WO2012034349A1 - Method and system for protecting computer safety - Google Patents


Info

Publication number: WO2012034349A1
Authority: WO (WIPO, PCT)
Prior art keywords: social, thread, attribute, marked, executable module
Application number: PCT/CN2011/001037
Other languages: French (fr), Chinese (zh)
Inventor: 胡志水 (Hu Zhishui)
Original assignee: Hu Zhishui
Application filed by Hu Zhishui
Publication of WO2012034349A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Definitions

  • The computer security protection system of the present invention includes a central server and a computer security protection client.
  • The central server generates signatures (feature codes) corresponding to secure executable modules and collects them, as part of each executable module identifier, into the central module signature database.
  • Executable module file formats include COM, MZ, NE, LE and PE; most executable modules are in PE format.
  • The signature is constructed as follows. 1. Calculate the checksum: the checksum is generally calculated over the entire file; for executable modules in NE and LE format, only the DOS header and the corresponding NE or LE header are included in the checksum. 2. Calculate the length indication. The checksum and the length indication are each 2 bytes and together form the 4-byte signature of the executable module.
  • Each executable module identifier consists of the 4-byte signature and a 4-byte classification identification code generated by the central server; the classification identification code includes a type code and a product name code.
  • Type code: on the basis that 512 types should be sufficient to classify executable modules, 8 bits are allocated. For example, the instant messaging type can be represented by 00110000.
  • Product name code: given the variety of products, 24 bits are allocated within each type to indicate the product name. For example, Tencent's instant messaging product can be represented by 00000000 00000000 00110001.
  • Each executable module identifier therefore contains 8 bytes: 4 bytes of classification identification code and 4 bytes of signature.
  • The above method of generating the signature and the classification identification code also applies to executable modules whose security has not been determined.
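As an added example (not code from the patent or from its assignee), the following Python builds and parses the 8-byte executable module identifier just described: a 4-byte classification identification code (8-bit type code, 24-bit product name code) followed by the 4-byte signature (2-byte checksum, 2-byte length indication), applying the rule that for NE and LE modules only the DOS header and the NE or LE header enter the checksum. The page does not say which checksum algorithm is used, how the length is reduced to 2 bytes, or the byte order of the fields, so the 16-bit additive checksum, the length-modulo-65536 rule and the byte order below are assumptions, and the sample images are constructed. The `make_classification` check enforces the 8-bit and 24-bit field widths (an 8-bit field holds 256 distinct values).

```python
# Added example, not code from the patent: building and parsing the 8-byte
# executable module identifier. The layout (8-bit type code, 24-bit product name
# code, 2-byte checksum, 2-byte length indication) and the NE/LE header-only
# checksum rule come from the page; the 16-bit additive checksum, the
# "length modulo 65536" reduction and the byte order are assumptions.
import struct

NE_HEADER_LEN, LE_HEADER_LEN = 64, 196      # sizes of the fixed NE and LE/LX header structures


def detect_format(data: bytes) -> str:
    """Classify an image as COM, MZ, NE, LE or PE by looking at its headers."""
    if data[:2] != b"MZ":
        return "COM"                                      # no DOS header: flat COM image
    if len(data) < 0x40:
        return "MZ"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the "new" header
    new_hdr = data[e_lfanew:e_lfanew + 4]
    if new_hdr == b"PE\0\0":
        return "PE"
    if new_hdr[:2] == b"NE":
        return "NE"
    if new_hdr[:2] in (b"LE", b"LX"):
        return "LE"
    return "MZ"                                           # plain DOS executable


def checksum_region(data: bytes) -> bytes:
    """Bytes that take part in the checksum: the whole file, except DOS + NE/LE header for NE/LE."""
    fmt = detect_format(data)
    if fmt in ("NE", "LE"):
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        hdr_len = NE_HEADER_LEN if fmt == "NE" else LE_HEADER_LEN
        return data[:0x40] + data[e_lfanew:e_lfanew + hdr_len]
    return data


def checksum16(region: bytes) -> int:
    """Assumed checksum: 16-bit additive checksum (the patent leaves the algorithm open)."""
    return sum(region) & 0xFFFF


def make_signature(data: bytes) -> bytes:
    """4-byte signature = 2-byte checksum + 2-byte length indication (assumed: length mod 2^16)."""
    return struct.pack("<HH", checksum16(checksum_region(data)), len(data) & 0xFFFF)


def make_classification(type_code: int, product_code: int) -> bytes:
    """4-byte classification code: 8-bit type code followed by 24-bit product name code."""
    if not 0 <= type_code < (1 << 8) or not 0 <= product_code < (1 << 24):
        raise ValueError("type code is 8 bits, product name code is 24 bits")
    return struct.pack(">I", (type_code << 24) | product_code)


def make_identifier(data: bytes, type_code: int, product_code: int) -> bytes:
    """8-byte executable module identifier = classification code + signature."""
    return make_classification(type_code, product_code) + make_signature(data)


def parse_identifier(ident: bytes) -> dict:
    """Split an identifier back into its four fields."""
    if len(ident) != 8:
        raise ValueError("identifier must be 8 bytes")
    cls, = struct.unpack(">I", ident[:4])
    checksum, length = struct.unpack("<HH", ident[4:])
    return {"type_code": cls >> 24, "product_code": cls & 0xFFFFFF,
            "checksum": checksum, "length": length}


def sample_image(new_header: bytes, trailer: bytes) -> bytes:
    """Constructed test image: a 64-byte DOS header whose e_lfanew points at new_header."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + new_header + trailer


if __name__ == "__main__":
    pe = sample_image(b"PE\0\0", b"\x01" * 20)
    # Type code 00110000 (instant messaging) and product code 00000000 00000000 00110001 (the page's example).
    ident = make_identifier(pe, 0b00110000, 0b00110001)
    print(detect_format(pe), ident.hex(), parse_identifier(ident))
```

The NE test image shows why the format matters: bytes appended after the NE header change the whole-file checksum but not the signature, because only the DOS and NE headers are hashed for that format.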
  • On the first run, the current operating system version and the installed application software are scanned.
  • For the operating system, the signatures corresponding to that operating system version are downloaded directly;
  • for application software, the 4-byte signature of any executable module in the installation directory is calculated and looked up in the central server; if the central server has a product name code corresponding to the signature, all signatures corresponding to that product name code are downloaded and added to the local module signature database.
  • When an executable module is later run for the first time, its signatures are downloaded by the same method.
  • After the client is installed, the social zone, the system zone and the work zone are created on the client.
  • The system zone includes the operating system directory; on a Windows operating system this means the Windows or WINNT directory plus any other directory configured as a system directory.
  • The social zone includes a specified directory on each disk partition (the social zone directory, such as the HU119VMX directory in the root directory) and specified branches in the registry (the social zone branches, such as the HU119VMX branch).
  • The work zone includes all directories and registry entries outside the system zone and the social zone.
  • System attribute: when a process or thread runs, if the current directory of the process is in the system zone, it is marked as system attribute; a process or thread with system attribute may perform all operations.
  • Work attribute: when a process or thread runs, if the signatures of all loaded executable modules are in the local module signature database, no URL other than the secure URLs (which are supplied by the central server) has been accessed, and the current directory of the process is in neither the system zone nor the social zone, it is marked as work attribute.
  • A process or thread marked as work attribute may perform all operations on the system zone and the work zone; only processes with system attribute can access social zone information.
  • When a process or thread with work attribute accesses the operating system or file data, the operation is performed for real (it is not redirected).
  • Social attribute: when a process or thread runs, if the signature of any loaded executable module is not in the local module signature database, or a URL other than the secure URLs is accessed, or the current directory of the process is in the social zone, it is marked as social attribute. A process or thread marked as social attribute cannot see any information in the work zone except its current directory, and its registry and disk operations outside the social zone are redirected to the social zone branch and the social zone directory; the redirection is completely transparent to the process or thread.
  • The root directory of each partition is assigned a social zone directory, "/hu119vmx".
  • A process or thread is dynamically tagged with one of three running attributes: system attribute, work attribute or social attribute.
  • Processes or threads with different attributes have different access to client resources. A social attribute process or thread cannot see the work zone or other social zones, except its own current directory; a work attribute process or thread cannot see social zone information; a system attribute process or thread can do everything. In this way the data of the work zone and the social zone are isolated, a social attribute process or thread cannot actually modify any information outside the social zone, and the stability of the operating system is preserved.
  • The following example shows how a process or thread marked as social attribute accesses client resources:
  • A write operation to the registry is redirected to the fixed social zone branch corresponding to that registry hive; the placement of the social zone branches is described in the previous section.
  • For example, for a write under the system hive, the registry filter driver writes to \Registry\Machine\system\hu119vmx\testapp; for a write to the registry key \Registry\user\HKEY_CURRENT_USER\testapp, the registry filter driver writes to \Registry\user\HKEY_CURRENT_USER\hu119vmx\testapp.
  • The file filter driver implements the mutual invisibility of the work zone and the social zone; registry protection is implemented by the registry filter driver.
  • File and registry operations of processes or threads marked as social attribute can also be handled in other ways:
  • Installed programs are written into the social zone, so without a merge step a newly installed application would not be visible from the Start menu.
  • A system process performs the merge in memory by setting the corresponding Start menu entries (for example, the corresponding menu in the social zone), so that the operating system process can display the newly installed application on the Start menu; other special handling is done in the same way.
  • The protection process of the computer security protection client is as follows (for convenience, an executable module whose signature is recorded in the local module signature database is called a known module, and one whose signature is not recorded there is called an unknown module):
  • If the process's own file path is in the specified directory of the system zone and the parent process is not of social attribute, or the current process or thread is set to system attribute by another policy, the process or thread is marked as system attribute; a process or thread marked as system attribute may operate on all partitions.
  • Otherwise, the process or thread is marked as work attribute if all of the following hold: the signature of the process itself is in the local module signature database; the signatures of all loaded executable modules are in the local module signature database; no URL other than the secure URLs has been accessed; the process's own file path is not in the specified directory of the social zone; the process's own file path is not in the specified directory of the system zone; and the attribute of the parent process is not social.
  • A process or thread marked as work attribute may perform all operations on the system zone and the work zone but cannot view or modify social zone information; if the conditions do not all hold, the process or thread is marked as social attribute.
  • When a process or thread marked as work attribute generates a new executable module, the signature of that module is automatically added to the local module signature database.

Abstract

A method and a system for protecting computer safety are disclosed. The method involves generating a signature (characteristic code) and a classification code corresponding to each safe executable module, dividing the client machine into a social area, a system area and a working area, computing the signature of a process or thread when it runs on the client machine, and marking the process or thread with a working attribute or a social attribute according to whether its signature is known and whether websites other than the safe websites, or directories thereof, have been accessed, so that the process or thread obtains different rights to the resources of the client machine. The method enables the client computer to run unknown executable modules without relying on a virus database or software identification, and without damaging the data of the operating system or of application processes.

Description

Computer security protection method and system
Technical field
The invention relates to a computer security protection method and system.
Background art
To cope with the endless stream of viruses and Trojans, virus databases keep growing whether passive or active defence techniques are used, and even so the damage done to computer systems by unknown viruses and Trojans cannot be completely prevented. Because computer programs are diverse, complex and constantly changing, active defence can only identify some programs and cannot identify every program or module, so identification still relies on the virus database and on software behaviour, which gives unknown viruses an opportunity to intrude. Some literature reports building a trusted signature database and forbidding every unknown program on the client from running, but this cannot be achieved even in theory: it is impossible to guarantee that every module is known, so the approach has little practical significance.
Summary of the invention
The technical problem to be solved by the present invention is to provide a computer security protection method and system that allow unknown executable modules to be run without relying on a virus database or software behaviour recognition, and without damaging the operating system or the data of secure applications.
To solve the above technical problem, the technical solution of the present invention is as follows:
A computer security protection method includes the following steps:
generating, at a central server, a signature (feature code) and a classification identification code corresponding to each secure executable module, the classification identification code including a type code and a product name code;
establishing, on the client, a social zone, a system zone and a work zone, where the social zone (of which there may be one or several) includes a specified directory created on the client disk and a specified branch created in the registry, the system zone includes the operating system directory, and the work zone includes the directories and registry entries outside the system zone and the social zone;
when the client runs a process or thread, computing the signature of the process or thread; if it is being executed for the first time and there is no matching signature locally, querying the central server with that signature, and if the central server has a product name code corresponding to the signature, downloading all signatures corresponding to that product name code and adding them to the local module signature database;
for a process or thread run by the client, judging whether the following condition holds:
the process's own file path is in the specified directory of the system zone and the parent process is not of social attribute, or the current process or thread is set to system attribute by another policy; if so, the process or thread is marked as system attribute: a process or thread marked as system attribute may operate on all partitions;
for a process or thread run by the client, judging whether all of the following conditions hold:
the signature of the process itself is in the local module signature database;
the signatures of all loaded executable modules are in the local module signature database, and no URL other than the secure URLs has been accessed;
the process's own file path is not in the specified directory of the social zone;
the process's own file path is not in the specified directory of the system zone;
the attribute of the parent process is not social;
if all hold, the process or thread is marked as work attribute: a process or thread marked as work attribute may perform all operations on the system zone and the work zone but cannot view or modify social zone information; otherwise the process or thread is marked as social attribute: a process or thread marked as social attribute cannot see any information in the work zone except the directory in which it resides, and its registry and disk operations outside the social zone are redirected to the specified branch and specified directory of the social zone; furthermore, if there are several social zones, they are completely isolated from one another and none can see another's information.
The step of generating the signature corresponding to a secure executable module includes: determining the format of the executable module and calculating a checksum; and calculating a length indication of the executable module.
The computer security protection method may further include automatically adding to the local module signature database the signature of any new executable module generated by a process or thread marked as work attribute.
The computer security protection method may further include prohibiting a process or thread marked as social attribute from installing a driver whose module signature is unknown.
The computer security protection method may further include returning failure when a process or thread marked as social attribute attempts to install a global application hook.
The computer security protection method may further include returning failure when a process or thread marked as social attribute attempts remote thread injection;
The computer security protection method may further include prohibiting a process or thread marked as social attribute from terminating any process other than those marked as social attribute;
The computer security protection method may further include prohibiting a process or thread marked as social attribute from directly reading or writing the disk and memory;
The computer security protection method may further include prohibiting a process or thread marked as social attribute from editing operating system accounts, restarting or shutting down the machine, or formatting disks.
According to another aspect of the present invention, a computer security protection system is provided, including: a central server, which generates the signature and the classification identification code corresponding to each secure executable module, the classification identification code including a type code and a product name code;
a computer security protection client, which establishes a social zone, a system zone and a work zone on the client machine, the social zone including a specified directory created on the client disk and a specified branch created in the registry, the system zone including the operating system directory, and the work zone including the directories and registry entries outside the system zone and the social zone;
when the client runs a process or thread, the computer security protection client computes the signature of the process or thread; if it is being executed for the first time and there is no matching signature locally, it queries the central server with that signature, and if the central server has a product name code corresponding to the signature, it downloads all signatures corresponding to that product name code and adds them to the local module signature database;
for a process or thread run by the client, it judges whether the following condition holds:
the process's own file path is in the specified directory of the system zone and the parent process is not of social attribute, or the current process or thread is set to system attribute by another policy; if so, the process or thread is marked as system attribute: a process or thread marked as system attribute may operate on all partitions;
for a process or thread run by the client, the computer security protection client judges whether all of the following conditions hold:
the signature of the process itself is in the local module signature database;
the signatures of all loaded executable modules are in the local module signature database, and no URL other than the secure URLs has been accessed;
the process's own file path is not in the specified directory of the social zone;
the process's own file path is not in the specified directory of the system zone;
the attribute of the parent process is not social;
if all hold, the process or thread is marked as work attribute: a process or thread marked as work attribute may perform all operations on the system zone and the work zone but cannot view or modify social zone information; otherwise the process or thread is marked as social attribute: a process or thread marked as social attribute cannot see any information in the work zone except the directory in which it resides, and its registry and disk operations outside the social zone are redirected to the specified branch and specified directory of the social zone; furthermore, if there are several social zones, they are completely isolated from one another and none can see another's information.
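The attribute-marking rules of the two claims above, together with the zone access behaviour that follows from them (including the registry redirection into the hu119vmx branch and the HU119VMX partition directory described in the Definitions section), as an added Python model that is not the patent's own code. It assumes a user-mode simulation rather than file-system and registry filter drivers; the zone names HU119VMX / hu119vmx, the C:\Windows system directory and the two registry hive prefixes are taken from the page, while the signature values, the secure host, the process paths, and the rule that a social-attribute process reads the real system-zone file (rather than a redirected copy) are constructed assumptions.

```python
# Added example, not code from the patent: a user-mode model of the attribute
# marking rules (system / work / social) and of how the client mediates file and
# registry access for each attribute. Zone names and hive prefixes come from the
# page; signatures, hosts and paths are constructed, and the read-through rule
# for social-attribute reads is an assumption.
from dataclasses import dataclass
from pathlib import PureWindowsPath

SYSTEM, WORK, SOCIAL = "system", "work", "social"
SOCIAL_DIR = "HU119VMX"                            # social zone directory at each partition root
SOCIAL_BRANCH = "hu119vmx"                         # social zone registry branch
SYSTEM_DIRS = [PureWindowsPath(r"C:\Windows")]     # plus any directory configured as a system directory
SECURE_HOSTS = {"update.example.test"}             # constructed; supplied by the central server in the patent
LOCAL_SIGNATURES = {b"\x90\x01\x58\x00", b"\x10\x02\x00\x10"}   # constructed 4-byte signatures
REG_HIVES = (r"\Registry\Machine\system", r"\Registry\user\HKEY_CURRENT_USER")   # from the page's example


@dataclass
class Process:
    path: str                      # the process's own image file path
    signature: bytes               # 4-byte signature of the image
    module_signatures: list        # signatures of every loaded executable module
    accessed_hosts: set            # hosts contacted so far
    parent_attribute: str = WORK
    forced_system: bool = False    # "set as system attribute by another policy"


def _starts_with(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    return p[:len(r)] == r


def in_system_zone(path: PureWindowsPath) -> bool:
    return any(_starts_with(path, d) for d in SYSTEM_DIRS)


def in_social_zone(path: PureWindowsPath) -> bool:
    parts = path.parts
    return len(parts) >= 2 and parts[1].upper() == SOCIAL_DIR


def classify(p: Process) -> str:
    """Mark a process with exactly one running attribute, following the claimed rules."""
    own = PureWindowsPath(p.path)
    # System attribute: image in the system zone with a non-social parent, or forced by policy.
    if p.forced_system or (in_system_zone(own) and p.parent_attribute != SOCIAL):
        return SYSTEM
    # Work attribute: every condition must hold; anything else is social.
    known = p.signature in LOCAL_SIGNATURES and all(s in LOCAL_SIGNATURES for s in p.module_signatures)
    only_secure = p.accessed_hosts <= SECURE_HOSTS
    if (known and only_secure and not in_social_zone(own) and not in_system_zone(own)
            and p.parent_attribute != SOCIAL):
        return WORK
    return SOCIAL


def redirect_file(target: PureWindowsPath) -> PureWindowsPath:
    """Map a path outside the social zone to the social directory on the same partition."""
    return PureWindowsPath(target.anchor, SOCIAL_DIR, *target.parts[1:])


def resolve_file_access(attr: str, proc: Process, target: str, write: bool):
    """Return the path the operation really hits, or None when the target is invisible."""
    t = PureWindowsPath(target)
    if attr == SYSTEM:
        return str(t)                                  # may operate on all zones
    if attr == WORK:
        return None if in_social_zone(t) else str(t)   # cannot view or modify the social zone
    if in_social_zone(t):
        return str(t)                                  # social process inside its own zone
    if write:
        return str(redirect_file(t))                   # writes outside the social zone are redirected
    own_dir = PureWindowsPath(proc.path).parent
    visible = in_system_zone(t) or _starts_with(t, own_dir)
    return str(t) if visible else None                 # read-only view of system zone and own directory


def redirect_registry(key: str) -> str:
    """Insert the social branch directly under the hive prefix, as in the page's example."""
    for hive in REG_HIVES:
        if key.lower().startswith(hive.lower() + "\\"):
            rest = key[len(hive) + 1:]
            if rest.lower().startswith(SOCIAL_BRANCH + "\\"):
                return key                             # already inside the social branch
            return f"{hive}\\{SOCIAL_BRANCH}\\{rest}"
    raise ValueError("only the two hive prefixes from the page's example are modelled")


def resolve_registry_access(attr: str, key: str, write: bool):
    """Registry counterpart of resolve_file_access."""
    if attr == SYSTEM:
        return key
    in_branch = redirect_registry(key) == key
    if attr == WORK:
        return None if in_branch else key              # social branch invisible to work processes
    return redirect_registry(key) if write else key    # social: writes redirected, reads see the real key


if __name__ == "__main__":
    tool = Process(r"D:\Downloads\tool.exe", b"\xde\xad\xbe\xef", [], set())
    attr = classify(tool)                              # unknown signature -> social attribute
    print(attr, resolve_file_access(attr, tool, r"C:\Windows\System32\drivers\x.sys", write=True))
    print(resolve_registry_access(attr, r"\Registry\user\HKEY_CURRENT_USER\testapp", write=True))
```

The model makes the ordering of the claims visible: the system-attribute test runs first and short-circuits, and a known, well-behaved process whose parent is social, or whose image lives inside the system directory, still fails the work-attribute conditions and is sandboxed as social.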
The operating system directories can also be set manually through the software's window. For example, the Windows system directory is normally c:\windows, but c:\mydata can additionally be designated a system directory through the software, so that this directory becomes read-only for the social area.
The computer security protection method and system of the present invention divide the client's resources into a system area, a work area and a social area, and isolate the work area from the social area, and social areas from one another, by giving processes or threads marked with different running attributes different access rights to these three areas. The large number of unknown executable modules are marked with social attribute at run time; a process or thread marked with social attribute may only read the system area and its current directory, and all of its other operations outside the social area are redirected into the social area. Because it cannot see the work area or the other social areas, the data of the social area is isolated from the data of the work area and from the data of the other social areas, and operations that would damage the system are blocked. Consequently, even a large number of virus programs cannot damage the data of the system area, the work area or the other social areas, nor leak work-area data, which achieves the effect of completely containing viruses and Trojans.

BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a flowchart of the protection process of the computer security protection client of the present invention.

DETAILED DESCRIPTION

Preferred embodiments of the present invention are described in detail below with reference to the drawings, to enable a better understanding of its functions and features.

The computer security protection system of the present invention comprises a central server and a computer security protection client. The central server generates signatures corresponding to safe executable modules and collects them, as part of the executable module identifiers, into the central module signature database.
Executable module file formats include com, MZ, NE, LE and PE; the great majority of executable modules are in PE format. The corresponding signature is constructed as follows:

1. Compute the checksum:
for executable modules in com or MZ format, the checksum is generally computed over the whole file;
for executable modules in NE or LE format, the checksum is computed only over the DOS header and the corresponding NE or LE header;
for executable modules in PE format, the checksum is computed only over the DOS header and the corresponding PE header and section table.

2. Compute the length indication of the executable module: if the actual length of the executable module fits in 2 bytes, the actual length is used as the length indication; otherwise the actual length is divided by the 2-byte unsigned integer modulus and the 2-byte remainder is used as the length indication.

The checksum and the length indication are 2 bytes each; together they form the 4-byte signature of the executable module. For example, the signature of the executable module qq.exe is:
10110000 00000000 00000111 00000000
Those skilled in the art will understand that the signature may be constructed by other methods, provided that an executable module corresponds uniquely to its signature.

So that the central server can manage executable modules by category, and so that the computer security protection client can download only the signatures relevant to the current computer, the identifier of each executable module carries, in addition to the 4-byte signature, a 4-byte classification code generated by the central server. The classification code consists of a type code and a product name code.
Type code: 8 bits are allocated to the type code, giving 256 types, which is considered sufficient to classify executable modules. For example, 00110000 may denote the instant-messaging type.
Product name code: given the diversity of products, 24 bits are allocated within each type for the product name. For example, 00000000 00000000 00110001 may denote Tencent's instant-messaging product.
Each executable module identifier therefore contains 8 bytes: 4 bytes of classification code and 4 bytes of signature.
The above methods of generating the signature and the classification code apply equally to executable modules whose safety has not yet been determined.
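As an added worked example (not code from the patent or its applicant), the following Python builds the 4-byte signature and the 8-byte module identifier described above for a constructed sample image, and dispatches the checksum region by format. The text does not fix the checksum function, the NE and LE header sizes or the divisor for the length indication; the 16-bit additive checksum, the 64-byte NE header, the 196-byte LE header and the modulus 65536 used here are assumptions of this example, as is the sample PE layout.

```python
import struct

# Header sizes (bytes).  DOS, COFF and section-header sizes follow the PE
# specification; the NE and LE header sizes are assumptions for this example.
DOS_HEADER_SIZE = 64
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
NE_HEADER_SIZE = 64
LE_HEADER_SIZE = 196
LENGTH_MODULUS = 1 << 16   # assumed "2-byte unsigned integer" divisor


def checksum16(data: bytes) -> int:
    """16-bit additive checksum (assumed; the text does not name the algorithm)."""
    return sum(data) & 0xFFFF


def detect_format(image: bytes) -> str:
    """Classify an image as com, MZ, NE, LE or PE from its headers."""
    if image[:2] != b"MZ":
        return "com"                       # no DOS header: flat .com image
    if len(image) < DOS_HEADER_SIZE:
        return "MZ"
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    magic = image[e_lfanew:e_lfanew + 4]
    if magic == b"PE\0\0":
        return "PE"
    if magic[:2] == b"NE":
        return "NE"
    if magic[:2] in (b"LE", b"LX"):
        return "LE"
    return "MZ"                            # plain DOS MZ executable


def checksum_region(image: bytes) -> bytes:
    """The bytes the checksum covers for each format, as the text describes."""
    fmt = detect_format(image)
    if fmt in ("com", "MZ"):
        return image                       # whole file
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    dos_header = image[:DOS_HEADER_SIZE]
    if fmt == "NE":
        return dos_header + image[e_lfanew:e_lfanew + NE_HEADER_SIZE]
    if fmt == "LE":
        return dos_header + image[e_lfanew:e_lfanew + LE_HEADER_SIZE]
    # PE: DOS header + signature + COFF header + optional header + section table
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    end = e_lfanew + 4 + COFF_HEADER_SIZE + opt_size + num_sections * SECTION_HEADER_SIZE
    return dos_header + image[e_lfanew:end]


def length_indication(image: bytes) -> int:
    """Lengths that fit in 2 bytes are used as-is; longer ones are reduced
    modulo 2**16.  Both cases are the same operation."""
    return len(image) % LENGTH_MODULUS


def module_signature(image: bytes) -> bytes:
    """4-byte signature: 2-byte checksum followed by the 2-byte length indication."""
    return struct.pack("<HH", checksum16(checksum_region(image)), length_indication(image))


def module_identifier(image: bytes, type_code: int, product_code: int) -> bytes:
    """8-byte identifier: 4-byte classification code (8-bit type code followed
    by 24-bit product name code) and then the 4-byte signature."""
    if not (0 <= type_code < 1 << 8 and 0 <= product_code < 1 << 24):
        raise ValueError("type code is 8 bits, product name code is 24 bits")
    classification = (type_code << 24) | product_code
    return struct.pack(">I", classification) + module_signature(image)


def build_sample_pe(num_sections: int = 1, trailing: int = 0x200) -> bytes:
    """Constructed PE32 image for the demonstration (not a real program): DOS
    header, DOS stub, PE signature, COFF header, 224-byte optional header,
    section headers, then `trailing` filler bytes standing in for section data."""
    e_lfanew = 0x80
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    stub = bytes(e_lfanew - DOS_HEADER_SIZE)
    opt_size = 224
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, opt_size, 0x0102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x10B)          # PE32 magic
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i in range(num_sections)
    )
    return bytes(dos) + stub + b"PE\0\0" + coff + bytes(optional) + sections + bytes([0xCC]) * trailing


if __name__ == "__main__":
    sample = build_sample_pe()
    print(detect_format(sample), module_signature(sample).hex(),
          module_identifier(sample, 0b00110000, 0b00110001).hex())
```

Running the example with different `trailing` sizes shows the property a practitioner should keep in mind: for PE images the checksum covers only the headers and section table, so appending or rewriting section data changes the length half of the signature but not the checksum half, and two images with identical headers and the same length modulo 65536 share a signature regardless of their code. The 8-bit type code 00110000 and the 24-bit product name code 00000000 00000000 00110001 from the text map to the classification bytes 30 00 00 31.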
After the client is installed, on its first run it scans the current operating system version and the installed application software. For the operating system, the signatures corresponding to the operating system version are downloaded directly. For installed application software, the 4-byte signature of any executable module in the installation directory is computed and looked up on the central server; if the central server has a product name code corresponding to that signature, all signatures under that product name code are downloaded and added to the local module signature database. For application software installed later, the corresponding signatures are downloaded in the same way on first use. These signatures make up the local module signature database.

After the client is installed, the social area, the system area and the work area are set up on the client machine.

The system area consists of the operating system directories; on Windows this means the Windows or WINNT directory, plus any other directory designated as a system directory.

The social area consists of a designated directory on every disk partition, the social area directory, for example the HU119VMX directory under the root; on Windows it also includes all designated branches of the registry, the social area branches, for example the HU119VMX branch.

The work area consists of all directories and registry entries other than the system area and the social area.

System attribute: when a process or thread runs, if the process's current directory is in the system area it is marked with system attribute; a process or thread with system attribute may perform any operation.

Work attribute: when a process or thread runs, if the signatures of all loaded executable modules are in the local module signature database, no URL other than a safe URL (safe URLs are supplied by the central server) has been accessed, and the process's current directory is in neither the system area nor the social area, it is marked with work attribute. A process or thread marked with work attribute may perform all operations on the system area and the work area; social-area information is accessible to a process with system attribute but not to one with work attribute. Operating-system accesses and file-data operations by a process or thread with work attribute are real operations.

Social attribute: when a process or thread runs, if the signature of a loaded executable module is not in the local module signature database, or a URL other than a safe URL has been accessed, or the process's current directory is in the social area, it is marked with social attribute. A process or thread marked with social attribute sees nothing of the work area except its current directory, and its registry and disk operations outside the social area are virtual: they are redirected to the social area branch and the social area directory, transparently to the process or thread itself.
The following example describes how the social area is laid out in the registry. Any registry operation reaches the kernel with an operation path of one of only two forms:
\Registry\Machine\xxxxxx\xxxxxx, and
\Registry\USER\xxxxxx\xxxxxx.
The social area registry branch is always placed after the third path component:
\Registry\Machine\xxxxxx\hu119vmx\xxxxxx, and
\Registry\USER\xxxxxx\hu119vmx\xxxxxx.
So when a process or thread marked with social attribute modifies the registry key \Registry\Machine\system\testapp, the modification is actually made to \Registry\Machine\system\hu119vmx\testapp.

The following example describes how the social area is laid out on disk partitions. In the root directory of every file system partition a social area directory "\hu119vmx" is allocated.
Depending on the module signatures of the executable modules loaded by a process or thread, the way it requests web pages, and where its current directory lies, the process or thread is dynamically marked with one of three running attributes: system attribute, work attribute or social attribute. Processes or threads with different attributes have different rights to access client resources: a process or thread with social attribute sees nothing of the work area or of other social areas beyond its own current directory; a process or thread with work attribute cannot see social-area information; a process or thread with system attribute may do everything. This isolates work-area data from social-area data, and because a process or thread with social attribute cannot actually modify anything outside the social area, the stability of the operating system is preserved as well.

To let unknown programs run while ruling out any damage to the data of the system area and the work area, the rights of a process or thread marked with social attribute are set as follows:
a) installation of any driver whose module signature is unknown is prohibited;
b) global application hook calls return failure;
c) remote thread injection returns failure;
d) terminating any process other than one marked with social attribute is prohibited;
e) direct reads and writes of disk and memory are prohibited;
f) files of the work area cannot be accessed, other than those in the process's own directory;
g) all writes to registry keys and files outside the social area are redirected to the social area branch and the social area directory;
h) editing operating system accounts, restarting or shutting down the machine, and formatting disks are prohibited.
The following examples show how a process or thread marked with social attribute accesses client resources:
1. Writes to files outside the social area are all redirected into the social area directory of the current disk partition. For example, a write to c:\windows\system32\smon.dll is written by the file filter driver to c:\hu119vmx\windows\system32\smon.dll, and a write to d:\wtsoft\ss.dat is written to d:\hu119vmx\wtsoft\ss.dat.
2. For file reads, apart from the system area directories, the process can see only its own current path and the contents of the social area (hu119vmx) directory on each disk partition. When c:\windows\system32\smon.dll is read, the file filter driver first reads c:\hu119vmx\windows\system32\smon.dll and reads the real file c:\windows\system32\smon.dll only if that copy does not exist. When d:\wtsoft\ss.dat is read, the file filter driver reads d:\hu119vmx\wtsoft\ss.dat directly and, if that fails, returns failure, because processes and threads with social attribute are not allowed into the work area: if the corresponding file in the social area does not exist, the file is reported as non-existent.
3. Registry writes are all redirected to a fixed social area branch of the corresponding hive, laid out as described above. For example, a write to \Registry\Machine\system\testapp is written by the registry filter driver to \Registry\Machine\system\hu119vmx\testapp, and a write to \Registry\user\HKEY_CURRENT_USER\testapp is written to \Registry\user\HKEY_CURRENT_USER\hu119vmx\testapp.
4. For registry reads, for example of \Registry\Machine\system\testapp, the registry filter driver first reads \Registry\Machine\system\hu119vmx\testapp and, if that fails, reads the real location \Registry\Machine\system\testapp.
As the file and registry accesses above show, the file filter driver makes the work area invisible from the social area, and the registry filter driver protects the registry.
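The redirection rules in items 1 to 4 above, modelled as an added Python example rather than the patent's filter-driver code. The disk and the registry are stand-ins: one constructed in-memory dictionary keyed by lower-cased path holds both the real data and the social copies. The system directory list, the process's own directory and the class name SocialView are this example's own assumptions; the hu119vmx name is the one the text uses.

```python
from typing import Dict, Iterable, Optional

SOCIAL_NAME = "hu119vmx"   # social-area directory and registry branch name from the text


def redirect_file_path(path: str) -> str:
    """c:\\windows\\system32\\smon.dll -> c:\\hu119vmx\\windows\\system32\\smon.dll:
    the social directory sits in the root of the same partition."""
    drive, sep, rest = path.partition("\\")
    return f"{drive}{sep}{SOCIAL_NAME}\\{rest}"


def redirect_registry_path(key: str) -> str:
    """\\Registry\\Machine\\system\\testapp -> \\Registry\\Machine\\system\\hu119vmx\\testapp:
    the social branch is inserted after the third path component."""
    parts = key.split("\\")            # the leading backslash yields an empty first element
    return "\\".join(parts[:4] + [SOCIAL_NAME] + parts[4:])


def in_social_area(path: str) -> bool:
    parts = path.lower().split("\\")
    return len(parts) > 1 and parts[1] == SOCIAL_NAME


class SocialView:
    """What a process marked with social attribute sees of the client's files and
    registry.  `store` is the constructed backing store for real data and social copies."""

    def __init__(self, store: Dict[str, bytes], system_dirs: Iterable[str], own_dir: str):
        self.store = {k.lower(): v for k, v in store.items()}
        self.system_dirs = tuple(d.lower() for d in system_dirs)
        self.own_dir = own_dir.lower()

    # ---- files ----
    def write_file(self, path: str, data: bytes) -> str:
        """Writes outside the social area land in the social copy; the real file
        is never touched.  Returns the path actually written."""
        target = path if in_social_area(path) else redirect_file_path(path)
        self.store[target.lower()] = data
        return target

    def read_file(self, path: str) -> Optional[bytes]:
        """Social copy first.  Fall back to the real file only inside the system
        area or the process's own directory; the rest of the work area is
        reported as non-existent."""
        if in_social_area(path):
            return self.store.get(path.lower())
        social_copy = self.store.get(redirect_file_path(path).lower())
        if social_copy is not None:
            return social_copy
        p = path.lower()
        if p.startswith(self.system_dirs) or p.startswith(self.own_dir):
            return self.store.get(p)
        return None

    # ---- registry ----
    def write_key(self, key: str, value: bytes) -> str:
        """Every write goes to the social branch; the real key is unchanged."""
        target = redirect_registry_path(key)
        self.store[target.lower()] = value
        return target

    def read_key(self, key: str) -> Optional[bytes]:
        """Social branch first, then the real key (the text gives no work-area
        restriction for registry reads)."""
        social = self.store.get(redirect_registry_path(key).lower())
        return social if social is not None else self.store.get(key.lower())


if __name__ == "__main__":
    # Constructed sample disk and registry contents.
    view = SocialView({"c:\\windows\\system32\\smon.dll": b"real dll",
                       "d:\\wtsoft\\ss.dat": b"work-area secret"},
                      system_dirs=["c:\\windows"], own_dir="d:\\downloads\\app")
    print(view.write_file("c:\\windows\\system32\\smon.dll", b"patched"))
    print(view.read_file("c:\\windows\\system32\\smon.dll"), view.read_file("d:\\wtsoft\\ss.dat"))
```

The two read paths are deliberately different: a system-area file is read through its social shadow and falls back to the real file, so the process keeps working after it "modifies" a system DLL, while a work-area file with no social copy is reported as absent rather than denied, which is what keeps the work area invisible rather than merely protected.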
File and registry operations by processes or threads marked with social attribute can also be implemented in other ways:
Where the system has several disk partitions, instead of creating a social partition directory on every partition, a single directory or file can be designated and the operations of the different disk partitions carried out inside it; likewise the registry social area can be placed at different locations in the registry, or implemented as a separate file.
For an installation package run with social attribute, the programs it installs are all written into the social area, so without a merge step the newly installed application would not appear in the Start menu. In that case a system process merges, in memory, the directory backing the Start menu with the corresponding Start menu directory in the social area, so that the operating system process can show the newly installed application in the Start menu; other special cases are handled in the same way.
Referring to Figure 1, the protection process of the computer security protection client is as follows (for convenience, an executable module whose signature is recorded in the local module signature database is called a known module, and one whose signature is not recorded there an unknown module):

Starting a new process: first compute the 4-byte signature of the executable module, which is the signature of the process or thread. If this is its first execution and there is no matching signature locally, look the signature up on the central server; if the central server has a corresponding product name code, download all signatures under that product name code and add them to the local module signature database.

For a process or thread running on the client, determine whether the following holds:
the process's own file path is in a designated directory of the system area and the parent process does not have social attribute; or the current process or thread is set to system attribute automatically by some other policy. If so, the process or thread is marked with system attribute; a process or thread marked with system attribute may operate on all areas.

For a process or thread running on the client, determine whether all of the following conditions hold:
the signature of the process itself is in the local module signature database;
the signatures of all loaded executable modules are in the local module signature database;
no URL other than a safe URL has been accessed;
the process's own file path is not in a designated directory of the social area;
the process's own file path is not in a designated directory of the system area;
the parent process does not have social attribute.
If all hold, the process or thread is marked with work attribute: a process or thread marked with work attribute may perform all operations on the system area and the work area, but cannot view or modify social-area information. Otherwise the process or thread is marked with social attribute: a process or thread marked with social attribute sees nothing of the work area except the directory in which the process or thread itself resides, and its registry and disk operations outside the social area are redirected to the social area branch and the social area directory; moreover, if there are several social partitions, each is completely isolated from the others and none can see another's information.

For a new executable module produced by a process or thread marked with work attribute, the module's signature is automatically added to the local module signature database.
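The attribute decision of Figure 1, together with the three attribute definitions given earlier and the automatic trust of modules produced by work-attribute processes, written out as an added Python example (not the patent's client code). Signatures and the safe-URL list are constructed sets, the executable's path stands in for the process's "current directory", and the names ProcessInfo, ClientPolicy and record_new_module are this example's own. Because the attribute is dynamic, classify() is meant to be re-run whenever the process loads a module, spawns a child or requests a URL.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Set, Tuple

SYSTEM, WORK, SOCIAL = "system", "work", "social"
SOCIAL_NAME = "hu119vmx"      # social-area directory name from the text


@dataclass
class ProcessInfo:
    """Facts the client knows about one running process or thread."""
    exe_path: str
    exe_signature: bytes                       # 4-byte signature of the process image
    loaded_signatures: Tuple[bytes, ...]       # signatures of the loaded executable modules
    parent_attribute: str                      # attribute of the parent process
    visited_urls: Tuple[str, ...] = ()
    policy_forces_system: bool = False         # "set to system attribute by another policy"


class ClientPolicy:
    def __init__(self, local_signatures: Iterable[bytes], safe_urls: Iterable[str],
                 system_dirs: Iterable[str]):
        self.local_signatures: Set[bytes] = set(local_signatures)   # local module signature database
        self.safe_urls: FrozenSet[str] = frozenset(safe_urls)       # supplied by the central server
        self.system_dirs = tuple(d.lower() for d in system_dirs)

    def in_system_area(self, path: str) -> bool:
        return path.lower().startswith(self.system_dirs)

    def in_social_area(self, path: str) -> bool:
        parts = path.lower().split("\\")
        return len(parts) > 1 and parts[1] == SOCIAL_NAME

    def classify(self, p: ProcessInfo) -> str:
        # System attribute: image in the system area with a non-social parent,
        # or forced by another policy.
        if p.policy_forces_system or (self.in_system_area(p.exe_path)
                                      and p.parent_attribute != SOCIAL):
            return SYSTEM
        # Work attribute only if every condition holds; anything else is social.
        work_conditions = (
            p.exe_signature in self.local_signatures,
            all(s in self.local_signatures for s in p.loaded_signatures),
            all(u in self.safe_urls for u in p.visited_urls),
            not self.in_social_area(p.exe_path),
            not self.in_system_area(p.exe_path),
            p.parent_attribute != SOCIAL,
        )
        return WORK if all(work_conditions) else SOCIAL

    def record_new_module(self, producer: ProcessInfo, signature: bytes) -> bool:
        """A module written by a work-attribute process is trusted automatically;
        one written by a social-attribute process is not.  Returns whether it was added."""
        if self.classify(producer) != WORK:
            return False
        self.local_signatures.add(signature)
        return True


if __name__ == "__main__":
    # Constructed signatures and safe-URL list for the demonstration.
    known, unknown = b"\x01\x00\x02\x00", b"\xff\xff\xff\xff"
    policy = ClientPolicy([known], ["https://updates.example.test"], ["c:\\windows"])
    for proc in (ProcessInfo("c:\\windows\\explorer.exe", known, (), WORK),
                 ProcessInfo("d:\\apps\\qq.exe", known, (known,), SYSTEM),
                 ProcessInfo("d:\\apps\\qq.exe", known, (unknown,), SYSTEM)):
        print(proc.exe_path, "->", policy.classify(proc))
```

The order of the two checks matters: a system-area image launched by a social-attribute parent fails the system test and, because its path is in the system area, also fails the work test, so it runs as social. That is the rule that keeps a sandboxed program from escaping by starting a trusted system binary.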
Obviously, many modifications and variations of the present invention are possible in light of the above teaching, and within the scope of the appended claims the invention may be practised otherwise than as specifically described.

Claims
1. A computer security protection method, comprising the following steps:
(1-1) generating, at a central server, signatures and classification codes corresponding to safe executable modules, the classification code comprising a type code and a product name code;
(1-2) establishing on a client machine a social area, a system area and a work area, wherein the social area comprises designated directories created on the client's disks and designated branches created in the registry, the system area comprises the operating system directories, and the work area comprises the directories and registry entries other than the system area and the social area;
(1-3) when the client runs a process or thread, computing the signature of the process or thread and, if it is being executed for the first time and there is no matching signature locally, looking the signature up on the central server; if the central server has a product name code corresponding to the signature, downloading all signatures under that product name code and adding them to a local module signature database;
(1-4) for a process or thread running on the client, determining whether the following holds:
the process's own file path is in a designated directory of the system area and the parent process does not have social attribute; or the current process or thread is set to system attribute automatically by another policy; if so, marking the process or thread with system attribute, wherein a process or thread marked with system attribute may operate on all areas;
for a process or thread running on the client, determining whether all of the following conditions hold:
the signature of the process itself is in the local module signature database;
the signatures of all loaded executable modules are in the local module signature database;
no URL other than a safe URL has been accessed;
the process's own file path is not in a designated directory of the social area;
the process's own file path is not in a designated directory of the system area;
the parent process does not have social attribute;
if all hold, marking the process or thread with work attribute, wherein a process or thread marked with work attribute may perform all operations on the system area and the work area but cannot view or modify social-area information; otherwise marking the process or thread with social attribute, wherein a process or thread marked with social attribute sees nothing of the work area except the directory in which the process or thread resides, its registry and disk operations outside the social area are redirected to the designated branch and designated directory of the social area, and, if there are several social partitions, each is completely isolated from the others and none can see another's information.
2. The method of claim 1, wherein the step of generating signatures corresponding to safe executable modules comprises:
(2-1) determining the format of the executable module and computing a checksum:
if the executable module is in com or MZ format, computing the checksum over the whole file;
if the executable module is in NE or LE format, computing the checksum only over the DOS header and the corresponding NE or LE header;
if the executable module is in PE format, computing the checksum only over the DOS header and the corresponding PE header and section table;
(2-2) computing a length indication of the executable module:
if the actual length of the executable module fits in 2 bytes, using the actual length as the length indication of the executable module;
otherwise dividing the actual length by the 2-byte unsigned integer modulus to obtain a 2-byte remainder, and using the remainder as the length indication of the executable module.
3. The method of claim 1, further comprising automatically adding to the local module signature database the signature of any new executable module produced by a process or thread marked with work attribute.
4. The method of claim 1, further comprising prohibiting a process or thread marked with social attribute from installing a driver whose module signature is unknown.
5. The method of claim 1, further comprising returning failure when a process or thread marked with social attribute makes a global application hook call.
6. The method of claim 1, further comprising returning failure when a process or thread marked with social attribute performs remote thread injection.
7. The method of claim 1, further comprising prohibiting a process or thread marked with social attribute from terminating any process other than a process marked with social attribute.
8. The method of claim 1, further comprising prohibiting a process or thread marked with social attribute from directly reading or writing disk and memory, editing operating system accounts, restarting or shutting down the machine, and formatting disks.
9. A computer security protection system, comprising:
a central server, which generates signatures and classification codes corresponding to safe executable modules, the classification code comprising a type code and a product name code; and
a computer security protection client, which establishes on a client machine a social area, a system area and a work area, wherein the social area comprises designated directories created on the client's disks and designated branches created in the registry, the system area comprises the operating system directories and other designated directories, and the work area comprises the directories and registry entries other than the system area and the social area;
wherein, when the client runs a process or thread, the computer security protection client computes the signature of the process or thread and, if it is being executed for the first time and there is no matching signature locally, looks the signature up on the central server; if the central server has a product name code corresponding to the signature, it downloads all signatures under that product name code and adds them to a local module signature database;
for a process or thread running on the client, it determines whether the following holds:
the process's own file path is in a designated directory of the system area and the parent process does not have social attribute; or the current process or thread is set to system attribute automatically by another policy; if so, the process or thread is marked with system attribute, wherein a process or thread marked with system attribute may operate on all areas;
for a process or thread running on the client, the computer security protection client determines whether all of the following conditions hold:
the signature of the process itself is in the local module signature database;
the signatures of all loaded executable modules are in the local module signature database;
no URL other than a safe URL has been accessed;
the process's own file path is not in a designated directory of the social area;
the process's own file path is not in a designated directory of the system area;
the parent process does not have social attribute;
if all hold, the process or thread is marked with work attribute, wherein a process or thread marked with work attribute may perform all operations on the system area and the work area but cannot view or modify social-area information; otherwise the process or thread is marked with social attribute, wherein a process or thread marked with social attribute sees nothing of the work area except the directory in which the process or thread resides, its registry and disk operations outside the social area are redirected to the designated branch and designated directory of the social area, and, if there are several social partitions, each is completely isolated from the others and none can see another's information.
10. The system of claim 9, wherein the signature corresponding to a safe executable module comprises a checksum and a length indication of the executable module, where:
if the executable module is in COM or MZ format, the checksum is computed over the entire file;
if the executable module is in NE or LE format, the checksum is computed only over the DOS header and the corresponding NE header or LE header;
if the executable module is in PE format, the checksum is computed only over the DOS header and the corresponding PE header and section table;
if the actual length of the executable module does not exceed two bytes, that actual length is used as the length indication of the executable module;
otherwise, the actual length is divided by the two-byte unsigned integer range and the two-byte remainder is taken; that remainder is used as the length indication of the executable module.
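Claim 10 describes a format-dependent choice of which bytes feed the checksum, plus a two-byte length field. The Python below is an added example written for this page, not code from the patent or from any implementing product. It walks the MZ/PE/NE/LE headers to select the region the claim names, and it builds a constructed minimal PE image to exercise that logic. The claim does not name a checksum function, so CRC-32 is used as a stand-in (assumption); the `build_pe_sample` helper and its constants are constructed for the demonstration only.

```python
import struct
import zlib

DOS_HEADER_LEN = 0x40   # IMAGE_DOS_HEADER is 64 bytes; e_lfanew lives at offset 0x3C
NE_HEADER_LEN = 64      # fixed part of the NE header
LE_HEADER_LEN = 196     # fixed part of the LE/LX header


def signed_region(data: bytes):
    """Return (format, bytes to checksum) following the claim's per-format rule."""
    if len(data) < DOS_HEADER_LEN or data[:2] != b"MZ":
        # No MZ header: a flat .com image (or an unrecognised blob); the whole file is covered.
        return "com", data
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < DOS_HEADER_LEN or e_lfanew + 4 > len(data):
        return "mz", data                     # plain MZ executable: whole file
    magic = data[e_lfanew:e_lfanew + 4]
    dos_header = data[:DOS_HEADER_LEN]        # the DOS stub between the two headers is not covered
    if magic == b"PE\0\0":
        # COFF file header follows the 4-byte signature:
        #   +2 NumberOfSections (u16), +16 SizeOfOptionalHeader (u16)
        num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
        opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
        end = e_lfanew + 4 + 20 + opt_size + num_sections * 40   # section headers are 40 bytes each
        return "pe", dos_header + data[e_lfanew:min(end, len(data))]
    if magic[:2] == b"NE":
        return "ne", dos_header + data[e_lfanew:e_lfanew + NE_HEADER_LEN]
    if magic[:2] in (b"LE", b"LX"):
        return "le", dos_header + data[e_lfanew:e_lfanew + LE_HEADER_LEN]
    return "mz", data


def length_indication(actual_length: int) -> int:
    """Two-byte length field as in the claim: the length itself if it fits in
    two bytes, otherwise the remainder after dividing by the two-byte range."""
    if actual_length <= 0xFFFF:
        return actual_length
    return actual_length % 0x10000


def module_signature(data: bytes):
    """(format, checksum, length indication) for one executable module."""
    fmt, region = signed_region(data)
    checksum = zlib.crc32(region) & 0xFFFFFFFF   # CRC-32 as a stand-in checksum (assumption)
    return fmt, checksum, length_indication(len(data))


def build_pe_sample(section_payload: bytes, num_sections: int = 2) -> bytes:
    """Constructed minimal PE image: DOS header, empty stub, PE signature, COFF header,
    zeroed PE32 optional header, section table, then the raw section bytes."""
    dos = bytearray(DOS_HEADER_LEN)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)              # e_lfanew -> PE signature at 0x80
    stub = b"\0" * (0x80 - DOS_HEADER_LEN)
    coff = struct.pack("<HHIIIHH", 0x014C, num_sections, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    sections = b"".join(
        f".s{i}".encode().ljust(8, b"\0")
        + struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), len(section_payload),
                      0x400, 0, 0, 0, 0, 0x60000020)
        for i in range(num_sections)
    )
    return bytes(dos) + stub + b"PE\0\0" + coff + bytes(opt) + sections + section_payload


if __name__ == "__main__":
    original = build_pe_sample(b"\x90" * 1000)
    patched_body = build_pe_sample(b"\xCC" * 1000)        # same headers, different section bytes
    print(module_signature(original))
    print(module_signature(patched_body))
```

Running the demo shows the property a defender should note about this scheme: two PE images whose section bodies differ but whose DOS header, PE header and section table match produce the same checksum and the same length indication, so the signature as claimed only binds the header structure, not the code in the sections; a change to the section table (for example a different section count) does change it.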
11. The system of claim 9, wherein the computer security protection client automatically adds the signature of a new executable module generated by a process or thread marked with the work attribute to the local module signature library.
PCT/CN2011/001037 2010-09-14 2011-06-21 Method and system for protecting computer safety WO2012034349A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN 201010281207 CN101950339B (en) 2010-09-14 2010-09-14 Security protection method and system of computer
CN201010281207.2 2010-09-14

Publications (1)

Publication Number Publication Date
WO2012034349A1 true WO2012034349A1 (en) 2012-03-22

Family

ID=43453838

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/001037 WO2012034349A1 (en) 2010-09-14 2011-06-21 Method and system for protecting computer safety

Country Status (2)

Country Link
CN (1) CN101950339B (en)
WO (1) WO2012034349A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101950339B (en) * 2010-09-14 2012-01-25 上海置水软件技术有限公司 Security protection method and system of computer
CN102254112A (en) * 2011-06-13 2011-11-23 上海置水软件技术有限公司 Safe web browsing method
CN102945342B (en) * 2012-09-29 2015-08-05 北京奇虎科技有限公司 Progress recognizing method, device and terminal device
CN102982275A (en) * 2012-11-14 2013-03-20 北京奇虎科技有限公司 Security control method and device for running applications
CN103679024B (en) * 2013-11-19 2015-03-25 百度在线网络技术(北京)有限公司 Virus treating method and device
CN107122663B (en) * 2017-04-28 2021-04-02 北京梆梆安全科技有限公司 Injection attack detection method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1373425A (en) * 2001-03-05 2002-10-09 中国科学院计算技术研究所 Computer system with regional isolation by security classes
CN1766845A (en) * 2005-11-30 2006-05-03 吴晓栋 Method for realizing high security and recoverable file system
CN1900941A (en) * 2006-04-28 2007-01-24 傅玉生 Computer safety protective method based on software identity identifying technology
CN101950339A (en) * 2010-09-14 2011-01-19 上海置水软件技术有限公司 Security protection method and system of computer

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100481101C (en) * 2006-07-19 2009-04-22 谢朝霞 Method for computer safety start
CN101662467B (en) * 2009-09-27 2012-08-22 成都市华为赛门铁克科技有限公司 Scanning method and device thereof
CN101799751B (en) * 2009-12-02 2013-01-02 山东浪潮齐鲁软件产业股份有限公司 Method for building monitoring agent software of host machine

Also Published As

Publication number Publication date
CN101950339B (en) 2012-01-25
CN101950339A (en) 2011-01-19

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11824420

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11824420

Country of ref document: EP

Kind code of ref document: A1