Execution method and device for registry operation

A registry and execution-logic technology, applied to program control devices, computer security devices, program control design and related fields. It addresses problems such as incompatibility between security software products, weak resistance to driver-level malicious programs, and a lack of capability in the kernel mode of the operating system. Its effect is to avoid potential incompatibility and to strengthen the ability to counter such programs.

Active Publication Date: 2012-11-14
三六零数字安全科技集团有限公司

AI Technical Summary

Problems solved by technology

[0015] Although traditional security software vendors are aware that various registry operations can be hijacked, most existing solutions only consider the hijacking risk in the user mode of the operating system, and attack and defense in the kernel mode of the operating system often show a more obvious lack of capability, weak against driver-level malicious pr


Examples


Embodiment Construction

[0084] In order to make the above objects, features and advantages of the present invention more comprehensible, the present invention will be further described in detail below in conjunction with the accompanying drawings and specific embodiments.

[0085] One of the core concepts of the embodiments of the present invention is to build a trusted environment for registry operations that covers the entire life cycle of registry behavior, and to implement a registry operation call library at the user-mode interface of the operating system. By inspecting requests from user mode, simulating the behavior of the kernel execution layer, detecting and restoring object-resolution hooks, blocking the kernel registry callback mechanism, and so on, third-party drivers can be penetrated (also called bypassing), which ensures that the environment of the registry operation request is authentic and trustworthy. Moreover, the kernel synchronous call returns the user mode handle information a...


Abstract

The invention provides an execution method for registry operations, comprising the following steps. A registry operation request is acquired, where the request includes a caller input parameter. The kernel execution logic of the registry is set according to the caller input parameter, where the kernel execution logic includes a tampering point detection and restoration logic and a registry function calling logic. The tampering point detection and restoration logic is executed: preset tampering points in the kernel execution flow are detected, and when the original value of a tampering point has been changed, the original value is restored. The corresponding registry function is then called by the registry function calling logic. The method and device disclosed by the invention strengthen the ability to counter driver-level malicious programs and avoid the potential incompatibility between security software products caused by interference with registry operations.
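The detect, restore, then call sequence from the abstract, as an added example that is not taken from the patent: a user-space model in which the "kernel execution flow" is a table of function pointers checked against a trusted copy before each operation. All names, return codes and the key string are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed user-space model; every name here is hypothetical. */
typedef int (*reg_fn)(const char *key);
enum { OP_OPEN, OP_QUERY, OP_DELETE, OP_COUNT };

static int real_open(const char *key)   { return key ? 1 : -1; }
static int real_query(const char *key)  { return key ? 2 : -1; }
static int real_delete(const char *key) { return key ? 3 : -1; }

/* Stand-in for a third-party hook that denies every request. */
static int hooked_deny(const char *key) { (void)key; return -13; }

/* Trusted original values and the live table that may be tampered with. */
static const reg_fn original_table[OP_COUNT] = { real_open, real_query, real_delete };
static reg_fn live_table[OP_COUNT];

void table_init(void) { memcpy(live_table, original_table, sizeof live_table); }
void simulate_hook(int op) { live_table[op] = hooked_deny; }

/* Tampering point detection and restoration: returns entries restored. */
int detect_and_restore(void) {
    int restored = 0;
    for (int i = 0; i < OP_COUNT; i++) {
        if (live_table[i] != original_table[i]) {
            live_table[i] = original_table[i];   /* put the original value back */
            restored++;
        }
    }
    return restored;
}

/* Validate the caller input, run the integrity check, then call the function. */
int execute_registry_op(int op, const char *key, int *restored_out) {
    if (op < 0 || op >= OP_COUNT || key == NULL) return -1;
    int restored = detect_and_restore();
    if (restored_out) *restored_out = restored;  /* report for logging/alerting */
    return live_table[op](key);
}

int main(void) {
    int restored = 0;
    table_init();
    simulate_hook(OP_QUERY);
    int rc = execute_registry_op(OP_QUERY, "ConstructedKey", &restored);
    printf("restored=%d result=%d\n", restored, rc);
    return 0;
}
```

The restored count is returned to the caller so that a changed tampering point can be logged as a detection event rather than silently repaired.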

Description

Technical field

[0001] The invention relates to the technical field of operating system penetration, in particular to a registry operation execution method and a registry operation execution device.

Background

[0002] When faced with complex problems, people tend to use divide and conquer to split up and narrow the scope of the problem. The same is true in operating system design, where this approach brings advantages such as portability and scalability. However, because of security flaws in the design theory (for example, the lack of an integrity verification mechanism), the other side of high scalability is that there are a large number of possibilities for the system to be tampered with. For example, when security software operates on (creates, opens, enumerates, reads and writes, deletes, etc.) the registry key values of itself, the system, or malicious programs, it often hopes that the access process is authentic and credib...


Application Information

IPC(8): G06F9/44, G06F21/00
CPC: G06F9/44505, G06F21/568
Inventor: 王宇, 郑文彬, 潘剑锋
Owner 三六零数字安全科技集团有限公司