CN108762826B - Process hiding method and computer readable storage medium - Google Patents


Info

Publication number: CN108762826B
Authority: CN (China)
Application number: CN201810365246.7A
Filing date: 2018-04-23
Other languages: Chinese (zh)
Other versions: CN108762826A (en)
Prior art keywords: list, acquiring, target, program path, process list
Inventors: 许全聪, 申强, 吴少华, 黄志炜
Original and current assignee: Xiamen Meiya Pico Information Co Ltd
Legal status: Active (granted). Google Patents notes that the legal status, assignee list and priority date it shows are its own assumptions and not legal conclusions.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/445 Program loading or initiating
    • G06F 9/44557 Code layout in executable memory
    • G06F 9/44563 Sharing
    • G06F 9/44505 Configuring for program initiating, e.g. using registry, configuration files

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a process hiding method and a computer-readable storage medium. The method comprises: acquiring, at regular time, from the process list the process whose program path matches a preset program path, and acquiring the process number of that process; and, when a target process queries the process list, filtering the process list according to the acquired process number and returning the filtered list to the target process. The method realizes process hiding simply and efficiently, and is highly flexible, stable and widely applicable.

Description

Process hiding method and computer readable storage medium
Technical Field
The present invention relates to the field of software security technologies, and in particular, to a process hiding method and a computer-readable storage medium.
Background
In some software systems, critical processes (or all processes of the system) must be protected from being forcibly terminated or even noticed, that is, they must be hidden so that a tool such as Task Manager cannot list them. Many process hiding methods exist, but none of them is effective, flexible and stable at the same time. They fall into kernel-mode techniques, such as DKOM (Direct Kernel Object Manipulation) and SSDT (System Service Descriptor Table) hooking, and user-mode techniques, such as remote DLL injection combined with API hooking, or a global message hook combined with API hooking. None of these is both flexible and stable, for the following reasons:
1. Kernel-mode techniques such as DKOM and SSDT hooking are simple and effective, but the hiding is all-or-nothing for user mode: unless a dedicated channel between user mode and the kernel is added, no user-mode program can see the process hidden in the kernel, whereas in practice some user-mode programs still need to see it. Kernel-mode hiding is therefore not flexible.
2. Kernel-mode hiding requires loading a driver and patching kernel objects in memory, which makes the system unstable. On 64-bit Windows, Kernel Patch Protection (KPP, also known as PatchGuard) detects such modifications and halts the system with a blue screen.
3. Deciding in user mode whether a process should be hidden by its process ID is effective, but a process ID is only assigned when the process starts, so the method must also track process start and exit precisely, which again limits its flexibility.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a process hiding method and a computer-readable storage medium that are highly flexible and widely applicable.
To solve this problem, the invention adopts the following technical scheme: a process hiding method, comprising:
acquiring, at regular time, from the process list the process whose program path matches a preset program path, and acquiring the process number of that process;
and, when a target process queries the process list, filtering the process list according to the acquired process number and returning the filtered process list to the target process.
The invention also relates to a computer-readable storage medium on which a computer program is stored which, when executed by a processor, carries out the steps of:
acquiring, at regular time, from the process list the process whose program path matches a preset program path, and acquiring the process number of that process;
and, when a target process queries the process list, filtering the process list according to the acquired process number and returning the filtered process list to the target process.
The beneficial effects of the invention are as follows: the process to be hidden is identified in the process list by its program path, which is more flexible than a scheme that decides by process number; and the filtered process list is returned to the target process, so that the result of the target process's query does not contain the process to be hidden, which realizes process hiding. The invention is flexibly configurable, stable, effective, simple, efficient and widely applicable, and can be used in many application systems.
Drawings
Fig. 1 is a flowchart of the process hiding method according to the first embodiment of the invention;
Fig. 2 is a flowchart of step S1 according to an embodiment of the invention;
Fig. 3 is a flowchart of step S2 according to an embodiment of the invention.
Detailed Description
In order to explain the technical content, objects and effects of the invention in detail, the following description refers to the accompanying drawings and the embodiments.
The core idea of the invention is: identify the process to be hidden by its program path, and filter that process out of the process list by its process number.
Referring to Fig. 1, a process hiding method comprises:
acquiring, at regular time, from the process list the process whose program path matches a preset program path, and acquiring the process number of that process;
and, when a target process queries the process list, filtering the process list according to the acquired process number and returning the filtered process list to the target process.
From the above description, the beneficial effects of the invention are: flexible configuration, stability, effectiveness, simplicity, efficiency and wide applicability.
Further, the step of acquiring, at regular time, the process whose program path matches the preset program path from the process list and acquiring its process number specifically comprises:
determining the program path corresponding to the hidden process;
the service host process acquiring the process list at a preset interval;
acquiring the program path corresponding to each process in the process list;
traversing the process list;
and, if the program path of a process matches the program path of the hidden process, acquiring the process number of that process.
As can be seen from the above, traversing the process list from a Windows service process with higher privileges ensures that the program paths of all processes except the system processes can be obtained.
Further, after the process number of the process is obtained, the method further comprises:
when the traversal of the process list is complete, storing the acquired process numbers into shared memory.
As can be seen from the above, shared memory is a simple and effective means of sharing data between processes; storing the process numbers there lets other processes read them.
Further, when the target process queries the process list, filtering the process list according to the acquired process numbers and returning the filtered list to the target process specifically comprises:
installing a global message hook;
when the global message hook detects that the process currently being opened is a preset target process, modifying the entry address of the API function that obtains the process list in the target process to the entry address of a preset process-hiding function (an API hook);
and, when the target process queries the process list, filtering out through the process-hiding function every process whose process number matches an acquired process number, and returning the filtered process list to the target process.
As this shows, combining a global message hook with API hooking avoids any modification of the kernel and keeps the method simple and efficient.
Further, the global message hooks comprise a mouse message hook, a keyboard message hook and a CBT message hook.
As can be seen from the above, window events are monitored by installing global message hooks.
The invention also proposes a computer-readable storage medium on which a computer program is stored which, when executed by a processor, carries out the same steps as the method above: acquiring, at regular time, from the process list the process whose program path matches a preset program path and acquiring its process number; and, when a target process queries the process list, filtering it according to the acquired process number and returning the filtered list to the target process. The refinements described for the method apply equally: the service host process determines the hidden program path, acquires the process list at a preset interval, obtains each process's program path, traverses the list and collects the process numbers of the matching processes; the collected numbers are stored in shared memory once the traversal completes; a global message hook (comprising mouse, keyboard and CBT message hooks) detects the opening of a preset target process, and the entry address of the process-list API in that process is redirected to the preset process-hiding function; and that function filters out the processes whose numbers match the acquired ones before returning the list to the target process.
Example one
Referring to Fig. 1, the first embodiment of the invention is a process hiding method based on a Windows service, applicable to sensitive systems, comprising the following steps:
S1: acquire, at regular time, from the process list the process whose program path matches a preset program path, and acquire its process number;
S2: when a target process queries the process list, filter the process list according to the acquired process number and return the filtered list to the target process.
The embodiment therefore has two parts. In the first part the service host process determines the program path of the process to be hidden (or the directory the process runs from), then periodically obtains the program paths of all processes and stores the process IDs of those that match, for use by the second part, which hides them from the target programs.
Specifically, as shown in Fig. 2, S1 comprises the following steps:
S101: determine the program path corresponding to the hidden process. According to the application scenario, the service host process determines the program path of the process that needs to be hidden. It may specify the full path of the program to hide that one program, or a parent directory to hide every process running from under that directory.
S102: the service host process obtains the process list at a preset interval, i.e. it retrieves a process list containing process IDs through the relevant Windows API. The preferred interval is 2 s, i.e. steps S102 to S108 run every 2 s so that the set of processes to hide is refreshed. A consequence is that a matching process started between two scans is visible to the target until the next scan picks it up.
S103: obtain the program path corresponding to each process in the process list through the relevant Windows API.
S104: take the next process from the process list that has not yet been visited.
S105: judge whether the program path of that process matches the configured path, i.e. whether it equals the configured full path or lies under the configured parent directory. If so, go to S106; otherwise go to S107.
S106: acquire the process number of the process; the process ID may be appended to a queue.
S107: judge whether the traversal is finished. If so, go to S108; otherwise fetch the next unvisited process, i.e. return to S104.
S108: save the acquired process numbers, preferably into shared memory, i.e. copy the process IDs held in the queue into the shared memory.
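The following is an added example written for this page; it is not code from the patent or from Meiya Pico. It models step S1 (S101 to S108) in portable C on a constructed process snapshot: on Windows the snapshot would come from CreateToolhelp32Snapshot/Process32Next and the image path from QueryFullProcessImageNameW, and the resulting table would be written to shared memory (typically a file mapping); here a static array stands in for the snapshot, the table layout (a count followed by a fixed array of PIDs, named hidden_pid_table) is an assumption, and all function names are illustrative. It also makes explicit a point S105 glosses over: a parent-directory rule must match at a path-separator boundary, or a rule for C:\Sensitive would also hide C:\SensitiveOther\decoy.exe.

```c
/* Added example: models patent step S1 (S101 to S108) in portable C.
 * Not the patent's code. On Windows the snapshot would come from
 * CreateToolhelp32Snapshot/Process32Next and the image path from
 * QueryFullProcessImageNameW; a static array stands in for both here. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_HIDDEN 64   /* capacity of the shared PID table (assumption) */

/* Assumed layout of the block the service publishes in shared memory. */
typedef struct {
    unsigned count;
    unsigned pids[MAX_HIDDEN];
} hidden_pid_table;

/* One entry of the constructed process snapshot. */
typedef struct {
    unsigned pid;
    const char *image_path;   /* NULL when the path cannot be queried */
} proc_entry;

/* Case-insensitive compare of up to n bytes; Windows paths are case-insensitive. */
static int path_ncmp_ci(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        int ca = tolower((unsigned char)a[i]);
        int cb = tolower((unsigned char)b[i]);
        if (ca != cb) return ca - cb;
        if (ca == '\0') return 0;
    }
    return 0;
}

/* S105: the rule is either a full image path (hide that one program) or a
 * parent directory (hide everything under it). A directory rule only matches
 * at a separator boundary, so "C:\Sensitive" does not also capture
 * "C:\SensitiveOther\decoy.exe". Returns 1 on match, 0 otherwise. */
int path_matches_rule(const char *image_path, const char *rule)
{
    size_t rlen = strlen(rule);
    if (image_path == NULL || rlen == 0) return 0;
    /* Ignore trailing separators on the rule ("C:\Sensitive\" == "C:\Sensitive"). */
    while (rlen > 1 && (rule[rlen - 1] == '\\' || rule[rlen - 1] == '/')) rlen--;
    if (path_ncmp_ci(image_path, rule, rlen) != 0) return 0;
    char next = image_path[rlen];
    return next == '\0' || next == '\\' || next == '/';
}

/* S102 to S108: walk the snapshot once, collect the PIDs whose path matches,
 * and publish them as one table. Returns the number of PIDs collected. */
unsigned collect_hidden_pids(const proc_entry *snap, size_t n,
                             const char *rule, hidden_pid_table *out)
{
    out->count = 0;
    for (size_t i = 0; i < n && out->count < MAX_HIDDEN; i++)
        if (path_matches_rule(snap[i].image_path, rule))
            out->pids[out->count++] = snap[i].pid;
    return out->count;
}

/* Constructed snapshot standing in for Process32Next output. PIDs 0 and 4
 * have no queryable path, matching the patent's own caveat about system processes. */
static const proc_entry sample_snapshot[] = {
    { 0,    NULL },                              /* System Idle Process */
    { 4,    NULL },                              /* System */
    { 1234, "C:\\Windows\\explorer.exe" },
    { 2048, "C:\\Sensitive\\agent.exe" },
    { 2050, "c:\\sensitive\\bin\\helper.exe" },
    { 3001, "C:\\SensitiveOther\\decoy.exe" },
};

/* One scan of the constructed snapshot against a rule. */
unsigned demo_collect(const char *rule, hidden_pid_table *t)
{
    return collect_hidden_pids(sample_snapshot,
        sizeof sample_snapshot / sizeof sample_snapshot[0], rule, t);
}

int main(void)
{
    hidden_pid_table t;
    unsigned n = demo_collect("C:\\Sensitive\\", &t);
    printf("%u PID(s) selected for hiding:", n);
    for (unsigned i = 0; i < n; i++) printf(" %u", t.pids[i]);
    printf("\n");
    return 0;
}
```

With the directory rule C:\Sensitive\ the scan selects PIDs 2048 and 2050 and leaves the decoy under C:\SensitiveOther alone; with the full-path rule c:\sensitive\agent.exe only 2048 is selected.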
The second part builds on the process IDs stored by the first part: it filters the process list obtained by the target program by means of API hooking, so that those processes are hidden.
Specifically, as shown in Fig. 3, S2 comprises the following steps:
S201: install a global message hook on the local computer in order to monitor its window events, such as window creation, movement, destruction and resizing. Preferably the message hooks comprise a mouse message hook, a keyboard message hook and a CBT message hook (on Windows, the WH_MOUSE, WH_KEYBOARD and WH_CBT hook types installed with SetWindowsHookEx). A global hook of these types causes the hook DLL to be loaded into every process on the same desktop that processes window messages, so processes with no message loop, and processes whose bitness differs from the hook DLL's, are not reached by the hook.
S202: through the global message hook, detect whether the current process is the target process, i.e. while monitoring window events, judge whether the process that has just been opened is the target process; if so, go to S203. The target processes may themselves be preset in the shared memory.
S203: using API hooking, modify the entry address of the API function that obtains the process list in the target program to the entry address of a preset process-hiding function, i.e. the function that performs the hiding.
S204: when the target process queries the process list, the process-hiding function runs instead. It first calls the original API to obtain the real process list, then deletes every entry whose process number matches one stored in step S108, and finally returns; its return value is the filtered process list, which realizes the hiding.
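The second added example (again not the patent's own code) models S204 together with the check a defender would run against it. The patent patches the entry of the process-list API inside the target; here that API is a function pointer, so the replacement (hooked_list) can call the saved original and drop the PIDs from the table exactly as S204 describes, without a real inline hook or Windows headers. The constructed "original" list, the table contents and the function names are assumptions. The last function, find_hidden, is the standard cross-view detection for this class of hiding: because the hook rewrites one entry point in one process, any independent enumeration path (a different API, an unhooked process, or a kernel-side view) still returns the real list, and the difference between the two views is exactly the hidden PID set.

```c
/* Added example: portable C model of patent step S204 (the process-hiding
 * function the API hook redirects to) and of the cross-view check that
 * exposes it. Not the patent's code: the process-list API is a function
 * pointer here instead of a patched entry point, and every list is constructed. */
#include <stddef.h>
#include <stdio.h>

#define MAX_PIDS 64

/* PID table the service publishes in shared memory (assumed layout). */
typedef struct { unsigned count; unsigned pids[MAX_PIDS]; } hidden_pid_table;

/* Signature of the "API that returns the process list": writes up to cap
 * PIDs into out[] and returns how many it wrote. */
typedef unsigned (*list_fn)(unsigned *out, unsigned cap);

/* Constructed original API: what the kernel really reports. */
static unsigned original_list(unsigned *out, unsigned cap)
{
    static const unsigned real[] = { 0, 4, 1234, 2048, 2050, 3001, 4096 };
    unsigned n = (unsigned)(sizeof real / sizeof real[0]);
    if (n > cap) n = cap;
    for (unsigned i = 0; i < n; i++) out[i] = real[i];
    return n;
}

/* Saved original entry point and the table the hook consults. A real hook
 * would map the table from shared memory; here the caller sets it. */
static list_fn g_original = original_list;
static const hidden_pid_table *g_hidden = NULL;

static int is_hidden(unsigned pid)
{
    if (g_hidden == NULL) return 0;
    for (unsigned i = 0; i < g_hidden->count; i++)
        if (g_hidden->pids[i] == pid) return 1;
    return 0;
}

/* S204: call the original API, drop every entry whose PID is in the table,
 * and return the filtered list in place. */
unsigned hooked_list(unsigned *out, unsigned cap)
{
    unsigned n = g_original(out, cap);
    unsigned kept = 0;
    for (unsigned i = 0; i < n; i++)
        if (!is_hidden(out[i])) out[kept++] = out[i];
    return kept;
}

/* What a target such as Task Manager sees once its entry point is patched. */
unsigned query_as_target(const hidden_pid_table *hidden, unsigned *out, unsigned cap)
{
    g_hidden = hidden;
    return hooked_list(out, cap);
}

/* Cross-view detection: every PID present in an unhooked enumeration but
 * absent from the hooked one is being hidden. Returns how many were found. */
unsigned find_hidden(const unsigned *unhooked, unsigned nu,
                     const unsigned *hooked, unsigned nh,
                     unsigned *out, unsigned cap)
{
    unsigned found = 0;
    for (unsigned i = 0; i < nu && found < cap; i++) {
        int seen = 0;
        for (unsigned j = 0; j < nh; j++)
            if (hooked[j] == unhooked[i]) { seen = 1; break; }
        if (!seen) out[found++] = unhooked[i];
    }
    return found;
}

/* Runs both views against a constructed table and diffs them. */
unsigned demo_detect(unsigned *out, unsigned cap)
{
    static const hidden_pid_table table = { 2, { 2048, 2050 } };
    unsigned truth[MAX_PIDS], view[MAX_PIDS];
    unsigned nt = original_list(truth, MAX_PIDS);          /* independent path */
    unsigned nv = query_as_target(&table, view, MAX_PIDS); /* hooked path */
    return find_hidden(truth, nt, view, nv, out, cap);
}

int main(void)
{
    unsigned hidden[MAX_PIDS];
    unsigned n = demo_detect(hidden, MAX_PIDS);
    printf("%u PID(s) missing from the hooked view:", n);
    for (unsigned i = 0; i < n; i++) printf(" %u", hidden[i]);
    printf("\n");
    return 0;
}
```

The diff reports 2048 and 2050, the two PIDs the table names. In a real deployment the unhooked view can be any enumeration the hook DLL never touched, which is why the patent's user-mode approach, unlike DKOM, cannot hide a process from every observer at once.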
Compared with the prior art, this embodiment has the following characteristics:
1. It is more flexible: whether a process is to be hidden is decided by its program path, so either a full path (to hide one program) or a parent directory (to hide everything under it) can be configured. At the same time, the global message hook can be used to specify which processes are not allowed to see the critical processes (for example, Task Manager can be set as a managed target process).
2. It is more stable and effective: by traversing the process list from a Windows service process with higher privileges, the program paths of all processes can be obtained except the system processes (System Idle Process and System).
3. It is simple and efficient: the behaviour of the target process is modified with a global message hook, API hooking and shared memory, and the process list the target obtains is filtered, without touching the kernel.
Example two
The second embodiment is a computer-readable storage medium corresponding to the first embodiment. It stores a computer program which, when executed by a processor, performs the steps of the first embodiment: acquiring, at regular time, from the process list the process whose program path matches a preset program path and acquiring its process number (S1); and, when a target process queries the process list, filtering it according to the acquired process number and returning the filtered list to the target process (S2). The refinements are the same: in S1 the service host process determines the hidden program path, acquires the process list at a preset interval, obtains each process's program path, traverses the list, collects the process numbers of the matching processes and stores them in shared memory once the traversal completes; in S2 a global message hook comprising mouse, keyboard and CBT message hooks detects the opening of a preset target process, the entry address of the process-list API in that process is redirected to the preset process-hiding function, and that function filters out the processes whose numbers match the acquired ones before returning the list to the target process.
In summary, the process hiding method and computer-readable storage medium of the invention identify the processes to hide in the process list by their program path, which is more flexible than deciding by process number, and return a filtered list to the target process so that its query result does not contain the hidden processes. The invention is flexibly configurable, stable, effective, simple, efficient and widely applicable, and can be used in many application systems.
The above is only an embodiment of the invention and does not limit its scope; all equivalent changes made using the contents of this specification and the drawings, or applied directly or indirectly in related technical fields, fall within the scope of the invention.

Claims (8)

1. A process hiding method, comprising:
acquiring a process with a program path matched with a preset program path from a process list at regular time, and acquiring a process number of the process;
when a target process queries the process list, filtering the process list according to the acquired process number, and returning the filtered process list to the target process;
wherein acquiring, at regular time, the process whose program path matches the preset program path from the process list, and acquiring the process number of the process, specifically comprises the following steps:
determining a program path corresponding to a hidden process;
the service main process acquires a process list according to a preset time period;
acquiring a program path corresponding to each process in the process list;
traversing the process list;
and if the program path corresponding to the process is matched with the program path corresponding to the hidden process, acquiring the process number of the process.
2. The process hiding method as claimed in claim 1, wherein after obtaining the process number of the process, further comprising:
and when the process list is traversed, storing the acquired process number into the shared memory.
3. The process hiding method according to claim 1, wherein the step of filtering the process list according to the acquired process number and returning the filtered process list to the target process when the target process queries the process list specifically comprises:
installing a global message hook;
when the currently opened process is detected to be a preset target process through the global message hook, modifying the entry address of the API function for acquiring the process list in the target process into the entry address of a preset process hidden function;
and when the target process inquires the process list, filtering the process with the process number consistent with the acquired process number in the process list through the process hidden function, and returning the filtered process list to the target process.
4. The process hiding method of claim 3, wherein the global message hooks comprise mouse message hooks, keyboard message hooks, and CBT message hooks.
5. A computer-readable storage medium, on which a computer program is stored, which program, when executed by a processor, carries out the steps of:
acquiring a process with a program path matched with a preset program path from a process list at regular time, and acquiring a process number of the process;
when a target process queries the process list, filtering the process list according to the acquired process number, and returning the filtered process list to the target process;
wherein acquiring, at regular time, the process whose program path matches the preset program path from the process list, and acquiring the process number of the process, specifically comprises the following steps:
determining a program path corresponding to a hidden process;
the service main process acquires a process list according to a preset time period;
acquiring a program path corresponding to each process in the process list;
traversing the process list;
and if the program path corresponding to the process is matched with the program path corresponding to the hidden process, acquiring the process number of the process.
6. The computer-readable storage medium of claim 5, wherein after obtaining the process number of the process, further comprising:
and when the process list is traversed, storing the acquired process number into the shared memory.
7. The computer-readable storage medium according to claim 5, wherein, when the target process queries the process list, filtering the process list according to the obtained process number, and returning the filtered process list to the target process specifically includes:
installing a global message hook;
when the currently opened process is detected to be a preset target process through the global message hook, modifying the entry address of the API function for acquiring the process list in the target process into the entry address of a preset process hidden function;
and when the target process inquires the process list, filtering the process with the process number consistent with the acquired process number in the process list through the process hidden function, and returning the filtered process list to the target process.
8. The computer-readable storage medium of claim 7, wherein the global message hook comprises a mouse message hook, a keyboard message hook, and a CBT message hook.
Priority Application (1)

Application Number Priority Date Filing Date Title
CN201810365246.7A CN108762826B (en) 2018-04-23 2018-04-23 Process hiding method and computer readable storage medium (Active)

Publications (2)

Publication Number Publication Date
CN108762826A (en) 2018-11-06
CN108762826B (en) 2021-09-28 (granted patent)

Family

ID=64011599
Family Applications (1): CN201810365246.7A, CN108762826B (en), Active, priority 2018-04-23, filed 2018-04-23, Process hiding method and computer readable storage medium
Country Status (1): CN, CN108762826B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111414212B (en) * 2020-03-27 2023-06-23 中国平安财产保险股份有限公司 Global process control method, device, computer equipment and storage medium
CN114036468A (en) * 2021-11-24 2022-02-11 深信服科技股份有限公司 Process hiding method, device and equipment and readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102394859A (en) * 2011-07-27 2012-03-28 哈尔滨安天科技股份有限公司 Method and system for detecting file stealing Trojan based on thread behavior
CN103620613A (en) * 2011-03-28 2014-03-05 迈克菲股份有限公司 System and method for virtual machine monitor based anti-malware security
CN104331659A (en) * 2014-10-30 2015-02-04 浪潮电子信息产业股份有限公司 Design method for system resource application isolation of critical application host
CN105117645A (en) * 2015-07-29 2015-12-02 杭州安恒信息技术有限公司 Method for operating multiple samples of sandbox virtual machine based on file system filtering drive

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7849311B2 (en) * 2005-03-15 2010-12-07 Silicon Graphics International Computer system with dual operating modes
US7630975B2 (en) * 2006-03-30 2009-12-08 Microsoft Corporation Unified searching and running of files
US9678747B2 (en) * 2011-02-08 2017-06-13 Openspan, Inc. Code injection and code interception in an operating system with multiple subsystem environments
CN104615484B (en) * 2015-02-13 2017-11-07 厦门市美亚柏科信息股份有限公司 Adaptive sandbox construction method and its system
CN106682493B (en) * 2015-11-06 2019-08-27 珠海豹趣科技有限公司 A kind of method, apparatus for preventing process from maliciously being terminated and electronic equipment
CN106127031A (en) * 2016-06-23 2016-11-16 北京金山安全软件有限公司 Method and device for protecting process and electronic equipment




Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant