CN114691220A - Method, apparatus, electronic device, medium, and program product for protecting a process - Google Patents
Method, apparatus, electronic device, medium, and program product for protecting a process Download PDFInfo
- Publication number
- CN114691220A CN114691220A CN202011642755.3A CN202011642755A CN114691220A CN 114691220 A CN114691220 A CN 114691220A CN 202011642755 A CN202011642755 A CN 202011642755A CN 114691220 A CN114691220 A CN 114691220A
- Authority
- CN
- China
- Prior art keywords
- kernel
- kernel module
- module
- protected
- task
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 204
- 230000008569 process Effects 0.000 title claims abstract description 159
- 238000004590 computer program Methods 0.000 claims description 19
- 230000006870 function Effects 0.000 claims description 17
- 238000010586 diagram Methods 0.000 description 14
- 230000002159 abnormal effect Effects 0.000 description 5
- 238000005516 engineering process Methods 0.000 description 5
- 238000004891 communication Methods 0.000 description 3
- 230000007246 mechanism Effects 0.000 description 3
- 238000012545 processing Methods 0.000 description 3
- 230000000694 effects Effects 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 238000004806 packaging method and process Methods 0.000 description 2
- 239000000758 substrate Substances 0.000 description 2
- 108010001267 Protein Subunits Proteins 0.000 description 1
- 230000002411 adverse Effects 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000001914 filtration Methods 0.000 description 1
- 238000007493 shaping process Methods 0.000 description 1
- 230000009131 signaling function Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/4401—Bootstrapping
- G06F9/4406—Loading of operating system
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/48—Program initiating; Program switching, e.g. by interrupt
- G06F9/4806—Task transfer initiation or dispatching
- G06F9/4843—Task transfer initiation or dispatching by program, e.g. task dispatcher, supervisor, operating system
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- Stored Programmes (AREA)
Abstract
The present disclosure provides a method for a kernel module to execute a protection process, wherein the kernel module is loaded in a Linux system kernel; the method comprises the following steps: acquiring a process identifier of a process to be protected; determining a task structure body associated with the process identifier, wherein the task structure body comprises a signal structure body; and configuring an uninterruptible attribute for a signal structure body in the task structure body so as to protect the process to be protected from being interrupted by other processes. The present disclosure also provides an apparatus, an electronic device, a medium, and a program product for protecting a process.
Description
Technical Field
The present disclosure relates to a method, apparatus, electronic device, medium, and program product for protecting a process.
Background
Linux is a Unix-like operating system which is free to use and spread freely, and is a multi-user, multi-task, multi-thread and multi-CPU supporting operating system based on POSIX and UNIX. It can run major UNIX tools, applications and network protocols. It supports 32-bit and 64-bit hardware. Linux inherits the design idea of Unix with network as core, and is a multi-user network operating system with stable performance. In the Linux system, processes can send a soft interrupt signal (signal) to each other through a system call kill command, so that the processes are interrupted.
In the related technology, a Hook (hijacking) sys _ kill mode is adopted to prevent a process from being interrupted by other processes, namely Hook is directly carried out on system call of the sys _ kill, then a system call table is forcibly rewritten, and signals for interrupting the process are filtered and intercepted. This approach is complex to implement and does not achieve the effect of completely preventing the process from being interrupted, and the process can still be interrupted by a signal sent via the sigqueue (signaling function).
In another related technology, a Hook LSM (Linux security module) mode is adopted to prevent a process from being interrupted by other processes, that is, a user-defined security _ task _ kill function is replaced or inserted into a Linux kernel LSM, and interception and filtering of signals are performed through the function, so that the effect of preventing and killing processes is achieved. However, the LSM has a large difference between Linux kernels of different versions, and thus the compatibility of the method is poor. In addition, in the high-version Linux system, the LSM is in a read-only state after the system is started, and cannot be dynamically modified, so that the method cannot be applied to the high-version Linux systems.
