CN106203092B - Method and device for intercepting shutdown of malicious program and electronic equipment - Google Patents


Info

Publication number: CN106203092B
Application number: CN201610512732.8A
Authority: CN (China)
Prior art keywords: shutdown, call message, local, function, intercepting
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN106203092A
Inventor: 李文靖
Current assignee: Zhuhai Baoqu Technology Co Ltd
Original assignee: Zhuhai Seal Interest Technology Co Ltd

Events: application filed by Zhuhai Seal Interest Technology Co Ltd; priority to CN201610512732.8A; publication of CN106203092A; application granted; publication of CN106203092B; legal status active; anticipated expiration.

Classifications

    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action (under G06F21/55 Detecting local intrusion or implementing counter-measures; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F Electric digital data processing; G06 Computing, calculating or counting; G Physics)
    • G06F2221/034 Test or assess a computer or a system (under G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms; G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)

Abstract

The embodiments of the invention disclose a method, a device and electronic equipment for intercepting shutdown of a malicious program. The invention relates to the technical field of system security; its implementation is simple and it is not easily bypassed by the malicious program. The method comprises the following steps: monitoring, through a hook function, a shutdown local procedure call message sent by an operating process, wherein the hook function hooks the kernel function that sends the shutdown local procedure call message; judging, through the hook function, whether the shutdown local procedure call message meets a preset interception condition; and if the shutdown local procedure call message meets the preset interception condition and the name of the operating process is contained in a preset malicious program process list, intercepting the shutdown local procedure call message through the hook function. The device and the electronic equipment are provided with corresponding modules for realizing the method. The method and the device are suitable for intercepting shutdown operations of malicious programs on electronic equipment.

Description

Method and device for intercepting shutdown of malicious program and electronic equipment
Technical Field
The invention relates to the technical field of system security, in particular to a method and a device for intercepting shutdown of a malicious program and electronic equipment.
Background
With the development of internet technology, malicious programs such as viruses and trojans emerge endlessly, and security software such as Kingsoft Duba has been developed to improve system security. When the security software detects a malicious program or terminates the malicious program's process, the malicious program sends a shutdown message to the system to shut down the computer, so that the security software cannot easily kill the malicious program's process.
First, the flow by which a program (including a malicious program) sends a shutdown Local Procedure Call (LPC) message is as follows:
the program takes the shutdown LPC message as a parameter and calls, in sequence, the function of the Ntdll module that sends the shutdown LPC message and the kernel function of the kernel layer that sends the shutdown LPC message; the system then parses the shutdown LPC message and calls the kernel function of the shutdown function, thereby completing the shutdown of the computer. Here the Ntdll module is a basic module provided by Microsoft that runs in the application layer and implements functions such as reading and writing files and reading and writing the registry. LPC is the communication mechanism between system subsystems and client processes; Windows has a number of subsystems, for example the process manager, service manager, I/O manager and memory manager, and each subsystem typically communicates over LPC.
In the prior art, malicious shutdown messages can be intercepted by hooking the kernel function of the shutdown function, preventing malicious programs from spreading and damaging the system.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for intercepting shutdown of a malicious program, and an electronic device, so as to solve the problem that the existing approach of hooking the kernel function of the shutdown function to intercept malicious shutdown instructions is complex to implement and is easily bypassed by the malicious program.
In a first aspect, an embodiment of the present invention provides a method for intercepting shutdown of a malicious program, including:
monitoring, through a hook function, a shutdown local procedure call message sent by an operating process, wherein the hook function hooks the kernel function that sends the shutdown local procedure call message;
judging, through the hook function, whether the shutdown local procedure call message meets a preset interception condition;
and if the shutdown local procedure call message meets the preset interception condition and the name of the operating process is contained in a preset malicious program process list, intercepting the shutdown local procedure call message through the hook function.
With reference to the first aspect, in a first implementation manner of the first aspect, before monitoring, through the hook function, the shutdown local procedure call message sent by the operating process, the method further includes:
querying a preset system service descriptor table, acquiring the current address of the kernel function that sends the shutdown local procedure call message, and storing the acquired current address;
creating a hook function and acquiring the function address of the hook function;
and updating, in the system service descriptor table, the current address of the kernel function that sends the shutdown local procedure call message to the function address of the hook function.
With reference to the first aspect, in a second implementation manner of the first aspect, the shutdown local procedure call message includes a handle value of the target port and an operation command value;
the preset interception condition includes a preset shutdown port handle value and a preset shutdown operation command value, where the preset shutdown port handle value is the handle value of a shutdown or restart port, and the preset shutdown operation command value includes shutdown and restart;
and the step of judging, through the hook function, whether the shutdown local procedure call message meets the preset interception condition includes:
judging, through the hook function, whether the handle value of the target port in the shutdown local procedure call message is the same as the preset shutdown port handle value;
if it is the same as the preset shutdown port handle value, judging whether the operation command value in the shutdown local procedure call message is shutdown or restart;
and if the operation command value in the shutdown local procedure call message is shutdown or restart, determining that the shutdown local procedure call message meets the preset interception condition.
With reference to the first aspect, in a third implementation manner of the first aspect, the step of intercepting the shutdown local procedure call message through the hook function if it meets the preset interception condition and the name of the operating process is contained in the preset malicious program process list includes:
if the shutdown local procedure call message meets the preset interception condition, acquiring the installation path of the operating process through the hook function;
extracting the name of the operating process from the acquired installation path;
and querying the preset malicious program process list, and intercepting the shutdown local procedure call message if the name of the operating process is contained in the list.
With reference to the third implementation manner of the first aspect, in a fourth implementation manner of the first aspect, intercepting the shutdown local procedure call message includes:
exiting the hook function without passing the shutdown local procedure call message to the kernel function that sends the shutdown local procedure call message.
With reference to the first aspect, in a fifth implementation manner of the first aspect, the method further includes:
if the shutdown local procedure call message does not meet the preset interception condition, or the name of the operating process is not contained in the preset malicious program process list, passing the shutdown local procedure call message through the hook function to the kernel function that sends the shutdown local procedure call message.
With reference to the fifth implementation manner of the first aspect, in a sixth implementation manner of the first aspect, before passing the shutdown local procedure call message through the hook function to the kernel function that sends it, the method further includes:
updating, in the system service descriptor table, the current address of the kernel function that sends the shutdown local procedure call message to the saved original address of that kernel function.
With reference to the first aspect or any one of the first to sixth implementation manners of the first aspect, in a seventh implementation manner of the first aspect, the malicious program process list is an extensible malicious program process list.
In a second aspect, an embodiment of the present invention provides an apparatus for intercepting shutdown of a malicious program, including:
a monitoring module, configured to monitor, through a hook function, a shutdown local procedure call message sent by an operating process, wherein the hook function hooks the kernel function that sends the shutdown local procedure call message;
a judging module, configured to judge, through the hook function, whether the shutdown local procedure call message meets a preset interception condition;
and an interception module, configured to intercept the shutdown local procedure call message through the hook function if the shutdown local procedure call message meets the preset interception condition and the name of the operating process is contained in a preset malicious program process list.
With reference to the second aspect, in a first implementation manner of the second aspect, the apparatus further includes a hooking module, and the hooking module includes:
a first acquisition unit, configured to query a preset system service descriptor table, obtain the current address of the kernel function that sends the shutdown local procedure call message, and store the obtained current address;
a second acquisition unit, configured to create a hook function and acquire the function address of the hook function;
and an address updating unit, configured to update, in the system service descriptor table, the current address of the kernel function that sends the shutdown local procedure call message to the function address of the hook function.
With reference to the second aspect, in a second implementation manner of the second aspect, the shutdown local procedure call message includes a handle value of the target port and an operation command value;
the preset interception condition includes a preset shutdown port handle value and a preset shutdown operation command value, where the preset shutdown port handle value is the handle value of a shutdown or restart port, and the preset shutdown operation command value includes shutdown and restart;
and the judging module includes:
a first judging unit, configured to judge, through the hook function, whether the handle value of the target port in the shutdown local procedure call message is the same as the preset shutdown port handle value;
a second judging unit, configured to judge, if the handle value is the same as the preset shutdown port handle value, whether the operation command value in the shutdown local procedure call message is shutdown or restart;
and a message determining unit, configured to determine that the shutdown local procedure call message meets the preset interception condition if the operation command value in the shutdown local procedure call message is shutdown or restart.
With reference to the second aspect, in a third implementation manner of the second aspect, the interception module includes:
an acquisition unit, configured to acquire, through the hook function, the installation path of the operating process if the shutdown local procedure call message meets the preset interception condition;
an extracting unit, configured to extract the name of the operating process from the acquired installation path;
and an intercepting unit, configured to query the preset malicious program process list and intercept the shutdown local procedure call message if the name of the operating process is contained in the list.
With reference to the third implementation manner of the second aspect, in a fourth implementation manner of the second aspect, the intercepting unit is specifically configured to exit the hook function without passing the shutdown local procedure call message to the kernel function that sends the shutdown local procedure call message.
With reference to the second aspect, in a fifth implementation manner of the second aspect, the interception module is further configured to pass the shutdown local procedure call message through the hook function to the kernel function that sends the shutdown local procedure call message if the message does not meet the preset interception condition, or the name of the operating process is not contained in the preset malicious program process list.
With reference to the fifth implementation manner of the second aspect, in a sixth implementation manner of the second aspect, the interception module is further configured to update, in the system service descriptor table, the current address of the kernel function that sends the shutdown local procedure call message to the saved original address of that kernel function.
With reference to the second aspect or any one of the first to sixth implementation manners of the second aspect, in a seventh implementation manner of the second aspect, the malicious program process list is an extensible malicious program process list.
In a third aspect, an embodiment of the present invention provides an electronic device, including: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in a space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, in order to execute any one of the above methods for intercepting shutdown of a malicious program.
According to the method, the device and the electronic equipment for intercepting shutdown of a malicious program, the shutdown local procedure call message sent by an operating process is monitored through a hook function that hooks the kernel function sending the shutdown local procedure call message; the hook function judges whether the shutdown local procedure call message meets the preset interception condition; and if it does and the name of the operating process is contained in the preset malicious program process list, the hook function intercepts the message. In this way, a hook function that hooks the kernel function sending the shutdown LPC message intercepts shutdown LPC messages that meet the preset interception condition and are sent by a malicious operating process.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart illustrating a method for intercepting shutdown of a malicious program according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart illustrating a method for intercepting shutdown of a malicious program according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an apparatus for intercepting shutdown of a malicious program according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an embodiment of an electronic device according to the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a flowchart illustrating a method for intercepting shutdown of a malicious program according to an embodiment of the present invention. As shown in Fig. 1, the method of this embodiment may include:
Step 101: a shutdown local procedure call message sent by an operating process is monitored through a hook function, wherein the hook function hooks the kernel function that sends the shutdown local procedure call message.
In this embodiment, the shutdown LPC message sent by the operating process is monitored through the hook function, and the process by which the operating process sends the shutdown LPC message is:
the operating process takes the shutdown LPC message as a parameter -> the function of the ntdll module that sends the shutdown LPC message -> the hook function -> the kernel function of the kernel layer that sends the shutdown LPC message -> the system parses the shutdown LPC message and calls the kernel function of the shutdown function, thereby completing the shutdown of the computer.
In this embodiment, it is assumed that the function of the ntdll module that sends the shutdown LPC message is the NtAlpcSendWaitReceivePort function of ntdll; the hook function provided by this embodiment is the NewNtAlpcSendWaitReceivePort function; the kernel function of the kernel layer that sends the shutdown LPC message is the NtAlpcSendWaitReceivePort function of the kernel layer; and the kernel function of the shutdown function is the NtShutdownSystem function.
In this embodiment, as can be seen from the flow by which an operating process sends a shutdown LPC message, hooking either the kernel-layer kernel function NtAlpcSendWaitReceivePort or the kernel function NtShutdownSystem can intercept a malicious shutdown LPC message. However, when the hook function hooks the kernel-layer kernel function NtAlpcSendWaitReceivePort to intercept the malicious shutdown LPC message, because the kernel function NtAlpcSendWaitReceivePort that sends the shutdown LPC message sits at a layer above the kernel function NtShutdownSystem, the implementation is relatively simple and the interception of the malicious shutdown LPC message can be achieved more easily and stably.
In this embodiment, the step of hooking the kernel-layer kernel function NtAlpcSendWaitReceivePort with the hook function NewNtAlpcSendWaitReceivePort includes:
querying the system service descriptor table (SSDT) preset in the system, obtaining the current address of the kernel function NtAlpcSendWaitReceivePort that sends the shutdown LPC message, and storing the obtained current address; creating the hook function NewNtAlpcSendWaitReceivePort and acquiring its function address; and updating, in the system service descriptor table, the current address of the kernel function NtAlpcSendWaitReceivePort that sends the shutdown LPC message to the function address of the hook function NewNtAlpcSendWaitReceivePort, thereby hooking it with the NewNtAlpcSendWaitReceivePort function.
In this embodiment, as an optional embodiment, before monitoring, through the hook function, the shutdown local procedure call message sent by the operating process, the method further includes:
querying a preset system service descriptor table, acquiring the current address of the kernel function that sends the shutdown local procedure call message, and storing the acquired current address;
creating a hook function and acquiring the function address of the hook function;
and updating, in the system service descriptor table, the current address of the kernel function that sends the shutdown local procedure call message to the function address of the hook function.
Step 102: judging, through the hook function, whether the shutdown local procedure call message meets a preset interception condition.
In this embodiment, the shutdown LPC message at least includes a handle value of the target port and an operation command value.
In this embodiment, the preset interception condition includes a preset shutdown port handle value and a preset shutdown operation command value, wherein the preset shutdown port handle value is the handle value of a shutdown or restart port; the handle value of the shutdown port and the handle value of the restart port may be the same or different, and are collectively called the shutdown port handle value; and the preset shutdown operation command value includes shutdown and restart.
In this embodiment, whether the shutdown LPC message meets the preset interception condition is judged by the hook function NewNtAlpcSendWaitReceivePort.
Step 103: if the shutdown local procedure call message meets the preset interception condition and the name of the operating process is contained in a preset malicious program process list, intercepting the shutdown local procedure call message through the hook function.
In this embodiment, when the shutdown LPC message meets the preset interception condition, the hook function NewNtAlpcSendWaitReceivePort further needs to determine whether the operating process is a malicious program. Specifically, a kernel function such as ZwQueryInformationProcess may be called to obtain the installation path of the operating process, for example C:\Windows\System32\av2.exe; the name of the operating process, for example av2.exe, is extracted from the acquired installation path; then the preset malicious program process list is queried, and if the name of the operating process is contained in the list, the shutdown LPC message is intercepted.
In this embodiment, as an optional embodiment, the step of intercepting the shutdown local procedure call message through the hook function if it meets the preset interception condition and the name of the operating process is contained in the preset malicious program process list includes:
if the shutdown local procedure call message meets the preset interception condition, acquiring the installation path of the operating process through the hook function;
extracting the name of the operating process from the acquired installation path;
and querying the preset malicious program process list, and intercepting the shutdown local procedure call message if the name of the operating process is contained in the list.
In this embodiment, a shutdown LPC message is also sent when the system shuts down or restarts normally, so the preset malicious program process list must not include system processes such as csrss.exe, smss.exe, lsass.exe and winload.exe; it may include the names of known malicious shutdown processes, such as av2.exe, add2.exe and kei3.exe. As yet another optional embodiment, the malicious program process list is extensible, so that a user can update it according to the actual application conditions.
In this embodiment, when a shutdown LPC message sent by an operating process meets the preset interception condition and the name of the operating process is contained in the preset malicious program process list, the hook function NewNtAlpcSendWaitReceivePort intercepts the shutdown local procedure call message: the hook function NewNtAlpcSendWaitReceivePort exits without going on to execute the kernel function NtAlpcSendWaitReceivePort, so the sending of the shutdown LPC message fails and the attempt to shut down the computer fails.
In this embodiment, as a further optional embodiment, intercepting the shutdown local procedure call message includes:
exiting the hook function without passing the shutdown local procedure call message to the kernel function that sends the shutdown local procedure call message.
In this embodiment, if the shutdown LPC message sent by the operating process does not meet the preset interception condition, or the name of the operating process is not contained in the preset malicious program process list, the hook function NewNtAlpcSendWaitReceivePort may continue to call and execute the kernel function NtAlpcSendWaitReceivePort; the shutdown LPC message is then sent successfully and the computer shuts down.
In this embodiment, as a further optional embodiment, the method further includes:
if the shutdown local procedure call message does not meet the preset interception condition, or the name of the operating process is not contained in the preset malicious program process list, passing the shutdown local procedure call message through the hook function to the kernel function that sends the shutdown local procedure call message.
In this embodiment, so that the hook function NewNtAlpcSendWaitReceivePort can pass the shutdown LPC message to the kernel function NtAlpcSendWaitReceivePort, before the hook function NewNtAlpcSendWaitReceivePort calls the kernel function NtAlpcSendWaitReceivePort, the current address of the kernel function that sends the shutdown LPC message needs to be updated, in the system service descriptor table, to the saved original address of that kernel function.
In this embodiment, as a further optional embodiment, before passing the shutdown local procedure call message through the hook function to the kernel function that sends it, the method further includes:
updating, in the system service descriptor table, the current address of the kernel function that sends the shutdown local procedure call message to the saved original address of that kernel function.
The method for intercepting shutdown of a malicious program provided by the embodiment of the invention monitors, through a hook function, the shutdown local procedure call message sent by an operating process, wherein the hook function hooks the kernel function that sends the shutdown local procedure call message; the hook function judges whether the shutdown local procedure call message meets the preset interception condition; and if it does and the name of the operating process is contained in the preset malicious program process list, the hook function intercepts the message. In this way, a hook function that hooks the kernel function sending the shutdown LPC message intercepts shutdown LPC messages that meet the preset interception condition and are sent by a malicious operating process.
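The hooking and interception flow of steps 101 to 103, as an added example that is not the patent's or the assignee's own code: a user-mode C simulation in which the SSDT, the kernel function, the hook function and the shutdown LPC message are plain C models; the shutdown port handle value 0x1c4, the command values, the list entries and the process paths are constructed assumptions.

```c
/* Added example, not code from the patent or its assignee: a user-mode C
 * simulation of steps 101 to 103. The SSDT, the kernel function
 * NtAlpcSendWaitReceivePort, the hook function and the shutdown LPC message are
 * modelled in plain C; every name, handle value and command value is constructed. */
#include <stdint.h>
#include <string.h>
#include <ctype.h>

/* Operation command values carried in the shutdown LPC message (constructed). */
enum { CMD_NONE = 0, CMD_SHUTDOWN = 1, CMD_RESTART = 2, CMD_LOGOFF = 3 };
/* Model of the shutdown LPC message: target port handle plus operation command. */
typedef struct { uintptr_t target_port; int command; } ShutdownLpcMessage;
/* Signature shared by the kernel function and the hook that replaces it. */
typedef int (*SendWaitReceivePortFn)(uintptr_t port, const ShutdownLpcMessage *msg);

/* Stand-in for the system service descriptor table: one slot per service. */
#define SSDT_SLOTS 4
#define SLOT_ALPC_SEND 2
static SendWaitReceivePortFn g_ssdt[SSDT_SLOTS];
/* Saved original address of the hooked kernel function (first hooking step). */
static SendWaitReceivePortFn g_original_send = NULL;
/* Preset shutdown port handle; the patent looks it up in the kernel, here it is a constant. */
static const uintptr_t g_shutdown_port_handle = 0x1c4;
/* Installation path the kernel would report for the calling process (ZwQueryInformationProcess). */
static const char *g_current_process_path = "";
/* Observables: how often the kernel function ran and how often a message was dropped. */
static int g_kernel_calls = 0, g_blocked = 0;

/* Preset, extensible malicious program process list. */
#define MAX_LIST 16
static char g_malicious_list[MAX_LIST][64];
static int g_malicious_count = 0;

int add_malicious_process(const char *name) {
    if (g_malicious_count >= MAX_LIST || strlen(name) >= 64) return 0;
    strcpy(g_malicious_list[g_malicious_count++], name);
    return 1;
}

/* Extract the process name from a path such as C:\Windows\System32\av2.exe ('\' or '/'). */
const char *process_name_from_path(const char *path) {
    const char *sep = strrchr(path, '\\');
    const char *fs = strrchr(path, '/');
    if (fs && (!sep || fs > sep)) sep = fs;
    return sep ? sep + 1 : path;
}

/* Case-insensitive compare: the list may hold av2.EXE while the path says av2.exe. */
static int name_equals(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

int is_listed_malicious(const char *name) {
    for (int i = 0; i < g_malicious_count; i++)
        if (name_equals(g_malicious_list[i], name)) return 1;
    return 0;
}

/* Step 102: the condition holds only for shutdown or restart sent to the shutdown port. */
int meets_interception_condition(const ShutdownLpcMessage *msg) {
    if (msg->target_port != g_shutdown_port_handle) return 0;
    return msg->command == CMD_SHUTDOWN || msg->command == CMD_RESTART;
}

/* Stand-in for the kernel's NtAlpcSendWaitReceivePort: record the call and succeed. */
static int kernel_send(uintptr_t port, const ShutdownLpcMessage *msg) {
    (void)port; (void)msg; g_kernel_calls++; return 0;
}

/* Step 103, the hook (NewNtAlpcSendWaitReceivePort in the patent): a message that
 * meets the condition and comes from a listed process is dropped by returning
 * without forwarding; anything else goes to the saved original address
 * (the patent writes that address back into the table before forwarding). */
static int hook_send(uintptr_t port, const ShutdownLpcMessage *msg) {
    if (meets_interception_condition(msg) &&
        is_listed_malicious(process_name_from_path(g_current_process_path))) {
        g_blocked++;
        return -1;
    }
    return g_original_send(port, msg);
}

/* Hooking step: save the current table entry, then point the entry at the hook. */
void install_hook(void) {
    g_ssdt[SLOT_ALPC_SEND] = kernel_send;   /* the table as the system ships it */
    g_original_send = g_ssdt[SLOT_ALPC_SEND];
    g_ssdt[SLOT_ALPC_SEND] = hook_send;
}

/* Unhook: restore the saved original address into the table. */
void remove_hook(void) {
    if (g_original_send) g_ssdt[SLOT_ALPC_SEND] = g_original_send;
}

/* One shutdown attempt by a process, dispatched through the table the way a system
 * call would be. Returns 1 if the message reached the kernel function, 0 if dropped. */
int attempt_shutdown(const char *process_path, uintptr_t port, int command) {
    ShutdownLpcMessage msg = { port, command };
    int before = g_kernel_calls;
    g_current_process_path = process_path;
    g_ssdt[SLOT_ALPC_SEND](port, &msg);
    return g_kernel_calls > before;
}
```

Call install_hook(), add_malicious_process("av2.exe") and attempt_shutdown(...) from a main() of your own; only a shutdown or restart command aimed at the shutdown port from a listed process is dropped, everything else reaches the kernel stand-in.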
Fig. 2 is a schematic flow diagram of a method for intercepting shutdown of a malicious program according to an embodiment of the present invention. As shown in Fig. 2, the method of this embodiment may include:
Step 201: monitoring, through a hook function, a shutdown local procedure call message sent by an operation process, where the hook function hooks the kernel function that sends the shutdown local procedure call message.
In this embodiment, step 201 is similar to step 101 of the method embodiment above and is not described again here.
Step 202: judging, through the hook function, whether the handle value of the target port in the shutdown local procedure call message is the same as the predetermined shutdown port handle value.
In this embodiment, the shutdown LPC message includes at least a target port handle value and an operation command value.
In this embodiment, when an operation process sends a shutdown LPC message, the hook function NewNtAlpcSendWaitReceivePort executes. One parameter in the hook function's parameter list is the target port handle parameter, which receives the handle value of the target port in the shutdown LPC message. The hook function calls a specified kernel function, for example ObReferenceObjectByName, to obtain the predetermined shutdown port handle value. If the shutdown port handle value returned by ObReferenceObjectByName is the same as the target port handle value in the parameter, the operation process is sending a shutdown LPC message to the shutdown port, and step 203 is executed.
In this embodiment, the predetermined shutdown port handle value is part of the predetermined interception condition, which further includes a predetermined shutdown operation command value. The predetermined shutdown port handle value is the handle value of the shutdown or restart port; the handle value of the shutdown port and the handle value of the restart port may be the same or different and are collectively called the shutdown port handle value. The predetermined shutdown operation command value includes shutdown and restart.
Step 203: if the target port handle value is the same as the predetermined shutdown port handle value, determining whether the operation command value in the shutdown local procedure call message is shutdown or restart.
In this embodiment, the parameter list of the hook function NewNtAlpcSendWaitReceivePort further includes a data structure of type PPORT_MESSAGE, that is, the data structure sent to the shutdown port. Its pData member is a pointer to a structure of type PSHUTDOWN_WINDOW_MESSAGE, which is the data structure of the shutdown LPC message and contains an operation command field that receives the operation command value of the shutdown LPC message.
In this embodiment, if the operation process is sending a shutdown LPC message to the shutdown port, it is further necessary to determine whether the operation command value in the shutdown LPC message is the predetermined shutdown or restart operation command value.
Step 204: if the operation command value in the shutdown local procedure call message is shutdown or restart, the shutdown local procedure call message meets the predetermined interception condition.
In this embodiment, if the operation command value received in the PSHUTDOWN_WINDOW_MESSAGE data structure equals SHUTDOWN_PORT_ID (shutdown) or RESTART_PORT_ID (restart), the shutdown local procedure call message meets the predetermined interception condition, and step 205 is executed.
Step 205: if the shutdown local procedure call message meets the predetermined interception condition and the name of the operation process is contained in a preset malicious program process list, intercepting the shutdown local procedure call message through the hook function.
In this embodiment, step 205 is similar to step 103 of the method embodiment above and is not described again here.
Fig. 3 is a schematic structural diagram of the apparatus for intercepting shutdown of a malicious program according to the present invention. As shown in Fig. 3, the apparatus of this embodiment may include a monitoring module 11, a judging module 12 and an intercepting module 13, where:
The monitoring module 11 is configured to monitor, through a hook function, a shutdown local procedure call message sent by an operation process, where the hook function hooks the kernel function that sends the shutdown local procedure call message.
In this embodiment, the shutdown LPC message sent by the operation process is monitored through the hook function. The process by which an operation process sends a shutdown LPC message is:
the operation process, taking the shutdown LPC message as a parameter -> the function of the ntdll module that sends the shutdown LPC message -> the hook function -> the kernel-layer kernel function that sends the shutdown LPC message -> the system's kernel function that parses the shutdown LPC message and calls the kernel function of the shutdown function, which completes the shutdown of the computer.
In this embodiment, it is assumed that the function of the ntdll module that sends the shutdown LPC message is the NtAlpcSendWaitReceivePort function of ntdll; the hook function provided by this embodiment is the NewNtAlpcSendWaitReceivePort function; the kernel-layer kernel function that sends the shutdown LPC message is the kernel-layer NtAlpcSendWaitReceivePort function; and the kernel function of the shutdown function is the NtShutdownSystem function.
In this embodiment, as can be seen from the flow by which an operation process sends a shutdown LPC message, hooking either the kernel-layer NtAlpcSendWaitReceivePort kernel function or the NtShutdownSystem kernel function can intercept a malicious shutdown LPC message. However, when the hook function hooks the kernel-layer NtAlpcSendWaitReceivePort kernel function to intercept the malicious shutdown LPC message, because NtAlpcSendWaitReceivePort, which sends the shutdown LPC message, sits above NtShutdownSystem, the implementation is relatively simple and interception of malicious shutdown LPC messages is easier and more stable.
In this embodiment, a hooking module may be used to hook the kernel-layer NtAlpcSendWaitReceivePort kernel function with the hook function NewNtAlpcSendWaitReceivePort.
In this embodiment, as an optional embodiment, the apparatus further includes a hooking module, which includes:
a first obtaining unit, configured to query a preset system service descriptor table, obtain the current address of the kernel function that sends the shutdown local procedure call message, and store the obtained current address of that kernel function;
a second obtaining unit, configured to create a hook function and obtain the function address of the hook function;
and an address updating unit, configured to update, in the system service descriptor table, the current address of the kernel function that sends the shutdown local procedure call message to the function address of the hook function.
In this embodiment, hooking the kernel-layer NtAlpcSendWaitReceivePort kernel function with the hook function NewNtAlpcSendWaitReceivePort includes:
querying the System Service Descriptor Table (SSDT) preset in the system, obtaining the current address of the kernel function NtAlpcSendWaitReceivePort that sends the shutdown LPC message, and storing the obtained current address; creating the hook function NewNtAlpcSendWaitReceivePort and obtaining its function address; and updating, in the system service descriptor table, the current address of the kernel function NtAlpcSendWaitReceivePort to the function address of the hook function NewNtAlpcSendWaitReceivePort, thereby hooking with the NewNtAlpcSendWaitReceivePort function.
The judging module 12 is configured to judge, through the hook function, whether the shutdown local procedure call message meets a predetermined interception condition.
In this embodiment, the shutdown LPC message includes at least a target port handle value and an operation command value.
In this embodiment, the predetermined interception condition includes a predetermined shutdown port handle value and a predetermined shutdown operation command value. The predetermined shutdown port handle value is the handle value of the shutdown or restart port; the handle value of the shutdown port and the handle value of the restart port may be the same or different and are collectively called the shutdown port handle value. The predetermined shutdown operation command value includes shutdown and restart.
In this embodiment, whether the shutdown LPC message meets the predetermined interception condition is determined by the hook function NewNtAlpcSendWaitReceivePort.
In this embodiment, the judging module 12 includes a first judging unit, a second judging unit and a message determining unit, where:
The first judging unit is configured to judge, through the hook function, whether the handle value of the target port in the shutdown local procedure call message is the same as the predetermined shutdown port handle value.
In this embodiment, when an operation process sends a shutdown LPC message, the hook function NewNtAlpcSendWaitReceivePort executes. One parameter in the hook function's parameter list is the target port handle parameter, which receives the handle value of the target port in the shutdown LPC message. The hook function calls a specified kernel function, for example ObReferenceObjectByName, to obtain the predetermined shutdown port handle value. If the handle value of the target port in the parameter is the same as the shutdown port handle value returned by ObReferenceObjectByName, the operation process is sending the shutdown LPC message to the shutdown port.
The second judging unit is configured to judge, if the target port handle value is the same as the predetermined shutdown port handle value, whether the operation command value in the shutdown local procedure call message is shutdown or restart.
In this embodiment, the parameter list of the hook function NewNtAlpcSendWaitReceivePort further includes a data structure of type PPORT_MESSAGE, that is, the data structure sent to the shutdown port. Its pData member is a pointer to a structure of type PSHUTDOWN_WINDOW_MESSAGE, which is the data structure of the shutdown LPC message and contains an operation command field that receives the operation command value of the shutdown LPC message.
In this embodiment, if the operation process is sending a shutdown LPC message to the shutdown port, it is further necessary to determine whether the operation command value in the shutdown LPC message is the predetermined shutdown or restart operation command value.
The message determining unit is configured to determine that the shutdown local procedure call message meets the predetermined interception condition if the operation command value in the shutdown local procedure call message is shutdown or restart.
In this embodiment, if the operation command value received in the PSHUTDOWN_WINDOW_MESSAGE data structure equals SHUTDOWN_PORT_ID (shutdown) or RESTART_PORT_ID (restart), the shutdown local procedure call message meets the predetermined interception condition.
The intercepting module 13 is configured to intercept the shutdown local procedure call message through the hook function if the shutdown local procedure call message meets the predetermined interception condition and the name of the operation process is contained in a preset malicious program process list.
In this embodiment, when the shutdown LPC message meets the predetermined interception condition, the hook function NewNtAlpcSendWaitReceivePort further needs to determine whether the operation process is a malicious program. Specifically, a kernel function such as ZwQueryInformationProcess may be called to obtain the installation path of the operation process, such as C:\Windows\System32\av2.exe; the name of the operation process, for example av2.exe, is extracted from the obtained installation path; and the preset malicious program process list is queried. If the name of the operation process is contained in the preset malicious program process list, the shutdown LPC message is intercepted.
In this embodiment, as an optional embodiment, the intercepting module 13 includes:
an obtaining unit, configured to obtain, through the hook function, the installation path of the operation process if the shutdown local procedure call message meets the predetermined interception condition;
an extracting unit, configured to extract the name of the operation process from the obtained installation path of the operation process;
and an intercepting unit, configured to query a preset malicious program process list and intercept the shutdown local procedure call message if the name of the operation process is contained in the preset malicious program process list.
In this embodiment, the shutdown LPC message is also sent when the system shuts down or restarts normally, so the preset malicious program process list must not include system processes such as csrss.exe, smss.exe, lsass.exe and winload.exe; it may include the names of known malicious shutdown processes, such as av2.exe, add2.exe and kei3.exe. As yet another alternative embodiment, the malicious program process list is an extensible list, so that a user can update it according to actual application conditions.
In this embodiment, when a shutdown LPC message sent by an operation process meets the predetermined interception condition and the name of the operation process is contained in the preset malicious program process list, the hook function NewNtAlpcSendWaitReceivePort intercepts the shutdown local procedure call message: it exits without continuing to execute the kernel function NtAlpcSendWaitReceivePort, so sending the shutdown LPC message fails and the operation of shutting down the computer fails.
In this embodiment, as a further optional embodiment, the intercepting unit is specifically configured to exit the hook function without transmitting the shutdown local procedure call message to the kernel function that sends the shutdown local procedure call message.
In this embodiment, if the shutdown LPC message sent by the operation process does not meet the predetermined interception condition, or the name of the operation process is not contained in the preset malicious program process list, the hook function NewNtAlpcSendWaitReceivePort continues to call and execute the kernel function NtAlpcSendWaitReceivePort; the shutdown LPC message is sent successfully and the operation of shutting down the computer succeeds.
In this embodiment, as another optional embodiment, the intercepting module 13 is further configured to transmit, through the hook function, the shutdown local procedure call message to the kernel function that sends the shutdown local procedure call message if the message does not meet the predetermined interception condition, or the name of the operation process is not contained in the preset malicious program process list.
In this embodiment, so that the hook function NewNtAlpcSendWaitReceivePort can transmit the shutdown LPC message to the kernel function NtAlpcSendWaitReceivePort, before the hook function calls and executes the kernel function NtAlpcSendWaitReceivePort, the current address of the kernel function that sends the shutdown LPC message needs to be updated, in the system service descriptor table, to the saved original address of that kernel function.
In this embodiment, as a further optional embodiment, the intercepting module 13 is further configured to update, in the system service descriptor table, the current address of the kernel function that sends the shutdown local procedure call message to the stored original address of that kernel function.
In the apparatus for intercepting shutdown of a malicious program according to this embodiment, a hook function monitors a shutdown local procedure call message sent by an operation process, where the hook function hooks the kernel function that sends the shutdown local procedure call message; the hook function judges whether the shutdown local procedure call message meets a predetermined interception condition; and, if the message meets the predetermined interception condition and the name of the operation process is contained in a preset malicious program process list, the hook function intercepts the message. In this way, the hook function that hooks the kernel function sending shutdown LPC messages intercepts those shutdown LPC messages that meet the predetermined interception condition and are sent by a malicious operation process.
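The hooking step, the two-part interception condition (steps 202 to 204) and the process-list check (step 205) described above, as a constructed user-mode C model added here, not the patent's code: the SSDT is a plain table of function pointers, the caller's image path is passed in place of the ZwQueryInformationProcess query, the port handle value 0x5A5A and the numeric command values are assumed, and the sample process names are the ones the text gives.

```c
/* Constructed user-mode model of the patent's interception logic (not the patent's
 * code): the SSDT is a plain function-pointer table and the Windows kernel APIs are
 * replaced by stubs, so the decision path can be compiled and exercised anywhere. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
typedef int NTSTATUS;
#define STATUS_SUCCESS       0
#define STATUS_ACCESS_DENIED (-1)   /* returned when the hook refuses the send */
/* Operation command values named in the patent; the numeric values are assumed. */
enum { SHUTDOWN_PORT_ID = 1, RESTART_PORT_ID = 2 };
/* The port message's pData points at the shutdown LPC message body. */
typedef struct { int OperationCommand; } SHUTDOWN_WINDOW_MESSAGE;
typedef struct { SHUTDOWN_WINDOW_MESSAGE *pData; } PORT_MESSAGE;
/* Common prototype of the kernel function and its hook. The caller's image path is
 * passed explicitly in place of what ZwQueryInformationProcess would return. */
typedef NTSTATUS (*SendWaitReceivePortFn)(uintptr_t, PORT_MESSAGE *, const char *);
/* Model of the system service descriptor table plus the saved original address. */
#define SVC_ALPC_SEND_WAIT_RECEIVE_PORT 3
static SendWaitReceivePortFn g_ssdt[8];
static SendWaitReceivePortFn g_saved_original;
/* Model of ObReferenceObjectByName resolving the shutdown/restart port handle. */
static const uintptr_t SHUTDOWN_PORT_HANDLE = 0x5A5A;   /* assumed value */
static uintptr_t lookup_shutdown_port_handle(void) { return SHUTDOWN_PORT_HANDLE; }
/* Preset malicious program process list (sample names from the patent text). System
 * processes that legitimately send shutdown messages must never be listed here. */
static const char *g_malicious_list[] = { "av2.exe", "add2.exe", "kei3.exe" };

static int g_kernel_calls;   /* sends that reached the "real" kernel function */
int kernel_call_count(void) { return g_kernel_calls; }

/* Stand-in for the genuine NtAlpcSendWaitReceivePort: it only records the call. */
static NTSTATUS original_NtAlpcSendWaitReceivePort(uintptr_t h, PORT_MESSAGE *m, const char *p) {
    (void)h; (void)m; (void)p;
    g_kernel_calls++;
    return STATUS_SUCCESS;
}

/* Extract the process name from an installation path such as C:\Windows\System32\av2.exe. */
const char *process_name_from_path(const char *path) {
    const char *name = path;
    for (const char *p = path; *p; p++)
        if (*p == '\\' || *p == '/') name = p + 1;
    return name;
}

/* ASCII case-insensitive comparison: Windows image names are not case sensitive. */
static bool iequals(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

bool name_in_malicious_list(const char *name) {
    size_t n = sizeof g_malicious_list / sizeof g_malicious_list[0];
    for (size_t i = 0; i < n; i++)
        if (iequals(name, g_malicious_list[i])) return true;
    return false;
}

/* Steps 202 to 204: the predetermined interception condition. */
bool meets_interception_condition(uintptr_t target_port, const PORT_MESSAGE *msg) {
    if (target_port != lookup_shutdown_port_handle()) return false;   /* step 202 */
    if (msg == NULL || msg->pData == NULL) return false;              /* malformed */
    int cmd = msg->pData->OperationCommand;                           /* step 203 */
    return cmd == SHUTDOWN_PORT_ID || cmd == RESTART_PORT_ID;         /* step 204 */
}

/* The hook that replaces NtAlpcSendWaitReceivePort in the table (step 205). */
NTSTATUS NewNtAlpcSendWaitReceivePort(uintptr_t PortHandle, PORT_MESSAGE *Msg, const char *CallerImagePath) {
    if (meets_interception_condition(PortHandle, Msg) &&
        name_in_malicious_list(process_name_from_path(CallerImagePath))) {
        return STATUS_ACCESS_DENIED;   /* exit without reaching the kernel function */
    }
    /* Pass-through as the patent describes: write the saved original address back
     * into the table entry, then let the message reach the kernel function. */
    g_ssdt[SVC_ALPC_SEND_WAIT_RECEIVE_PORT] = g_saved_original;
    return g_saved_original(PortHandle, Msg, CallerImagePath);
}

/* Hooking module: save the table's current address, then write the hook's address.
 * Call reset_model() first so that the table holds the original function. */
void install_hook(void) {
    g_saved_original = g_ssdt[SVC_ALPC_SEND_WAIT_RECEIVE_PORT];
    g_ssdt[SVC_ALPC_SEND_WAIT_RECEIVE_PORT] = NewNtAlpcSendWaitReceivePort;
}

/* Return the model to its pristine, unhooked state. */
void reset_model(void) {
    g_ssdt[SVC_ALPC_SEND_WAIT_RECEIVE_PORT] = original_NtAlpcSendWaitReceivePort;
    g_saved_original = NULL;
    g_kernel_calls = 0;
}

/* What the ntdll stub ultimately does: dispatch through the current table entry. */
NTSTATUS dispatch_send(uintptr_t PortHandle, PORT_MESSAGE *Msg, const char *CallerImagePath) {
    return g_ssdt[SVC_ALPC_SEND_WAIT_RECEIVE_PORT](PortHandle, Msg, CallerImagePath);
}
```

A send from a listed process to the shutdown port with a shutdown or restart command never reaches the kernel function; any send that fails either part of the condition, or comes from an unlisted process, passes through unchanged.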
It is noted that, herein, relational terms such as first and second are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between them. Also, the terms "comprises", "comprising" and any variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to it. Without further limitation, an element introduced by "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or apparatus that comprises that element.
All the embodiments in the present specification are described in a related manner; the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on its differences from the others.
In particular, since the apparatus embodiment is substantially similar to the method embodiment, its description is relatively brief, and for the relevant points reference may be made to the corresponding description of the method embodiment.
The logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Additionally, the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof.
In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
The embodiment of the invention also provides electronic equipment. Fig. 4 is a schematic structural diagram of an embodiment of an electronic device of the present invention, which can implement the processes of the embodiments shown in Figs. 1 to 3 of the present invention. As shown in Fig. 4, the electronic device may include a housing 41, a processor 42, a memory 43, a circuit board 44 and a power supply circuit 45, where the circuit board 44 is arranged inside the space enclosed by the housing 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; the power supply circuit 45 supplies power to each circuit or device of the electronic apparatus; the memory 43 stores executable program code; and the processor 42 runs a program corresponding to the executable program code by reading the executable program code stored in the memory 43, so as to perform the method for intercepting shutdown of a malicious program according to any of the foregoing embodiments.
The specific execution process of the above steps by the processor 42 and the steps further executed by the processor 42 by running the executable program code may refer to the description of the embodiment shown in fig. 1 to 3 of the present invention, and are not described herein again.
The electronic device exists in a variety of forms, including but not limited to:
(1) Mobile communication devices: such devices have mobile communication capabilities and are primarily aimed at providing voice and data communication. Such terminals include smartphones (e.g., iPhones), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: these belong to the category of personal computers, have computing and processing functions, and generally also have mobile internet access. Such terminals include PDA, MID and UMPC devices, such as iPads.
(3) Portable entertainment devices: such devices can display and play multimedia content. This type includes audio and video players (e.g., iPods), handheld game consoles, e-book readers, smart toys and portable car navigation devices.
(4) Servers: devices that provide computing services. A server comprises a processor, hard disk, memory, system bus and so on, and is similar in architecture to a general-purpose computer, but because it must provide highly reliable services it has higher requirements on processing capacity, stability, reliability, security, scalability and manageability.
(5) Other electronic equipment with a data interaction function.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.
For convenience of description, the above devices are described separately in terms of functional division into various units/modules. Of course, the functionality of the units/modules may be implemented in one or more software and/or hardware implementations of the invention.
from the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
it will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (15)

1. A method for intercepting shutdown of a malicious program, characterized by comprising the following steps:
monitoring a shutdown local process call message sent by an operation process through a hook function, wherein the hook function hook sends a kernel function of the shutdown local process call message, and the shutdown local process call message comprises: a handle value and an operation command value of the target port;
Judging whether the shutdown local process call message meets a preset interception condition or not through the hook function;
If the shutdown local process call message meets a preset interception condition and the name of the operation process is contained in a preset malicious program process list, intercepting the shutdown local process call message through the hook function;
The predetermined interception conditions include: a predetermined shutdown port handle value and a predetermined shutdown operation command value, where the predetermined shutdown port handle value is a handle value of a shutdown or restart port, and the predetermined shutdown operation command value includes: shutdown and restart;
The step of judging whether the shutdown local procedure call message meets a preset interception condition through the hook function comprises:
Judging whether a handle value of a target port in the shutdown local procedure call message is the same as a preset shutdown port handle value or not through the hook function;
if the handle value of the target port is the same as the predetermined shutdown port handle value, judging whether the operation command value in the shutdown local procedure call message is shutdown or restart;
If the operation command value in the shutdown local process calling message is shutdown or restart, the shutdown local process calling message meets a preset interception condition.
2. The method for intercepting shutdown of malicious programs according to claim 1, wherein before listening for a shutdown local procedure call message sent by an operating process through a hook function, the method further comprises:
inquiring a preset system service descriptor table, acquiring the current address of the kernel function sending the shutdown local process calling message, and storing the acquired current address of the kernel function sending the shutdown local process calling message;
Creating a hook function and acquiring a function address of the hook function;
And updating the current address of the kernel function which sends the shutdown local process call message into the function address of the hook function in the system service descriptor table.
3. The method for intercepting shutdown of a malicious program according to claim 1, wherein if the shutdown local procedure call message meets a predetermined interception condition and the name of the operation process is included in a preset malicious program process list, intercepting the shutdown local procedure call message by the hook function includes:
if the shutdown local process call message meets a preset interception condition, acquiring an installation path of the operation process through the hook function;
extracting the name of the operation process from the acquired installation path of the operation process;
and inquiring a preset malicious program process list, and if the name of the operation process is contained in the preset malicious program process list, intercepting the shutdown local process call message.
4. The method for intercepting shutdown of a malicious program according to claim 3, wherein intercepting the shutdown local procedure call message comprises:
And exiting the hook function, and not transmitting the shutdown local procedure call message to the kernel function which sends the shutdown local procedure call message.
5. The method for intercepting malware shutdown of claim 1, further comprising:
If the shutdown local process call message does not meet the preset interception condition or the name of the operation process is not contained in a preset malicious program process list, transmitting the shutdown local process call message to a kernel function sending the shutdown local process call message through the hook function.
6. The method for intercepting shutdown of a malicious program according to claim 5, wherein before the step of transmitting the shutdown local procedure call message to a kernel function that sends the shutdown local procedure call message through the hook function, the method further comprises:
and updating the current address of the kernel function sending the shutdown local procedure call message into the original address of the saved kernel function sending the shutdown local procedure call message in a system service descriptor table.
7. the method for intercepting shutdown of a malicious program according to any one of claims 1 to 6, wherein the malicious program process list is an extensible malicious program process list.
8. An apparatus for intercepting shutdown of a malicious program, comprising:
a monitoring module, configured to monitor, through a hook function, a shutdown local procedure call message sent by an operation process, where the hook function hooks the kernel function that sends the shutdown local procedure call message, and the shutdown local procedure call message includes a handle value of a target port and an operation command value;
a judging module, configured to judge, through the hook function, whether the shutdown local procedure call message meets a predetermined interception condition; and
an interception module, configured to intercept the shutdown local procedure call message through the hook function if the shutdown local procedure call message meets the predetermined interception condition and the name of the operation process is included in a preset malicious program process list;
wherein the predetermined interception condition comprises a predetermined shutdown port handle value and a predetermined shutdown operation command value, the predetermined shutdown port handle value being the handle value of the shutdown or restart port, and the predetermined shutdown operation command value comprising shutdown and restart;
and wherein the judging module comprises:
a first judging unit, configured to judge, through the hook function, whether the handle value of the target port in the shutdown local procedure call message is the same as the predetermined shutdown port handle value;
a second judging unit, configured to judge, if the handle value of the target port is the same as the predetermined shutdown port handle value, whether the operation command value in the shutdown local procedure call message is shutdown or restart; and
a message determining unit, configured to determine that the shutdown local procedure call message meets the predetermined interception condition if the operation command value in the shutdown local procedure call message is shutdown or restart.
9. The apparatus for intercepting shutdown of a malicious program according to claim 8, further comprising a hooking module, wherein the hooking module comprises:
a first obtaining unit, configured to query a preset system service descriptor table, obtain the current address of the kernel function that sends the shutdown local procedure call message, and save the obtained current address of that kernel function;
a second obtaining unit, configured to create a hook function and obtain the function address of the hook function; and
an address updating unit, configured to update, in the system service descriptor table, the current address of the kernel function that sends the shutdown local procedure call message to the function address of the hook function.
10. The apparatus for intercepting shutdown of a malicious program according to claim 8, wherein the interception module comprises:
an obtaining unit, configured to acquire, through the hook function, the installation path of the operation process if the shutdown local procedure call message meets the predetermined interception condition;
an extracting unit, configured to extract the name of the operation process from the acquired installation path of the operation process; and
an intercepting unit, configured to query the preset malicious program process list and to intercept the shutdown local procedure call message if the name of the operation process is included in the preset malicious program process list.
11. The apparatus for intercepting shutdown of a malicious program according to claim 10, wherein the intercepting unit is specifically configured to exit the hook function without transmitting the shutdown local procedure call message to the kernel function that sends the shutdown local procedure call message.
12. The apparatus for intercepting shutdown of a malicious program according to claim 8, wherein the interception module is further configured to transmit the shutdown local procedure call message through the hook function to the kernel function that sends the shutdown local procedure call message if the shutdown local procedure call message does not meet the predetermined interception condition or the name of the operation process is not included in the preset malicious program process list.
13. The apparatus for intercepting shutdown of a malicious program according to claim 12, wherein the interception module is further configured to update, in the system service descriptor table, the current address of the kernel function that sends the shutdown local procedure call message to the saved original address of that kernel function.
14. The apparatus for intercepting shutdown of a malicious program according to any one of claims 8 to 13, wherein the malicious program process list is an extensible malicious program process list.
15. An electronic device, characterized in that the electronic device comprises a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in a space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit is configured to supply power to each circuit or device of the electronic device; the memory is configured to store executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the method for intercepting shutdown of a malicious program according to any one of claims 1 to 7.
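The mechanism recited in method claims 3 to 7 and mirrored in apparatus claims 8 to 14, as a user-mode C model: a service-table entry is swapped for a hook that saves the original address, checks the message's port handle and command value against the predetermined interception condition, extracts the caller's process name from its installation path, looks it up in an extensible list, and either exits without forwarding or passes the message on to the saved original. This is an added example, not code from the patent or its assignee. The table, the kernel function that sends the shutdown LPC message, the message layout, the port handle value 0x1a4, the status values and the process names are constructed stand-ins, because the page names none of them.

```c
/* User-mode model of the SSDT hook the claims describe. Added example, not code
 * from the patent: the service table, the kernel function that sends the shutdown
 * LPC message, the message layout, the port handle value and the process names
 * are constructed stand-ins; the page supplies none of them. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

enum { CMD_SHUTDOWN = 1, CMD_RESTART = 2, CMD_LOGOFF = 3 };
typedef enum { STATUS_SUCCESS = 0, STATUS_ACCESS_DENIED = 1 } nt_status_t;
/* Shutdown LPC message as the claims put it: target port handle value plus
 * operation command value (constructed layout). */
typedef struct { uintptr_t port_handle; int command; } lpc_msg_t;
typedef nt_status_t (*syscall_fn_t)(const lpc_msg_t *msg);
#define SHUTDOWN_PORT_HANDLE ((uintptr_t)0x1a4) /* assumed shutdown/restart port handle */
enum { SYSCALL_SEND_LPC = 0, SSDT_SIZE = 1 };

static syscall_fn_t g_ssdt[SSDT_SIZE];       /* modelled system service descriptor table */
static syscall_fn_t g_saved_original = NULL; /* original address, saved when hooking */
static int g_forwarded = 0;                  /* messages that reached the original */
static const char *g_caller_path = "";       /* installation path of the operation process */
static const char *g_malware_list[8] = { "evil.exe", "wiper.exe" }; /* preset, extensible */
static size_t g_malware_count = 2;

/* The modelled kernel function: delivers the message to the port. */
static nt_status_t original_send_lpc(const lpc_msg_t *msg) {
    (void)msg; g_forwarded++; return STATUS_SUCCESS;
}
int forwarded_count(void) { return g_forwarded; }

bool add_malware_name(const char *name) { /* claim 7: the list is extensible */
    if (g_malware_count >= sizeof g_malware_list / sizeof g_malware_list[0]) return false;
    g_malware_list[g_malware_count++] = name;
    return true;
}

/* Extraction step: the process name is the text after the last path separator. */
const char *process_name_from_path(const char *path) {
    const char *name = path;
    for (const char *p = path; *p; p++)
        if (*p == '\\' || *p == '/') name = p + 1;
    return name;
}

/* Windows image names are case-insensitive, so the lookup is too. */
static bool ascii_ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}
bool in_malware_list(const char *name) {
    for (size_t i = 0; i < g_malware_count; i++)
        if (ascii_ieq(name, g_malware_list[i])) return true;
    return false;
}

/* Judging step: both halves of the predetermined interception condition. */
bool meets_interception_condition(const lpc_msg_t *msg) {
    return msg->port_handle == SHUTDOWN_PORT_HANDLE &&
           (msg->command == CMD_SHUTDOWN || msg->command == CMD_RESTART);
}

/* The hook function installed in place of the kernel function. */
nt_status_t hooked_send_lpc(const lpc_msg_t *msg) {
    if (meets_interception_condition(msg) &&
        in_malware_list(process_name_from_path(g_caller_path)))
        return STATUS_ACCESS_DENIED; /* claim 4: exit without forwarding */
    /* Claim 5 pass-through via the saved original. Claim 6 instead writes the
     * original address back into the table first; that unhooks every later
     * call unless the hook is re-installed, which the claims do not mention. */
    return g_saved_original(msg);
}

/* Hooking step (claim 9): save the current table entry, then point it at the hook. */
bool install_hook(void) {
    if (g_ssdt[SYSCALL_SEND_LPC] == hooked_send_lpc) return false; /* already hooked */
    g_saved_original = g_ssdt[SYSCALL_SEND_LPC];
    g_ssdt[SYSCALL_SEND_LPC] = hooked_send_lpc;
    return true;
}
bool remove_hook(void) {
    if (!g_saved_original) return false;
    g_ssdt[SYSCALL_SEND_LPC] = g_saved_original; g_saved_original = NULL;
    return true;
}
bool reset_model(void) {
    g_ssdt[SYSCALL_SEND_LPC] = original_send_lpc; g_saved_original = NULL; g_forwarded = 0;
    return true;
}

/* A shutdown request as the table sees it: caller, target port, command. */
nt_status_t send_shutdown_request(const char *caller_path, uintptr_t port, int cmd) {
    lpc_msg_t msg = { port, cmd };
    g_caller_path = caller_path;
    return g_ssdt[SYSCALL_SEND_LPC](&msg);
}
```

Drive it with reset_model(), install_hook() and send_shutdown_request(path, port, command): STATUS_ACCESS_DENIED means the hook swallowed the message, STATUS_SUCCESS means it reached the original. Two caveats follow directly from the claims. The decision rests on the file name extracted from the installation path, so a listed program evades it by renaming its binary. And claim 6 restores the original address in the system service descriptor table before each pass-through, which leaves the table unhooked for every subsequent caller unless the hook address is written back, a step the claims do not recite. Independently of the claims, overwriting SSDT entries on 64-bit Windows is detected by Kernel Patch Protection and ends in a bug check, so in practice the technique is confined to 32-bit kernels.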
CN201610512732.8A 2016-06-30 2016-06-30 Method and device for intercepting shutdown of malicious program and electronic equipment Active CN106203092B (en)

Publications (2)

Publication Number Publication Date
CN106203092A CN106203092A (en) 2016-12-07
CN106203092B true CN106203092B (en) 2019-12-10

Family

ID=57464032

Country Status (1)

Country Link
CN (1) CN106203092B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108846287A (en) * 2018-06-26 2018-11-20 北京奇安信科技有限公司 Method and device for detecting vulnerability attacks
CN108804147B (en) * 2018-05-28 2022-05-10 新华三云计算技术有限公司 Linkage shutdown method and device and client
CN111639341B (en) * 2020-05-29 2023-09-05 北京金山云网络技术有限公司 Malicious program detection method and device, electronic equipment and storage medium
CN114138369A (en) * 2021-12-02 2022-03-04 北京江民新科技术有限公司 Process protection method and system for the whole Windows system
CN114327010A (en) * 2021-12-28 2022-04-12 杭州雾联科技有限公司 System control method, device and medium

Citations (6)

Publication number Priority date Publication date Assignee Title
CN101094245A (en) * 2007-07-11 2007-12-26 华中科技大学 Game platform system based on a peer-to-peer overlay network
CN102413142A (en) * 2011-11-30 2012-04-11 华中科技大学 Active defense method based on cloud platform
CN102831358A (en) * 2012-09-21 2012-12-19 北京奇虎科技有限公司 Method and device for preventing homepage tampering
CN102932329A (en) * 2012-09-26 2013-02-13 北京奇虎科技有限公司 Method and device for intercepting behaviors of program, and client equipment
CN103036895A (en) * 2012-12-20 2013-04-10 北京奇虎科技有限公司 Method and system for state tracking
CN103810031A (en) * 2014-02-26 2014-05-21 珠海市君天电子科技有限公司 Method and device for managing wireless network shared software

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
CN103795703A (en) * 2011-04-18 2014-05-14 北京奇虎科技有限公司 Method for ensuring user network security and client

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20190117

Address after: 519031 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province

Applicant after: Zhuhai Leopard Technology Co.,Ltd.

Address before: 100085 East District, No. 33 Xiaoying West Road, Haidian District, Beijing

Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.

GR01 Patent grant