CN100520797C - Apparatus and method for preventing virus dynamic state attack program - Google Patents

Publication number: CN100520797C
Authority: CN (China)
Prior art keywords: desktop, protected, program, monitoring, thread
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CNB2007100321093A
Other languages: Chinese (zh)
Other versions: CN101178761A (en)
Inventor
黄声声
邓鹏�
Current assignee: Zhuhai Kingsoft Software Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Zhuhai Kingsoft Software Co Ltd
Priority date: 2007-12-05 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2007-12-05
Publication date: 2009-07-29

Events: application filed by Zhuhai Kingsoft Software Co Ltd; priority to CNB2007100321093A; publication of CN101178761A; application granted; publication of CN100520797C; legal status Active; anticipated expiration.
Abstract

The invention relates to computer virus defence techniques, and in particular to an apparatus and method for preventing a virus from dynamically attacking a program. The apparatus comprises a desktop manager and a desktop boundary protection module: the desktop manager is a list of the desktops protected by the desktop boundary protection module, and the desktop boundary protection module monitors, and acts on, operations that relate to a protected desktop. With this scheme the invention blocks cross-desktop attack operations by a virus, such as phishing attacks that use hooks, messages and counterfeit windows against programs on other desktops, so that the programs on those desktops are protected from dynamic attack by account-stealing trojans and other viruses.

Description

Apparatus and method for preventing a virus from dynamically attacking a program
Technical field
The present invention relates to computer virus prevention technology, and in particular to an apparatus and method for preventing a virus from dynamically attacking a program.
Background technology
With the spread of viruses, worms, trojans, backdoors and blended threats, attacks against newly found vulnerabilities now appear faster than before. Because attackers are no longer satisfied with the sense of achievement that a virus-induced network outage gives them, but want economic gain from it, present-day viruses tend towards malicious-code attacks: spyware, online fraud, mail-based attacks, malicious web sites and so on. Formerly only a minority of virus types were trojan programs with control and theft functions, so the damage they did was more conspicuous; today most active viruses are hidden malicious code that tries to go unnoticed while attacking, with the aim of obtaining economic gain through information theft and remote control. Identity-theft code began with phishing techniques and harms users' real-world economic interests by stealing online credit card details, bank account numbers and passwords, and virtual assets such as online game accounts. These attacks are often disguised as legitimate applications and e-mail messages and are designed to trick users into exposing sensitive information or downloading and installing rogue programs; traditional security software has difficulty stopping them, and advanced detection and safety techniques are often needed.
Summary of the invention
One object of the present invention is to provide an apparatus for preventing a virus from dynamically attacking a program.
This object of the invention is achieved by the following technical solution:
An apparatus for preventing a virus from dynamically attacking a program, characterized in that the apparatus comprises:
a desktop manager and a desktop boundary protection module, the desktop manager being a list of the desktops protected by the desktop boundary protection module;
the desktop boundary protection module being used to monitor operations relating to a protected desktop.
The desktop boundary protection module comprises a program authorization management module that monitors and/or intercepts the execution, by threads or processes in the system, of operations relating to a protected desktop.
The behaviour monitored and/or intercepted by the program authorization management module comprises one or more of the following three classes: opening a protected desktop; setting a thread or process to run on a protected desktop; and creating a process on a protected desktop.
In particular, the desktop boundary protection module further comprises a desktop boundary scan module that performs safety detection on programs that need to enter the protected desktop.
The apparatus further comprises a desktop internal protection module that performs behaviour isolation between the programs running on the protected desktop.
Another object of the present invention is to provide a method for preventing a virus from dynamically attacking a program.
This object of the invention is achieved by the following technical solution:
A method for preventing a virus from dynamically attacking a program, characterized in that it comprises the following steps:
creating a desktop manager, the desktop manager being a list of the desktops protected by a desktop boundary protection module;
creating a desktop;
adding the desktop to the desktop manager;
using the desktop boundary protection module to monitor operations relating to the desktop, thereby protecting the desktop.
The desktop boundary protection module comprises a program authorization management module that monitors and/or intercepts the execution, by threads or processes in the system, of operations relating to a protected desktop.
The behaviour monitored and/or intercepted by the program authorization management module comprises one or more of the following three classes: opening a protected desktop; setting a thread or process to run on a protected desktop; and creating a process on a protected desktop.
In particular, the desktop boundary protection module further comprises a desktop boundary scan module that performs safety detection on programs that need to enter the protected desktop.
The method further comprises performing behaviour isolation, by means of a desktop internal protection module, between the programs running on the protected desktop.
The present invention establishes a desktop manager in the computer operating system, together with a desktop boundary protection module that monitors operations relating to the protected desktops listed in the desktop manager, so as to monitor or intercept improper operations by threads or processes in the system on a protected desktop: for example modifying, without authorization, the underlying system data structures relating to the protected desktop, setting a thread or process to run on the protected desktop, or creating a process on the protected desktop. With this scheme the invention stops a virus from carrying out cross-desktop attack operations, such as phishing attacks using hooks, messages and counterfeit windows against programs on other desktops, so that the programs running on those other desktops are hard for viruses such as account-stealing trojans to attack dynamically.
Description of drawings
Fig. 1 is a schematic diagram of the principle of the apparatus of the invention;
Fig. 2 is a flow diagram of the method of the invention;
Fig. 3 is a flow diagram of the desktop boundary scan described in the invention.
Embodiments
Embodiment one
The technical scheme of the invention is set out further below with reference to Figures 1 and 2 and a concrete Windows operating system.
As shown in Fig. 1, an apparatus for preventing a virus from dynamically attacking a program comprises a desktop manager and a desktop boundary protection module; the desktop manager is a list of the desktops protected by the desktop boundary protection module, and the desktop boundary protection module is used to monitor operations relating to a protected desktop. The desktop boundary protection module comprises at least one program authorization management module used to monitor and/or intercept the execution, by threads or processes in the system, of operations relating to a protected desktop.
As is well known, a computer running Windows displays a visual interface once it has started normally; in the present invention this interface is defined as the "default desktop". Besides the shortcut icons, files and folders shown on that interface, the default desktop also includes the underlying data that supports the visual information, such as the program list, registry information and the operating system's underlying data structures.
As shown in Fig. 2, the process by which the invention prevents a virus from dynamically attacking a program is as follows:
establishing a desktop manager in the Windows operating system, the desktop manager being a list of the desktops protected by the desktop boundary protection module;
creating a specially protected secure desktop, distinct from the default desktop described above;
adding the secure desktop to the desktop manager;
using the desktop boundary protection module to monitor operations relating to the desktop, thereby protecting the secure desktop.
In this embodiment the function of the desktop boundary protection module is realized by its internal program authorization management module, which monitors and/or intercepts the execution, by threads or processes in the system, of operations relating to the protected desktop. The program authorization management module monitors and/or intercepts the operations by which threads or processes in the system access the secure desktop, cutting off the usual means by which unauthorized programs on other desktops attack the secure desktop, such as phishing attacks using hooks, messages and counterfeit windows, so that the programs running on the secure desktop are hard to attack dynamically by the viruses described above. A protected program list is maintained for the secure desktop: when a program is added to the secure desktop it is added to this list, which states explicitly which programs need protection. When a program on this list is run in protected mode, the started process is set to belong to the secure desktop; in that case attack operations such as hooks coming from the default desktop cannot affect the process.
Specifically, to isolate the secure desktop from attack by virus programs, the program authorization management module intercepts the behaviour of any program that has not passed safety detection (by means such as anti-virus scanning or online file verification) when that program attempts to switch to the secure desktop at run time. That is, the desktop boundary protection module prevents programs that have not passed safety detection from switching to the secure desktop while running, so that other programs cannot obtain the right to execute code on the secure desktop by switching to it at run time.
The behaviour of threads or processes in the system that the program authorization management module monitors and/or intercepts comprises one or more of the following three classes: 1) attempting to open the secure desktop (for example, obtaining a handle to the secure desktop with OpenDesktop); 2) attempting to designate a program to run on the secure desktop (for example, setting a thread onto the secure desktop with the API SetThreadDesktop); and 3) setting a process or thread to run on the secure desktop (for example, setting the startup desktop of a process to the secure desktop in CreateProcess). The program authorization management module also contains an authorized program list, whose content corresponds to the protected program list maintained for the secure desktop and which is used to decide which programs may access the secure desktop. In this way the program authorization management module cuts off access to the secure desktop by untrusted programs, so that programs that have not been verified or scanned cannot enter the secure desktop, removing the possibility of a trojan attacking by slipping into the secure desktop. In the present product of the invention this is realized by two approaches, either of which, or a combination of both, may be used:
Approach 1 intercepts several related system API functions:
[Table of intercepted system API functions; it appears as image C200710032109D00101 in the original, and the functions are listed in claim 3.]
Approach 2 intercepts the system API functions used to enumerate desktops and gives the secure desktop a random desktop name.
Embodiment two
This embodiment differs from embodiment one in that the desktop boundary protection module also comprises a desktop boundary scan module. As described in embodiment one, the cardinal principle of the secure desktop design is to isolate a trusted, secure zone within the operating system, so a program may be allowed into the secure zone only after passing safety detection. This detection is based on methods such as anti-virus scanning or online file verification; whichever is used, its purpose is to establish whether the detected program is a known safe program. As a further scheme, the invention performs this safety detection on programs that need to enter the secure desktop through a desktop boundary scan module subordinate to the desktop boundary protection module, which assists the program authorization management module in maintaining a trusted program list for the secure desktop. As shown in Fig. 3, the program requested to be added to the secure desktop is assessed: if it is a safe program, it is added to the secure desktop; if the result is that it is not a safe program, adding the file to the secure desktop list is refused. If the program is unknown, it is sent by appropriate means, with the user's consent, to the provider of the anti-virus or online file verification software.
Embodiment three
This embodiment differs from embodiment one in that the apparatus for preventing a virus from dynamically attacking a program also comprises a desktop boundary scan module.
Because a program that has passed safety detection and runs on the secure desktop may still, through a vulnerability or improper user operation, bring in a dynamically aggressive virus such as a trojan, the apparatus also comprises a desktop internal protection module. The desktop internal protection module performs behaviour isolation on the risky operations of each process in the secure desktop, preventing a program infected through a vulnerability with a dynamically aggressive virus such as a trojan from piggybacking on the processes of the other protected programs; that is, it removes the possibility of any program carrying out high-risk operations against the other programs.
Because of the desktop internal protection module, when a process in the secure desktop performs an operation that may affect other processes, the module blocks or allows it according to the process's privilege level. A high-privilege process may perform operations that affect low-privilege processes or processes of its own level, whereas a low-privilege process cannot affect a high-privilege process; this is the behaviour isolation referred to above. For example, when a low-privilege IE browser process attempts to access a high-privilege secure desktop process using the API OpenProcess(), the internal protection module blocks the operation because the browser's privilege is insufficient; conversely, when the internal module of the secure desktop attempts to access the low-privilege IE browser process using OpenProcess(), the internal protection module allows the operation. Exactly which modules hold which privilege level is determined by the strategy adopted by the specific product. In general the principle is: programs that handle complex and varied content and are easily compromised through vulnerabilities, such as browsers, are granted lower privilege; programs whose behaviour is simple and consistent, changes little, and whose function is important, such as the process manager, are granted higher privilege.
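The decisions described in embodiments one to three, as an added example that is not the patent's or Kingsoft's own code: a portable C model of the policy core that the hooked API entry points (claim 3 names them) would consult, covering the desktop manager, the boundary scan admitting programs to the authorized list, the boundary check for the three operation classes, and the internal privilege-level check. The struct and function names, the numeric privilege levels and the sample desktop and program names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Operation classes the boundary module intercepts on a protected desktop:
 * opening it (CreateDesktop/OpenDesktop/OpenInputDesktop), moving a thread
 * onto it (SetThreadDesktop), or starting a process on it (CreateProcess). */
enum desk_op { OP_OPEN_DESKTOP, OP_SET_THREAD_DESKTOP, OP_CREATE_PROCESS_ON };
enum verdict { DENY = 0, ALLOW = 1 };
/* Outcome of the safety detection (AV scan or online file verification). */
enum scan_result { SCAN_SAFE, SCAN_MALICIOUS, SCAN_UNKNOWN };

#define MAX_DESKTOPS 4
#define MAX_PROGRAMS 8

/* Desktop manager: the list of desktops under boundary protection. */
struct desktop_manager { const char *names[MAX_DESKTOPS]; int count; };

/* Program authorization module: the authorized program list, mirroring the
 * protected program list kept for the secure desktop. */
struct program_authz { const char *programs[MAX_PROGRAMS]; int count; };

static bool in_list(const char *const *items, int count, const char *key) {
    for (int i = 0; i < count; i++)
        if (strcmp(items[i], key) == 0) return true;
    return false;
}

/* Register a desktop with the manager; duplicates are rejected. */
bool add_protected_desktop(struct desktop_manager *dm, const char *name) {
    if (dm->count >= MAX_DESKTOPS || in_list(dm->names, dm->count, name)) return false;
    dm->names[dm->count++] = name;
    return true;
}

/* Desktop boundary scan: a program joins the authorized list only when the
 * safety detection reports it as known safe. A malicious result is refused;
 * an unknown result is not admitted here (the text defers it to the vendor,
 * with user consent), so the caller sees "not admitted" for both. */
bool admit_program(struct program_authz *pa, const char *program, enum scan_result r) {
    if (r != SCAN_SAFE || pa->count >= MAX_PROGRAMS) return false;
    if (!in_list(pa->programs, pa->count, program)) pa->programs[pa->count++] = program;
    return true;
}

/* Decision a hooked API entry consults before letting the call proceed.
 * Calls that do not touch a protected desktop pass through unchanged; calls
 * that do are allowed only for programs on the authorized list, whichever of
 * the three operation classes is attempted. */
enum verdict boundary_check(const struct desktop_manager *dm, const struct program_authz *pa,
                            const char *caller, enum desk_op op, const char *target_desktop) {
    (void)op;   /* all three classes are gated by the same authorized list */
    if (!in_list(dm->names, dm->count, target_desktop)) return ALLOW;
    return in_list(pa->programs, pa->count, caller) ? ALLOW : DENY;
}

/* Desktop internal protection: a process may act on another process inside
 * the secure desktop (e.g. via OpenProcess) only if its privilege level is at
 * least the target's. The level assignment is a product policy choice;
 * here a higher number means more trusted. */
enum verdict internal_check(int caller_level, int target_level) {
    return caller_level >= target_level ? ALLOW : DENY;
}

int main(void) {
    struct desktop_manager dm = { {0}, 0 };
    struct program_authz pa = { {0}, 0 };
    add_protected_desktop(&dm, "SecureDesktop-7f3a");   /* constructed name */
    admit_program(&pa, "bank_client.exe", SCAN_SAFE);    /* constructed names */
    admit_program(&pa, "dropper.exe", SCAN_UNKNOWN);

    printf("dropper.exe SetThreadDesktop onto secure desktop -> %s\n",
           boundary_check(&dm, &pa, "dropper.exe", OP_SET_THREAD_DESKTOP,
                          "SecureDesktop-7f3a") == ALLOW ? "ALLOW" : "DENY");
    printf("browser (level 1) OpenProcess on process manager (level 3) -> %s\n",
           internal_check(1, 3) == ALLOW ? "ALLOW" : "DENY");
    return 0;
}
```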
Embodiment four
On a computer running a Windows NT-series operating system, a logon desktop, Winlogon, is created by default once normal startup has completed. Generally a virus finds this desktop hard to attack, because the privilege required to operate on it is high; but once a virus has raised its own privilege by exploiting various vulnerabilities, it is free to use means such as hook, message and counterfeit-window phishing attacks on the Winlogon desktop. By adding this desktop to the desktop manager, the desktop boundary protection module ensures that even after a virus has raised its own privilege it cannot attack by such hook, message and counterfeit-window phishing means.
The invention also has other variants; any modification or partial replacement made by those skilled in the art under the inspiration of the invention, without departing from its spirit and scope, falls within the protection scope of the invention.

Claims (10)

1. An apparatus for preventing a virus from dynamically attacking a program, characterized in that the apparatus:
comprises a desktop manager and a desktop boundary protection module, the desktop manager being a list of the desktops protected by the desktop boundary protection module;
creates a desktop and adds the desktop to the desktop manager;
the desktop boundary protection module being used to monitor operations relating to a protected desktop, and comprising a program authorization management module that, according to the authorized program list it contains, monitors and/or intercepts the execution, by threads or processes in the system, of operations relating to the protected desktop.
2. The apparatus for preventing a virus from dynamically attacking a program according to claim 1, characterized in that the behaviour of threads or processes in the system monitored and/or intercepted by the program authorization management module comprises one or more of the following three classes: opening a protected desktop; setting a thread or process to run on a protected desktop; and creating a process on a protected desktop.
3. The apparatus for preventing a virus from dynamically attacking a program according to claim 2, characterized in that the program authorization management module is specifically realized by monitoring and/or intercepting the following API functions:
monitoring and/or intercepting a thread or process opening a protected desktop requires intercepting one or more of CreateDesktop, OpenDesktop and OpenInputDesktop; monitoring and/or intercepting a thread or process being assigned to run on a protected desktop requires intercepting SetThreadDesktop; monitoring and/or intercepting a thread or process being created on a protected desktop requires intercepting one or more of CreateProcess, NtCreateProcess and ZwCreateProcess.
4. The apparatus for preventing a virus from dynamically attacking a program according to claim 1, characterized in that the desktop boundary protection module further comprises a desktop boundary scan module that performs safety detection on programs that need to enter the protected desktop.
5. The apparatus for preventing a virus from dynamically attacking a program according to claim 1, characterized in that the apparatus further comprises a desktop internal protection module that performs behaviour isolation between the programs running on the protected desktop.
6. A method for preventing a virus from dynamically attacking a program, characterized in that it comprises the following steps:
creating a desktop manager, the desktop manager being a list of the desktops protected by a desktop boundary protection module;
creating a desktop;
adding the desktop to the desktop manager;
using the desktop boundary protection module to monitor operations relating to the desktop, thereby protecting the desktop;
the desktop boundary protection module comprising a program authorization management module that, according to the authorized program list it contains, monitors and/or intercepts the execution, by threads or processes in the system, of operations relating to the protected desktop.
7. The method for preventing a virus from dynamically attacking a program according to claim 6, characterized in that the behaviour of threads or processes in the system monitored and/or intercepted by the program authorization management module comprises one or more of the following three classes: opening a protected desktop; setting a thread or process to run on a protected desktop; and creating a process on a protected desktop.
8. The method for preventing a virus from dynamically attacking a program according to claim 7, characterized in that the program authorization management module is specifically realized by monitoring and/or intercepting the following API functions:
monitoring and/or intercepting a thread or process opening a protected desktop requires intercepting one or more of CreateDesktop, OpenDesktop and OpenInputDesktop; monitoring and/or intercepting a thread or process being assigned to run on a protected desktop requires intercepting SetThreadDesktop; monitoring and/or intercepting a thread or process being created on a protected desktop requires intercepting one or more of CreateProcess, NtCreateProcess and ZwCreateProcess.
9. The method for preventing a virus from dynamically attacking a program according to claim 6, characterized in that the desktop boundary protection module further comprises a desktop boundary scan module that performs safety detection on programs that need to enter the protected desktop.
10. The method for preventing a virus from dynamically attacking a program according to claim 6, characterized in that the method further comprises performing behaviour isolation, by means of a desktop internal protection module, between the programs running on the protected desktop.
Priority Applications (1)

Application number: CNB2007100321093A; publication: CN100520797C (en); priority date: 2007-12-05; filing date: 2007-12-05; title: Apparatus and method for preventing virus dynamic state attack program; status: Active

Publications (2)

CN101178761A (en), published 2008-05-14
CN100520797C (en), published 2009-07-29 (granted publication)

Family ID: 39405011

Country Status (1)

CN: CN100520797C (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101819619A (en) * 2010-04-14 2010-09-01 梁庆生 Method for preventing virus and Trojan horse
CN102024110A (en) * 2010-12-14 2011-04-20 汉柏科技有限公司 Method and system for safely isolating desktop
CN102629308B (en) * 2012-03-09 2015-02-18 北京奇虎科技有限公司 Method and device for preventing login information from being stealed
CN103488947A (en) * 2013-10-11 2014-01-01 北京金山网络科技有限公司 Method and device for identifying instant messaging client-side account number stealing Trojan horse program
CN106529297B (en) * 2016-11-22 2019-08-06 北京安云世纪科技有限公司 Obtain the method and device of application state information

Also Published As

Publication number Publication date
CN101178761A (en) 2008-05-14


Legal Events

Code | Title | Description
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C14 | Grant of patent or utility model
GR01 | Patent grant
C56 | Change in the name or address of the patentee
CP01 | Change in the name or title of a patent holder | Address after: Jinshan computer Building No. 8 Jingshan Hill Road, Lane 519015 Zhuhai Jida Lianshan Guangdong city of Zhuhai Province; patentee after: Zhuhai Kingsoft Software Co.,Ltd.; address before: Jinshan computer Building No. 8 Jingshan Hill Road, Lane 519015 Zhuhai Jida Lianshan Guangdong city of Zhuhai Province; patentee before: Zhuhai Kingsoft Software Co.,Ltd.
EE01 | Entry into force of recordation of patent licensing contract | Application publication date: 20080514; assignee: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.; assignor: Zhuhai Kingsoft Software Co.,Ltd.; contract record no.: 2014990000718; denomination of invention: Apparatus and method for preventing virus dynamic state attack program; granted publication date: 20090729; license type: Common License; record date: 20140826
LICC | Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model