In addition, the above two related technical solutions can prevent the process from being interrupted, and at the same time, the user-mode process cannot normally process some signals (such as signals like SIGBUS and SIGSEGV), and these signals are signals that the kernel must send under the abnormal condition of the user-mode program, so that the normal operation of the program is adversely affected.
Disclosure of Invention
One aspect of the present disclosure provides a method for executing a protection process by a kernel module, wherein the kernel module is loaded in a Linux system kernel; the method comprises the following steps: acquiring a process identifier of a process to be protected; determining a task structure body associated with the process identifier, wherein the task structure body comprises a signal structure body; and configuring an uninterruptible attribute for a signal structure body in the task structure body so as to protect the process to be protected from being interrupted by other processes.
Optionally, the method further comprises: loading the kernel module to a Linux system kernel by: acquiring a kernel module code; compiling the kernel module code to obtain a kernel module; and loading the compiled kernel module to a kernel space of a kernel of the Linux system.
Optionally, the operation of loading the kernel module into the kernel of the Linux system further includes: adding a process identifier into the kernel module code in the process of compiling the kernel module code; the loading the compiled kernel module into the kernel space of the kernel of the Linux system comprises: storing the process identification into a kernel space where the kernel module is located; the acquiring the process identifier of the process to be protected comprises the following steps: and reading the process identification of the process to be protected from the inner part of the kernel space where the kernel module is positioned.
Optionally, the obtaining the process identifier of the process to be protected includes: and receiving a process identifier from a user mode space as the process identifier of the process to be protected, wherein the user mode space is positioned outside a kernel space where the kernel module is positioned.
Optionally, the determining a task structure body associated with the process identifier includes: acquiring a process identifier structural body corresponding to the process identifier by calling a find _ pid _ ns function; and acquiring a task structure body corresponding to the process identification structure body by calling the pid _ task function.
Optionally, the signal structure comprises a set of signal attributes; configuring an uninterruptible attribute for a signal structure in the task structure includes: adding the uninterruptible attribute to the set of signal attributes.
Another aspect of the present disclosure provides an apparatus for protecting a process, including a loading module and a kernel module, where the loading module is configured to load the kernel module into a kernel of a Linux system; the kernel module comprises: the acquisition submodule is used for acquiring a process identifier of a process to be protected; the searching submodule is used for determining a task structure body associated with the process identification, wherein the task structure body comprises a signal structure body; and the configuration submodule is used for configuring an uninterruptible attribute for the signal structure body in the task structure body so as to protect the process to be protected from being interrupted by other processes.
Another aspect of the present disclosure provides an electronic device including: one or more processors; memory for storing one or more computer programs, wherein the one or more computer programs, when executed by the one or more processors, cause the one or more processors to implement the method as described above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for implementing the method as described above when executed.
Another aspect of the disclosure provides a computer program comprising computer executable instructions for implementing the method as described above when executed.
According to the embodiment of the disclosure, the task structure body associated with the process identifier of the process to be protected is determined, and then the uninterruptible attribute is configured for the signal structure body in the task structure body, so that the process to be protected can be protected from being interrupted by other processes, the implementation is simpler and more convenient compared with the related technology, and the signal communication mechanism among processes of a Linux system cannot be influenced.
Drawings
For a more complete understanding of the present disclosure and the advantages thereof, reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:
FIG. 1 schematically illustrates a flow diagram of a method of protecting a process according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow diagram of a method of protecting a process according to an embodiment of the disclosure;
FIG. 3 schematically illustrates a block diagram of an apparatus to protect a process according to an embodiment of the disclosure; and
FIG. 4 schematically illustrates a block diagram of a computer system suitable for implementing the methods described in embodiments of the present disclosure, in accordance with embodiments of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.).
