CN106203092A - Method and device for intercepting shutdown of malicious program and electronic equipment - Google Patents
- Authority: CN (China)
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/55—Detecting local intrusion or implementing counter-measures
            - G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
      - G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
          - G06F2221/034—Test or assess a computer or a system
Abstract
The embodiments of the invention disclose a method, a device and electronic equipment for intercepting the shutdown of a malicious program. The invention relates to the technical field of system security, is simple to implement and is not easily bypassed by a malicious program. The method comprises the following steps: monitoring, through a hook function, a shutdown local procedure call (LPC) message sent by an operation process, where the hook function hooks the kernel function that sends the shutdown LPC message; judging, through the hook function, whether the shutdown LPC message meets a preset interception condition; and if the shutdown LPC message meets the preset interception condition and the name of the operation process is contained in a preset malicious program process list, intercepting the shutdown LPC message through the hook function. The device and the electronic equipment are provided with corresponding modules for implementing the method. The method and the device are suitable for intercepting shutdown operations by malicious programs on electronic equipment.
Description
Technical field
The present invention relates to the technical field of system security, and in particular to a method, a device and electronic equipment for intercepting the shutdown of a malicious program.
Background technology
With the development of Internet technology, malicious programs such as viruses and Trojans emerge endlessly, and security software such as Kingsoft (Jinshan) antivirus must keep adapting in order to improve system security. When some malicious programs detect the presence of security software, or while the security software is terminating their process, they send a shutdown message to the system that makes the computer shut down, so the security software cannot easily kill the process of this kind of malicious program.
First, consider the flow by which a program (including a malicious program) sends a shutdown LPC (Local Procedure Call) message:
With the shutdown LPC message as a parameter, the program calls in turn the ntdll function that sends the LPC message and then the kernel-layer kernel function that sends the shutdown LPC message; the system then parses the shutdown LPC message and calls the kernel function of the shutdown function, which completes the computer shutdown. Here, ntdll is a basic module provided by Microsoft that implements some commonly used functions, such as reading and writing files and the registry, and runs in the application layer. LPC is the mechanism of communication between system subsystems and client processes; Windows has N subsystems that usually communicate over LPC, for example the process manager, service manager, I/O manager and memory manager subsystems.
In the prior art, malicious shutdown messages can be intercepted by hooking the kernel function of the shutdown function, which stops the malicious program from spreading and damaging the system. However, because the kernel function of the shutdown function sits at the bottom layer of the flow that transmits the shutdown LPC message, intercepting malicious shutdown commands by hooking it is complicated to implement and is easily bypassed by malicious programs.
Summary of the invention
In view of this, the embodiments of the present invention provide a method, a device and electronic equipment for intercepting the shutdown of a malicious program, to solve the problem that the existing approach of hooking the kernel function of the shutdown function to intercept malicious shutdown commands is complicated to implement and easily bypassed by malicious programs.
In a first aspect, an embodiment of the present invention provides a method for intercepting the shutdown of a malicious program, comprising:
monitoring, through a hook function, the shutdown LPC message sent by an operation process, where the hook function hooks the kernel function that sends the shutdown LPC message;
judging, through the hook function, whether the shutdown LPC message meets a predetermined interception condition;
if the shutdown LPC message meets the predetermined interception condition and the name of the operation process is contained in a preset malicious program process list, intercepting the shutdown LPC message through the hook function.
With reference to the first aspect, in a first embodiment of the first aspect, before monitoring through the hook function the shutdown LPC message sent by the operation process, the method further comprises:
querying a preset system service descriptor table to obtain the current address of the kernel function that sends the shutdown LPC message, and saving the obtained current address of that kernel function;
creating the hook function and obtaining the function address of the hook function;
in the system service descriptor table, updating the current address of the kernel function that sends the shutdown LPC message to the function address of the hook function.
With reference to the first aspect, in a second embodiment of the first aspect, the shutdown LPC message comprises: a target port handle value and an operation command value;
the predetermined interception condition comprises: a predetermined shutdown port handle value and a predetermined shutdown operation command value, where the predetermined shutdown port handle value is the handle value of the shutdown or restart port, and the predetermined shutdown operation command value comprises: shutdown and restart;
judging, through the hook function, whether the shutdown LPC message meets the predetermined interception condition comprises:
judging, through the hook function, whether the target port handle value in the shutdown LPC message is identical to the predetermined shutdown port handle value;
if it is identical to the predetermined shutdown port handle value, judging whether the operation command value in the shutdown LPC message is shutdown or restart;
if the operation command value in the shutdown LPC message is shutdown or restart, the shutdown LPC message meets the predetermined interception condition.
With reference to the first aspect, in a third embodiment of the first aspect, if the shutdown LPC message meets the predetermined interception condition and the name of the operation process is contained in the preset malicious program process list, intercepting the shutdown LPC message through the hook function comprises:
if the shutdown LPC message meets the predetermined interception condition, obtaining the installation path of the operation process through the hook function;
extracting the name of the operation process from the obtained installation path of the operation process;
querying the preset malicious program process list, and if the name of the operation process is contained in the preset malicious program process list, intercepting the shutdown LPC message.
With reference to the third embodiment of the first aspect, in a fourth embodiment of the first aspect, intercepting the shutdown LPC message comprises:
exiting the hook function without passing the shutdown LPC message on to the kernel function that sends the shutdown LPC message.
With reference to the first aspect, in a fifth embodiment of the first aspect, the method further comprises:
if the shutdown LPC message does not meet the predetermined interception condition, or the name of the operation process is not contained in the preset malicious program process list, passing the shutdown LPC message through the hook function to the kernel function that sends the shutdown LPC message.
With reference to the fifth embodiment of the first aspect, in a sixth embodiment of the first aspect, before the hook function passes the shutdown LPC message to the kernel function that sends the shutdown LPC message, the method further comprises:
in the system service descriptor table, updating the current address of the kernel function that sends the shutdown LPC message back to the saved original address of the kernel function that sends the shutdown LPC message.
With reference to the first aspect, or to any one of the first to sixth embodiments of the first aspect, in a seventh embodiment of the first aspect, the malicious program process list is an extensible malicious program process list.
In a second aspect, an embodiment of the present invention provides a device for intercepting the shutdown of a malicious program, comprising:
a monitoring module, for monitoring, through a hook function, the shutdown LPC message sent by an operation process, where the hook function hooks the kernel function that sends the shutdown LPC message;
a judging module, for judging, through the hook function, whether the shutdown LPC message meets a predetermined interception condition;
an intercepting module, for intercepting the shutdown LPC message through the hook function if the shutdown LPC message meets the predetermined interception condition and the name of the operation process is contained in a preset malicious program process list.
With reference to the second aspect, in a first embodiment of the second aspect, the device further comprises a hooking module, and the hooking module comprises:
a first acquiring unit, for querying a preset system service descriptor table to obtain the current address of the kernel function that sends the shutdown LPC message, and saving the obtained current address of that kernel function;
a second acquiring unit, for creating the hook function and obtaining the function address of the hook function;
an address updating unit, for updating, in the system service descriptor table, the current address of the kernel function that sends the shutdown LPC message to the function address of the hook function.
With reference to the second aspect, in a second embodiment of the second aspect, the shutdown LPC message comprises: a target port handle value and an operation command value;
the predetermined interception condition comprises: a predetermined shutdown port handle value and a predetermined shutdown operation command value, where the predetermined shutdown port handle value is the handle value of the shutdown or restart port, and the predetermined shutdown operation command value comprises: shutdown and restart;
the judging module comprises:
a first judging unit, for judging, through the hook function, whether the target port handle value in the shutdown LPC message is identical to the predetermined shutdown port handle value;
a second judging unit, for judging, if it is identical to the predetermined shutdown port handle value, whether the operation command value in the shutdown LPC message is shutdown or restart;
a message determining unit, for determining that the shutdown LPC message meets the predetermined interception condition if the operation command value in the shutdown LPC message is shutdown or restart.
With reference to the second aspect, in a third embodiment of the second aspect, the intercepting module comprises:
an acquiring unit, for obtaining the installation path of the operation process through the hook function if the shutdown LPC message meets the predetermined interception condition;
an extracting unit, for extracting the name of the operation process from the obtained installation path of the operation process;
an intercepting unit, for querying the preset malicious program process list, and intercepting the shutdown LPC message if the name of the operation process is contained in the preset malicious program process list.
With reference to the third embodiment of the second aspect, in a fourth embodiment of the second aspect, the intercepting unit is specifically for exiting the hook function without passing the shutdown LPC message on to the kernel function that sends the shutdown LPC message.
With reference to the second aspect, in a fifth embodiment of the second aspect, the intercepting module is further for passing the shutdown LPC message through the hook function to the kernel function that sends the shutdown LPC message if the shutdown LPC message does not meet the predetermined interception condition, or the name of the operation process is not contained in the preset malicious program process list.
With reference to the fifth embodiment of the second aspect, in a sixth embodiment of the second aspect, the intercepting module is further for updating, in the system service descriptor table, the current address of the kernel function that sends the shutdown LPC message back to the saved original address of the kernel function that sends the shutdown LPC message.
With reference to the second aspect, or to any one of the first to sixth embodiments of the second aspect, in a seventh embodiment of the second aspect, the malicious program process list is an extensible malicious program process list.
In a third aspect, an embodiment of the present invention provides electronic equipment comprising: a housing, a processor, a memory, a circuit board and a power supply circuit, where the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic equipment; the memory stores executable program code; and the processor, by reading the executable program code stored in the memory, runs the program corresponding to that code in order to perform any of the above methods for intercepting the shutdown of a malicious program.
In the method, device and electronic equipment for intercepting the shutdown of a malicious program provided by the embodiments of the present invention, a hook function monitors the shutdown LPC message sent by an operation process, where the hook function hooks the kernel function that sends the shutdown LPC message; the hook function judges whether the shutdown LPC message meets a predetermined interception condition; and if the shutdown LPC message meets the predetermined interception condition and the name of the operation process is contained in a preset malicious program process list, the hook function intercepts the shutdown LPC message. In this way, a hook function that hooks the kernel function sending the shutdown LPC message intercepts the shutdown LPC messages that meet the predetermined interception condition and are sent by a malicious operation process. Because the kernel function that sends the shutdown LPC message sits above the kernel function of the shutdown function, the implementation is relatively simple, stable and hard for a malicious program to bypass, which helps maintain system security.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of the method for intercepting the shutdown of a malicious program according to an embodiment of the invention;
Fig. 2 is a detailed schematic flow chart of the method for intercepting the shutdown of a malicious program according to an embodiment of the invention;
Fig. 3 is a schematic structural diagram of the device for intercepting the shutdown of a malicious program according to an embodiment of the invention;
Fig. 4 is a schematic structural diagram of an embodiment of the electronic equipment of the present invention.
Detailed description of the invention
The embodiments of the present invention are described in detail below with reference to the drawings.
It should be understood that the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a schematic flow chart of the method for intercepting the shutdown of a malicious program according to an embodiment of the invention. As shown in Fig. 1, the method of this embodiment may comprise:
Step 101: monitor, through a hook function, the shutdown LPC message sent by an operation process, where the hook function hooks the kernel function that sends the shutdown LPC message.
In this embodiment, because the hook function monitors the shutdown LPC message sent by the operation process, the flow by which the operation process sends the shutdown LPC message becomes:
the operation process, with the shutdown LPC message as parameter -> calls the ntdll function that sends the shutdown LPC message -> the hook function provided by this embodiment -> the kernel-layer kernel function that sends the shutdown LPC message -> the system parses the shutdown LPC message and calls the kernel function of the shutdown function, which completes the computer shutdown.
In this embodiment, assume that the ntdll function that sends the shutdown LPC message is ntdll's NtAlpcSendWaitReceivePort function; the hook function provided by this embodiment is the NewNtAlpcSendWaitReceivePort function; the kernel-layer kernel function that sends the shutdown LPC message is the kernel-layer NtAlpcSendWaitReceivePort function; and the kernel function of the shutdown function is the NtShutdownSystem function.
In this embodiment, it can be seen from the flow by which the operation process sends the shutdown LPC message that hooking either the kernel-layer kernel function NtAlpcSendWaitReceivePort or the kernel function NtShutdownSystem can intercept malicious shutdown LPC messages. However, when the hook function hooks the kernel-layer kernel function NtAlpcSendWaitReceivePort to intercept malicious shutdown LPC messages, the kernel function NtAlpcSendWaitReceivePort that sends the shutdown LPC message sits above the shutdown function's kernel function NtShutdownSystem, so the implementation is relatively simple and the interception of malicious shutdown LPC messages can be achieved more easily and more stably.
In this embodiment, the steps by which the hook function NewNtAlpcSendWaitReceivePort hooks the kernel-layer kernel function NtAlpcSendWaitReceivePort comprise:
querying the preset System Services Descriptor Table (SSDT) in the system to obtain the current address of the kernel function NtAlpcSendWaitReceivePort that sends the shutdown LPC message, and saving the obtained current address; creating the hook function NewNtAlpcSendWaitReceivePort and obtaining the function address of the hook function; and, in the system service descriptor table, updating the current address of the kernel function NtAlpcSendWaitReceivePort that sends the shutdown LPC message to the function address of the hook function NewNtAlpcSendWaitReceivePort, thereby achieving the hook by the NewNtAlpcSendWaitReceivePort function.
In this embodiment, as an alternative embodiment, before monitoring through the hook function the shutdown LPC message sent by the operation process, the method further comprises:
querying the preset system service descriptor table to obtain the current address of the kernel function that sends the shutdown LPC message, and saving the obtained current address of that kernel function;
creating the hook function and obtaining the function address of the hook function;
in the system service descriptor table, updating the current address of the kernel function that sends the shutdown LPC message to the function address of the hook function.
Step 102: judge, through the hook function, whether the shutdown LPC message meets the predetermined interception condition.
In this embodiment, the shutdown LPC message comprises at least: the target port handle value and the operation command value.
In this embodiment, the predetermined interception condition comprises: a predetermined shutdown port handle value and a predetermined shutdown operation command value, where the predetermined shutdown port handle value is the handle value of the shutdown or restart port; the handle value of the shutdown port may be the same as or different from the handle value of the restart port, and both are referred to as the shutdown port handle value; the predetermined shutdown operation command value comprises: shutdown and restart.
In this embodiment, the hook function NewNtAlpcSendWaitReceivePort judges whether the shutdown LPC message meets the predetermined interception condition.
Step 103: if the shutdown LPC message meets the predetermined interception condition and the name of the operation process is contained in the preset malicious program process list, intercept the shutdown LPC message through the hook function.
In this embodiment, when the shutdown LPC message meets the predetermined interception condition, the hook function NewNtAlpcSendWaitReceivePort must further judge whether the operation process is a malicious program. Specifically, a kernel function such as ZwQueryInformationProcess can be called to obtain the installation path of the operation process, e.g. C:\windows\system32\av2.exe; the name of the operation process, e.g. av2.exe, is extracted from the obtained installation path; then the preset malicious program process list is queried, and if the name of the operation process is contained in the preset malicious program process list, the shutdown LPC message is intercepted.
In this embodiment, as an alternative embodiment, if the shutdown LPC message meets the predetermined interception condition and the name of the operation process is contained in the preset malicious program process list, intercepting the shutdown LPC message through the hook function comprises:
if the shutdown LPC message meets the predetermined interception condition, obtaining the installation path of the operation process through the hook function;
extracting the name of the operation process from the obtained installation path of the operation process;
querying the preset malicious program process list, and if the name of the operation process is contained in the preset malicious program process list, intercepting the shutdown LPC message.
In this embodiment, a shutdown LPC message is also sent when the system shuts down or restarts normally, so the preset malicious program process list must not contain system processes such as CSRSS_EXE, SMSS_EXE, LSASS_EXE and WINLOGON_EXE. The preset malicious program process list may contain the names of known malicious shutdown processes, for example av2.exe, ad2.exe and kei3.exe. As another alternative embodiment, the malicious program process list is an extensible malicious program process list, so that the user can update it according to the actual situation.
In this embodiment, when the shutdown LPC message sent by the operation process meets the predetermined interception condition and the name of the operation process is contained in the preset malicious program process list, the hook function NewNtAlpcSendWaitReceivePort intercepts the shutdown LPC message: it exits the hook function NewNtAlpcSendWaitReceivePort without going on to execute the kernel function NtAlpcSendWaitReceivePort, so the shutdown LPC message fails to be sent and the operation of shutting down the computer fails.
In this embodiment, as yet another alternative embodiment, intercepting the shutdown LPC message comprises:
exiting the hook function without passing the shutdown LPC message on to the kernel function that sends the shutdown LPC message.
In this embodiment, if the shutdown LPC message sent by the operation process does not meet the predetermined interception condition, or the name of the operation process is not contained in the preset malicious program process list, the hook function NewNtAlpcSendWaitReceivePort may proceed to call and execute the kernel function NtAlpcSendWaitReceivePort; the shutdown LPC message is sent successfully and the operation of shutting down the computer succeeds.
In this embodiment, as another alternative embodiment, the method further comprises:
if the shutdown LPC message does not meet the predetermined interception condition, or the name of the operation process is not contained in the preset malicious program process list, passing the shutdown LPC message through the hook function to the kernel function that sends the shutdown LPC message.
In this embodiment, so that the hook function NewNtAlpcSendWaitReceivePort can pass the shutdown LPC message to the kernel function NtAlpcSendWaitReceivePort, before the hook function NewNtAlpcSendWaitReceivePort calls and executes the kernel function NtAlpcSendWaitReceivePort, the current address of the kernel function that sends the shutdown LPC message in the system service descriptor table needs to be updated back to the saved original address of the kernel function that sends the shutdown LPC message.
In this embodiment, as yet another alternative embodiment, before the hook function passes the shutdown LPC message to the kernel function that sends the shutdown LPC message, the method further comprises:
in the system service descriptor table, updating the current address of the kernel function that sends the shutdown LPC message back to the saved original address of the kernel function that sends the shutdown LPC message.
In the method for intercepting the shutdown of a malicious program provided by this embodiment of the present invention, a hook function monitors the shutdown LPC message sent by an operation process, where the hook function hooks the kernel function that sends the shutdown LPC message; the hook function judges whether the shutdown LPC message meets a predetermined interception condition; and if the shutdown LPC message meets the predetermined interception condition and the name of the operation process is contained in a preset malicious program process list, the hook function intercepts the shutdown LPC message. In this way, a hook function that hooks the kernel function sending the shutdown LPC message intercepts the shutdown LPC messages that meet the predetermined interception condition and are sent by a malicious operation process. Because the kernel function that sends the shutdown LPC message sits above the kernel function of the shutdown function, the implementation is relatively simple, stable and hard for a malicious program to bypass, which helps maintain system security.
Fig. 2 is a detailed schematic flow chart of the method for intercepting the shutdown of a malicious program according to an embodiment of the invention. As shown in Fig. 2, the method of this embodiment may comprise:
Step 201: monitor, through a hook function, the shutdown LPC message sent by an operation process, where the hook function hooks the kernel function that sends the shutdown LPC message.
In this embodiment, the process of step 201 is similar to step 101 of the above method embodiment and is not repeated here.
Step 202: judge, through the hook function, whether the target port handle value in the shutdown LPC message is identical to the predetermined shutdown port handle value.
In this embodiment, the shutdown LPC message comprises at least: the target port handle value and the operation command value.
In this embodiment, when an operation process sends a shutdown LPC message, execution enters the hook function NewNtAlpcSendWaitReceivePort. One parameter in the parameter list of the hook function NewNtAlpcSendWaitReceivePort is the target port handle parameter, which receives the target port handle value of the shutdown LPC message. The hook function NewNtAlpcSendWaitReceivePort calls a specified kernel function, for example ObReferenceObjectByName, to obtain the predetermined shutdown port handle value; if the shutdown port handle value returned by the function ObReferenceObjectByName is identical to the target port handle value in the parameter, the operation process is sending the shutdown LPC message to the shutdown port, and execution continues with step 203.
In the present embodiment, the predetermined shutdown port handle value is part of the predetermined interception condition, which further includes a predetermined shutdown operation command value. The predetermined shutdown port handle value is the handle value of the shutdown or restart port; the handle value of the shutdown port may be the same as or different from the handle value of the restart port, and the two are collectively referred to as the shutdown port handle value. The predetermined shutdown operation command value includes shutdown and restart.
Step 203: if identical to the predetermined shutdown port handle value, determine whether the operation command value in the shutdown LPC message is shutdown or restart.
In the present embodiment, the parameter list of the hook function NewNtAlpcSendWaitReceivePort also contains a data structure of type PPORT_MESSAGE, that is, the data structure sent to the shutdown port. This data structure has a pData member pointer that points to a structure of type PSHUTDOWN_WINDOW_MESSAGE; PSHUTDOWN_WINDOW_MESSAGE is the data structure of the shutdown LPC message and contains an operation command value member, which receives the operation command value in the shutdown LPC message.
In the present embodiment, if the operation process is sending a shutdown LPC message to the shutdown port, it is further determined whether the operation command value in the shutdown LPC message is the predetermined shutdown or restart operation command value.
Step 204: if the operation command value in the shutdown LPC message is shutdown or restart, the shutdown LPC message meets the predetermined interception condition.
In the present embodiment, if the operation command value received in the PSHUTDOWN_WINDOW_MESSAGE data structure equals SHUTDOWN_PORT_ID (shutdown) or RESTART_PORT_ID (restart), the shutdown LPC message meets the predetermined interception condition, and execution continues with step 205.
Step 205: if the shutdown LPC message meets the predetermined interception condition and the name of the operation process is included in a preset malicious program process list, intercept the shutdown LPC message by the hook function.
In the present embodiment, step 205 is similar to step 103 of the method embodiment above and is not repeated here.
The method for intercepting a malicious program shutdown provided by the embodiment of the present invention monitors, by a hook function, a shutdown LPC message sent by an operation process, where the hook function hooks the kernel function that sends the shutdown LPC message; determines, by the hook function, whether the shutdown LPC message meets a predetermined interception condition; and, if the shutdown LPC message meets the predetermined interception condition and the name of the operation process is included in a preset malicious program process list, intercepts the shutdown LPC message by the hook function. In this way, the hook function that hooks the kernel function sending the shutdown LPC message intercepts shutdown LPC messages that meet the predetermined interception condition and are sent by a malicious operation process. Because the kernel function that sends the shutdown LPC message sits above the kernel function of the shutdown function, the implementation is relatively simple, stable, and difficult for a malicious program to bypass, which helps maintain system security.
Fig. 3 is a schematic structural diagram of an apparatus for intercepting a malicious program shutdown according to the present invention. As shown in Fig. 3, the apparatus of this embodiment may include a monitoring module 11, a judging module 12 and an interception module 13, where:
The monitoring module 11 is configured to monitor, by a hook function, a shutdown LPC message sent by an operation process, where the hook function hooks the kernel function that sends the shutdown LPC message.
In the present embodiment, when the shutdown LPC message sent by an operation process is monitored by the hook function, the flow by which the operation process sends the shutdown LPC message is as follows: the operation process, with the shutdown LPC message as a parameter -> calls the function of the ntdll module that sends the shutdown LPC message -> the hook function provided by this embodiment -> the kernel-layer kernel function that sends the shutdown LPC message -> the system parses the shutdown LPC message and calls the kernel function of the shutdown function, thereby completing the computer shutdown operation.
In the present embodiment, it is assumed that the function of the ntdll module that sends the shutdown LPC message is the NtAlpcSendWaitReceivePort function of the ntdll module; the hook function provided by this embodiment is the NewNtAlpcSendWaitReceivePort function; the kernel-layer kernel function that sends the shutdown LPC message is the kernel-layer NtAlpcSendWaitReceivePort function; and the kernel function of the shutdown function is the NtShutdownSystem function.
In the present embodiment, as can be seen from the flow by which an operation process sends a shutdown LPC message, hooking either the kernel-layer kernel function NtAlpcSendWaitReceivePort or the kernel function NtShutdownSystem can intercept malicious shutdown LPC messages. However, when the hook function hooks the kernel-layer kernel function NtAlpcSendWaitReceivePort to intercept malicious shutdown LPC messages, because the kernel function NtAlpcSendWaitReceivePort that sends the shutdown LPC message sits above the kernel function NtShutdownSystem of the shutdown function, the implementation is relatively simple, and the interception of malicious shutdown LPC messages can be achieved more easily and more stably.
In the present embodiment, the hooking of the kernel-layer kernel function NtAlpcSendWaitReceivePort by the hook function NewNtAlpcSendWaitReceivePort can be realized by a hooking module.
In the present embodiment, as an alternative embodiment, the apparatus further includes a hooking module, and the hooking module includes:
A first acquiring unit, configured to query a preset system service descriptor table, obtain the current address of the kernel function that sends the shutdown LPC message, and save the obtained current address of the kernel function that sends the shutdown LPC message;
A second acquiring unit, configured to create a hook function and obtain the function address of the hook function;
An address updating unit, configured to update, in the system service descriptor table, the current address of the kernel function that sends the shutdown LPC message to the function address of the hook function.
In the present embodiment, the steps by which the hook function NewNtAlpcSendWaitReceivePort hooks the kernel-layer kernel function NtAlpcSendWaitReceivePort include: querying the preset system service descriptor table (System Services Descriptor Table, SSDT), obtaining the current address of the kernel function NtAlpcSendWaitReceivePort that sends the shutdown LPC message, and saving the obtained current address; creating the hook function NewNtAlpcSendWaitReceivePort and obtaining the function address of the hook function; and updating, in the system service descriptor table, the current address of the kernel function NtAlpcSendWaitReceivePort that sends the shutdown LPC message to the function address of the hook function NewNtAlpcSendWaitReceivePort, thereby completing the hook by the NewNtAlpcSendWaitReceivePort function.
The judging module 12 is configured to determine, by the hook function, whether the shutdown LPC message meets the predetermined interception condition.
In the present embodiment, the shutdown LPC message includes at least a target port handle value and an operation command value.
In the present embodiment, the predetermined interception condition includes a predetermined shutdown port handle value and a predetermined shutdown operation command value. The predetermined shutdown port handle value is the handle value of the shutdown or restart port; the handle value of the shutdown port may be the same as or different from the handle value of the restart port, and the two are collectively referred to as the shutdown port handle value. The predetermined shutdown operation command value includes shutdown and restart.
In the present embodiment, whether the shutdown LPC message meets the predetermined interception condition is determined by the hook function NewNtAlpcSendWaitReceivePort.
In the present embodiment, the judging module 12 includes a first judging unit, a second judging unit and a message determining unit, where:
The first judging unit is configured to determine, by the hook function, whether the target port handle value in the shutdown LPC message is identical to the predetermined shutdown port handle value.
In the present embodiment, when an operation process sends a shutdown LPC message, execution enters the hook function NewNtAlpcSendWaitReceivePort. One parameter in the parameter list of the hook function NewNtAlpcSendWaitReceivePort is the target port handle parameter, which receives the handle value of the target port in the shutdown LPC message. The hook function NewNtAlpcSendWaitReceivePort calls a designated kernel function, for example ObReferenceObjectByName, to obtain the predetermined shutdown port handle value. If the shutdown port handle value returned by the function ObReferenceObjectByName is identical to the target port handle value in the parameter, the operation process is sending a shutdown LPC message to the shutdown port.
The second judging unit is configured to determine, if identical to the predetermined shutdown port handle value, whether the operation command value in the shutdown LPC message is shutdown or restart.
In the present embodiment, the parameter list of the hook function NewNtAlpcSendWaitReceivePort also contains a data structure of type PPORT_MESSAGE, that is, the data structure sent to the shutdown port. This data structure has a pData member pointer that points to a structure of type PSHUTDOWN_WINDOW_MESSAGE; PSHUTDOWN_WINDOW_MESSAGE is the data structure of the shutdown LPC message and contains an operation command value member, which receives the operation command value in the shutdown LPC message.
In the present embodiment, if the operation process is sending a shutdown LPC message to the shutdown port, it is further determined whether the operation command value in the shutdown LPC message is the predetermined shutdown or restart operation command value.
The message determining unit is configured to determine that the shutdown LPC message meets the predetermined interception condition if the operation command value in the shutdown LPC message is shutdown or restart.
In the present embodiment, if the operation command value received in the PSHUTDOWN_WINDOW_MESSAGE data structure equals SHUTDOWN_PORT_ID (shutdown) or RESTART_PORT_ID (restart), the shutdown LPC message meets the predetermined interception condition.
The interception module 13 is configured to intercept the shutdown LPC message by the hook function if the shutdown LPC message meets the predetermined interception condition and the name of the operation process is included in the preset malicious program process list.
In the present embodiment, when the shutdown LPC message meets the predetermined interception condition, the hook function NewNtAlpcSendWaitReceivePort further needs to determine whether the operation process is a malicious program. Specifically, a kernel function such as ZwQueryInformationProcess can be called to obtain the installation path of the operation process, for example C:\windows\system32\av2.exe; the name of the operation process, for example av2.exe, is extracted from the obtained installation path; then the preset malicious program process list is queried, and if the name of the operation process is included in the preset malicious program process list, the shutdown LPC message is intercepted.
In the present embodiment, as an alternative embodiment, the interception module 13 includes:
An acquiring unit, configured to obtain the installation path of the operation process by the hook function if the shutdown LPC message meets the predetermined interception condition;
An extraction unit, configured to extract the name of the operation process from the obtained installation path of the operation process;
An interception unit, configured to query the preset malicious program process list and, if the name of the operation process is included in the preset malicious program process list, intercept the shutdown LPC message.
In the present embodiment, a shutdown LPC message is also sent when the system shuts down or restarts normally, so the preset malicious program process list must not contain system processes such as CSRSS_EXE, SMSS_EXE, LSASS_EXE and WINLOGON_EXE. The preset malicious program process list may include the names of known malicious shutdown processes, for example av2.exe, ad2.exe, kei3.exe and so on. As another alternative embodiment, the malicious program process list is an extensible malicious program process list, so that the user can update the malicious program process list according to actual conditions.
In the present embodiment, when the shutdown LPC message sent by an operation process meets the predetermined interception condition and the name of the operation process is included in the preset malicious program process list, the hook function NewNtAlpcSendWaitReceivePort intercepts the shutdown LPC message: the hook function NewNtAlpcSendWaitReceivePort exits without continuing to execute the kernel function NtAlpcSendWaitReceivePort, so the shutdown LPC message fails to be sent and the operation to shut down the computer fails.
In the present embodiment, as yet another alternative embodiment, the interception unit is specifically configured to exit the hook function without sending the shutdown LPC message to the kernel function that sends the shutdown LPC message.
In the present embodiment, if the shutdown LPC message sent by the operation process does not meet the predetermined interception condition, or the name of the operation process is not included in the preset malicious program process list, the hook function NewNtAlpcSendWaitReceivePort continues to call the kernel function NtAlpcSendWaitReceivePort, the shutdown LPC message is sent successfully, and the operation to shut down the computer succeeds.
In the present embodiment, as another alternative embodiment, the interception module 13 is further configured to send, by the hook function, the shutdown LPC message to the kernel function that sends the shutdown LPC message if the shutdown LPC message does not meet the predetermined interception condition, or the name of the operation process is not included in the preset malicious program process list.
In the present embodiment, so that the hook function NewNtAlpcSendWaitReceivePort can pass the shutdown LPC message to the kernel function NtAlpcSendWaitReceivePort, before the hook function NewNtAlpcSendWaitReceivePort calls the kernel function NtAlpcSendWaitReceivePort, the current address of the kernel function that sends the shutdown LPC message in the system service descriptor table needs to be updated to the saved original address of the kernel function that sends the shutdown LPC message.
In the present embodiment, as yet another alternative embodiment, the interception module 13 is further configured to update, in the system service descriptor table, the current address of the kernel function that sends the shutdown LPC message to the saved original address of the kernel function that sends the shutdown LPC message.
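As an added illustration that is not code from the patent, the following C program models steps 201 to 205 and the hooking and interception modules above in user mode: a one-slot function-pointer table stands in for the SSDT, the message layout mirrors PPORT_MESSAGE -> pData -> PSHUTDOWN_WINDOW_MESSAGE, and the command IDs, the shutdown port handle value and the NTSTATUS codes are constructed placeholders. The pass-through branch calls the saved original address directly rather than rewriting the table entry first, which is a simplification of the page's approach.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins. The real command IDs and the kernel's shutdown-port
 * handle (obtained via ObReferenceObjectByName on Windows) are not on the page. */
#define SHUTDOWN_PORT_ID      0x01u
#define RESTART_PORT_ID       0x02u
#define SHUTDOWN_PORT_HANDLE  ((uintptr_t)0x1234)

typedef int NTSTATUS;
#define STATUS_SUCCESS        0
#define STATUS_ACCESS_DENIED  (-1)   /* constructed value meaning "message not sent" */

/* Model of PPORT_MESSAGE whose pData points at a PSHUTDOWN_WINDOW_MESSAGE. */
typedef struct { uint32_t command; } SHUTDOWN_WINDOW_MESSAGE;
typedef struct { SHUTDOWN_WINDOW_MESSAGE *pData; } PORT_MESSAGE;

/* Caller context; in the kernel the image path would come from ZwQueryInformationProcess. */
typedef struct { const char *image_path; } CALLER;

/* Simplified common signature for the kernel function and its hook. */
typedef NTSTATUS (*SendWaitReceiveFn)(uintptr_t port, PORT_MESSAGE *msg, const CALLER *caller);

/* One-slot model of the SSDT plus the saved original entry. */
enum { SSDT_NTALPC = 0, SSDT_SLOTS = 1 };
static SendWaitReceiveFn g_ssdt[SSDT_SLOTS];
static SendWaitReceiveFn g_saved_original;
static int g_delivered;              /* how many messages reached the "kernel" */

/* Stand-in for kernel NtAlpcSendWaitReceivePort: every message it sees is delivered. */
static NTSTATUS OriginalNtAlpcSendWaitReceivePort(uintptr_t port, PORT_MESSAGE *msg, const CALLER *caller) {
    (void)port; (void)msg; (void)caller;
    g_delivered++;
    return STATUS_SUCCESS;
}

/* Preset deny-list (names from the page). System processes such as winlogon.exe
 * that legitimately send shutdown messages must never be listed here. */
static const char *const g_malicious[] = { "av2.exe", "ad2.exe", "kei3.exe" };

static const char *image_name(const char *path) {       /* extraction unit */
    const char *last = path;
    for (const char *p = path; *p; ++p)
        if (*p == '\\' || *p == '/') last = p + 1;
    return last;
}

static bool name_eq_nocase(const char *a, const char *b) {
    for (; *a && *b; ++a, ++b)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

static bool is_listed_malicious(const char *name) {     /* interception unit lookup */
    for (size_t i = 0; i < sizeof g_malicious / sizeof g_malicious[0]; ++i)
        if (name_eq_nocase(name, g_malicious[i])) return true;
    return false;
}

/* Steps 202-204: target port is the shutdown port AND command is shutdown/restart. */
static bool meets_intercept_condition(uintptr_t port, const PORT_MESSAGE *msg) {
    if (port != SHUTDOWN_PORT_HANDLE) return false;
    if (msg == NULL || msg->pData == NULL) return false;
    uint32_t cmd = msg->pData->command;
    return cmd == SHUTDOWN_PORT_ID || cmd == RESTART_PORT_ID;
}

/* Hook: step 205 blocks listed callers; everything else goes to the saved original. */
static NTSTATUS NewNtAlpcSendWaitReceivePort(uintptr_t port, PORT_MESSAGE *msg, const CALLER *caller) {
    if (meets_intercept_condition(port, msg) && is_listed_malicious(image_name(caller->image_path)))
        return STATUS_ACCESS_DENIED;            /* exit without forwarding */
    return g_saved_original(port, msg, caller);
}

static void reset_table(void) { g_ssdt[SSDT_NTALPC] = OriginalNtAlpcSendWaitReceivePort; g_delivered = 0; }
static void install_hook(void) { g_saved_original = g_ssdt[SSDT_NTALPC]; g_ssdt[SSDT_NTALPC] = NewNtAlpcSendWaitReceivePort; }
static void remove_hook(void)  { g_ssdt[SSDT_NTALPC] = g_saved_original; }

/* Simulate an operation process sending one message through the current SSDT slot. */
static NTSTATUS simulate_send(uint32_t command, uintptr_t port, const char *image_path) {
    SHUTDOWN_WINDOW_MESSAGE body = { command };
    PORT_MESSAGE msg = { &body };
    CALLER caller = { image_path };
    return g_ssdt[SSDT_NTALPC](port, &msg, &caller);
}

int main(void) {
    reset_table();
    install_hook();
    printf("av2.exe shutdown  -> %d\n", simulate_send(SHUTDOWN_PORT_ID, SHUTDOWN_PORT_HANDLE, "C:\\windows\\system32\\av2.exe"));
    printf("winlogon shutdown -> %d\n", simulate_send(SHUTDOWN_PORT_ID, SHUTDOWN_PORT_HANDLE, "C:\\Windows\\System32\\winlogon.exe"));
    printf("av2.exe other cmd -> %d\n", simulate_send(0x7Fu, SHUTDOWN_PORT_HANDLE, "av2.exe"));
    remove_hook();
    return 0;
}
```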
The apparatus for intercepting a malicious program shutdown provided by this embodiment monitors, by a hook function, a shutdown LPC message sent by an operation process, where the hook function hooks the kernel function that sends the shutdown LPC message; determines, by the hook function, whether the shutdown LPC message meets a predetermined interception condition; and, if the shutdown LPC message meets the predetermined interception condition and the name of the operation process is included in a preset malicious program process list, intercepts the shutdown LPC message by the hook function. In this way, the hook function that hooks the kernel function sending the shutdown LPC message intercepts shutdown LPC messages that meet the predetermined interception condition and are sent by a malicious operation process. Because the kernel function that sends the shutdown LPC message sits above the kernel function of the shutdown function, the implementation is relatively simple, stable, and difficult for a malicious program to bypass, which helps maintain system security.
It should be noted that, in this document, relational terms such as first and second are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
Each embodiment in this specification is described in a related manner; for the same or similar parts between embodiments, reference may be made to one another, and each embodiment focuses on its differences from the other embodiments.
Since the apparatus embodiment is substantially similar to the method embodiment, it is described relatively briefly; for relevant parts, refer to the description of the method embodiment.
The logic and/or steps represented in the flowcharts or otherwise described herein may, for example, be considered a sequenced list of executable instructions for implementing logical functions, and may be embodied in any computer-readable medium for use by, or in connection with, an instruction execution system, apparatus or device (such as a computer-based system, a system including a processor, or another system that can fetch instructions from the instruction execution system, apparatus or device and execute them). For the purposes of this specification, a "computer-readable medium" may be any apparatus that can contain, store, communicate, propagate or transport a program for use by, or in connection with, an instruction execution system, apparatus or device. More specific examples (a non-exhaustive list) of the computer-readable medium include: an electrical connection with one or more wires (electronic device), a portable computer diskette (magnetic device), a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer-readable medium may even be paper or another suitable medium on which the program is printed, since the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or otherwise processing it as necessary, and then stored in a computer memory.
It should be understood that each part of the present invention may be implemented by hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be implemented by software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or a combination of the following technologies well known in the art may be used: a discrete logic circuit having logic gate circuits for implementing logic functions on data signals, an application-specific integrated circuit having suitable combinational logic gate circuits, a programmable gate array (PGA), a field programmable gate array (FPGA), and so on.
An embodiment of the present invention also provides an electronic device. Fig. 4 is a schematic structural diagram of an embodiment of the electronic device of the present invention, which can implement the flows of the embodiments shown in Figs. 1-3 of the present invention. As shown in Fig. 4, the electronic device may include a housing 41, a processor 42, a memory 43, a circuit board 44 and a power supply circuit 45, where the circuit board 44 is placed inside the space enclosed by the housing 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; the power supply circuit 45 is configured to supply power to each circuit or device of the electronic device; the memory 43 is configured to store executable program code; and the processor 42 runs the program corresponding to the executable program code by reading the executable program code stored in the memory 43, so as to perform the method for intercepting a malicious program shutdown described in any of the foregoing embodiments.
For the specific execution of the above steps by the processor 42, and for the further steps performed by the processor 42 by running the executable program code, reference may be made to the description of the embodiments shown in Figs. 1-3 of the present invention, which is not repeated here.
This electronic device exists in various forms, including but not limited to:
(1) Mobile communication devices: such devices are characterized by mobile communication functions, with voice and data communication as the main goal. This type of terminal includes smartphones (such as the iPhone), multimedia phones, feature phones, low-end phones and so on.
(2) Ultra-mobile personal computer devices: such devices belong to the category of personal computers, have computing and processing functions, and generally also have mobile Internet access. This type of terminal includes PDA, MID and UMPC devices, such as the iPad.
(3) Portable entertainment devices: such devices can display and play multimedia content. This type of device includes audio and video players (such as the iPod), handheld game consoles, e-book readers, smart toys and portable in-vehicle navigation devices.
(4) Servers: devices that provide computing services. A server consists of a processor, hard disk, memory, system bus and so on; its architecture is similar to that of a general-purpose computer, but because it needs to provide highly reliable services, it has higher requirements in processing capability, stability, reliability, security, scalability and manageability.
(5) Other electronic devices with data interaction functions.
Those skilled in the art will appreciate that all or part of the steps carried by the method of the above embodiments can be completed by a program instructing relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, includes one or a combination of the steps of the method embodiments.
For convenience of description, the above apparatus is described by dividing it into various units/modules by function. Of course, when implementing the present invention, the functions of the units/modules may be realized in one or more pieces of software and/or hardware.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention may be implemented by software plus a necessary general-purpose hardware platform. Based on such understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, may be embodied in the form of a software product; this computer software product may be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the embodiments, or in parts of the embodiments, of the present invention.
Those of ordinary skill in the art will understand that all or part of the flows of the methods of the above embodiments may be completed by a computer program instructing relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the flows of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM) or the like.
The above is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any change or replacement that can readily be conceived by those familiar with the art within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the scope of the claims.
Claims (10)
1. A method for intercepting a malicious program shutdown, characterized by comprising:
monitoring, by a hook function, a shutdown LPC message sent by an operation process, where the hook function hooks the kernel function that sends the shutdown LPC message;
determining, by the hook function, whether the shutdown LPC message meets a predetermined interception condition;
if the shutdown LPC message meets the predetermined interception condition and the name of the operation process is included in a preset malicious program process list, intercepting the shutdown LPC message by the hook function.
2. The method for intercepting a malicious program shutdown according to claim 1, characterized in that, before monitoring by the hook function the shutdown LPC message sent by the operation process, the method further comprises:
querying a preset system service descriptor table, obtaining the current address of the kernel function that sends the shutdown LPC message, and saving the obtained current address of the kernel function that sends the shutdown LPC message;
creating the hook function and obtaining the function address of the hook function;
updating, in the system service descriptor table, the current address of the kernel function that sends the shutdown LPC message to the function address of the hook function.
3. The method for intercepting a malicious program shutdown according to claim 1, characterized in that the shutdown LPC message comprises a target port handle value and an operation command value;
the predetermined interception condition comprises a predetermined shutdown port handle value and a predetermined shutdown operation command value, where the predetermined shutdown port handle value is the handle value of the shutdown or restart port, and the predetermined shutdown operation command value comprises shutdown and restart;
the determining, by the hook function, whether the shutdown LPC message meets the predetermined interception condition comprises:
determining, by the hook function, whether the target port handle value in the shutdown LPC message is identical to the predetermined shutdown port handle value;
if identical to the predetermined shutdown port handle value, determining whether the operation command value in the shutdown LPC message is shutdown or restart;
if the operation command value in the shutdown LPC message is shutdown or restart, the shutdown LPC message meets the predetermined interception condition.
4. The method for intercepting a malicious program shutdown according to claim 1, characterized in that the intercepting the shutdown LPC message by the hook function if the shutdown LPC message meets the predetermined interception condition and the name of the operation process is included in the preset malicious program process list comprises:
if the shutdown LPC message meets the predetermined interception condition, obtaining the installation path of the operation process by the hook function;
extracting the name of the operation process from the obtained installation path of the operation process;
querying the preset malicious program process list, and if the name of the operation process is included in the preset malicious program process list, intercepting the shutdown LPC message.
5. The method for intercepting a malicious program shutdown according to claim 4, characterized in that the intercepting the shutdown LPC message comprises:
exiting the hook function without sending the shutdown LPC message to the kernel function that sends the shutdown LPC message.
6. The method for intercepting a malicious program shutdown according to claim 1, characterized in that the method further comprises:
if the shutdown LPC message does not meet the predetermined interception condition, or the name of the operation process is not included in the preset malicious program process list, sending, by the hook function, the shutdown LPC message to the kernel function that sends the shutdown LPC message.
7. The method for intercepting a malicious program shutdown according to claim 6, characterized in that, before the sending, by the hook function, the shutdown LPC message to the kernel function that sends the shutdown LPC message, the method further comprises:
updating, in the system service descriptor table, the current address of the kernel function that sends the shutdown LPC message to the saved original address of the kernel function that sends the shutdown LPC message.
8. The method for intercepting a malicious program shutdown according to any one of claims 1-7, characterised in that the malicious program process list is an extensible malicious program process list.
9. A device for intercepting a malicious program shutdown, characterised in that it comprises:
a monitoring module, for monitoring, by a hook function, the shutdown LPC message sent by an operating process, wherein the hook function hooks the kernel function that sends the shutdown LPC message;
a judging module, for judging, by the hook function, whether the shutdown LPC message meets a predetermined interception condition;
an intercepting module, for intercepting the shutdown LPC message by the hook function if the shutdown LPC message meets the predetermined interception condition and the name of the operating process is included in a preset malicious program process list.
10. The device for intercepting a malicious program shutdown according to claim 9, characterised in that the device further comprises a hooking module; the hooking module comprises:
a first acquiring unit, for querying a preset system service descriptor table, obtaining the current address of the kernel function that sends the shutdown LPC message, and saving the obtained current address of the kernel function that sends the shutdown LPC message;
a second acquiring unit, for creating the hook function and obtaining the function address of the hook function;
an address updating unit, for updating, in the system service descriptor table, the current address of the kernel function that sends the shutdown LPC message to the function address of the hook function.
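The decision flow of claims 3 to 10, as an added model in C that is not the patent's or the applicant's code: a one-entry simulated table stands in for the system service descriptor table, and the operation codes, message layout, caller path and process list are constructed assumptions, since the page names none of them.

```c
#include <stdio.h>
#include <string.h>

/* Added model of the claims' decision flow, not the patent's own code. The page names neither
   the kernel function, its service table index nor the LPC message layout, so the one-entry
   table, the operation codes and the caller-path field below are all assumptions. */
enum { OP_LOGOFF = 0, OP_SHUTDOWN = 1, OP_RESTART = 2 };        /* assumed operation codes */
typedef struct { int operation; const char *caller_path; } lpc_msg_t;
typedef int (*lpc_send_fn)(const lpc_msg_t *);

static int forwarded_count;                 /* messages that reached the simulated kernel function */
static int original_send(const lpc_msg_t *m) { (void)m; forwarded_count++; return 0; }

#define SVC_INDEX 0                         /* placeholder index of the shutdown LPC send function */
static lpc_send_fn ssdt[1] = { original_send };   /* simulated system service descriptor table */
static lpc_send_fn saved_original;          /* claim 10: original address kept by the hooking module */

/* Constructed, extensible malicious program process list (claim 8). */
static const char *blocklist[] = { "evil.exe", "wiper.exe" };

/* Claim 4: the process name is the last component of the installation path. */
static const char *process_name(const char *path) {
    const char *p = strrchr(path, '\\');
    return p ? p + 1 : path;
}

/* Claims 3 and 4: only a shutdown/restart request from a listed process is intercepted. */
static int should_intercept(const lpc_msg_t *m) {
    if (m->operation != OP_SHUTDOWN && m->operation != OP_RESTART) return 0;
    const char *name = process_name(m->caller_path);
    for (size_t i = 0; i < sizeof blocklist / sizeof blocklist[0]; i++)
        if (strcmp(name, blocklist[i]) == 0) return 1;
    return 0;
}

/* The hook function: returns 1 when the message is dropped, else the kernel function's result. */
static int hook_send(const lpc_msg_t *m) {
    if (should_intercept(m)) return 1;      /* claim 5: leave without calling the kernel function */
    ssdt[SVC_INDEX] = saved_original;       /* claim 7: put the original address back first */
    return saved_original(m);               /* claim 6: pass the message on */
}

/* Claim 10: save the current table entry, then point it at the hook. */
static void install_hook(void) { saved_original = ssdt[SVC_INDEX]; ssdt[SVC_INDEX] = hook_send; }

/* A caller's request goes through whatever the table entry currently points at. */
static int request(int operation, const char *caller_path) {
    lpc_msg_t m = { operation, caller_path };
    return ssdt[SVC_INDEX](&m);
}

int main(void) {
    install_hook();
    printf("evil.exe shutdown dropped: %d\n", request(OP_SHUTDOWN, "C:\\Users\\x\\evil.exe"));
    printf("explorer.exe restart dropped: %d\n", request(OP_RESTART, "C:\\Windows\\explorer.exe"));
    return 0;
}
```

Because claim 7 restores the original address before forwarding, the table entry no longer points at the hook once a single message has been passed on, so the model (like the claimed method) needs the hook reinstalled to keep monitoring.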
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610512732.8A CN106203092B (en) | 2016-06-30 | 2016-06-30 | Method and device for intercepting shutdown of malicious program and electronic equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106203092A (en) | 2016-12-07 |
CN106203092B CN106203092B (en) | 2019-12-10 |
Family
ID=57464032
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610512732.8A Active CN106203092B (en) | 2016-06-30 | 2016-06-30 | Method and device for intercepting shutdown of malicious program and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106203092B (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108804147A (en) * | 2018-05-28 | 2018-11-13 | 新华三云计算技术有限公司 | Link closedown method, device and client |
CN109753806A (en) * | 2018-06-26 | 2019-05-14 | 360企业安全技术(珠海)有限公司 | Server protection method and device |
CN111639341A (en) * | 2020-05-29 | 2020-09-08 | 北京金山云网络技术有限公司 | Malicious program detection method and device, electronic device and storage medium |
CN114138369A (en) * | 2021-12-02 | 2022-03-04 | 北京江民新科技术有限公司 | Progress protection method and system for windows whole system |
CN114327010A (en) * | 2021-12-28 | 2022-04-12 | 杭州雾联科技有限公司 | System control method, device and medium |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101094245A (en) * | 2007-07-11 | 2007-12-26 | 华中科技大学 | Game platform system based on peer-to-peer covered network |
CN102413142A (en) * | 2011-11-30 | 2012-04-11 | 华中科技大学 | Active defense method based on cloud platform |
CN102831358A (en) * | 2012-09-21 | 2012-12-19 | 北京奇虎科技有限公司 | Method and device for preventing homepage tamper |
CN102932329A (en) * | 2012-09-26 | 2013-02-13 | 北京奇虎科技有限公司 | Method and device for intercepting behaviors of program, and client equipment |
CN103036895A (en) * | 2012-12-20 | 2013-04-10 | 北京奇虎科技有限公司 | Method and system for state tracking |
CN103795703A (en) * | 2011-04-18 | 2014-05-14 | 北京奇虎科技有限公司 | Method for ensuring user network security and client |
CN103810031A (en) * | 2014-02-26 | 2014-05-21 | 珠海市君天电子科技有限公司 | Method and device for managing wireless network shared software |
Events
- 2016-06-30: CN CN201610512732.8A patent/CN106203092B/en, status Active
Non-Patent Citations (1)
Title |
---|
Netizen: "Problems with blocking shutdown by hooking ExitWindowsEx", HTTP://WWW.MYEXCEPTION.CN/VC-MFC /151113.HTML * |
Also Published As
Publication number | Publication date |
---|---|
CN106203092B (en) | 2019-12-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | C06 | Publication | |
 | PB01 | Publication | |
 | C10 | Entry into substantive examination | |
 | SE01 | Entry into force of request for substantive examination | |
 | TA01 | Transfer of patent application right | Effective date of registration: 20190117. Address after: 519031 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province. Applicant after: Zhuhai Leopard Technology Co.,Ltd. Address before: 100085 East District, No. 33 Xiaoying West Road, Haidian District, Beijing. Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd. |
 | GR01 | Patent grant | |