Kernel hook based process behavior monitoring method

A process behavior monitoring technology, applied in the field of kernel-hook-based process behavior monitoring, addresses problems such as infringement by viruses, the difficulty of achieving file security protection from the ordinary user layer alone, and the unsatisfactory results of conventional file security protection, so as to improve security.

Active Publication Date: 2015-11-18
FUZHOU BOKE WANGAN INFORMATION TECH CO LTD

AI Technical Summary

Problems solved by technology

The common methods of file security protection are information encryption and setting access rights. However, due to the loopholes of application software and the infringement of viruses, these methods cannot achieve satisfactory results in file security protection.
Many malicious applications load drivers to perform intrusive access operations, so protection at the ordinary user layer alone can hardly achieve the purpose of file security protection.



Embodiment Construction

[0030] The present invention will be further described below in conjunction with the accompanying drawings and embodiments.

[0031] As shown in Figure 1, the present embodiment provides a process behavior monitoring method based on a kernel hook, which specifically includes the following steps:

[0032] Step S1: Start the monitoring program and determine whether the user has loaded the driver. If not, prompt the user to load the driver and proceed to step S2; if it is already loaded, proceed to step S3;

[0033] Step S2: Perform the initialization operation and load the driver;

[0034] Step S3: The driver performs its related initialization operations;

[0035] Step S4: The monitoring program sends its own process ID to the driver through DeviceIoControl for process protection, to prevent malicious programs from forcibly terminating the monitoring program;

[0036] Step S5: the monitoring program selects a monitored process, the monitored process is an executable...


Abstract

The invention relates to a kernel hook based process behavior monitoring method. First, a monitoring program is started and it is determined whether the user has loaded the driver; if the driver is not loaded, the user is prompted to load it. Initialization is then performed, and the monitoring program sends its own process ID to the driver through DeviceIoControl so that the driver can apply process protection to it. The monitoring program selects a monitored process and creates a message receiving thread for receiving messages from the driver. The driver monitors the behavior of the monitored process and its sub-processes and sends the monitoring results to the monitoring program, whose message receiving thread displays and records them. When the monitored process and all of its sub-processes have exited, or when the monitoring program chooses to stop monitoring, the monitored process and its sub-processes are terminated, the message receiving thread of the monitoring program exits, the current monitoring round ends, and the steps are repeated for a new round of monitoring. According to the method, malicious process behavior can be effectively prevented.

Description

Technical field

[0001] The invention relates to the software technical field of system security, in particular to a kernel hook-based process behavior monitoring method.

Background technique

[0002] As the Internet has developed, users surfing the Internet are always at risk of being attacked by malicious programs. Malware emerges in an endless stream and seriously threatens the security of Internet users' host systems. Traditional signature scanning technology urgently needs improvement because of its lag and high false positive rate, while behavior monitoring technology is widely used in host defense systems because it identifies unknown malicious programs effectively and accurately.

[0003] The well-known Kaspersky and 360 Security Guard (from the domestic security company 360) have added active defense functions. When malicious programs produce suspicious behaviors such as remote thread injection and adding users, they will ...

Claims


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F11/30, G06F21/56
Inventors: 王琦, 黄可臻, 蔡滨海, 张冬青
Owner FUZHOU BOKE WANGAN INFORMATION TECH CO LTD