Process blacklist and whitelist control method based on Windows system

A black and white list control method, applied in the fields of instruments, digital data processing, platform integrity maintenance, etc. It solves problems such as incorrect identification, reduces the probability of viruses or illegal intrusions, and ensures effectiveness and security.

Active Publication Date: 2013-01-02
FUJIAN CENTM INFORMATION
4 Cites, 33 Cited by

AI Technical Summary

Problems solved by technology

This method generally judges only the parent process, and identification fails when the program modifies the token.


Embodiment Construction

[0034] The present invention registers a process notification callback with PsSetCreateProcessNotifyRoutine and hooks the NtCreateSection, NtClose and NtCreateProcess functions in order to intercept and monitor process creation. The NtCreateSection and NtClose functions are intercepted to ensure that the process path obtained is correct. At the same time, the NtCreateProcess and NtCreateProcessEx functions, which are executed when a process is created, must also be intercepted to judge whether the process being created is allowed to run and to block illegal process creation. When the system calls the process notification callback function, the process being created is judged again, which ensures that the user name corresponding to the process can be obtained accurately and makes it possible to decide, per user, whether the process is allowed to run. In summary, in order to achieve effective process control, it is necessary to hook the NtCreateSection, NtClose...
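The two-stage decision described in this paragraph can be modelled in portable user-mode C. This is an added example, not code from the patent and not kernel code: the on_* function names, the policy entries and the handle-to-path table (one assumed reading of why NtCreateSection and NtClose are intercepted) are all hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum verdict { DENY, ALLOW };
struct rule { const char *user, *path; };
/* Constructed policy for illustration; every name and path is hypothetical. */
static const char *blacklist[] = { "C:\\Temp\\dropper.exe" };
static const struct rule whitelist[] = { { "alice", "C:\\Windows\\System32\\notepad.exe" },
                                         { "bob",   "C:\\Windows\\System32\\cmd.exe" } };
/* Section handle -> image path, maintained by the two hooks below (assumed design). */
static struct { unsigned long h; const char *path; } sec[16];
static int same(const char *a, const char *b) {   /* case-insensitive compare */
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return tolower((unsigned char)*a) == tolower((unsigned char)*b);
}
static const char *path_of(unsigned long h) {
    for (int i = 0; i < 16; i++) if (sec[i].path && sec[i].h == h) return sec[i].path;
    return NULL;
}
/* NtCreateSection hook: record which file backs the new section handle. */
void on_create_section(unsigned long h, const char *path) {
    for (int i = 0; i < 16; i++)
        if (!sec[i].path) { sec[i].h = h; sec[i].path = path; return; }
}
/* NtClose hook: forget the handle so a reused value never maps to a stale path. */
void on_close(unsigned long h) {
    for (int i = 0; i < 16; i++) if (sec[i].path && sec[i].h == h) sec[i].path = NULL;
}
/* Stage 1, NtCreateProcess(Ex) hook: path-only check before the process exists. */
enum verdict on_create_process(unsigned long section, const char **path) {
    if (!(*path = path_of(section))) return DENY;   /* untracked image: fail closed */
    for (size_t i = 0; i < sizeof blacklist / sizeof *blacklist; i++)
        if (same(*path, blacklist[i])) return DENY;
    return ALLOW;
}
/* Stage 2, process notify callback: the user is now known, so apply per-user rules. */
enum verdict on_process_notify(const char *user, const char *path) {
    for (size_t i = 0; i < sizeof whitelist / sizeof *whitelist; i++)
        if (same(user, whitelist[i].user) && same(path, whitelist[i].path)) return ALLOW;
    return DENY;
}
int main(void) {
    const char *p;
    on_create_section(0x40, "c:\\windows\\system32\\cmd.exe");
    if (on_create_process(0x40, &p) == ALLOW)
        printf("bob=%d alice=%d\n", on_process_notify("bob", p), on_process_notify("alice", p));
    return 0;
}
```

Stage 1 fails closed when the section handle was never tracked or has already been closed, which is the case the handle table exists to catch.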


Abstract

The invention relates to a process blacklist and whitelist control method based on a Windows system. A process notification callback function is registered with PsSetCreateProcessNotifyRoutine, and the NtCreateSection, NtClose and NtCreateProcess functions are hooked to intercept and monitor process creation. At the same time, the NtCreateProcess and NtCreateProcessEx functions, which are executed during process creation, must be intercepted to judge whether a created process is allowed to run, so as to intercept illegal process creation. When the system calls the process notification callback function, the process under creation is judged again to guarantee that the username corresponding to the process is obtained accurately, so that whether the process may run can be controlled according to the user. The process blacklist and whitelist control method provided by the invention is highly efficient.

Description

【Technical field】

[0001] The invention relates to a process blacklist and whitelist control method based on the Windows system.

【Background technique】

[0002] At present, process monitoring on Windows systems is mostly implemented either by registering a process creation callback and an image load callback with PsSetCreateProcessNotifyRoutine and PsSetLoadImageNotifyRoutine, or by hooking NtCreateSection or NtCreateProcess.

[0003] PsSetCreateProcessNotifyRoutine implements process monitoring by registering a callback function. By the time the callback is invoked the process is actually running, so the process cannot be prevented from running before it starts. PsSetLoadImageNotifyRoutine and NtCreateSection are also called when no process is being created, so judging whether a process is currently being created is more troublesome, and it is impossible to accurately obtain the user who is currently creating the process, and it is impossible to control the use authority of the process according to t...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/51, G06F21/54
Inventor: 张辉
Owner: FUJIAN CENTM INFORMATION