CN102034047A - Automatic protection method for computer virus - Google Patents


Publication number
CN102034047A
Authority
CN
China
Prior art keywords
program
guard process
file
statement
push
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2010105982342A
Other languages
Chinese (zh)
Other versions
CN102034047B (en
Inventor
姚志浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiangsu GuoRui XinAn Technology Co., Ltd.
Original Assignee
姚志浩
Application filed by 姚志浩 filed Critical 姚志浩
Priority to CN201010598234A priority Critical patent/CN102034047B/en
Publication of CN102034047A publication Critical patent/CN102034047A/en
Application granted granted Critical
Publication of CN102034047B publication Critical patent/CN102034047B/en
Abstract

The invention discloses an automatic protection method against computer viruses. A guard program modeled on the human immune system is built and installed on a computer. The guard program makes the computer immune to virus programs by monitoring new programs, reverse engineering them, identifying propagating (diffusive) copy statements, obtaining the copy destination paths, and automatically creating high-privilege antibody folders, thereby simulating the immune system's B-cell receptor (BCR) homology judgment, the presentation of peptide fragments by major histocompatibility complex (MHC) II, and the release of antibodies by B cells. Compared with the prior art, the method needs no virus database and no manual scanning, needs no network connection to update a virus database, produces antibodies automatically against malicious computer programs, and intercepts them effectively, so the computer has an active defense capability against viruses. Tests show that the interception rate for the tested viruses can reach over 99.7 percent.

Description

An automatic protection method against computer viruses
Technical field
The invention belongs to the field of computer technology and relates to virus protection. It uses the human immune system's model of immunity to bacteria and viruses to give a computer self-protection against virus programs, and is an automatic protection method against computer viruses.
Background
At present most antivirus software worldwide uses "signature" (feature code) detection. In today's network environment, where viruses keep multiplying, signature detection shows its drawbacks: the virus database keeps growing; it must be updated regularly over the network; it always lags behind the viruses; and users are often infected by new viruses.
The techniques and defects of several existing antivirus products are as follows:
[Table of existing antivirus products and their defects: two figures in the original publication, not reproduced here]
As can be seen, most current antivirus software needs to scan the computer system and needs a virus database as the basis for its scan decisions. Scanning the system usually consumes a large amount of system resources, the virus database only works effectively if it is updated regularly, and the ever-growing database occupies a large amount of storage space.
Summary of the invention
The problem to be solved by the invention is: most existing antivirus techniques depend on a virus database to detect and remove viruses, consume computer system resources, and require the database to be updated regularly; the computer's protection against virus programs is passive, and there is no defense against a newly emerged virus at the first moment.
The technical scheme of the invention is: an automatic protection method against computer viruses that takes the human immune system as its model. A guard process is built and installed on the computer. By monitoring new programs, reverse engineering them, identifying propagating (diffusive) copy statements and obtaining the copy destination paths, and automatically creating high-privilege antibody folders, the guard process simulates the human immune system's BCR homology judgment, MHC II presentation of peptide fragments, and B-cell release of antibodies, making the computer immune to virus programs. The guard process runs on a standalone machine; the operating system is any Windows version from Windows 2000 onward. The method comprises the following steps:
1) Monitoring new programs: the guard process sets registry entries so that it becomes the open handler for every COM and EXE program, so opening a COM or EXE program activates the guard process. The guard process learns the file path of the program being opened from the Command start-up parameter and stores it in the variable filepath. The guard process then calls the Wintrust.dll that ships with Windows to determine whether the newly launched COM or EXE program carries a valid, untampered, unexpired digital signature. If the check passes, the program is released to run. If it fails, the program is temporarily held as a suspicious program and is not allowed to run; the path of the suspended COM or EXE program is then passed inside the guard process by DDE message, and processing moves to the next stage;
2) Reverse engineering: an unpacking (shelling) program is provided for the guard process to call. The guard process calls the external unpacker with the received filepath as the start-up parameter; the unpacker returns to the guard process the address where the unpacked copy of the suspicious program is stored, and that address is kept in the variable UnpackedPath. The guard process converts the opcodes of the suspicious program recorded at UnpackedPath into the corresponding assembly code, thereby disassembling the suspicious program; the disassembly result is stored temporarily and automatically. The guard process automatically searches the disassembly result for every "CALL DWORD PTR [XXXXXXX]" statement, that is, for every subprocedure-call statement in the disassembly of the unpacked suspicious program, where [XXXXXXX] stands for assembly code. For each "CALL DWORD PTR [XXXXXXX]" statement found, it searches upward from that instruction, as far as the previous "CALL DWORD PTR [XXXXXXX]" statement, for "Push" statements. If two consecutive Push statements are found in the interval between two subprocedure-call statements, the two Push statements and the "CALL DWORD PTR [XXXXXXX]" statement found first are judged to form a copy statement together. The guard process records the addresses of the two Push statements, locates the Push target address of each, reads the hexadecimal-encoded data of the suspicious program at each Push target address, converts the hexadecimal data to plaintext Unicode, and stores the resulting Unicode strings in the array push(n) in the order in which they occur in the suspicious program;
The guard process then judges: if the returned array push(n) is in standard program file path format, the copy statement found is judged to be copying a program file. The procedure above (capturing a suspected copy command at a subprocedure-call statement, converting the target addresses to hexadecimal and then to Unicode, and judging whether it is a copy statement) is applied while traversing the whole disassembly of the suspicious program, collecting every copy statement encountered. push(n) is saved for further processing;
3) Propagating-copy judgment: define a score variable Count with initial value 0. In the push(n) array the strings of the Push target addresses are taken in pairs: the first of each pair is the source path and the second is the copy destination path. Each time a source path is the suspicious program's own path, Count+10. Each time a destination path is on a removable device or LAN storage, which is obvious propagation by copying, Count+40. Each time a destination path is in the Windows system directory, which is residence inside the system, Count+5;
If Count exceeds 100, it is counted as 100;
A threshold for propagating copies is set. The threshold corresponds to the security level of the guard process: the smaller the threshold, the higher the level of protection. If Count is above the threshold (and within the 100-point cap), the program is judged to perform propagating copies. Otherwise, if Count is below the threshold, it is judged to perform no propagating copies, the hold on the suspicious program is released, and it is allowed to run;
A program judged to perform propagating copies goes immediately to the next step;
4) Creating same-name high-privilege folders: the guard process performs folder creation. At every copy destination path of the propagating copies it creates a folder with the same name as the file the suspicious program would copy to that path. The folder is set to hidden by modifying file attributes in VB, and through API calls to advapi32 and Kernel32 a temporary system-privilege user "SysUser" is created and the hidden folder just created is assigned "SysUser" permissions, i.e. system user permissions;
5) The virus errors out and exits: after step 4) has been carried out, the hold on the suspicious program is released and it is allowed to run. When a suspicious program with propagating copies executes its file copy instruction, it runs into the same-name folder created in step 4), that is, the high-privilege antibody folder; a RuntimeError occurs and an error dialog box pops up. After the error dialog appears, owing to the behavior of the Microsoft operating system, the suspicious program is terminated by the operating system because of the error;
Through the above steps, the computer is automatically protected against virus programs.
In step 3), removable storage and network storage among the copy targets are identified by enumerating the computer's hard disk drive letters or through the Kernel32 API.
After step 4) is carried out, the guard process deletes the unpacked temporary file of the suspicious program.
The invention adopts the model of the human immune system's immunity to bacteria and viruses. Using computer principles such as disassembly of computer programs, code conversion, PE file analysis, and run-time errors, and based on the human immune system's method of immunity to bacteria and viruses, it needs no virus signature database, uses a purely standalone architecture, and needs no network updates. Like MHC II in the human immune system it analyzes virus programs intelligently, and in imitation of B cells it generates antibody folders automatically, causing the computer virus to hit an error and be terminated by the operating system, so that a standalone machine has its own immunity.
Compared with the prior art, the invention needs no virus database, no manual scanning, and no network updates of a virus database; it produces antibodies automatically against malicious computer programs (commonly called viruses), intercepts them effectively, and gives the computer an active defense capability against viruses. In testing, the interception rate for the viruses tested reached 99.7% or more; in the certification test results of the Software Product Inspection Center of the Jiangsu Province Information Industry Department, a program written using the method of the invention intercepted all the computer viruses in the on-site test.
Brief description of the drawings
Fig. 1 is a flow chart of the principle of the invention.
Fig. 2 is the workflow of the human immune system.
Detailed description of the embodiments
As shown in Fig. 1 and Fig. 2, the invention takes the human immune system as its model. A guard process is built and installed on the computer. By monitoring new programs, reverse engineering them, identifying propagating (diffusive) copy statements and obtaining the copy destination paths, and automatically creating high-privilege antibody folders, the guard process simulates the human immune system's BCR homology judgment, MHC II presentation of peptide fragments, and B-cell release of antibodies, making the computer immune to virus programs. The method comprises the following steps:
1) Monitoring new programs: the guard process sets registry entries so that it becomes the open handler for every COM and EXE program, so opening a COM or EXE program activates the guard process. When the guard process is installed, it automatically sets the open handler for *.Exe and *.Com through file association, changing the registry value to the path of the guard process. As a result no EXE or COM program can be run directly by the operating system; all of them run through the guard process, except the guard process itself, which the operating system can open directly.
For example, the open handler of every COM and EXE program is associated with the path of the guard process:
Specifically, the default value of "My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command" and of "My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command" is changed to the guard process path: "X:\XXX\guard process name.exe";
Next, the file path of the program being opened is obtained from the Command start-up parameter and stored in the variable filepath; Command returns the argument portion of the command line and is a basic function of programs developed in VB. The guard process then calls the Wintrust.dll that ships with Windows to determine whether the newly launched COM or EXE program carries a valid, untampered, unexpired digital signature. If the check passes, the program is released to run. If it fails, the program is temporarily held as a suspicious program and is not allowed to run; the path of the suspended COM or EXE program is then passed inside the guard process by DDE message, and processing moves to the next stage;
2) Reverse engineering: an unpacking (shelling) program is provided for the guard process to call. The guard process calls the external unpacker with the received filepath as the start-up parameter; the unpacker returns to the guard process the address where the unpacked copy of the suspicious program is stored, and that address is kept in the variable UnpackedPath. The guard process converts the opcodes of the suspicious program recorded at UnpackedPath into the corresponding assembly code, thereby disassembling the suspicious program; the disassembly result is stored temporarily and automatically. The guard process automatically searches the disassembly result for every "CALL DWORD PTR [XXXXXXX]" statement, that is, for every subprocedure-call statement in the disassembly of the unpacked suspicious program, where [XXXXXXX] stands for assembly code. For each "CALL DWORD PTR [XXXXXXX]" statement found, it searches upward from that instruction, as far as the previous "CALL DWORD PTR [XXXXXXX]" statement, for "Push" statements. If two consecutive Push statements are found in the interval between two subprocedure-call statements, the two Push statements and the "CALL DWORD PTR [XXXXXXX]" statement found first are judged to form a copy statement together. The guard process records the addresses of the two Push statements, locates the Push target address for the address of each of the two Push statements, reads the hexadecimal-encoded data of the suspicious program at each Push target address, converts the hexadecimal data to plaintext Unicode, and stores the resulting Unicode strings in the array push(n) in the order in which they occur in the suspicious program;
The guard process then judges: if the returned array push(n) is in standard program file path format, the copy statement found is judged to be copying a program file. The procedure above (capturing a suspected copy command at a subprocedure-call statement, converting the target addresses to hexadecimal and then to Unicode, and judging whether it is a copy statement) is applied while traversing the whole disassembly of the suspicious program, collecting every copy statement encountered. push(n) is saved for further processing;
3) Propagating-copy judgment: define a score variable Count with initial value 0. In the push(n) array the strings of the Push target addresses are taken in pairs: the first of each pair is the source path and the second is the copy destination path. Each time a source path is the suspicious program's own path, Count+10. Each time a destination path is on a removable device or LAN storage, which is obvious propagation by copying, Count+40. Each time a destination path is in the Windows system directory, which is residence inside the system, Count+5;
If Count exceeds 100, it is counted as 100;
A threshold for propagating copies is set. The threshold corresponds to the security level of the guard process: the smaller the threshold, the higher the level of protection. If Count is above the threshold (and within the 100-point cap), the program is judged to perform propagating copies. Otherwise, if Count is below the threshold, it is judged to perform no propagating copies, the hold on the suspicious program is released, and it is allowed to run;
A program judged to perform propagating copies goes immediately to the next step;
4) Creating same-name high-privilege folders: the guard process performs folder creation. At every copy destination path of the propagating copies it creates a folder with the same name as the file the suspicious program would copy to that path. For example, if the suspicious program found by the guard process is named Virus.exe and one propagating copy statement copies from "Virus.exe" to "C:\windows\2.exe", then the copy destination path is "c:\windows\2.exe", and a folder is created according to "c:\windows\2.exe": the folder is named 2.exe and is located under c:\windows\. After the folder is created, it is set to hidden by modifying file attributes in VB, and through API calls to advapi32 and Kernel32 a temporary system-privilege user "SysUser" is created and the hidden folder just created is assigned "SysUser" permissions, i.e. system user permissions;
5) The virus errors out and exits: after step 4) has been carried out, the hold on the suspicious program is released and it is allowed to run. When a suspicious program with propagating copies executes its file copy instruction, it runs into the same-name folder created in step 4), that is, the high-privilege antibody folder; a RuntimeError occurs and an error dialog box pops up. After the error dialog appears, owing to the behavior of the Microsoft operating system, the suspicious program is terminated by the operating system because of the error;
Through the above steps, the computer is automatically protected against virus programs.
In step 3), removable storage and network storage are identified by enumerating the computer's hard disks or through the Kernel32 API.
Further, after step 4) is carried out, the guard process deletes the unpacked temporary file of the suspicious program.
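The name collision that steps 4) and 5) rely on can be reproduced on any file system. The following is an added example, not code from the patent: it models only the same-name folder (not the hidden attribute or the "SysUser" permissions), and the function names and the file names other than Setup.exe and winlogOn.exe are assumptions.

```python
import os
import shutil
import tempfile


def place_antibodies(destinations):
    """Create a directory at each predicted copy destination (step 4).

    os.mkdir is used because it fails if anything already occupies the path,
    so a file that is already there is never replaced by the guard.
    """
    created, skipped = [], []
    for dst in destinations:
        try:
            os.mkdir(dst)
            created.append(dst)
        except FileExistsError:
            skipped.append(dst)   # something already exists: leave it alone
    return created, skipped


def copy_is_blocked(src, dst):
    """Attempt the file copy (step 5) and report whether the folder stopped it."""
    try:
        shutil.copyfile(src, dst)
    except OSError:               # IsADirectoryError or PermissionError
        return os.path.isdir(dst)
    return False


def remove_antibodies(created):
    """Roll back: remove only the (still empty) folders the guard created."""
    for path in created:
        os.rmdir(path)


def demo():
    """Run the whole sequence in a scratch directory with constructed files."""
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "Setup.exe")
        with open(src, "wb") as fh:
            fh.write(b"constructed sample bytes")
        guarded = os.path.join(root, "winlogOn.exe")
        existing = os.path.join(root, "present.exe")   # hypothetical existing file
        with open(existing, "wb") as fh:
            fh.write(b"already here")
        unguarded = os.path.join(root, "other.exe")    # hypothetical, no folder

        created, skipped = place_antibodies([guarded, existing])
        result = {
            "created": [os.path.basename(p) for p in created],
            "skipped": [os.path.basename(p) for p in skipped],
            "guarded_blocked": copy_is_blocked(src, guarded),
            "unguarded_blocked": copy_is_blocked(src, unguarded),
        }
        remove_antibodies(created)
        result["blocked_after_removal"] = copy_is_blocked(src, guarded)
        return result


if __name__ == "__main__":
    print(demo())
```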
A concrete implementation of the invention is described below through an example. In this example the guard process of the invention is named Behold.com and is a COM program.
1. A Panda Burning Incense virus sample, H:\Setup.exe, is double-clicked and opened by the user;
2. Setup.exe is automatically run with Behold.com as its open handler;
3. Behold.com is activated and run by the operating system with "H:\Setup.exe" as the Command start-up parameter;
4. The SignatureCheck function in Behold.com checks the digital signature of "H:\Setup.exe" and finds no signature;
5. Behold.com sends "H:\Setup.exe" to the guard process's PCIS|FormDDE interface;
6. The guard process obtains the path of the suspended program through DDE (the PCIS|FormDDE interface) and automatically starts the virtual machine unpacking SDK (VMUnpackerSDK) with "H:\Setup.exe" as the start-up parameter;
7. The virtual machine unpacking SDK (VMUnpackerSDK) returns UnpackedPath="H:\Setup~.exe~" to the guard process's DDE (PCIS|FormDDE interface);
8. The guard process calls the clsDisAssemble class module through the disassembler call clsDisAssemble.DisAssemble("H:\Setup~.exe~", 0) to perform the disassembly;
9. The guard process begins searching the disassembly result Result for "CALL DWORD PTR";
9-1. The guard process finds "CALL DWORD PTR DS:[<&KERNEL32.GetStartup>]" in the disassembly result Result;
9-1-1. The guard process searches for "push" statements starting above "CALL DWORD PTR DS:[<&KERNEL32.GetStartup>]" and going up to just below the previous subprocedure-call statement;
9-1-2. The guard process finds none;
9-1-3. This call is discarded and the search continues;
9-2. The guard process finds "CALL DWORD PTR SS:[EBP+14]" in the disassembly result Result;
9-2-1. The guard process searches for "push" statements starting above "CALL DWORD PTR SS:[EBP+14]" and going up to just below the previous subprocedure-call statement;
9-2-2. The guard process finds "PUSH EBX", "PUSH ESI", "PUSH EDI";
9-2-3. This call is discarded and the search continues;
9-3. The guard process finds "CALL DWORD PTR DS:[<&KERNEL32.copyfile>]" in the disassembly result Result;
9-3-1. The guard process searches for "push" statements starting above "CALL DWORD PTR DS:[<&KERNEL32.copyfile>]" and going up to just below the previous subprocedure-call statement;
9-3-2. The guard process finds "PUSH setup.0041A2D9", "PUSH setup1.0041A282";
9-3-3. Using GetHex2Unicode(0041A2D9) and GetHex2Unicode(0041A282), the guard process converts the hex code at the pushed addresses to Unicode: push(0)="Setup.exe", push(1)="C:\windows\winlogOn.exe".
9-3-4. The guard process makes a simple judgment and concludes that Push(0) and Push(1) are file paths.
9-n. The guard process repeats the search and judgment by the rules above until it has finally processed all of Push(n).
10. By the Count accumulation algorithm in the "propagating-copy judgment" section above, the final Count=100.
11. The guard process creates folders at the file paths in push(n) (n odd), such as "C:\windows\winlogOn.exe", raises the folders' administrative permissions, and sets them invisible.
12. The guard process releases the hold on "H:\Setup.exe" with Shell "H:\Setup.exe", vbNormalFocus and allows it to run.
13. When "H:\Setup.exe", running normally, reaches the copy statement, it encounters RuntimeError53, pops up an error box, and then exits.
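The scan of items 9-1 to 9-3 and the Count scoring of step 3) can be written as a short static check over a disassembly listing. This is an added example, not the patent's VB code: the listing, the address-to-bytes table standing in for the unpacked image, the second copyfile call with address 0041A300, the drive-type map, and all function names are constructed assumptions.

```python
import re

# Constructed listing modeled on walk-through items 9-1 to 9-3; the second
# copyfile call and address 0041A300 are sample values added for illustration.
LISTING = """\
CALL DWORD PTR DS:[<&KERNEL32.GetStartup>]
PUSH EBX
PUSH ESI
PUSH EDI
CALL DWORD PTR SS:[EBP+14]
PUSH setup.0041A2D9
PUSH setup1.0041A282
CALL DWORD PTR DS:[<&KERNEL32.copyfile>]
MOV EAX,1
PUSH setup.0041A2D9
PUSH setup.0041A300
CALL DWORD PTR DS:[<&KERNEL32.copyfile>]
"""

# Constructed stand-in for the unpacked image: address -> UTF-16LE bytes.
IMAGE = {
    0x0041A2D9: "Setup.exe".encode("utf-16-le"),
    0x0041A282: r"C:\windows\winlogOn.exe".encode("utf-16-le"),
    0x0041A300: r"E:\Setup.exe".encode("utf-16-le"),
}
DRIVE_KINDS = {"c:": "fixed", "e:": "removable"}   # assumed drive classification

CALL_RE = re.compile(r"^\s*CALL\s+DWORD\s+PTR\b", re.I)
PUSH_RE = re.compile(r"^\s*PUSH\s+(\S+)\s*$", re.I)
ADDR_RE = re.compile(r"^(?:\w+\.)?([0-9A-F]{8})$", re.I)
PATH_RE = re.compile(r'^(?:[A-Z]:\\|\\\\)?(?:[^\\/:*?"<>|]+\\)*[^\\/:*?"<>|]+\.\w+$', re.I)


def resolve(operand, image):
    """Turn a PUSH operand such as setup.0041A2D9 into the string stored there."""
    m = ADDR_RE.match(operand)
    if not m:
        return None                    # register operand, not a data address
    raw = image.get(int(m.group(1), 16))
    return raw.decode("utf-16-le") if raw else None


def find_copy_pairs(listing, image):
    """Return (source, destination) for each CALL DWORD PTR whose interval back
    to the previous CALL holds exactly two adjacent PUSHes of file paths."""
    pairs, pushes = [], []             # pushes: (line number, operand)
    for no, line in enumerate(listing.splitlines()):
        m = PUSH_RE.match(line)
        if m:
            pushes.append((no, m.group(1)))
        elif CALL_RE.match(line):
            if len(pushes) == 2 and pushes[1][0] - pushes[0][0] == 1:
                texts = [resolve(op, image) for _, op in pushes]
                if all(t and PATH_RE.match(t) for t in texts):
                    pairs.append(tuple(texts))   # program order: source first
            pushes = []                # a CALL closes the interval
    return pairs


def score(pairs, suspect_path, drive_kinds, windows_dir=r"C:\Windows"):
    """Accumulate Count with the page's weights (+10, +40, +5), capped at 100."""
    own = suspect_path.lower()
    own_name = own.rsplit("\\", 1)[-1]
    sysdir = windows_dir.lower().rstrip("\\") + "\\"
    count = 0
    for src, dst in pairs:
        s, d = src.lower(), dst.lower()
        if s == own or ("\\" not in s and s == own_name):
            count += 10                # source is the suspect itself
        if d.startswith("\\\\") or drive_kinds.get(d[:2]) in ("removable", "network"):
            count += 40                # removable device or LAN storage
        if d.startswith(sysdir):
            count += 5                 # Windows system directory
    return min(count, 100)


def is_propagating(count, threshold):
    # The page flags Count above the threshold; the equal case is not defined
    # there and is treated as "not propagating" in this sketch.
    return count > threshold
```

With the constructed listing the two copyfile calls yield two path pairs and a Count of 65; the register pushes before "CALL DWORD PTR SS:[EBP+14]" are discarded exactly as in item 9-2-3.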

Claims (3)

1. An automatic protection method against computer viruses, characterized in that it takes the human immune system as its model; a guard process is built and installed on the computer; by monitoring new programs, reverse engineering them, identifying propagating (diffusive) copy statements and obtaining the copy destination paths, and automatically creating high-privilege antibody folders, the guard process simulates the human immune system's BCR homology judgment, MHC II presentation of peptide fragments, and B-cell release of antibodies, making the computer immune to virus programs; the guard process runs on a standalone machine and the operating system is any Windows version from Windows 2000 onward; the method comprises the following steps:
1) Monitoring new programs: the guard process sets registry entries so that it becomes the open handler for every COM and EXE program, so opening a COM or EXE program activates the guard process. The guard process learns the file path of the program being opened from the Command start-up parameter and stores it in the variable filepath. The guard process then calls the Wintrust.dll that ships with Windows to determine whether the newly launched COM or EXE program carries a valid, untampered, unexpired digital signature. If the check passes, the program is released to run. If it fails, the program is temporarily held as a suspicious program and is not allowed to run; the path of the suspended COM or EXE program is then passed inside the guard process by DDE message, and processing moves to the next stage;
2) Reverse engineering: an unpacking (shelling) program is provided for the guard process to call. The guard process calls the external unpacker with the received filepath as the start-up parameter; the unpacker returns to the guard process the address where the unpacked copy of the suspicious program is stored, and that address is kept in the variable UnpackedPath. The guard process converts the opcodes of the suspicious program recorded at UnpackedPath into the corresponding assembly code, thereby disassembling the suspicious program; the disassembly result is stored temporarily and automatically. The guard process automatically searches the disassembly result for every "CALL DWORD PTR [XXXXXXX]" statement, that is, for every subprocedure-call statement in the disassembly of the unpacked suspicious program, where [XXXXXXX] stands for assembly code. For each "CALL DWORD PTR [XXXXXXX]" statement found, it searches upward from that instruction, as far as the previous "CALL DWORD PTR [XXXXXXX]" statement, for "Push" statements. If two consecutive Push statements are found in the interval between two subprocedure-call statements, the two Push statements and the "CALL DWORD PTR [XXXXXXX]" statement found first are judged to form a copy statement together. The guard process records the addresses of the two Push statements, locates the Push target address of each, reads the hexadecimal-encoded data of the suspicious program at each Push target address, converts the hexadecimal data to plaintext Unicode, and stores the resulting Unicode strings in the array push(n) in the order in which they occur in the suspicious program;
The guard process then judges: if the returned array push(n) is in standard program file path format, the copy statement found is judged to be copying a program file. The procedure above (capturing a suspected copy command at a subprocedure-call statement, converting the target addresses to hexadecimal and then to Unicode, and judging whether it is a copy statement) is applied while traversing the whole disassembly of the suspicious program, collecting every copy statement encountered. push(n) is saved for further processing;
3) Propagating-copy judgment: define a score variable Count with initial value 0. In the push(n) array the strings of the Push target addresses are taken in pairs: the first of each pair is the source path and the second is the copy destination path. Each time a source path is the suspicious program's own path, Count+10. Each time a destination path is on a removable device or LAN storage, which is obvious propagation by copying, Count+40. Each time a destination path is in the Windows system directory, which is residence inside the system, Count+5;
If Count exceeds 100, it is counted as 100;
A threshold for propagating copies is set. The threshold corresponds to the security level of the guard process: the smaller the threshold, the higher the level of protection. If Count is above the threshold (and within the 100-point cap), the program is judged to perform propagating copies. Otherwise, if Count is below the threshold, it is judged to perform no propagating copies, the hold on the suspicious program is released, and it is allowed to run;
A program judged to perform propagating copies goes immediately to the next step;
4) Creating same-name high-privilege folders: the guard process performs folder creation. At every copy destination path of the propagating copies it creates a folder with the same name as the file the suspicious program would copy to that path. The folder is set to hidden by modifying file attributes in VB, and through API calls to advapi32 and Kernel32 a temporary system-privilege user "SysUser" is created and the hidden folder just created is assigned "SysUser" permissions, i.e. system user permissions;
5) The virus errors out and exits: after step 4) has been carried out, the hold on the suspicious program is released and it is allowed to run. When a suspicious program with propagating copies executes its file copy instruction, it runs into the same-name folder created in step 4), that is, the high-privilege antibody folder; a RuntimeError occurs and an error dialog box pops up. After the error dialog appears, owing to the behavior of the Microsoft operating system, the suspicious program is terminated by the operating system because of the error;
Through the above steps, the computer is automatically protected against virus programs.
2. The automatic protection method against computer viruses according to claim 1, characterized in that in step 3) removable storage and network storage among the copy targets are identified by enumerating the computer's hard disk drive letters or through the Kernel32 API.
3. The automatic protection method against computer viruses according to claim 1 or 2, characterized in that after step 4) is carried out the guard process deletes the unpacked temporary file of the suspicious program.
CN201010598234A 2010-12-21 2010-12-21 Automatic protection method for computer virus Active CN102034047B (en)


Publications (2)

Publication Number Publication Date
CN102034047A true CN102034047A (en) 2011-04-27
CN102034047B CN102034047B (en) 2012-10-17

Family

ID=43886927

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010598234A Active CN102034047B (en) 2010-12-21 2010-12-21 Automatic protection method for computer virus

Country Status (1)

Country Link
CN (1) CN102034047B (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003012643A1 (en) * 2001-08-01 2003-02-13 Networks Associates Technology, Inc. Virus scanning on thin client devices using programmable assembly language
CN1641516A (en) * 2004-01-05 2005-07-20 华为技术有限公司 Method for ensuring system safety for window operating system
CN1900940A (en) * 2006-07-19 2007-01-24 谢朝霞 Method for computer safety start
CN101183414A (en) * 2007-12-07 2008-05-21 白杰 Program detection method, device and program analyzing method

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102306254B (en) * 2011-08-29 2016-12-14 北京奇虎科技有限公司 A kind of virus or the defence method of rogue program and system
CN102306254A (en) * 2011-08-29 2012-01-04 奇智软件(北京)有限公司 Method and system for defending viruses or malicious programs
CN103544431A (en) * 2012-07-09 2014-01-29 腾讯科技(深圳)有限公司 Immune method, system and device for illegal program
CN103544431B (en) * 2012-07-09 2016-01-06 腾讯科技(深圳)有限公司 A kind of immunization method to illegal program, system and device
CN102930209A (en) * 2012-10-16 2013-02-13 北京奇虎科技有限公司 File processing method and file processing device in mobile equipment
CN102930209B (en) * 2012-10-16 2016-04-27 北京奇虎科技有限公司 The document handling method of movable storage device and document handling apparatus
CN103793209A (en) * 2012-10-26 2014-05-14 珠海市君天电子科技有限公司 Method and system for modifying Android program execution flow
CN109254877A (en) * 2018-09-11 2019-01-22 广州骏凯永卓信息科技有限公司 A kind of Monitoring and maintenance system of enterprise's computer software fault
CN112100618A (en) * 2019-06-18 2020-12-18 深信服科技股份有限公司 Virus file detection method, system, equipment and computer storage medium
CN112100618B (en) * 2019-06-18 2023-12-29 深信服科技股份有限公司 Virus file detection method, system, equipment and computer storage medium
CN110933057A (en) * 2019-11-21 2020-03-27 深圳渊联技术有限公司 Internet of things security terminal and security control method thereof
CN110933057B (en) * 2019-11-21 2021-11-23 深圳渊联技术有限公司 Internet of things security terminal and security control method thereof
CN113177207A (en) * 2021-04-27 2021-07-27 顶象科技有限公司 Virus immunization method and device and electronic equipment

Also Published As

Publication number Publication date
CN102034047B (en) 2012-10-17

Similar Documents

Publication Publication Date Title
CN102034047B (en) Automatic protection method for computer virus
CN106790186B (en) Multi-step attack detection method based on multi-source abnormal event correlation analysis
CN106506435B (en) For detecting the method and firewall system of network attack
Cozzie et al. Digging for Data Structures.
CN107004089A (en) Malware detection method and its system
KR101260028B1 (en) Automatic management system for group and mutant information of malicious code
Yoon et al. Forensic investigation framework for the document store NoSQL DBMS: MongoDB as a case study
CN104023034A (en) Security defensive system and defensive method based on software-defined network
Xiao et al. From patching delays to infection symptoms: Using risk profiles for an early discovery of vulnerabilities exploited in the wild
CN105956468B (en) A kind of Android malicious application detection method and system based on file access dynamic monitoring
CN103886259B (en) Kernel level rootkit based on Xen virtualized environment detection and processing method
US20190243912A1 (en) Rapid design, development, and reuse of blockchain environment and smart contracts
CN101183414A (en) Program detection method, device and program analyzing method
CN107688743A (en) The determination method and system of a kind of rogue program
CN106302404B (en) A kind of collection network is traced to the source the method and system of information
CN106355092B (en) System and method for optimizing anti-virus measurement
CN110826058B (en) Device, method and medium for malware detection based on user interaction
CN106384048A (en) Threat message processing method and device
CN105897752A (en) Safety detection method and device of unknown domain name
CN109543410A (en) One kind being based on the associated malicious code detecting method of Semantic mapping
CN107515778A (en) A kind of origin method for tracing and system based on context-aware
Win et al. Detection of malware and kernel-level rootkits in cloud computing environments
CN107644161A (en) Safety detecting method, device and the equipment of sample
CN105683985B (en) For virtual machine idiotropic system, method and non-transitory computer-readable medium
Li et al. Large-scale third-party library detection in android markets

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: JIANGSU GUORUI XINAN TECHNOLOGY CO., LTD.

Free format text: FORMER OWNER: YAO ZHIHAO

Effective date: 20130926

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 210018 NANJING, JIANGSU PROVINCE TO: 210023 NANJING, JIANGSU PROVINCE

TR01 Transfer of patent right

Effective date of registration: 20130926

Address after: 210023, 20, Xu Zhuang base, Jiangsu Software Park, 699-22 Xuanwu Avenue, Jiangsu, Nanjing

Patentee after: Jiangsu GuoRui XinAn Technology Co., Ltd.

Address before: 210018, Jiangsu Province, Xuanwu District, Nanjing four archway 61, created software building, room 632

Patentee before: Yao Zhihao

C53 Correction of patent for invention or patent application
CB03 Change of inventor or designer information

Inventor after: Yao Zhihao

Inventor after: Wu Hesheng

Inventor before: Yao Zhihao

COR Change of bibliographic data

Free format text: CORRECT: INVENTOR; FROM: YAO ZHIHAO TO: YAO ZHIHAO WU HESHENG