Summary of the invention
The problem to be solved by the present invention is: most existing virus-killing technologies rely on a virus signature database to kill viruses, which consumes computer system resources; the virus database must be updated regularly; the computer system's protection against viruses is passive; and newly emerging viruses cannot be defended against at the first moment.
The technical scheme of the present invention is a computer virus automatic protection method that takes the human immune system as its model. A guard process is built and installed on the computer. By monitoring new programs, reverse engineering them, identifying diffusive copy statements and obtaining their copy destination paths, and automatically creating high-privilege antibody files, the guard process simulates the human immune system's processes of BCR homology judgement, MHC II peptide presentation and B-cell antibody release, and so gives the computer immunity to viruses. The running environment of the guard process is a single machine, and the operating system is any Windows version from Windows 2000 onwards. The method comprises the following steps:
1) Monitoring new programs: the guard process is set up in the registry as the opening method for any COM or EXE program, so that the guard process is activated whenever a COM or EXE program is opened. The file path and name of the program being opened is obtained from the Command start-up parameter and stored in the variable filepath. The guard process then calls Wintrust.dll, which ships with the Windows system, to judge whether the newly run COM or EXE program carries a legal, untampered and unexpired digital signature. If it does, the program is released to run; if not, the program is temporarily detained as a suspicious program and not allowed to run, and the program path of the suspended COM or EXE program is passed on within the guard process by DDE message to the next processing flow;
2) Reverse engineering: an unpacking program is set up for the guard process to call. The guard process calls the external unpacking program with the received filepath as its start-up parameter; the unpacking program returns to the guard process the address at which the unpacked copy of the suspicious program has been stored separately, and this address is stored in the variable UnpackedPath. The guard process converts the OPCODE bytes of the suspicious program recorded in UnpackedPath into the corresponding assembler code, thereby disassembling the suspicious program, and the disassembly result is automatically stored temporarily. The guard process then automatically searches the disassembly result for all "CALL DWORD PTR[XXXXXXX]" statements, i.e. for all subroutine-call statements in the disassembled code of the unpacked suspicious program, where [XXXXXXX] stands for the assembly operand. Whenever a "CALL DWORD PTR[XXXXXXX]" statement is found, the guard process automatically searches upward from that instruction for "Push" statements in the interval up to the preceding "CALL DWORD PTR[XXXXXXX]"; if two Push statements are found within the interval between the two subroutine-call statements, those two Push statements together with the "CALL DWORD PTR[XXXXXXX]" statement found first are determined to form a copy statement. The guard process records the addresses of the two push statements, locates the Push destination address of each, determines the hexadecimal data in the suspicious program that corresponds to each address, converts that hexadecimal data into the plaintext form of its Unicode code, and stores the resulting Unicode strings in the array push(n) in the order in which they appear in the suspicious program;
The guard process then judges: if the returned array push(n) has the form of a standard program file path, the copy statement found is judged to be a copy of an executable program file. This process of intercepting a suspected copy command (a subroutine-call statement), converting the target addresses to hexadecimal and further to Unicode, and judging whether the result is a copy statement is carried out while traversing the whole disassembled code of the suspicious program, collecting every copy statement encountered; push(n) is saved for further processing;
3) Diffusive copy judgement: a score variable Count with initial value 0 is defined. In the push(n) array, each pair of Push destination addresses has the character that the first is the original (source) path and the second is the copy destination path. Every time the original path is the suspicious program's own path, Count+10; every time the destination path is a removable device or LAN (local area network) storage, which is obvious diffusion propagation copying, Count+40; every time the destination path is the Windows system directory, which is internal system residency, Count+5;
If Count exceeds 100, it is counted as 100 points;
A threshold for diffusive copying is set. The threshold corresponds to the security level of the guard process: the smaller the threshold, the higher the protection level. If Count is higher than the threshold (up to the 100-point cap), the program is judged to perform diffusive copying; otherwise, if Count is below the threshold, it is judged non-diffusive copying, and the related suspicious program is unfrozen and allowed to run;
A program judged diffusive immediately enters the next step of processing;
4) Creating high-privilege folders of the same name: the guard process performs a folder creation operation, creating a folder at each of the diffusive copy destination paths of a program judged diffusive; the folder has the same name as the file at the suspicious program's copy destination path. The folder is set to hidden by the VB method of modifying file attributes, and through API calls to advapi32 and Kernel32 a temporary system-privilege user "SysUser" is established on the computer and the newly created hidden folder is assigned "SysUser" privilege, i.e. system user privilege;
5) The virus errors out and exits: after step 4) has been executed, the detained suspicious program is unfrozen and allowed to run. When a suspicious program that performs diffusive copying then executes its file copy instruction, it encounters the same-name folder created in step 4), i.e. the high-privilege antibody file; a RuntimeError occurs and error dialog boxes of various kinds pop up. After the error dialog pops up, the suspicious program, owing to the characteristics of the Microsoft operating system, errors out and is terminated by the operating system;
Through the above steps, automatic protection of the computer against viruses is achieved.
In step 3), removable storage and network storage among the copy targets are identified by traversing the computer's hard disk drive letters or through the Kernel32 API.
In step 4), the guard process deletes the unpacked temporary file of the suspicious program.
The present invention takes as its model the immune mechanism by which the human immune system acts against bacteria and viruses. Using computer organization principles such as program disassembly, code conversion, PE file analysis and run-time errors, and based on that immune mechanism, it achieves a virus-signature-free, purely stand-alone architecture that needs no networked updating. Like MHC II in the human immune system it intelligently analyses viruses, and imitating B cells it automatically generates antibody files that cause the computer virus to error out and be terminated by the operating system, so that the stand-alone machine possesses self-immunity.
Compared with the prior art, the present invention has no virus database, needs no manual scanning and no networked updating of a virus database; it automatically produces antibodies against computer malicious programs (commonly called viruses), effectively intercepts them, and gives the computer an active defence capability against viruses. Under test, the interception rate for the viruses tested reached more than 99.7%; in the certification inspection results of the Software Product Inspection Center of the Jiangsu Province Information Industry Department, a program written using the method of the invention intercepted all the computer viruses tested on site.
Embodiment
As shown in Fig. 1 and Fig. 2, the present invention takes the human immune system as its model. A guard process is built and installed on the computer. By monitoring new programs, reverse engineering them, identifying diffusive copy statements and obtaining their copy destination paths, and automatically creating high-privilege antibody files, the guard process simulates the human immune system's processes of BCR homology judgement, MHC II peptide presentation and B-cell antibody release, giving the computer immunity to viruses. The method comprises the following steps:
1) Monitoring new programs: the guard process is set up in the registry as the opening method for any COM or EXE program, so that the guard process is activated whenever a COM or EXE program is opened. When the guard process is installed, it automatically sets the opening method of *.Exe and *.Com by file association, changing the registry entry value to the path of the associated guard process. As a result, no EXE or COM program is run directly by the operating system; all of them run through the guard process, the guard process itself being excluded so that it can be opened directly by the operating system.
For example, the opening method of any COM or EXE program is associated with the path of the guard process as follows:
Detailed process: change the (Default) values of "My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command" and "My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command" to the guard process path "X:\XXX\guard process name.exe";
Next, the file path and name of the program being opened is obtained from the Command start-up parameter and stored in the variable filepath; the Command start-up parameter returns the argument part of the command line and is a basic function of programs developed in VB. The guard process then calls Wintrust.dll, which ships with the Windows system, to judge whether the newly run COM or EXE program carries a legal, untampered and unexpired digital signature. If it does, the program is released to run; if not, the program is temporarily detained as a suspicious program and not allowed to run, and the program path of the suspended COM or EXE program is passed on within the guard process by DDE message to the next processing flow;
2) Reverse engineering: an unpacking program is set up for the guard process to call. The guard process calls the external unpacking program with the received filepath as its start-up parameter; the unpacking program returns to the guard process the address at which the unpacked copy of the suspicious program has been stored separately, and this address is stored in the variable UnpackedPath. The guard process converts the OPCODE bytes of the suspicious program recorded in UnpackedPath into the corresponding assembler code, thereby disassembling the suspicious program, and the disassembly result is automatically stored temporarily. The guard process then automatically searches the disassembly result for all "CALL DWORD PTR[XXXXXXX]" statements, i.e. for all subroutine-call statements in the disassembled code of the unpacked suspicious program, where [XXXXXXX] stands for the assembly operand. Whenever a "CALL DWORD PTR[XXXXXXX]" statement is found, the guard process automatically searches upward from that instruction for "Push" statements in the interval up to the preceding "CALL DWORD PTR[XXXXXXX]"; if two Push statements are found within the interval between the two subroutine-call statements, those two Push statements together with the "CALL DWORD PTR[XXXXXXX]" statement found first are determined to form a copy statement. The guard process records the addresses of the two push statements, locates the Push destination address of each, determines the hexadecimal data in the suspicious program that corresponds to each address, converts that hexadecimal data into the plaintext form of its Unicode code, and stores the resulting Unicode strings in the array push(n) in the order in which they appear in the suspicious program;
The guard process then judges: if the returned array push(n) has the form of a standard program file path, the copy statement found is judged to be a copy of an executable program file. This process of intercepting a suspected copy command (a subroutine-call statement), converting the target addresses to hexadecimal and further to Unicode, and judging whether the result is a copy statement is carried out while traversing the whole disassembled code of the suspicious program, collecting every copy statement encountered; push(n) is saved for further processing;
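A Python rendering of this search, added here as an illustration and not code from the patent (whose guard process is written in VB): it scans a constructed OllyDbg-style listing modelled on the worked embodiment, pairs the two PUSH immediates that precede a CALL DWORD PTR, resolves them through a constructed string table standing in for GetHex2Unicode, and keeps only pairs that have program-file-path form. LISTING, IMAGE and the regexes are assumptions of this example.

```python
import re
from typing import List, Optional, Tuple

# Constructed disassembly listing in the OllyDbg-style notation the page quotes;
# it mirrors the three CALL sites of the worked embodiment and is not a real sample.
LISTING = """\
00401000  PUSH EBP
00401001  MOV EBP,ESP
00401003  CALL DWORD PTR DS:[<&KERNEL32.GetStartupInfoA>]
00401009  PUSH EBX
0040100A  PUSH ESI
0040100B  PUSH EDI
0040100C  CALL DWORD PTR SS:[EBP+14]
00401011  PUSH setup.0041A2D9
00401016  PUSH setup.0041A282
0040101B  CALL DWORD PTR DS:[<&KERNEL32.CopyFileW>]
"""

# Constructed stand-in for the unpacked image's data: address -> raw bytes.
# The page's GetHex2Unicode reads the bytes at a pushed address as a
# NUL-terminated UTF-16LE string; this table lets the example run without a PE file.
IMAGE = {
    0x0041A2D9: "Setup.exe".encode("utf-16-le") + b"\x00\x00",
    0x0041A282: "C:\\windows\\winlogOn.exe".encode("utf-16-le") + b"\x00\x00",
}

PUSH_IMM = re.compile(r"^\s*[0-9A-F]{8}\s+PUSH\s+(?:\w+\.)?([0-9A-F]{8})\s*$", re.I)
IS_CALL = re.compile(r"^\s*[0-9A-F]{8}\s+CALL DWORD PTR", re.I)
# "standard program file path form": optional drive, no illegal NTFS name characters,
# ending in .exe or .com (a bare "Setup.exe" counts, as in the embodiment)
PATH_FORM = re.compile(r'^(?:[A-Za-z]:\\)?[^<>:"|?*\x00]+\.(?:exe|com)$', re.I)


def hex2unicode(addr: int) -> Optional[str]:
    """Decode the NUL-terminated UTF-16LE string at addr, or None if absent."""
    raw = IMAGE.get(addr)
    if raw is None:
        return None
    for i in range(0, len(raw) - 1, 2):
        if raw[i:i + 2] == b"\x00\x00":
            return raw[:i].decode("utf-16-le")
    return None


def find_copy_statements(listing: str) -> List[Tuple[str, str]]:
    """For each CALL DWORD PTR, look at the PUSHes since the previous CALL: exactly
    two immediates that both decode to program-file paths form one copy statement,
    returned as (source path, destination path) in program order, as the page does."""
    found = []
    pushes: List[Optional[int]] = []   # one entry per PUSH line; None = register push
    for line in listing.splitlines():
        if IS_CALL.match(line):
            if len(pushes) == 2 and None not in pushes:
                pair = [hex2unicode(a) for a in pushes]
                if all(s and PATH_FORM.match(s) for s in pair):
                    found.append((pair[0], pair[1]))
            pushes = []                 # the interval ends at every CALL
        elif re.search(r"\bPUSH\b", line, re.I):
            m = PUSH_IMM.match(line)
            pushes.append(int(m.group(1), 16) if m else None)
    return found
```

The GetStartup site (no PUSH) and the EBP+14 site (three register PUSHes) are abandoned exactly as in the embodiment; only the CopyFileW site yields a pair.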
3) Diffusive copy judgement: a score variable Count with initial value 0 is defined. In the push(n) array, each pair of Push destination addresses has the character that the first is the original (source) path and the second is the copy destination path. Every time the original path is the suspicious program's own path, Count+10; every time the destination path is a removable device or LAN (local area network) storage, which is obvious diffusion propagation copying, Count+40; every time the destination path is the Windows system directory, which is internal system residency, Count+5;
If Count exceeds 100, it is counted as 100 points;
A threshold for diffusive copying is set. The threshold corresponds to the security level of the guard process: the smaller the threshold, the higher the protection level. If Count is higher than the threshold (up to the 100-point cap), the program is judged to perform diffusive copying; otherwise, if Count is below the threshold, it is judged non-diffusive copying, and the related suspicious program is unfrozen and allowed to run;
A program judged diffusive immediately enters the next step of processing;
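The Count scoring and threshold rule of this step, written out as an added Python example (not the patent's own code). The push(n) array, the removable-drive set and the Windows directory are constructed constants here, standing in for the drive-letter walk or Kernel32 check the page says the real guard process performs.

```python
import ntpath
from typing import List

# Constructed push(n) array in the shape step 2 leaves it: even index = source path,
# odd index = copy destination path.  Sample values, not taken from a real program.
PUSH_N = [
    "H:\\Setup.exe", "C:\\windows\\winlogOn.exe",        # self -> Windows directory
    "H:\\Setup.exe", "F:\\autorun\\Setup.exe",           # self -> removable device
    "H:\\Setup.exe", "\\\\FILESRV\\share\\Setup.exe",    # self -> LAN storage
]

# Assumed constants: the page identifies removable and network storage by walking
# the drive letters or through the Kernel32 API; here the answer is fixed so the
# scoring runs on any system.
REMOVABLE_DRIVES = {"F:"}
WINDOWS_DIR = "C:\\windows"


def is_removable_or_network(path: str) -> bool:
    drive, _ = ntpath.splitdrive(path)       # "\\\\server\\share" or "F:"
    return drive.startswith("\\\\") or drive.upper() in REMOVABLE_DRIVES


def is_windows_dir(path: str) -> bool:
    return ntpath.normcase(ntpath.dirname(path)) == ntpath.normcase(WINDOWS_DIR)


def count_score(push_n: List[str], self_path: str) -> int:
    """Step 3 scoring: +10 per pair whose source is the program's own path, +40 per
    destination on removable/LAN storage, +5 per destination in the Windows
    directory; anything above 100 is counted as 100."""
    count = 0
    for src, dst in zip(push_n[0::2], push_n[1::2]):
        if ntpath.normcase(src) == ntpath.normcase(self_path):
            count += 10
        if is_removable_or_network(dst):
            count += 40
        if is_windows_dir(dst):
            count += 5
    return min(count, 100)


def is_diffusive(score: int, threshold: int) -> bool:
    """Page rule: a score above the threshold (within the 100 cap) means diffusive
    copying; a smaller threshold means a higher protection level."""
    return threshold < score <= 100


def judge(push_n: List[str], self_path: str, threshold: int) -> bool:
    return is_diffusive(count_score(push_n, self_path), threshold)
```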
4) Creating high-privilege folders of the same name: the guard process performs a folder creation operation, creating a folder at each of the diffusive copy destination paths of a program judged diffusive; the folder has the same name as the file at the suspicious program's copy destination path. For example, if the suspicious program found by the guard process is called Virus.exe and one of its diffusive copy statements copies from "Virus.exe" to "C:\windows\2.exe", then the copy destination path is "c:\windows\2.exe", and a folder is created according to "c:\windows\2.exe": the folder is named 2.exe and placed under c:\windows. After the folder is created, it is set to hidden by the VB method of modifying file attributes, and through API calls to advapi32 and Kernel32 a temporary system-privilege user "SysUser" is established on the computer and the newly created hidden folder is assigned "SysUser" privilege, i.e. system user privilege;
5) The virus errors out and exits: after step 4) has been executed, the detained suspicious program is unfrozen and allowed to run. When a suspicious program that performs diffusive copying then executes its file copy instruction, it encounters the same-name folder created in step 4), i.e. the high-privilege antibody file; a RuntimeError occurs and error dialog boxes of various kinds pop up. After the error dialog pops up, the suspicious program, owing to the characteristics of the Microsoft operating system, errors out and is terminated by the operating system;
Through the above steps, automatic protection of the computer against viruses is achieved.
Wherein, in step 3), removable storage and network storage are identified by traversing the computer's hard disk drive letters or through the Kernel32 API.
Further, in step 4), the guard process deletes the unpacked temporary file of the suspicious program.
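An added, cross-platform demonstration of the antibody mechanism of steps 4) and 5), not code from the patent: planting a folder bearing the destination file's name makes the copy fail with an OSError, the same collision the page describes as a RuntimeError. The hidden attribute is set only on Windows, and the SysUser privilege step is omitted; the temporary directory, file names and contents are constructed.

```python
import ctypes
import os
import shutil
import tempfile

FILE_ATTRIBUTE_HIDDEN = 0x2   # Win32 constant used by SetFileAttributesW


def plant_antibody(dest_path: str) -> bool:
    """Step 4): create a folder bearing the exact name of the file the copy
    statement would write, so the destination is already occupied."""
    os.makedirs(dest_path, exist_ok=True)
    if os.name == "nt":   # the page hides the folder; only possible on Windows
        ctypes.windll.kernel32.SetFileAttributesW(dest_path, FILE_ATTRIBUTE_HIDDEN)
    return os.path.isdir(dest_path)


def attempt_copy(src: str, dest: str) -> bool:
    """Stand-in for the suspicious program's file copy; True if the copy succeeded."""
    try:
        shutil.copyfile(src, dest)
        return True
    except OSError:       # destination is a directory: the copy cannot complete
        return False


def demo() -> tuple:
    """Run the copy once without and once with the antibody folder in place."""
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "Virus.exe")            # constructed stand-in
        with open(src, "wb") as f:
            f.write(b"MZ not a real executable")
        dest = os.path.join(root, "windows", "2.exe")    # the page's example target
        os.makedirs(os.path.dirname(dest))
        before = attempt_copy(src, dest)    # no antibody: copy succeeds
        os.remove(dest)
        planted = plant_antibody(dest)
        after = attempt_copy(src, dest)     # antibody present: copy fails
        return before, planted, after


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```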
A concrete implementation of the present invention is described below with an embodiment. In this embodiment the guard process of the invention is named Behold.com and is a COM program.
1. A certain Panda Burning Incense virus sample H:\Setup.exe is double-clicked by the user and opened;
2. Setup.exe is automatically run with Behold.com as its opening method;
3. Behold.com is activated by the operating system with "H:\Setup.exe" as its Command start-up parameter;
4. The SignatureCheck function in Behold.com performs a digital-signature check on "H:\Setup.exe" and finds that it has no signature;
5. Behold.com sends "H:\Setup.exe" to the guard process's PCIS|FormDDE interface;
6. The guard process obtains the path of the suspended program via DDE (the PCIS|FormDDE interface) and automatically starts the virtual-machine unpacking SDK (VMUnpackerSDK) with "H:\Setup.exe" as the start-up parameter;
7. The virtual-machine unpacking SDK (VMUnpackerSDK) returns UnpackedPath="H:\Setup~.exe~" to the guard process's DDE (PCIS|FormDDE interface);
8. The guard process calls the clsDisAssemble class module through the disassembler call clsDisAssemble.DisAssemble("H:\Setup~.exe~", 0) to perform disassembly;
9. The guard process begins searching the disassembly result Result for "CALL DWORD PTR";
9-1. The guard process finds "CALL DWORD PTR DS:[<&KERNEL32.GetStartup>]" in the disassembly result Result;
9-1-1. Starting above "CALL DWORD PTR DS:[<&KERNEL32.GetStartup>]", the guard process searches for "push" statements up to the preceding subroutine-call statement;
9-1-2. The guard process finds none;
9-1-3. It abandons this site and continues;
9-2. The guard process finds "CALL DWORD PTR SS:[EBP+14]" in the disassembly result Result;
9-2-1. Starting above "CALL DWORD PTR SS:[EBP+14]", the guard process searches for "push" statements up to the preceding subroutine-call statement;
9-2-2. The guard process finds "PUSH EBX", "PUSH ESI", "PUSH EDI";
9-2-3. It abandons this site and continues;
9-3. The guard process finds "CALL DWORD PTR DS:[<&KERNEL32.copyfile>]" in the disassembly result Result;
9-3-1. Starting above "CALL DWORD PTR DS:[<&KERNEL32.copyfile>]", the guard process searches for "push" statements up to the preceding subroutine-call statement;
9-3-2. The guard process finds "PUSH setup.0041A2D9", "PUSH setup1.0041A282";
9-3-3. The guard process converts the hex code at the pushed addresses to Unicode by GetHex2Unicode(0041A2D9) and GetHex2Unicode(0041A282): push(0)="Setup.exe", push(1)="C:\windows\winlogOn.exe".
9-3-4. The guard process makes the simple judgement that Push(0) and Push(1) are file paths.
9-n. The guard process carries out cyclic search and judgement by the above rules until it has finally processed all of Push(n).
10. According to the Count accumulation algorithm in the "diffusive copy judgement" section above, the final Count=100.
11. The guard process creates folders at the file paths held in push(n) for odd n, such as "C:\windows\winlogOn.exe", raises the folders' management privilege and sets them invisible.
12. The guard process executes Shell "H:\Setup.exe", vbNormalFocus, which unfreezes "H:\Setup.exe" and allows it to run.
13. "H:\Setup.exe" runs normally until it reaches its copy statement, encounters RuntimeError53, pops up an error box, and then exits.