Some block diagrams and/or flow diagrams are shown in the figures. It will be understood that some blocks of the block diagrams and/or flowchart illustrations, or combinations thereof, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the instructions, which execute via the processor, create means for implementing the functions/acts specified in the block diagrams and/or flowchart block or blocks. The techniques of this disclosure may be implemented in hardware and/or software (including firmware, microcode, etc.). In addition, the techniques of this disclosure may take the form of a computer program product on a computer-readable storage medium having instructions stored thereon for use by or in connection with an instruction execution system.
Embodiments of the present disclosure provide a method for protecting a process, which may be performed by a kernel module loaded in a kernel of a Linux system. The method comprises the following steps: acquiring a process identifier of a process to be protected; determining a task structure body associated with the process identifier, wherein the task structure body comprises a signal structure body; and configuring an uninterruptible attribute for a signal structure body in the task structure body so as to protect the process to be protected from being interrupted by other processes.
Fig. 1 schematically shows a flow chart of a method of protecting a process according to an embodiment of the present disclosure.
As shown in fig. 1, the method includes operations S110 to S150. The following operations S110 to S150 may be performed by a kernel module loaded in a kernel of the Linux system.
In operation S110, a process identifier of a process to be protected is obtained.
According to the embodiment of the disclosure, each process in the Linux system is assigned a unique integer identification code, which is called a process ID number, PID for short.
According to the embodiment of the disclosure, the process identifier of the process to be protected may be stored in the kernel module in advance, or may be transmitted from a process outside the kernel module.
In operation S120, a task structure associated with the process identification is determined.
According to the embodiment of the disclosure, a process identification structure (struct pid) corresponding to a process identification can be obtained by calling a find _ pid _ ns function, and then a task structure (struct task _ struct) corresponding to the process identification structure can be obtained by calling a pid _ task function.
More specifically, the find _ pid _ ns function may be called to find the struct pid structure as follows:
struct pid*spid=find_pid_ns(pid,&init_pid_ns);
wherein pid is a process identifier, and init _ pid _ ns is an init namespace structure definition disclosed by a Linux system kernel.
Then, the struct task _ struct structure corresponding to the pid _ task function acquisition process can be called as follows:
struct task_struct*tsk=pid_task(spid,PIDTYPE_PID);
the PIDTYPE _ PID is a macro defined by a kernel, and the macro is used for identifying that a PID _ task function needs to acquire a corresponding struct task _ struct structure through a struct PID structure. The struct pid structure is a structure provided by a Linux system kernel.
According to an embodiment of the present disclosure, the task _ structure includes a signal structure (signal). The signal structure may be used to control process signal properties.
In this embodiment, the structure task _ structure is defined as follows. It should be noted that the following definition of struct task _ struct is merely an example, and in the process of practical application, the struct task _ struct may further include other members besides signal.
struct task_struct{
struct signal_struct*signal;
};
Wherein the member signal type of the struct task _ struct structure is structsignal _ struct.
The structure type (structure signal _ structure) is defined as follows. It should be noted that the following definition of struct signal _ struct is merely an example, and in the process of practical application, the struct signal _ struct may further include other members besides flags.
struct signal_struct{
unsigned int flags;
};
Wherein the signal structure comprises a set of signal attributes (flags). A flags is a shaping value that is a collection of values of a series of signal properties of a process.
In operation S130, an uninterruptible attribute is configured for a signal structure in the task structure to protect the process to be protected from being interrupted by other processes.
Operation S130 may include, for example, adding an uninterruptible attribute in the set of signal attributes, according to an embodiment of the present disclosure.
More specifically, a process may be set with a signal attribute named SIGAL _ unspikeable as follows:
tsk->signal->flags|=SIGNAL_UNKILLABLE
wherein, "|" represents a bitwise OR operation, SIGAL _ UNKILLABLE is a macro predefined by the kernel of the Linux system.
According to the embodiment of the disclosure, when a Linux system kernel sends a signal to a process, if the SIGAL _ unspullable signal attribute is set to the process, the signal is directly discarded in the case that the process does not explicitly indicate that the signal needs to be processed, so that the process is prevented from being interrupted.
