WO2021036322A1 - Method and apparatus for preventing dynamic link library file hijacking, and computer device - Google Patents


Info

Publication number
WO2021036322A1
Authority
WO
WIPO (PCT)
Prior art keywords
dll file
driver
application
running
dll
Application number
PCT/CN2020/088014
Other languages
French (fr)
Chinese (zh)
Inventor
芦永胜 (Lu Yongsheng)
Original Assignee
深圳壹账通智能科技有限公司 (OneConnect Smart Technology Co., Ltd., Shenzhen)
Application filed by 深圳壹账通智能科技有限公司
Publication of WO2021036322A1

Classifications

    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/60 Protecting data › G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules › G06F21/6218 Protecting access to data via a platform to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems › G06F21/51 Monitoring at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/60 Protecting data › G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/60 Protecting data › G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Definitions

  • This application relates to the field of computer security technology, and in particular to a method, an apparatus and a computer device for preventing hijacking of dynamic link library (DLL) files.
  • DLL file hijacking generally targets system DLL files that an application must load, such as usp10.dll, ws2_32.dll and lpk.dll. It exploits the order in which the DLL search path is walked: the attacker drops a DLL carrying the same name as a system DLL into a directory that the application's loading sequence searches first, typically the application's own directory. The same-named DLL is usually a Trojan masquerading as the system DLL, so the application itself becomes the loader of malicious code.
  • If the same-named DLL file is not detected and removed in time, it is loaded in preference to the genuine system DLL when the application starts; the application is compromised and the system on which it runs is infected.
  • The inventor found that the existing way to prevent DLL file hijacking is generally to verify every DLL file that the application needs to load at start-up, remove any DLL file that fails verification, and only then start the program normally.
  • If dozens of DLL files have to be loaded to start the application, all of them are verified at every start. The verification is tedious and time-consuming, the start-up time of the application grows considerably, and the user experience is poor.
  • The main purpose of this application is to provide a method, an apparatus and a computer device for preventing hijacking of dynamic link library files, also applicable to the field of blockchain technology, which solve the technical problem that the verification in existing methods is cumbersome and time-consuming, greatly increases the start-up time of the application, and degrades the user experience.
  • This application proposes a method for preventing hijacking of a dynamic link library file.
  • The method includes the following steps: before the application is started for the first time, creating a driver corresponding to the application; judging whether a copy request for an external first DLL file into a designated directory of the application is received, the copy request taking the form of an I/O request; if the copy request is received, extracting the first name of the first DLL file from the copy request; reading a preset white list through the driver and judging whether the first name exists in the white list, a plurality of designated names being stored in the white list; if the first name exists in the white list, verifying the signature of the first DLL file according to a first preset rule to obtain a corresponding verification result; and processing the copy request according to the verification result.
  • This application also provides an apparatus for preventing hijacking of dynamic link library files, including: a creation module for creating a driver corresponding to the application before the application is started for the first time; a first judgment module for judging whether a copy request for an external first DLL file into the designated directory of the application is received, the copy request taking the form of an I/O request; an extraction module for extracting the first name of the first DLL file from the copy request if the copy request is received; a second judgment module for reading the preset white list through the driver and judging whether the first name exists in the white list, a plurality of designated names being stored in the white list; a verification module for verifying the signature of the first DLL file according to the first preset rule if the first name exists in the white list, to obtain a corresponding verification result; and a first processing module for processing the copy request according to the verification result.
  • This application also provides a computer device including one or more processors, a memory, and one or more computer programs stored in the memory and configured to be executed by the one or more processors, the one or more computer programs being configured to carry out the method for preventing hijacking of a dynamic link library file set out above.
  • This application also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method for preventing hijacking of a dynamic link library file set out above.
  • The method, apparatus, computer device and storage medium for preventing hijacking of dynamic link library files provided in this application improve the processing efficiency of copy requests, simplify the signature verification flow, and effectively prevent the DLL files of the application from being hijacked, which improves the security and stability of the application and also shortens its start-up time.
  • FIG. 1 is a schematic flowchart of a method for preventing hijacking of a dynamic link library file according to an embodiment of the present application;
  • FIG. 2 is a schematic structural diagram of an apparatus for preventing hijacking of dynamic link library files according to an embodiment of the present application;
  • FIG. 3 is a schematic structural diagram of a computer device according to an embodiment of the present application.
  • Referring to FIG. 1, the method for preventing hijacking of a dynamic link library file includes:
  • S1 Before the application is started for the first time, create a driver corresponding to the application;
  • S2 Judge whether a copy request for an external first DLL file into a designated directory of the application is received, the copy request taking the form of an I/O request;
  • S3 If the copy request is received, extract the first name of the first DLL file from the copy request;
  • S4 Read a preset white list through the driver, and determine whether the first name exists in the white list, where a plurality of designated names are stored in the white list;
  • S5 If the first name exists in the white list, verify the signature of the first DLL file according to a first preset rule to obtain a corresponding verification result;
  • S6 Process the copy request according to the verification result.
  • The execution subject of this embodiment is an apparatus for preventing hijacking of dynamic link library files, which may specifically be a Windows file system on which a driver is installed.
  • This embodiment has the driver created for the application verify the first DLL file, so the application does not have to verify all the DLL files it loads at start-up, which shortens its start-up time.
  • In step S1, a driver corresponding to the application is created first.
  • The driver is a filter driver, and it can be created at the same time as the application is installed.
  • The driver performs the anti-hijacking processing for the external first DLL file.
  • In steps S2 and S3, if a copy request is received, the first name of the first DLL file carried in the copy request is extracted.
  • The copy request is any request that would use the first DLL file to overwrite, add, modify or replace a DLL file in the application's directory, and it takes the form of an I/O (input/output) request.
  • An I/O request is generally packaged as an IRP (I/O Request Packet) and sent to the Windows file system for processing.
  • The IRP corresponding to the I/O request is not passed through directly. Instead, the first DLL file corresponding to the I/O request is verified first, and the verification begins by obtaining the first name of the first DLL file.
  • Specifically, the IRP corresponding to the I/O request is intercepted by the filter driver, and the IRP is parsed to obtain the first name corresponding to the first DLL file.
  • In step S4, the preset white list is read through the driver to determine whether the first name exists in the white list.
  • The designated directory may be the directory from which the application is currently loaded, that is, the installation directory of the application, or the system directory, and so on. The protection extends only to the directories the filter driver watches: a same-named DLL placed in any other directory that precedes the genuine one in the search order is not caught by this check.
  • A plurality of designated names are stored in the white list; these are the names of the DLL files whose signatures the application needs to have verified.
  • The first name is matched against all the designated names in the white list, and whether the first name exists in the white list is determined from the matching result. Since Windows file names are case-insensitive, the match must be case-insensitive as well, otherwise a file named WS2_32.DLL would not match an entry for ws2_32.dll.
  • If the first name does not exist in the white list, the first DLL file is a resource the application does not need, such as a Windows system DLL file forged by a virus or Trojan. The driver refuses to process the copy request, that is, it completes the IRP with a rejection status, so that the first DLL file cannot be copied into the designated directory, which effectively protects the application from damage.
  • A first DLL file that carries a risk of DLL hijacking can also be detected and removed. Specifically, the information of the first DLL file is uploaded to a server, and the server scans and removes the first DLL file. This ensures that the original file resources of the application are not modified, curbs the spread of DLL files that carry a hijacking risk, and effectively prevents the application from being damaged by resources of unknown origin.
  • If the first name exists in the white list, the first DLL file is a resource the application needs, but its signature still has to be verified.
  • In steps S5 and S6, to establish the legitimacy of the first DLL file, its signature is verified according to the first preset rule to obtain the verification result, and the copy request is processed according to that result.
  • The first preset rule selects the signature verification method according to the data source of the first DLL file.
  • The verification result is either that the first DLL file passes the verification or that it fails the verification.
  • Processing the copy request according to the verification result specifically includes the following. When the verification result is that the first DLL file passes, the copy request is a normal file operation and the first DLL file is a resource required by the application.
  • For example, the first DLL file is a file produced during an upgrade of the application.
  • Or the first DLL file is a file produced while the developer tests the application. In these cases the copy request is allowed to proceed, so that the update or test of the application can complete.
  • When the verification result is that the first DLL file fails, the copy request is an abnormal file operation, that is, the first DLL file is not a resource required by the application.
  • The first DLL file may then be a Trojan, a virus, or a file planted for DLL hijacking, and the copy request is refused, so that copying the first DLL file into the designated directory of the application cannot lead to DLL hijacking.
  • Since only a first DLL file whose name exists in the white list is signature-verified, DLL files outside the white list need no signature verification at all, which improves the processing efficiency of copy requests and simplifies the signature verification flow.
  • The signature verification of the first DLL file is carried out by the driver, that is, it is completed before the application starts, so the application does not have to verify the signature of every one of its DLL files at start-up, which shortens its start-up time.
  • In one embodiment, before step S4 the method further includes:
  • S400 Receive the designated names of a plurality of designated DLL files input by the user;
  • S401 Enter all the designated names into a pre-created first list;
  • S402 Encrypt the first list to obtain the white list.
  • Specifically, the method may include a step of creating the white list: the designated names input by the user are received, each designated name corresponding to one designated DLL file that is a resource required by the application. All the designated names are then entered into the pre-created first list, and the first list is encrypted to form the white list.
  • The corresponding secret key is sent to the driver, which decrypts the white list with the key in order to read the designated names it contains. Encryption hides the contents of the list but does not by itself prevent it from being altered; for the white list to be trusted against tampering, it also needs integrity protection (for example a signature over the list, or an authenticated encryption mode), and the key must not be readable by anyone who can already write to the application directory.
  • In one embodiment, step S5 includes:
  • S500 Obtain the resource source of the first DLL file, and determine whether the first DLL file is a resource issued by a third party;
  • S501 If the first DLL file is a resource issued by a third party, determine whether the first DLL file contains a corresponding agency signature certificate;
  • S502 If the first DLL file contains the agency signature certificate, obtain the latest certificate revocation list (CRL) of the certification authority corresponding to the agency signature certificate;
  • S503 Determine whether the certificate revocation list contains the agency signature certificate;
  • S504 If the agency signature certificate is not in the certificate revocation list, determine that the first DLL file passes the verification;
  • S505 If the agency signature certificate is in the certificate revocation list, determine that the first DLL file fails the verification.
  • The resource source of the first DLL file can be determined from whether the first DLL file carries a secondary signature: if a secondary signature is present, the first DLL file is not a resource issued by a third party; if no secondary signature is present, the first DLL file is a resource issued by a third party.
  • If the first DLL file is a resource issued by a third party, it is further judged whether the first DLL file contains a corresponding agency signature certificate.
  • For example, the agency signature certificate is a Microsoft certificate, that is, the first DLL file is digitally signed with a Microsoft certificate.
  • If the first DLL file contains the agency signature certificate, its legitimacy is established by judging the validity of the certificate. Specifically, the latest certificate revocation list (CRL) of the certification authority that issued the agency signature certificate is obtained, and it is checked whether the agency signature certificate appears in it. If it does not, the certificate has not been revoked, the first DLL file is determined to pass the verification, and the copy request for it is allowed to proceed. A CRL records only revocations: whether the certificate is still within its validity period is a separate check against the certificate's own validity dates (and, for code signing, the timestamp countersignature), and the signature on the file must verify against the certificate's public key before its revocation status means anything.
  • If the agency signature certificate appears in the certificate revocation list, it has been revoked, the first DLL file corresponding to it is an illegitimate third-party resource, and the first DLL file is determined to fail the verification. The copy request for the first DLL file is refused, so that copying it into the designated directory of the application cannot lead to DLL hijacking, which effectively ensures the security and stability of the application.
  • If a first DLL file that is a third-party resource does not contain an agency signature certificate, it is an illegitimate third-party resource. In this case the copy request for the first DLL file is refused directly, which effectively prevents copying the first DLL file into the designated directory of the application from causing DLL hijacking and ensures the security and stability of the application.
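The decision flow of steps S4 to S6 and the third-party branch of step S5 above, modelled in user-mode Python as an added example (this is not the patent's code, and a real implementation lives in a kernel filter driver). The copy request, the white list, the certificate records and the CRL are constructed here; the field names (source_path, has_secondary_signature, agency_cert and so on) are assumptions standing in for the IRP fields and the CA's real CRL. The developer-signature branch is passed in as a callable so this block stays independent of the hash-and-sign example further down.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Optional, Set, Tuple
import ntpath

ALLOW, DENY = "allow", "deny"


@dataclass
class AgencyCert:
    """The agency signature certificate on a third-party DLL (constructed fields)."""
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass
class CopyRequest:
    """Stands in for the intercepted IRP; the field names are assumptions."""
    source_path: str                        # path of the external first DLL file
    target_dir: str                         # the application's designated directory
    has_secondary_signature: bool = False   # present => developer-released (S500)
    agency_cert: Optional[AgencyCert] = None


def dll_name(req: CopyRequest) -> str:
    """S3: extract the first name. Windows file names are case-insensitive,
    so normalise before matching against the white list."""
    return ntpath.basename(req.source_path).lower()


def decide(req: CopyRequest, whitelist: Set[str], crl: Dict[str, Set[int]],
           now: datetime, verify_developer_sig: Callable[[CopyRequest], bool]) -> Tuple[str, str]:
    """S4 to S6: white-list gate, then the source-dependent signature check."""
    name = dll_name(req)
    if name not in whitelist:                        # S4: not needed by the application
        return DENY, f"{name}: not in white list"
    if req.has_secondary_signature:                  # S500: developer-released resource
        ok = verify_developer_sig(req)
        return (ALLOW if ok else DENY), f"{name}: developer signature {'ok' if ok else 'invalid'}"
    cert = req.agency_cert                           # S501: third-party resource
    if cert is None:
        return DENY, f"{name}: third-party DLL without agency certificate"
    # A CRL lists only revoked serials; expiry is a separate check, so do it first.
    if not (cert.not_before <= now <= cert.not_after):
        return DENY, f"{name}: agency certificate outside its validity period"
    if cert.serial in crl.get(cert.issuer, set()):   # S502, S503, S505
        return DENY, f"{name}: agency certificate {cert.serial:#x} revoked"
    return ALLOW, f"{name}: agency certificate valid and not revoked"   # S504


# --- constructed sample data --------------------------------------------------
WHITELIST = {"ws2_32.dll", "usp10.dll", "lpk.dll"}          # stored lower-case
CRL = {"Example Code Signing CA": {0x1234}}                  # issuer -> revoked serials
NOW = datetime(2020, 5, 1, tzinfo=timezone.utc)
APP_DIR = r"C:\Program Files\ExampleApp"


def _cert(serial: int, not_after_year: int = 2022) -> AgencyCert:
    return AgencyCert("Example Code Signing CA", serial,
                      datetime(2019, 1, 1, tzinfo=timezone.utc),
                      datetime(not_after_year, 1, 1, tzinfo=timezone.utc))


SAMPLE_REQUESTS = [
    CopyRequest(r"C:\Users\Public\drop\WS2_32.DLL", APP_DIR),                     # no certificate
    CopyRequest(r"D:\update\ws2_32.dll", APP_DIR, agency_cert=_cert(0x5555)),      # valid third-party
    CopyRequest(r"D:\update\lpk.dll", APP_DIR, agency_cert=_cert(0x1234)),         # revoked serial
    CopyRequest(r"D:\update\usp10.dll", APP_DIR, agency_cert=_cert(0x7777, 2020)), # expired
    CopyRequest(r"D:\build\usp10.dll", APP_DIR, has_secondary_signature=True),     # developer-signed
    CopyRequest(r"D:\build\evil.dll", APP_DIR, has_secondary_signature=True),      # not whitelisted
]


def run_samples(verify_developer_sig: Callable[[CopyRequest], bool] = lambda req: True):
    """Verdict for each constructed request, in order."""
    return [decide(r, WHITELIST, CRL, NOW, verify_developer_sig)[0] for r in SAMPLE_REQUESTS]
```

The first request is the textbook hijack: a same-named copy of ws2_32.dll, in upper case, with no signature at all; it is denied on the certificate check, and would also be denied on the white-list check if the list were compared case-sensitively. The fourth request shows why the validity window is checked before the CRL lookup: an expired certificate is never listed in a CRL, so a CRL-only check would let it through.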
  • In one embodiment, when the first DLL file is not a resource issued by a third party, step S5 includes:
  • S507 Use the public key pre-stored in the driver to check the first digital signature and obtain the first hash value it commits to;
  • S508 Compute the hash of the body content of the first DLL file to obtain a second hash value;
  • S509 Determine whether the first hash value is the same as the second hash value.
  • When the first DLL file is not a resource issued by a third party, a signature verification method different from the one used for third-party resources has to be adopted.
  • A first DLL file that is not a third-party resource is a resource signed and released by the developer, but such a resource cannot be assumed to be entirely safe, since the first DLL file may have been tampered with after release, so its signature also has to be verified to establish the legitimacy of the DLL.
  • The signing process is as follows: a hash algorithm is applied to the first DLL file to obtain a digital fingerprint; a public/private key pair is generated with the elliptic curve digital signature algorithm (ECDSA); the digital fingerprint is signed with the private key to obtain the first digital signature; the first digital signature is written into the resource section of the first DLL file; and the public key is stored in the driver. Strictly, an ECDSA signature does not "encrypt" the fingerprint and verification does not recover it (only an RSA signature with message recovery yields the hash); the verifier recomputes the hash of the body and checks the signature against it with the public key, and S507 to S509 should be read as that operation.
  • The driver computes the hash of the body content of the first DLL file, excluding the bytes that hold the stored signature, to obtain the second hash value, and compares the first hash value with the second. If they are the same, the first digital signature verifies, the first DLL file is legitimate and has not been tampered with, it is determined to pass the verification, and the copy request for it is allowed to proceed. If they differ, the first digital signature fails to verify and the first DLL file is illegitimate.
  • The first DLL file is then determined to fail the verification, and the copy request for it is refused, so that copying the first DLL file into the designated directory of the application cannot lead to DLL hijacking, which effectively ensures the security and stability of the application.
  • In one embodiment, after step S6 the method further includes:
  • S601 Obtain the running data generated while the application runs, and evaluate the running data according to a second preset rule to obtain a corresponding evaluation result, where the evaluation result is either that the driver is compatible with the application or that the driver is not compatible with the application.
  • Installing the driver corresponding to the application can be regarded as an upgrade of the application, and this upgrade carries the risk of defects or errors; for example, the driver may turn out to be incompatible with the application. An incompatible driver may disturb the normal operation of the application or some of its functions. This embodiment therefore further verifies the compatibility of the two, so that the normal operation of the application is not disturbed. Specifically, after the copy request has been processed, the application is run, the running data it generates is obtained, and the running data is evaluated according to the second preset rule to obtain the evaluation result.
  • The evaluation of the running data according to the second preset rule may use several methods.
  • The evaluation may analyse the running log of the application; or it may examine the running processes of the application, for example by analysing the process identifiers (PIDs) of the application; or it may analyse the database data of the application.
  • The database data includes user data, and/or default data, and/or data such as configuration files.
  • The evaluation result is either that the driver is compatible with the application or that the driver is incompatible with the application.
  • If the evaluation result is that the driver is compatible with the application, installing the driver does not affect the normal operation of the application, and no further processing of the application or the driver is performed.
  • If the evaluation result is that the driver is incompatible with the application, the application or the driver is processed accordingly.
  • Evaluating the compatibility of the created driver with the application to obtain the evaluation result makes it possible to process the application or the driver accordingly afterwards, which effectively ensures the normal operation of the application.
  • In one embodiment, the running data includes a running log, and step S601 includes:
  • S6011 Determine whether the running log contains error data and/or abnormal data.
  • The running data may be a running log, which specifically records the current running environment of the application, the CPU and memory, and the operating system state. This embodiment first obtains the running log generated while the application runs, the running log being stored as a file, and then determines whether error data and/or abnormal data appear in it. If they do, the application has become unstable after the upgrade that installed the driver.
  • By judging whether error data and/or abnormal data appear in the running log generated after the application starts, this embodiment detects the running state of the application after the upgrade that installed the driver, and quickly derives the corresponding evaluation result from that state.
  • In one embodiment, the running data includes the process identifiers of the running processes, and step S601 includes:
  • S6015 Determine whether the PID of a designated running process has changed within a first preset time period, where the designated running process is one or more of all the running processes.
  • Once started, the application consists of multiple running processes, and the operating system assigns each of them a process identifier (PID), a unique identification number. When a designated running process changes, for example it disappears or its PID changes, it can be determined that the designated running process has crashed, and hence that the application to which it belongs has a problem or malfunction.
  • The running data may therefore be the PIDs of the running processes. The PIDs of all running processes belonging to the application are first acquired, and it is then determined whether the PID of a designated running process has changed within the first preset time period, the designated running process being one or more of all the running processes.
  • Specifically, the designated running processes are resident processes among all the running processes. If the PID of a designated running process has changed, that is, the PID of a resident process has changed or the process has disappeared, the application is abnormal and cannot run normally, so it is determined that the driver is not compatible with the application; that is, the evaluation result is that the driver is not compatible with the application. A changed PID by itself shows only that the process was restarted; correlating it with the running log tells a crash from a planned restart.
  • The first preset time period can be set according to actual needs, for example to 5 minutes, and is not specifically limited here.
  • If the PIDs of the designated running processes do not change, the application still runs normally after the driver has been installed, and it is determined that the driver is compatible with the application; that is, the evaluation result is that the driver is compatible with the application.
  • By judging whether the PIDs of the running processes belonging to the application have changed within the preset time period, this embodiment detects the running state of the application after the driver has been installed and derives the corresponding evaluation result from that state.
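The compatibility evaluation of steps S6011 and S6015 above, as an added example that is not the patent's code. Both inputs are constructed: a few running-log lines, and a sequence of snapshots (process name to PID) taken once a minute over the 5-minute window. In a deployment the log would come from the application's log file and the snapshots from enumerating the application's processes; the marker words in ERROR_PATTERN are an assumption standing in for the application's own log levels.

```python
import re
from typing import Dict, Iterable, List, Sequence, Tuple

COMPATIBLE, INCOMPATIBLE = "compatible", "incompatible"
# Hypothetical marker words for "error data and/or abnormal data" in the running log.
ERROR_PATTERN = re.compile(r"\b(ERROR|FATAL|EXCEPTION|ABNORMAL)\b", re.IGNORECASE)


def log_errors(lines: Iterable[str]) -> List[str]:
    """S6011: the running-log lines that count as error or abnormal data."""
    return [line for line in lines if ERROR_PATTERN.search(line)]


def pid_changes(snapshots: Sequence[Dict[str, int]], designated: Iterable[str]) -> List[str]:
    """S6015: for each designated resident process, report whether it disappeared
    or came back under a different PID during the observation window."""
    findings = []
    baseline = snapshots[0]
    for name in designated:
        if name not in baseline:
            findings.append(f"{name}: not running at the start of the window")
            continue
        for i, snap in enumerate(snapshots[1:], start=1):
            if name not in snap:
                findings.append(f"{name}: disappeared at sample {i}")
                break
            if snap[name] != baseline[name]:
                # A new PID proves a restart, not its cause; the log findings
                # are what distinguish a crash from a planned restart.
                findings.append(f"{name}: PID {baseline[name]} -> {snap[name]} at sample {i}")
                break
    return findings


def evaluate(log_lines: Iterable[str], snapshots: Sequence[Dict[str, int]],
             designated: Iterable[str]) -> Tuple[str, List[str]]:
    """Second preset rule: any error data or any resident-PID change => incompatible."""
    findings = log_errors(log_lines) + pid_changes(snapshots, designated)
    return (INCOMPATIBLE if findings else COMPATIBLE), findings


# --- constructed sample data: one run after the filter driver was installed ----
SAMPLE_LOG = [
    "2020-05-01 09:00:01 INFO  app_main   started, build 3.2.1",
    "2020-05-01 09:00:02 INFO  app_main   loaded ws2_32.dll from C:\\Windows\\System32",
    "2020-05-01 09:01:15 ERROR app_helper CreateFile on plugins\\render.dll failed (access denied)",
    "2020-05-01 09:01:16 INFO  app_main   helper exited, restarting",
]
DESIGNATED = ["app_main.exe", "app_helper.exe"]        # the application's resident processes
SAMPLE_SNAPSHOTS = [                                   # name -> PID, one sample per minute
    {"app_main.exe": 4120, "app_helper.exe": 4188},
    {"app_main.exe": 4120, "app_helper.exe": 4188},
    {"app_main.exe": 4120, "app_helper.exe": 5302},    # helper came back under a new PID
    {"app_main.exe": 4120, "app_helper.exe": 5302},
    {"app_main.exe": 4120, "app_helper.exe": 5302},
]
CLEAN_LOG = [line for line in SAMPLE_LOG if "ERROR" not in line]
CLEAN_SNAPSHOTS = [SAMPLE_SNAPSHOTS[0]] * 5


def run_sample() -> Tuple[str, List[str]]:
    """The constructed run: one error line plus one restarted resident process."""
    return evaluate(SAMPLE_LOG, SAMPLE_SNAPSHOTS, DESIGNATED)


def run_clean() -> Tuple[str, List[str]]:
    """The same application with no error lines and stable PIDs."""
    return evaluate(CLEAN_LOG, CLEAN_SNAPSHOTS, DESIGNATED)
```

In the constructed run the two signals corroborate each other: the helper logged an access-denied error on a DLL write and then reappeared with a new PID, which is exactly the pattern an over-broad filter rule would produce. `run_clean()` returns `("compatible", [])`.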
  • an embodiment of the present application also provides a device for preventing hijacking of dynamic link library files, including:
  • the creation module 1 is used to create a driver corresponding to the application before starting the application for the first time;
  • the first judgment module 2 is used to judge whether a copy request from an external first DLL (Dynamic Link Library) file to the specified directory of the application program is received, wherein the form of the copy request is an I/O request;
  • DLL Dynamic Link Library
  • the extraction module 3 is configured to extract the first name of the first DLL file if the copy request is received;
  • the second judgment module 4 is configured to read a preset white list through the driver, and determine whether the first name exists in the white list, wherein the white list stores a plurality of designated names;
  • the verification module 5 is configured to verify and sign the first DLL file according to a first preset rule if the first name exists in the white list, to obtain a corresponding verification result;
  • the first processing module 6 is configured to perform corresponding processing on the copy request according to the verification result.
  • the implementation process of the functions and roles of the creation module, the first judgment module, the extraction module, the second judgment module, the verification module and the first processing module in the above-mentioned device for preventing the hijacking of dynamic link library files is detailed in The implementation process of corresponding steps S1-S6 in the above method for preventing the hijacking of dynamic link library files will not be repeated here.
  • the above-mentioned device for preventing hijacking of dynamic link library files includes:
  • the receiving module is used to receive the designated names corresponding to multiple designated DLL files input by the user;
  • the input module is used to input all the specified names into the pre-created first list;
  • the encryption module is used to perform encryption processing on the first list to obtain the white list.
  • for the implementation of the functions of the receiving module, input module and encryption module in the device for preventing hijacking of dynamic link library files, refer to the corresponding steps S400-S402 in the method for preventing hijacking of dynamic link library files; it is not repeated here.
  • the above-mentioned verification module includes:
  • the first obtaining unit is configured to obtain the resource source of the first DLL file, and determine whether the first DLL file is a resource issued by a third party;
  • the first judgment unit is configured to judge whether the first DLL file contains a corresponding agency signature certificate if the first DLL file is a resource issued by a third party;
  • the second obtaining unit is configured to obtain the latest version of the certificate revocation list of the certification authority corresponding to the agency signature certificate if the first DLL file contains the agency signature certificate;
  • the second judgment unit is configured to judge whether the certificate revocation list contains the agency signature certificate;
  • the first determining unit is configured to determine that the first DLL file passes the verification if the agency signature certificate is not included in the certificate revocation list;
  • the second determining unit is configured to determine that the first DLL file fails the verification if the agency signature certificate is included in the certificate revocation list.
  • for the implementation of the functions of the first acquisition unit, the first judgment unit, the second acquisition unit, the second judgment unit, the first determining unit and the second determining unit included in the verification module in the device for preventing hijacking of dynamic link library files, refer to the implementation of the corresponding steps S500-S505 in the above method for preventing the hijacking of dynamic link library files; it is not repeated here.
  • the above-mentioned verification module includes:
  • an extracting unit configured to extract the first digital signature of the first DLL file if the first DLL file is not a resource issued by a third party;
  • a calling unit configured to call a public key pre-stored in the driver to decrypt the first digital signature to obtain a first hash value;
  • a calculation unit configured to perform a hash calculation on the text content of the first DLL file to obtain a second hash value;
  • a third judgment unit configured to judge whether the first hash value and the second hash value are the same;
  • a third determining unit configured to determine that the first DLL file passes the verification if the first hash value is the same as the second hash value;
  • a fourth determining unit configured to determine that the first DLL file fails the verification if the first hash value is not the same as the second hash value.
  • for the implementation of the functions of the extracting unit, the calling unit, the calculation unit, the third judgment unit, the third determining unit and the fourth determining unit included in the verification module in the above-mentioned device for preventing the hijacking of dynamic link library files, refer to the implementation of the corresponding steps S506-S511 in the above method for preventing hijacking of dynamic link library files; it is not repeated here.
  • the device for preventing dynamic link library file hijacking includes:
  • the running module is used to run the application program;
  • the evaluation module is used to obtain the operating data generated while the application program runs, and to evaluate the operating data according to a second preset rule to obtain a corresponding evaluation result, wherein the evaluation result is either that the driver is compatible with the application program or that the driver is incompatible with the application program;
  • the second processing module is configured to perform corresponding processing on the driver or the application program according to the evaluation result.
  • for the implementation of the functions of the running module, the evaluation module and the second processing module in the device for preventing hijacking of dynamic link library files, refer to the corresponding steps S600-S602 in the method for preventing hijacking of dynamic link library files; it is not repeated here.
  • the operation data includes an operation log;
  • the above evaluation module includes:
  • the third obtaining unit is configured to obtain the running log generated while the application program runs;
  • the fourth judgment unit is used to judge whether there is error data and/or abnormal data in the running log;
  • the fifth determining unit is configured to determine that the driver is not compatible with the application program if so;
  • the sixth determining unit is configured to determine that the driver is compatible with the application program if not.
  • for the implementation of the functions of the third acquisition unit, the fourth judgment unit, the fifth determining unit and the sixth determining unit included in the evaluation module in the above-mentioned device for preventing the hijacking of dynamic link library files, refer to the implementation of the corresponding steps S6010-S6013 in the above method for preventing the hijacking of dynamic link library files; it is not repeated here.
  • the running data includes the process identifier of the running process;
  • the above evaluation module includes:
  • the fourth acquiring unit is used to acquire PIDs (process identifiers) of all running processes corresponding to the application program;
  • the fifth judgment unit is used to judge whether the PID of the designated running process has changed within the first preset time period, wherein the designated running process is one or more running processes among all the running processes;
  • the seventh determining unit is configured to determine that the driver is not compatible with the application program if so;
  • the eighth determining unit is configured to determine that the driver is compatible with the application program if not.
  • for the implementation of the functions of the fourth acquisition unit, the fifth judgment unit, the seventh determining unit and the eighth determining unit included in the evaluation module in the above-mentioned device for preventing the hijacking of dynamic link library files, refer to the implementation of the corresponding steps S6014-S6017 in the above method for preventing the hijacking of dynamic link library files; it is not repeated here.
  • an embodiment of the present application also provides a computer device.
  • the computer device may be a server, and its internal structure may be as shown in FIG. 3.
  • the computer device includes a processor, a memory, a network interface and a database connected through a system bus, wherein the processor of the computer device is used to provide calculation and control capabilities.
  • the memory of the computer device includes a non-volatile storage medium and an internal memory.
  • the non-volatile storage medium stores an operating system, a computer program, and a database.
  • the internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage medium.
  • the database of the computer device is used to store data such as copy requests and whitelists.
  • the network interface of the computer device is used to communicate with an external terminal through a network connection.
  • the steps of the method for preventing the hijacking of a dynamic link library file are: before starting the application for the first time, create a driver corresponding to the application; determine whether a copy request from an external first DLL file to the specified directory of the application is received, wherein the copy request takes the form of an I/O request; if the copy request is received, extract the first name of the first DLL file from the copy request; read the preset white list through the driver and determine whether the first name exists in the white list, wherein multiple designated names are stored in the white list; if the first name exists in the white list, verify the signature of the first DLL file according to the first preset rule to obtain the corresponding verification result; and perform corresponding processing on the copy request according to the verification result.
  • FIG. 3 is only a block diagram of a part of the structure related to the solution of the present application, and does not constitute a limitation on the devices and computer equipment to which the solution of the present application is applied.
  • An embodiment of the present application also provides a computer-readable storage medium.
  • the storage medium is a volatile storage medium or a non-volatile storage medium, and a computer program is stored thereon.
  • the computer program is executed by one or more processors and, when executed, causes the one or more processors to implement the steps of the embodiment of the method for preventing dynamic link library file hijacking, wherein the method for preventing dynamic link library file hijacking is specifically: before starting the application for the first time, create a driver corresponding to the application; determine whether a copy request from an external first DLL file to the specified directory of the application is received, wherein the copy request takes the form of an I/O request; if the copy request is received, extract the first name of the first DLL file from the copy request; read the preset white list through the driver and determine whether the first name exists in the white list, wherein multiple designated names are stored in the white list; if the first name exists in the white list, the first DLL file is verified and signed according to
  • the method, device and computer equipment for preventing the hijacking of dynamic link library files create a driver corresponding to the application before starting the application for the first time; determine whether a copy request sent by an external first DLL file to the specified directory of the application is received, wherein the copy request takes the form of an I/O request; if the copy request is received, extract the first name of the first DLL file from the copy request; read the preset white list through the driver and determine whether the first name exists in the white list, wherein a plurality of designated names are stored in the white list; if the first name exists in the white list, verify the signature of the first DLL file according to the first preset rule to obtain the corresponding verification result; and process the copy request accordingly according to the verification result.
  • in this application, the signature of the first DLL file is verified only when its first name exists in the white list, so DLL files that are not in the white list need not be verified, which effectively improves the processing efficiency of copy requests and simplifies the signature verification flow. Only after the first DLL file has passed signature verification can the copy request be processed, which effectively prevents the DLL files in the application from being hijacked and improves the security and stability of the application.
  • the signature verification of the first DLL file is performed by the driver, that is, it is completed before the application is started, so the application does not need to verify the signature of every internal DLL file at start-up, which effectively improves the start-up speed of the application.
  • Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory.
  • Volatile memory may include random access memory (RAM) or external cache memory.
  • RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), dual-rate SDRAM (SSRSDRAM), enhanced SDRAM (ESDRAM), synchronous Link (Synchlink) DRAM (SLDRAM), memory bus (Rambus) direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM), etc.
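The evaluation module described in the list above (steps S600-S602 and S6010-S6017) is the part of the scheme a practitioner most often has to tune, because a filter driver that misbehaves shows up either as error or abnormal data in the application's run log or as application processes whose PIDs change within the preset period. The following Python is an added illustration of that second preset rule and is not code from the patent or its assignee: the log format, level names, abnormal-data markers, image names and PIDs are constructed sample data, and treating a log line the parser cannot read as abnormal data is an assumption the patent does not make.

```python
import re
from typing import Dict, Iterable, List, Sequence

COMPATIBLE = "driver is compatible with the application"
INCOMPATIBLE = "driver is incompatible with the application"

# Constructed sample run log (not from the patent). The third line is the kind
# of "error data" the fourth judgment unit is looking for.
SAMPLE_LOG = """\
2024-01-01 10:00:00 INFO  application started, filter driver 1.2 attached
2024-01-01 10:00:01 INFO  loaded ws2_32.dll from install directory
2024-01-01 10:00:02 ERROR failed to open handle to filter device: access denied
2024-01-01 10:00:02 WARN  retrying update in 30 s
""".splitlines()

# Assumed log layout: "<date> <time> <LEVEL> <message>"
LOG_LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+)\s+(?P<msg>.*)$")
ERROR_LEVELS = {"ERROR", "FATAL", "CRITICAL"}
ABNORMAL_MARKERS = ("exception", "access violation", "access denied", "crash", "timed out")


def find_problems(lines: Iterable[str]) -> List[str]:
    """Return the log lines that count as error data or abnormal data.
    ASSUMPTION: a non-empty line the parser cannot read is itself abnormal data."""
    problems = []
    for line in lines:
        if not line.strip():
            continue
        m = LOG_LINE.match(line)
        if m is None:
            problems.append(line)
            continue
        if m["level"] in ERROR_LEVELS or any(k in m["msg"].lower() for k in ABNORMAL_MARKERS):
            problems.append(line)
    return problems


def evaluate_log(lines: Iterable[str]) -> str:
    """S6010-S6013: any error/abnormal data in the running log means incompatible."""
    return INCOMPATIBLE if find_problems(lines) else COMPATIBLE


def evaluate_pids(before: Dict[str, int], after: Dict[str, int],
                  designated: Sequence[str]) -> str:
    """S6014-S6017: `before` and `after` are snapshots {image name: PID} taken at
    the start and end of the first preset time period. A designated process whose
    PID changed (it restarted) or disappeared (it died) counts as incompatibility."""
    for image in designated:
        if before.get(image) != after.get(image):
            return INCOMPATIBLE
    return COMPATIBLE


def evaluate(lines: Iterable[str], before: Dict[str, int], after: Dict[str, int],
             designated: Sequence[str]) -> str:
    """Second preset rule over both kinds of operating data: one incompatible verdict wins."""
    verdicts = (evaluate_log(list(lines)), evaluate_pids(before, after, designated))
    return INCOMPATIBLE if INCOMPATIBLE in verdicts else COMPATIBLE


if __name__ == "__main__":
    before = {"exampleapp.exe": 4120, "exampleapp_helper.exe": 4188}  # constructed PIDs
    after = {"exampleapp.exe": 4120, "exampleapp_helper.exe": 5316}   # helper restarted
    print(evaluate(SAMPLE_LOG, before, after, ["exampleapp.exe"]))
    print(evaluate(SAMPLE_LOG[:2], before, after, ["exampleapp.exe", "exampleapp_helper.exe"]))
```

The PID comparison is keyed by image name rather than by the PID alone, so that a process which is killed and immediately restarted with a new PID is reported as a change even though the same number of processes is running afterwards.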

Abstract

Disclosed in the present application are a method and apparatus for preventing dynamic link library (DLL) file hijacking, and a computer device. The method comprises: before starting up an application for the first time, creating a driver corresponding to the application; determining whether a copy request from an external first DLL file for a specified directory of the application is received; if yes, extracting the first name of the first DLL file from the copy request; reading a preset whitelist by means of the driver, and determining whether the first name exists in the whitelist; if yes, verifying the signature of the first DLL file according to a first preset rule to obtain a corresponding verification result; and performing corresponding processing on the copy request according to the verification result. The present application can effectively prevent hijacking of a DLL file in an application. Moreover, the signature verification of the first DLL file is performed by the driver, thereby effectively improving the application startup rate.

Description

Method, device and computer equipment for preventing dynamic link library file hijacking
This application claims priority to Chinese patent application No. 201910817923.9, filed with the Chinese Patent Office on August 30, 2019 and titled "Method, device and computer equipment for preventing dynamic link library file hijacking", the entire content of which is incorporated herein by reference.
Technical field
This application relates to the field of computer security technology, and in particular to a method, device and computer equipment for preventing dynamic link library file hijacking.
Background
DLL (Dynamic Link Library) file hijacking generally targets system DLL files that an application requires, such as usp1.dll, ws2_32.dll and lpk.dll. It relies mainly on the loading order of the DLL search path: a DLL file with the same name as a system DLL is dropped into a specified directory of the application that comes earlier in that loading order. The same-named DLL is usually a Trojan carrying the name of a system DLL, so that the application is turned into a loader for a malicious DLL. If the same-named DLL is not detected and removed in time, the application will load the disguised Trojan DLL ahead of the real one when it starts, with the result that the application is compromised and the system it runs on is infected.
The inventor found that existing approaches to preventing DLL file hijacking generally verify the signatures of all DLL files that need to be loaded when the application starts, remove any DLL files that fail verification, and only then let the application start normally. If starting the application requires loading dozens of DLL files, all of them must be verified on every start; the verification process is cumbersome and time-consuming, which greatly increases the start-up time of the application and degrades the user experience.
Technical problem
The main purpose of this application is to provide a method, device and computer equipment for preventing dynamic link library file hijacking, applicable to the field of blockchain technology, aimed at solving the technical problem that the signature verification process in existing approaches to preventing DLL file hijacking is cumbersome and time-consuming, greatly increasing the start-up time of the application and degrading the user experience.
Technical solution
This application proposes a method for preventing dynamic link library file hijacking, the method comprising the steps of: before starting the application for the first time, creating a driver corresponding to the application; determining whether a copy request issued by an external first DLL file to a specified directory of the application is received, wherein the copy request takes the form of an I/O request; if the copy request is received, extracting the first name of the first DLL file from the copy request; reading a preset whitelist through the driver and determining whether the first name exists in the whitelist, wherein the whitelist stores a plurality of designated names; if the first name exists in the whitelist, verifying the signature of the first DLL file according to a first preset rule to obtain a corresponding verification result; and processing the copy request according to the verification result.
This application also provides a device for preventing dynamic link library file hijacking, including: a creation module, used to create a driver corresponding to the application before the application is started for the first time; a first judgment module, used to judge whether a copy request issued by an external first DLL file to a specified directory of the application is received, wherein the copy request takes the form of an I/O request; an extraction module, used to extract the first name of the first DLL file if the copy request is received; a second judgment module, used to read a preset whitelist through the driver and judge whether the first name exists in the whitelist, wherein the whitelist stores a plurality of designated names; a verification module, used to verify the signature of the first DLL file according to a first preset rule if the first name exists in the whitelist, obtaining a corresponding verification result; and a first processing module, used to process the copy request according to the verification result.
This application also provides a computer device, including: one or more processors; a memory; and one or more computer programs, wherein the one or more computer programs are stored in the memory and configured to be executed by the one or more processors, and the one or more computer programs are configured to perform a method for preventing dynamic link library file hijacking, wherein the method includes the following steps: before starting the application for the first time, creating a driver corresponding to the application; determining whether a copy request issued by an external first DLL file to a specified directory of the application is received, wherein the copy request takes the form of an I/O request; if the copy request is received, extracting the first name of the first DLL file from the copy request; reading a preset whitelist through the driver and determining whether the first name exists in the whitelist, wherein the whitelist stores a plurality of designated names; if the first name exists in the whitelist, verifying the signature of the first DLL file according to a first preset rule to obtain a corresponding verification result; and processing the copy request according to the verification result.
This application also provides a computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor it implements a method for preventing dynamic link library file hijacking, wherein the method includes the following steps: before starting the application for the first time, creating a driver corresponding to the application; determining whether a copy request issued by an external first DLL file to a specified directory of the application is received, wherein the copy request takes the form of an I/O request; if the copy request is received, extracting the first name of the first DLL file from the copy request; reading a preset whitelist through the driver and determining whether the first name exists in the whitelist, wherein the whitelist stores a plurality of designated names; if the first name exists in the whitelist, verifying the signature of the first DLL file according to a first preset rule to obtain a corresponding verification result; and processing the copy request according to the verification result.
Beneficial effects
The method, device, computer equipment and storage medium for preventing dynamic link library file hijacking provided in this application have the following beneficial effects:
The method, device, computer equipment and storage medium for preventing dynamic link library file hijacking provided in this application effectively improve the processing efficiency of copy requests and simplify the signature verification flow; they effectively prevent DLL files within the application from being hijacked, improving the security and stability of the application, and they also effectively improve the start-up speed of the application.
Description of the drawings
FIG. 1 is a schematic flowchart of a method for preventing dynamic link library file hijacking according to an embodiment of this application;
FIG. 2 is a schematic structural diagram of a device for preventing dynamic link library file hijacking according to an embodiment of this application;
FIG. 3 is a schematic structural diagram of a computer device according to an embodiment of this application.
Best mode for carrying out the invention
Referring to FIG. 1, a method for preventing dynamic link library file hijacking according to an embodiment of this application includes:
S1: before starting the application for the first time, creating a driver corresponding to the application;
S2: judging whether a copy request issued by an external first DLL (Dynamic Link Library) file to a specified directory of the application is received, wherein the copy request takes the form of an I/O request;
S3: if the copy request is received, extracting the first name of the first DLL file from the copy request;
S4: reading a preset whitelist through the driver and judging whether the first name exists in the whitelist, wherein the whitelist stores a plurality of designated names;
S5: if the first name exists in the whitelist, verifying the signature of the first DLL file according to a first preset rule to obtain a corresponding verification result;
S6: processing the copy request according to the verification result.
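Steps S1 to S6 describe a decision the filter driver takes for every intercepted copy request. The Python below is an added worked example of that decision and is not code from the patent or its assignee: it models the intercepted IRP as a small CopyRequest record; the protected directory, whitelist entries and file contents are constructed sample data; and the verification step (S5) is stood in for by a SHA-256 digest lookup, whereas the patent's own verification is the signature check of the first preset rule. Two details it makes explicit that the steps leave implicit: the first name is taken from the final path component and compared case-insensitively, since Windows file names are, and the destination path is normalised before the directory test so that a path containing ".." cannot appear to land inside the protected directory.

```python
import hashlib
import ntpath
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple

ALLOW, DENY, PASS_THROUGH = "allow", "deny", "pass-through"


@dataclass(frozen=True)
class CopyRequest:
    """Constructed stand-in for the intercepted IRP of a copy into the
    application's directory (not the patent's own data structure)."""
    source_path: str   # where the external first DLL file comes from
    target_path: str   # full destination path the copy would create
    content: bytes     # the bytes that would be written


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_first_name(req: CopyRequest) -> str:
    """S3: the first name is the final path component only, lower-cased because
    Windows file names are case-insensitive (so 'LPK.DLL' must match 'lpk.dll')."""
    return ntpath.basename(req.target_path).lower()


def make_digest_verifier(expected: Dict[str, str]) -> Callable[[str, bytes], bool]:
    """Stand-in for the first preset rule: pass only if the SHA-256 of the content
    matches the digest recorded for that name. ASSUMPTION: the patent verifies a
    digital signature here; the filter logic below does not depend on which check is used."""
    def verify(name: str, content: bytes) -> bool:
        return expected.get(name) == sha256_hex(content)
    return verify


def filter_copy_request(req: CopyRequest, protected_dir: str, whitelist: Set[str],
                        verify: Callable[[str, bytes], bool]) -> Tuple[str, str]:
    """S2-S6 as the filter driver would apply them to one request; returns (decision, reason).

    Both paths are normalised and the protected root gets a trailing separator, so
    'App\\..\\Other\\x.dll' and 'App2\\x.dll' are not mistaken for writes into 'App'."""
    root = ntpath.normpath(protected_dir).lower().rstrip("\\") + "\\"
    target = ntpath.normpath(req.target_path).lower()
    if not target.startswith(root):
        return PASS_THROUGH, "target is outside the protected directory"
    name = extract_first_name(req)
    if name not in whitelist:                 # S4: not a resource the application needs
        return DENY, f"{name} is not in the whitelist"
    if verify(name, req.content):             # S5/S6: whitelisted, so verify before allowing
        return ALLOW, f"{name} passed verification"
    return DENY, f"{name} failed verification"


# Constructed sample data (not from the patent)
PROTECTED_DIR = r"C:\Program Files\ExampleApp"
WHITELIST = {"lpk.dll", "ws2_32.dll", "usp1.dll"}
GOOD_LPK = b"constructed bytes of the vendor's lpk.dll"
KNOWN_GOOD = {"lpk.dll": sha256_hex(GOOD_LPK)}


if __name__ == "__main__":
    verify = make_digest_verifier(KNOWN_GOOD)
    requests = [
        CopyRequest(r"D:\downloads\lpk.dll", PROTECTED_DIR + r"\lpk.dll", GOOD_LPK),
        CopyRequest(r"D:\downloads\LPK.DLL", PROTECTED_DIR + r"\LPK.DLL", b"something else"),
        CopyRequest(r"D:\downloads\x.dll", PROTECTED_DIR + r"\other.dll", b"anything"),
        CopyRequest(r"D:\downloads\lpk.dll", PROTECTED_DIR + r"\..\Other\lpk.dll", GOOD_LPK),
    ]
    for req in requests:
        print(req.target_path, "->", filter_copy_request(req, PROTECTED_DIR, WHITELIST, verify))
```

A request whose name is not whitelisted is denied outright without any signature work, which is the efficiency gain the patent claims; a whitelisted name is the only case that reaches the (comparatively expensive) verification step.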
As described in steps S1 and S2 above, the executing entity of this embodiment is a device for preventing dynamic link library file hijacking, which may specifically be a Windows file system with a driver installed. This embodiment completes signature verification of the first DLL file by creating a driver corresponding to the application, so the application does not need to verify every DLL file it loads at start-up, which improves the start-up speed of the application. Specifically, after the application has been installed and before it is started for the first time, a driver corresponding to the application is first created. The driver is a filter driver; it may be created during installation of the application, or at any time between successful installation and the first start, so that once the driver has been created, anti-hijacking processing of an external first DLL file can be carried out through it.
When a copy request from an external first DLL file to the specified directory of the application is received, the first name corresponding to the first DLL file is extracted from the copy request. Here the copy request refers to the first DLL file being used to overwrite, add, modify or replace a DLL file within the application, and it takes the form of an I/O (input/output) request generated by a user operation. When a user issues an I/O request, the request is generally packaged as an IRP (I/O Request Packet) and then sent to the Windows file system for processing. In this embodiment, when a copy request in the form of an I/O request is received, the IRP corresponding to that I/O request is not released directly, because a Trojan may be intruding or attempting to hijack a DLL file within the application; instead, the first DLL file corresponding to the I/O request is subjected to signature verification, and the first step of that verification is to obtain the first name of the first DLL file. Specifically, the IRP corresponding to the I/O request is first intercepted to obtain the IRP information, and the IRP information is then parsed to obtain the first name corresponding to the first DLL file.
As described in steps S3 and S4 above, after the first name has been obtained, the preconfigured whitelist is read through the driver to determine whether the first name exists in it. The specified directory may be the directory the application is currently loaded from, i.e. the installation directory of the application, or a system directory, and so on. The whitelist stores a plurality of designated names, which are the names of the DLL files whose signatures the application requires to be verified. Specifically, the name of the first DLL file may be matched against all the designated names in the whitelist to obtain a matching result, from which it can be determined whether the first name exists in the whitelist. Further, if the first name does not exist in the whitelist, the first DLL file is a resource the application does not need, for example a Windows system DLL file forged by a Trojan, and the driver directly refuses to process the copy request, that is, it returns a rejection for the IRP so that the first DLL file cannot be copied into the specified directory, which effectively prevents the application from being damaged. In another embodiment, the first DLL file that poses a DLL hijacking risk may also be scanned and removed.
Specifically, information about the first DLL file is first uploaded to a server, and the server then scans and removes the first DLL file. This ensures that the application's original file resources are not modified, curbs the spread of DLL files that pose a hijacking risk, and effectively prevents the application from being damaged by resources of unknown origin.
As described in steps S5 and S6 above, if the first name exists in the whitelist, the first DLL file is a resource the application needs, but the first DLL file must still be signature-verified to check its legitimacy: the signature of the first DLL file is verified according to the first preset rule to obtain a verification result, and the copy request is processed according to that result. The first preset rule means that the signature verification method is chosen according to the source of the first DLL file. The verification result is either that the first DLL file passes verification or that the first DLL file fails verification, and processing the copy request according to the verification result may specifically include the following. When the verification result is that the first DLL file passes, the copy request is shown to be a normal file operation and the first DLL file a resource the application needs, for example a file generated during an upgrade of the application, or a file generated while developers are testing the application; the copy request is then allowed to proceed so that the update or test of the application can be completed.
When the verification result is that the first DLL file fails, the copy request is shown to be an abnormal file operation, that is, the first DLL file is not a resource the application needs, for example it may be a Trojan or a file used for DLL hijacking; the copy request is then refused, which avoids the DLL hijacking that copying the first DLL file into the specified directory of the application would cause. In this embodiment, the signature of the first DLL file is verified only when the first DLL file exists in the whitelist, so DLL files not in the whitelist need not be verified, which effectively improves the processing efficiency of copy requests and simplifies the signature verification flow. And the copy request is allowed only after the first DLL file has passed signature verification, which effectively prevents DLL files within the application from being hijacked and improves the security and stability of the application. In addition, the signature verification of the first DLL file is performed by the driver, that is, it is completed before the application starts, so the application does not need to verify the signature of every internal DLL file at start-up, which effectively improves the start-up speed of the application.
Further, in an embodiment of the present application, before step S4 above, the method includes:
S400: receiving designated names respectively corresponding to a plurality of designated DLL files input by a user;
S401: entering all the designated names into a pre-created first list;
S402: encrypting the first list to obtain the whitelist.
As described in steps S400 to S402 above, before the step of reading the preset whitelist through the driver and determining whether the first name exists in the whitelist, the method further includes a step of creating the whitelist, which may specifically include: receiving the designated names respectively corresponding to a plurality of designated DLL files input by a user, where the designated DLL files are resources the application needs; then entering all the designated names into the pre-created first list; and further encrypting the first list to form the encrypted whitelist. In addition, after the first list has been encrypted to obtain the whitelist, the corresponding secret key is sent to the driver, and the driver must use this key to decrypt the encrypted whitelist in order to read all the designated-name data it contains. In this embodiment, only a driver that holds the corresponding secret key has permission to read the whitelist, which effectively prevents the whitelist from being tampered with and thereby avoids subsequent problems in the signature-verification process that tampering with the whitelist would cause.
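As an added example (not part of the patent application), the following Go program models the encrypted whitelist of steps S400 to S402 and the driver-side read of step S4. The DLL names, the key and the stored format (nonce followed by AES-256-GCM ciphertext) are assumptions for the example; the patent does not specify an encryption scheme. GCM is chosen because its authentication tag turns a modified whitelist into a decryption failure rather than a silently altered list, which is the tamper-resistance the passage relies on.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Constructed input for the example: the designated names an operator enters
// for the DLL files the application legitimately needs (steps S400 and S401).
var designatedNames = []string{"appcore.dll", "zlib1.dll", "libcrypto-1_1.dll"}

// buildWhitelist joins the first list into one record and encrypts it with
// AES-256-GCM (step S402). key stands in for the secret key that is handed to
// the driver; the returned blob is nonce || ciphertext || authentication tag.
func buildWhitelist(names []string, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plain := []byte(strings.Join(names, "\n"))
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// driverReadWhitelist is the driver-side read of step S4: only a holder of the
// key can recover the names, and because GCM authenticates the ciphertext, a
// whitelist that was modified on disk fails to open instead of yielding an
// altered set of names.
func driverReadWhitelist(blob, key []byte) (map[string]bool, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("whitelist blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, fmt.Errorf("whitelist rejected: %w", err)
	}
	set := make(map[string]bool)
	for _, n := range strings.Split(string(plain), "\n") {
		if n = strings.TrimSpace(n); n != "" {
			set[strings.ToLower(n)] = true // Windows file names compare case-insensitively
		}
	}
	return set, nil
}

// nameIsWhitelisted is the membership test of step S4 on the first name
// extracted from a copy request.
func nameIsWhitelisted(set map[string]bool, firstName string) bool {
	return set[strings.ToLower(firstName)]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	blob, err := buildWhitelist(designatedNames, key)
	if err != nil {
		panic(err)
	}
	set, err := driverReadWhitelist(blob, key)
	if err != nil {
		panic(err)
	}
	fmt.Println("ZLIB1.DLL whitelisted:", nameIsWhitelisted(set, "ZLIB1.DLL")) // true
	fmt.Println("evil.dll whitelisted:", nameIsWhitelisted(set, "evil.dll"))   // false
	blob[len(blob)-1] ^= 0x01 // simulate tampering with the stored whitelist
	_, err = driverReadWhitelist(blob, key)
	fmt.Println("tampered whitelist rejected:", err != nil) // true
}
```

The lower-casing of names is a design choice of the example, not something the patent states: NTFS file names compare case-insensitively, so a whitelist match that was case-sensitive could be bypassed by a differently cased copy of the same name.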
Further, in an embodiment of the present application, step S5 above includes:
S500: obtaining the resource source of the first DLL file and determining whether the first DLL file is a resource published by a third party;
S501: if the first DLL file is a resource published by a third party, determining whether the first DLL file contains a corresponding agency signature certificate;
S502: if the first DLL file contains the agency signature certificate, obtaining the latest version of the certificate revocation list of the certification authority corresponding to the agency signature certificate;
S503: determining whether the certificate revocation list contains the agency signature certificate;
S504: if the certificate revocation list does not contain the first certificate, determining that the first DLL file passes verification;
S505: if the certificate revocation list contains the first certificate, determining that the first DLL file fails verification.
As described in steps S500 to S505 above, when the first name of the first DLL file exists in the whitelist, the signature-verification method corresponding to the resource source of the first DLL file must also be applied to obtain the corresponding verification result. When the first DLL file is a third-party resource, it has been digitally signed by other means and the developers cannot sign it a second time, so the Windows file system needs to manage the signature verification of the first DLL file in a unified way. Specifically, the resource source of the first DLL file is first obtained and it is determined whether the first DLL file is a resource published by a third party; the resource source can be determined by checking whether the first DLL file carries a secondary signature: if a secondary signature is present, the first DLL file is determined not to be a third-party resource, and if none is present, it is determined to be a third-party resource. When the first DLL file is a resource published by a third party, it is further determined whether the first DLL file contains a corresponding agency signature certificate; for example, the first DLL file is a resource digitally signed with a Microsoft certificate, and the agency signature certificate is the Microsoft certificate. If the first DLL file contains the agency signature certificate, its legitimacy is identified by judging the validity of that certificate. Specifically, the latest version of the certificate revocation list (CRL) of the certification authority corresponding to the agency signature certificate is obtained, and it is determined whether the CRL contains the agency signature certificate. If it does not, the agency signature certificate is still within its validity period, the first DLL file is determined to pass verification, and the copy request for the first DLL file is then allowed. If it does, the agency signature certificate has been invalidated, that is, the first DLL file corresponding to it is an illegitimate third-party resource; the first DLL file is determined to fail verification and the copy request for it is then refused, which avoids the DLL hijacking that would result from copying the first DLL file into the application's designated directory and effectively ensures the security and stability of the application. In another embodiment, if the first DLL file, being a resource published by a third party, does not contain an agency signature certificate, this indicates that the first DLL file is an illegitimate third-party resource, and the copy request for the first DLL file is refused outright, which effectively prevents DLL hijacking from being set up by copying the first DLL file into the application's designated directory and ensures the security and stability of the application.
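The CRL branch of steps S501 to S505, as an added Go example that is not code from the patent: it builds an in-memory certification authority, a third-party code-signing certificate and that authority's CRL with the standard library, then decides pass or fail by looking the certificate's serial number up in the CRL. The CA name, the publisher name and the serial numbers are constructed for the example. It also checks that the certificate was issued by the authority in question, that the CRL was actually signed by that authority, and that the CRL is not past its NextUpdate, three checks a practitioner would add before trusting a "latest" CRL obtained from outside.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// testPKI stands in for the objects of steps S501 to S505: the certification
// authority, the agency signature certificate carried by a third-party DLL,
// and that authority's latest CRL. All names and serials are constructed.
type testPKI struct {
	caCert, leafCert *x509.Certificate
	crlDER           []byte
}

// issue signs tmpl with the signer's key and parses the resulting certificate.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildPKI creates the CA, a code-signing leaf issued by it, and a CRL; with
// revokeLeaf set, the leaf's serial number is placed on the CRL.
func buildPKI(revokeLeaf bool) (*testPKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Code Signing CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign is needed to issue CRLs
	}
	caCert, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed
	if err != nil {
		return nil, err
	}
	leafCert, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: "Example Third-Party DLL Publisher"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	crlTmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	if revokeLeaf {
		crlTmpl.RevokedCertificateEntries = []x509.RevocationListEntry{{SerialNumber: leafCert.SerialNumber, RevocationTime: now.Add(-time.Minute)}}
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, caCert, caKey)
	if err != nil {
		return nil, err
	}
	return &testPKI{caCert: caCert, leafCert: leafCert, crlDER: crlDER}, nil
}

// verifyThirdPartyCert implements steps S502 to S505. Beyond the bare membership
// test it rejects a CRL that is not signed by the issuer or that is past its
// NextUpdate, since a substituted or stale CRL could otherwise hide a revocation.
func verifyThirdPartyCert(cert, issuer *x509.Certificate, crlDER []byte, now time.Time) (bool, error) {
	if err := cert.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("certificate not issued by this authority: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return false, errors.New("CRL is stale; obtain the latest version")
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return false, nil // S505: on the CRL, the DLL fails verification
		}
	}
	return true, nil // S504: not on the CRL, the DLL passes verification
}

func main() {
	for _, revoked := range []bool{false, true} {
		p, err := buildPKI(revoked)
		if err != nil {
			panic(err)
		}
		pass, err := verifyThirdPartyCert(p.leafCert, p.caCert, p.crlDER, time.Now())
		fmt.Printf("leaf revoked=%v -> passes=%v err=%v\n", revoked, pass, err)
	}
}
```

A real CRL is keyed by serial number, not by the certificate itself, which is why the lookup compares SerialNumber; the page's wording "contains the agency signature certificate" amounts to the same test. The stale-CRL case returns an error rather than a pass or fail, so the caller can tell "could not decide" apart from "decided".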
Further, in an embodiment of the present application, after step S500 above, the method includes:
S506: if the first DLL file is not a resource published by a third party, extracting the first digital signature of the first DLL file;
S507: invoking the public key pre-stored in the driver to decrypt the first digital signature to obtain a first hash value;
S508: performing a hash calculation on the body content of the first DLL file to obtain a second hash value;
S509: determining whether the first hash value is the same as the second hash value;
S510: if the first hash value is the same as the second hash value, determining that the first DLL file passes verification;
S511: if the first hash value is not the same as the second hash value, determining that the first DLL file fails verification.
As described in steps S506 to S511 above, if the first DLL file is not a resource published by a third party, a signature-verification method different from the one used for third-party resources must be applied. When the first DLL file is not a third-party resource but one the developers have themselves signed and released, this kind of resource cannot be guaranteed to be completely safe either, and the first DLL file may have been tampered with, so signature verification is still required to confirm the legitimacy of the DLL. Specifically, when the first DLL file is not a resource published by a third party, the first digital signature of the first DLL file is first extracted from the file's resource section, and the public key pre-stored in the driver is then used to decrypt the first digital signature to obtain the first hash value. Here the first DLL file is the result of a signing process performed by the developers, which specifically includes: hashing the first DLL file with a hash algorithm to obtain a digital fingerprint; generating a public/private key pair with the elliptic curve digital signature algorithm; encrypting the digital fingerprint with the private key to obtain the first digital signature; and finally writing the first digital signature into the resource section of the first DLL file and storing the public key in the driver. After the first hash value is obtained, a hash calculation is performed on the body content of the first DLL file to obtain the second hash value. The first hash value and the second hash value are then compared to determine whether they are the same. If the first hash value is the same as the second hash value, the first digital signature has been verified successfully, the first DLL file is legitimate and has not been tampered with, and the first DLL file is therefore determined to pass verification, after which the copy request for the first DLL file is allowed. If the first hash value is not the same as the second hash value, verification of the first digital signature has failed and the first DLL file is illegitimate, for example because it has been tampered with; the first DLL file is then determined to fail verification and the copy request for it is refused, which avoids the DLL hijacking that would result from copying the first DLL file into the application's designated directory and effectively ensures the security and stability of the application.
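Developer-side signing and driver-side verification for steps S506 to S511, as an added Go example rather than the patent's own code. The "resource section" is modelled as a trailer appended to the DLL body (the DER signature followed by its two-byte length), and the body bytes are constructed; both are assumptions. One caveat on the wording of S507: an ECDSA signature cannot be decrypted back into the hash it covers, so the comparison of the first and second hash values takes place inside the verification call, which yields the same pass/fail decision the steps describe.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// newSigningKey generates the developer's ECDSA P-256 key pair. The private
// key stays with the developer; the public key is what gets stored in the
// driver (step S507).
func newSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signDLL is the developer-side signing process described for S506 to S511:
// hash the body to obtain the digital fingerprint, sign it with the private
// key, and embed the signature in the file. The "resource section" is modelled
// as a trailer: body || DER signature || 2-byte big-endian signature length.
func signDLL(body []byte, priv *ecdsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(body) // digital fingerprint of the body
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	if len(sig) > 0xFFFF {
		return nil, errors.New("signature too long for trailer")
	}
	image := append([]byte{}, body...)
	image = append(image, sig...)
	return append(image, byte(len(sig)>>8), byte(len(sig))), nil
}

// splitSigned separates the body (input of S508) from the embedded first
// digital signature (output of S506) and rejects images without a trailer.
func splitSigned(image []byte) (body, sig []byte, err error) {
	if len(image) < 2 {
		return nil, nil, errors.New("image too short")
	}
	n := int(image[len(image)-2])<<8 | int(image[len(image)-1])
	if n == 0 || n > len(image)-2 {
		return nil, nil, errors.New("no embedded signature")
	}
	end := len(image) - 2
	return image[:end-n], image[end-n : end], nil
}

// driverVerifyDLL is the driver-side check of S507 to S511 using the stored
// public key. The second hash value is computed over the body only; VerifyASN1
// checks the signature against it, which is the S509 comparison.
func driverVerifyDLL(image []byte, pub *ecdsa.PublicKey) (bool, error) {
	body, sig, err := splitSigned(image)
	if err != nil {
		return false, err
	}
	digest := sha256.Sum256(body) // second hash value
	return ecdsa.VerifyASN1(pub, digest[:], sig), nil
}

func main() {
	priv, err := newSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a DLL body; real input would be the PE image bytes.
	body := []byte("MZ\x90\x00constructed-dll-body-for-example")
	image, err := signDLL(body, priv)
	if err != nil {
		panic(err)
	}
	ok, _ := driverVerifyDLL(image, &priv.PublicKey)
	fmt.Println("untouched image passes:", ok) // true
	image[4] ^= 0xFF // tamper with one body byte after signing
	ok, _ = driverVerifyDLL(image, &priv.PublicKey)
	fmt.Println("tampered image passes:", ok) // false
}
```

The trailer layout is only a stand-in for writing into a PE resource section; what carries over is that the hash must be computed over exactly the bytes the signer hashed, excluding the signature itself, or the check can never succeed.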
Further, in an embodiment of the present application, after step S6 above, the method includes:
S600: running the application;
S601: obtaining running data generated by the application during running, and evaluating the running data according to a second preset rule to obtain a corresponding evaluation result, where the evaluation result is either that the driver is compatible with the application or that the driver is incompatible with the application;
S602: performing corresponding processing on the driver or the application according to the evaluation result.
As described in steps S600 to S602 above, installing the driver corresponding to the application can be regarded as a kind of upgrade of the application, but such an upgrade carries a risk of defects or errors, for example an incompatibility between the driver and the application. If the installed driver is incompatible with the application, the normal operation of the application or some of its normal functions may be affected, so this embodiment further verifies the compatibility of the two to keep the normal operation of the application from being disturbed. Specifically, after the copy request has been processed, this embodiment first runs the application, then obtains the running data generated by the application while it runs, and evaluates that running data according to the second preset rule to obtain the corresponding evaluation result. Evaluating the running data according to the second preset rule may cover several evaluation methods: for example, the evaluation may be performed by analysing the application's run log; it may be performed by analysing the process identifiers (PIDs) of the running processes corresponding to the application; or it may be performed by analysing the application's database data, which includes user data and/or default data and/or data such as configuration files. The evaluation result is either that the driver is compatible with the application or that the driver is incompatible with the application. When the evaluation result is that the driver is compatible with the application, the installation of the driver does not affect the normal operation of the application, and no subsequent processing of the application or the driver is performed. In another embodiment, when the evaluation result is that the driver is incompatible with the application, compatibility information describing the incompatibility between the driver and the application is further derived from the running data, and the application is then maintained according to that compatibility information, or the driver is directly replaced, to resolve the incompatibility. By evaluating the compatibility of the created driver with the application and obtaining the corresponding evaluation result, this embodiment supports the subsequent processing of the application or the driver according to that result and thereby effectively ensures the normal operation of the application.
Further, in an embodiment of the present application, the running data includes a run log, and step S601 above includes:
S6010: obtaining the run log generated by the application during running;
S6011: determining whether the run log contains error data and/or abnormal data;
S6012: if so, determining that the driver is incompatible with the application;
S6013: if not, determining that the driver is compatible with the application.
As described in steps S6010 to S6013 above, the running data may be a run log: once the application is running, a corresponding run log is generated, which may specifically be a log of the application's current running environment, namely CPU, memory and operating-system status. This embodiment first obtains the run log generated by the application while running, the run log being stored in the form of a file, and then determines whether the run log contains error data and/or abnormal data. If error data and/or abnormal data have been generated in the run log, the application has become unstable after the upgrade of installing the driver, errors and exceptions are present, and the application cannot run normally, so the driver is determined to be incompatible with the application, that is, the evaluation result is that the driver is incompatible with the application. If no error data and/or abnormal data have been generated in the run log, the application can still run normally after the upgrade of installing the driver, so the driver is determined to be compatible with the application, that is, the evaluation result is that the driver is compatible with the application. By determining whether the run log generated after the application runs contains error data and/or abnormal data, this embodiment detects the running state of the application after the upgrade of installing the driver and can quickly derive the corresponding evaluation result from that running state.
Further, in an embodiment of the present application, the running data includes the process identifiers of the running processes, and step S601 above includes:
S6014: obtaining the PIDs (process identifiers) of all running processes corresponding to the application;
S6015: determining whether the PID of a designated running process changes within a first preset time period, where the designated running process is one or more of all the running processes;
S6016: if so, determining that the driver is incompatible with the application;
S6017: if not, determining that the driver is compatible with the application.
As described in steps S6014 to S6017 above, a running application consists of a plurality of running processes, and the operating system the application runs on assigns each of these processes a process identifier (PID, process identification, the unique identification number of a process). When a designated running process changes, for example the designated running process disappears or its PID changes, it can be determined that the designated running process has crashed, and hence that the application to which it belongs has a problem or fault. In this embodiment the running data may be the PIDs of the running processes: once the application is running, the PIDs of all running processes corresponding to the application are first obtained. It is then determined whether the PID of a designated running process changes within the first preset time period, where the designated running process is one or more of all the running processes, for example certain resident processes among them. If the PID of the designated running process has changed, that is, the PID of the resident process has changed or, for example, disappeared, the application has encountered an abnormality and cannot run normally, so the driver is determined to be incompatible with the application, that is, the evaluation result is that the driver is incompatible with the application. The first preset time period can be set according to actual needs, for example to 5 minutes, and is not specifically limited here. If the PID of the running process has not changed, the application can still run normally after the upgrade of installing the driver, so the driver is determined to be compatible with the application, that is, the evaluation result is that the driver is compatible with the application. By determining whether the PIDs of the running processes corresponding to the application change within the preset time period, this embodiment detects the running state of the application after the upgrade of installing the driver and can quickly derive the corresponding evaluation result from that running state.
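The run-log rule of steps S6010 to S6013 and the PID rule of steps S6014 to S6017, as one added Go example that is not part of the patent. The log lines, process names and PIDs are constructed, and the set of error markers the regular expression looks for is an assumption, since the page does not define what counts as error or abnormal data. The PID rule takes two snapshots, at the start and the end of the first preset period, so it does not depend on polling while the period elapses.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// The two possible evaluation results of step S601.
const (
	Compatible   = "driver compatible with application"
	Incompatible = "driver incompatible with application"
)

// Constructed sample run log (S6010): a CPU/memory/OS status log with one
// error entry and one abnormal entry, as a driver that breaks DLL loading
// might produce.
const sampleLog = `2020-04-30 09:00:01 INFO  application started pid=4120
2020-04-30 09:00:02 INFO  cpu=3% mem=142MB os=Windows
2020-04-30 09:00:07 ERROR LoadLibrary(appcore.dll) failed
2020-04-30 09:00:07 WARN  unhandled exception in worker thread, restarting`

// abnormalEntry matches the error and exception markers S6011 looks for
// (assumed set; tune it to the application's actual log vocabulary).
var abnormalEntry = regexp.MustCompile(`(?i)\b(ERROR|FATAL|exception|crash|access violation)\b`)

// evaluateLog implements S6011 to S6013 and returns the offending lines, so
// the compatibility information needed for S602 is available to the operator.
func evaluateLog(log string) (verdict string, hits []string) {
	for _, line := range strings.Split(log, "\n") {
		if abnormalEntry.MatchString(line) {
			hits = append(hits, strings.TrimSpace(line))
		}
	}
	if len(hits) > 0 {
		return Incompatible, hits
	}
	return Compatible, nil
}

// evaluatePIDs implements S6014 to S6017: before and after map process name to
// PID at the start and end of the first preset period (the page suggests
// 5 minutes). A designated resident process whose PID vanished or changed has
// crashed or been restarted, which the page treats as an application fault.
func evaluatePIDs(before, after map[string]int, designated []string) (verdict string, changed []string) {
	for _, name := range designated {
		b, okB := before[name]
		a, okA := after[name]
		if !okB || !okA || a != b {
			changed = append(changed, name)
		}
	}
	if len(changed) > 0 {
		return Incompatible, changed
	}
	return Compatible, nil
}

// evaluateRun combines both rules: the driver counts as compatible only when
// neither the log nor the PID check finds a problem.
func evaluateRun(log string, before, after map[string]int, designated []string) (string, []string) {
	v1, hits := evaluateLog(log)
	v2, changed := evaluatePIDs(before, after, designated)
	if v1 == Compatible && v2 == Compatible {
		return Compatible, nil
	}
	return Incompatible, append(hits, changed...)
}

func main() {
	// Constructed snapshots: the helper process was restarted (new PID) and the
	// updater disappeared during the observation period.
	before := map[string]int{"app.exe": 4120, "app-helper.exe": 4188, "app-updater.exe": 4201}
	after := map[string]int{"app.exe": 4120, "app-helper.exe": 5302}
	verdict, findings := evaluateRun(sampleLog, before, after, []string{"app.exe", "app-helper.exe"})
	fmt.Println(verdict)
	for _, f := range findings {
		fmt.Println("  -", f)
	}
}
```

Returning the matched lines and the names of the affected processes, rather than only the verdict, is what makes the S602 follow-up (maintain the application or replace the driver) actionable.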
Referring to FIG. 2, an embodiment of the present application further provides an apparatus for preventing dynamic link library file hijacking, including:
a creation module 1, configured to create a driver corresponding to the application before the application is started for the first time;
a first judgment module 2, configured to determine whether a copy request issued by an external first DLL (dynamic link library) file to a designated directory of the application is received, where the copy request takes the form of an I/O request;
an extraction module 3, configured to extract a first name of the first DLL file if the copy request is received;
a second judgment module 4, configured to read a preset whitelist through the driver and determine whether the first name exists in the whitelist, where the whitelist stores a plurality of designated names;
a verification module 5, configured to verify the signature of the first DLL file according to a first preset rule to obtain a corresponding verification result if the first name exists in the whitelist;
a first processing module 6, configured to perform corresponding processing on the copy request according to the verification result.
In this embodiment, the implementation of the functions and roles of the creation module, the first judgment module, the extraction module, the second judgment module, the verification module and the first processing module in the above apparatus for preventing dynamic link library file hijacking is described in detail in the implementation of the corresponding steps S1 to S6 of the above method for preventing dynamic link library file hijacking and is not repeated here.
Further, in an embodiment of the present application, the above apparatus for preventing dynamic link library file hijacking includes:
a receiving module, configured to receive designated names respectively corresponding to a plurality of designated DLL files input by a user;
an input module, configured to enter all the designated names into a pre-created first list;
an encryption module, configured to encrypt the first list to obtain the whitelist.
In this embodiment, the implementation of the functions and roles of the receiving module, the input module and the encryption module in the above apparatus for preventing dynamic link library file hijacking is described in detail in the implementation of the corresponding steps S400 to S402 of the above method for preventing dynamic link library file hijacking and is not repeated here.
Further, in an embodiment of the present application, the above verification module includes:
a first obtaining unit, configured to obtain the resource source of the first DLL file and determine whether the first DLL file is a resource published by a third party;
a first judgment unit, configured to determine, if the first DLL file is a resource published by a third party, whether the first DLL file contains a corresponding agency signature certificate;
a second obtaining unit, configured to obtain, if the first DLL file contains the agency signature certificate, the latest version of the certificate revocation list of the certification authority corresponding to the agency signature certificate;
a second judgment unit, configured to determine whether the certificate revocation list contains the agency signature certificate;
a first determination unit, configured to determine that the first DLL file passes verification if the certificate revocation list does not contain the first certificate;
a second determination unit, configured to determine that the first DLL file fails verification if the certificate revocation list contains the first certificate.
In this embodiment, the implementation of the functions and roles of the first obtaining unit, the first judgment unit, the second obtaining unit, the second judgment unit, the first determination unit and the second determination unit included in the verification module of the above apparatus for preventing dynamic link library file hijacking is described in detail in the implementation of the corresponding steps S500 to S505 of the above method for preventing dynamic link library file hijacking and is not repeated here.
Further, in an embodiment of the present application, the above verification module includes:
an extracting unit, configured to extract a first digital signature of the first DLL file if the first DLL file is not a resource released by a third party;
an invoking unit, configured to invoke a public key pre-stored in the driver to decrypt the first digital signature, obtaining a first hash value;
a calculating unit, configured to perform a hash calculation on the body content of the first DLL file, obtaining a second hash value;
a third judging unit, configured to judge whether the first hash value and the second hash value are the same;
a third determining unit, configured to determine that the first DLL file passes verification if the first hash value is the same as the second hash value;
a fourth determining unit, configured to determine that the first DLL file fails verification if the first hash value is not the same as the second hash value.
In this embodiment, the implementation of the functions and roles of the extracting unit, the invoking unit, the calculating unit, the third judging unit, the third determining unit and the fourth determining unit included in the verification module of the above apparatus for preventing dynamic link library file hijacking is described in detail under the corresponding steps S506-S511 of the above method for preventing dynamic link library file hijacking, and is not repeated here.
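The driver-side decision described by the verification module (whitelist lookup by name, then the CRL branch for third-party DLLs and the public-key-recovers-hash branch for the vendor's own DLLs), worked through as an added example. This is not the patent's code: the `DllFile` record, the textbook RSA key pair (so the block runs offline), the use of certificate serials as CRL entries, refusing a copy whose name is not whitelisted, and failing a third-party DLL that carries no organization signing certificate are all assumptions made here.

```python
"""Driver-side decision for one intercepted copy request (added example)."""
import hashlib
import math
from dataclasses import dataclass
from typing import Optional, Set, Tuple

PASS, FAIL, NOT_WHITELISTED = "pass", "fail", "not_whitelisted"


@dataclass
class DllFile:
    """Constructed stand-in for the first DLL file as the driver sees it."""
    name: str
    body: bytes                          # 'body content' that gets hashed
    third_party: bool                    # the 'resource source' classification
    cert_serial: Optional[str] = None    # serial of the organization signing certificate
    signature: Optional[int] = None      # first digital signature (own DLLs only)


# Toy textbook RSA so the example runs offline. Real code signing uses PKCS#1
# v1.5 or PSS padding and a full certificate chain; a raw modexp is only the
# patent's description of 'decrypt the signature with the public key'.
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases, enough for a demo modulus."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _next_prime(n: int) -> int:
    while not _is_probable_prime(n):
        n += 1
    return n


def make_keypair() -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return ((e, N), (d, N)); N > 2**256 so a SHA-256 digest fits as an integer."""
    e, p, q = 65537, _next_prime(1 << 130), _next_prime(1 << 131)
    while True:
        phi = (p - 1) * (q - 1)
        if math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)
        q = _next_prime(q + 1)


def body_hash(body: bytes) -> int:
    return int.from_bytes(hashlib.sha256(body).digest(), "big")


def sign_body(body: bytes, private_key: Tuple[int, int]) -> int:
    """Vendor-side build step: sign the hash of the DLL body."""
    d, n = private_key
    return pow(body_hash(body), d, n)


@dataclass
class Driver:
    whitelist: Set[str]            # designated DLL names, lower-cased
    public_key: Tuple[int, int]    # (e, N) pre-stored in the driver
    crl: Set[str]                  # latest CRL of the CA, as revoked serials

    def verify(self, dll: DllFile) -> str:
        """First preset rule: CRL check for third-party DLLs, hash check for own DLLs."""
        if dll.third_party:
            if dll.cert_serial is None:        # assumption: no certificate means fail
                return FAIL
            return FAIL if dll.cert_serial in self.crl else PASS
        if dll.signature is None:
            return FAIL
        e, n = self.public_key
        first_hash = pow(dll.signature, e, n)  # recover the signed hash with the public key
        second_hash = body_hash(dll.body)      # hash the body content ourselves
        return PASS if first_hash == second_hash else FAIL

    def handle_copy_request(self, dll: DllFile) -> str:
        """Whitelist by name first; only whitelisted names get signature verification."""
        if dll.name.lower() not in self.whitelist:
            return NOT_WHITELISTED             # assumption: the copy is refused, not verified
        return self.verify(dll)
```

Two points a practitioner should keep in mind when reading the patent's flow against this code: the name whitelist is a filter, not an identity check, since any file can be renamed to a whitelisted name, which is exactly why the signature branch must follow it; and an "is the serial on the CRL" lookup by itself says nothing about chain validity, expiry or whether the certificate is a code-signing certificate at all, so in a real driver the third-party branch would sit on top of full chain validation rather than replace it.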
Further, in an embodiment of the present application, the apparatus for preventing dynamic link library file hijacking includes:
a running module, configured to run the application;
an evaluation module, configured to acquire running data generated by the application while it runs and to evaluate the running data according to a second preset rule, obtaining a corresponding evaluation result, where the evaluation result is either that the driver is compatible with the application or that the driver is incompatible with the application;
a second processing module, configured to perform corresponding processing on the driver or the application according to the evaluation result.
In this embodiment, the implementation of the functions and roles of the running module, the evaluation module and the second processing module of the above apparatus for preventing dynamic link library file hijacking is described in detail under the corresponding steps S600-S602 of the above method for preventing dynamic link library file hijacking, and is not repeated here.
Further, in an embodiment of the present application, the running data includes a running log, and the above evaluation module includes:
a third acquiring unit, configured to acquire the running log generated by the application while it runs;
a fourth judging unit, configured to judge whether the running log contains error data and/or abnormal data;
a fifth determining unit, configured to determine that the driver is incompatible with the application if it does;
a sixth determining unit, configured to determine that the driver is compatible with the application if it does not.
In this embodiment, the implementation of the functions and roles of the third acquiring unit, the fourth judging unit, the fifth determining unit and the sixth determining unit included in the evaluation module of the above apparatus for preventing dynamic link library file hijacking is described in detail under the corresponding steps S6010-S6013 of the above method for preventing dynamic link library file hijacking, and is not repeated here.
Further, in an embodiment of the present application, the running data includes process identifiers of running processes, and the above evaluation module includes:
a fourth acquiring unit, configured to acquire the PIDs (process identifiers) of all running processes corresponding to the application;
a fifth judging unit, configured to judge whether the PID of a designated running process changes within a first preset time period, where the designated running process is one or more of all the running processes;
a seventh determining unit, configured to determine that the driver is incompatible with the application if it does;
an eighth determining unit, configured to determine that the driver is compatible with the application if it does not.
In this embodiment, the implementation of the functions and roles of the fourth acquiring unit, the fifth judging unit, the seventh determining unit and the eighth determining unit included in the evaluation module of the above apparatus for preventing dynamic link library file hijacking is described in detail under the corresponding steps S6014-S6017 of the above method for preventing dynamic link library file hijacking, and is not repeated here.
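The two evaluation rules above (error or abnormal data in the running log; a designated process whose PID changes within the first preset time period), run over constructed data as an added example that is not the patent's code. The log format, the regular expression that stands in for "error data and/or abnormal data", the process names, the PID samples and the 60-second window are all assumptions of this example; the patent fixes none of them.

```python
"""Second preset rule: is the driver compatible with the running application? (added example)"""
import re
from typing import Dict, Iterable, List, Sequence, Tuple

COMPATIBLE, INCOMPATIBLE = "compatible", "incompatible"

# Assumed markers of 'error data / abnormal data'; the patent fixes no log format.
ERROR_RE = re.compile(r"\b(ERROR|FATAL|EXCEPTION|ACCESS_VIOLATION|STATUS_[A-Z_]+)\b")

PidSample = Tuple[float, Dict[str, int]]   # (seconds since app start, {process name: PID})

# Constructed running data: a log with one error line, and PID samples in which
# app.exe restarts (new PID) inside the window while helper.exe restarts after it.
LOG = [
    "2020-04-28 10:00:01 INFO  app started, driver attached",
    "2020-04-28 10:00:02 INFO  loaded libcore.dll from app directory",
    "2020-04-28 10:00:05 ERROR copy of libui.dll refused: STATUS_ACCESS_DENIED",
]
SAMPLES: List[PidSample] = [
    (0.0,   {"app.exe": 4120, "helper.exe": 4188}),
    (15.0,  {"app.exe": 4120, "helper.exe": 4188}),
    (30.0,  {"app.exe": 5208, "helper.exe": 4188}),
    (120.0, {"app.exe": 5208, "helper.exe": 6001}),
]


def log_errors(lines: Iterable[str]) -> List[str]:
    """Lines of the running log that carry error or abnormal data."""
    return [line for line in lines if ERROR_RE.search(line)]


def pid_changes(samples: Sequence[PidSample], designated: Iterable[str], window: float) -> List[str]:
    """Designated processes whose PID differs from its first observed value, or which
    are missing, in any sample taken within `window` seconds of the first sample."""
    ordered = sorted(samples, key=lambda s: s[0])
    if not ordered:
        return []
    t_start, baseline = ordered[0]
    in_window = [pids for t, pids in ordered if t - t_start <= window]
    return [name for name in designated
            if any(pids.get(name) != baseline.get(name) for pids in in_window)]


def evaluate(log_lines: Iterable[str], samples: Sequence[PidSample],
             designated: Iterable[str], window: float) -> str:
    """Either signal, an error in the log or a PID change inside the window, means incompatible."""
    if log_errors(log_lines) or pid_changes(samples, list(designated), window):
        return INCOMPATIBLE
    return COMPATIBLE
```

A PID that changes inside the window is read as a crash-and-restart of the designated process, which is the symptom the patent is after when a freshly installed filter driver breaks the application; a restart after the window, like `helper.exe` in the sample, is deliberately not counted. What the "corresponding processing" of the driver or application is on an incompatible result is left open by the page and is not modelled here.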
Referring to FIG. 3, an embodiment of the present application further provides a computer device. The computer device may be a server, and its internal structure may be as shown in FIG. 3. The computer device includes a processor, a memory, a network interface and a database connected through a system bus. The processor of the computer device is configured to provide computing and control capability. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program and a database. The internal memory provides an environment for running the operating system and the computer program stored in the non-volatile storage medium. The database of the computer device is used to store data such as copy requests and the whitelist. The network interface of the computer device is used to communicate with an external terminal over a network connection. When executed by the processor, the computer program implements the method for preventing dynamic link library file hijacking shown in any of the above exemplary embodiments, the steps of which are: before the application is started for the first time, creating a driver corresponding to the application; judging whether a copy request directed at a designated directory of the application by an external first DLL file has been received, where the copy request takes the form of an I/O request; if the copy request is received, extracting a first name of the first DLL file from the copy request; reading a preset whitelist through the driver and judging whether the first name exists in the whitelist, where the whitelist stores a plurality of designated names; if the first name exists in the whitelist, verifying the signature of the first DLL file according to a first preset rule, obtaining a corresponding verification result; and performing corresponding processing on the copy request according to the verification result.
Those skilled in the art can understand that the structure shown in FIG. 3 is merely a block diagram of part of the structure related to the solution of the present application and does not limit the apparatus or computer device to which the solution of the present application is applied.
An embodiment of the present application further provides a computer-readable storage medium, which is a volatile or non-volatile storage medium storing a computer program. When executed by one or more processors, the computer program causes the one or more processors to carry out the steps of the above method embodiment for preventing dynamic link library file hijacking, the method being specifically: before the application is started for the first time, creating a driver corresponding to the application; judging whether a copy request directed at a designated directory of the application by an external first DLL file has been received, where the copy request takes the form of an I/O request; if the copy request is received, extracting a first name of the first DLL file from the copy request; reading a preset whitelist through the driver and judging whether the first name exists in the whitelist, where the whitelist stores a plurality of designated names; if the first name exists in the whitelist, verifying the signature of the first DLL file according to a first preset rule, obtaining a corresponding verification result; and performing corresponding processing on the copy request according to the verification result.
In summary, the method, apparatus and computer device for preventing dynamic link library file hijacking provided in the embodiments of the present application: before the application is started for the first time, create a driver corresponding to the application; judge whether a copy request directed at a designated directory of the application by an external first DLL file has been received, where the copy request takes the form of an I/O request; if the copy request is received, extract a first name of the first DLL file from the copy request; read a preset whitelist through the driver and judge whether the first name exists in the whitelist, where the whitelist stores a plurality of designated names; if the first name exists in the whitelist, verify the signature of the first DLL file according to a first preset rule, obtaining a corresponding verification result; and perform corresponding processing on the copy request according to the verification result. Because the signature of the first DLL file is verified only when its name is present in the whitelist, DLL files outside the whitelist need no signature verification, which improves the efficiency of handling copy requests and simplifies the signature verification flow. And because the copy request is allowed to proceed only after the first DLL file has passed signature verification, hijacking of the DLL files inside the application is effectively prevented and the security and stability of the application are improved. In addition, signature verification of the first DLL file is performed by the driver, that is, it is completed before the application is started, so the application does not need to verify the signature of each of its internal DLL files at startup, which improves application startup speed.
Those of ordinary skill in the art can understand that all or part of the procedures in the methods of the above embodiments may be implemented by a computer program instructing related hardware. The computer program may be stored in a non-volatile computer-readable storage medium and, when executed, may include the procedures of the above method embodiments. Any reference to memory, storage, a database or another medium provided in this application and used in the embodiments may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
The above are merely preferred embodiments of the present application and do not limit the patent scope of the present application. Any equivalent structural or process transformation made using the content of the specification and drawings of the present application, or any direct or indirect application thereof in other related technical fields, is likewise included within the patent protection scope of the present application.

Claims (20)

  1. A method for preventing dynamic link library file hijacking, comprising:
    before the application is started for the first time, creating a driver corresponding to the application;
    judging whether a copy request directed at a designated directory of the application by an external first DLL file has been received, where the copy request takes the form of an I/O request;
    if the copy request is received, extracting a first name of the first DLL file from the copy request;
    reading a preset whitelist through the driver and judging whether the first name exists in the whitelist, where the whitelist stores a plurality of designated names;
    if the first name exists in the whitelist, verifying the signature of the first DLL file according to a first preset rule, obtaining a corresponding verification result;
    performing corresponding processing on the copy request according to the verification result.
  2. The method for preventing dynamic link library file hijacking according to claim 1, wherein before the step of reading a preset whitelist through the driver and judging whether the first name exists in the whitelist, the method comprises:
    receiving designated names input by a user, each corresponding to one of a plurality of designated DLL files;
    entering all the designated names into a pre-created first list;
    encrypting the first list, obtaining the whitelist.
  3. The method for preventing dynamic link library file hijacking according to claim 1, wherein the step of verifying the signature of the first DLL file according to a first preset rule, obtaining a verification result, comprises:
    acquiring the resource source of the first DLL file, and judging whether the first DLL file is a resource released by a third party;
    if the first DLL file is a resource released by a third party, judging whether the first DLL file contains a corresponding organization signing certificate;
    if the first DLL file contains the organization signing certificate, acquiring the latest version of the certificate revocation list of the certification authority corresponding to the organization signing certificate;
    judging whether the certificate revocation list contains the organization signing certificate;
    if the certificate revocation list does not contain the first certificate, determining that the first DLL file passes verification;
    if the certificate revocation list contains the first certificate, determining that the first DLL file fails verification.
  4. The method for preventing dynamic link library file hijacking according to claim 3, wherein after the step of acquiring the resource source of the first DLL file and judging whether the first DLL file is a resource released by a third party, the method comprises:
    if the first DLL file is not a resource released by a third party, extracting a first digital signature of the first DLL file;
    invoking a public key pre-stored in the driver to decrypt the first digital signature, obtaining a first hash value;
    performing a hash calculation on the body content of the first DLL file, obtaining a second hash value;
    judging whether the first hash value and the second hash value are the same;
    if the first hash value is the same as the second hash value, determining that the first DLL file passes verification;
    if the first hash value is not the same as the second hash value, determining that the first DLL file fails verification.
  5. The method for preventing dynamic link library file hijacking according to claim 1, wherein after the step of performing corresponding processing on the copy request according to the verification result, the method comprises:
    running the application;
    acquiring running data generated by the application while it runs, and evaluating the running data according to a second preset rule, obtaining a corresponding evaluation result, where the evaluation result is either that the driver is compatible with the application or that the driver is incompatible with the application;
    performing corresponding processing on the driver or the application according to the evaluation result.
  6. The method for preventing dynamic link library file hijacking according to claim 5, wherein the running data includes a running log, and the step of acquiring running data generated by the application while it runs and evaluating the running data according to a second preset rule, obtaining a corresponding evaluation result, comprises:
    acquiring the running log generated by the application while it runs;
    judging whether the running log contains error data and/or abnormal data;
    if it does, determining that the driver is incompatible with the application;
    if it does not, determining that the driver is compatible with the application.
  7. The method for preventing dynamic link library file hijacking according to claim 5, wherein the running data includes process identifiers of running processes, and the step of acquiring running data generated by the application while it runs and evaluating the running data according to a second preset rule, obtaining a corresponding evaluation result, comprises:
    acquiring the PIDs of all running processes corresponding to the application;
    judging whether the PID of a designated running process changes within a first preset time period, where the designated running process is one or more of all the running processes;
    if it does, determining that the driver is incompatible with the application;
    if it does not, determining that the driver is compatible with the application.
  8. An apparatus for preventing dynamic link library file hijacking, comprising:
    a creating module, configured to create a driver corresponding to the application before the application is started for the first time;
    a first judging module, configured to judge whether a copy request directed at a designated directory of the application by an external first DLL file has been received, where the copy request takes the form of an I/O request;
    an extracting module, configured to extract a first name of the first DLL file if the copy request is received;
    a second judging module, configured to read a preset whitelist through the driver and judge whether the first name exists in the whitelist, where the whitelist stores a plurality of designated names;
    a verification module, configured to verify the signature of the first DLL file according to a first preset rule if the first name exists in the whitelist, obtaining a corresponding verification result;
    a first processing module, configured to perform corresponding processing on the copy request according to the verification result.
  9. A computer device, comprising:
    one or more processors;
    a memory;
    one or more computer programs, wherein the one or more computer programs are stored in the memory and configured to be executed by the one or more processors, and the one or more computer programs are configured to execute a method for preventing dynamic link library file hijacking, the method comprising the following steps:
    before the application is started for the first time, creating a driver corresponding to the application;
    judging whether a copy request directed at a designated directory of the application by an external first DLL file has been received, where the copy request takes the form of an I/O request;
    if the copy request is received, extracting a first name of the first DLL file from the copy request;
    reading a preset whitelist through the driver and judging whether the first name exists in the whitelist, where the whitelist stores a plurality of designated names;
    if the first name exists in the whitelist, verifying the signature of the first DLL file according to a first preset rule, obtaining a corresponding verification result;
    performing corresponding processing on the copy request according to the verification result.
  10. The computer device according to claim 9, wherein before the step of reading a preset whitelist through the driver and judging whether the first name exists in the whitelist, the method comprises:
    receiving designated names input by a user, each corresponding to one of a plurality of designated DLL files;
    entering all the designated names into a pre-created first list;
    encrypting the first list, obtaining the whitelist.
  11. The computer device according to claim 9, wherein the step of verifying the signature of the first DLL file according to a first preset rule, obtaining a verification result, comprises:
    acquiring the resource source of the first DLL file, and judging whether the first DLL file is a resource released by a third party;
    if the first DLL file is a resource released by a third party, judging whether the first DLL file contains a corresponding organization signing certificate;
    if the first DLL file contains the organization signing certificate, acquiring the latest version of the certificate revocation list of the certification authority corresponding to the organization signing certificate;
    judging whether the certificate revocation list contains the organization signing certificate;
    if the certificate revocation list does not contain the first certificate, determining that the first DLL file passes verification;
    if the certificate revocation list contains the first certificate, determining that the first DLL file fails verification.
  12. The computer device according to claim 11, wherein after the step of acquiring the resource source of the first DLL file and judging whether the first DLL file is a resource released by a third party, the method comprises:
    if the first DLL file is not a resource released by a third party, extracting a first digital signature of the first DLL file;
    invoking a public key pre-stored in the driver to decrypt the first digital signature, obtaining a first hash value;
    performing a hash calculation on the body content of the first DLL file, obtaining a second hash value;
    judging whether the first hash value and the second hash value are the same;
    if the first hash value is the same as the second hash value, determining that the first DLL file passes verification;
    if the first hash value is not the same as the second hash value, determining that the first DLL file fails verification.
  13. The computer device according to claim 9, wherein after the step of performing corresponding processing on the copy request according to the verification result, the method comprises:
    running the application;
    acquiring running data generated by the application while it runs, and evaluating the running data according to a second preset rule, obtaining a corresponding evaluation result, where the evaluation result is either that the driver is compatible with the application or that the driver is incompatible with the application;
    performing corresponding processing on the driver or the application according to the evaluation result.
  14. The computer device according to claim 13, wherein the running data includes a running log, and the step of acquiring running data generated by the application while it runs and evaluating the running data according to a second preset rule, obtaining a corresponding evaluation result, comprises:
    acquiring the running log generated by the application while it runs;
    judging whether the running log contains error data and/or abnormal data;
    if it does, determining that the driver is incompatible with the application;
    if it does not, determining that the driver is compatible with the application.
  15. The computer device according to claim 13, wherein the running data includes process identifiers of running processes, and the step of acquiring running data generated by the application while it runs and evaluating the running data according to a second preset rule, obtaining a corresponding evaluation result, comprises:
    acquiring the PIDs of all running processes corresponding to the application;
    judging whether the PID of a designated running process changes within a first preset time period, where the designated running process is one or more of all the running processes;
    if it does, determining that the driver is incompatible with the application;
    if it does not, determining that the driver is compatible with the application.
  16. A computer-readable storage medium storing a computer program which, when executed by a processor, implements a method for preventing dynamic link library (DLL) file hijacking, the method comprising the following steps:
    before the application is started for the first time, creating a driver corresponding to the application;
    judging whether a copy request for copying an external first DLL file into a designated directory of the application is received, the copy request taking the form of an I/O request;
    if the copy request is received, extracting a first name of the first DLL file from the copy request;
    reading a preset whitelist through the driver and judging whether the first name exists in the whitelist, the whitelist storing a plurality of designated names;
    if the first name exists in the whitelist, verifying the signature of the first DLL file according to a first preset rule to obtain a corresponding verification result;
    processing the copy request according to the verification result.
  17. The computer-readable storage medium according to claim 16, wherein before the step of reading the preset whitelist through the driver and judging whether the first name exists in the whitelist, the method comprises:
    receiving designated names, input by a user, each corresponding to one of a plurality of designated DLL files;
    entering all the designated names into a pre-created first list;
    encrypting the first list to obtain the whitelist.
  18. The computer-readable storage medium according to claim 16, wherein the step of verifying the signature of the first DLL file according to the first preset rule to obtain the verification result comprises:
    acquiring the resource source of the first DLL file and judging whether the first DLL file is a resource published by a third party;
    if the first DLL file is a resource published by a third party, judging whether the first DLL file contains a corresponding institution signature certificate;
    if the first DLL file contains the institution signature certificate, acquiring the latest version of the certificate revocation list of the certification authority corresponding to the institution signature certificate;
    judging whether the certificate revocation list contains the institution signature certificate;
    if the certificate revocation list does not contain the institution signature certificate (the first certificate), determining that the first DLL file passes verification;
    if the certificate revocation list contains the first certificate, determining that the first DLL file fails verification.
  19. The computer-readable storage medium according to claim 18, wherein after the step of acquiring the resource source of the first DLL file and judging whether the first DLL file is a resource published by a third party, the method comprises:
    if the first DLL file is not a resource published by a third party, extracting a first digital signature of the first DLL file;
    decrypting the first digital signature with a public key pre-stored in the driver to obtain a first hash value;
    computing a hash of the body content of the first DLL file to obtain a second hash value;
    judging whether the first hash value is identical to the second hash value;
    if the first hash value is identical to the second hash value, determining that the first DLL file passes verification;
    if the first hash value is not identical to the second hash value, determining that the first DLL file fails verification.
  20. The computer-readable storage medium according to claim 18, wherein after the step of processing the copy request according to the verification result, the method comprises:
    running the application;
    acquiring running data generated while the application runs and evaluating it according to a second preset rule to obtain a corresponding evaluation result, the evaluation result being either that the driver is compatible with the application or that the driver is not compatible with the application;
    processing the driver or the application according to the evaluation result.
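Worked example of the copy-request decision described in claims 16 to 19, added here as an illustration; it is not code from the patent or from its applicant. It models in user-space Python what the claims place in a kernel driver: the file-name whitelist (claim 16), the third-party path of institution certificate plus CRL lookup (claim 18), and the first-party path of recovering a hash from the signature with the driver's public key and comparing it with a hash of the DLL body (claim 19). Everything concrete is an assumption: the whitelist entries, the constructed requests, the per-CA CRL dictionary, the third_party flag standing in for "resource source", and a deterministic textbook RSA key, chosen because the claim's wording (decrypt the signature to obtain the hash) describes raw RSA; a real driver would rely on the platform's Authenticode verification rather than raw RSA. Two choices go beyond the claims and are marked as such in the code: a name absent from the whitelist is denied, and a third-party certificate must come from a known CA, because a CRL check alone accepts any certificate an attacker issued to himself. The constructed cases show why the whitelist cannot carry the security on its own: the classic hijack drops an attacker file under an already whitelisted name such as version.dll, and only the signature step rejects it.

```python
import hashlib
import random
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin, adequate for an illustrative key only."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_keypair(seed: int = 2019, bits: int = 256) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Deterministic toy RSA key ((n, e), (n, d)); n > 2**256 so a SHA-256 digest fits (assumed scheme)."""
    rng, e = random.Random(seed), 65537

    def prime() -> int:
        while True:
            c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if _is_probable_prime(c, rng):
                return c

    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def body_hash(body: bytes) -> int:
    """Claim 19's 'second hash value': SHA-256 over the DLL body, as an integer."""
    return int.from_bytes(hashlib.sha256(body).digest(), "big")


def sign_body(body: bytes, private_key: Tuple[int, int]) -> int:
    """Vendor-side signing of a first-party DLL (raw RSA, illustrative only)."""
    n, d = private_key
    return pow(body_hash(body), d, n)


@dataclass
class CopyRequest:
    """Stand-in for the intercepted I/O request of claim 16 (constructed fields)."""
    file_name: str                           # the 'first name' taken from the request
    body: bytes                              # DLL bytes headed for the application directory
    third_party: bool                        # claim 18: published by a third party? (assumed flag)
    cert: Optional[Tuple[str, str]] = None   # (issuer, serial) of the institution certificate
    signature: Optional[int] = None          # first-party signature over SHA-256(body)


class DllCopyPolicy:
    def __init__(self, whitelist: Set[str], public_key: Tuple[int, int], crls: Dict[str, Set[str]]):
        self.whitelist = {w.lower() for w in whitelist}
        self.public_key = public_key
        self.crls = crls  # known CA -> serials on its latest CRL (constructed)

    def verify_third_party(self, req: CopyRequest) -> bool:
        if req.cert is None:            # claim 18: no institution certificate at all
            return False
        issuer, serial = req.cert
        if issuer not in self.crls:     # added check, beyond claim 18: unknown CA is not trusted
            return False
        return serial not in self.crls[issuer]

    def verify_first_party(self, req: CopyRequest) -> bool:
        if req.signature is None:
            return False
        n, e = self.public_key
        first_hash = pow(req.signature, e, n)      # claim 19: 'decrypt' with the driver's public key
        return first_hash == body_hash(req.body)   # must equal the hash of the body being copied

    def decide(self, req: CopyRequest) -> str:
        if req.file_name.lower() not in self.whitelist:   # assumed: fail closed on unknown names
            return "DENY:not-whitelisted"
        ok = self.verify_third_party(req) if req.third_party else self.verify_first_party(req)
        return "ALLOW" if ok else "DENY:signature"


def demo() -> Dict[str, str]:
    """Constructed requests; the hijack case reuses a whitelisted name and only the signature step stops it."""
    pub, priv = make_keypair()
    policy = DllCopyPolicy({"version.dll", "libcurl.dll"}, pub, {"Example CA": {"0x2a"}})
    good = b"MZ... legitimate version.dll built by the vendor"
    reqs = {
        "vendor_build": CopyRequest("version.dll", good, False, signature=sign_body(good, priv)),
        "hijack_same_name": CopyRequest("version.dll", b"MZ... attacker payload", False, signature=12345),
        "tampered_body": CopyRequest("version.dll", good + b"\x90", False, signature=sign_body(good, priv)),
        "third_party_ok": CopyRequest("libcurl.dll", b"MZ...", True, cert=("Example CA", "0x1f")),
        "third_party_revoked": CopyRequest("libcurl.dll", b"MZ...", True, cert=("Example CA", "0x2a")),
        "third_party_unknown_ca": CopyRequest("libcurl.dll", b"MZ...", True, cert=("Self Signed", "0x01")),
        "not_whitelisted": CopyRequest("evil.dll", b"MZ...", False),
    }
    return {name: policy.decide(req) for name, req in reqs.items()}
```

demo() returns one decision per constructed request; decide() is the point at which the driver of claim 16 would complete or fail the I/O request. The tampered_body case is the one to watch: a valid vendor signature copied onto a modified file still fails, because the recovered first hash no longer matches the hash computed over the bytes actually being written.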
PCT/CN2020/088014 2019-08-30 2020-04-30 Method and apparatus for preventing dynamic link library file hijacking, and computer device WO2021036322A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910817923.9A CN110688661A (en) 2019-08-30 2019-08-30 Method and device for preventing dynamic link library file hijacking and computer equipment
CN201910817923.9 2019-08-30

Publications (1)

Publication Number Publication Date
WO2021036322A1 true WO2021036322A1 (en) 2021-03-04

Family

ID=69107719

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/088014 WO2021036322A1 (en) 2019-08-30 2020-04-30 Method and apparatus for preventing dynamic link library file hijacking, and computer device

Country Status (2)

Country Link
CN (1) CN110688661A (en)
WO (1) WO2021036322A1 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110688661A (en) * 2019-08-30 2020-01-14 深圳壹账通智能科技有限公司 Method and device for preventing dynamic link library file hijacking and computer equipment
CN110928609B (en) * 2020-01-20 2020-06-16 武汉斗鱼鱼乐网络科技有限公司 Method, device and medium for marking equipment and computer equipment
CN111368299A (en) * 2020-03-02 2020-07-03 西安四叶草信息技术有限公司 Dynamic link library file hijacking detection method, device and storage medium
CN111159707A (en) * 2020-04-07 2020-05-15 北京安博通科技股份有限公司 Malicious DLL injection detection method and device
CN112257058A (en) * 2020-10-12 2021-01-22 麒麟软件有限公司 Trusted computing verification method and system for operating system
CN112637146A (en) * 2020-12-09 2021-04-09 恒生电子股份有限公司 Method and device for preventing injection, electronic equipment and computer readable storage medium
CN113760393A (en) * 2021-09-22 2021-12-07 杭州安恒信息技术股份有限公司 Protection method, device, equipment and medium for dynamic link library
CN115118516A (en) * 2022-07-18 2022-09-27 浪潮卓数大数据产业发展有限公司 Method, system and medium for integrated resource management

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102855274A (en) * 2012-07-17 2013-01-02 北京奇虎科技有限公司 Method and device for detecting suspicious progresses
CN103778375A (en) * 2012-10-24 2014-05-07 腾讯科技(深圳)有限公司 Device and method for preventing user equipment from loading illegal dynamic link library file
US20190163900A1 (en) * 2018-11-16 2019-05-30 Intel Corporation Methods, systems, articles of manufacture and apparatus to detect process hijacking
CN110688661A (en) * 2019-08-30 2020-01-14 深圳壹账通智能科技有限公司 Method and device for preventing dynamic link library file hijacking and computer equipment

Also Published As

Publication number Publication date
CN110688661A (en) 2020-01-14

Similar Documents

Publication Publication Date Title
WO2021036322A1 (en) Method and apparatus for preventing dynamic link library file hijacking, and computer device
US7802294B2 (en) Controlling computer applications' access to data
US9767280B2 (en) Information processing apparatus, method of controlling the same, information processing system, and information processing method
US20070186112A1 (en) Controlling execution of computer applications
US20060236122A1 (en) Secure boot
US9058504B1 (en) Anti-malware digital-signature verification
JP4975127B2 (en) Apparatus for providing tamper evidence to executable code stored on removable media
JP4844102B2 (en) Subprogram and information processing apparatus for executing the subprogram
CN113646761A (en) Providing application security, authentication and feature analysis to applications
CA2951914C (en) Restricted code signing
JP2001216173A (en) Method and system for preparing and using virus-free file certificate
GB2566264A (en) Application certificate
US9665711B1 (en) Managing and classifying states
WO2016165215A1 (en) Method and apparatus for loading code signing on applications
KR20170089352A (en) Firmware integrity verification for performing the virtualization system
JP4680562B2 (en) Secure identification of executable files for trust determination entities
JP2019008738A (en) Verification device
CN116956240A (en) Bypass Google safe net authentication method and related components
CN116707758A (en) Authentication method, equipment and server of trusted computing equipment
CN111538972A (en) System and method for verifying attack resilience in digital signatures of documents
US20210209240A1 (en) Information processing device, information processing method, information processing program, and information processing system
Halim et al. A lightweight binary authentication system for windows
CN111538971B (en) System and method for verifying digital signatures of files
CN117527439A (en) Digital certificate verification method, device, equipment and medium based on embedded certificate
CN114721693A (en) Microprocessor, BIOS firmware updating method, computer equipment and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20856340

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 28/06/2022)

122 Ep: pct application non-entry in european phase

Ref document number: 20856340

Country of ref document: EP

Kind code of ref document: A1