CN106203118B - Processing method and device for modifying flicker time of insertion mark and electronic equipment - Google Patents

Info

Publication number
CN106203118B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610551698.5A
Other languages
Chinese (zh)
Other versions
CN106203118A (en)
Inventor
杨峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhuhai Baoqu Technology Co Ltd
Original Assignee
Beijing Kingsoft Internet Security Software Co Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The invention discloses a processing method and device for modifying the blink time of an insertion mark (caret), and an electronic device, which address the problem that the prior art cannot prevent malicious software from modifying the insertion-mark blink time, so that system security cannot be effectively protected. The method comprises: detecting a software process calling the shutdown prohibition function; when such a call is detected, acquiring the first function index number that the software process passes in when calling the shutdown prohibition function; determining whether the first function index number is the same as the second function index number of the kernel corresponding to the function that modifies the insertion-mark blink time; if they are not the same, calling the shutdown prohibition function to perform the operation corresponding to the first function index number, otherwise determining whether the software process is a malicious software process; if it is a malicious software process, refusing the operation of modifying the insertion-mark blink time, otherwise calling the shutdown prohibition function to perform that operation. The method is suitable for handling operations that modify the insertion-mark blink time.

Description

Processing method and device for modifying the blink time of an insertion mark, and electronic equipment
Technical field
The present invention relates to the technical field of system security, and in particular to a processing method and device for modifying the blink time of an insertion mark, and an electronic device.
Background art
Computer systems provide the SetCaretBlinkTime function for setting the blink time of the insertion mark (caret), in milliseconds. Malware can use this function to change the blink time of the insertion mark. If the blink time is set to 1 millisecond, then when the user works with an insertion mark, the mark the user sees blinks extremely fast, seriously damaging the user's system environment.
At present, to prevent the insertion-mark blink time from being modified, the usual approach is to hook the application-layer SetCaretBlinkTime function. The system kernel function corresponding to SetCaretBlinkTime is NtUserCallOneParam. NtUserCallOneParam is a common function: for many application-layer functions, the corresponding kernel function is this one. NtUserCallOneParam distinguishes the different application-layer functions by a function index number. A malicious program can modify the insertion-mark blink time by calling the kernel's NtUserCallOneParam function and passing in the corresponding function index number, and in this way can damage the computer system environment.
Therefore, the existing way of handling modification of the insertion-mark blink time cannot prevent malware from modifying it, so that system security cannot be effectively protected.
Summary of the invention
In view of this, embodiments of the present invention provide a processing method and device for modifying the blink time of an insertion mark, and an electronic device, which can prevent malware from modifying the insertion-mark blink time and thereby effectively protect system security.
In a first aspect, an embodiment of the present invention provides a processing method for modifying the blink time of an insertion mark, comprising:
detecting a software process calling the shutdown prohibition function;
when a software process is detected calling the shutdown prohibition function, acquiring the first function index number that the software process passes in when calling the shutdown prohibition function;
determining whether the first function index number is the same as the second function index number of the kernel corresponding to the function that modifies the insertion-mark blink time;
if they are not the same, calling the shutdown prohibition function to perform the operation corresponding to the first function index number, otherwise determining whether the software process is a malicious software process;
if the software process is a malicious software process, refusing the operation of modifying the insertion-mark blink time, otherwise calling the shutdown prohibition function to perform the operation of modifying the insertion-mark blink time.
With reference to the first aspect, in a first implementation of the first aspect, the second function index number of the kernel corresponding to the function that modifies the insertion-mark blink time differs between systems.
With reference to the first aspect, in a second implementation of the first aspect, determining whether the software process is a malicious software process comprises:
acquiring the feature information of the software process;
querying for the feature information of the software process in a feature database that stores feature information of malicious software processes;
if the feature information of the software process is found, determining that the software process is a malicious software process, otherwise determining that it is not a malicious software process.
With reference to the second implementation of the first aspect, in a third implementation of the first aspect, before detecting a software process calling the shutdown prohibition function, the method further comprises:
establishing a feature database and storing the acquired feature information of malicious software processes in it.
In a second aspect, an embodiment of the present invention provides a processing device for modifying the blink time of an insertion mark, comprising:
a detection unit, configured to detect a software process calling the shutdown prohibition function;
an acquiring unit, configured to acquire, when the detection unit detects a software process calling the shutdown prohibition function, the first function index number that the software process passes in when calling the shutdown prohibition function;
a first judging unit, configured to determine whether the first function index number is the same as the second function index number of the kernel corresponding to the function that modifies the insertion-mark blink time;
a first processing unit, configured to call the shutdown prohibition function to perform the operation corresponding to the first function index number when the first judging unit finds that the numbers are not the same;
a second judging unit, configured to determine whether the software process is a malicious software process when the first judging unit finds that the numbers are the same;
a second processing unit, configured to refuse the operation of modifying the insertion-mark blink time when the second judging unit determines that the software process is a malicious software process;
a third processing unit, configured to call the shutdown prohibition function to perform the operation of modifying the insertion-mark blink time when the second judging unit determines that the software process is not a malicious software process.
With reference to the second aspect, in a first implementation of the second aspect, the second function index number of the kernel corresponding to the function that modifies the insertion-mark blink time differs between systems.
With reference to the second aspect, in a second implementation of the second aspect, the second judging unit comprises:
an acquiring subunit, configured to acquire the feature information of the software process;
a query subunit, configured to query for the feature information of the software process in a feature database that stores feature information of malicious software processes;
a judging subunit, configured to determine that the software process is a malicious software process when the query subunit finds the feature information of the software process, and otherwise to determine that it is not a malicious software process.
With reference to the second implementation of the second aspect, in a third implementation of the second aspect, the device further comprises:
an establishing unit, configured to establish a feature database and store the acquired feature information of malicious software processes in it, before the detection unit detects a software process calling the shutdown prohibition function.
In a third aspect, an embodiment of the present invention provides an electronic device comprising a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or component of the electronic device; the memory stores executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to execute any of the foregoing processing methods for modifying the blink time of an insertion mark.
In the processing method and device for modifying the blink time of an insertion mark, and the electronic device, provided by embodiments of the present invention, when a software process is detected calling the shutdown prohibition function, the first function index number passed in by the software process is acquired, and it is determined whether that number is the same as the second function index number of the kernel corresponding to the function that modifies the insertion-mark blink time. If they are not the same, the shutdown prohibition function is called to perform the operation corresponding to the first function index number; otherwise it is determined whether the software process is a malicious software process. If it is, the operation of modifying the insertion-mark blink time is refused; otherwise the shutdown prohibition function is called to perform that operation. Compared with the prior art, the present invention, by hooking the shutdown prohibition function, can intercept a malicious software process's attempt to modify the insertion-mark blink time through the kernel before the shutdown prohibition function executes, preventing malware from modifying the insertion-mark blink time and thereby effectively protecting system security.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of embodiment one of the processing method for modifying the blink time of an insertion mark according to the present invention;
Fig. 2 is a flow chart of embodiment two of the processing method for modifying the blink time of an insertion mark according to the present invention;
Fig. 3 is a structural schematic diagram of embodiment one of the processing device for modifying the blink time of an insertion mark according to the present invention;
Fig. 4 is a structural schematic diagram of embodiment two of the processing device for modifying the blink time of an insertion mark according to the present invention;
Fig. 5 is a structural schematic diagram of an embodiment of the electronic device of the present invention.
Detailed description
The embodiments of the present invention are described in detail below with reference to the drawings.
It should be understood that the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention, without creative effort, fall within the protection scope of the present invention.
In the following embodiments of the present invention, the NtUserCallOneParam function is the shutdown prohibition function, and the SetCaretBlinkTime function is the function that modifies the insertion-mark blink time.
Fig. 1 is a flow chart of embodiment one of the processing method for modifying the blink time of an insertion mark according to the present invention. As shown in Fig. 1, the method of this embodiment may include:
Step S11: detect a software process calling the NtUserCallOneParam function.
In this embodiment, NtUserCallOneParam is a common function of the kernel layer; for many application-layer functions, the corresponding kernel function is NtUserCallOneParam.
Step S12: when a software process is detected calling the NtUserCallOneParam function, acquire the first function index number that the software process passes in when calling NtUserCallOneParam.
In this embodiment, a software process passes a first function index number to the kernel layer when it calls the NtUserCallOneParam function.
Specifically, the above operations can be implemented by a hook function attached to NtUserCallOneParam. When a software process is detected calling NtUserCallOneParam, the hook function acquires the first function index number that the software process passes to the kernel layer, before NtUserCallOneParam is executed.
Step S13: determine whether the first function index number is the same as the second function index number of the kernel corresponding to the SetCaretBlinkTime function. If they are not the same, execute step S14; otherwise execute step S15.
In this embodiment, SetCaretBlinkTime is an application-layer function, and the second function index number of the kernel corresponding to it differs between systems. Specifically, the second function index number is 59 on XP, 62 on Win7, 64 on Win8, 66 on Win8.1 and 68 on Win10.
Specifically, the process of step S13 can be implemented by the hook function in step S12.
Step S14: call the NtUserCallOneParam function to perform the operation corresponding to the first function index number.
In this embodiment, if the first function index number is not the same as the second function index number of the kernel corresponding to the SetCaretBlinkTime function, the operation requested by the software process is not a modification of the insertion-mark blink time, so the software process can be executed.
Step S15: determine whether the software process is a malicious software process. If it is, execute step S16; otherwise execute step S17.
In this embodiment, malware refers to programs such as viruses, worms and Trojan horses that perform malicious tasks on a system and take control of the system by damaging software processes.
Specifically, the process of step S17 can be implemented by the hook function in step S12.
Step S16: refuse the operation of modifying the insertion-mark blink time.
In this embodiment, if the software process is a malicious software process, performing the operation of modifying the insertion-mark blink time may harm system security, so this operation needs to be intercepted and the current operation ended.
Specifically, the process of step S17 can be implemented by the hook function in step S12.
Step S17: call the NtUserCallOneParam function to perform the operation of modifying the insertion-mark blink time.
In this embodiment, if the software process is not a malicious software process, the modification of the insertion-mark blink time requested by the software process is a normal operation and can be allowed to proceed.
Specifically, the process of step S17 can be implemented by the hook function in step S12.
In this embodiment, when a software process is detected calling the NtUserCallOneParam function, the first function index number passed in by the software process is acquired, and it is determined whether that number is the same as the second function index number of the kernel corresponding to the SetCaretBlinkTime function. If they are not the same, NtUserCallOneParam is called to perform the operation corresponding to the first function index number; otherwise it is determined whether the software process is a malicious software process. If it is, the operation of modifying the insertion-mark blink time is refused; otherwise NtUserCallOneParam is called to perform that operation. Compared with the prior art, the present invention, by hooking the NtUserCallOneParam function, can intercept a malicious software process's attempt to modify the insertion-mark blink time through the kernel before NtUserCallOneParam executes, preventing malware from modifying the insertion-mark blink time and thereby effectively protecting system security.
Fig. 2 is a flow chart of embodiment two of the processing method for modifying the blink time of an insertion mark according to the present invention. As shown in Fig. 2, the method of this embodiment may include:
Step S21: establish a feature database and store the acquired feature information of malicious software processes in it.
In this embodiment, the feature database can be built from the malicious software processes detected by the security software on the system, with the feature information of each detected malicious software process stored in the database; alternatively, the user can manually add feature information of malicious software processes to the database. The feature information of a software process can be a feature code; each software process has a unique feature code.
Further, the feature database can also be updated according to the real-time monitoring results of the security software.
Step S22: detect a software process calling the NtUserCallOneParam function.
In this embodiment, the process of detecting a software process calling NtUserCallOneParam is similar to step S11 of the method embodiment above and is not repeated here.
Step S23: when a software process is detected calling the NtUserCallOneParam function, acquire the first function index number that the software process passes in when calling NtUserCallOneParam.
In this embodiment, the process of acquiring the first function index number passed in when the software process calls NtUserCallOneParam is similar to step S12 of the method embodiment above and is not repeated here.
Step S24: determine whether the first function index number is the same as the second function index number of the kernel corresponding to the SetCaretBlinkTime function. If they are not the same, execute step S25; otherwise execute steps S26 and S27.
In this embodiment, the process of determining whether the first function index number is the same as the second function index number of the kernel corresponding to the SetCaretBlinkTime function is similar to step S13 of the method embodiment above and is not repeated here.
Step S25: call the NtUserCallOneParam function to perform the operation corresponding to the first function index number.
In this embodiment, the process of calling NtUserCallOneParam to perform the operation corresponding to the first function index number is similar to step S14 of the method embodiment above and is not repeated here.
Step S26: acquire the feature information of the software process.
In this embodiment, the feature information of the software process can be a feature code; each software process has a unique feature code.
Specifically, the process of step S26 can be implemented by the hook function in step S12.
Step S27: query for the feature information of the software process in the feature database that stores feature information of malicious software processes. If the feature information of the software process is found, determine that the software process is a malicious software process and execute step S28; otherwise determine that the software process is not a malicious software process and execute step S29.
In this embodiment, malware refers to programs such as viruses, worms and Trojan horses that perform malicious tasks on a system and take control of the system by damaging software processes.
Specifically, the process of step S27 can be implemented by the hook function in step S12.
Step S28: refuse the operation of modifying the insertion-mark blink time.
In this embodiment, the process of refusing the operation of modifying the insertion-mark blink time is similar to step S16 of the method embodiment above and is not repeated here.
Step S29: call the NtUserCallOneParam function to perform the operation of modifying the insertion-mark blink time.
In this embodiment, the process of calling NtUserCallOneParam to perform the operation of modifying the insertion-mark blink time is similar to step S17 of the method embodiment above and is not repeated here.
In this embodiment, when a software process is detected calling the NtUserCallOneParam function, the first function index number passed in by the software process is acquired, and it is determined whether that number is the same as the second function index number of the kernel corresponding to the SetCaretBlinkTime function. If they are not the same, NtUserCallOneParam is called to perform the operation corresponding to the first function index number; otherwise the feature information of the software process is queried in the feature database that stores feature information of malicious software processes, to determine whether the software process is a malicious software process. If it is, the operation of modifying the insertion-mark blink time is refused; otherwise NtUserCallOneParam is called to perform that operation. Compared with the prior art, the present invention, by hooking the NtUserCallOneParam function, can intercept a malicious software process's attempt to modify the insertion-mark blink time through the kernel before NtUserCallOneParam executes, preventing malware from modifying the insertion-mark blink time and thereby effectively protecting system security.
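The decision flow of steps S11 to S17, together with the feature-database lookup of steps S26 and S27, as an added example that is not code from the patent. It is a user-mode C model rather than a kernel hook: model_original stands in for the real NtUserCallOneParam, and every name, the feature strings and the 530 ms starting value are constructed; only the per-system index numbers come from the description.

```c
#include <stdio.h>
#include <string.h>

/* Systems named in the description. */
typedef enum { OS_XP, OS_WIN7, OS_WIN8, OS_WIN81, OS_WIN10, OS_COUNT } os_version;

/* Second function index number per system (values from the description). */
static const unsigned long CARET_BLINK_INDEX[OS_COUNT] = { 59, 62, 64, 66, 68 };

typedef enum { PASSED_THROUGH, DENIED, ALLOWED, UNSUPPORTED } verdict;

/* Constructed feature database (step S21); entries are placeholders. */
static const char *const FEATURE_DB[] = {
    "constructed-feature-A",
    "constructed-feature-B",
};

/* Modelled system state, so the effect of each verdict can be observed. */
static unsigned long caret_blink_ms = 530; /* constructed starting value */
static unsigned long other_calls = 0;      /* non-caret operations executed */

void reset_model(void)
{
    caret_blink_ms = 530;
    other_calls = 0;
}

/* Hypothetical stand-in for the original kernel function: applies the
 * blink time when the index selects that operation, otherwise just
 * counts the call. */
static void model_original(os_version os, unsigned long param,
                           unsigned long index)
{
    if (index == CARET_BLINK_INDEX[os])
        caret_blink_ms = param;
    else
        other_calls++;
}

/* Steps S26-S27: the process is malicious only if its feature
 * information is found in the database. */
int is_malicious(const char *feature)
{
    size_t i;
    if (feature == NULL)
        return 0;
    for (i = 0; i < sizeof FEATURE_DB / sizeof FEATURE_DB[0]; i++)
        if (strcmp(feature, FEATURE_DB[i]) == 0)
            return 1;
    return 0;
}

/* The hook: runs before the original function and decides its fate. */
verdict hook_call_one_param(os_version os, const char *caller_feature,
                            unsigned long param, unsigned long first_index)
{
    /* Assumption of this model: with no index known for the system,
     * the hook cannot classify the call and does nothing. */
    if ((int)os < 0 || (int)os >= (int)OS_COUNT)
        return UNSUPPORTED;

    /* S13 -> S14: a different index is some other operation. */
    if (first_index != CARET_BLINK_INDEX[os]) {
        model_original(os, param, first_index);
        return PASSED_THROUGH;
    }

    /* S15 -> S16: caret blink change requested by a known-bad process. */
    if (is_malicious(caller_feature))
        return DENIED;

    /* S17: caret blink change requested by any other process. */
    model_original(os, param, first_index);
    return ALLOWED;
}

int main(void)
{
    static const char *const names[] = {
        "passed through", "denied", "allowed", "unsupported"
    };
    verdict v;

    reset_model();
    v = hook_call_one_param(OS_WIN7, "constructed-feature-A", 1, 62);
    printf("Win7, index 62, listed process: %s (blink %lu ms)\n",
           names[v], caret_blink_ms);
    v = hook_call_one_param(OS_WIN7, "constructed-benign", 500, 62);
    printf("Win7, index 62, unlisted process: %s (blink %lu ms)\n",
           names[v], caret_blink_ms);
    v = hook_call_one_param(OS_WIN10, "constructed-feature-A", 1, 62);
    printf("Win10, index 62, listed process: %s (blink %lu ms)\n",
           names[v], caret_blink_ms);
    return 0;
}
```

The third call shows why the index table has to match the running system: 62 selects the caret operation on Win7 but a different operation on Win10, where the hook has to compare against 68.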
Fig. 3 is a structural schematic diagram of embodiment one of the processing device for modifying the blink time of an insertion mark according to the present invention. As shown in Fig. 3, the device of this embodiment may include a detection unit 11, an acquiring unit 12, a first judging unit 13, a first processing unit 14, a second judging unit 15, a second processing unit 16 and a third processing unit 17. The detection unit 11 is configured to detect a software process calling the NtUserCallOneParam function. The acquiring unit 12 is configured to acquire, when the detection unit 11 detects a software process calling NtUserCallOneParam, the first function index number that the software process passes in when calling NtUserCallOneParam. The first judging unit 13 is configured to determine whether the first function index number is the same as the second function index number of the kernel corresponding to the SetCaretBlinkTime function. The first processing unit 14 is configured to call NtUserCallOneParam to perform the operation corresponding to the first function index number when the first judging unit 13 finds that the numbers are not the same. The second judging unit 15 is configured to determine whether the software process is a malicious software process when the first judging unit 13 finds that the numbers are the same. The second processing unit 16 is configured to refuse the operation of modifying the insertion-mark blink time when the second judging unit 15 determines that the software process is a malicious software process. The third processing unit 17 is configured to call NtUserCallOneParam to perform the operation of modifying the insertion-mark blink time when the second judging unit 15 determines that the software process is not a malicious software process.
The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 1; its implementation principle and technical effect are similar and are not repeated here.
Further, the second function index number of the kernel corresponding to the SetCaretBlinkTime function differs between systems.
Further, the second function index number of the kernel corresponding to the SetCaretBlinkTime function is 59 on XP, 62 on Win7, 64 on Win8, 66 on Win8.1 and 68 on Win10.
Fig. 4 is a structural schematic diagram of embodiment two of the processing device for modifying the blink time of an insertion mark according to the present invention. As shown in Fig. 4, the device of this embodiment builds on the device structure shown in Fig. 3; further, the second judging unit 15 includes:
an acquiring subunit 151, configured to acquire the feature information of the software process;
a query subunit 152, configured to query for the feature information of the software process in the feature database that stores feature information of malicious software processes;
a judging subunit 153, configured to determine that the software process is a malicious software process when the query subunit 152 finds the feature information of the software process, and otherwise to determine that it is not a malicious software process.
Further, the device also includes:
an establishing unit 18, configured to establish a feature database and store the acquired feature information of malicious software processes in it, before the detection unit 11 detects a software process calling the NtUserCallOneParam function.
The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 1 or Fig. 2; its implementation principle and technical effect are similar and are not repeated here.
It should be noted that, in this document, relational terms such as first and second and the like are used merely to a reality Body or operation are distinguished with another entity or operation, are deposited without necessarily requiring or implying between these entities or operation In any actual relationship or order or sequence.Moreover, the terms "include", "comprise" or its any other variant are intended to Non-exclusive inclusion, so that the process, method, article or equipment including a series of elements is not only wanted including those Element, but also including other elements that are not explicitly listed, or further include for this process, method, article or equipment Intrinsic element.In the absence of more restrictions, the element limited by sentence "including a ...", it is not excluded that There is also other identical elements in process, method, article or equipment including the element.
Each embodiment in this specification is all made of relevant mode and describes, same and similar portion between each embodiment Dividing may refer to each other, and each embodiment focuses on the differences from other embodiments.
For Installation practice, since it is substantially similar to the method embodiment, so the comparison of description is simple Single, the relevent part can refer to the partial explaination of embodiments of method.
The logic and/or steps represented in the flowcharts or otherwise described herein, for example an ordered list of executable instructions for implementing logic functions, may be embodied in any computer-readable medium for use by, or in connection with, an instruction execution system, apparatus or device (such as a computer-based system, a system including a processor, or another system that can fetch instructions from an instruction execution system, apparatus or device and execute them). For the purposes of this specification, a "computer-readable medium" can be any means that can contain, store, communicate, propagate or transmit a program for use by, or in connection with, an instruction execution system, apparatus or device. More specific examples (a non-exhaustive list) of computer-readable media include: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and portable compact disc read-only memory (CDROM). In addition, the computer-readable medium may even be paper or another suitable medium on which the program can be printed, since the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or, if necessary, otherwise suitably processing it, and then stored in computer memory.
It should be understood that each part of the present invention can be implemented in hardware, software, firmware or a combination thereof.
In the above embodiments, multiple steps or methods may be implemented in software or firmware that is stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or a combination of the following techniques well known in the art may be used: discrete logic circuits having logic gates for implementing logic functions on data signals, application-specific integrated circuits having suitable combinational logic gates, programmable gate arrays (PGA), field programmable gate arrays (FPGA), and so on.
An embodiment of the present invention also provides an electronic device, which includes the device described in any of the foregoing embodiments.
Fig. 5 is a structural schematic diagram of an embodiment of the electronic device of the present invention, which can implement the flow of the embodiment shown in Fig. 1 or Fig. 2. As shown in Fig. 5, the electronic device may include: a housing 31, a processor 32, a memory 33, a circuit board 34 and a power supply circuit 35, where the circuit board 34 is placed inside the space enclosed by the housing 31, and the processor 32 and the memory 33 are arranged on the circuit board 34; the power supply circuit 35 supplies power to each circuit or component of the electronic device; the memory 33 stores executable program code; and the processor 32 reads the executable program code stored in the memory 33 and runs the program corresponding to that code, in order to execute the processing method for modifying the insertion-mark flicker time of any of the foregoing embodiments.
For the specific way in which the processor 32 executes the above steps, and for the steps it further executes by running the executable program code, refer to the description of the embodiment shown in Fig. 1 or Fig. 2 of the present invention; they are not repeated here.
The electronic equipment exists in a variety of forms, including but not limited to:
(1) Mobile communication devices: devices of this kind have mobile communication functions, and their main goal is to provide voice and data communication. Such terminals include smartphones (such as the iPhone), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: devices of this kind belong to the category of personal computers, have computing and processing functions, and generally also have mobile Internet access. Such terminals include PDA, MID and UMPC devices, such as the iPad.
(3) Portable entertainment devices: devices of this kind can display and play multimedia content. They include audio and video players (such as the iPod), handheld devices, e-book readers, smart toys and portable in-vehicle navigation devices.
(4) Servers: devices that provide computing services. A server consists of a processor, hard disk, memory, system bus and so on; its architecture is similar to that of a general-purpose computer, but because it must provide highly reliable service, the requirements on processing capability, stability, reliability, security, scalability and manageability are higher.
(5) other electronic equipments with data interaction function.
Those skilled in the art will understand that all or part of the steps carried by the above method embodiments can be completed by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium and, when executed, includes one of the steps of the method embodiment or a combination thereof.
For convenience of description, the above device is described as divided by function into various units/modules. Of course, when implementing the present invention, the functions of the units/modules can be implemented in one or more pieces of software and/or hardware.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by means of software plus a necessary general-purpose hardware platform. Based on this understanding, the essence of the technical solution of the present invention, or in other words the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the embodiments, or in certain parts of the embodiments, of the present invention.

Claims (9)

1. A processing method for modifying the insertion-mark flicker time, characterized by comprising:
detecting the behavior of a software process calling the shutdown-prohibiting function, wherein the shutdown-prohibiting function is the NtUserCallOneParam function;
when the behavior of the software process calling the shutdown-prohibiting function is detected, obtaining the first function index number passed in when the software process calls the shutdown-prohibiting function;
judging whether the first function index number is identical to the second function index number of the kernel corresponding to the function that modifies the insertion-mark flicker time;
if they are not identical, calling the shutdown-prohibiting function to execute the operation corresponding to the first function index number, and otherwise judging whether the software process is a malicious software process;
if the software process is a malicious software process, refusing to perform the operation of modifying the insertion-mark flicker time, and otherwise calling the shutdown-prohibiting function to execute the operation of modifying the insertion-mark flicker time.
2. The processing method for modifying the insertion-mark flicker time according to claim 1, characterized in that the second function index number of the kernel corresponding to the function that modifies the insertion-mark flicker time differs between different systems.
3. The processing method for modifying the insertion-mark flicker time according to claim 1, characterized in that judging whether the software process is a malicious software process comprises:
obtaining the characteristic information of the software process;
querying the characteristic information of the software process in a feature library that stores characteristic information of malicious software processes;
if the characteristic information of the software process is found, determining that the software process is a malicious software process, and otherwise determining that the software process is not a malicious software process.
4. The processing method for modifying the insertion-mark flicker time according to claim 3, characterized in that, before detecting the behavior of a software process calling the shutdown-prohibiting function, the method further comprises:
establishing a feature library, and storing the acquired characteristic information of malicious software processes in the feature library.
5. A processing device for modifying the insertion-mark flicker time, characterized by comprising:
a detection unit, configured to detect the behavior of a software process calling the shutdown-prohibiting function, wherein the shutdown-prohibiting function is the NtUserCallOneParam function;
an acquiring unit, configured to obtain, when the detection unit detects the behavior of the software process calling the shutdown-prohibiting function, the first function index number passed in when the software process calls the shutdown-prohibiting function;
a first judging unit, configured to judge whether the first function index number is identical to the second function index number of the kernel corresponding to the function that modifies the insertion-mark flicker time;
a first processing unit, configured to call the shutdown-prohibiting function to execute the operation corresponding to the first function index number when the judgment result of the first judging unit is that they are not identical;
a second judging unit, configured to judge whether the software process is a malicious software process when the judgment result of the first judging unit is that they are identical;
a second processing unit, configured to refuse to perform the operation of modifying the insertion-mark flicker time when the second judging unit determines that the software process is a malicious software process;
a third processing unit, configured to call the shutdown-prohibiting function to execute the operation of modifying the insertion-mark flicker time when the second judging unit determines that the software process is not a malicious software process.
6. The processing device for modifying the insertion-mark flicker time according to claim 5, characterized in that the second function index number of the kernel corresponding to the function that modifies the insertion-mark flicker time differs between different systems.
7. The processing device for modifying the insertion-mark flicker time according to claim 5, characterized in that the second judging unit comprises:
an obtaining subunit, configured to obtain the characteristic information of the software process;
a query subunit, configured to query the characteristic information of the software process in a feature library that stores characteristic information of malicious software processes;
a judgment subunit, configured to determine that the software process is a malicious software process when the query subunit finds the characteristic information of the software process, and otherwise to determine that the software process is not a malicious software process.
8. The processing device for modifying the insertion-mark flicker time according to claim 7, characterized in that the device further comprises:
an establishing unit, configured to establish a feature library before the detection unit detects the behavior of a software process calling the shutdown-prohibiting function, and to store the acquired characteristic information of malicious software processes in the feature library.
9. An electronic device, characterized in that the electronic device comprises: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or component of the electronic device; the memory stores executable program code; and the processor reads the executable program code stored in the memory and runs the program corresponding to that code, in order to execute the processing method for modifying the insertion-mark flicker time according to any one of claims 1-4.
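The decision flow of method claims 1 to 4, as an added C example that is not code from the patent or from the assignee: a call is filtered only when the index passed to the hooked function matches the per-system index of the flicker-time routine, and only then is the caller checked against the feature library. The build names, index values, feature strings, `struct desktop` and all function names are hypothetical, and the original routine is replaced by a stand-in that records the new value.

```c
#include <stdio.h>
#include <string.h>

/* Constructed placeholders: the kernel index of the flicker-time routine
   differs per system (claim 2) and the page gives no real values. */
enum os_build { BUILD_A, BUILD_B, BUILD_COUNT };
static const unsigned long blink_index[BUILD_COUNT] = { 0x1001, 0x2002 };

/* Feature library of malicious processes (claims 3 and 4); constructed
   sample strings, not real indicators. */
static const char *const feature_db[] = {
    "feat:sample-blinker-a", "feat:sample-blinker-b"
};

enum verdict { PASS_THROUGH, ALLOW_BLINK_CHANGE, DENY_BLINK_CHANGE };

/* Hypothetical stand-in for the state the original routine would change. */
struct desktop { unsigned long blink_ms; unsigned long forwarded; };

static int is_malicious(const char *feature)
{
    size_t i;
    if (feature == NULL)
        return 0;
    for (i = 0; i < sizeof feature_db / sizeof feature_db[0]; i++)
        if (strcmp(feature, feature_db[i]) == 0)
            return 1;
    return 0;
}

/* Claim 1: only a call carrying the flicker-time index reaches the
   feature-library check; every other index is forwarded untouched. */
enum verdict classify_call(enum os_build build, unsigned long index,
                           const char *feature)
{
    /* Assumption: on a build with no known index, nothing is filtered. */
    if ((unsigned)build >= BUILD_COUNT || index != blink_index[build])
        return PASS_THROUGH;
    return is_malicious(feature) ? DENY_BLINK_CHANGE : ALLOW_BLINK_CHANGE;
}

/* Hook body: returns 1 when the call was forwarded, 0 when refused. */
int hooked_call_one_param(struct desktop *d, enum os_build build,
                          unsigned long param, unsigned long index,
                          const char *feature)
{
    enum verdict v = classify_call(build, index, feature);
    if (v == DENY_BLINK_CHANGE)
        return 0;                       /* original is never reached */
    d->forwarded++;                     /* stand-in for the original call */
    if (v == ALLOW_BLINK_CHANGE)
        d->blink_ms = param;
    return 1;
}

int main(void)
{
    struct desktop d = { 530, 0 };      /* constructed starting value */
    int ok = hooked_call_one_param(&d, BUILD_A, 1, 0x1001,
                                   "feat:sample-blinker-a");
    printf("forwarded=%d blink_ms=%lu\n", ok, d.blink_ms);
    return 0;
}
```

Because the index comparison is made against a per-build table, a stale or missing entry silently turns the filter into a pass-through, which is the failure mode claim 2 implies a deployment has to test for on every supported system.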
CN201610551698.5A 2016-07-13 2016-07-13 Processing method and device for modifying flicker time of insertion mark and electronic equipment Active CN106203118B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610551698.5A CN106203118B (en) 2016-07-13 2016-07-13 Processing method and device for modifying flicker time of insertion mark and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610551698.5A CN106203118B (en) 2016-07-13 2016-07-13 Processing method and device for modifying flicker time of insertion mark and electronic equipment

Publications (2)

Publication Number Publication Date
CN106203118A CN106203118A (en) 2016-12-07
CN106203118B true CN106203118B (en) 2019-01-22

Family

ID=57477283

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610551698.5A Active CN106203118B (en) 2016-07-13 2016-07-13 Processing method and device for modifying flicker time of insertion mark and electronic equipment

Country Status (1)

Country Link
CN (1) CN106203118B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102663288A (en) * 2012-03-22 2012-09-12 奇智软件(北京)有限公司 Virus killing method and device thereof
CN102867146A (en) * 2012-09-18 2013-01-09 珠海市君天电子科技有限公司 Method and system for preventing computer virus from frequently infecting systems
CN103679032A (en) * 2013-12-13 2014-03-26 北京奇虎科技有限公司 Method and device for preventing malicious software

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8316445B2 (en) * 2008-04-23 2012-11-20 Trusted Knight Corporation System and method for protecting against malware utilizing key loggers
US8621628B2 (en) * 2010-02-25 2013-12-31 Microsoft Corporation Protecting user mode processes from improper tampering or termination


Also Published As

Publication number Publication date
CN106203118A (en) 2016-12-07

Similar Documents

Publication Publication Date Title
Wang et al. Quantitative security risk assessment of android permissions and applications
EP1619572A1 (en) System and method of identifying and preventing security violations within a computing system
CN104680084B (en) The method and system of privacy of user is protected in computer
CN106201468B (en) A kind of processing method of screenshotss, device and electronic equipment
CN104506495A (en) Intelligent network APT attack threat analysis method
WO2006074294A3 (en) Methods and apparatus providing security to computer systems and networks
CN105303107A (en) Abnormal process detection method and apparatus
CN104361281B (en) A kind of solution of Android platform phishing attack
CN106203092A (en) Method and device for intercepting shutdown of malicious program and electronic equipment
CN106203119B (en) Hide processing method, device and the electronic equipment of cursor
CN106127031A (en) Method and device for protecting process and electronic equipment
CN104462940A (en) Monitoring method and device for computer USB interface
Prince Cybersecurity: The security and protection challenges of our digital world
CN107992745A (en) Kidnap countermeasure in a kind of interface based on Android platform
CN106203115B (en) A kind of means of defence of application program, device and electronic equipment
CN106203118B (en) Processing method and device for modifying flicker time of insertion mark and electronic equipment
CN106022111B (en) Processing method and device for hiding pop-up window and electronic equipment
CN106201032B (en) Modify processing method, device and the electronic equipment of double click interval time
CN106709357A (en) Kernel internal storage monitoring based vulnerability prevention system for Android platform
KR102161777B1 (en) Trusted execution environment system
CN106203114A (en) Application program protection method and device and electronic equipment
CN106022109A (en) Method and device for preventing thread from being suspended and electronic equipment
CN106203189A (en) Equipment data acquisition method and device and terminal equipment
CN106228062B (en) A kind of method, apparatus and electronic equipment for the treatment of progress registration
KR102161770B1 (en) System and method for obtaining memory information

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20190116

Address after: 519031 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province

Patentee after: Zhuhai Leopard Technology Co.,Ltd.

Address before: 100085 East District, No. 33 Xiaoying West Road, Haidian District, Beijing

Patentee before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.