According to the embodiment of the disclosure, the task structure body associated with the process identifier of the process to be protected is determined, and then the uninterruptible attribute is configured for the signal structure body in the task structure body, so that the process to be protected can be protected from being interrupted by other processes in the user state space, and the implementation is simpler and more convenient compared with the related technology.
In addition, when a process in the Linux system is abnormal, the Linux system kernel sends an abnormal signal such as SIGSEGV or SIGBUS to the process. The Hook signal method adopted by the related art can intercept these abnormal signals, so that the related process cannot normally process these signals. According to the method for protecting the process, the abnormal signal is not intercepted, and the signal communication mechanism among the processes of the Linux system is not influenced.
Fig. 2 schematically shows a flow chart of a method of protecting a process according to an embodiment of the present disclosure.
As shown in FIG. 2, in addition to operations S110-S130, the method may further include operations S210-S230 for loading a kernel module into a Linux system kernel.
Specifically, in operation S210, kernel module code is acquired.
In operation S220, the kernel module code is compiled to obtain a kernel module.
In operation S230, the compiled kernel module is loaded into a kernel space of a kernel of the Linux system.
According to the embodiment of the disclosure, the compiled kernel module can be loaded to the kernel space of the Linux system kernel through an insmod command.
According to the embodiment of the disclosure, a parameter is set for the kernel module when the kernel module is written, and the parameter is used for transmitting the PID of the process needing to be protected into the kernel. Based on this, in compiling the kernel module code, the process identification of the process to be protected can be added as a parameter to the kernel module code. When the compiled kernel module is loaded to the kernel space of the kernel of the Linux system, the process identifier is stored in the kernel space where the kernel module is located, so that when the process identifier of the process to be protected needs to be acquired, the process identifier of the process to be protected can be read from the kernel space where the kernel module is located.
According to another embodiment of the disclosure, after the compiled kernel module is loaded into the kernel of the Linux system, a process identifier from a user mode space can be received, and the identifier is used as a process identifier of a process to be protected, so as to protect the process corresponding to the process identifier, wherein the user mode space is located outside the kernel space where the kernel module is located. For example, a process located in the user state space may transmit the PID of the process to be protected to a kernel module located in the kernel space of the system in a netlink or the like manner, and then the kernel module protects the process corresponding to the process identifier.
Fig. 3 schematically shows a block diagram of an apparatus for protecting a process according to an embodiment of the present disclosure.
As shown in fig. 3, the apparatus 300 for protecting a process includes a load module 310 and a kernel module 320. The apparatus 300 for protecting a process may perform the method described above with reference to fig. 1-2.
Specifically, the loading module 310 may be configured to load the kernel module into a Linux system kernel.
The kernel module 320 may include, for example, an acquisition submodule 321, a lookup submodule 322, and a configuration submodule 323.
The obtaining submodule 321 may be configured to obtain a process identifier of a process to be protected. The obtaining sub-module 321 may be used to perform operation S110, for example.
The searching submodule 322 may be configured to determine a task structure associated with the process identifier, where the task structure includes a signal structure. The lookup submodule 322 may be used to perform operation S120, for example.
The configuration submodule 323 may be configured to configure an uninterruptible attribute for a signal structure in the task structure, so as to protect the process to be protected from being interrupted by other processes. The configuration submodule 323 may be used to perform operation S130, for example.
According to an embodiment of the present disclosure, the loading module may include, for example, a code obtaining module, a compiling submodule, and a loading submodule.
The code acquisition module is used for acquiring the kernel module code. The code acquisition module may be used to perform operation S210, for example.
And the compiling submodule is used for compiling the kernel module code to obtain the kernel module. The compiling submodule may be used to perform operation S220, for example.
And the loading submodule is used for loading the compiled kernel module into the kernel space of the kernel of the Linux system. The load submodule may be used to perform operation S230, for example.
