CN105868625A - Method and device for intercepting restart deletion of file - Google Patents
- Publication number
- CN105868625A, CN201610457599.0A
- Authority
- CN
- China
- Prior art keywords
- file
- path
- eigenvalue
- system information
- deletion
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
Abstract
The embodiment of the invention discloses a method and a device for intercepting restart deletion of a file and electronic equipment, relates to the technical field of computer security, and can effectively prevent a malicious process from deleting the file of security software. The method comprises the following steps: monitoring an event for calling a system information function in an operating system by a process; acquiring a type index number and setting data of the setting system information transmitted by the process according to the monitored event; judging whether the type index number of the set system information is an index number representing additional character string information of a set system registry, and judging whether a registry path to be modified in the set data is a restart deletion registry path, and judging whether a file path to be written in the set data is a protected file path and the process is a malicious process, if so, preventing the process from setting the system information. The method and the device are suitable for protecting the restart deletion of the security file.
Description
Technical field
The present invention relates to the field of computer security technology, and in particular to a method and a device for intercepting restart deletion of a file.
Background
At present, security software has self-protection. While self-protection is in effect, attempts by malware to delete the files of the security software are rejected. Malicious processes therefore use a mechanism provided by the Windows system for deleting files on restart, writing the path information of the security software's files to the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
The next time the system restarts, before the self-protection of the security software has taken effect, the system deletes the files of the security software, so the security software can no longer protect the user's system normally.
The mainstream way of writing to the registry is to call the kernel function NtSetValueKey provided by the system, which can modify registry data. In the course of implementing the present invention, the inventor found that the Windows kernel layer also provides the kernel function NtSetSystemInformation, which is used to set certain system information, such as time, processor, process and memory information. NtSetSystemInformation has three parameters. The first parameter is the type index number of the system information to be set; for example, the index number for setting time information is 28 and the index number for setting process information is 5. The second parameter is the specific data to be set; if the index number is 28, this parameter is the specific time data to set. Research showed that the index number with value 110 represents setting system registry additional character string information. Calling NtSetSystemInformation with its first parameter set to 110 can modify registry data; the second parameter then contains the registry path to be modified, the specific key value name, the specific data to be written, and similar information. A malicious process can therefore use NtSetSystemInformation to delete the files of security software by covertly modifying the registry, which reduces the security defense capability of the system.
Summary of the invention
In view of this, embodiments of the present invention provide a method, a device and an electronic equipment for intercepting restart deletion of a file, which can effectively prevent a malicious process from deleting the files of security software and thereby protect the user's system.
In a first aspect, an embodiment of the present invention provides a method for intercepting restart deletion of a file, comprising:
monitoring an event in which a process calls the set system information function in the operating system;
according to the monitored event, obtaining the type index number of the set system information and the setting data passed by the process;
judging whether the type index number of the set system information is the index number representing setting system registry additional character string information, and the registry path to be modified in the setting data is the restart deletion registry path, and the file path to be written in the setting data is a protected file path, and the process is a malicious process;
if so, preventing the process from setting the system information.
With reference to the first aspect, in a first embodiment of the first aspect, the system is the Windows operating system, and the set system information function is the NtSetSystemInformation function of the operating system kernel layer;
before monitoring the event in which a process calls the set system information function in the operating system, the method further comprises: setting in advance a hook function that hooks the set system information function;
monitoring the event in which a process calls the set system information function in the operating system comprises: monitoring that event through the hook function.
With reference to the first embodiment of the first aspect, in a second embodiment of the first aspect, preventing the process from setting the system information comprises:
returning rejection information to the process through the hook function; or
the hook function refusing to call the set system information function, so as to prevent the process from setting the system information.
With reference to the first embodiment of the first aspect, in a third embodiment of the first aspect, the index number representing setting system registry additional character string information is 110.
With reference to the first embodiment of the first aspect, in a fourth embodiment of the first aspect, the restart deletion registry path is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations.
With reference to the first aspect, in a fifth possible implementation of the first aspect, judging whether the file path to be written in the setting data is a protected file path comprises:
according to a preset feature value algorithm, computing the feature value of the file corresponding to the file path to be written in the setting data;
judging whether the feature value of the file corresponding to the file path to be written is recorded in a preset feature value library of protected files;
if the feature value of the file corresponding to the file path to be written is recorded in the feature value library of protected files, determining that the file path to be written is a protected file path;
wherein the feature value library of protected files records the feature values of the files corresponding to known protected file paths.
With reference to the sixth embodiment of the first aspect, in a seventh possible implementation of the first aspect, before computing, according to the preset feature value algorithm, the feature value of the file corresponding to the file path to be written in the setting data, the method further comprises:
collecting known protected file paths;
according to the preset feature value algorithm, obtaining the feature values of the files corresponding to the known protected file paths;
writing the feature values of the files corresponding to the known protected file paths into the feature value library of protected files.
With reference to the first aspect, in a seventh embodiment of the first aspect, judging whether the process is a malicious process comprises:
obtaining the process path;
according to the preset feature value algorithm, computing the feature value of the file corresponding to the process path;
judging whether the feature value of the file corresponding to the process path is recorded in a preset malicious process feature value library;
if the feature value of the file corresponding to the process path is recorded in the malicious process feature value library, determining that the process is a malicious process;
wherein the malicious process feature value library records the feature values of the files corresponding to known malicious process paths.
With reference to the seventh embodiment of the first aspect, in an eighth embodiment of the first aspect, before computing, according to the preset feature value algorithm, the feature value of the file corresponding to the process path, the method further comprises:
collecting known malicious process paths;
according to the preset feature value algorithm, obtaining the feature values of the files corresponding to the known malicious process paths;
writing the feature values of the files corresponding to the known malicious process paths into the malicious process feature value library.
With reference to any one of the fifth to eighth embodiments of the first aspect, in a ninth embodiment of the first aspect, the preset feature value algorithm is:
computing the message digest algorithm value or hash value of the path as the feature value of the file corresponding to the path, or
obtaining the file version number from the path as the feature value of the file corresponding to the path.
In a second aspect, an embodiment of the present invention provides a device for intercepting restart deletion of a file, comprising:
a monitoring module, configured to monitor an event in which a process calls the set system information function in the operating system;
an acquisition module, configured to obtain, according to the event monitored by the monitoring module, the type index number of the set system information and the setting data passed by the process;
a judgment module, configured to judge whether the type index number of the set system information obtained by the acquisition module is the index number representing setting system registry additional character string information, and the registry path to be modified in the setting data is the restart deletion registry path, and the file path to be written in the setting data is a protected file path, and the process is a malicious process;
an interception module, configured to prevent the process from setting the system information when the judgment result of the judgment module is yes.
With reference to the second aspect, in a first embodiment of the second aspect, when the operating system is the Windows operating system, a hook function that hooks the NtSetSystemInformation function of the operating system kernel layer is set in advance in the monitoring module, and the monitoring module monitors, through the hook function, the event in which a process calls the set system information function in the operating system.
With reference to the first embodiment of the second aspect, in a second embodiment of the second aspect, the interception module, through the hook function, returns rejection information to the process or refuses to call the set system information function, so as to prevent the process from setting the system information.
With reference to the first embodiment of the second aspect, in a third embodiment of the second aspect, the judgment module judges whether the type index number of the set system information obtained by the acquisition module is 110; if so, it determines that the type index number of the set system information is the index number representing setting system registry additional character string information.
With reference to the first embodiment of the second aspect, in a fourth embodiment of the second aspect, the judgment module judges whether the registry path to be modified in the setting data is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
and, if so, determines that the registry path to be modified in the setting data is the restart deletion registry path.
With reference to the second aspect, in a fifth embodiment of the second aspect, the judgment module comprises:
a first judgment submodule, configured to judge whether the type index number of the set system information obtained by the acquisition module is the index number representing setting system registry additional character string information;
a second judgment submodule, configured to judge, when the judgment result of the first judgment submodule is yes, whether the registry path to be modified in the setting data obtained by the acquisition module is the restart deletion registry path;
a first feature value calculation submodule, configured to compute, when the judgment result of the second judgment submodule is yes and according to the preset feature value algorithm, the feature value of the file corresponding to the file path to be written in the setting data obtained by the acquisition module;
a first path judgment submodule, configured to judge whether the feature value of the file corresponding to the file path to be written, as computed by the first feature value calculation submodule, is recorded in the preset feature value library of protected files, and if so, to determine that the file path to be written is a protected file path; wherein the feature value library of protected files records the feature values of the files corresponding to known protected file paths;
a third judgment submodule, configured to judge whether the process is a malicious process when the first path judgment submodule determines that the file path to be written is a protected file path.
With reference to the fifth embodiment of the second aspect, in a sixth embodiment of the second aspect, the judgment module further comprises:
a protected file feature value library generation submodule, configured to collect known protected file paths in advance and, according to the preset feature value algorithm, obtain the feature values of the files corresponding to the known protected file paths and store them in the feature value library of protected files.
With reference to the second aspect, in a seventh embodiment of the second aspect, the judgment module comprises:
a first judgment submodule, configured to judge whether the type index number of the set system information obtained by the acquisition module is the index number representing setting system registry additional character string information;
a second judgment submodule, configured to judge, when the judgment result of the first judgment submodule is yes, whether the registry path to be modified in the setting data obtained by the acquisition module is the restart deletion registry path;
a fourth judgment submodule, configured to judge, when the judgment result of the second judgment submodule is yes, whether the file path to be written in the setting data obtained by the acquisition module is a protected file path;
a process path acquisition submodule, configured to obtain the process path when the judgment result of the fourth judgment submodule is yes;
a second feature value calculation submodule, configured to compute, according to the preset feature value algorithm, the feature value of the file corresponding to the process path obtained by the process path acquisition submodule;
a second path judgment submodule, configured to judge whether the feature value of the file corresponding to the process path, as computed by the second feature value calculation submodule, is recorded in the preset malicious process feature value library, and if so, to determine that the process is a malicious process; wherein the malicious process feature value library records the feature values of the files corresponding to known malicious process paths.
With reference to the seventh embodiment of the second aspect, in an eighth embodiment of the second aspect, the judgment module further comprises:
a malicious process feature value library generation submodule, configured to collect known malicious process paths in advance and, according to the preset feature value algorithm, obtain the feature values of the known malicious process paths and store them in the malicious process feature value library.
In a third aspect, an embodiment of the present invention provides an electronic equipment, comprising: a housing, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power circuit supplies power to each circuit or component of the electronic equipment; the memory stores executable program code; the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the method for intercepting restart deletion of a file according to any one of the foregoing embodiments.
The method, device and electronic equipment for intercepting restart deletion of a file provided by the embodiments of the present invention monitor events in which a process calls the set system information function in the operating system. If a call to the set system information function by a process is detected, the type index number of the set system information and the setting data passed by the process are obtained, and it is judged whether the type index number is the index number representing setting system registry additional character string information, and the registry path to be modified in the setting data is the restart deletion registry path, and the file path to be written in the setting data is a protected file path, and the process is a malicious process. If these conditions are met, the process is prevented from setting the system information. Restart deletion of files carried out by malware through covert registry modification can thus be intercepted, improving the security of the system.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of embodiment one of the method for intercepting restart deletion of a file according to the present invention;
Fig. 2 is a flow chart of one implementation of step 103;
Fig. 3 is a flow chart of embodiment two of the method for intercepting restart deletion of a file according to the present invention;
Fig. 4 is a schematic structural diagram of a device for intercepting restart deletion of a file provided by the present invention;
Fig. 5 is a schematic structural diagram of another device for intercepting restart deletion of a file provided by the present invention;
Fig. 6 is a schematic structural diagram of another device for intercepting restart deletion of a file provided by the present invention;
Fig. 7 is a schematic structural diagram of one embodiment of the electronic equipment of the present invention.
Detailed description
The method, device and electronic equipment for intercepting restart deletion of a file provided by the embodiments of the present invention are described in detail below with reference to the drawings.
It should be understood that the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flow chart of embodiment one of the method for intercepting restart deletion of a file according to the present invention. As shown in Fig. 1, the method of this embodiment may include:
Step 101: monitor an event in which a process calls the set system information function in the operating system.
The operating system provides a set system information function. By calling it, the process of a malicious application can write the path information of the security software's files to the restart deletion registry location, so that the next time the system restarts, before the self-protection of the security software has taken effect, the system deletes the files of the security software. By monitoring events in which the set system information function is called, this embodiment can promptly intercept the message with which a malicious application intends to set system information.
Step 102: according to the monitored event, obtain the type index number of the set system information and the setting data passed by the process.
When the process of a malicious application calls the set system information function, it passes the type index number of the set system information and the setting data to that function. In this embodiment, the type index number and the setting data can be intercepted and obtained before they reach the set system information function.
Step 103: judge whether the type index number of the set system information is the index number representing setting system registry additional character string information, and the registry path to be modified in the setting data is the restart deletion registry path, and the file path to be written in the setting data is a protected file path, and the process is a malicious process; if so, perform step 104.
In this step, only when the type index number of the set system information is the index number representing setting system registry additional character string information, and the registry path to be modified is the restart deletion registry path, and the file path to be written is a protected file path, and the process is a malicious process, is the monitored event shown to be one in which a malicious process calls the set system information function in order to write a protected file path into the restart deletion registry path; such an event needs to be blocked.
Step 104: prevent the process from setting the system information.
Fig. 2 is a flow chart of one implementation of step 103. As shown in Fig. 2, step 103 may include the following steps 1031-1036:
Step 1031: judge whether the type index number of the set system information is the index number representing setting system registry additional character string information; if so, perform step 1032.
Step 1032: obtain the registry path to be modified from the setting data.
Step 1033: judge whether the registry path to be modified is the restart deletion registry path; if so, perform step 1034.
In this embodiment, if the type index number of the set system information is the index number representing setting system registry additional character string information, then, to prevent a malicious process from setting system information so that a protected file is deleted on restart, the registry path to be modified is obtained from the setting data passed to the set system information function, and it is judged whether that path is the restart deletion registry path. If it is not, the system information being set by the process is not setting information about deleting files on restart.
Step 1034: obtain the file path to be written from the setting data.
Step 1035: judge whether the file path to be written is a protected file path; if so, perform step 1036.
In this embodiment, if the registry path to be modified is the restart deletion registry path, the file path to be written is then obtained and it is judged whether it is a protected file path, that is, whether the file being written into the restart deletion registry path this time is a protected file. If it is, this setting of system information is likely to be malicious behavior.
In this embodiment, as an optional approach, step 1035 may compute the feature value of the file corresponding to the file path to be written according to the preset feature value algorithm, and then judge whether that feature value is recorded in the preset feature value library of protected files. If the feature value of the file corresponding to the file path to be written is recorded in the feature value library of protected files, the file path to be written is determined to be a protected file path. The feature value library of protected files records the feature values of the files corresponding to known protected file paths. The library is generated as follows: before the present invention is executed, known protected file paths are collected in advance; according to the preset feature value algorithm, the feature values of the files corresponding to the known protected file paths are obtained and written into the feature value library of protected files.
Step 1036: judge whether the process is a malicious process.
In this step, if the process is a malicious process, the judgment result of step 103 is yes and step 104 can be performed.
Because a malicious program can hardly vary its process path at random, in this embodiment, as an optional approach, step 1036 judges whether the process is a malicious process as follows: first obtain the path of the process that is currently calling the set system information function in order to write a protected file path into the restart deletion registry path; then obtain the feature value of the file corresponding to the process path according to the preset feature value algorithm; then judge whether the feature value of the file corresponding to the process path is recorded in the preset feature library. If it is recorded in the preset feature library, the process is determined to be a malicious process; if it is not recorded, the process is determined not to be a malicious process. The feature library is set in advance and is generated as follows: known malicious process paths are collected; according to the preset feature value algorithm, the feature values of the files corresponding to the known malicious process paths are obtained and stored in the feature library.
Through the above steps, an attempt by malware to perform a restart deletion operation on a protected file will fail.
Preferably, when computing the feature value of the file corresponding to the file path to be written or to the process path, the feature value algorithm used is: computing the message digest algorithm (MD5) value or hash (HASH) value of the file path to be written or the process path as the feature value of the corresponding file, or obtaining the file version number from the file path to be written or the process path as the feature value of the corresponding file.
The method for intercepting restart deletion of a file provided by this embodiment monitors events in which a process calls the set system information function in the operating system. If a call to the set system information function by a process is detected, the type index number of the set system information and the setting data passed by the process are obtained, and it is judged whether the type index number is the index number representing setting system registry additional character string information. If it is, the registry path to be modified is obtained from the setting data and it is judged whether that path is the restart deletion registry path. If it is, the file path to be written is obtained from the setting data and it is judged whether that path is a protected file path. If it is, the process path is obtained and used to judge whether the process is a malicious process. If the process is a malicious process, it is prevented from setting the system information. Restart deletion of files carried out by malware through covert registry modification can thus be intercepted, improving the security of the system.
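The judgment chain of steps 1031 to 1036 and the block of step 104, written out as an added C example that is not code from the patent. The struct of already-decoded call fields, the FNV-1a hash standing in for MD5, and the sample paths are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>

/* Type index the page gives for setting system registry additional string info. */
#define REG_APPEND_STRING_CLASS 110u

/* Restart deletion registry path as written on the page. */
static const char RESTART_DELETE_KEY[] =
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\"
    "Session Manager\\PendingFileRenameOperations";

/* Hypothetical, already-decoded view of one intercepted call. The page does not
 * give the binary layout of the second parameter, so none is assumed here. */
struct set_info_call {
    unsigned    info_class;    /* first parameter: type index number */
    const char *registry_path; /* registry path to be modified */
    const char *file_path;     /* file path to be written */
    const char *process_path;  /* path of the calling process */
};

/* Feature value library: a small fixed-capacity set of path feature values. */
struct feature_lib { uint64_t values[16]; size_t count; };

enum verdict { ALLOW = 0, BLOCK = 1 };

/* Feature value of a path: 64-bit FNV-1a over the lower-cased path string.
 * The page names MD5 or a hash value; FNV-1a is a stand-in to stay short. */
uint64_t feature_value(const char *path)
{
    uint64_t h = 14695981039346656037ULL;
    for (; *path; ++path) {
        h ^= (uint64_t)tolower((unsigned char)*path);
        h *= 1099511628211ULL;
    }
    return h;
}

/* Library generation step: record the feature value of a known path. */
int lib_add(struct feature_lib *lib, const char *known_path)
{
    if (lib->count >= sizeof lib->values / sizeof lib->values[0])
        return -1; /* library full */
    lib->values[lib->count++] = feature_value(known_path);
    return 0;
}

int lib_contains(const struct feature_lib *lib, const char *path)
{
    uint64_t v = feature_value(path);
    for (size_t i = 0; i < lib->count; ++i)
        if (lib->values[i] == v) return 1;
    return 0;
}

/* Registry paths are case-insensitive, so compare without regard to case. */
static int path_equal_nocase(const char *a, const char *b)
{
    for (; *a && *b; ++a, ++b)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Steps 1031-1036 in order; any failed check lets the call through. */
enum verdict judge_call(const struct set_info_call *c,
                        const struct feature_lib *protected_files,
                        const struct feature_lib *malicious_procs)
{
    if (c->info_class != REG_APPEND_STRING_CLASS) return ALLOW;                 /* 1031 */
    if (!c->registry_path || !c->file_path || !c->process_path) return ALLOW;
    if (!path_equal_nocase(c->registry_path, RESTART_DELETE_KEY)) return ALLOW; /* 1033 */
    if (!lib_contains(protected_files, c->file_path)) return ALLOW;             /* 1035 */
    if (!lib_contains(malicious_procs, c->process_path)) return ALLOW;          /* 1036 */
    return BLOCK;                                                               /* 104 */
}

/* Runs one call against libraries built from constructed sample paths. */
enum verdict demo_verdict(unsigned info_class, const char *reg,
                          const char *file, const char *proc)
{
    struct feature_lib prot = {0}, mal = {0};
    struct set_info_call c = { info_class, reg, file, proc };
    lib_add(&prot, "C:\\Program Files\\ExampleAV\\avcore.sys"); /* constructed */
    lib_add(&mal, "C:\\Users\\Public\\dropper.exe");            /* constructed */
    return judge_call(&c, &prot, &mal);
}

int main(void)
{
    /* Exit status 0 when the constructed malicious call is blocked. */
    return demo_verdict(110, RESTART_DELETE_KEY,
                        "C:\\Program Files\\ExampleAV\\avcore.sys",
                        "C:\\Users\\Public\\dropper.exe") == BLOCK ? 0 : 1;
}
```

Because the feature value is computed over the path string, equivalent spellings of the same file (for example an 8.3 short name) produce different values unless paths are canonicalized before hashing.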
Fig. 3 is a flow chart of embodiment two of the method of the present invention for intercepting the restart deletion of a file. This embodiment is used in the Windows operating system; the set system information function is the NtSetSystemInformation function of the operating system kernel layer. The embodiment of the present invention is applicable to security protection applications, such as Jinshan anti-virus software or Kingsoft bodyguard, protecting the shutdown of the operating system. As shown in Fig. 3, the method of this embodiment includes the following steps:
Step 201: monitor events in which a process calls the NtSetSystemInformation function in the operating system.
A hook function is in effect a program segment that processes messages; it is attached to the system through a system call. Whenever a specific message is sent, the hook function captures it before it reaches the destination window, that is, the hook function gains control first. The hook function can then process the message, pass it on without processing it, or forcibly end its delivery.
In this embodiment, the hook function is established in advance, before this step is performed, in the defense driver of a security protection application such as Jinshan anti-virus software; this hook function hooks the NtSetSystemInformation function in the operating system. The defense driver of the security protection application starts running as soon as the Windows operating system boots.
In this embodiment, the original entry address of the NtSetSystemInformation function is changed to the entry address of the hook function of this embodiment. When a malicious process calls the NtSetSystemInformation function, execution therefore jumps to the hook function of this embodiment, and this is how the NtSetSystemInformation function is monitored. So that the NtSetSystemInformation function can still be called back, its original entry address needs to be saved before it is changed to the entry address of the hook function of this embodiment.
Step 202: according to the detected event, the hook function obtains the type index number of the set system information and the setting data passed by the process.
In this embodiment, a malicious process calls the NtSetSystemInformation function by sending the Windows operating system a message that calls the NtSetSystemInformation function, and this message is intercepted directly by the hook function. When the hook function intercepts this message, it is considered to have detected an event in which a process calls the NtSetSystemInformation function. The message includes the parameters that the process passes to the NtSetSystemInformation function, including the type index number of the set system information and the setting data; the setting data includes information such as the registry path to be modified, the specific key value name, the file path to be written and the specific data of the modification.
Step 203: judge whether the type index number of the set system information is the index number representing the setting of system registry additional character string information; if so, perform step 204; otherwise, perform step 210.
In this embodiment, if the type index number of the set system information is 110, this index number is the index number representing the setting of system registry additional character string information, and step 204 is performed; if the type index number of the set system information is not 110, the call is not a write to the registry, and step 210 is performed.
Step 204: obtain the registry path to be modified from the setting data.
Step 205: judge whether the registry path to be modified is the restart deletion registry path; if so, perform step 206; otherwise, perform step 210.
In this embodiment, it is judged whether the registry path to be modified is the restart deletion registry path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
If the registry path to be modified is not the restart deletion registry path, the call does not operate on the restart deletion registry path, and step 210 is performed.
Step 206: obtain the file path to be written from the setting data.
Step 207: judge whether the file path to be written is a protected file path; if so, perform step 208; otherwise, perform step 210.
In this embodiment, step 207 is implemented in a similar way to step 1035 of the above method embodiment, and is not described again here.
Step 208: judge whether the process is a malicious process; if the process is a malicious process, perform step 209; if the process is not a malicious process, perform step 210.
In this embodiment, the method of judging whether the process is a malicious process is similar to step 1036 of the above method embodiment, and is not described again here.
Step 209: the hook function returns a refusal message to the process or refuses the call to the NtSetSystemInformation function, so as to prevent the process from setting the system information.
Step 210: allow the process to call the NtSetSystemInformation function.
In this embodiment, the hook function monitors events that call the NtSetSystemInformation function, and when it is judged that the process calling the set system information function to write a protected file path to the restart deletion registry path is a malicious process, the call is stopped in time. This prevents the security files of the system from being deleted on restart and improves the security of the system.
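The decision chain of steps 203 to 210, as an added example (not code from the patent or from any product it names): a user-mode C model that returns 209 when the call is refused, or the number of the check that sent the call to step 210. The parameter list, the in-memory file table and the use of FNV-1a as the eigenvalue algorithm are assumptions made for illustration; the page itself names an MD5 value, a hash value or a file version number.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REGISTRY_APPEND_STRING_INDEX 110  /* index number given in step 203 */
#define STEP_BLOCK 209                    /* the step that refuses the call */

/* Restart deletion registry path named in step 205. */
static const char RESTART_DELETE_PATH[] =
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\"
    "Session Manager\\PendingFileRenameOperations";

/* Constructed in-memory "disk" (path -> file body) so the example runs offline. */
typedef struct { const char *path; const char *body; } sample_file;
static const sample_file DISK[] = {
    { "C:\\Program Files\\AV\\avcore.dll", "constructed protected file body" },
    { "C:\\Users\\u\\AppData\\a.exe",      "constructed malicious image body" },
    { "C:\\Temp\\renamed.exe",             "constructed malicious image body" },
    { "C:\\Windows\\Temp\\setup.exe",      "constructed benign installer body" },
    { "C:\\Temp\\old.tmp",                 "constructed temp file body" },
};

/* Eigenvalue libraries (constructed). Entries are hashed when consulted,
 * standing in for a table of precomputed eigenvalues. */
static const char *const PROTECTED_FILES[] = { "constructed protected file body" };
static const char *const MALICIOUS_FILES[] = { "constructed malicious image body" };

/* Windows registry and file paths compare case-insensitively. */
static int path_equal(const char *a, const char *b)
{
    if (!a || !b) return 0;
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* FNV-1a, 64-bit: a non-cryptographic stand-in for the eigenvalue algorithm. */
static uint64_t fnv1a(const char *s)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 0x100000001b3ULL; }
    return h;
}

/* Eigenvalue of the file behind a path; returns 0 if the file cannot be read. */
static int eigenvalue_of(const char *path, uint64_t *out)
{
    for (size_t i = 0; i < sizeof DISK / sizeof DISK[0]; i++)
        if (path_equal(path, DISK[i].path)) { *out = fnv1a(DISK[i].body); return 1; }
    return 0;
}

static int in_library(const char *const *lib, size_t n, uint64_t value)
{
    for (size_t i = 0; i < n; i++)
        if (fnv1a(lib[i]) == value) return 1;
    return 0;
}

/* Hypothetical parameter list: the values the hook captures in step 202.
 * Returns 209 when the call is refused, otherwise the number of the check
 * (203, 205, 207 or 208) that sent the call to step 210 (allow). */
int deciding_step(int type_index, const char *registry_path,
                  const char *file_path, const char *process_path)
{
    uint64_t v;
    if (type_index != REGISTRY_APPEND_STRING_INDEX) return 203;
    if (!path_equal(registry_path, RESTART_DELETE_PATH)) return 205;
    /* An unreadable file has no eigenvalue, so it cannot match the library
     * and the call is allowed (assumption; the page does not cover this). */
    if (!eigenvalue_of(file_path, &v) || !in_library(PROTECTED_FILES, 1, v)) return 207;
    if (!eigenvalue_of(process_path, &v) || !in_library(MALICIOUS_FILES, 1, v)) return 208;
    return STEP_BLOCK;
}

int main(void)
{
    /* A renamed copy of the known malicious image is still matched by content. */
    printf("%d\n", deciding_step(110, RESTART_DELETE_PATH,
                                 "C:\\Program Files\\AV\\avcore.dll",
                                 "C:\\Temp\\renamed.exe"));
    return 0;
}
```

Because the libraries are keyed on file content rather than on the path string, a renamed copy of a known image matches, while any process whose image is not in the malicious library passes the check at step 208 even when it targets a protected file.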
A specific embodiment is used below to describe in detail the technical solution of the method embodiments shown in any of Fig. 1 to Fig. 3.
In a user's computer environment, a piece of malware A wants to delete the files of Jinshan anti-virus software. A conventional file deletion fails, because Jinshan anti-virus software has self-protection that keeps its files from being maliciously deleted, so the malware turns to restart deletion to delete the files of Jinshan anti-virus software. The present invention hooks, in the defense driver of Jinshan anti-virus software, the NtSetSystemInformation function that covertly modifies the registry. When the process of malware A calls the NtSetSystemInformation function to write the file path information of Jinshan anti-virus software to the restart deletion registry location, intending the files of Jinshan anti-virus software to be deleted on restart, the defense driver intercepts this behaviour and returns a call-refused message, so that the malware cannot delete the files of Jinshan anti-virus software through a restart, and the user's system environment is better protected from damage.
Fig. 4 is a structural diagram of a device provided by the present invention for intercepting the restart deletion of a file. As shown in Fig. 4, the device of this embodiment may include a monitoring module 11, an acquisition module 12, a judging module 13 and a blocking module 14. The monitoring module 11 is used to monitor events in which a process calls the set system information function in the operating system. The acquisition module 12 is used to obtain, according to the event detected by the monitoring module 11, the type index number of the set system information and the setting data passed by the process. The judging module 13 is used to judge whether the type index number of the set system information obtained by the acquisition module 12 is the index number representing the setting of system registry additional character string information, the registry path to be modified in the setting data is the restart deletion registry path, the file path to be written in the setting data is a protected file path, and the process is a malicious process. The blocking module 14 is used to prevent the process from setting the system information when the judgment result of the judging module 13 is yes.
The device of this embodiment may be used to carry out the technical solution of the method embodiment shown in Fig. 1; its implementation principle and technical effect are similar and are not described again here.
In another embodiment, when the device for intercepting the restart deletion of a file is used in the Windows operating system, a hook function that hooks the NtSetSystemInformation function of the operating system kernel layer is set in advance in the monitoring module 11, and the monitoring module 11 uses this hook function to monitor events in which a process calls the set system information function in the operating system. The device of this embodiment may be used to carry out the technical solution of the method embodiment shown in Fig. 3; its implementation principle and technical effect are similar and are not described again here.
In another alternative embodiment, the blocking module 14, through the hook function, returns a refusal message to the process or refuses the call to the set system information function, so as to prevent the process from setting the system information. The device of this embodiment may be used to carry out the technical solution of the method embodiment shown in Fig. 3; its implementation principle and technical effect are similar and are not described again here.
In another alternative embodiment, the judging module 13 judges whether the type index number of the set system information obtained by the acquisition module 12 is 110; if so, it determines that the type index number of the set system information is the index number representing the setting of system registry additional character string information. The device of this embodiment may be used to carry out the technical solution of the method embodiment shown in Fig. 3; its implementation principle and technical effect are similar and are not described again here.
In another alternative embodiment, the judging module 14 judges whether the registry path to be modified is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
If so, it determines that the registry path to be modified in the setting data is the restart deletion registry path. The device of this embodiment may be used to carry out the technical solution of the method embodiment shown in Fig. 3; its implementation principle and technical effect are similar and are not described again here.
Fig. 5 is a structural diagram of another device provided by the present invention for intercepting the restart deletion of a file. As shown in Fig. 5, the device of this embodiment builds on the device structure shown in Fig. 4; further, the judging module 13 includes a first judging submodule 131, a second judging submodule 132, a first eigenvalue calculation submodule 133, a first path judging submodule 134 and a third judging submodule 135. The first judging submodule 131 is used to judge whether the type index number of the set system information obtained by the acquisition module 12 is the index number representing the setting of system registry additional character string information. The second judging submodule 132 is used to judge, when the judgment result of the first judging submodule 131 is yes, whether the registry path to be modified in the setting data obtained by the acquisition module 12 is the restart deletion registry path. The first eigenvalue calculation submodule 133 is used to calculate, when the judgment result of the second judging submodule 132 is yes and according to a preset eigenvalue algorithm, the eigenvalue of the file corresponding to the file path to be written in the setting data obtained by the acquisition module 12. The first path judging submodule 134 is used to judge whether the eigenvalue calculated by the first eigenvalue calculation submodule 133 for the file corresponding to the file path to be written is recorded in the preset eigenvalue library of protected files; if so, it determines that the file path to be written is a protected file path. The eigenvalue library of protected files records the eigenvalues of the files corresponding to known protected file paths. The third judging submodule 135 is used to judge whether the process is a malicious process when the first path judging submodule 134 has judged that the file path to be written is a protected file path. In this embodiment, the blocking module 14 is specifically used to prevent the process from setting the system information when the judgment result of the third judging submodule 135 is yes. The device of this embodiment may be used to carry out the technical solution of the method embodiment shown in Fig. 1 or Fig. 3; its implementation principle and technical effect are similar and are not described again here.
Preferably, in another embodiment, the judging module 13 shown in Fig. 5 may also include a submodule for generating the eigenvalue library of protected files, which is used to collect known protected file paths in advance and, according to the preset eigenvalue algorithm, obtain the eigenvalues of the files corresponding to the known protected file paths and store them in the eigenvalue library of protected files. When judging, the first path judging submodule 134 then checks whether the eigenvalue library of protected files produced by that generating submodule contains a match for the eigenvalue of the file corresponding to the file path to be written. The device of this embodiment may be used to carry out the technical solution of the method embodiment shown in Fig. 1 or Fig. 3; its implementation principle and technical effect are similar and are not described again here.
Fig. 6 is a structural diagram of another device provided by the present invention for intercepting the restart deletion of a file. As shown in Fig. 6, the device of this embodiment builds on the device structure shown in Fig. 4; further, the judging module 13 includes a first judging submodule 131, a second judging submodule 132, a fourth judging submodule 136, a process path obtaining submodule 137, a second eigenvalue calculation submodule 138 and a second path judging submodule 139. The first judging submodule 131 is used to judge whether the type index number of the set system information obtained by the acquisition module 12 is the index number representing the setting of system registry additional character string information. The second judging submodule 132 is used to judge, when the judgment result of the first judging submodule 131 is yes, whether the registry path to be modified in the setting data obtained by the acquisition module 12 is the restart deletion registry path. The fourth judging submodule 136 is used to judge, when the judgment result of the second judging submodule 132 is yes, whether the file path to be written in the setting data obtained by the acquisition module 12 is a protected file path. The process path obtaining submodule 137 is used to obtain the path of the process when the judgment result of the fourth judging submodule 136 is yes. The second eigenvalue calculation submodule 138 is used to calculate, according to a preset eigenvalue algorithm, the eigenvalue of the file corresponding to the process path obtained by the process path obtaining submodule 136. The second path judging submodule 139 is used to judge whether the eigenvalue calculated by the second eigenvalue calculation submodule 138 for the file corresponding to the process path is recorded in the preset malicious process eigenvalue library; if so, it determines that the process is a malicious process. The malicious process eigenvalue library records the eigenvalues of the files corresponding to known malicious process paths. In this embodiment, the blocking module 14 is specifically used to prevent the process from setting the system information when the second path judging submodule 139 determines that the process is a malicious process. The device of this embodiment may be used to carry out the technical solution of the method embodiment shown in Fig. 1 or Fig. 3; its implementation principle and technical effect are similar and are not described again here.
Preferably, in another embodiment, the judging module shown in Fig. 6 may also include a submodule for generating the malicious process eigenvalue library, which is used to collect known malicious process paths in advance and, according to the preset eigenvalue algorithm, obtain the eigenvalues of the known malicious process paths and store them in the malicious process eigenvalue library. When judging, the second path judging submodule 139 then checks whether the malicious process eigenvalue library produced by that generating submodule contains a match for the eigenvalue, calculated by the second eigenvalue calculation submodule 138, of the file corresponding to the process path. The device of this embodiment may be used to carry out the technical solution of the method embodiment shown in Fig. 1 or Fig. 3; its implementation principle and technical effect are similar and are not described again here.
The embodiment of the present invention also provides an electronic device. Fig. 7 is a structural diagram of one embodiment of the electronic device of the present invention, which can implement the flow of the embodiments shown in Fig. 1, Fig. 2 or Fig. 3 of the present invention. As shown in Fig. 7, the electronic device may include a housing 21, a processor 22, a memory 23, a circuit board 24 and a power circuit 25. The circuit board 24 is placed inside the space enclosed by the housing 21, and the processor 22 and the memory 23 are arranged on the circuit board 24. The power circuit 25 is used to supply power to each circuit or component of the electronic device. The memory 23 is used to store executable program code. The processor 22 runs a program corresponding to the executable program code by reading the executable program code stored in the memory 23, in order to carry out the method for intercepting the restart deletion of a file described in any of the foregoing embodiments.
The electronic device exists in a variety of forms, including but not limited to:
(1) Mobile communication devices: devices of this kind have mobile communication functions and have the provision of voice and data communication as their main purpose. Such terminals include smart phones (such as the iPhone), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: devices of this kind belong to the category of personal computers, have computing and processing functions, and generally also have mobile Internet access. Such terminals include PDA, MID and UMPC devices, such as the iPad.
(3) Portable entertainment devices: devices of this kind can display and play multimedia content. They include audio and video players (such as the iPod), handheld devices, e-book readers, smart toys and portable in-vehicle navigation devices.
(4) Servers: devices that provide computing services. A server consists of a processor, hard disk, memory, system bus and so on. Its architecture is similar to that of a general-purpose computer, but because it has to provide highly reliable services, the requirements on processing capability, stability, reliability, security, scalability and manageability are higher.
(5) Other electronic devices with data interaction functions.
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" and any other variant of them are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements that are not expressly listed, or elements inherent to that process, method, article or device. In the absence of further restrictions, an element limited by the statement "including ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
A person of ordinary skill in the art will understand that all or part of the flow of the methods in the above embodiments can be implemented by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the flow of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), or the like.
The above is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited to it. Any change or replacement that a person skilled in the art can readily think of within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. The protection scope of the present invention shall therefore be subject to the protection scope of the claims.
Claims (10)
1. A method for intercepting the restart deletion of a file, characterized by comprising:
monitoring events in which a process calls the set system information function in the operating system;
obtaining, according to the detected event, the type index number of the set system information and the setting data passed by the process;
judging whether the type index number of the set system information is the index number representing the setting of system registry additional character string information, the registry path to be modified in the setting data is the restart deletion registry path, the file path to be written in the setting data is a protected file path, and the process is a malicious process;
if so, preventing the process from setting the system information.
2. The method for intercepting the restart deletion of a file according to claim 1, characterized in that the operating system is a Windows operating system, and the set system information function is the NtSetSystemInformation function of the operating system kernel layer;
before monitoring events in which a process calls the set system information function in the operating system, the method further comprises: setting in advance a hook function that hooks the set system information function;
monitoring events in which a process calls the set system information function in the operating system comprises: monitoring, through the hook function, events in which a process calls the set system information function in the operating system.
3. The method for intercepting the restart deletion of a file according to claim 2, characterized in that preventing the process from setting the system information comprises:
returning a refusal message to the process through the hook function; or
the hook function refusing the call to the set system information function, so as to prevent the process from setting the system information.
4. The method for intercepting the restart deletion of a file according to claim 1, characterized in that judging whether the file path to be written in the setting data is a protected file path comprises:
calculating, according to a preset eigenvalue algorithm, the eigenvalue of the file corresponding to the file path to be written in the setting data;
judging whether the eigenvalue of the file corresponding to the file path to be written is recorded in a preset eigenvalue library of protected files;
if the eigenvalue of the file corresponding to the file path to be written is recorded in the eigenvalue library of protected files, determining that the file path to be written is a protected file path;
wherein the eigenvalue library of protected files records the eigenvalues of the files corresponding to known protected file paths.
5. The method for intercepting the restart deletion of a file according to claim 1, characterized in that judging whether the process is a malicious process comprises:
obtaining the path of the process;
calculating, according to a preset eigenvalue algorithm, the eigenvalue of the file corresponding to the process path;
judging whether the eigenvalue of the file corresponding to the process path is recorded in a preset malicious process eigenvalue library;
if the eigenvalue of the file corresponding to the process path is recorded in the malicious process eigenvalue library, determining that the process is a malicious process;
wherein the malicious process eigenvalue library records the eigenvalues of the files corresponding to known malicious process paths.
6. A device for intercepting the restart deletion of a file, characterized by comprising:
a monitoring module, used to monitor events in which a process calls the set system information function in the operating system;
an acquisition module, used to obtain, according to the event detected by the monitoring module, the type index number of the set system information and the setting data passed by the process;
a judging module, used to judge whether the type index number of the set system information obtained by the acquisition module is the index number representing the setting of system registry additional character string information, the registry path to be modified in the setting data is the restart deletion registry path, the file path to be written in the setting data is a protected file path, and the process is a malicious process;
a blocking module, used to prevent the process from setting the system information when the judgment result of the judging module is yes.
7. The device for intercepting the restart deletion of a file according to claim 6, characterized in that, when the operating system is a Windows operating system, a hook function that hooks the NtSetSystemInformation function of the operating system kernel layer is set in advance in the monitoring module, and the monitoring module uses the hook function to monitor events in which a process calls the set system information function in the operating system.
8. The device for intercepting the restart deletion of a file according to claim 7, characterized in that the blocking module, through the hook function, returns a refusal message to the process or refuses the call to the set system information function, so as to prevent the process from setting the system information.
9. The device for intercepting the restart deletion of a file according to claim 6, characterized in that the judging module comprises:
a first judging submodule, used to judge whether the type index number of the set system information obtained by the acquisition module is the index number representing the setting of system registry additional character string information;
a second judging submodule, used to judge, when the judgment result of the first judging submodule is yes, whether the registry path to be modified in the setting data obtained by the acquisition module is the restart deletion registry path;
a first eigenvalue calculation submodule, used to calculate, when the judgment result of the second judging submodule is yes and according to a preset eigenvalue algorithm, the eigenvalue of the file corresponding to the file path to be written in the setting data obtained by the acquisition module;
a first path judging submodule, used to judge whether the eigenvalue calculated by the first eigenvalue calculation submodule for the file corresponding to the file path to be written is recorded in a preset eigenvalue library of protected files, and if so, to determine that the file path to be written is a protected file path; wherein the eigenvalue library of protected files records the eigenvalues of the files corresponding to known protected file paths;
a third judging submodule, used to judge whether the process is a malicious process when the first path judging submodule has judged that the file path to be written is a protected file path.
10. An electronic device, characterized in that the electronic device comprises a housing, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power circuit is used to supply power to each circuit or component of the electronic device; the memory is used to store executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, in order to carry out the method for intercepting the restart deletion of a file according to any one of claims 1-5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610457599.0A CN105868625B (en) | 2016-06-22 | 2016-06-22 | Method and device for intercepting restart deletion of file |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610457599.0A CN105868625B (en) | 2016-06-22 | 2016-06-22 | Method and device for intercepting restart deletion of file |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105868625A (en) | 2016-08-17 |
CN105868625B (en) | 2018-10-12 |
Family
ID=56649877
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610457599.0A Active CN105868625B (en) | 2016-06-22 | 2016-06-22 | Method and device for intercepting restart deletion of file |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105868625B (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107645546A (en) * | 2017-09-12 | 2018-01-30 | 深圳Tcl新技术有限公司 | File monitor method, smart machine and storage medium based on Android system |
CN108304699A (en) * | 2018-02-13 | 2018-07-20 | 北京奇安信科技有限公司 | A kind of method and device that security software is protected |
CN108363931A (en) * | 2018-02-13 | 2018-08-03 | 北京奇安信科技有限公司 | A kind of method and device that isolation area file is restored |
CN116204883A (en) * | 2023-01-11 | 2023-06-02 | 安芯网盾(北京)科技有限公司 | Method and system for detecting and blocking file self-deletion based on Linux kernel |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20100025116A (en) * | 2008-08-27 | 2010-03-09 | (주) 애니컴페니언 | Fully automatic deletion using the system to prevent the leakage of documents |
US20120204060A1 (en) * | 2011-02-08 | 2012-08-09 | Wisconsin Alumni Research Foundation | Providing restartable file systems within computing devices |
CN102902919A (en) * | 2012-08-30 | 2013-01-30 | 北京奇虎科技有限公司 | Method, device and system for identifying and processing suspicious practices |
CN104035842A (en) * | 2014-06-30 | 2014-09-10 | 上海斐讯数据通信技术有限公司 | Method for deleting and recovering built-in application program |
CN104182661A (en) * | 2013-05-24 | 2014-12-03 | 富泰华工业(深圳)有限公司 | Software protection system |
- 2016-06-22 CN CN201610457599.0A patent/CN105868625B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20100025116A (en) * | 2008-08-27 | 2010-03-09 | (주) 애니컴페니언 | Fully automatic deletion using the system to prevent the leakage of documents |
US20120204060A1 (en) * | 2011-02-08 | 2012-08-09 | Wisconsin Alumni Research Foundation | Providing restartable file systems within computing devices |
CN102902919A (en) * | 2012-08-30 | 2013-01-30 | 北京奇虎科技有限公司 | Method, device and system for identifying and processing suspicious practices |
CN104182661A (en) * | 2013-05-24 | 2014-12-03 | 富泰华工业(深圳)有限公司 | Software protection system |
CN104035842A (en) * | 2014-06-30 | 2014-09-10 | 上海斐讯数据通信技术有限公司 | Method for deleting and recovering built-in application program |
Non-Patent Citations (1)
Title |
---|
刘晟等: "基于微过滤驱动的文件操作检测及重定向方法", 《信息与电子工程》 * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107645546A (en) * | 2017-09-12 | 2018-01-30 | 深圳Tcl新技术有限公司 | File monitor method, smart machine and storage medium based on Android system |
CN108304699A (en) * | 2018-02-13 | 2018-07-20 | 北京奇安信科技有限公司 | A kind of method and device that security software is protected |
CN108363931A (en) * | 2018-02-13 | 2018-08-03 | 北京奇安信科技有限公司 | A kind of method and device that isolation area file is restored |
CN108304699B (en) * | 2018-02-13 | 2020-07-14 | 奇安信科技集团股份有限公司 | Method and device for protecting security software |
CN116204883A (en) * | 2023-01-11 | 2023-06-02 | 安芯网盾(北京)科技有限公司 | Method and system for detecting and blocking file self-deletion based on Linux kernel |
CN116204883B (en) * | 2023-01-11 | 2023-08-22 | 安芯网盾(北京)科技有限公司 | Method and system for detecting and blocking file self-deletion based on Linux kernel |
Also Published As
Publication number | Publication date |
---|---|
CN105868625B (en) | 2018-10-12 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3029593B1 (en) | System and method of limiting the operation of trusted applications in the presence of suspicious programs | |
CN103632080B (en) | A kind of mobile data applications method for security protection based on USBKey | |
Hasan et al. | Toward a threat model for storage systems | |
CN105868625A (en) | Method and device for intercepting restart deletion of file | |
CN108932428B (en) | Lesog software processing method, device, equipment and readable storage medium | |
CN105844146B (en) | Method and device for protecting driver and electronic equipment | |
CN104246698A (en) | Computer with flexible operating system | |
CN107563192A (en) | A kind of means of defence for extorting software, device, electronic equipment and storage medium | |
CN106127031A (en) | Method and device for protecting process and electronic equipment | |
CN114065204A (en) | File-free Trojan horse searching and killing method and device | |
CN106203077A (en) | Processing method and device for copy information and electronic equipment | |
CN107846418A (en) | Fire wall Initiative Defence System and means of defence | |
CN106203092A (en) | Method and device for intercepting shutdown of malicious program and electronic equipment | |
Lee et al. | Rcryptect: Real-time detection of cryptographic function in the user-space filesystem | |
CN106127034B (en) | A kind of method, apparatus that anti-locking system is maliciously closed and electronic equipment | |
CN106127050A (en) | Method and device for preventing system cursor from being maliciously modified and electronic equipment | |
CN106203107A (en) | Method and device for preventing system menu from being maliciously modified and electronic equipment | |
CN106022117A (en) | Method and device for preventing system environment variable from being modified and electronic equipment | |
CN106022120A (en) | File monitoring processing method and device and electronic equipment | |
CN106709357A (en) | Kernel internal storage monitoring based vulnerability prevention system for Android platform | |
CN112651039A (en) | Electric power data differentiation desensitization method and device fusing service scenes | |
CN109829324B (en) | Method for safely storing and quickly calling data and mobile terminal | |
CN106127051A (en) | Method and device for preventing mouse from being maliciously captured and electronic equipment | |
CN105844148A (en) | Method and device for protecting operating system and electronic equipment | |
CN113392410B (en) | Interface security detection method and device, computer equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | ||
Effective date of registration: 20190109; Address after: 519031 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province; Patentee after: Zhuhai Leopard Technology Co.,Ltd.; Address before: 100085 East District, No. 33 Xiaoying West Road, Haidian District, Beijing; Patentee before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd. |