed; if it is packed, 50 points are added to the danger value, which is recorded and stored in memory.
3.1. The central processing unit judges whether the section containing the entry point of the program to be verified is a standard section. The code entry point of a normal program always lies in the code section, the section named .code; if it does not, the program is regarded as packed;
3.2. The central processing unit judges whether the code at the entry point of the program to be verified is identical to a packer feature code. The entry-point code generated by a given compiler is always identical, and the same is true of packing tools, so by comparing the entry-point code of a program with the packer features in the feature-code library one can judge whether the program has been packed;
3.3. The central processing unit analyses the imported functions of the program to be verified to determine whether the file has been packed. For example, the sensitive API functions of the program to be verified are analysed: if the import table contains only between two and six API functions, and these all agree with the sensitive API functions, the program to be verified is shown to be packed. The five common sensitive API functions are "VirtualAlloc", "VirtualFree", "LoadLibraryA", "LoadLibraryW" and "GetProcAddress"; these five API functions are commonly used by packers. VirtualAlloc and VirtualFree are used to allocate and release memory; LoadLibraryA and LoadLibraryW are used to load a DLL dynamic link library; GetProcAddress is used to obtain the entry-point pointer of a function from the DLL loaded by LoadLibrary.
4. The computer's central processing unit analyses the version information of the program file to be verified and assigns a score. A normal program generally carries the developer's version information, such as company name, version number, copyright information and description text, whereas most viruses lack this information and only a small fraction of viruses forge version information. The central processing unit records and stores the analysis result in memory and then continues scanning.
4.1. If there is no version information in the program file to be verified, add 8 points;
4.2. If there is no company name in the program file to be verified, add 2 points;
4.3. If there is no copyright information in the program file to be verified, add 2 points;
4.4. If there is no description in the program file to be verified, or the description has fewer than 5 characters, add 2 points;
4.5. If the file's company name is mirosoftware and the file is packed, add 10 points.
5. The computer's central processing unit analyses the import table information of the portable executable (PE) structure of the program file to be verified, compares and identifies the dynamic link libraries (DLLs) and their imported functions, records and stores the analysis result in memory, then continues scanning and assigns a score.
5.1. If the import table is incomplete, that is, the central processing unit encounters an error while reading the file header or the import table, it directly adds 50 points to the program;
5.2. The central processing unit analyses the DLL information, checking whether the import table loads no more than 2 non-Microsoft modules; if the non-Microsoft modules exceed 2, 20 points are deducted for each;
5.3. If the import table contains network-related modules, add 10 points; the central processing unit analyses whether network-related DLLs exist in the program file to be verified, such as WPCAP, a DLL of a kit used for intercepting data packets, which adds 5 points;
5.4. The central processing unit analyses whether file-related application programming interfaces (APIs) exist in the program file to be verified, such as CreateFile, which adds 5 points; if the program is packed, the API import table is not analysed and contains none of the dangerous interfaces, namely the interface calls for writing files, creating processes and network access, each of which adds 5 points;
5.5. If the program file to be verified is a VB (Visual Basic) program, the central processing unit analyses and judges whether it contains file operations and uses GetIpUpDown, and if so adds 10 points.
6. The computer's central processing unit analyses the section fields of the program file to be verified and assigns a score. The size of the non-code sections of a normal program is roughly within 10 times the size of the code section; if it exceeds 10 times, the file may be a packed virus or a program infected by a virus. The central processing unit sums all sections other than the code section and then compares the sizes, that is, how much the total differs from the size of the code section; it records and stores the analysis result in memory and then continues scanning.
6.1. If the section table is incomplete, add 10 points;
6.2. If the non-code sections are more than 100 times the code section, add 10 points;
6.3. If the non-code sections are more than 80 times the code section, add 8 points;
6.4. If the non-code sections are more than 60 times the code section, add 6 points;
6.5. If the non-code sections are more than 40 times the code section, add 4 points;
6.6. If the non-code sections are more than 20 times the code section, add 2 points;
6.7. If the non-code sections are more than 10 times the code section, add 1 point.
7. The computer's central processing unit analyses the process information, records and stores the analysis result in memory, then continues scanning and assigns a score.
7.1. If the name of the process to be verified is one of the six processes "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe", "Msimn.exe" and "msnmsgr.exe", add 5 points;
7.2. If the program file to be verified is under the installation directory of the operating system, add 10 points;
7.3. If the program file to be verified is under the %system% directory, add 10 points;
7.4. If the path of the program file to be verified is a network path, add 5 points;
7.5. The central processing unit analyses the similarity between the name of the process to be verified and the following critical processes; if it reaches 80%, add 10 points: "conime", "svchost", "services", "winlogon", "explorer", "lsass", "internat", "smss";
7.6. Analyse whether the suffix of the name of the process being created is "DLL"; if so, add 20 points.
8. The computer's central processing unit analyses the file name of the program file to be verified and assigns a score. For a normal program, the file name generally does not exceed 32 characters, generally contains no more than 2 spaces, and contains no Chinese characters or special characters such as # and %; if these conditions are not met, the program may be a problematic program. The central processing unit records and stores the analysis result in memory and then continues scanning.
8.1. If the file name is overlong, more than 32 characters, add 5 points;
8.2. If the file name contains more than 3 spaces, add 5 points;
8.3. If the file name contains special characters, such as Chinese symbols, add 1 point per character;
8.4. If the file name analysis score is higher than 10 points, set it to 10 points.
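As an added illustration that is not code from the patent, the following Python model applies the cumulative scoring of rules 1, 3.3, 4, 6, 7.1, 7.6 and 8 above with the point values given there. The FileFacts record is a constructed stand-in for what a PE parser would extract, and the handling of negative totals and of totals between 0 and 100 is an assumption.

```python
from dataclasses import dataclass, field
SENSITIVE_APIS = {"VirtualAlloc", "VirtualFree", "LoadLibraryA", "LoadLibraryW", "GetProcAddress"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe", "Msimn.exe", "msnmsgr.exe"}
MALICIOUS_THRESHOLD = 100   # rule 1: scanning stops once the total exceeds 100

@dataclass
class FileFacts:            # constructed stand-in for what a PE parser would extract
    name: str
    size_kb: float
    code_size: int          # bytes in the code section
    noncode_size: int       # bytes in every other section
    imports: set = field(default_factory=set)
    has_version_info: bool = True
    company: str = ""
    copyright: str = ""
    description: str = ""

def size_points(kb):        # rules 1.1 to 1.6, first matching band wins
    for limit, pts in ((1, 20), (50, 15), (100, 10), (200, 5)):
        if kb < limit:
            return pts
    return -20 if kb > 1024 else (-5 if kb > 500 else 0)

def packer_points(imports): # rules 3 and 3.3: an import table of only 2..6 functions,
    # all among the five sensitive APIs, is read as packed, which rule 3 scores at 50
    return 50 if 2 <= len(imports) <= 6 and imports <= SENSITIVE_APIS else 0

def version_points(f):      # rules 4.1 to 4.4
    return ((0 if f.has_version_info else 8) + (0 if f.company else 2)
            + (0 if f.copyright else 2) + (2 if len(f.description) < 5 else 0))

def section_points(code, noncode):   # rules 6.1 to 6.7
    if code <= 0:
        return 10           # no usable code section: scored like rule 6.1
    ratio = noncode / code
    for mult, pts in ((100, 10), (80, 8), (60, 6), (40, 4), (20, 2), (10, 1)):
        if ratio > mult:
            return pts
    return 0

def process_points(name):   # rules 7.1 and 7.6
    return (5 if name in SYSTEM_NAMES else 0) + (20 if name.lower().endswith(".dll") else 0)

def filename_points(name):  # rules 8.1 to 8.4
    pts = (5 if len(name) > 32 else 0) + (5 if name.count(" ") > 3 else 0)
    pts += sum(1 for ch in name if not (ch.isascii() and (ch.isalnum() or ch in " ._-")))
    return min(pts, 10)     # rule 8.4 caps the filename score at 10

def score(f):               # sum the rule scores in order, stopping once the total exceeds 100
    steps = (("size", lambda: size_points(f.size_kb)),
             ("packer", lambda: packer_points(f.imports)),
             ("version", lambda: version_points(f)),
             ("sections", lambda: section_points(f.code_size, f.noncode_size)),
             ("process", lambda: process_points(f.name)),
             ("filename", lambda: filename_points(f.name)))
    total, breakdown = 0, {}
    for label, rule in steps:
        breakdown[label] = rule()
        total += breakdown[label]
        if total > MALICIOUS_THRESHOLD:
            return total, "malicious", breakdown   # rule 1: judged rogue, scan ends
    # the text files 0-point programs as safe; treating a negative total the same
    # way, and leaving the band in between to the user (Figure 5), is assumed here
    return total, ("safe" if total <= 0 else "undetermined"), breakdown
```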
As shown in Figure 5, according to the result of the computer scan, the user can edit and modify the scanning result in the main interface program, manually setting a given program in the scanning result list as a rogue program or a normal program.
As shown in Figure 6, during the computer start-up process the driver component is loaded first; for each program a process is created, the process is then scheduled, and the process runs. The create-process handling function originally in the computer is replaced by the driver component's own handling. When the computer creates a process, the driver component first applies the following processing to the process being created: 1, whether the started process is an operating-system process; operating-system processes are the processes that must run for the computer to start and must never be intercepted, otherwise the computer system would fail to work normally, so operating-system programs are allowed to run; 2, whether it is a program in the normal-program list; if it is, the process is allowed to be created; 3, the direct creation of all other processes is forbidden.
Under normal circumstances, after the computer system finishes starting, the driver component stops interception automatically. However, considering that various problems may arise that leave the driver component permanently in the intercepting state, which would prevent the computer from being used normally, the driver component has a method of stopping interception on its own: if the main interface program is running, or by periodic checks after the driver component itself has started, if the driver component detects that it has been running for more than 5 minutes, it stops interception and the computer can run normally.
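The driver's decision order just described, the two-boot record-then-enforce flow, and the automatic stop, modelled in Python as an added example that is not the patent's own driver code. The operating-system process names are a constructed sample, and the rule that nothing is blocked before a safe list exists is an assumption.

```python
from dataclasses import dataclass, field

# Constructed sample of operating-system processes that are never blocked (names
# taken from the critical-process list in rule 7.5, with .exe appended).
OS_PROCESSES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "explorer.exe"}
AUTO_STOP_SECONDS = 5 * 60   # the driver stops intercepting on its own after 5 minutes

@dataclass
class BootGuard:
    safe_list: set = field(default_factory=set)        # programs the scan scored 0
    running_list: list = field(default_factory=list)   # names recorded during boot
    intercepting: bool = False
    started_at: float = 0.0

    def begin_boot(self, now):
        """Driver loaded at start-up: record names, and intercept if a safe list exists."""
        self.running_list = []
        self.started_at = now
        self.intercepting = bool(self.safe_list)   # assumption: no safe list, no blocking

    def scan_complete(self, scores):
        """Main interface finished scanning (step three): keep the 0-point programs."""
        self.safe_list = {name for name in self.running_list if scores.get(name) == 0}

    def startup_finished(self):
        """Stop-interception command sent by the main interface component."""
        self.intercepting = False

    def on_create_process(self, name, now):
        """Replacement create-process handler: returns 'allow' or 'deny'."""
        self.running_list.append(name)              # step two: record every name
        if self.intercepting and now - self.started_at > AUTO_STOP_SECONDS:
            self.intercepting = False               # the driver's own 5-minute check
        if not self.intercepting or name.lower() in OS_PROCESSES:
            return "allow"                          # never block the operating system
        if name in self.safe_list:
            return "allow"                          # string match against the safe list
        return "deny"                               # all other creation is refused
```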
As shown in Figure 7, the method by which the driver component of the present invention implements process interception is to replace the computer's original create-process handling with its own create-process handling. First, when the driver component is initialised, the computer's central processing unit obtains the ID number of the original handling function, finds the memory address of the function corresponding to that ID, then, using the method of modifying the address attributes, makes the function address writable, modifies the function address, and rewrites that address to the address of the handling function inside the driver component, thereby performing the replacement. The driver component's handling function then begins to make its judgement, deciding whether to stop or to allow the process, and restores the function address to non-writable after the computer has finished starting. There can be several methods of implementing process interception; the method adopted by the present invention is to replace the four kernel process-creation functions ZwCreateProcess, ZwCreateProcessEx, ZwCreateThread and ZwResumeThread.