According to the embodiment of the disclosure, the task structure body associated with the process identifier of the process to be protected is determined, and then the uninterruptible attribute is configured for the signal structure body in the task structure body, so that the process to be protected can be protected from being interrupted by other processes, the implementation is simpler and more convenient compared with the related technology, and the signal communication mechanism among processes of a Linux system cannot be influenced.
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
For example, any number of the load module 310 and the kernel module 320 may be combined in one module to be implemented, or any one of them may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the load module 310 and the core module 320 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or in any one of three implementations of software, hardware, and firmware, or in any suitable combination of any of them. Alternatively, at least one of the load module 310 and the kernel module 320 may be at least partially implemented as a computer program module, which when executed may perform a corresponding function.
FIG. 4 schematically illustrates a block diagram of a computer system suitable for implementing the above-described method according to an embodiment of the present disclosure. The computer system illustrated in FIG. 4 is only one example and should not impose any limitations on the scope of use or functionality of embodiments of the disclosure.
As shown in fig. 4, computer system 400 includes a processor 410 and a computer-readable storage medium 420. The computer system 400 may perform a method according to an embodiment of the disclosure.
In particular, processor 410 may include, for example, a general purpose microprocessor, an instruction set processor and/or related chip set and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), and/or the like. The processor 410 may also include onboard memory for caching purposes. The processor 410 may be a single processing unit or a plurality of processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
Computer-readable storage medium 420, for example, may be a non-volatile computer-readable storage medium, specific examples including, but not limited to: magnetic storage devices, such as magnetic tape or Hard Disk Drives (HDDs); optical storage devices, such as compact disks (CD-ROMs); a memory, such as a Random Access Memory (RAM) or a flash memory; and so on.
The computer-readable storage medium 420 may comprise a computer program 421, which computer program 421 may comprise code/computer-executable instructions that, when executed by the processor 410, cause the processor 410 to perform a method according to an embodiment of the disclosure, or any variant thereof.
The computer program 421 may be configured with, for example, computer program code comprising computer program modules. For example, in an example embodiment, code in computer program 421 may include one or more program modules, including for example 421A, modules 421B, … …. It should be noted that the division and number of the modules are not fixed, and those skilled in the art may use suitable program modules or program module combinations according to actual situations, so that the processor 410 may execute the method according to the embodiment of the present disclosure or any variation thereof when the program modules are executed by the processor 410.
According to an embodiment of the present invention, at least one of the load module 310 and the core module 320 may be implemented as a computer program module described with reference to fig. 4, which, when executed by the processor 410, may implement the respective operations described above.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or combinations are not expressly recited in the present disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
While the disclosure has been shown and described with reference to certain exemplary embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the disclosure as defined by the appended claims and their equivalents. Accordingly, the scope of the present disclosure should not be limited to the above-described embodiments, but should be defined not only by the appended claims, but also by equivalents thereof.
Claims (10)
1. A method for executing a protection process by a kernel module, wherein the kernel module is loaded in a Linux system kernel; the method comprises the following steps:
acquiring a process identifier of a process to be protected;
determining a task structure body associated with the process identifier, wherein the task structure body comprises a signal structure body; and
and configuring an uninterruptible attribute for the signal structure in the task structure so as to protect the process to be protected from being interrupted by other processes.
2. The method of claim 1, further comprising: loading the kernel module to a Linux system kernel by:
acquiring a kernel module code;
compiling the kernel module code to obtain a kernel module; and
and loading the compiled kernel module into a kernel space of a kernel of the Linux system.
3. The method of claim 2, wherein the operation of loading the kernel module into a Linux system kernel further comprises: adding a process identifier into the kernel module code in the process of compiling the kernel module code;
the loading the compiled kernel module into the kernel space of the kernel of the Linux system comprises: storing the process identification into a kernel space where the kernel module is located;
the acquiring the process identifier of the process to be protected comprises the following steps: and reading the process identification of the process to be protected from the inner part of the kernel space where the kernel module is positioned.
