Method and device for scanning system process

A system-process scanning method and device, applied in the field of scanning system processes, which addresses threats such as processes hidden from the operating system and improves system security.

Active Publication Date: 2019-09-03
FUJIAN TQ DIGITAL

AI Technical Summary

Problems solved by technology

Some viruses and Trojans hide themselves in this way through RootKit technology, posing potential or actual threats to computers.

Embodiment Construction

[0056] In order to explain in detail the technical content, structural features, goals and effects of the technical solution, specific embodiments are described below in conjunction with the accompanying drawings.

[0057] See Figure 1, which is a flowchart of a method for scanning system processes according to an embodiment of the present invention; the method includes the following steps:

[0058] S1. Obtain system version information;

[0059] S2. Load the ntdll.dll file in memory;

[0060] S3. Obtain the private API function information required by the enumeration process and the ECX offset information under Win7;

[0061] S4. View the source code corresponding to the private API function in ntdll.dll through disassembly;

[0062] S5. Implement the call from R3 (user mode) to R0 (kernel mode) according to the private API function information, through assembly;

[0063] S6. Traverse the system handle table to obtain all kernel handle information of the system, an...

Abstract

The invention provides a system process scanning method for finding hidden processes that are skipped by the process activity link list but are actually executing. The method comprises the steps of loading the ntdll.dll file in memory and obtaining the private API function information required by the enumeration process and the ECX offset information under Win7; viewing the source code corresponding to the private API function in ntdll.dll through disassembling, and performing the call from R3 to R0 according to the private API function information through assembly; and traversing the handle table of the system to obtain all kernel handle information of the system, judging one by one whether each handle is a process handle, and if so, copying and recording it and then obtaining the process information. The invention also provides a system process scanning apparatus for realizing the method. According to this scheme, system processes, including certain processes hidden through specific pathways, can be scanned effectively and comprehensively, so that the purpose of improving system security is achieved.
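The cross-view check behind steps S3 to S6 and the abstract (PIDs reachable through the kernel handle table compared against the visible process list), as an added example that is not the patent's code: the Windows handle-table and process-list queries are replaced by constructed sample data, and `handle_entry_t`, `find_hidden_pids`, `sample_hidden` and `OBJECT_TYPE_PROCESS` are illustrative names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the handle table entry fields the cross-check needs.
 * On Windows they come from NtQuerySystemInformation(SystemHandleInformation);
 * the PID behind a Process handle is learned by duplicating and querying the
 * handle, modelled here as a precomputed field. */
typedef struct {
    uint32_t owner_pid;         /* process that holds the handle */
    uint8_t  object_type_index; /* object type; identifies Process handles */
    uint32_t target_pid;        /* PID behind a Process handle, else 0 */
} handle_entry_t;

#define OBJECT_TYPE_PROCESS 7   /* constructed; the real index varies per build */
static bool in_list(uint32_t pid, const uint32_t *list, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (list[i] == pid) return true;
    return false;
}

/* Writes (deduplicated) every PID reachable through the handle table, as a handle
 * owner or as a Process-handle target, that is missing from the visible process
 * list. Returns the number of hidden PIDs written, bounded by max_out. */
size_t find_hidden_pids(const handle_entry_t *h, size_t nh,
                        const uint32_t *visible, size_t nv,
                        uint32_t *out, size_t max_out) {
    size_t count = 0;
    for (size_t i = 0; i < nh; i++) {
        uint32_t cands[2] = { h[i].owner_pid, h[i].target_pid };
        size_t nc = h[i].object_type_index == OBJECT_TYPE_PROCESS ? 2 : 1;
        for (size_t c = 0; c < nc; c++) {
            uint32_t pid = cands[c];
            if (pid == 0 || in_list(pid, visible, nv) || in_list(pid, out, count))
                continue;
            if (count < max_out) out[count++] = pid;
        }
    }
    return count;
}
/* Constructed sample: PIDs 1337 and 2222 are running but unlisted. */
static const uint32_t sample_visible[] = { 4, 500, 1200 };
static const handle_entry_t sample_handles[] = {
    { 500,  OBJECT_TYPE_PROCESS, 1200 }, /* visible owner, visible target */
    { 500,  OBJECT_TYPE_PROCESS, 1337 }, /* Process handle to a hidden process */
    { 4,    12,                  0    }, /* non-process handle type */
    { 2222, 12,                  0    }, /* hidden process owning a handle */
    { 1200, OBJECT_TYPE_PROCESS, 2222 }, /* same hidden PID, deduplicated */
};
size_t sample_hidden(uint32_t *out, size_t max_out) {
    return find_hidden_pids(sample_handles, 5, sample_visible, 3, out, max_out);
}
```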

Description

Technical field

[0001] The invention relates to the field of computer software, in particular to a method and device for scanning system processes.

Background technique

[0002] RootKit is a tool used by computer attackers to hide their tracks. The common methods by which rootkits hide themselves are as follows:

[0003] 1) Replacing or modifying key system files of the operating system.

[0004] 2) Applying memory patches, based on hook technology, to loaded applications and to operating system components such as the system call table.

[0005] 3) Dynamically modifying kernel objects.

[0006] The operating system enumerates the current processes of the system through its Native API function ZwQuerySystemInformation by walking the process activity list. The specific process is as follows:

[0007] First, get the pointer of any current process, for example, get the PEPROCESS pointer of the current process through PsGetCurrentProcess().

[0008] Then, locate to the Acti...

Application Information

Patent Type & Authority: Patents (China)
IPC(8): G06F21/56
Inventors: 张春双, 刘德建, 陈宏展, 方振华, 李上杰
Owner: FUJIAN TQ DIGITAL