CN105893102A - Processing method and device for triggering blue screen by anti-virus security software and electronic equipment - Google Patents


Publication number
CN105893102A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610498058.2A
Other languages
Chinese (zh)
Other versions
CN105893102B (en)
Inventor
李文靖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhuhai Baoqu Technology Co Ltd
Original Assignee
Beijing Kingsoft Internet Security Software Co Ltd


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating
    • G06F9/44594 Unloading
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements


Abstract

Embodiments of the invention disclose a processing method, a device and electronic equipment for a blue screen triggered by anti-virus security software, relating to the technical field of Internet anti-virus security. The anti-virus security software driver that triggers the blue screen can be removed accurately, without triggering a blue screen. This solves the problem in the prior art that, because it cannot be determined which driver's crash caused a blue screen, the drivers of the anti-virus security software are removed indiscriminately, which to some extent disables the anti-virus security software by mistake. The method comprises: creating a hook function hooked to a second defect detection function, the second defect detection function being used to detect system defects and produce a blue screen; determining whether a driver of the anti-virus security software triggered the blue screen; and, when it is determined that a driver of the anti-virus security software triggered the blue screen and the preset blue screen count is reached, unloading the anti-virus security software driver that triggered the blue screen.

Description

A processing method, device and electronic equipment for a blue screen triggered by anti-virus security software
Technical Field
The present invention relates to the technical field of Internet anti-virus security, and in particular to a processing method, a device and electronic equipment for a blue screen triggered by anti-virus security software.
Background
A computer blue screen, also known as the Blue Screen of Death (BSOD), is the screen image that the Microsoft Windows family of operating systems is forced to display when it cannot recover from a system error, in order to protect the computer's data files from damage.
Existing anti-virus security software consists of drivers and an upper-layer interface. The drivers are responsible for the system's various defensive monitoring, including monitoring of operations on files, the registry, services and processes, and they start automatically after boot. If a driver crashes, a blue screen is triggered and the whole system can no longer be used normally; if the upper-layer interface process crashes, only that process crashes, no blue screen is triggered, and the system as a whole remains usable. The stability of the drivers is therefore very important. If a driver of the anti-virus security software causes a crash, for example crashing and triggering a blue screen after it is loaded at every boot, the whole system becomes unusable and can only be reinstalled. This causes great inconvenience to users of the anti-virus security software, which loses their support and is uninstalled and abandoned.
In the prior-art scheme, a shutdown callback function is used to count normal shutdowns in order to decide whether to load the driver of the anti-virus security software. For example, if no normal shutdown was recorded, the blue screen count is incremented by 1 when the driver module is loaded at the next boot; when the count reaches 5, the driver of the anti-virus security software exits on its own, so that it is effectively not loaded. The problem with this solution is that any driver in the system may cause frequent blue screens, and the shutdown-callback scheme cannot distinguish whether a blue screen was caused by a driver of the anti-virus security software or by some other driver. A scheme that disables loading of the anti-virus security software's driver once the blue screen count reaches a certain value can therefore, to some extent, disable the anti-virus security software by mistake.
Summary of the Invention
In view of this, embodiments of the present invention provide a processing method, a device and electronic equipment for a blue screen triggered by anti-virus security software, to solve the problem that the prior art cannot determine which driver's crash caused a blue screen and removes the drivers of the anti-virus security software indiscriminately, which to some extent disables the anti-virus security software by mistake.
In a first aspect, an embodiment of the present invention provides a processing method for a blue screen triggered by anti-virus security software, comprising:
creating a hook function hooked to a second defect detection function, the second defect detection function being used to detect system defects and produce a blue screen;
determining whether a driver of the anti-virus security software triggered the blue screen;
when it is determined that a driver of the anti-virus security software triggered the blue screen and the preset blue screen count is reached, unloading the anti-virus security software driver that triggered the blue screen.
With reference to the first aspect, in a first embodiment of the first aspect, creating the hook function hooked to the second defect detection function comprises:
obtaining the function address of the second defect detection function, and saving the original function address of the second defect detection function in a global variable;
defining a hook function, the hook function calling the global original function address of the second defect detection function.
With reference to the first aspect, in a second embodiment of the first aspect, obtaining the function address of the second defect detection function comprises:
calling a function that obtains function addresses, to get the function address of a first defect detection function used to detect system defects;
finding the function address of the second defect detection function from the function address of the first defect detection function.
With reference to the first aspect, the first embodiment of the first aspect or the second embodiment of the first aspect, in a third embodiment of the first aspect, determining whether a driver of the anti-virus security software triggered the blue screen comprises:
in the hook function, obtaining the first eight call stack frames by calling a function that obtains the call stack;
if an address in the first eight call stack frames lies within a preset anti-virus security software driver address range, determining that a driver of the anti-virus security software is triggering the blue screen.
With reference to the third embodiment of the first aspect, in a fourth embodiment of the first aspect, unloading the anti-virus security software driver that triggered the blue screen, when it is determined that a driver of the anti-virus security software triggered the blue screen and the preset blue screen count is reached, comprises:
when it is determined that the anti-virus security software triggered the blue screen, incrementing the global blue screen count variable by 1;
when the blue screen count is greater than or equal to the preset blue screen count, unloading the anti-virus security software driver that hit the preset anti-virus security software driver address range.
In a second aspect, an embodiment of the present invention provides a processing device for a blue screen triggered by anti-virus security software, comprising:
a creating unit, configured to create a hook function hooked to a second defect detection function, the second defect detection function being used to detect system defects and produce a blue screen;
a judging unit, configured to determine whether a driver of the anti-virus security software triggered the blue screen;
an unloading unit, configured to unload the anti-virus security software driver that triggered the blue screen when it is determined that a driver of the anti-virus security software triggered the blue screen and the preset blue screen count is reached.
With reference to the second aspect, in a first embodiment of the second aspect, the creating unit comprises:
an address acquisition module, configured to obtain the function address of the second defect detection function and to save the original function address of the second defect detection function in a global variable;
an address calling module, configured to define a hook function, the hook function calling the global original function address of the second defect detection function.
With reference to the first embodiment of the second aspect, in a second embodiment of the second aspect, the address acquisition module comprises:
a first address acquisition submodule, configured to call a function that obtains function addresses, to get the function address of a first defect detection function used to detect system defects; and a second address acquisition submodule, configured to find the function address of the second defect detection function from the function address of the first defect detection function.
With reference to the second aspect, the first embodiment of the second aspect or the second embodiment of the second aspect, in a third embodiment of the second aspect, the judging unit comprises:
a call stack module, configured to obtain, in the hook function, the first eight call stack frames by calling a function that obtains the call stack;
a first judging module, configured to determine that a driver of the anti-virus security software is triggering the blue screen if an address in the first eight call stack frames lies within a preset anti-virus security software driver address range.
With reference to the third embodiment of the second aspect, in a fourth embodiment of the second aspect, the unloading unit comprises:
a counting module, configured to increment the global blue screen count variable by 1 when it is determined that the anti-virus security software triggered the blue screen;
an unloading module, configured to unload the anti-virus security software driver that hit the preset anti-virus security software driver address range when the blue screen count is greater than or equal to the preset value.
In a third aspect, an embodiment of the present invention provides electronic equipment comprising a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or component of the electronic equipment; the memory stores executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the following operations:
creating a hook function hooked to a second defect detection function, the second defect detection function being used to detect system defects and produce a blue screen;
determining whether a driver of the anti-virus security software triggered the blue screen;
when it is determined that a driver of the anti-virus security software triggered the blue screen and the preset blue screen count is reached, unloading the anti-virus security software driver that triggered the blue screen.
In a fourth aspect, an embodiment of the present invention further provides a storage medium for storing an application program, the application program being used to perform the processing method for a blue screen triggered by anti-virus security software provided by the embodiments of the present invention.
In a fifth aspect, an embodiment of the present invention further provides an application program for performing the processing method for a blue screen triggered by anti-virus security software provided by the embodiments of the present invention.
The processing method, device and electronic equipment provided by the embodiments of the present invention create a hook function hooked to the second defect detection function and, when it is determined that a driver of the anti-virus security software triggered the blue screen and the preset blue screen count is reached, unload the anti-virus security software driver that triggered the blue screen; that is, loading of the anti-virus security software driver that triggers the blue screen is disabled. The user can then use the computer normally and is not forced to reinstall the system, which improves the user experience, preserves the load rate of the anti-virus security software, and avoids the impact on the active user count that would result from mistakenly removing the drivers of the anti-virus security software.
Brief Description of the Drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of a processing method for a blue screen triggered by anti-virus security software according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the execution flow that leads to a blue screen in the processing method according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of a processing device for a blue screen triggered by anti-virus security software according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an embodiment of the electronic equipment of the present invention.
Detailed Description
The processing method and device for a blue screen triggered by anti-virus security software according to the embodiments of the present invention are described in detail below with reference to the drawings.
It should be understood that the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flowchart of a processing method for a blue screen triggered by anti-virus security software according to an embodiment of the present invention. As shown in Fig. 1, the method of this embodiment may include:
Step 101: create a hook function hooked to a second defect detection function, the second defect detection function being used to detect system defects and produce a blue screen.
In this embodiment, the second defect detection function is KeBugCheck2, the function in the Windows operating system that detects system defects and produces the blue screen, and the hook function hooked to KeBugCheck2 is NewKeBugCheck2.
It should be noted that the function call flow by which a driver causes a blue screen differs between systems, as follows:
Win7 system:
Driver module (such as 38sek) --> KeBugCheck --> KeBugCheckEx --> KeBugCheck2
XP system:
Driver module --> KeBugCheck --> KeBugCheck2
Win10 system:
Driver module --> KiBugCheck2 --> KeBugCheck2
To obtain a general scheme, the technical solution of the embodiments of the present invention chooses to hook the kernel function KeBugCheck2, the second defect detection function, because on the mainstream systems execution reaches this function whenever a driver triggers a blue screen. This allows a general scheme for hooking, counting triggered blue screens and unloading the anti-virus security software driver.
However, the second defect detection function KeBugCheck2 is not an exported function. Its function address must first be found before it can be hooked with an inline hook. This scheme takes the XP system as an example to implement hooking, counting of triggered blue screens and unloading of the anti-virus security software driver; the principle is the same on other systems and the implementation differs little.
As shown in Fig. 2, the execution flow shows that the second defect detection function KeBugCheck2 is called by the first defect detection function KeBugCheck, which is used to detect system defects, and that KeBugCheck is exported by the system. The kernel function MmGetSystemRoutineAddress, which obtains a function address, can be called to get the function address of the first defect detection function KeBugCheck. The disassembled code shows that KeBugCheck calls KeBugCheck2, so a search downward from the function address of KeBugCheck locates the address of the unexported function KeBugCheck2: find the byte signature ff 75 08 e8, and the function address of KeBugCheck2 is obtained by virtual address conversion. The method of obtaining the function address of the second defect detection function KeBugCheck2 is therefore, specifically: call the kernel function MmGetSystemRoutineAddress, which obtains a function address, to get the function address of the first defect detection function KeBugCheck; then, from the function address of the first defect detection function KeBugCheck, find the function address of the second defect detection function KeBugCheck2.
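The address resolution described above, as an added example that is not part of the patent text: it scans a constructed byte buffer standing in for KeBugCheck for the ff 75 08 e8 signature and converts the call displacement that follows into a virtual address. The buffer contents, the load address and the names resolve_call_target and resolve_in_sample are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Signature quoted in the text: FF 75 08 = push dword ptr [ebp+8],
 * E8 = opcode of a near relative call, followed by a 32-bit displacement. */
static const uint8_t SIG[] = { 0xFF, 0x75, 0x08, 0xE8 };

#define IMAGE_BASE 0x80400000u   /* constructed load address (assumption)      */
#define IMAGE_SIZE 0x1000u       /* constructed image size (assumption)        */
#define CALLER_OFF 0x100u        /* offset of the stand-in exported routine    */

/* Scan at most max_scan bytes from start_off for SIG and return the virtual
 * address the call transfers to, or 0 if the signature is missing or the
 * computed target is implausible. */
uint32_t resolve_call_target(const uint8_t *img, size_t img_size,
                             uint32_t img_base, size_t start_off,
                             size_t max_scan)
{
    if (start_off >= img_size)
        return 0;
    size_t end = (max_scan > img_size - start_off) ? img_size
                                                   : start_off + max_scan;

    for (size_t off = start_off; off + sizeof SIG + 4 <= end; off++) {
        if (memcmp(img + off, SIG, sizeof SIG) != 0)
            continue;

        size_t disp_off = off + sizeof SIG;     /* first displacement byte */
        uint32_t disp = (uint32_t)img[disp_off]
                      | (uint32_t)img[disp_off + 1] << 8
                      | (uint32_t)img[disp_off + 2] << 16
                      | (uint32_t)img[disp_off + 3] << 24;

        /* The displacement is relative to the next instruction. Unsigned
         * wrap-around gives the same result as signed addition, so backward
         * calls work too. */
        uint32_t next_va = img_base + (uint32_t)(disp_off + 4);
        uint32_t target  = next_va + disp;

        /* A target outside the image means the match was not the expected
         * call; refuse it instead of returning a wild address. */
        if (target < img_base || target - img_base >= img_size)
            return 0;
        return target;
    }
    return 0;
}

/* Build a constructed image whose routine at CALLER_OFF optionally contains
 * the signature with a call to callee_off, then resolve it. */
uint32_t resolve_in_sample(uint32_t callee_off, int with_signature)
{
    static uint8_t img[IMAGE_SIZE];
    memset(img, 0xCC, sizeof img);              /* int3 padding */

    uint8_t *p = img + CALLER_OFF;
    const uint8_t prologue[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
    memcpy(p, prologue, sizeof prologue);
    p += sizeof prologue;

    if (with_signature) {
        memcpy(p, SIG, sizeof SIG);
        p += sizeof SIG;
        uint32_t next_off = (uint32_t)(p - img) + 4;
        uint32_t disp = callee_off - next_off;  /* wraps for backward calls */
        for (int i = 0; i < 4; i++)
            *p++ = (uint8_t)(disp >> (8 * i));
    }
    return resolve_call_target(img, sizeof img, IMAGE_BASE, CALLER_OFF, 0x40);
}

int main(void)
{
    printf("forward call   -> 0x%08X\n", (unsigned)resolve_in_sample(0x400, 1));
    printf("backward call  -> 0x%08X\n", (unsigned)resolve_in_sample(0x020, 1));
    printf("out of image   -> 0x%08X\n", (unsigned)resolve_in_sample(0x5000, 1));
    printf("no signature   -> 0x%08X\n", (unsigned)resolve_in_sample(0x400, 0));
    return 0;
}
```

The bounded scan window and the in-image check matter because a four-byte signature is short: a resolver that accepts any match would hand a wrong address to the hooking step.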
With the function address, hooking is straightforward. A hook function NewKeBugCheck2 is defined, the original function address of the second defect detection function KeBugCheck2 is saved in a global variable, and NewKeBugCheck2 calls this global original function address to preserve the original system functionality. The function address of the second defect detection function KeBugCheck2 is then replaced with the function address of the hook function NewKeBugCheck2, implementing the inline hook. Whenever the system triggers a blue screen, execution reaches the hook function NewKeBugCheck2, so this scheme can count the blue screens triggered by the drivers of the anti-virus security software.
Step 102: determine whether a driver of the anti-virus security software triggered the blue screen.
In the hook function NewKeBugCheck2 of this scheme, when a blue screen is triggered, the call stack is obtained by calling the call stack function RtlWalkFrameChain; this scheme obtains only the first eight call stack frames.
Calling the kernel function ZwQuerySystemInformation (SystemModuleInformation) yields the address ranges of modules in virtual memory, from which the address ranges of the preset anti-virus security software driver modules are obtained, for example the driver modules kisknl.sys, ksapi.sys and the like.
With these preset module address ranges, the eight call stack addresses obtained by calling RtlWalkFrameChain are compared against them to see whether any of the eight addresses lies within a preset anti-virus security software driver module address range. If so, it is determined that a driver of the anti-virus security software triggered the blue screen.
Step 103: when it is determined that a driver of the anti-virus security software triggered the blue screen and the preset blue screen count is reached, unload the anti-virus security software driver that triggered the blue screen.
Specifically, in this step, when it is determined that the anti-virus security software triggered the blue screen, the global blue screen count variable is incremented by 1; when the blue screen count is greater than or equal to the preset blue screen count, the anti-virus security software driver that hit the preset anti-virus security software driver address range is unloaded. In this embodiment the preset blue screen count may be set to 5, so that when the blue screen count is greater than or equal to 5, the driver that hit the preset address range is unloaded. For example, if the kisknl driver module was found to have called the hook function NewKeBugCheck2, the kisknl driver of the anti-virus security software is unloaded. The unloading method is to call the OnUnLoad routine of the corresponding driver module, which deletes data such as startup entries so that the driver no longer starts.
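Steps 102 and 103 as an added example (not code from the patent or from the product): the first eight frames of a captured stack are matched against the address ranges of the watched drivers, and a counter decides when the hit driver should be unloaded. The module table, stack addresses and function names are constructed for illustration; in the driver the frames would come from RtlWalkFrameChain and the ranges from ZwQuerySystemInformation, as the text describes, and the counter here is simply a caller-supplied variable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FRAMES     8   /* the text inspects only the first eight frames */
#define BSOD_THRESHOLD 5   /* preset blue screen count from the embodiment  */

struct module_range {
    const char *name;
    uint64_t    base;
    uint64_t    size;
    int         watched;   /* 1 = one of the AV product's own drivers */
};

/* Constructed module table: bases and sizes are made up. */
static const struct module_range MODULES[] = {
    { "ntoskrnl.exe", 0x804D8000u, 0x1F8000u, 0 },
    { "kisknl.sys",   0xF7A10000u, 0x024000u, 1 },
    { "ksapi.sys",    0xF7B40000u, 0x012000u, 1 },
    { "otherdrv.sys", 0xF8C00000u, 0x030000u, 0 },
};
#define N_MODULES (sizeof MODULES / sizeof MODULES[0])

/* Constructed call stacks, innermost frame first. */
const uint64_t STACK_AV[]    = { 0x804F1234u, 0xF7A11ABCu, 0xF7A12000u };
const uint64_t STACK_OTHER[] = { 0x804F1234u, 0xF8C01000u, 0xF8C02000u };
/* The AV driver appears only at index 8, outside the inspected window. */
const uint64_t STACK_DEEP[]  = { 0x804F1234u, 0xF8C01000u, 0xF8C01010u,
                                 0xF8C01020u, 0xF8C01030u, 0xF8C01040u,
                                 0xF8C01050u, 0xF8C01060u, 0xF7A11ABCu };

/* Overflow-safe containment test: base <= addr < base + size. */
static int in_range(const struct module_range *m, uint64_t addr)
{
    return addr >= m->base && addr - m->base < m->size;
}

/* Return the watched driver owning one of the first eight frames, or NULL
 * when the crash cannot be attributed to the AV product. */
const struct module_range *attribute_crash(const uint64_t *frames, size_t n)
{
    size_t limit = n < MAX_FRAMES ? n : MAX_FRAMES;
    for (size_t f = 0; f < limit; f++)
        for (size_t m = 0; m < N_MODULES; m++)
            if (MODULES[m].watched && in_range(&MODULES[m], frames[f]))
                return &MODULES[m];
    return NULL;
}

enum verdict { NOT_OURS, COUNTED, UNLOAD };

/* Logic of the hook body: count only crashes attributed to a watched driver
 * and ask for an unload once the count reaches the threshold. */
enum verdict on_bugcheck(unsigned *count, const uint64_t *frames, size_t n,
                         const struct module_range **culprit)
{
    *culprit = attribute_crash(frames, n);
    if (*culprit == NULL)
        return NOT_OURS;               /* some other driver: leave count alone */
    *count += 1;
    return *count >= BSOD_THRESHOLD ? UNLOAD : COUNTED;
}

/* Replay the same crash repeatedly; return the crash number at which the
 * unload verdict is first produced, or -1 if it never is. */
int crashes_until_unload(const uint64_t *frames, size_t n, int max_crashes)
{
    unsigned count = 0;
    const struct module_range *culprit;
    for (int i = 1; i <= max_crashes; i++)
        if (on_bugcheck(&count, frames, n, &culprit) == UNLOAD)
            return i;
    return -1;
}

int main(void)
{
    const struct module_range *m = attribute_crash(STACK_AV, 3);
    printf("AV stack attributed to: %s\n", m ? m->name : "(none)");
    printf("unload after crash #%d\n", crashes_until_unload(STACK_AV, 3, 10));
    printf("other driver:  %d\n", crashes_until_unload(STACK_OTHER, 3, 10));
    printf("deep AV frame: %d\n", crashes_until_unload(STACK_DEEP, 9, 10));
    return 0;
}
```

Crashes whose stack shows no watched driver in the first eight frames never advance the counter, which is the difference from the shutdown-callback scheme criticised in the background section.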
By hooking the kernel blue screen function and using stack back-tracing to identify the driver module that caused the blue screen, the embodiments of the present invention can accurately determine which driver module of the anti-virus security software is causing frequent blue screens, and can accurately count the blue screens triggered by the drivers of the anti-virus security software. When the preset blue screen count is reached, loading of the anti-virus security software driver that triggers the blue screen is disabled, so that the user can use the computer normally and is not forced to reinstall the system. This improves the user experience, preserves the load rate of the anti-virus security software, and does not affect the active user count of the anti-virus security software.
Fig. 3 is a schematic structural diagram of a processing device for a blue screen triggered by anti-virus security software according to an embodiment of the present invention. As shown in Fig. 3, the processing device of this embodiment includes a creating unit 1, a judging unit 2 and an unloading unit 3. The creating unit 1 is configured to create the hook function NewKeBugCheck2 hooked to the second defect detection function KeBugCheck2, which is used to detect system defects and produce a blue screen. The judging unit 2 is configured to determine whether a driver of the anti-virus security software triggered the blue screen. The unloading unit 3 is configured to unload the anti-virus security software driver that triggered the blue screen when it is determined that a driver of the anti-virus security software triggered the blue screen and the preset blue screen count is reached.
Further, the creating unit includes: an address acquisition module, configured to obtain the function address of the second defect detection function KeBugCheck2 and to save the original function address of KeBugCheck2 in a global variable; and an address calling module, configured to define a hook function NewKeBugCheck2, the hook function NewKeBugCheck2 calling the global original function address of the second defect detection function KeBugCheck2.
Further, the address acquisition module includes: a first address acquisition submodule, configured to call the function MmGetSystemRoutineAddress, which obtains a function address, to get the function address of the first defect detection function KeBugCheck used to detect system defects; and a second address acquisition submodule, configured to find the function address of the second defect detection function KeBugCheck2 from the function address of the first defect detection function KeBugCheck.
Further, the judging unit includes: a call stack module, configured to obtain, in the hook function NewKeBugCheck2, the first eight call stack frames by calling the call stack function RtlWalkFrameChain; and a first judging module, configured to determine that a driver of the anti-virus security software is triggering the blue screen if an address in the first eight call stack frames lies within a preset anti-virus security software driver address range.
Further, the unloading unit 3 includes: a counting module, configured to increment the global blue screen count variable by 1 when it is determined that the anti-virus security software triggered the blue screen; and an unloading module, configured to unload the anti-virus security software driver that hit the preset anti-virus security software driver address range when the blue screen count is greater than or equal to the preset value.
The device of this embodiment can be used to carry out the technical solution of the method embodiment shown in Fig. 1; its implementation principle and technical effect are similar and are not repeated here.
An embodiment of the present invention also provides electronic equipment. Fig. 4 is a schematic structural diagram of an embodiment of the electronic equipment of the present invention, which can implement the flow of the embodiment shown in Fig. 1. As shown in Fig. 4, the electronic equipment may include a housing 31, a processor 32, a memory 33, a circuit board 34 and a power supply circuit 35, wherein the circuit board 34 is placed inside the space enclosed by the housing 31, and the processor 32 and the memory 33 are arranged on the circuit board 34; the power supply circuit 35 supplies power to each circuit or component of the electronic equipment; the memory 33 stores executable program code; and the processor 32 runs a program corresponding to the executable program code by reading the executable program code stored in the memory 33, so as to carry out the technical solution of the processing method for a blue screen triggered by anti-virus security software described in any of the foregoing embodiments. Its implementation principle and technical effect are similar and are not repeated here.
The electronic equipment exists in a variety of forms, including but not limited to:
(1) Mobile communication devices: devices of this kind have mobile communication capability and have voice and data communication as their main purpose. Such terminals include smartphones (such as the iPhone), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: devices of this kind belong to the category of personal computers, have computing and processing functions, and generally also have mobile Internet access. Such terminals include PDA, MID and UMPC devices, such as the iPad.
(3) Portable entertainment devices: devices of this kind can display and play multimedia content. They include audio and video players (such as the iPod), handheld devices, e-book readers, smart toys and portable in-vehicle navigation devices.
(4) Servers: devices that provide computing services. A server comprises a processor, hard disk, memory, system bus and so on, and is similar in architecture to a general-purpose computer, but because it must provide highly reliable service, the requirements on processing capability, stability, reliability, security, scalability and manageability are higher.
(5) Other electronic equipment with data interaction functions.
An embodiment of the present invention further provides a storage medium for storing an application program, the application program being used to perform the processing method for a blue screen triggered by anti-virus security software described in any of the foregoing embodiments of the present invention.
An embodiment of the present invention further provides an application program for performing the processing method for a blue screen triggered by anti-virus security software described in any of the foregoing embodiments of the present invention.
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The embodiments of the present invention hook the kernel blue screen function and use a stack back-trace technique to determine the driver module that caused the blue screen. This makes it possible to determine accurately which driver module of the anti-virus security software is causing frequent blue screens, and to count accurately the number of blue screens triggered by an anti-virus security software driver. When the preset blue screen count value is reached, loading of the anti-virus security software driver that triggers the blue screen is disabled, so that the user can use the computer normally and is not led to reset the system. This improves the user experience, preserves the installation rate of the anti-virus security software, and does not affect the number of active users of the anti-virus security software.
A person of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the processes of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The above are only specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any change or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A processing method for a blue screen triggered by anti-virus security software, characterized by comprising:
creating a hook function that hooks a second defect detection function, the second defect detection function being used to detect system defects and produce a blue screen;
determining whether a driver of the anti-virus security software has triggered the blue screen;
when it is determined that a driver of the anti-virus security software has triggered the blue screen and a preset blue screen count is reached, unloading the driver of the anti-virus security software that triggered the blue screen.
2. The method according to claim 1, characterized in that creating the hook function that hooks the second defect detection function comprises:
obtaining the function address of the second defect detection function, and saving a global original function address of the second defect detection function;
defining a hook function, wherein the hook function calls the global original function address of the second defect detection function.
3. The method according to claim 1, characterized in that obtaining the function address of the second defect detection function comprises:
calling a function for obtaining function addresses to get the function address of a first defect detection function used to detect system defects;
finding the function address of the second defect detection function by means of the function address of the first defect detection function.
4. The method according to any one of claims 1-3, characterized in that determining whether a driver of the anti-virus security software has triggered the blue screen comprises:
in the hook function, obtaining the first eight call stack entries by calling a function for obtaining the call stack;
if an address of the first eight call stack entries lies within a preset anti-virus security software driver address range, determining that a driver of the anti-virus security software triggered the blue screen.
5. The method according to claim 4, characterized in that unloading the driver of the anti-virus security software that triggered the blue screen, when it is determined that a driver of the anti-virus security software has triggered the blue screen and the preset blue screen count is reached, comprises:
when it is determined that the anti-virus security software triggered the blue screen, incrementing the global blue screen count variable by 1;
when the blue screen count is greater than or equal to the preset blue screen count value, unloading the anti-virus security software driver whose preset anti-virus security software driver address range was hit.
6. A processing device for a blue screen triggered by anti-virus security software, characterized by comprising:
a creating unit, configured to create a hook function that hooks a second defect detection function, the second defect detection function being used to detect system defects and produce a blue screen;
a judging unit, configured to determine whether a driver of the anti-virus security software has triggered the blue screen;
an unloading unit, configured to unload the driver of the anti-virus security software that triggered the blue screen when it is determined that a driver of the anti-virus security software has triggered the blue screen and a preset blue screen count is reached.
7. The device according to claim 6, characterized in that the creating unit comprises:
an address obtaining module, configured to obtain the function address of the second defect detection function and save a global original function address of the second defect detection function;
an address calling module, configured to define a hook function, wherein the hook function calls the global original function address of the second defect detection function.
8. The device according to claim 7, characterized in that the address obtaining module comprises:
a first address obtaining submodule, configured to call a function for obtaining function addresses to get the function address of a first defect detection function used to detect system defects;
a second address obtaining submodule, configured to find the function address of the second defect detection function by means of the function address of the first defect detection function.
9. The device according to any one of claims 6-8, characterized in that the judging unit comprises:
a call stack module, configured to obtain, in the hook function, the first eight call stack entries by calling a function for obtaining the call stack;
a first judging module, configured to determine that a driver of the anti-virus security software triggered the blue screen if an address of the first eight call stack entries lies within a preset anti-virus security software driver address range.
10. An electronic device, characterized in that the electronic device comprises: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit is configured to supply power to each circuit or component of the electronic device; the memory is configured to store executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the following operations:
creating a hook function that hooks a second defect detection function, the second defect detection function being used to detect system defects and produce a blue screen;
determining whether a driver of the anti-virus security software has triggered the blue screen;
when it is determined that a driver of the anti-virus security software has triggered the blue screen and a preset blue screen count is reached, unloading the driver of the anti-virus security software that triggered the blue screen.
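
Claims 4 and 5 and the summary paragraph of the description attribute a blue screen to a driver by checking the first eight call stack entries against preset driver address ranges and counting the hits. The following user-mode C model of that step is an added example, not code from the patent; the driver names, addresses, record layout and the threshold of 3 are constructed assumptions, and no kernel function is hooked.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_FRAMES 8      /* the claims inspect the first eight call stack entries */
#define BSOD_THRESHOLD 3  /* assumed preset count; the page gives no number */
typedef struct {          /* hypothetical record, one per anti-virus driver */
    const char *name;
    uintptr_t base;       /* start of the preset driver address range */
    uintptr_t size;       /* length of the range in bytes */
    unsigned bsod_count;  /* blue screens attributed to this driver */
    int disabled;         /* 1 once the driver must no longer be loaded */
} av_driver;

/* Half-open check [base, base + size), written so base + size cannot overflow. */
static int in_range(const av_driver *d, uintptr_t addr)
{
    return addr >= d->base && addr - d->base < d->size;
}

/* Owner of the first inspected frame that lies in a preset range, else NULL. */
av_driver *attribute_bugcheck(av_driver *drv, size_t ndrv, const uintptr_t *frames, size_t nframes)
{
    size_t n = nframes > MAX_FRAMES ? MAX_FRAMES : nframes; /* ignore deeper frames */
    for (size_t f = 0; f < n; f++)
        for (size_t i = 0; i < ndrv; i++)
            if (in_range(&drv[i], frames[f]))
                return &drv[i];
    return NULL;
}

/* Body of the simulated hook: returns 1 when this crash disables the driver. */
int on_bugcheck(av_driver *drv, size_t ndrv, const uintptr_t *frames, size_t nframes)
{
    av_driver *hit = attribute_bugcheck(drv, ndrv, frames, nframes);
    if (hit == NULL || hit->disabled)
        return 0;
    return hit->disabled = (++hit->bsod_count >= BSOD_THRESHOLD);
}

/* Constructed sample data: driver names and addresses are made up. */
static av_driver sample_drivers[] = {{"avflt.sys", 0x10000000u, 0x20000u, 0, 0},
                                     {"avnet.sys", 0x10400000u, 0x8000u, 0, 0}};
static const uintptr_t sample_stack[] = {0x80001000u, 0x80002340u, 0x10012abcu};

int main(void)
{
    for (int crash = 1; crash <= BSOD_THRESHOLD; crash++)
        printf("crash %d: disable=%d\n", crash, on_bugcheck(sample_drivers, 2, sample_stack, 3));
    return 0;
}
```

Because the range check is half-open, an address equal to base + size is not attributed to the driver, and a driver address that appears only after the eighth entry never counts toward the threshold.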

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610498058.2A CN105893102B (en) 2016-06-29 2016-06-29 A kind of processing method, device and the electronic equipment of anti-virus security software triggering blue screen

Publications (2)

Publication Number Publication Date
CN105893102A true CN105893102A (en) 2016-08-24
CN105893102B CN105893102B (en) 2019-11-12

Family

ID=56719487

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610498058.2A Active CN105893102B (en) 2016-06-29 2016-06-29 A kind of processing method, device and the electronic equipment of anti-virus security software triggering blue screen

Country Status (1)

Country Link
CN (1) CN105893102B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20190117

Address after: 519031 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province

Applicant after: Zhuhai Leopard Technology Co.,Ltd.

Address before: 100085 East District, Second Floor, 33 Xiaoying West Road, Haidian District, Beijing

Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.

GR01 Patent grant