WO2024078348A1 - Method, apparatus and medium for processing registry operations in an application migration environment - Google Patents
- Publication number: WO2024078348A1 (PCT/CN2023/122242)
- Authority: WO, WIPO (PCT)
- Prior art keywords: registry, call request, processing, target, option
- Prior art date
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F9/00—Arrangements for program control, e.g. control units
        - G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
          - G06F9/44—Arrangements for executing specific programs
            - G06F9/445—Program loading or initiating
              - G06F9/44505—Configuring for program initiating, e.g. using registry, configuration files
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
        - G06F16/10—File systems; File servers
          - G06F16/13—File access structures, e.g. distributed indices
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F8/00—Arrangements for software engineering
        - G06F8/70—Software maintenance or management
          - G06F8/76—Adapting program code to run in a different environment; Porting
Definitions
- the embodiments of the present application relate to the technical field of application migration, and in particular, to a method, device and medium for processing registry operations in an application migration environment.
- the application of the second operating system can be migrated to the first operating system by using compatibility layer software such as Wine (Wine Is Not an Emulator).
- the compatibility layer software maintains the registry, which stores various parameters to control the loading of hardware drivers and the normal operation of Windows applications; once the registry is tampered with or damaged, it is likely to cause abnormalities in Windows applications.
- the relevant technology will detect the registry operation from the direction of the dynamic link library.
- the specific detection process includes: obtaining the registry operation function from the dynamic link library, saving the address of the registry operation function as the original address, and replacing the address of the registry operation function with the address of the Hook function; when any program performs a registry operation, the Hook function obtains the corresponding operation information and judges the operation information. If the judgment result indicates that the registry operation corresponds to a malicious operation, the registry operation is prohibited.
- the embodiment of the present application provides a method for processing registry operations in an application transplantation environment, which can improve the detection accuracy of registry operations, improve the matching degree between the processing results of registry operations and the personalized needs of users, and simplify the processing flow of the registry path, thereby improving the processing efficiency of the registry path.
- the embodiment of the present application also provides a processing device for registry operations in an application transplantation environment, an electronic device and a machine-readable medium to ensure the implementation and application of the above method.
- an embodiment of the present application discloses a method for processing registry operations in an application transplantation environment, the method being applied to a compatibility layer software running on a first operating system; the method comprising:
- processing options are displayed; the processing options include: a prohibition option, an allow option, and an add trust option; the add trust option is used to set the registry path corresponding to the target call request as a trust path;
- the registry operation corresponding to the target call request is processed according to the target processing option selected by the user.
- an embodiment of the present application discloses a device for processing registry operations in an application transplantation environment, the device comprising: a registry processing module, a detection module, a query module and a display module;
- the registry processing module, the detection module and the query module are located on the compatible layer service process side corresponding to the compatible layer software, and the display module is located on the window service process side corresponding to the compatible layer software;
- the registry processing module is used to receive a call request sent by an application of the second operating system for an API, obtain a target call request related to the registry operation from the call request according to a preset identifier carried in the call request, and send a registry path corresponding to the target call request to the detection module;
- the detection module is used to send the registry path corresponding to the target call request to the query module;
- the query module is used to call the database interface and/or the trust list interface, detect the registry operation corresponding to the target call request according to the registry path corresponding to the target call request, and return the detection result to the detection module;
- the detection module is further configured to send a processing option to the display module when the detection result indicates that the registry operation is a malicious operation;
- the display module is used to display the processing options; the processing options include: a prohibition option, an allow option and an add trust option; the add trust option is used to set the registry path corresponding to the target call request as a trust path;
- the registry processing module is further used to process the registry operation corresponding to the target call request according to the target processing option selected by the user.
- an embodiment of the present application discloses a device for processing registry operations in an application transplantation environment, the device being applied to a compatibility layer software running on a first operating system; the device comprising:
- a receiving module configured to receive, via a compatibility layer service process, a call request sent by an application of the second operating system for the API;
- an acquisition module used for acquiring a target call request related to a registry operation from the call request according to a preset identifier carried in the call request;
- a detection module used for detecting the registry operation corresponding to the target call request to obtain a corresponding detection result;
- the display module is used to display processing options when the detection result indicates that the registry operation is a malicious operation; the processing options include: a prohibition option, an allow option, and an add trust option; the add trust option is used to set the registry path corresponding to the target call request as a trusted path;
- the processing module is used to process the registry operation corresponding to the target call request according to the target processing option selected by the user.
- the detection module includes:
- a first detection module is used to search in a database according to a registry path corresponding to the target call request; the database records a registry path corresponding to the malicious operation; or
- the second detection module is used to determine whether there is a registry path corresponding to the target call request in the trust list to obtain a corresponding determination result; the trust list records the registry path corresponding to the trust operation; or
- the third detection module is used to determine whether the registry path corresponding to the target call request exists in the trust list to obtain a corresponding judgment result. If the judgment result is not present, a search is performed in the database according to the registry path corresponding to the target call request; the database records the registry path corresponding to the malicious operation; the trust list records the registry path corresponding to the trusted operation.
- the processing module includes:
- a first processing module is used to prohibit the registry operation corresponding to the target call request when the target processing option selected by the user is a prohibition option;
- a second processing module is used to allow the registry operation corresponding to the target call request when the target processing option selected by the user is an allow option;
- the third processing module is used to allow the registry operation corresponding to the target call request and add the registry path corresponding to the target call request to the trust list when the target processing option selected by the user is the add trust option.
- the device further comprises:
- the operation permission module is used to allow the registry operation corresponding to the target call request when the detection result indicates that the registry operation is a normal operation or a trusted operation.
- the acquisition module sends the registry path corresponding to the target call request to the detection module; the detection module sends the registry path corresponding to the target call request to the query module; the query module calls the database interface and/or the trust list interface, detects the registry operation corresponding to the target call request according to the registry path corresponding to the target call request, and returns the detection result to the detection module.
- when the detection result indicates that the registry operation is a malicious operation, the detection module sends a processing option to the display module so that the display module displays the processing option.
- an embodiment of the present application discloses an electronic device, comprising: a processor; and a memory, on which executable code is stored, and when the executable code is executed, the processor executes the method described in the embodiment of the present application.
- the present application discloses a machine-readable medium having executable code stored thereon.
- the processor executes the method described in the embodiment of the present application.
- a call request sent by the application of the second operating system for the API is received via the compatibility layer service process, and a target call request related to the registry operation is obtained from the call request according to the preset identifier carried in the call request.
- the compatibility layer service process is responsible for the communication with the application process, and the application process represents the application of the second operating system and sends a call request for the API to the compatibility layer service process; therefore, the compatibility layer service process can play a role in aggregating the call requests.
- the embodiment of the present application receives the call request sent by the application of the second operating system for the API via the compatibility layer service process, which can avoid the omission of the target call request related to the registry operation. On this basis, it can avoid the occurrence of detection omissions, thereby improving the detection accuracy of the registry operation.
- the embodiment of the present application detects the registry operation corresponding to the target call request; when the detection result indicates that the registry operation is a malicious operation, a processing option is displayed, and the registry operation corresponding to the target call request is processed according to the target processing option selected by the user. Because the user is given the right to select the processing option, and the registry operation is processed according to the option selected, the embodiment of the present application can improve the matching degree between the processing result of the registry operation and the personalized needs of the user.
- the processing options of the embodiment of the present application include adding a trust option, and the adding trust option is used to set the registry path corresponding to the target call request as a trust path, and the trust path can represent the registry path trusted by the user, and the detection result corresponding to the trust path can be a trust operation. Since the embodiment of the present application allows the registry operation corresponding to the target call request when the detection result represents that the registry operation is a trust operation, the registry operation corresponding to the target call request can be allowed in the case of saving the operation of displaying the processing options and the user selecting the target processing options; therefore, the embodiment of the present application can simplify the processing flow of the registry path and improve the processing efficiency of the registry path.
- FIG. 1 is a schematic flow chart of a method for processing registry operations in an application migration environment according to an embodiment of the present application;
- FIG. 2 is a schematic diagram of the structure of a processing device for registry operations in an application migration environment according to an embodiment of the present application;
- FIG. 3 is a schematic flow chart of the steps of a method for processing registry operations in an application migration environment according to an embodiment of the present application;
- FIG. 4 is a schematic diagram of the structure of a processing device for registry operations in an application migration environment according to an embodiment of the present application;
- FIG. 5 is a schematic diagram of the structure of an apparatus provided in one embodiment of the present application.
- the compatibility layer software is a compatibility layer that can run the application of the second operating system on multiple POSIX (Portable Operating System Interface) compatible first operating systems.
- the compatibility layer software can translate the Windows API call into a dynamic POSIX call, so that the Windows application can run in the first operating system other than Windows.
- Examples of the first operating system may include: Linux, macOS (Macintosh Operating System) and BSD (Berkeley Software Distribution), etc.
- Examples of the second operating system may include: Windows operating system (Windows operating system), etc. It can be understood that the embodiments of the present application do not limit the specific first operating system and the second operating system.
- the compatibility layer software may include: a compatibility layer service process (wineserver) and a set of dynamic link libraries.
- for the GUI (Graphic User Interface), the compatibility layer software may rely on a bitmap display window system.
- the first operating system may include the following processes related to the Windows application:
- the application process of the Windows application; calls to the dynamic link library run in the context of this process.
- the application process calls down layer by layer through the dynamic link library provided by the compatibility layer software.
- the application process often communicates with the compatibility layer service process through a socket to accept the management and coordination of the compatibility layer service process; on the other hand, it may communicate with the window service process corresponding to the bitmap display window system through a socket, send graphic operation requests to it, and receive keyboard and mouse input.
- the compatibility layer service process, whose specific functions include: providing a means of communication and synchronization between application processes; managing application processes and threads; registry services, etc.
- the window service process whose functions include: graphics display, and keyboard and mouse input.
- the registry operation detection from the direction of the dynamic link library may result in the omission of the registry operation function, which will result in the omission of the detection, thereby making the detection accuracy of the registry operation low.
- the embodiment of the present application provides a method for processing registry operations in an application transplantation environment, the method can be applied to compatible layer software running on a first operating system; the method can specifically include: receiving a call request sent by an application program of a second operating system for an API via a compatible layer service process; obtaining a target call request related to the registry operation from the call request according to a preset identifier carried in the call request; detecting the registry operation corresponding to the target call request to obtain a corresponding detection result; displaying processing options when the detection result indicates that the registry operation is a malicious operation; the processing options include: a prohibition option, an allow option and an add trust option; the add trust option is used to set the registry path corresponding to the target call request as a trust path; and processing the registry operation corresponding to the target call request according to the target processing option selected by the user.
- the embodiment of the present application receives a call request sent by the application of the second operating system for an API via a compatibility layer service process, and obtains a target call request related to the registry operation from the call request according to a preset identifier carried in the call request.
- the compatibility layer service process is responsible for communication with the application process, and the application process represents the application of the second operating system and sends a call request for the API to the compatibility layer service process; therefore, the compatibility layer service process can play a role in aggregating the call requests.
- the embodiment of the present application receives a call request sent by the application of the second operating system for an API via a compatibility layer service process, which can avoid the omission of the target call request related to the registry operation; on this basis, the embodiment of the present application can avoid the occurrence of detection omissions, thereby improving the detection accuracy of the registry operation.
- the embodiment of the present application detects the registry operation corresponding to the target call request; when the detection result indicates that the registry operation is a malicious operation, it displays processing options and processes the registry operation corresponding to the target call request according to the target processing option selected by the user. Because the user is given the right to select the processing option, and the registry operation is processed according to the option selected, the embodiment of the present application can improve the matching degree between the processing result of the registry operation and the personalized needs of the user.
- the processing options of the embodiment of the present application include adding a trust option, which is used to set the registry path corresponding to the target call request as a trust path.
- the trust path can represent a registry path trusted by the user, and the detection result corresponding to the trust path can be a trust operation; in this way, when the registry path corresponding to the target call request appears subsequently, the corresponding registry operation can be allowed, so the embodiment of the present application can simplify the processing flow of the registry path and improve the processing efficiency of the registry path.
- referring to FIG. 1, a schematic flow chart of a method for processing registry operations in an application transplantation environment according to an embodiment of the present application is shown.
- the method can be applied to a compatibility layer software running on a first operating system.
- the method can specifically include the following steps:
- Step 101: receive, via the compatibility layer service process, a call request for an API sent by an application of the second operating system;
- Step 102: according to the preset identifier carried in the call request, obtain a target call request related to the registry operation from the call request;
- Step 103: detect the registry operation corresponding to the target call request to obtain a corresponding detection result;
- Step 104: if the detection result indicates that the registry operation is a malicious operation, display processing options; the processing options specifically include: a prohibition option, an allow option, and an add trust option; the add trust option is used to set the registry path corresponding to the target call request as a trusted path;
- Step 105: process the registry operation corresponding to the target call request according to the target processing option selected by the user.
- the compatibility layer service process may establish a connection such as a socket with the application process of the application of the second operating system; thus, the compatibility layer service process may utilize the connection to receive a call request sent by the application of the second operating system for an API.
- the call request may include: a target call request related to the registry operation, and may also include: a non-target call request unrelated to the registry operation.
- the embodiment of the present application can obtain the target call request related to the registry operation from the call request according to the preset identifier carried in the call request.
- the compatibility layer service process can pre-set a preset identifier corresponding to the registry operation so that the application process carries the preset identifier in the call request.
- the compatibility layer service process can also save the mapping relationship between the preset identifier and the registry operation information; in this way, the information in the call request can be matched with the preset identifier in the mapping relationship. If the match is successful, the call request can be considered to be a target call request related to the registry operation.
- the registry operation information may represent one or more registry operation categories, such as registry addition category, registry modification category, or registry deletion category.
- in step 103, the registry operation corresponding to the target call request is detected, and the obtained detection result may include: malicious operation, normal operation, or trusted operation.
- Technical Solution 1: search in a database according to the registry path corresponding to the target call request; the database records the registry path corresponding to the malicious operation; or
- Technical Solution 3: determine whether the registry path corresponding to the target call request exists in the trust list to obtain the corresponding judgment result. If the judgment result is not present, search in the database according to the registry path corresponding to the target call request; the database records the registry path corresponding to the malicious operation; the trust list records the registry path corresponding to the trusted operation.
- Technical solution 1 can use the database to detect the registry operation corresponding to the target call request. In other words, a search is performed in the database. If the registry path corresponding to the target call request exists in the database, the detection result may be a malicious operation; or, if the registry path corresponding to the target call request does not exist in the database, the detection result may be a normal operation.
- the database records the registry path corresponding to the malicious operation.
- referring to Table 1, a schematic diagram of a database of an embodiment of the present application is shown; the database may specifically include: a registry path field and a description field.
- the registry path may refer to the path corresponding to the registry item on the disk.
- the embodiment of the present application does not limit the collection method of the registry path corresponding to the malicious operation in the database. In practical applications, it can be determined whether the historical registry operation in the registry operation log is a malicious operation. If so, the registry path corresponding to the historical registry behavior is written into the database.
- one collection method can match historical registry operations in the registry operation log with registry operation rules. If the match is successful, the historical registry operation can be considered a malicious operation, and the corresponding registry path can be written into the database.
- the registry operation rules can be determined by technical personnel in this field according to actual application requirements.
- the registry operation rules may include but are not limited to: modifying the system startup association, obtaining browser proxy information, and disabling the operating system's function for showing hidden system files.
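The rule-based collection method just described, as an added example that is not the patent's or Wine's code: a registry operation log is parsed, each historical operation is matched against a rule (operation category plus registry path prefix), and matching paths are written into a database with the two fields of Table 1 (registry path, description). The log line layout, the sample log, and the concrete registry keys used to express the three rule examples named on the page are assumptions made here for illustration.

```python
import re
from collections import namedtuple

# A rule pairs a registry operation category with a registry path prefix and
# the text that the database's description field will carry.
Rule = namedtuple("Rule", "category path_prefix description")

# Assumed rule set expressing the three rule examples named on the page. The
# registry locations are well-known Windows keys chosen for illustration; which
# keys a real deployment covers is left open by the page.
RULES = [
    Rule("modify", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
         "modifying the system startup association"),
    Rule("modify", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
         "modifying the system startup association"),
    Rule("query", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer",
         "obtaining browser proxy information"),
    Rule("modify", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
         "disabling the operating system's show-hidden-files function"),
]

# Constructed log line layout (an assumption): "<time> pid=<n> op=<category> path=<registry path>"
LOG_LINE = re.compile(
    r"^(?P<time>\S+) pid=(?P<pid>\d+) op=(?P<category>add|modify|delete|query) path=(?P<path>.+)$"
)

# Constructed sample registry operation log; the last line is deliberately malformed.
SAMPLE_LOG = [
    r"2024-01-01T10:00:00 pid=1201 op=query path=HKCU\Software\Example\Settings",
    r"2024-01-01T10:00:01 pid=1201 op=modify path=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
    r"2024-01-01T10:00:02 pid=1305 op=query path=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer",
    r"2024-01-01T10:00:03 pid=1305 op=add path=HKLM\Software\Example\Install",
    r"2024-01-01T10:00:04 pid=1410 op=modify path=HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\x",
    r"2024-01-01T10:00:05 pid=1410 op=modify path=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
    "this line does not follow the log layout",
]


def parse_log(lines):
    """Yield parsed historical registry operations; malformed lines are skipped."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def path_under(path, prefix):
    """True if path equals prefix or lies beneath it; a plain startswith would
    wrongly put ...\RunOnceEx under ...\Run."""
    p, q = path.lower(), prefix.lower()
    return p == q or p.startswith(q + "\\")


def match_rule(category, path):
    """Return the first rule the operation matches, else None."""
    for rule in RULES:
        if rule.category == category and path_under(path, rule.path_prefix):
            return rule
    return None


def collect_database(log_lines):
    """Build {registry path: description}, the two fields of Table 1, from a log."""
    database = {}
    for op in parse_log(log_lines):
        rule = match_rule(op["category"], op["path"])
        if rule is not None:
            database.setdefault(op["path"], rule.description)
    return database


if __name__ == "__main__":
    for path, description in collect_database(SAMPLE_LOG).items():
        print(f"{path}\t{description}")
```

Running it on the constructed log yields three database rows (the Run value, the ProxyServer query, the Hidden value); the RunOnceEx write and the malformed line are not recorded. Matching on the full path rather than a prefix is what keeps neighbouring keys out of the database, which matters because a path that lands here will later block an application until the user chooses an option.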
- another collection method can use a machine learning classifier.
- the classifier can be trained using samples of malicious operations and samples of normal operations so that the classifier has the ability to classify malicious operations or normal operations; in this way, the historical registry operations in the registry operation log are input into the classifier, and the classification results output by the classifier can characterize whether the historical registry operation is malicious behavior. If so, the registry path corresponding to the historical registry behavior is written into the database.
- Technical Solution 2 can detect the registry operation corresponding to the target call request using the trust list. Specifically, it is determined whether the registry path corresponding to the target call request exists in the trust list. If the determination result is yes, the detection result is a trust operation.
- the trust list may record the registry path corresponding to the trust operation. Those skilled in the art may add the registry path corresponding to the trust operation to the trust list according to actual application requirements. Alternatively, when the target processing option selected by the user is to add the trust option, the registry path corresponding to the target call request is added to the trust list.
- Technical solution 3 can use the trust list and the database in sequence to detect the registry operation corresponding to the target call request. If the registry path corresponding to the target call request is not in the trust list and exists in the database, the detection result may be a malicious operation; or, if the registry path corresponding to the target call request does not exist in the database, the detection result may be a normal operation.
- in step 104, if the detection result indicates that the registry operation is a malicious operation, a processing option may be displayed. Because the user is given the right to select the processing option, and the registry operation corresponding to the target call request is processed according to the target processing option selected, the embodiment of the present application can make the processing result of the registry operation meet the personalized needs of the user.
- in step 105, the registry operation corresponding to the target call request may be processed according to the target processing option selected by the user.
- Processing method 1: when the target processing option selected by the user is the prohibition option, prohibit the registry operation corresponding to the target call request; or
- Processing method 2: when the target processing option selected by the user is the allow option, allow the registry operation corresponding to the target call request; or
- Processing method 3: when the target processing option selected by the user is the add trust option, allow the registry operation corresponding to the target call request and add the registry path corresponding to the target call request to the trust list.
- the method of the embodiment of the present application may further include: when the detection result indicates that the registry operation is a normal operation or a trusted operation, allowing the registry operation corresponding to the target call request.
- the method for processing registry operations in the application transplantation environment of the embodiment of the present application receives, via the compatibility layer service process, a call request sent by the application of the second operating system for the API, and obtains a target call request related to the registry operation from the call request according to a preset identifier carried in the call request.
- the compatibility layer service process is responsible for communication with the application process, and the application process represents the application of the second operating system and sends a call request for the API to the compatibility layer service process; therefore, the compatibility layer service process can play a role in aggregating the call requests.
- the embodiment of the present application receives, via the compatibility layer service process, a call request sent by the application of the second operating system for the API, which can avoid the omission of the target call request related to the registry operation; on this basis, the embodiment of the present application can avoid the occurrence of detection omissions, thereby improving the detection accuracy of the registry operation.
- the embodiment of the present application detects the registry operation corresponding to the target call request, and when the detection result indicates that the registry operation is a malicious operation, a processing option is displayed, and the registry operation corresponding to the target call request is processed according to the target processing option selected by the user. Since the embodiment of the present application gives the user the right to select the processing option, and processes the registry operation corresponding to the target call request according to the target processing option selected by the user; therefore, the embodiment of the present application can improve the matching degree between the processing result of the registry operation and the personalized needs of the user.
- the processing options of the embodiment of the present application include an add trust option, which is used to set the registry path corresponding to the target call request as a trust path; the trust path can represent a registry path trusted by the user, and the detection result corresponding to the trust path can be a trust operation. Since the embodiment of the present application allows the registry operation corresponding to the target call request when the detection result indicates that the registry operation is a trust operation, a later registry operation on that path can be allowed without displaying the processing options and without the user selecting a target processing option; therefore, the embodiment of the present application can simplify the processing flow of the registry path and improve the processing efficiency of the registry path.
- the method of the embodiment of the present application can be executed by a processing device for registry operation in an application transplantation environment.
- a processing device for registry operation in an application transplantation environment of an embodiment of the present application may include: a registry processing module 201, a detection module 202, a query module 203 and a display module 204.
- the registry processing module 201, the detection module 202 and the query module 203 may be located on the compatible layer service process side, and the display module 204 may be located on the window service process side.
- the registry processing module 201 is used to receive a call request sent by an application of the second operating system for an API, obtain a target call request related to a registry operation from the call request according to a preset identifier carried in the call request, and send a registry path corresponding to the target call request to the detection module 202;
- the detection module 202 is used to send the registry path corresponding to the target call request to the query module 203;
- the query module 203 is used to call the database interface and/or the trust list interface, detect the registry operation corresponding to the target call request according to the registry path corresponding to the target call request, and return the detection result to the detection module 202;
- the detection module 202 is further configured to send a processing option to the display module 204 if the detection result indicates that the registry operation is a malicious operation;
- the display module 204 is used to display the processing options;
- the processing options may specifically include: a prohibition option, an allow option and an add trust option;
- the add trust option is used to set the registry path corresponding to the target call request as a trust path;
- the registry processing module 201 is further used to process the registry operation corresponding to the target call request according to the target processing option selected by the user.
- the registry processing module 201 in the related art usually allows all registry operations corresponding to the target call request.
- the registry processing module 201 in the embodiment of the present application will process the registry operation corresponding to the target call request based on the detection result and the target processing option selected by the user with the help of the processing results of the detection module 202, the query module 203 and the display module 204, which can not only improve the detection accuracy of the registry operation, but also improve the matching degree between the processing result of the registry operation and the personalized needs of the user.
- the process of detecting the registry operation corresponding to the target call request may specifically include:
- the registry processing module 201 sends the registry path corresponding to the target call request to the detection module 202;
- the detection module 202 sends the registry path corresponding to the target call request to the query module 203;
- the query module 203 calls the database interface and/or the trust list interface, detects the registry operation corresponding to the target call request according to the registry path corresponding to the target call request, and returns the detection result to the detection module 202.
- the detection module 202 can provide a detection interface to the registry processing module 201 in the form of a dynamic link library for the registry processing module 201 to call.
- Table 2 shows a schematic diagram of a detection interface in an embodiment of the present application, wherein different detection interfaces are set for different registry operation categories, and a detection interface can also be called a detection function.
- For example, for the processing function DECL_HANDLER set_key_value, the reg_change_check function detects the registry operation corresponding to the target call request A.
- the query module 203 may provide a query interface and an add trust interface to the detection module 202 in the form of a dynamic link library, so that the detection module 202 can call them.
- Table 3 shows a schematic diagram of a query interface of an embodiment of the present application, wherein different query interfaces can be set for different registry operation categories, and a query interface can also be called a query function.
- When a query interface is called, the database interface and/or the trust list interface is further called, and the registry operation corresponding to the target call request is detected according to the registry path corresponding to the target call request.
- the processing function DECL_HANDLER set_key_value of the registry processing module 201 can call the reg_change_check function.
- the reg_change_check function calls the sty_reg_change_get function and passes the registry path that the application process wants to modify to the sty_reg_change_get function, for example: "\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".
- the sty_reg_change_get function continues to call the database interface and searches the database for the registry path that the process requests to modify, such as the registry path "\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".
- the target call request A corresponds to the registry
- the registry operation corresponding to the target call request A is a malicious operation.
- FIG. 4 shows a schematic diagram of an add trust interface of an embodiment of the present application, wherein different add trust interfaces are set for different registry operation categories, and an add trust interface can also be called an add trust function.
- When an add trust interface is called, the registry path corresponding to the target call request is added to the trust list.
- the query module 203 returns the detection result to the detection module 202 so that the detection module 202 executes the subsequent process. For example, if the detection result is a normal operation or a trusted operation, the detection module 202 forwards the detection result to the registry processing module 201, and the registry processing module 201 allows the registry operation corresponding to the target call request, that is, the registry processing module 201 can execute the normal processing flow. For another example, if the detection result is a malicious operation, the detection module 202 sends a processing option to the display module 204.
- displaying processing options may specifically include: when the detection result indicates that the registry operation is a malicious operation, the detection module 202 sends the processing options to the display module 204, so that the display module 204 displays the processing options.
- the detection module 202 can communicate with the display module 204 according to the socket protocol.
- the display module 204 provides multiple processing options to the user and returns the target processing option selected by the user to the detection module 202.
- the detection module 202 returns the target processing option selected by the user to the registry processing module 201.
- when the target processing option selected by the user is a prohibition option, the registry processing module 201 can interrupt the registry modification process and return the relevant error information to the application process; or, when the target processing option selected by the user is an allow option, the registry processing module 201 can continue the registry modification process; or, when the target processing option selected by the user is an add trust option, the registry processing module 201 can continue the registry modification process and call the add trust interface to add the registry path corresponding to the target call request to the trust list.
- FIG. 3 shows the steps of a method for processing registry operations in an application migration environment according to an embodiment of the present application.
- the method can be applied to the compatibility layer software running on the first operating system, and the method can specifically include the following steps:
- Step 301 the registry processing module 201 receives a call request sent by an application of the second operating system for an API via a compatible layer service process, and obtains a target call request related to a registry operation from the call request according to a preset identifier carried in the call request;
- Step 302 the registry processing module 201 sends the registry path corresponding to the target call request to the detection module 202;
- Step 303 the detection module 202 sends the registry path corresponding to the target call request to the query module 203;
- Step 304 the query module 203 calls the database interface and/or the trust list interface, detects the registry operation corresponding to the target call request according to the registry path corresponding to the target call request, and returns the detection result to the detection module 202;
- the detection module 202 performs different processing according to different detection results. If the detection result is a malicious operation, step 305 is executed; or, if the detection result is a trusted operation or a normal operation, step 309 is executed;
- Step 305 If the detection result is a malicious operation, the detection module 202 sends the processing options to the display module 204 so that the display module 204 displays the processing options.
- the detection module 202 may also receive the target processing options selected by the user from the display module 204, and send the target processing options selected by the user to the registry processing module 201;
- the registry processing module 201 performs different processing according to different target processing options. If the target processing option is a prohibition option, execute step 306; or, if the target processing option is an allow option, execute step 307; if the target processing option is an add trust option, execute step 308;
- Step 306 when the target processing option is a prohibition option, the registry processing module 201 prohibits the registry operation corresponding to the target call request and returns relevant error information to the application process;
- Step 307 when the target processing option is the allow option, the registry processing module 201 executes the registry operation corresponding to the target call request;
- Step 308 When the target processing option is the add trust option, the registry processing module 201 performs the registry operation corresponding to the target call request, and calls the add trust interface to add the registry path corresponding to the target call request to the trust list;
- Step 309 When the detection result is a trusted operation or a normal operation, the detection module 202 transfers the detection result to the registry processing module 201, so that the registry processing module 201 executes the registry operation corresponding to the target call request.
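As an added illustration of the detection schemes (trust list, then database), the three processing options and the step 301 to 309 flow above, the following C sketch models the query module's check and the registry processing module's decision; it is not the patent's or Wine's own code. The request identifiers, the sample malicious paths, the prompt counter and every function name other than reg_change_check are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_TRUST 32
#define MAX_PATH_LEN 260

typedef enum { DET_NORMAL, DET_TRUSTED, DET_MALICIOUS } detect_result;
typedef enum { OPT_PROHIBIT, OPT_ALLOW, OPT_ADD_TRUST } process_option;
typedef enum { ACT_REJECTED, ACT_EXECUTED } action_result;

/* Preset identifiers carried in a call request (constructed values; real
 * wineserver request codes differ). Only key-modifying requests are routed
 * to detection, the rest follow the normal processing flow. */
typedef enum { REQ_READ_FILE = 1, REQ_SET_KEY_VALUE, REQ_CREATE_KEY, REQ_DELETE_KEY } req_id;

struct call_request {
    req_id id;
    char path[MAX_PATH_LEN];   /* registry path for registry-related requests */
};

/* Constructed stand-in for the database of registry paths whose
 * modification is recorded as malicious (here: the autostart Run keys). */
static const char *malicious_db[] = {
    "\\HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
};

/* Trust list, populated through the add trust option. */
static char trust_list[MAX_TRUST][MAX_PATH_LEN];
static int trust_count;

/* How often the display module would have been asked to show the processing
 * options; exposed so the effect of add trust on later requests is visible. */
int prompts_shown;

/* Windows registry paths are case-insensitive, so compare them that way. */
static int path_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Registry processing module: select target call requests by identifier. */
int is_registry_request(const struct call_request *r)
{
    return r->id == REQ_SET_KEY_VALUE || r->id == REQ_CREATE_KEY || r->id == REQ_DELETE_KEY;
}

/* Query module, technical solution 3: trust list first, then the database. */
detect_result reg_change_check(const char *path)
{
    size_t i;
    for (i = 0; i < (size_t)trust_count; i++)
        if (path_equal(trust_list[i], path)) return DET_TRUSTED;
    for (i = 0; i < sizeof malicious_db / sizeof malicious_db[0]; i++)
        if (path_equal(malicious_db[i], path)) return DET_MALICIOUS;
    return DET_NORMAL;
}

/* Add trust interface: returns 0 when the list is full or the path too long. */
int add_trust(const char *path)
{
    if (trust_count >= MAX_TRUST || strlen(path) >= MAX_PATH_LEN) return 0;
    snprintf(trust_list[trust_count++], MAX_PATH_LEN, "%s", path);
    return 1;
}

void reset_state(void)
{
    trust_count = 0;
    prompts_shown = 0;
}

/* Steps 301 to 309 for one request. `chosen` is the option the user would
 * pick if prompted; it is only consulted when detection reports malicious. */
action_result process_request(const struct call_request *r, process_option chosen)
{
    if (!is_registry_request(r)) return ACT_EXECUTED;      /* not a target call request */
    if (reg_change_check(r->path) != DET_MALICIOUS)
        return ACT_EXECUTED;                               /* step 309: normal or trusted */
    prompts_shown++;                                       /* step 305: options displayed */
    switch (chosen) {
    case OPT_PROHIBIT:  return ACT_REJECTED;               /* step 306: error to app process */
    case OPT_ALLOW:     return ACT_EXECUTED;               /* step 307 */
    case OPT_ADD_TRUST: add_trust(r->path); return ACT_EXECUTED;   /* step 308 */
    }
    return ACT_REJECTED;
}

int main(void)
{
    /* Constructed request: an application trying to register itself for autostart. */
    struct call_request a = { REQ_SET_KEY_VALUE,
        "\\HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" };
    reset_state();
    printf("first attempt (prohibit): %s\n",
           process_request(&a, OPT_PROHIBIT) == ACT_REJECTED ? "rejected" : "executed");
    printf("second attempt (add trust): %s\n",
           process_request(&a, OPT_ADD_TRUST) == ACT_EXECUTED ? "executed" : "rejected");
    printf("third attempt: %s, prompts shown so far: %d\n",
           process_request(&a, OPT_PROHIBIT) == ACT_EXECUTED ? "executed" : "rejected",
           prompts_shown);
    return 0;
}
```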
- a user installs a Windows application A via the compatibility layer software.
- Application A hopes that it can run automatically when the computer is turned on, so it requests to modify the registry key "\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".
- the processing options are sent to the user via the display module 204.
- the display module 204 can send a message to the detection module 202 through socket communication (the message can carry the target processing option selected by the user). After receiving the target processing option, the detection module 202 calls the add trust interface to add the registry path corresponding to the target call request to the trust list.
- the embodiment of the present application further provides a processing device for registry operation in an application transplantation environment, the device being applied to the compatibility layer software running on the first operating system; referring to FIG. 4, the device may specifically include: a receiving module 401, an acquisition module 402, a detection module 403, a display module 404 and a processing module 405.
- the receiving module 401, the acquisition module 402 and the processing module 405 may be modules set in the aforementioned registry processing module 201.
- the receiving module 401 is used to receive a call request sent by an application of the second operating system to the API via a compatible layer service process;
- the acquisition module 402 is used to acquire a target call request related to the registry operation from the call request according to a preset identifier carried in the call request;
- the detection module 403 is used to detect the registry operation corresponding to the target call request to obtain a corresponding detection result;
- the display module 404 is used to display processing options when the detection result indicates that the registry operation is a malicious operation;
- the processing options include: a prohibition option, an allow option and an add trust option;
- the add trust option is used to set the registry path corresponding to the target call request as a trust path;
- the processing module 405 is used to process the registry operation corresponding to the target call request according to the target processing option selected by the user.
- the detection module 403 may specifically include:
- a first detection module is used to search in a database according to a registry path corresponding to the target call request; the database records a registry path corresponding to the malicious operation; or
- the second detection module is used to determine whether there is a registry path corresponding to the target call request in the trust list to obtain a corresponding determination result; the trust list records the registry path corresponding to the trust operation; or
- the third detection module is used to determine whether the registry path corresponding to the target call request exists in the trust list to obtain a corresponding judgment result; if the judgment result is that it does not exist, a database is searched according to the registry path corresponding to the target call request; the database records the registry path corresponding to the malicious operation, and the trust list records the registry path corresponding to the trusted operation.
- processing module 405 may specifically include:
- a first processing module is used to prohibit the registry operation corresponding to the target call request when the target processing option selected by the user is a prohibition option;
- a second processing module is used to allow the registry operation corresponding to the target call request when the target processing option selected by the user is an allow option;
- the third processing module is used to allow the registry operation corresponding to the target call request and add the registry path corresponding to the target call request to the trust list when the target processing option selected by the user is the add trust option.
- the device may further include:
- the operation permission module is used to allow the registry operation corresponding to the target call request when the detection result indicates that the registry operation is a normal operation or a trusted operation.
- the acquisition module sends the registry path corresponding to the target call request to the detection module; the detection module sends the registry path corresponding to the target call request to the query module; the query module calls the database interface and/or the trust list interface, detects the registry operation corresponding to the target call request according to the registry path corresponding to the target call request, and returns the detection result to the detection module.
- when the detection result indicates that the registry operation is a malicious operation, the detection module sends a processing option to the display module so that the display module displays the processing option.
- the embodiment of the present application also provides a non-volatile readable storage medium, which stores one or more modules (programs); when the one or more modules are applied to a device, the device can execute the instructions of each method step in the embodiment of the present application.
- the present application embodiment provides one or more machine-readable media on which instructions are stored, and when executed by one or more processors, an electronic device executes one or more of the methods described in the above embodiments.
- the electronic device includes various types of devices such as terminal devices and servers (clusters).
- FIG. 5 schematically shows an exemplary device 1100 that can be used to implement various embodiments described in this application.
- Figure 5 shows an exemplary apparatus 1100 having one or more processors 1102, a control module (chip set) 1104 coupled to at least one of the (one or more) processors 1102, a memory 1106 coupled to the control module 1104, a non-volatile memory (NVM)/storage device 1108 coupled to the control module 1104, one or more input/output devices 1110 coupled to the control module 1104, and a network interface 1112 coupled to the control module 1104.
- the processor 1102 may include one or more single-core or multi-core processors, and the processor 1102 may include any combination of general-purpose processors or special-purpose processors (such as graphics processors, application processors, baseband processors, etc.).
- the device 1100 can be used as a terminal device, server (cluster), etc. described in the embodiments of the present application.
- the apparatus 1100 may include one or more computer-readable media (e.g., memory 1106 or NVM/storage device 1108) having instructions 1114 and one or more processors 1102 combined with the one or more computer-readable media and configured to execute the instructions 1114 to implement a module to perform the actions described in the present disclosure.
- control module 1104 may include any suitable interface controller to provide any suitable interface to at least one of the processor(s) 1102 and/or any suitable device or component in communication with the control module 1104.
- the control module 1104 may include a memory controller module to provide an interface to the memory 1106.
- the memory controller module may be a hardware module, a software module, and/or a firmware module.
- the memory 1106 may be used, for example, to load and store data and/or instructions 1114 for the device 1100.
- the memory 1106 may include any suitable volatile memory, such as a suitable DRAM.
- the memory 1106 may include double data rate type four synchronous dynamic random access memory (DDR4 SDRAM).
- control module 1104 may include one or more input/output controllers to provide an interface to NVM/storage device 1108 and input/output device(s) 1110.
- NVM/storage 1108 may be used to store data and/or instructions 1114.
- NVM/storage 1108 may include any suitable non-volatile memory (e.g., flash memory) and/or may include any suitable non-volatile storage device(s) (e.g., one or more hard disk drives (HDDs), one or more compact disk (CD) drives, and/or one or more digital versatile disk (DVD) drives).
- NVM/storage device 1108 may include storage resources that are physically part of the device on which apparatus 1100 is installed, or it may be accessible to the device without being part of the device. For example, NVM/storage device 1108 may be accessed via input/output device(s) 1110 over a network.
- (One or more) input/output devices 1110 may provide an interface for apparatus 1100 to communicate with any other appropriate device, and input/output devices 1110 may include communication components, audio components, sensor components, etc.
- Network interface 1112 may provide an interface for apparatus 1100 to communicate through one or more networks, and apparatus 1100 may wirelessly communicate with one or more components of a wireless network according to any of one or more wireless network standards and/or protocols, such as accessing a wireless network based on a communication standard such as WiFi (Wireless Fidelity), 2G (2nd Generation wireless telephone technology), 3G (3rd Generation Mobile Communication Technology), 4G (4th Generation Mobile Communication Technology), 5G (5th Generation Mobile Communication Technology), etc., or a combination thereof for wireless communication.
- At least one of the processor(s) 1102 may be packaged together with the logic of one or more controllers (e.g., a memory controller module) of the control module 1104.
- at least one of the processor(s) 1102 may be packaged together with the logic of one or more controllers of the control module 1104 to form a system-in-a-package (SiP).
- at least one of the processor(s) 1102 may be integrated on the same die with the logic of one or more controllers of the control module 1104.
- at least one of the processor(s) 1102 may be integrated on the same die with the logic of one or more controllers of the control module 1104 to form a system on chip (SoC).
- the device 1100 may be, but is not limited to, a terminal device such as a server, a desktop computing device, or a mobile computing device (e.g., a laptop computing device, a handheld computing device, a tablet computer, a netbook, etc.).
- the device 1100 may have more or fewer components and/or different architectures.
- the device 1100 includes one or more cameras, a keyboard, a liquid crystal display (LCD) screen (including a touch screen display), a non-volatile memory port, multiple antennas, a graphics chip, an application specific integrated circuit (ASIC), and a speaker.
- for example, the main control chip can be used as the processor or control module in the detection device; sensor data, location information, etc. are stored in the memory or NVM/storage device; the sensor group can be used as an input/output device; and the communication interface may include the network interface.
- since the device embodiments correspond to the method embodiments, their description is relatively brief; for the relevant parts, refer to the description of the method embodiments.
- each process and/or box in the flowchart and/or block diagram, and the combination of the process and/or box in the flowchart and/or block diagram can be realized by computer program instructions.
- These computer program instructions can be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing terminal device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing terminal device produce a device for realizing the function specified in one process or multiple processes in the flowchart and/or one box or multiple boxes in the block diagram.
- These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce a manufactured product including an instruction device that implements the functions specified in one or more processes in the flowchart and/or one or more boxes in the block diagram.
- These computer program instructions can also be loaded into a computer or other programmable data processing terminal device so that a series of operational steps are executed on the computer or other programmable terminal device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable terminal device provide steps for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
Abstract
An embodiment of the present application provides a method, apparatus and medium for processing registry operations in an application porting environment. The method is applied to compatibility layer software running on a first operating system and specifically includes: receiving, via a compatibility layer service process, a call request sent by an application of a second operating system; obtaining a target call request from the call request; detecting the registry operation corresponding to the target call request; displaying processing options when the detection result indicates that the registry operation is a malicious operation, the processing options including a prohibit option, an allow option and an add-trust option, where the add-trust option is used to set the registry path corresponding to the target call request as a trusted path; and processing the registry operation corresponding to the target call request according to the target processing option selected by the user. The embodiment of the present application can improve the detection accuracy of registry operations and the degree of match between the processing result of a registry operation and the user's personalized needs.
Description
Cross-reference to related applications
This application claims priority to the Chinese patent application No. 202211250372.0, filed with the Chinese Patent Office on October 13, 2022 and entitled "应用移植环境下注册表操作的处理方法、装置和介质" (Method, apparatus and medium for processing registry operations in an application porting environment), the entire contents of which are incorporated herein by reference.
Embodiments of the present application relate to the technical field of application porting, and in particular to a method, apparatus and medium for processing registry operations in an application porting environment.
In the field of application porting, compatibility layer software such as Wine (Wine Is Not an Emulator) can be used to port applications of a second operating system to a first operating system. Taking the Windows operating system as the second operating system as an example, the compatibility layer software maintains a registry. The registry stores a variety of parameters that control the loading of hardware drivers and whether Windows applications run normally; once the registry is tampered with or damaged, Windows applications are likely to behave abnormally.
To protect the registry, the related art detects registry operations from the direction of the dynamic link library. The specific detection process includes: obtaining the registry operation functions from the dynamic link library, saving the address of each registry operation function as the original address, and replacing the address of the registry operation function with the address of a Hook function; when any program performs a registry operation, the Hook function obtains the corresponding operation information and evaluates it, and if the evaluation indicates that the registry operation corresponds to a malicious operation, the registry operation is prohibited.
In practice, because a dynamic link library often contains many registry operation functions, detecting registry operations from the direction of the dynamic link library may miss some registry operation functions, which leads to detection omissions and in turn to a low detection accuracy for registry operations.
Summary of the invention
Embodiments of the present application provide a method for processing registry operations in an application porting environment, which can improve the detection accuracy of registry operations, improve the degree of match between the processing result of a registry operation and the user's personalized needs, simplify the processing flow for a registry path, and improve the processing efficiency for that registry path.
Correspondingly, embodiments of the present application further provide an apparatus for processing registry operations in an application porting environment, an electronic device and a machine-readable medium, so as to guarantee the implementation and application of the above method.
In a first aspect, an embodiment of the present application discloses a method for processing registry operations in an application porting environment, the method being applied to compatibility layer software running on a first operating system; the method includes:
receiving, via a compatibility layer service process, a call request sent by an application of a second operating system for an API;
obtaining, according to a preset identifier carried in the call request, a target call request related to a registry operation from the call request;
detecting the registry operation corresponding to the target call request to obtain a corresponding detection result;
displaying processing options when the detection result indicates that the registry operation is a malicious operation; the processing options include a prohibit option, an allow option and an add-trust option; the add-trust option is used to set the registry path corresponding to the target call request as a trusted path;
processing the registry operation corresponding to the target call request according to the target processing option selected by the user.
In a second aspect, an embodiment of the present application discloses an apparatus for processing registry operations in an application porting environment, the apparatus including: a registry processing module, a detection module, a query module and a display module;
wherein the registry processing module, the detection module and the query module are located on the side of the compatibility layer service process corresponding to the compatibility layer software, and the display module is located on the side of the window service process corresponding to the compatibility layer software;
the registry processing module is used to receive a call request sent by an application of the second operating system for an API, obtain, according to a preset identifier carried in the call request, a target call request related to a registry operation from the call request, and send the registry path corresponding to the target call request to the detection module;
the detection module is used to send the registry path corresponding to the target call request to the query module;
the query module is used to call a database interface and/or a trust list interface, detect the registry operation corresponding to the target call request according to the registry path corresponding to the target call request, and return a detection result to the detection module;
the detection module is further used to send processing options to the display module when the detection result indicates that the registry operation is a malicious operation;
the display module is used to display the processing options; the processing options include a prohibit option, an allow option and an add-trust option; the add-trust option is used to set the registry path corresponding to the target call request as a trusted path;
the registry processing module is further used to process the registry operation corresponding to the target call request according to the target processing option selected by the user.
In a third aspect, an embodiment of the present application discloses an apparatus for processing registry operations in an application porting environment, the apparatus being applied to compatibility layer software running on a first operating system; the apparatus includes:
a receiving module, used to receive, via a compatibility layer service process, a call request sent by an application of a second operating system for an API;
an acquisition module, used to obtain, according to a preset identifier carried in the call request, a target call request related to a registry operation from the call request;
a detection module, used to detect the registry operation corresponding to the target call request to obtain a corresponding detection result;
a display module, used to display processing options when the detection result indicates that the registry operation is a malicious operation; the processing options include a prohibit option, an allow option and an add-trust option; the add-trust option is used to set the registry path corresponding to the target call request as a trusted path;
a processing module, used to process the registry operation corresponding to the target call request according to the target processing option selected by the user.
可选地,所述检测模块包括:
第一检测模块,用于根据所述目标调用请求对应的注册表路径,在数据库中进行查找;所述数据库中记录有恶意操作对应的注册表路径;或者
第二检测模块,用于判断信任列表中是否存在所述目标调用请求对应的注册表路径,以得到对应的判断结果;所述信任列表记录有信任操作对应的注册表路径;或者
第三检测模块,用于判断信任列表中是否存在所述目标调用请求对应的注册表路径,以得到对应的判断结果,若判断结果为不存在,则根据所述目标调用请求对应的注册表路径,在数据库中进行查找;所述数据库中记录有恶意操作对应的注册表路径;所述信任列表记录有信任操作对应的注册表路径。
可选地,所述处理模块包括:
第一处理模块,用于在用户选择的目标处理选项为禁止选项的情况下,禁止所述目标调用请求对应的注册表操作;或者
第二处理模块,用于在用户选择的目标处理选项为允许选项的情况下,允许所述目标调用请求对应的注册表操作;或者
第三处理模块,用于在用户选择的目标处理选项为添加信任选项的情况下,允许所述目标调用请求对应的注册表操作,并将所述目标调用请求对应的注册表路径添加至信任列表。
Optionally, the apparatus further includes:
an operation allowing module, configured to allow the registry operation corresponding to the target call request when the detection result indicates that the registry operation is a normal operation or a trusted operation.
Optionally, the obtaining module sends the registry path corresponding to the target call request to the detection module; the detection module sends that registry path to the query module; and the query module calls a database interface and/or a trust list interface, detects the registry operation corresponding to the target call request according to its registry path, and returns the detection result to the detection module.
Optionally, when the detection result indicates that the registry operation is a malicious operation, the detection module sends processing options to the display module so that the display module displays them.
In a fourth aspect, an embodiment of this application discloses an electronic device including a processor and a memory storing executable code which, when executed, causes the processor to perform the method described in the embodiments of this application.
In a fifth aspect, an embodiment of this application discloses a machine-readable medium storing executable code which, when executed, causes a processor to perform the method described in the embodiments of this application.
The embodiments of this application have the following advantages:
In the technical solution of the embodiments, call requests sent by an application program of the second operating system for an API are received via the compatibility layer server process, and the target call requests related to registry operations are obtained from them according to the preset identifier carried in each call request. In the field of application porting, the compatibility layer server process is responsible for communication with the application processes, and an application process, acting on behalf of an application program of the second operating system, sends its API call requests to the compatibility layer server process; the server process therefore serves as the aggregation point for call requests. Receiving the call requests via the compatibility layer server process thus avoids missing target call requests related to registry operations, which in turn avoids missed detections and improves the detection accuracy of registry operations.
Furthermore, the embodiments detect the registry operation corresponding to the target call request, display processing options when the detection result indicates that the registry operation is malicious, and process the registry operation according to the target processing option selected by the user. Because the choice of processing option is left to the user and the registry operation is processed according to that choice, the processing result of the registry operation better matches the user's individual needs.
The processing options of the embodiments include an add-trust option, which marks the registry path corresponding to the target call request as a trusted path; a trusted path represents a registry path that the user trusts, and the detection result for a trusted path may be "trusted operation". Since a registry operation whose detection result is "trusted operation" is allowed, a later request for the same registry path can be allowed without displaying the processing options and without the user having to select one; this simplifies the processing flow for that registry path and improves its processing efficiency.
Fig. 1 is a schematic flowchart of the steps of a method for processing registry operations in an application porting environment according to an embodiment of this application;
Fig. 2 is a schematic structural diagram of an apparatus for processing registry operations in an application porting environment according to an embodiment of this application;
Fig. 3 is a schematic flowchart of the steps of a method for processing registry operations in an application porting environment according to an embodiment of this application;
Fig. 4 is a schematic structural diagram of an apparatus for processing registry operations in an application porting environment according to an embodiment of this application;
Fig. 5 is a schematic structural diagram of a device provided by an embodiment of this application.
To make the above objects, features and advantages of this application clearer and easier to understand, the application is described in further detail below with reference to the drawings and specific embodiments.
In the embodiments of this application, the compatibility layer software is a compatibility layer able to run application programs of a second operating system on any of several POSIX (Portable Operating System Interface) compatible first operating systems. Taking Windows as the second operating system, the compatibility layer software translates Windows API calls into POSIX calls on the fly, so that Windows application programs can run on a first operating system other than Windows.
Examples of the first operating system include Linux, macOS (Macintosh Operating System) and BSD (Berkeley Software Distribution). Examples of the second operating system include Windows. It will be understood that the embodiments do not restrict which specific first and second operating systems are used.
The compatibility layer software may include a compatibility layer server process (wineserver) and a set of dynamic link libraries. In addition, the GUI (Graphical User Interface) of the compatibility layer software may rely on a bitmap-display window system.
While a Windows application program is running, the first operating system may contain the following processes related to that program:
(1) The application process of the Windows application program itself. Calls into the dynamic link libraries run in the context of this process. When it needs a service of the compatibility layer software, or another service (in particular a kernel service) provided indirectly through the compatibility layer software, the application process calls down layer by layer through the dynamic link libraries the compatibility layer software provides. Inside the compatibility layer software, the application process usually communicates with the compatibility layer server process over a socket, accepting its management and coordination; it may also communicate over a socket with the window server process of the bitmap-display window system, sending it graphics requests and receiving keyboard and mouse input from it.
(2) The compatibility layer server process, whose role includes providing the means for communication and synchronization between application processes, managing application processes and threads, and providing the registry service.
(3) The window server process, whose role includes graphics display and keyboard and mouse input.
To protect the registry, the related art detects registry operations from the dynamic link library side. The detection process is as follows: obtain the registry operation functions from the dynamic link library, save the address of each registry operation function as its original address, and replace that address with the address of a hook function; whenever any program performs a registry operation, the hook function obtains the corresponding operation information and evaluates it, and if the evaluation indicates that the registry operation is a malicious operation, the registry operation is forbidden. In practice, however, a dynamic link library often contains a large number of registry operation functions, so detection from the library side may overlook some of them; overlooked functions lead to missed detections, which lowers the detection accuracy of registry operations.
To address the low detection accuracy of registry operations in the related art, embodiments of this application provide a method for processing registry operations in an application porting environment. The method may be applied to compatibility layer software running on a first operating system and may include: receiving, via the compatibility layer server process, call requests sent by an application program of the second operating system for an API; obtaining, from the call requests, the target call requests related to registry operations according to the preset identifier carried in each call request; detecting the registry operation corresponding to the target call request to obtain a detection result; when the detection result indicates that the registry operation is a malicious operation, displaying processing options, which include a forbid option, an allow option and an add-trust option, the add-trust option being used to mark the registry path corresponding to the target call request as a trusted path; and processing the registry operation corresponding to the target call request according to the target processing option selected by the user.
The embodiments receive, via the compatibility layer server process, the call requests sent by an application program of the second operating system for an API, and obtain from them the target call requests related to registry operations according to the preset identifier each call request carries. In the field of application porting, the compatibility layer server process is responsible for communication with the application processes, and an application process, acting on behalf of an application program of the second operating system, sends its API call requests to the compatibility layer server process; the server process therefore serves as the aggregation point for call requests. Receiving the call requests via the compatibility layer server process thus avoids missing target call requests related to registry operations; on that basis, the embodiments avoid missed detections and improve the detection accuracy of registry operations.
Furthermore, the embodiments detect the registry operation corresponding to the target call request, display processing options when the detection result indicates that the registry operation is malicious, and process the registry operation according to the target processing option selected by the user. Because the choice of processing option is left to the user and the registry operation is processed according to that choice, the processing result of the registry operation better matches the user's individual needs.
In addition, the processing options of the embodiments include an add-trust option, which marks the registry path corresponding to the target call request as a trusted path; a trusted path represents a registry path that the user trusts, and the detection result for a trusted path may be "trusted operation". A later request for the same registry path can then be allowed directly, so the embodiments simplify the processing flow for that registry path and improve its processing efficiency.
Embodiment 1
Referring to Fig. 1, which is a schematic flowchart of the steps of a method for processing registry operations in an application porting environment according to an embodiment of this application, the method may be applied to compatibility layer software running on a first operating system and may include the following steps:
Step 101: receive, via the compatibility layer server process, call requests sent by an application program of the second operating system for an API;
Step 102: obtain, from the call requests, the target call requests related to registry operations according to the preset identifier carried in each call request;
Step 103: detect the registry operation corresponding to the target call request to obtain a detection result;
Step 104: when the detection result indicates that the registry operation is a malicious operation, display processing options; the processing options include a forbid option, an allow option and an add-trust option, the add-trust option being used to mark the registry path corresponding to the target call request as a trusted path;
Step 105: process the registry operation corresponding to the target call request according to the target processing option selected by the user.
In step 101, the compatibility layer server process may establish a connection, for example a socket, with the application process of the application program of the second operating system; over that connection it can then receive the call requests the application program sends for an API.
In step 102, the call requests may include both target call requests related to registry operations and non-target call requests unrelated to registry operations. The embodiment obtains the target call requests related to registry operations according to the preset identifier carried in each call request.
In practice, the compatibility layer server process may define in advance the preset identifier that corresponds to registry operations, so that the application process carries that identifier in its call requests. The server process may also store a mapping between preset identifiers and registry operation information; the information in a call request is then matched against the preset identifiers in the mapping, and if the match succeeds the call request is treated as a target call request related to a registry operation.
The registry operation information may represent one or more registry operation categories. Examples of registry operation categories include a registry add category, a registry modify category and a registry delete category.
In step 103, the registry operation corresponding to the target call request is detected, and the resulting detection result may be a malicious operation, a normal operation or a trusted operation.
The embodiment may provide the following technical solutions for detecting the registry operation corresponding to the target call request:
Technical solution 1: look up the registry path corresponding to the target call request in a database; the database records registry paths corresponding to malicious operations; or
Technical solution 2: determine whether the registry path corresponding to the target call request exists in a trust list to obtain a determination result; the trust list records registry paths corresponding to trusted operations; or
Technical solution 3: determine whether the registry path corresponding to the target call request exists in a trust list to obtain a determination result and, if it does not, look up the registry path in a database; the database records registry paths corresponding to malicious operations and the trust list records registry paths corresponding to trusted operations.
Technical solution 1 uses a database to detect the registry operation corresponding to the target call request. Specifically, the database is searched: if it contains the registry path corresponding to the target call request, the detection result may be a malicious operation; if it does not, the detection result may be a normal operation.
The database records registry paths corresponding to malicious operations. Table 1 shows a database according to an embodiment of this application; it may include a registry path field and a description field. A registry path refers to the path corresponding to a registry key on disk.
Table 1
The embodiment does not restrict how the registry paths corresponding to malicious operations are collected into the database. In practice, one may determine whether each historical registry operation in a registry operation log is a malicious operation and, if so, write the registry path of that historical registry operation into the database.
For example, one collection method matches the historical registry operations in the registry operation log against registry operation rules; if a match succeeds, the historical registry operation is considered malicious and its registry path is written into the database. The registry operation rules can be defined by those skilled in the art according to practical needs; examples include, without limitation, modifying the system's startup association, obtaining the browser's proxy information, and disabling the operating system's display of hidden files. Another collection method uses a machine-learning classifier. Specifically, the classifier is trained on samples of malicious operations and samples of normal operations so that it can classify an operation as malicious or normal; the historical registry operations in the log are then fed to the classifier, whose output indicates whether each historical registry operation is malicious, and if so the registry path of that historical registry operation is written into the database.
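As an added example, not code from the patent, of the rule-based collection method just described: historical operations from a constructed registry-operation log are matched against operation rules, and the path of every match is written to a Table 1 style database (path plus description). The rule set, in particular which key-path fragments stand for the three listed behaviours, the log format and all paths are assumptions made for this example.

```c
#include <string.h>
#include <ctype.h>

#define DB_MAX 16
#define PATH_MAX_LEN 256

/* One line of a constructed registry-operation log: operation and path. */
struct log_entry { const char *op; const char *path; };

/* A registry operation rule: operation plus a key-path fragment. The fragments
 * are assumptions about where the behaviours the text lists show up. */
struct rule { const char *op; const char *path_part; const char *why; };
static const struct rule RULES[] = {
    { "modify", "\\CurrentVersion\\Run",        "modifies the system startup association" },
    { "read",   "\\Internet Settings",          "obtains browser proxy information" },
    { "modify", "\\Explorer\\Advanced\\Hidden", "disables display of hidden files" },
};

/* Table 1 style database: registry path field plus description field. */
struct db_row { char path[PATH_MAX_LEN]; const char *why; };
static struct db_row g_db[DB_MAX];
static int g_db_len = 0;

/* Lower-case copy of s into buf, so strcmp/strstr ignore case (registry
 * paths are case-insensitive). */
static const char *lowered(char *buf, const char *s)
{
    size_t i = 0;
    for (; s[i] && i < PATH_MAX_LEN - 1; i++) buf[i] = (char)tolower((unsigned char)s[i]);
    buf[i] = '\0';
    return buf;
}

/* 1 if the database already records this path, else 0. */
int db_contains(const char *path)
{
    char a[PATH_MAX_LEN], b[PATH_MAX_LEN];
    for (int i = 0; i < g_db_len; i++)
        if (strcmp(lowered(a, g_db[i].path), lowered(b, path)) == 0) return 1;
    return 0;
}

/* Append a path to the database unless already recorded. Returns 1 on insert. */
static int db_insert(const char *path, const char *why)
{
    if (db_contains(path) || g_db_len == DB_MAX || strlen(path) >= PATH_MAX_LEN) return 0;
    strcpy(g_db[g_db_len].path, path);
    g_db[g_db_len++].why = why;
    return 1;
}

/* Rule-based collection: a historical operation matching a rule is treated as
 * malicious and its path written to the database. Returns paths newly written. */
int collect_from_log(const struct log_entry *log, int n)
{
    char a[PATH_MAX_LEN], b[PATH_MAX_LEN];
    int written = 0;
    for (int i = 0; i < n; i++)
        for (size_t r = 0; r < sizeof RULES / sizeof RULES[0]; r++)
            if (strcmp(log[i].op, RULES[r].op) == 0 &&
                strstr(lowered(a, log[i].path), lowered(b, RULES[r].path_part))) {
                written += db_insert(log[i].path, RULES[r].why);
                break;
            }
    return written;
}

/* Constructed sample log: a startup-key write, an ordinary per-app setting, a
 * proxy-settings read, the startup write again in another case, and a read of
 * the startup key (reads of Run match no rule). */
const struct log_entry SAMPLE_LOG[] = {
    { "modify", "\\HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" },
    { "modify", "\\HKEY_CURRENT_USER\\SOFTWARE\\ExampleVendor\\AppA\\Settings" },
    { "read",   "\\HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" },
    { "modify", "\\hkey_current_user\\software\\microsoft\\windows\\currentversion\\run" },
    { "read",   "\\HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" },
};
const int SAMPLE_LOG_LEN = (int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]);
```

Calling collect_from_log(SAMPLE_LOG, SAMPLE_LOG_LEN) writes two paths (the Run key once, despite its two spellings, and the Internet Settings key); the benign per-app key and the read of Run match no rule.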
Technical solution 2 uses a trust list to detect the registry operation corresponding to the target call request. Specifically, it determines whether the trust list contains the registry path corresponding to the target call request; if it does, the detection result is a trusted operation.
The trust list may record registry paths corresponding to trusted operations. Those skilled in the art may add registry paths of trusted operations to the trust list according to practical needs; alternatively, when the target processing option selected by the user is the add-trust option, the registry path corresponding to the target call request is added to the trust list.
Technical solution 3 uses the trust list and then the database, in that order, to detect the registry operation corresponding to the target call request.
Specifically, it first determines whether the trust list contains the registry path corresponding to the target call request; if it does not, the registry path is looked up in the database. If the database contains the registry path corresponding to the target call request, the detection result may be a malicious operation; if it does not, the detection result may be a normal operation.
In step 104, when the detection result indicates that the registry operation is a malicious operation, processing options may be displayed. Because the choice of processing option is left to the user, and the registry operation corresponding to the target call request is processed according to the target processing option the user selects, the processing result of the registry operation can match the user's individual needs.
In step 105, the registry operation corresponding to the target call request may be processed according to the target processing option selected by the user.
The embodiment may provide the following processing methods for processing the registry operation corresponding to the target call request according to the target processing option selected by the user:
Processing method 1: when the target processing option selected by the user is the forbid option, forbid the registry operation corresponding to the target call request; or
Processing method 2: when the target processing option selected by the user is the allow option, allow the registry operation corresponding to the target call request; or
Processing method 3: when the target processing option selected by the user is the add-trust option, allow the registry operation corresponding to the target call request and add its registry path to the trust list.
Forbidding the registry operation corresponding to the target call request may mean not executing that registry operation; allowing it may mean executing it.
The method of the embodiment may further include: when the detection result indicates that the registry operation is a normal operation or a trusted operation, allowing the registry operation corresponding to the target call request.
In summary, the method for processing registry operations in an application porting environment of this embodiment receives, via the compatibility layer server process, the call requests sent by an application program of the second operating system for an API, and obtains from them the target call requests related to registry operations according to the preset identifier each call request carries. In the field of application porting, the compatibility layer server process is responsible for communication with the application processes, and an application process, acting on behalf of an application program of the second operating system, sends its API call requests to the compatibility layer server process; the server process therefore serves as the aggregation point for call requests. Receiving the call requests via the compatibility layer server process thus avoids missing target call requests related to registry operations; on that basis, the embodiment avoids missed detections and improves the detection accuracy of registry operations.
Furthermore, the embodiment detects the registry operation corresponding to the target call request, displays processing options when the detection result indicates that the registry operation is malicious, and processes the registry operation according to the target processing option selected by the user. Because the choice of processing option is left to the user and the registry operation is processed according to that choice, the processing result of the registry operation better matches the user's individual needs.
In addition, the processing options of the embodiment include an add-trust option, which marks the registry path corresponding to the target call request as a trusted path; a trusted path represents a registry path that the user trusts, and the detection result for a trusted path may be "trusted operation". Since a registry operation whose detection result is "trusted operation" is allowed, a later request for the same registry path can be allowed without displaying the processing options and without the user having to select one; this simplifies the processing flow for that registry path and improves its processing efficiency.
Embodiment 2
The method of the embodiments may be performed by an apparatus for processing registry operations in an application porting environment. Referring to Fig. 2, which is a schematic structural diagram of such an apparatus according to an embodiment of this application, the apparatus may include a registry processing module 201, a detection module 202, a query module 203 and a display module 204.
The registry processing module 201, the detection module 202 and the query module 203 may be located on the compatibility layer server process side, and the display module 204 on the window server process side.
The registry processing module 201 is configured to receive call requests sent by an application program of the second operating system for an API, obtain from the call requests the target call requests related to registry operations according to the preset identifier carried in each call request, and send the registry path corresponding to the target call request to the detection module 202;
the detection module 202 is configured to send the registry path corresponding to the target call request to the query module 203;
the query module 203 is configured to call a database interface and/or a trust list interface, detect the registry operation corresponding to the target call request according to its registry path, and return the detection result to the detection module 202;
the detection module 202 is further configured to send processing options to the display module 204 when the detection result indicates that the registry operation is a malicious operation;
the display module 204 is configured to display the processing options, which may include a forbid option, an allow option and an add-trust option, the add-trust option being used to mark the registry path corresponding to the target call request as a trusted path;
the registry processing module 201 is further configured to process the registry operation corresponding to the target call request according to the target processing option selected by the user.
In the related art, the registry processing module 201 normally allows the registry operations of all target call requests. In this embodiment, the registry processing module 201 instead relies on the results produced by the detection module 202, the query module 203 and the display module 204, and processes the registry operation corresponding to the target call request according to the detection result and the target processing option selected by the user. This improves both the detection accuracy of registry operations and the match between the processing result and the user's individual needs.
With the apparatus shown in Fig. 2, the process of detecting the registry operation corresponding to the target call request may include:
the registry processing module 201 sends the registry path corresponding to the target call request to the detection module 202;
the detection module 202 sends the registry path corresponding to the target call request to the query module 203;
the query module 203 calls a database interface and/or a trust list interface, detects the registry operation corresponding to the target call request according to its registry path, and returns the detection result to the detection module 202.
In practice, the detection module 202 may take the form of a dynamic link library that provides a detection interface for the registry processing module 201 to call. Table 2 shows a detection interface according to an embodiment of this application; a different detection interface is defined for each registry operation category, and a detection interface may also be called a detection function.
Table 2
Taking a target call request A of the registry modify category as an example: when the application process sends a target call request of the registry modify category, the handler function DECL_HANDLER(set_key_value) of the registry processing module 201 may call the reg_change_check function, which detects the registry operation corresponding to target call request A.
The query module 203 may take the form of a dynamic link library that provides a query interface and an add-trust interface for the detection module 202 to call.
Table 3 shows a query interface according to an embodiment of this application; a different query interface may be defined for each registry operation category, and a query interface may also be called a query function. When a query interface is called, it in turn calls the database interface and/or the trust list interface to detect the registry operation corresponding to the target call request according to its registry path.
Table 3
Again taking a target call request A of the registry modify category as an example: when the application process sends a target call request of the registry modify category, the handler function DECL_HANDLER(set_key_value) of the registry processing module 201 may call the reg_change_check function.
The reg_change_check function calls the sty_reg_change_get function, passing it the registry path the application process wants to modify, for example "\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"; sty_reg_change_get then calls the database interface to search the database for the registry path the process requested to modify, that is, the registry path "\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".
If the database holds no record for that registry path, the registry operation corresponding to target call request A can be considered a normal (harmless) operation; if the database does hold a record for it, the registry operation corresponding to target call request A can be considered a malicious operation.
Table 4 shows an add-trust interface according to an embodiment of this application; a different add-trust interface is defined for each registry operation category, and an add-trust interface may also be called an add-trust function. When an add-trust interface is called, the registry path corresponding to the target call request is added to the trust list.
Table 4
In a specific implementation, the query module 203 returns the detection result to the detection module 202, which then carries out the subsequent flow. For example, when the detection result is a normal operation or a trusted operation, the detection module 202 forwards the detection result to the registry processing module 201, which may allow the registry operation corresponding to the target call request, that is, execute its normal processing flow. When the detection result is a malicious operation, the detection module 202 sends processing options to the display module 204.
Therefore, in this embodiment, displaying processing options when the detection result indicates that the registry operation is a malicious operation may specifically include: the detection module 202, when the detection result indicates that the registry operation is a malicious operation, sends processing options to the display module 204 so that the display module 204 displays them.
In practice, the detection module 202 may communicate with the display module 204 over a socket protocol. The display module 204 presents the processing options to the user and returns the user's selected target processing option to the detection module 202, which in turn returns the selected target processing option to the registry processing module 201.
Taking a target call request of the registry modify category as an example: when the target processing option selected by the user is the forbid option, the registry processing module 201 may abort the registry modification flow and return an error to the application process; when it is the allow option, the registry processing module 201 may continue the registry modification flow; and when it is the add-trust option, the registry processing module 201 may continue the registry modification flow and call the add-trust interface to add the registry path corresponding to the target call request to the trust list.
Referring to Fig. 3, which is a schematic flowchart of the steps of a method for processing registry operations in an application porting environment according to an embodiment of this application, the method may be applied to compatibility layer software running on a first operating system and may include the following steps:
Step 301: the registry processing module 201 receives, via the compatibility layer server process, call requests sent by an application program of the second operating system for an API, and obtains from them the target call requests related to registry operations according to the preset identifier carried in each call request;
Step 302: the registry processing module 201 sends the registry path corresponding to the target call request to the detection module 202;
Step 303: the detection module 202 sends the registry path corresponding to the target call request to the query module 203;
Step 304: the query module 203 calls a database interface and/or a trust list interface, detects the registry operation corresponding to the target call request according to its registry path, and returns the detection result to the detection module 202;
The detection module 202 proceeds differently depending on the detection result: if the detection result is a malicious operation, step 305 is executed; if it is a trusted operation or a normal operation, step 309 is executed;
Step 305: when the detection result is a malicious operation, the detection module 202 sends processing options to the display module 204 so that the display module 204 displays them. The detection module 202 may also receive the user's selected target processing option from the display module 204 and send it to the registry processing module 201;
The registry processing module 201 proceeds differently depending on the target processing option: if it is the forbid option, step 306 is executed; if it is the allow option, step 307 is executed; and if it is the add-trust option, step 308 is executed;
Step 306: when the target processing option is the forbid option, the registry processing module 201 forbids the registry operation corresponding to the target call request and returns an error to the application process;
Step 307: when the target processing option is the allow option, the registry processing module 201 executes the registry operation corresponding to the target call request;
Step 308: when the target processing option is the add-trust option, the registry processing module 201 executes the registry operation corresponding to the target call request and calls the add-trust interface to add the registry path corresponding to the target call request to the trust list;
Step 309: when the detection result is a trusted operation or a normal operation, the detection module 202 relays the detection result to the registry processing module 201 so that the registry processing module 201 executes the registry operation corresponding to the target call request.
In one application example of this application, a user installs a Windows application program A through the compatibility layer software. Application program A wants to start automatically at boot, so it requests modification of the registry key "\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run". Assume the detection module 202 obtains a detection result of malicious operation; the processing options are then presented to the user via the display module 204.
If the user confirms that the "modify registry" behaviour of application program A is harmless, the user can add trust for the corresponding registry path, that is, select the add-trust option. The display module 204 can send a message carrying the user's selected target processing option to the detection module 202 over the socket connection. On receiving the target processing option, the detection module 202 calls the add-trust interface to add the registry path corresponding to the target call request to the trust list.
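As an added example, not code from the patent or from Wine, the server-side flow of steps 301 to 309 and of the application example above in one process: sty_reg_change_get is the query interface implementing detection scheme 3 of Embodiment 1 (trust list first, then the malicious-path database), reg_change_check is the detection interface, and handle_set_key_value stands in for what DECL_HANDLER(set_key_value) does with the detection result and the user's option. The database rows, the choose_* callbacks that replace the display module's socket exchange, and the name handle_set_key_value are assumptions made for this example.

```c
#include <string.h>
#include <ctype.h>

#define TRUST_MAX 8
#define PATH_MAX_LEN 256
#define HKCU_RUN "\\HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

enum verdict { VERDICT_NORMAL, VERDICT_MALICIOUS, VERDICT_TRUSTED }; /* detection results */
enum option  { OPT_FORBID, OPT_ALLOW, OPT_ADD_TRUST };              /* processing options */
enum outcome { OUT_EXECUTED, OUT_REFUSED };                           /* as seen by the app */

/* Query module state: a constructed Table 1 style database of malicious paths
 * and the trust list, which stays empty until the user adds a path to it. */
static const char *const MALICIOUS_DB[] = {
    HKCU_RUN,
    "\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
};
static char g_trust[TRUST_MAX][PATH_MAX_LEN];
static int g_trust_len = 0;
static int g_prompts = 0;   /* how often the display module was asked to show options */

/* Registry paths compare case-insensitively. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Add-trust interface of the query module (Table 4). Returns 1 if added. */
int sty_reg_change_add_trust(const char *path)
{
    for (int i = 0; i < g_trust_len; i++)
        if (eq_nocase(g_trust[i], path)) return 0;
    if (g_trust_len == TRUST_MAX || strlen(path) >= PATH_MAX_LEN) return 0;
    strcpy(g_trust[g_trust_len++], path);
    return 1;
}

/* Query interface of the query module (Table 3), implementing detection
 * scheme 3: the trust list is consulted first, then the database. */
enum verdict sty_reg_change_get(const char *path)
{
    for (int i = 0; i < g_trust_len; i++)
        if (eq_nocase(g_trust[i], path)) return VERDICT_TRUSTED;
    for (size_t i = 0; i < sizeof MALICIOUS_DB / sizeof MALICIOUS_DB[0]; i++)
        if (eq_nocase(MALICIOUS_DB[i], path)) return VERDICT_MALICIOUS;
    return VERDICT_NORMAL;
}

/* Detection interface of the detection module (Table 2): steps 303 and 304. */
enum verdict reg_change_check(const char *path) { return sty_reg_change_get(path); }

/* Stand-ins for the display module's socket round trip (step 305): each
 * returns the option the user picks in the scenario being simulated. */
typedef enum option (*ask_user_fn)(const char *path);
enum option choose_add_trust(const char *path) { (void)path; return OPT_ADD_TRUST; }
enum option choose_forbid(const char *path)    { (void)path; return OPT_FORBID; }
int prompts_shown(void) { return g_prompts; }

/* What DECL_HANDLER(set_key_value) of the registry processing module does for
 * one registry-modify request (steps 302 and 305 to 309). */
enum outcome handle_set_key_value(const char *path, ask_user_fn ask)
{
    if (reg_change_check(path) != VERDICT_MALICIOUS)
        return OUT_EXECUTED;                         /* step 309: normal or trusted */
    g_prompts++;                                     /* step 305: options shown */
    switch (ask(path)) {
    case OPT_FORBID:    return OUT_REFUSED;          /* step 306: error to the app */
    case OPT_ALLOW:     return OUT_EXECUTED;         /* step 307 */
    case OPT_ADD_TRUST: sty_reg_change_add_trust(path); return OUT_EXECUTED; /* step 308 */
    }
    return OUT_REFUSED;                              /* unknown option: refuse by default */
}
```

With this state, the first request from application A for HKCU_RUN prompts the user once; after the add-trust choice the same path comes back as VERDICT_TRUSTED and is executed without another prompt, while a forbid choice on a different malicious path is refused.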
It should be noted that the method embodiments are described as a series of combined actions for simplicity of description, but those skilled in the art will appreciate that the embodiments of this application are not limited by the described order of actions, since according to the embodiments some steps may be performed in another order or simultaneously. Those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments and that the actions involved are not necessarily required by the embodiments of this application.
On the basis of the above embodiments, an embodiment of this application further provides an apparatus for processing registry operations in an application porting environment, applied to compatibility layer software running on a first operating system. Referring to Fig. 4, the apparatus may include a receiving module 401, an obtaining module 402, a detection module 403, a display module 404 and a processing module 405, where the receiving module 401, the obtaining module 402 and the processing module 405 may be modules provided within the registry processing module 201 described above.
The receiving module 401 is configured to receive, via the compatibility layer server process, call requests sent by an application program of the second operating system for an API;
the obtaining module 402 is configured to obtain, from the call requests, the target call requests related to registry operations according to the preset identifier carried in each call request;
the detection module 403 is configured to detect the registry operation corresponding to the target call request to obtain a detection result;
the display module 404 is configured to display processing options when the detection result indicates that the registry operation is a malicious operation; the processing options include a forbid option, an allow option and an add-trust option, the add-trust option being used to mark the registry path corresponding to the target call request as a trusted path;
the processing module 405 is configured to process the registry operation corresponding to the target call request according to the target processing option selected by the user.
Optionally, the detection module 403 may include:
a first detection module, configured to look up the registry path corresponding to the target call request in a database, the database recording registry paths corresponding to malicious operations; or
a second detection module, configured to determine whether the registry path corresponding to the target call request exists in a trust list to obtain a determination result, the trust list recording registry paths corresponding to trusted operations; or
a third detection module, configured to determine whether the registry path corresponding to the target call request exists in a trust list to obtain a determination result and, if it does not, to look up the registry path in a database; the database records registry paths corresponding to malicious operations and the trust list records registry paths corresponding to trusted operations.
Optionally, the processing module 405 may include:
a first processing module, configured to forbid the registry operation corresponding to the target call request when the target processing option selected by the user is the forbid option; or
a second processing module, configured to allow the registry operation corresponding to the target call request when the target processing option selected by the user is the allow option; or
a third processing module, configured to allow the registry operation corresponding to the target call request and add its registry path to the trust list when the target processing option selected by the user is the add-trust option.
Optionally, the apparatus may further include:
an operation allowing module, configured to allow the registry operation corresponding to the target call request when the detection result indicates that the registry operation is a normal operation or a trusted operation.
Optionally, the obtaining module sends the registry path corresponding to the target call request to the detection module; the detection module sends that registry path to the query module; and the query module calls a database interface and/or a trust list interface, detects the registry operation corresponding to the target call request according to its registry path, and returns the detection result to the detection module.
Optionally, when the detection result indicates that the registry operation is a malicious operation, the detection module sends processing options to the display module so that the display module displays them.
An embodiment of this application also provides a non-volatile readable storage medium storing one or more modules (programs) which, when applied to a device, can cause the device to execute the instructions of the method steps in the embodiments of this application.
Embodiments of this application provide one or more machine-readable media storing instructions which, when executed by one or more processors, cause an electronic device to perform the method of one or more of the above embodiments. In the embodiments, the electronic device includes various types of devices such as terminal devices and servers (clusters).
Embodiments of this disclosure may be implemented as an apparatus configured as desired using any suitable hardware, firmware, software or any combination thereof; the apparatus may include electronic devices such as terminal devices and servers (clusters). Fig. 5 schematically shows an exemplary apparatus 1100 that can be used to implement the embodiments described in this application.
For one embodiment, Fig. 5 shows an exemplary apparatus 1100 having one or more processors 1102, a control module (chipset) 1104 coupled to at least one of the processor(s) 1102, a memory 1106 coupled to the control module 1104, a non-volatile memory (NVM)/storage device 1108 coupled to the control module 1104, one or more input/output devices 1110 coupled to the control module 1104, and a network interface 1112 coupled to the control module 1104.
The processor 1102 may include one or more single-core or multi-core processors, and may include any combination of general-purpose processors and special-purpose processors (for example graphics processors, application processors or baseband processors). In some embodiments, the apparatus 1100 can serve as a terminal device, a server (cluster) or another device described in the embodiments of this application.
In some embodiments, the apparatus 1100 may include one or more computer-readable media (for example the memory 1106 or the NVM/storage device 1108) holding instructions 1114, and one or more processors 1102 coupled to those computer-readable media and configured to execute the instructions 1114 to implement the modules that perform the actions described in this disclosure.
For one embodiment, the control module 1104 may include any suitable interface controller to provide any suitable interface to at least one of the processor(s) 1102 and/or to any suitable device or component in communication with the control module 1104.
The control module 1104 may include a memory controller module to provide an interface to the memory 1106. The memory controller module may be a hardware module, a software module and/or a firmware module.
The memory 1106 may be used, for example, to load and store data and/or instructions 1114 for the apparatus 1100. For one embodiment, the memory 1106 may include any suitable volatile memory, for example suitable DRAM. In some embodiments, the memory 1106 may include double data rate type four synchronous dynamic random access memory (DDR4 SDRAM).
For one embodiment, the control module 1104 may include one or more input/output controllers to provide interfaces to the NVM/storage device 1108 and the input/output device(s) 1110.
For example, the NVM/storage device 1108 may be used to store data and/or instructions 1114. The NVM/storage device 1108 may include any suitable non-volatile memory (for example flash memory) and/or any suitable non-volatile storage device(s) (for example one or more hard disk drives (HDD), one or more compact disc (CD) drives and/or one or more digital versatile disc (DVD) drives).
The NVM/storage device 1108 may include storage resources that are physically part of the device on which the apparatus 1100 is installed, or it may be accessible by that device without necessarily being part of it. For example, the NVM/storage device 1108 may be accessed over a network via the input/output device(s) 1110.
The input/output device(s) 1110 may provide the apparatus 1100 with an interface for communicating with any other suitable device; the input/output devices 1110 may include communication components, audio components, sensor components and the like. The network interface 1112 may provide the apparatus 1100 with an interface for communicating over one or more networks; the apparatus 1100 may communicate wirelessly with one or more components of a wireless network according to any of one or more wireless network standards and/or protocols, for example by accessing a wireless network based on a communication standard such as WiFi (Wireless Fidelity), 2G (2nd-Generation wireless telephone technology), 3G (3rd-Generation Mobile Communication Technology), 4G (4th Generation Mobile Communication Technology), 5G (5th Generation Mobile Communication Technology), or a combination thereof.
For one embodiment, at least one of the processor(s) 1102 may be packaged together with the logic of one or more controllers (for example the memory controller module) of the control module 1104. For one embodiment, at least one of the processor(s) 1102 may be packaged together with the logic of one or more controllers of the control module 1104 to form a System in a Package (SiP). For one embodiment, at least one of the processor(s) 1102 may be integrated on the same die as the logic of one or more controllers of the control module 1104. For one embodiment, at least one of the processor(s) 1102 may be integrated on the same die as the logic of one or more controllers of the control module 1104 to form a System on Chip (SoC).
In various embodiments, the apparatus 1100 may be, without limitation, a server, a desktop computing device or a mobile computing device (for example a laptop computing device, a handheld computing device, a tablet or a netbook) or another terminal device. In various embodiments, the apparatus 1100 may have more or fewer components and/or a different architecture. For example, in some embodiments the apparatus 1100 includes one or more cameras, a keyboard, a liquid crystal display (LCD) screen (including a touch screen display), a non-volatile memory port, multiple antennas, a graphics chip, an application-specific integrated circuit (ASIC) and a speaker.
In the detection apparatus, a main control chip may serve as the processor or control module; sensor data, position information and the like are stored in the memory or the NVM/storage device; the sensor group may serve as the input/output device; and the communication interface may include the network interface.
Since the apparatus embodiments are substantially similar to the method embodiments, they are described relatively briefly; for relevant details, refer to the description of the method embodiments.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and for the same or similar parts the embodiments can be referred to one another.
The embodiments of this application are described with reference to flowcharts and/or block diagrams of methods, terminal devices (systems) and computer program products according to the embodiments. It will be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing terminal device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing terminal device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal device so that a series of operational steps is performed on the computer or other programmable terminal device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable terminal device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of this application have been described, those skilled in the art can make further changes and modifications to these embodiments once they learn the basic inventive concept. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the embodiments of this application.
Finally, it should also be noted that in this document relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or terminal device that includes a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or terminal device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or terminal device that includes that element.
The method and apparatus for processing registry operations in an application porting environment, the electronic device and the machine-readable medium provided by this application have been described in detail above. Specific examples have been used herein to explain the principles and implementations of this application, and the description of the above embodiments is intended only to help understand the method of this application and its core idea. At the same time, those of ordinary skill in the art may, following the idea of this application, make changes to the specific implementation and scope of application. In summary, the content of this specification should not be construed as limiting this application.
Claims (10)
1. A method for processing registry operations in an application porting environment, characterized in that the method is applied to compatibility layer software running on a first operating system and includes: receiving, via the compatibility layer server process, call requests sent by an application program of a second operating system for an API; obtaining, from the call requests, the target call requests related to registry operations according to a preset identifier carried in each call request; detecting the registry operation corresponding to the target call request to obtain a detection result; when the detection result indicates that the registry operation is a malicious operation, displaying processing options, the processing options including a forbid option, an allow option and an add-trust option, the add-trust option being used to mark the registry path corresponding to the target call request as a trusted path; and processing the registry operation corresponding to the target call request according to the target processing option selected by the user.
2. The method of claim 1, characterized in that detecting the registry operation corresponding to the target call request includes: looking up the registry path corresponding to the target call request in a database, the database recording registry paths corresponding to malicious operations; or determining whether the registry path corresponding to the target call request exists in a trust list to obtain a determination result, the trust list recording registry paths corresponding to trusted operations; or determining whether the registry path corresponding to the target call request exists in a trust list to obtain a determination result and, if it does not, looking up the registry path in a database, the database recording registry paths corresponding to malicious operations and the trust list recording registry paths corresponding to trusted operations.
3. The method of claim 1, characterized in that processing the registry operation corresponding to the target call request according to the target processing option selected by the user includes: when the target processing option selected by the user is the forbid option, forbidding the registry operation corresponding to the target call request; or when the target processing option selected by the user is the allow option, allowing the registry operation corresponding to the target call request; or when the target processing option selected by the user is the add-trust option, allowing the registry operation corresponding to the target call request and adding the registry path corresponding to the target call request to the trust list.
4. The method of claim 1, 2 or 3, characterized in that the method further includes: when the detection result indicates that the registry operation is a normal operation or a trusted operation, allowing the registry operation corresponding to the target call request.
5. The method of claim 1, 2 or 3, characterized in that detecting the registry operation corresponding to the target call request includes: a registry processing module sending the registry path corresponding to the target call request to a detection module; the detection module sending the registry path corresponding to the target call request to a query module; and the query module calling a database interface and/or a trust list interface, detecting the registry operation corresponding to the target call request according to its registry path, and returning the detection result to the detection module.
6. The method of claim 5, characterized in that displaying processing options when the detection result indicates that the registry operation is a malicious operation includes: the detection module, when the detection result indicates that the registry operation is a malicious operation, sending processing options to a display module so that the display module displays the processing options.
7. An apparatus for processing registry operations in an application porting environment, characterized in that the apparatus includes a registry processing module, a detection module, a query module and a display module; where the registry processing module, the detection module and the query module are located on the side of the compatibility layer server process of the compatibility layer software, and the display module is located on the side of the window server process of the compatibility layer software; the registry processing module is configured to receive call requests sent by an application program of a second operating system for an API, obtain from the call requests the target call requests related to registry operations according to a preset identifier carried in each call request, and send the registry path corresponding to the target call request to the detection module; the detection module is configured to send the registry path corresponding to the target call request to the query module; the query module is configured to call a database interface and/or a trust list interface, detect the registry operation corresponding to the target call request according to its registry path, and return the detection result to the detection module; the detection module is further configured to send processing options to the display module when the detection result indicates that the registry operation is a malicious operation; the display module is configured to display the processing options, the processing options including a forbid option, an allow option and an add-trust option, the add-trust option being used to mark the registry path corresponding to the target call request as a trusted path; and the registry processing module is further configured to process the registry operation corresponding to the target call request according to the target processing option selected by the user.
8. An apparatus for processing registry operations in an application porting environment, characterized in that the apparatus is applied to compatibility layer software running on a first operating system and includes: a receiving module, configured to receive, via the compatibility layer server process, call requests sent by an application program of a second operating system for an API; an obtaining module, configured to obtain, from the call requests, the target call requests related to registry operations according to a preset identifier carried in each call request; a detection module, configured to detect the registry operation corresponding to the target call request to obtain a detection result; a display module, configured to display processing options when the detection result indicates that the registry operation is a malicious operation, the processing options including a forbid option, an allow option and an add-trust option, the add-trust option being used to mark the registry path corresponding to the target call request as a trusted path; and a processing module, configured to process the registry operation corresponding to the target call request according to the target processing option selected by the user.
9. An electronic device, characterized by including: a processor; and a memory storing executable code which, when executed, causes the processor to perform the method of any one of claims 1 to 6.
10. A machine-readable medium storing executable code which, when executed, causes a processor to perform the method of any one of claims 1 to 6.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211250372.0A CN115328580B (zh) | 2022-10-13 | 2022-10-13 | Method, apparatus and medium for processing registry operations in an application porting environment |
CN202211250372.0 | 2022-10-13 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2024078348A1 (zh) | 2024-04-18 |
Family
ID=83914176
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2023/122242 WO2024078348A1 (zh) | Method, apparatus and medium for processing registry operations in an application porting environment | 2022-10-13 | 2023-09-27 |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN115328580B (zh) |
WO (1) | WO2024078348A1 (zh) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115328580B (zh) * | 2022-10-13 | 2022-12-16 | 中科方德软件有限公司 | Method, apparatus and medium for processing registry operations in an application porting environment |
- 2022-10-13: CN CN202211250372.0A patent/CN115328580B/zh (active)
- 2023-09-27: WO PCT/CN2023/122242 patent/WO2024078348A1/zh (status unknown)
Also Published As
Publication number | Publication date |
---|---|
CN115328580A (zh) | 2022-11-11 |
CN115328580B (zh) | 2022-12-16 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 23876551; Country of ref document: EP; Kind code of ref document: A1 |