Driven malware defence method and device

A driver-type malware defense technology, applied in the field of computer security, which addresses problems such as system crashes, imprecise judgment logic and failure of security software functions, and achieves the effect of preventing attacks

Inactive Publication Date: 2009-12-09
北京东方微点信息技术有限责任公司

AI Technical Summary

Problems solved by technology

For the second measure, first, because the hooking method must modify the entry code of the monitored system function so that it jumps to the security software's monitoring code for logical judgment, this kind of hook is easier to find and therefore easier to restore. At present, driver-type malware restores the function entry code hooked by the security software by reading the original kernel file on disk, so that the function executes its original logic and evades the security software's monitoring. Second, the hooked system function may also be one that is called frequently by the system itself or by normal kernel modules; every such call executes the security software's judgment logic, which has a large impact on system performance. In addition, when several pieces of security software hook the monitored system function with this method, conflicts arise, some functions of the security software fail, or the system crashes because of imprecise judgment logic in the hook.


Embodiment Construction

[0019] Figure 1 is a flow chart of the first embodiment of the driver-type malware defense method of the present invention. As shown in Figure 1, the method of this embodiment includes:

[0020] Step 101: according to the import table information of the driver, replace the function address information related to the system function to be monitored with the address information of the security software monitoring function;

[0021] When a driver is loaded, there is a point in time at which the driver has already been loaded into the system kernel and its import table information has been obtained by parsing; the next step is to call the system functions the driver requires, so as to realize the driver's function. Installing the security software monitoring function at this point in time replaces the system functions that the driver needs to call with the security software monitoring function before the driver program executes. The...
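The following C program is an added illustration of step 101 and is not code from the patent or its applicant. It models a driver's import table as a small struct of name/address slots, stands in for kernel system functions with stubs, and uses constructed judgment rules (writes under the system directory, or terminating a process named security_software.exe, are treated as abnormal). The function and import names are assumptions chosen for the example. It shows the point the description makes: the monitoring function is installed in the driver's own import slot, so the system function's entry code is never modified, calls from other kernel modules are unaffected, and reading the original kernel file from disk would restore nothing.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Stand-ins for the kernel system functions a driver imports (constructed for this example). */
typedef int (*sys_fn_t)(const char *arg);

static int sys_open_file(const char *path)         { (void)path; return 1; }       /* returns a handle */
static int sys_write_file(const char *path)        { return (int)strlen(path); }  /* returns bytes "written" */
static int sys_terminate_process(const char *name) { (void)name; return 0; }

/* Minimal model of a driver's import table: the imported name and the address the loader
 * resolved for it. Real kernel-mode code calls system functions through exactly such slots. */
typedef struct { const char *name; sys_fn_t addr; } import_entry_t;
typedef struct { import_entry_t imports[3]; size_t count; } driver_import_table_t;

/* State at the point in time the description refers to: the driver is in memory and
 * its import names have been resolved to system function addresses. */
void init_driver_iat(driver_import_table_t *iat) {
    iat->imports[0] = (import_entry_t){ "open_file",         sys_open_file };
    iat->imports[1] = (import_entry_t){ "write_file",        sys_write_file };
    iat->imports[2] = (import_entry_t){ "terminate_process", sys_terminate_process };
    iat->count = 3;
}

/* The driver never calls a system function directly; it goes through its import slot. */
int driver_call(driver_import_table_t *iat, const char *name, const char *arg) {
    for (size_t i = 0; i < iat->count; i++)
        if (strcmp(iat->imports[i].name, name) == 0)
            return iat->imports[i].addr(arg);
    return -1; /* import not present in this driver */
}

/* ---- security software monitoring functions ---- */
static int g_monitored_calls = 0;
static int g_alarms = 0;
static sys_fn_t g_orig_write = NULL;
static sys_fn_t g_orig_terminate = NULL;

static void raise_alarm(const char *what, const char *arg) {
    g_alarms++;
    printf("ALARM: driver attempted %s on %s\n", what, arg);
}

/* Monitoring function for write_file: judge the action, alarm if abnormal, else forward to the original. */
static int monitor_write_file(const char *path) {
    static const char protected_dir[] = "C:\\Windows\\System32\\";  /* constructed rule */
    g_monitored_calls++;
    if (strncmp(path, protected_dir, sizeof protected_dir - 1) == 0) {
        raise_alarm("write", path);
        return -2;  /* design choice here: alarm and refuse; the description only requires the alarm */
    }
    return g_orig_write(path);
}

/* Monitoring function for terminate_process: a driver killing the security software is abnormal (constructed rule). */
static int monitor_terminate_process(const char *name) {
    g_monitored_calls++;
    if (strcmp(name, "security_software.exe") == 0) {
        raise_alarm("terminate", name);
        return -2;
    }
    return g_orig_terminate(name);
}

/* Step 101: swap the import slots of the monitored system functions for the monitoring functions.
 * Only this driver's table changes; the system functions' own entry code is never touched.
 * Returns the number of slots replaced; calling it twice on one table replaces nothing more. */
int install_monitor(driver_import_table_t *iat) {
    int replaced = 0;
    for (size_t i = 0; i < iat->count; i++) {
        import_entry_t *e = &iat->imports[i];
        if (strcmp(e->name, "write_file") == 0 && e->addr != monitor_write_file) {
            g_orig_write = e->addr; e->addr = monitor_write_file; replaced++;
        } else if (strcmp(e->name, "terminate_process") == 0 && e->addr != monitor_terminate_process) {
            g_orig_terminate = e->addr; e->addr = monitor_terminate_process; replaced++;
        }
    }
    return replaced;
}

int monitored_call_count(void) { return g_monitored_calls; }
int alarm_count(void)          { return g_alarms; }

/* Why restoring the kernel file from disk does not undo this: the original function was never
 * modified and still behaves as before; the interposition lives in the driver's import slot. */
int original_is_intact(void) {
    return g_orig_write == sys_write_file && sys_write_file("abc") == 3;
}

int main(void) {
    driver_import_table_t iat;
    init_driver_iat(&iat);
    printf("replaced %d import slots\n", install_monitor(&iat));
    driver_call(&iat, "write_file", "C:\\Users\\demo\\log.txt");                  /* normal: forwarded */
    driver_call(&iat, "write_file", "C:\\Windows\\System32\\drivers\\evil.sys");  /* abnormal: alarm */
    driver_call(&iat, "terminate_process", "security_software.exe");             /* abnormal: alarm */
    printf("monitored calls=%d alarms=%d intact=%d\n",
           monitored_call_count(), alarm_count(), original_is_intact());
    return 0;
}
```

A second driver whose table was never passed to install_monitor keeps calling the original functions directly, which is the per-driver scoping that avoids the system-wide performance cost of an entry-code hook.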


Abstract

The invention discloses a driver-type malware defense method and device. The method comprises the following steps: according to the import table information of a driver, replacing the function address information related to a system function that needs monitoring with the address information of a security software monitoring function; and using the security software monitoring function to monitor the executing actions of the driver and send alarm information when an executing action is abnormal. The device comprises a replacement processing module and a monitoring processing module. According to the import table information of the driver, the replacement processing module replaces the function address information related to the system function that needs monitoring with the address information of the security software monitoring function; the monitoring processing module uses the security software monitoring function installed by the replacement processing module to monitor the executing actions of the driver and sends alarm information when an executing action is abnormal. While effectively defending against driver-type malware, the invention is intelligent, provides safe and reliable defense, is unlikely to be restored, and does not affect system performance.

Description

Technical field

[0001] The invention relates to a driver-type malicious software defense method and device, belonging to the technical field of computer security.

Background technique

[0002] With the widespread use of computers, the number and types of computer viruses have increased rapidly; especially with the development of networks, the spread and harm of viruses have become more serious, causing trouble and losses for computer users. In existing virus protection, as security software gradually adopts behavior-based malicious program determination, malicious programs based on user-mode applications have gradually developed into kernel-mode driver types; these malicious programs are loaded into the Windows operating system kernel as drivers, where they destroy and steal user data.

[0003] In the prior art, there are mainly two monitoring measures taken by the security software for the dri...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/00; G06F9/46; G06F21/56
Inventor 郭强
Owner 北京东方微点信息技术有限责任公司