CN105893102A - Processing method and device for triggering blue screen by anti-virus security software and electronic equipment - Google Patents
- Publication number: CN105893102A (application CN201610498058.2A)
- Authority: CN (China)
- Prior art keywords: function, blue screen, driver, address, virus
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion.)
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
- G06F9/44594—Unloading
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
Abstract
The embodiments of the invention disclose a processing method, a device and electronic equipment for handling a blue screen triggered by anti-virus security software, relating to the technical field of Internet anti-virus security. The driver of the anti-virus security software that triggers the blue screen can be accurately removed, so that it no longer triggers the blue screen. This solves the problem in the prior art that, because it cannot be determined which driver's crash caused the blue screen, the driver of the anti-virus security software is removed indiscriminately and is therefore wrongly disabled to a certain extent. The method comprises: creating a hook function that hooks the second defect detection function, where the second defect detection function is used to detect system defects and produce a blue screen; determining whether a driver of the anti-virus security software triggered the blue screen; and, when it is determined that a driver of the anti-virus security software triggered the blue screen and the preset blue screen count is reached, unloading the driver of the anti-virus security software that triggered the blue screen.
Description
Technical field
The present invention relates to the field of Internet anti-virus security technology, and in particular to a processing method, a device and electronic equipment for handling a blue screen triggered by anti-virus security software.
Background
A computer blue screen, also known as the Blue Screen of Death (BSOD), is the screen that the Microsoft Windows family of operating systems is forced to display when it cannot recover from a system error, in order to protect the computer's data files from being destroyed.
Existing anti-virus security software consists of a driver and an upper-layer interface. The driver is responsible for the various defensive monitoring functions of the system, including monitoring of operations on files, the registry, services and processes. The driver starts automatically after boot; if the driver crashes, a blue screen is triggered and the whole system can no longer be used normally. If the upper-layer interface process crashes, only that process crashes: no blue screen is triggered and the system as a whole remains usable. The stability of the driver is therefore very important. If the driver of the anti-virus security software causes a crash, for example if after every boot the driver is loaded, crashes and triggers a blue screen, the whole system becomes unusable and can only be reset. This brings great inconvenience to users of the anti-virus security software, which then loses their support and is uninstalled and abandoned.
In the prior-art scheme, a shutdown callback function is used to count normal shutdowns in order to decide whether to load the driver of the anti-virus security software. For example, if no normal shutdown has been recorded, the blue screen count is incremented by 1 when the driver module is loaded at the next boot; when the count reaches 5, the driver of the anti-virus security software exits by itself, so that it is effectively not loaded. The problem with this solution is that any driver in the system may cause frequent blue screens, and the shutdown-callback scheme cannot distinguish whether a blue screen was caused by the driver of the anti-virus security software or by another driver. A scheme that disables loading of the anti-virus security software driver once the blue screen count reaches a certain value therefore wrongly disables the anti-virus security software to a certain extent.
Summary of the invention
In view of this, the embodiments of the present invention provide a processing method, a device and electronic equipment for handling a blue screen triggered by anti-virus security software, to solve the problem that the prior art cannot determine which driver's crash caused a blue screen and removes the driver of the anti-virus security software indiscriminately, wrongly disabling the anti-virus security software to a certain extent.
In a first aspect, an embodiment of the present invention provides a processing method for a blue screen triggered by anti-virus security software, including:
creating a hook function that hooks the second defect detection function, where the second defect detection function is used to detect system defects and produce a blue screen;
determining whether a driver of the anti-virus security software triggered the blue screen;
when it is determined that a driver of the anti-virus security software triggered the blue screen and the preset blue screen count is reached, unloading the driver of the anti-virus security software that triggered the blue screen.
With reference to the first aspect, in a first embodiment of the first aspect, creating the hook function that hooks the second defect detection function includes:
obtaining the function address of the second defect detection function, and saving a global copy of the original function address of the second defect detection function;
defining a hook function, in which the saved global original function address of the second defect detection function is called.
With reference to the first aspect, in a second embodiment of the first aspect, obtaining the function address of the second defect detection function includes:
calling the function that obtains a function address, to get the function address of the first defect detection function used to detect system defects;
finding the function address of the second defect detection function from the function address of the first defect detection function.
With reference to the first aspect, the first embodiment of the first aspect or the second embodiment of the first aspect, in a third embodiment of the first aspect, determining whether a driver of the anti-virus security software triggered the blue screen includes:
in the hook function, obtaining the first eight call stack entries by calling the function that obtains the call stack;
if an address among the first eight call stack entries lies within a preset anti-virus security software driver address range, determining that a driver of the anti-virus security software triggered the blue screen.
With reference to the third embodiment of the first aspect, in a fourth embodiment of the first aspect, unloading the driver of the anti-virus security software that triggered the blue screen, when it is determined that a driver of the anti-virus security software triggered the blue screen and the preset blue screen count is reached, includes:
when it is determined that the anti-virus security software triggered the blue screen, incrementing the global blue screen count variable by 1;
when the blue screen count is greater than or equal to the preset blue screen count value, unloading the anti-virus security software driver whose preset driver address range was hit.
In a second aspect, an embodiment of the present invention provides a processing device for a blue screen triggered by anti-virus security software, including:
a creating unit, configured to create a hook function that hooks the second defect detection function, where the second defect detection function is used to detect system defects and produce a blue screen;
a judging unit, configured to determine whether a driver of the anti-virus security software triggered the blue screen;
an unloading unit, configured to unload the driver of the anti-virus security software that triggered the blue screen when it is determined that a driver of the anti-virus security software triggered the blue screen and the preset blue screen count is reached.
With reference to the second aspect, in a first embodiment of the second aspect, the creating unit includes:
an address acquisition module, configured to obtain the function address of the second defect detection function and to save a global copy of the original function address of the second defect detection function;
an address calling module, configured to define a hook function, in which the saved global original function address of the second defect detection function is called.
With reference to the first embodiment of the second aspect, in a second embodiment of the second aspect, the address acquisition module includes:
a first address acquisition submodule, configured to call the function that obtains a function address, to get the function address of the first defect detection function used to detect system defects; and a second address acquisition submodule, configured to find the function address of the second defect detection function from the function address of the first defect detection function.
With reference to the second aspect, the first embodiment of the second aspect or the second embodiment of the second aspect, in a third embodiment of the second aspect, the judging unit includes:
a call stack module, configured to obtain, in the hook function, the first eight call stack entries by calling the function that obtains the call stack;
a first judging module, configured to determine that a driver of the anti-virus security software triggered the blue screen if an address among the first eight call stack entries lies within a preset anti-virus security software driver address range.
With reference to the third embodiment of the second aspect, in a fourth embodiment of the second aspect, the unloading unit includes:
a counting module, configured to increment the global blue screen count variable by 1 when it is determined that the anti-virus security software triggered the blue screen;
an unloading module, configured to unload the anti-virus security software driver whose preset driver address range was hit when the blue screen count is greater than or equal to the preset value.
In a third aspect, an embodiment of the present invention provides electronic equipment including a housing, a processor, a memory, a circuit board and a power supply circuit. The circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic equipment; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, in order to perform the following operations:
creating a hook function that hooks the second defect detection function, where the second defect detection function is used to detect system defects and produce a blue screen;
determining whether a driver of the anti-virus security software triggered the blue screen;
when it is determined that a driver of the anti-virus security software triggered the blue screen and the preset blue screen count is reached, unloading the driver of the anti-virus security software that triggered the blue screen.
In a fourth aspect, an embodiment of the present invention further provides a storage medium for storing an application program, the application program being used to perform the processing method for a blue screen triggered by anti-virus security software provided by the embodiments of the present invention.
In a fifth aspect, an embodiment of the present invention further provides an application program for performing the processing method for a blue screen triggered by anti-virus security software provided by the embodiments of the present invention.
The processing method, device and electronic equipment provided by the embodiments of the present invention create a hook function that hooks the second defect detection function. When it is determined that a driver of the anti-virus security software triggered the blue screen and the preset blue screen count is reached, the driver of the anti-virus security software that triggered the blue screen is unloaded, that is, loading of that driver is disabled. The user can then use the computer normally and does not have to reset the system. This improves the user experience, preserves the load rate of the anti-virus security software, and avoids the impact on active-user numbers caused by wrongly removing the driver of the anti-virus security software.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a processing method for a blue screen triggered by anti-virus security software according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the execution flow that causes a blue screen in the processing method according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of a processing device for a blue screen triggered by anti-virus security software according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an embodiment of the electronic equipment of the present invention.
Detailed description
The processing method and device for a blue screen triggered by anti-virus security software according to the embodiments of the present invention are described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flowchart of a processing method for a blue screen triggered by anti-virus security software according to an embodiment of the present invention. As shown in Fig. 1, the method of this embodiment may include:
Step 101: create a hook function that hooks the second defect detection function, where the second defect detection function is used to detect system defects and produce a blue screen.
In this embodiment, the second defect detection function is KeBugCheck2, the function in the Windows operating system that detects system defects and produces the blue screen, and the hook function that hooks the second defect detection function KeBugCheck2 is NewKeBugCheck2.
It should be noted that the chain of functions through which a driver causes a blue screen differs between systems, as follows:
Win7 system:
Driver module (such as 38sek) --> KeBugCheck --> KeBugCheckEx --> KeBugCheck2
XP system:
Driver module --> KeBugCheck --> KeBugCheck2
Win10 system:
Driver module --> KiBugCheck2 --> KeBugCheck2
To obtain a general scheme, the technical solution of the embodiments of the present invention hooks the kernel function KeBugCheck2, the second defect detection function, because on the mainstream systems this function is always reached when a driver triggers a blue screen. Hooking it therefore gives a general way to hook, count triggered blue screens and unload the anti-virus security software driver.
However, the second defect detection function KeBugCheck2 is not an exported function. Its function address must first be found before it can be hooked with an inline hook. This scheme takes the XP system as an example to implement the hooking, the counting of triggered blue screens and the unloading of the anti-virus security software driver; the principle on other systems is the same and the implementation differs little.
As shown in Fig. 2, the execution flow shows that the second defect detection function KeBugCheck2 is called by the first defect detection function KeBugCheck, which detects system defects, and that KeBugCheck is exported by the system. The kernel function MmGetSystemRoutineAddress, which obtains the address of a function, can therefore be called to get the function address of the first defect detection function KeBugCheck. The disassembled code shows that KeBugCheck calls KeBugCheck2, so the address of the unexported function KeBugCheck2 can be found by searching downward from the function address of KeBugCheck: locate the byte feature ff 75 08 e8, and the function address of the second defect detection function KeBugCheck2 is then obtained by virtual address conversion. The method of obtaining the function address of the second defect detection function KeBugCheck2 is therefore: call the kernel function MmGetSystemRoutineAddress to get the function address of the first defect detection function KeBugCheck; then, from the function address of KeBugCheck, find the function address of the second defect detection function KeBugCheck2.
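The address lookup described above, as an added example that is not code from the patent: a user-mode C simulation that scans a constructed byte buffer for the ff 75 08 e8 feature and converts the call's 32-bit relative operand into an absolute address. The function names, sample bytes and addresses, and the uniqueness and image-range checks, are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes for the lookup; the names are this example's own. */
enum scan_status { SCAN_OK = 0, SCAN_NOT_FOUND, SCAN_AMBIGUOUS, SCAN_OUT_OF_IMAGE };

/* The byte feature quoted in the text: push dword ptr [ebp+8]; call rel32 */
static const uint8_t SIG[4] = { 0xff, 0x75, 0x08, 0xe8 };

/*
 * Scan `len` bytes of code that start at virtual address `code_va` for SIG,
 * then convert the rel32 operand of the call into an absolute address.
 * The result is rejected unless the feature occurs exactly once and the
 * target lies inside [image_lo, image_hi), the image the callee must be in.
 */
enum scan_status resolve_call_target(const uint8_t *code, size_t len,
                                     uint32_t code_va,
                                     uint32_t image_lo, uint32_t image_hi,
                                     uint32_t *target_out)
{
    size_t hits = 0, hit_off = 0;

    /* Only accept positions where the 4 operand bytes are also in bounds. */
    for (size_t i = 0; i + sizeof SIG + 4 <= len; i++) {
        if (memcmp(code + i, SIG, sizeof SIG) == 0) {
            hit_off = i;
            hits++;
        }
    }
    if (hits == 0) return SCAN_NOT_FOUND;
    if (hits > 1)  return SCAN_AMBIGUOUS;

    size_t op = hit_off + sizeof SIG;            /* first byte of rel32 */
    uint32_t rel32 = (uint32_t)code[op]
                   | (uint32_t)code[op + 1] << 8
                   | (uint32_t)code[op + 2] << 16
                   | (uint32_t)code[op + 3] << 24;

    /* Target = address of the next instruction + rel32. Unsigned wrap-around
       makes a negative displacement come out right without a signed cast. */
    uint32_t target = code_va + (uint32_t)(op + 4) + rel32;

    if (target < image_lo || target >= image_hi) return SCAN_OUT_OF_IMAGE;
    *target_out = target;
    return SCAN_OK;
}

/* Wrapper for callers that treat 0 as "no usable address". */
uint32_t call_target_or_zero(const uint8_t *code, size_t len, uint32_t code_va,
                             uint32_t image_lo, uint32_t image_hi)
{
    uint32_t t = 0;
    return resolve_call_target(code, len, code_va, image_lo, image_hi, &t)
               == SCAN_OK ? t : 0;
}

/* Constructed bytes standing in for the exported function's body. */
const uint8_t SAMPLE_FWD[] = {
    0x8b, 0xff, 0x55, 0x8b, 0xec,                   /* prologue             */
    0x6a, 0x00, 0x6a, 0x00, 0x6a, 0x00, 0x6a, 0x00, /* push 0 (four times)  */
    0xff, 0x75, 0x08,                               /* push dword [ebp+8]   */
    0xe8, 0x3b, 0x01, 0x00, 0x00,                   /* call +0x13b          */
    0x5d, 0xc2, 0x04, 0x00                          /* pop ebp; ret 4       */
};
/* Constructed: the same feature with a backward (negative) displacement. */
const uint8_t SAMPLE_BACK[] = { 0xff, 0x75, 0x08, 0xe8, 0xf0, 0xff, 0xff, 0xff };
/* Constructed: the feature occurs twice, so the match is not trustworthy. */
const uint8_t SAMPLE_TWICE[] = {
    0xff, 0x75, 0x08, 0xe8, 0x00, 0x00, 0x00, 0x00,
    0xff, 0x75, 0x08, 0xe8, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    uint32_t t = 0;
    enum scan_status s = resolve_call_target(SAMPLE_FWD, sizeof SAMPLE_FWD,
                                             0x80500000u, 0x80400000u,
                                             0x80700000u, &t);
    printf("forward call : status=%d target=0x%08x\n", (int)s, (unsigned)t);
    printf("backward call: target=0x%08x\n",
           (unsigned)call_target_or_zero(SAMPLE_BACK, sizeof SAMPLE_BACK,
                                         0x1000u, 0x0800u, 0x2000u));
    s = resolve_call_target(SAMPLE_TWICE, sizeof SAMPLE_TWICE,
                            0x1000u, 0x0800u, 0x2000u, &t);
    printf("two matches  : status=%d (ambiguous)\n", (int)s);
    return 0;
}
```

A lookup that fails any of these checks should leave the function unhooked rather than guess at an address.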
Once the function address is available, hooking is straightforward. Define a hook function NewKeBugCheck2 and save a global copy of the original function address of the second defect detection function KeBugCheck2; the hook function NewKeBugCheck2 calls this saved global original address so that the original system functionality is preserved. Then replace the function address of the second defect detection function KeBugCheck2 with the function address of the hook function NewKeBugCheck2 to implement the inline hook. Whenever the system triggers a blue screen, execution reaches the hook function NewKeBugCheck2, where this scheme can count the blue screens triggered by the driver of the anti-virus security software.
Step 102: determine whether a driver of the anti-virus security software triggered the blue screen.
In the hook function NewKeBugCheck2 of this scheme, when a blue screen is triggered, the call stack is obtained by calling the call-stack function RtlWalkFrameChain; this scheme obtains only the first eight call stack entries.
Calling the kernel function ZwQuerySystemInformation(SystemModuleInformation) returns the address ranges of modules in virtual memory, from which the address ranges of the preset anti-virus security software driver modules are obtained, for example those of preset driver modules such as kisknl.sys and ksapi.sys.
With these preset module address ranges available, the eight call stack addresses obtained by calling RtlWalkFrameChain are compared against them to see whether any of the eight addresses lies within the address range of a preset anti-virus security software driver module. If so, it is determined that a driver of the anti-virus security software triggered the blue screen.
Step 103: when it is determined that a driver of the anti-virus security software triggered the blue screen and the preset blue screen count is reached, unload the driver of the anti-virus security software that triggered the blue screen.
Specifically, in this step, when it is determined that the anti-virus security software triggered the blue screen, the global blue screen count variable is incremented by 1; when the blue screen count is greater than or equal to the preset blue screen count value, the anti-virus security software driver whose preset driver address range was hit is unloaded. In this embodiment the preset blue screen count value may be set to 5: when the blue screen count is greater than or equal to 5, the driver whose preset address range was hit is unloaded. For example, if the hit shows that the kisknl driver module called the hook function NewKeBugCheck2, the kisknl driver of the anti-virus security software is unloaded. Unloading is done by calling the OnUnLoad routine of the corresponding driver module; the routine deletes data such as the startup entry, so that the driver is no longer started.
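Steps 102 and 103 as an added example (not code from the patent): a user-mode C simulation that checks the first eight return addresses against the preset driver address ranges and counts only the blue screens attributed to those drivers. The module bases and sizes, the stack addresses and all function names are constructed; keeping the counter in caller-owned state that survives a reboot is an assumption, since the text only calls it a global variable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_FRAMES      8   /* the text inspects only the first eight entries */
#define BSOD_THRESHOLD  5   /* preset blue screen count used in the text      */

struct module_range { const char *name; uint32_t base; uint32_t size; };

enum action { ACT_IGNORE, ACT_COUNTED, ACT_UNLOAD };

/* Counter owned by the caller (assumption: stored where it survives a reboot). */
struct bsod_state { unsigned count; };

/* Index of the monitored module that contains one of the first MAX_FRAMES
   return addresses, or -1 when none of them does. */
int attribute_bugcheck(const uint32_t *frames, size_t nframes,
                       const struct module_range *mods, size_t nmods)
{
    if (nframes > MAX_FRAMES) nframes = MAX_FRAMES;
    for (size_t f = 0; f < nframes; f++)
        for (size_t m = 0; m < nmods; m++)
            /* addr - base < size cannot overflow the way base + size can,
               and unsigned subtraction also rejects addr < base. */
            if (frames[f] - mods[m].base < mods[m].size)
                return (int)m;
    return -1;
}

/* Decision taken inside the hook: ignore crashes from other drivers, count
   attributed ones, and request an unload once the threshold is reached. */
enum action on_bugcheck(struct bsod_state *st,
                        const uint32_t *frames, size_t nframes,
                        const struct module_range *mods, size_t nmods,
                        const char **culprit)
{
    int idx = attribute_bugcheck(frames, nframes, mods, nmods);
    *culprit = (idx < 0) ? NULL : mods[idx].name;
    if (idx < 0) return ACT_IGNORE;
    st->count++;
    return st->count >= BSOD_THRESHOLD ? ACT_UNLOAD : ACT_COUNTED;
}

/* Constructed address ranges for the two driver names given in the text. */
const struct module_range MODS[2] = {
    { "kisknl.sys", 0xf7a00000u, 0x20000u },
    { "ksapi.sys",  0xf7b00000u, 0x08000u },
};
/* Constructed stacks: the third entry of FRAMES_AV lies inside kisknl.sys. */
const uint32_t FRAMES_AV[8] = {
    0x8053380eu, 0x804f8df9u, 0xf7a01234u, 0x8057e4a2u,
    0x804dd99fu, 0x805c7a06u, 0x80541fa2u, 0x80500150u };
/* Constructed: a crash in some other driver; 0xf7a20000 is one past kisknl. */
const uint32_t FRAMES_OTHER[8] = {
    0x8053380eu, 0xf8301a40u, 0xf8302b11u, 0xf7a20000u,
    0x804dd99fu, 0x805c7a06u, 0x80541fa2u, 0x80500150u };
/* Constructed: only the ninth entry is in ksapi.sys, beyond the inspected eight. */
const uint32_t FRAMES_DEEP[9] = {
    0x8053380eu, 0xf8301a40u, 0xf8302b11u, 0x8057e4a2u, 0x804dd99fu,
    0x805c7a06u, 0x80541fa2u, 0x80500150u, 0xf7b00010u };

/* Alternate crashes caused by another driver (odd boots) with crashes caused
   by the monitored driver (even boots); return the boot at which the unload
   is requested, or -1 if it never is. */
int boots_until_unload(void)
{
    struct bsod_state st = { 0 };
    const char *who;
    for (int boot = 1; boot <= 100; boot++) {
        const uint32_t *frames = (boot % 2) ? FRAMES_OTHER : FRAMES_AV;
        if (on_bugcheck(&st, frames, 8, MODS, 2, &who) == ACT_UNLOAD)
            return boot;
    }
    return -1;
}

int main(void)
{
    int idx = attribute_bugcheck(FRAMES_AV, 8, MODS, 2);
    printf("FRAMES_AV    -> %s\n", idx < 0 ? "not attributed" : MODS[idx].name);
    idx = attribute_bugcheck(FRAMES_OTHER, 8, MODS, 2);
    printf("FRAMES_OTHER -> %s\n", idx < 0 ? "not attributed" : MODS[idx].name);
    printf("unload requested at boot %d\n", boots_until_unload());
    return 0;
}
```

With alternating crashes the unload is requested at the tenth boot, after five attributed blue screens; a counter that cannot tell the drivers apart would have reached 5 at the fifth boot.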
By hooking the kernel blue screen function and tracing back the stack to determine the driver module that caused the blue screen, the embodiments of the present invention can accurately determine which driver module of the anti-virus security software is causing frequent blue screens, and can accurately count the blue screens triggered by the anti-virus security software driver. When the preset blue screen count value is reached, loading of the driver of the anti-virus security software that triggers the blue screen is disabled, so that the user can use the computer normally and does not have to reset the system. This improves the user experience, preserves the load rate of the anti-virus security software, and does not affect the active-user numbers of the anti-virus security software.
Fig. 3 is a schematic structural diagram of a processing device for a blue screen triggered by anti-virus security software according to an embodiment of the present invention. As shown in Fig. 3, the processing device of this embodiment includes a creating unit 1, a judging unit 2 and an unloading unit 3. The creating unit 1 is configured to create the hook function NewKeBugCheck2 that hooks the second defect detection function KeBugCheck2, where KeBugCheck2 is used to detect system defects and produce a blue screen; the judging unit 2 is configured to determine whether a driver of the anti-virus security software triggered the blue screen; the unloading unit 3 is configured to unload the driver of the anti-virus security software that triggered the blue screen when it is determined that a driver of the anti-virus security software triggered the blue screen and the preset blue screen count is reached.
Further, the creating unit includes: an address acquisition module, configured to obtain the function address of the second defect detection function KeBugCheck2 and to save a global copy of the original function address of KeBugCheck2; and an address calling module, configured to define a hook function NewKeBugCheck2, in which the saved global original function address of the second defect detection function KeBugCheck2 is called.
Further, the address acquisition module includes: a first address acquisition submodule, configured to call the function MmGetSystemRoutineAddress, which obtains a function address, to get the function address of the first defect detection function KeBugCheck used to detect system defects; and a second address acquisition submodule, configured to find the function address of the second defect detection function KeBugCheck2 from the function address of the first defect detection function KeBugCheck.
Further, the judging unit includes: a call stack module, configured to obtain, in the hook function NewKeBugCheck2, the first eight call stack entries by calling the call-stack function RtlWalkFrameChain; and a first judging module, configured to determine that a driver of the anti-virus security software triggered the blue screen if an address among the first eight call stack entries lies within a preset anti-virus security software driver address range.
Further, the unloading unit 3 includes: a counting module, configured to increment the global blue screen count variable by 1 when it is determined that the anti-virus security software triggered the blue screen; and an unloading module, configured to unload the anti-virus security software driver whose preset driver address range was hit when the blue screen count is greater than or equal to the preset value.
The device of this embodiment may be used to carry out the technical solution of the method embodiment shown in Fig. 1; its implementation principle and technical effect are similar and are not repeated here.
An embodiment of the present invention also provides electronic equipment. Fig. 4 is a schematic structural diagram of an embodiment of the electronic equipment of the present invention, which can implement the flow of the embodiment shown in Fig. 1. As shown in Fig. 4, the electronic equipment may include a housing 31, a processor 32, a memory 33, a circuit board 34 and a power supply circuit 35. The circuit board 34 is placed inside the space enclosed by the housing 31, and the processor 32 and the memory 33 are arranged on the circuit board 34; the power supply circuit 35 supplies power to each circuit or device of the electronic equipment; the memory 33 stores executable program code; and the processor 32 runs the program corresponding to the executable program code by reading the executable program code stored in the memory 33, in order to carry out the technical solution of the processing method for a blue screen triggered by anti-virus security software described in any of the foregoing embodiments. Its implementation principle and technical effect are similar and are not repeated here.
The electronic equipment exists in a variety of forms, including but not limited to:
(1) Mobile communication devices: these devices are characterized by mobile communication functions, with voice and data communication as their main purpose. Such terminals include smartphones (such as the iPhone), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: these devices belong to the category of personal computers, have computing and processing functions, and generally also have mobile Internet access. Such terminals include PDA, MID and UMPC devices, such as the iPad.
(3) Portable entertainment devices: these devices can display and play multimedia content. They include audio and video players (such as the iPod), handheld devices, e-book readers, smart toys and portable in-vehicle navigation devices.
(4) Servers: devices that provide computing services. A server consists of a processor, hard disk, memory, system bus and so on. Its architecture is similar to that of a general-purpose computer, but because it must provide highly reliable services, the requirements for processing capability, stability, reliability, security, scalability and manageability are higher.
(5) Other electronic devices with data interaction functions.
The embodiment of the present invention additionally provides a kind of storage medium, is used for storing application program, described application program
The processing method of blue screen is triggered for the anti-virus fail-safe software performed described in the aforementioned any embodiment of the present invention
The embodiment of the present invention additionally provides a kind of application program, is used for performing the present invention aforementioned any embodiment institute
The anti-virus fail-safe software stated triggers the processing method of blue screen.
It should be noted that in this article, the relational terms of such as first and second or the like be used merely to by
One entity or operation separate with another entity or operating space, and not necessarily require or imply these
Relation or the order of any this reality is there is between entity or operation.And, term " includes ", " bag
Contain " or its any other variant be intended to comprising of nonexcludability, so that include a series of key element
Process, method, article or equipment not only include those key elements, but also include being not expressly set out
Other key elements, or also include the key element intrinsic for this process, method, article or equipment.?
In the case of there is no more restriction, statement " including ... " key element limited, it is not excluded that at bag
Include and the process of described key element, method, article or equipment there is also other identical element.
The embodiment of the present invention hooks the kernel blue screen function and uses stack backtracing to determine the driver module that caused the blue screen. It can therefore accurately determine which driver module of the anti-virus security software is causing frequent blue screens, and accurately count the number of blue screens triggered by the anti-virus security software's driver. When the blue screen count reaches the preset value, loading of the driver of the anti-virus security software that triggered the blue screen is disabled, so that the user can use the computer normally and is not driven to reset the system. This improves the user experience, safeguards the load rate of the anti-virus security software, and does not affect the number of active users of the anti-virus security software.
A person of ordinary skill in the art will understand that all or part of the flows in the methods of the above embodiments can be implemented by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the flows of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), or the like.
The above is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any change or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (10)
1. A processing method for anti-virus security software triggering a blue screen, characterized by comprising:
creating a hook function that hooks a second defect detection function, the second defect detection function being used to detect a system defect and produce a blue screen;
determining whether a driver of the anti-virus security software triggered the blue screen;
when it is determined that the driver of the anti-virus security software triggered the blue screen and a preset blue screen count is reached, unloading the driver of the anti-virus security software that triggered the blue screen.
2. The method according to claim 1, characterized in that creating the hook function that hooks the second defect detection function comprises:
obtaining the function address of the second defect detection function, and saving a global original function address of the second defect detection function;
defining a hook function, the hook function calling the global original function address of the second defect detection function.
3. The method according to claim 1, characterized in that obtaining the function address of the second defect detection function comprises:
calling a function for obtaining function addresses to get the function address of a first defect detection function used to detect system defects;
finding the function address of the second defect detection function by means of the function address of the first defect detection function.
4. The method according to any one of claims 1-3, characterized in that determining whether a driver of the anti-virus security software triggered the blue screen comprises:
in the hook function, obtaining the first eight call stack entries by calling a function for obtaining the call stack;
if an address of the first eight call stack entries lies within a preset anti-virus security software driver address range, determining that the driver of the anti-virus security software triggered the blue screen.
5. The method according to claim 4, characterized in that, when it is determined that the driver of the anti-virus security software triggered the blue screen and the preset blue screen count is reached, unloading the driver of the anti-virus security software that triggered the blue screen comprises:
when it is determined that the anti-virus security software triggered the blue screen, incrementing the global blue screen count variable by 1;
when the blue screen count is greater than or equal to the preset blue screen count value, unloading the anti-virus security software driver whose preset anti-virus security software driver address range was hit.
6. A processing device for anti-virus security software triggering a blue screen, characterized by comprising:
a creating unit, configured to create a hook function that hooks a second defect detection function, the second defect detection function being used to detect a system defect and produce a blue screen;
a judging unit, configured to determine whether a driver of the anti-virus security software triggered the blue screen;
an unloading unit, configured to unload the driver of the anti-virus security software that triggered the blue screen when it is determined that the driver of the anti-virus security software triggered the blue screen and a preset blue screen count is reached.
7. The device according to claim 6, characterized in that the creating unit comprises:
an address acquisition module, configured to obtain the function address of the second defect detection function, and to save a global original function address of the second defect detection function;
an address calling module, configured to define a hook function, the hook function calling the global original function address of the second defect detection function.
8. The device according to claim 7, characterized in that the address acquisition module comprises:
a first address acquisition submodule, configured to call a function for obtaining function addresses to get the function address of a first defect detection function used to detect system defects;
a second address acquisition submodule, configured to find the function address of the second defect detection function by means of the function address of the first defect detection function.
9. The device according to any one of claims 6-8, characterized in that the judging unit comprises:
a call stack module, configured to obtain, in the hook function, the first eight call stack entries by calling a function for obtaining the call stack;
a first judging module, configured to determine that the driver of the anti-virus security software triggered the blue screen if an address of the first eight call stack entries lies within a preset anti-virus security software driver address range.
10. An electronic device, characterized in that the electronic device comprises: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit is used to supply power to each circuit or component of the electronic device; the memory is used to store executable program code; the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the following operations:
creating a hook function that hooks a second defect detection function, the second defect detection function being used to detect a system defect and produce a blue screen;
determining whether a driver of the anti-virus security software triggered the blue screen;
when it is determined that the driver of the anti-virus security software triggered the blue screen and a preset blue screen count is reached, unloading the driver of the anti-virus security software that triggered the blue screen.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610498058.2A CN105893102B (en) | 2016-06-29 | 2016-06-29 | A kind of processing method, device and the electronic equipment of anti-virus security software triggering blue screen |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610498058.2A CN105893102B (en) | 2016-06-29 | 2016-06-29 | A kind of processing method, device and the electronic equipment of anti-virus security software triggering blue screen |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105893102A (en) | 2016-08-24 |
CN105893102B (en) | 2019-11-12 |
Family
ID=56719487
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610498058.2A Active CN105893102B (en) | 2016-06-29 | 2016-06-29 | A kind of processing method, device and the electronic equipment of anti-virus security software triggering blue screen |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105893102B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109710324A (en) * | 2018-12-29 | 2019-05-03 | 360企业安全技术(珠海)有限公司 | Processing method and processing device that blue screen is shown, storage medium, terminal |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1704908A (en) * | 2004-05-26 | 2005-12-07 | 华为技术有限公司 | Method for locating program abnormity |
CN101599114A (en) * | 2009-06-17 | 2009-12-09 | 北京东方微点信息技术有限责任公司 | The method and system that the driving of Virus is positioned |
CN101719090A (en) * | 2009-12-25 | 2010-06-02 | 珠海市君天电子科技有限公司 | Method for automatically analyzing crash cause of computer software system |
CN103617396A (en) * | 2013-11-29 | 2014-03-05 | 杭州华三通信技术有限公司 | Detection method and system of vulnerability exploitation |
CN103888447A (en) * | 2014-03-03 | 2014-06-25 | 珠海市君天电子科技有限公司 | Method and device for checking and killing viruses |
CN105488398A (en) * | 2015-12-04 | 2016-04-13 | 北京航空航天大学 | Web application program behavior extraction method and malicious behavior detection method |
Non-Patent Citations (1)
Title |
---|
天国剑客: ""【转】VB小子玩转驱动程序(4):HOOK"", 《HTTP://BLOG.SINA.COM.CN/S/BLOG_66C999510100I37T.HTML》 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109710324A (en) * | 2018-12-29 | 2019-05-03 | 360企业安全技术(珠海)有限公司 | Processing method and processing device that blue screen is shown, storage medium, terminal |
CN109710324B (en) * | 2018-12-29 | 2022-04-22 | 奇安信安全技术(珠海)有限公司 | Processing method and device for blue screen display, storage medium and terminal |
Also Published As
Publication number | Publication date |
---|---|
CN105893102B (en) | 2019-11-12 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
TA01 | Transfer of patent application right |
Effective date of registration: 20190117 Address after: 519031 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province Applicant after: Zhuhai Leopard Technology Co.,Ltd. Address before: 100085 East District, Second Floor, 33 Xiaoying West Road, Haidian District, Beijing Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd. |
TA01 | Transfer of patent application right | ||
GR01 | Patent grant | ||
GR01 | Patent grant |