4. The method of claim 1, wherein the obtaining the process identifier of the process to be protected comprises:
and receiving a process identifier from a user mode space as the process identifier of the process to be protected, wherein the user mode space is positioned outside a kernel space where the kernel module is positioned.
5. The method of claim 1, wherein the determining a task structure associated with the process identification comprises:
acquiring a process identification structural body corresponding to the process identification by calling a find _ pid _ ns function; and
and acquiring a task structure corresponding to the process identification structure by calling the pid _ task function.
6. The method of claim 1, wherein the signal structure comprises a set of signal attributes;
configuring an uninterruptible attribute for a signal structure in the task structure includes:
adding the uninterruptible attribute to the set of signal attributes.
7. The device for protecting the process comprises a loading module and a kernel module, wherein,
the loading module is used for loading the kernel module to the kernel of the Linux system;
the kernel module comprises:
the acquisition submodule is used for acquiring a process identifier of a process to be protected;
the searching submodule is used for determining a task structure body associated with the process identification, wherein the task structure body comprises a signal structure body; and
and the configuration submodule is used for configuring an uninterruptible attribute for the signal structure in the task structure so as to protect the process to be protected from being interrupted by other processes.
8. An electronic device, comprising:
one or more processors;
a memory for storing one or more computer programs,
wherein the one or more computer programs, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1 to 6.
9. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to carry out the method of any one of claims 1 to 6.
10. A computer program product comprising computer executable instructions for implementing the method of any one of claims 1 to 6 when executed.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011642755.3A CN114691220A (en) | 2020-12-30 | 2020-12-30 | Method, apparatus, electronic device, medium, and program product for protecting a process |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011642755.3A CN114691220A (en) | 2020-12-30 | 2020-12-30 | Method, apparatus, electronic device, medium, and program product for protecting a process |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114691220A true CN114691220A (en) | 2022-07-01 |
Family
ID=82135547
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011642755.3A Pending CN114691220A (en) | 2020-12-30 | 2020-12-30 | Method, apparatus, electronic device, medium, and program product for protecting a process |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114691220A (en) |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105893085A (en) * | 2016-03-30 | 2016-08-24 | 百度在线网络技术(北京)有限公司 | Method and device for loading kernel module |
| WO2017020748A1 (en) * | 2015-08-06 | 2017-02-09 | 中兴通讯股份有限公司 | Method and device for processing signalling tracking task |
| CN107193590A (en) * | 2017-05-10 | 2017-09-22 | 北京海杭通讯科技有限公司 | A kind of anti-root methods based on android |
| CN108052327A (en) * | 2017-12-11 | 2018-05-18 | 北京奇虎科技有限公司 | A kind of kernel module compiling, loading method and device |
| KR20180065535A (en) * | 2016-12-08 | 2018-06-18 | 동국대학교 산학협력단 | System and method for detecting kernel rootkit |
| CN109857520A (en) * | 2019-01-18 | 2019-06-07 | 四川大学 | A kind of virtual machine examine oneself in Semantics Reconstruction improved method and system |
| CN111259386A (en) * | 2018-12-03 | 2020-06-09 | 阿里巴巴集团控股有限公司 | Kernel security detection method, device, equipment and storage medium |
| EP3671508A1 (en) * | 2020-03-19 | 2020-06-24 | CyberArk Software Ltd. | Customizing operating system kernels with secure kernel modules |
| CN111400702A (en) * | 2020-03-24 | 2020-07-10 | 上海瓶钵信息科技有限公司 | Virtualized operating system kernel protection method |
| CN111931192A (en) * | 2020-09-10 | 2020-11-13 | 杭州海康威视数字技术股份有限公司 | rootkit detection method and device and electronic equipment |
