Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Driven malware defence method and device

A malware-driven technology, applied in the field of computer security, can solve problems such as system crashes, imprecise judgment logic, and failure of security software functions, and achieve the effect of preventing attacks

Inactive Publication Date: 2009-12-09
北京东方微点信息技术有限责任公司
View PDF0 Cites 15 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

For the second measure, firstly, because the hooking method needs to modify the entry code of the monitored system function to make it jump to the monitoring code of the security software for logical judgment, this kind of hooking method is easier to be found. Therefore, it is also easier to be restored. At present, driver-type malware restores the function entry code hooked by the security software by reading the original kernel file on the disk, allowing the function to execute the original logic and avoid the monitoring of the security software; secondly, The hooked system function call may also be a function frequently called by the system itself or normal kernel modules. Each call will execute the judgment logic of the security software, which has a great impact on system performance; in addition, if multiple When using this method to hook the monitored system function, it will cause conflicts, or cause some functions of the security software to fail, or cause the system to crash due to the imprecise judgment logic of the hook

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Driven malware defence method and device
  • Driven malware defence method and device
  • Driven malware defence method and device

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0019] figure 1 It is a flow chart of the first embodiment of the drive-type malware defense method of the present invention, as figure 1 As shown, the method of the present embodiment includes:

[0020] Step 101, according to the import table information of the driver, replace the function address information related to the system function to be monitored with the address information of the security software monitoring function;

[0021] When the driver is loaded, there will be a point in time. At this point in time, the driver has been loaded into the system kernel, and the import table information of the driver is also obtained through parsing. The next step is to call the system function required by the driver. , so as to realize the driving function. Installing the safety software monitoring function at this point in time can replace the system function that the driver needs to call with the safety software monitoring function before the driver program is executed. The...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention discloses a driven malware defense method and a device; the method comprises the following steps: according to import table information of a driver, replacing function address information related to a system function needing monitoring with address information of a security software monitoring function; using the security software monitoring function to monitor executing action of the driver and send alarm information when the executing action is abnormal. The device comprises a replacement processing module and a monitoring processing module; according to the import table information of the driver, the replacement processing module is used for replacing the function address information related to the system function needing monitoring with the address information of the security software monitoring function; the monitoring processing module is used for using the security software monitoring function replaced by the replacement processing module to monitor the executing action of the driver and sending the alarm information when the executing action is abnormal. The invention has the characteristics of intellectuality, safe and reliable defense performance, unlikeliness of being restored, no influence on the system performance and the like while effectively carrying out defense on the driven malware.

Description

technical field [0001] The invention relates to a drive-type malicious software defense method and device, belonging to the technical field of computer security. Background technique [0002] With the widespread use of computers, the number and types of various computer viruses have also increased rapidly, especially with the development of networks, the spread and harm of viruses have become more serious, causing troubles and losses for computer users. In the existing virus protection, as the security software gradually adopts the behavior-based malicious program determination method, the malicious programs based on the user mode application program gradually develop into the kernel mode driver type, and these malicious programs are loaded into the Windows operating system through the driver mode. In the kernel, the destruction and theft of user data are realized. [0003] In the prior art, there are mainly two monitoring measures taken by the security software for the dri...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Applications(China)
IPC IPC(8): G06F21/00G06F9/46G06F21/56
Inventor 郭强
Owner 北京东方微点信息技术有限责任公司
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com