-
2020
- 2020-12-30 CN CN202011642755.3A patent/CN114691220A/en active Pending
Patent Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2017020748A1 (en) * | 2015-08-06 | 2017-02-09 | 中兴通讯股份有限公司 | Method and device for processing signalling tracking task |
| CN105893085A (en) * | 2016-03-30 | 2016-08-24 | 百度在线网络技术(北京)有限公司 | Method and device for loading kernel module |
| KR20180065535A (en) * | 2016-12-08 | 2018-06-18 | 동국대학교 산학협력단 | System and method for detecting kernel rootkit |
| CN107193590A (en) * | 2017-05-10 | 2017-09-22 | 北京海杭通讯科技有限公司 | A kind of anti-root methods based on android |
| CN108052327A (en) * | 2017-12-11 | 2018-05-18 | 北京奇虎科技有限公司 | A kind of kernel module compiling, loading method and device |
| CN111259386A (en) * | 2018-12-03 | 2020-06-09 | 阿里巴巴集团控股有限公司 | Kernel security detection method, device, equipment and storage medium |
| CN109857520A (en) * | 2019-01-18 | 2019-06-07 | 四川大学 | A kind of virtual machine examine oneself in Semantics Reconstruction improved method and system |
| EP3671508A1 (en) * | 2020-03-19 | 2020-06-24 | CyberArk Software Ltd. | Customizing operating system kernels with secure kernel modules |
| CN111400702A (en) * | 2020-03-24 | 2020-07-10 | 上海瓶钵信息科技有限公司 | Virtualized operating system kernel protection method |
| CN111931192A (en) * | 2020-09-10 | 2020-11-13 | 杭州海康威视数字技术股份有限公司 | rootkit detection method and device and electronic equipment |
Non-Patent Citations (1)
| Title |
|---|
| FRIDAY@ORTIZ: "Creatingan Unkillable process by Abusing Character Devices", pages 1 - 7, Retrieved from the Internet <URL:https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html> * |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10032024B2 (en) | System and method for virtual partition monitoring | |
| US8176485B2 (en) | Launching hypervisor under running operating system | |
| JP6185487B2 (en) | Keeping secure data isolated from non-secure access when switching between domains | |
| AU2017290267B2 (en) | Performance variability reduction using an opportunistic hypervisor | |
| US7293251B2 (en) | Initiating and debugging a process in a high assurance execution environment | |
| US7793153B2 (en) | Checkpointing and restoring user space data structures used by an application | |
| US20120222051A1 (en) | Shared resource access verification | |
| US10210331B2 (en) | Executing full logical paths for malware detection | |
| US20090178103A1 (en) | Specifying and enforcing at least one run-time policy for at least one computer process executing on a computer system | |
| US8935516B2 (en) | Enabling portions of programs to be executed on system z integrated information processor (zIIP) without requiring programs to be entirely restructured | |
| US8209707B2 (en) | Gathering state information for an application and kernel components called by the application | |
| US6968410B2 (en) | Multi-threaded processing of system management interrupts | |
| US8677187B2 (en) | Performing network core dump without drivers | |
| CN114691220A (en) | Method, apparatus, electronic device, medium, and program product for protecting a process | |
| US20090183181A1 (en) | Gathering pages allocated to an application to include in checkpoint information | |
| CN113704179B (en) | File monitoring method, device, computer system and storage medium | |
| CN111159782B (en) | Safety task processing method and electronic equipment | |
| US10884831B2 (en) | Composable system | |
| CN113704753A (en) | Method and device for intercepting and replacing system call, electronic equipment and medium | |
| US11068302B2 (en) | Method for regulating system management mode function calls and system therefor | |
| US9098356B2 (en) | Hook re-entry prevention device and recording medium, in which program for executing method thereof in computer is recorded thereon | |
| CN113722002A (en) | Method and system for obtaining command line parameters, electronic device and storage medium | |
| CN112784276A (en) | Method and device for realizing credibility measurement | |
| GB2503920A (en) | Using a tag to identify the application context for a program object | |
| CN117744082A (en) | Method and device for detecting malicious software in operating system and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |