
CN102982281B - Program state testing method and system - Google Patents


Info

Publication number: CN102982281B
Authority: CN (China)
Prior art keywords: program, information, file, dll file, server
Legal status: Active
Application number: CN201210449282.4A
Other languages: Chinese (zh)
Other versions: CN102982281A
Inventors: 张晓霖, 郑文彬
Current assignees: Beijing Qizhi Business Consulting Co ltd; Beijing Qihoo Technology Co Ltd
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201210449282.4A; published as CN102982281A; granted and published as CN102982281B


Abstract

An embodiment of the present invention discloses a program status detection method and system, to solve the problem that a malicious program loads a malicious DLL file through a program on the trusted white list, so that active defense cannot intercept the malicious program. The system includes a client and a server. The client includes a feature information acquisition module and a feature information upload module. The server includes a matching module and an upgrade module; the upgrade module is adapted to periodically check whether the cloud identification conditions meet an upgrade condition and, if so, to obtain new identification conditions and complete the upgrade of the cloud identification conditions by reloading them, where the upgrade condition is configured in the server. The client further includes a determination module, adapted to receive the matching result returned by the server and determine from it whether the program to be executed has a hijacked DLL file. The embodiments of the present invention intercept malicious programs more effectively.

Description

Program status detection method and system

Technical field

The invention relates to the technical field of network security, and in particular to a program status detection method and system.

Background

"Malicious program" is an umbrella term for any software program intentionally created to perform unauthorized and usually harmful actions. Computer viruses, backdoors, keyloggers, password stealers, Word and Excel macro viruses, boot sector viruses, script viruses (batch, Windows shell, Java, etc.), Trojan horses, crimeware, spyware and adware are all examples of what can be called malicious programs.

Today the number of malicious programs worldwide is growing geometrically. To keep pace with the rate at which malicious programs change, and to identify and remove them quickly, active defense technology is now widely used against malicious programs. Active defense is a real-time protection technology that analyses and judges a program on the basis of its behaviour. Starting from the most basic definition, it uses a program's behaviour directly as the basis for judging whether the program is malicious, and from this it derives ways of identifying and intercepting malicious behaviour locally: a local signature database, locally configured behaviour thresholds, and local heuristic scanning. In this way it protects the client device to a certain extent.

However, to minimize the impact on program performance, active defense technology only checks a program's exe file and does not check the dynamic link library (DLL) files the program loads. Some malicious programs exploit this: using DLL hijacking, the malicious program's DLL file is packaged together with a program on the trusted white list (for example, a program that ships with the operating system). When the user runs that whitelisted program, the malicious DLL file is loaded along with it, so active defense fails to intercept the malicious program.

Summary of the invention

In view of the above problems, the present invention is proposed in order to provide a program status detection system, and a corresponding program status detection method, that overcome the above problems or at least partially solve them.

According to one aspect of the present invention, a program status detection method is provided, including:

when a program to be executed is detected creating a process, acquiring feature information of the program to be executed;

uploading the feature information of the program to be executed to a server, where the server matches the feature information of the program to be executed against pre-set cloud identification conditions to obtain a matching result;

receiving the matching result returned by the server, and determining from the matching result whether the program to be executed has a hijacked DLL file;

the server periodically checking whether the cloud identification conditions meet an upgrade condition and, if so, obtaining new identification conditions and completing the upgrade of the cloud identification conditions by reloading the new identification conditions;

wherein the upgrade condition is configured in the server.

In an embodiment of the present invention, the program status detection method further includes:

if a hijacked DLL file exists, scanning the hijacked DLL file through the server;

performing a corresponding operation on the program to be executed according to the server's scan result.

In an embodiment of the present invention, the matching result is the DLL file information that the program to be executed needs to check, and

determining from the matching result whether the program to be executed has a hijacked DLL file includes:

judging whether the DLL file identified by the DLL file information to be checked exists in a specified directory and, if it does, determining that the program to be executed has a hijacked DLL file; wherein the hijacked DLL file is the DLL file present in the specified directory, and the specified directory is the current directory or a specified relative directory.

In an embodiment of the present invention, the cloud identification conditions include a plurality of specific program matching conditions, together with the specific DLL file information to be checked once a specific program matching condition is satisfied.

In an embodiment of the present invention, the server matching the feature information of the program to be executed against the pre-set cloud identification conditions to obtain a matching result includes:

matching, through the server, the feature information of the program to be executed against the specific program matching conditions;

obtaining, through the server, the specific DLL file information to be checked for the specific program matching condition that was matched;

using that specific DLL file information as the DLL file information that the program to be executed needs to check.

In an embodiment of the present invention, a specific program matching condition includes at least one of the following:

file name information, file size information, file feature value information, file icon information, product name information, internal name information, original file name information, and the process's command line information, process path information and parent process path information;

and the feature information of the program to be executed includes at least one of the following:

the file name information, file size information, file feature value information, file icon information, product name information, internal name information and original file name information of the program to be executed, and the command line information, process path information and parent process path information of the process created by the program to be executed.

In an embodiment of the present invention, before the hijacked DLL file is scanned through the server, the method further includes:

obtaining the EXE file corresponding to the program to be executed;

uploading information about the EXE file corresponding to the program to be executed and information about the hijacked DLL file to the server;

and scanning the hijacked DLL file through the server includes:

obtaining, through the server, the level of the EXE file and the level of the hijacked DLL file, where the levels are: safe, unknown, suspicious/highly suspicious, and malicious;

scanning the hijacked DLL file according to the level of the EXE file and the level of the hijacked DLL file.

In an embodiment of the present invention, there are one or more hijacked DLL files, and

performing a corresponding operation on the program to be executed according to the server's scan result includes:

when at least one of the level of the EXE file and the levels of the hijacked DLL files is malicious, intercepting execution of the program to be executed;

when the level of the EXE file and the levels of the hijacked DLL files are all safe, allowing execution of the program to be executed;

when none of the level of the EXE file and the levels of the hijacked DLL files is malicious, and at least one hijacked DLL file has a level higher than the level of the EXE file, taking the highest of those levels, changing the level of the EXE file to that highest level, allowing execution of the program to be executed, and intercepting suspicious operations initiated by the program after it starts executing.

In an embodiment of the present invention, a suspicious operation is any of the following:

file operations, registry operations, process operations and network operations.

In an embodiment of the present invention, the program to be executed is a program on the white list.

In an embodiment of the present invention, the cloud identification conditions are stored in the server.

According to another aspect of the present invention, a program status detection system is provided, including a client and a server, wherein

the client includes:

a feature information acquisition module, adapted to acquire feature information of a program to be executed when the program to be executed is detected creating a process;

a feature information upload module, adapted to upload the feature information of the program to be executed to the server;

the server includes:

a matching module, adapted to match the feature information of the program to be executed against pre-set cloud identification conditions to obtain a matching result;

an upgrade module, adapted to periodically check whether the cloud identification conditions meet an upgrade condition and, if so, to obtain new identification conditions and complete the upgrade of the cloud identification conditions by reloading the new identification conditions;

wherein the upgrade condition is configured in the server;

and the client further includes:

a determination module, adapted to receive the matching result returned by the server and determine from the matching result whether the program to be executed has a hijacked DLL file.

In an embodiment of the present invention, the server further includes:

a scanning module, adapted to scan the hijacked DLL file when the client's determination module finds that one exists;

and the client further includes:

a processing module, adapted to perform a corresponding operation on the program to be executed according to the server's scan result.

In an embodiment of the present invention, the matching result is the DLL file information that the program to be executed needs to check, and

the determination module includes:

a judging submodule, adapted to judge whether the DLL file identified by the DLL file information to be checked exists in a specified directory and, if it does, to determine that the program to be executed has a hijacked DLL file; wherein the hijacked DLL file is the DLL file present in the specified directory, and the specified directory is the current directory or a specified relative directory.

In an embodiment of the present invention, the cloud identification conditions include a plurality of specific program matching conditions, together with the specific DLL file information to be checked once a specific program matching condition is satisfied.

In an embodiment of the present invention, the matching module includes:

a matching submodule, adapted to match the feature information of the program to be executed against the specific program matching conditions;

a specific DLL file information acquisition submodule, adapted to obtain the specific DLL file information to be checked for the specific program matching condition that was matched;

a determining submodule, adapted to use that specific DLL file information as the DLL file information that the program to be executed needs to check.

In an embodiment of the present invention, a specific program matching condition includes at least one of the following:

file name information, file size information, file feature value information, file icon information, product name information, internal name information, original file name information, and the process's command line information, process path information and parent process path information;

and the feature information of the program to be executed includes at least one of the following:

the file name information, file size information, file feature value information, file icon information, product name information, internal name information and original file name information of the program to be executed, and the command line information, process path information and parent process path information of the process created by the program to be executed.

In an embodiment of the present invention, the client further includes:

a file acquisition module, adapted to obtain the EXE file corresponding to the program to be executed before the server's scanning module scans the hijacked DLL file;

a file information upload module, adapted to upload information about the EXE file corresponding to the program to be executed and information about the hijacked DLL file to the server;

and the scanning module includes:

a level query submodule, adapted to query the level of the EXE file and the level of the hijacked DLL file, where the levels are: safe, unknown, suspicious/highly suspicious, and malicious;

a scanning submodule, adapted to scan the hijacked DLL file according to the level of the EXE file and the level of the hijacked DLL file.

In an embodiment of the present invention, there are one or more hijacked DLL files, and

the processing module includes:

a program interception submodule, adapted to intercept execution of the program to be executed when at least one of the level of the EXE file and the levels of the hijacked DLL files is malicious;

an execution submodule, adapted to allow execution of the program to be executed when the level of the EXE file and the levels of the hijacked DLL files are all safe;

a suspicious operation interception submodule, adapted, when none of the level of the EXE file and the levels of the hijacked DLL files is malicious and at least one hijacked DLL file has a level higher than the level of the EXE file, to take the highest of those levels, change the level of the EXE file to that highest level, allow execution of the program to be executed, and intercept suspicious operations initiated by the program after it starts executing.

In an embodiment of the present invention, a suspicious operation is any of the following:

file operations, registry operations, process operations and network operations.

In an embodiment of the present invention, the program to be executed is a program on the white list.

In an embodiment of the present invention, the cloud identification conditions are stored in the server.

The program status detection method and system of the present invention can, when a program to be executed is detected creating a process, use cloud identification conditions pre-set on the server to check whether the program to be executed has a hijacked DLL file; if it does, the hijacked DLL file is scanned through the server, and a corresponding operation is then performed on the program to be executed according to the server's scan result. This solves the problem that a malicious program can load a malicious DLL file through a program on the trusted white list, so that active defense cannot intercept the malicious program, and achieves the beneficial effect of intercepting malicious programs more effectively.

Secondly, the cloud identification conditions of the present invention are kept in the server. When the upgrade condition is met they can be upgraded across the whole network immediately; the upgrade is fast and takes effect without the client having to update any files, which gives good interception of newly emerging malicious programs and so avoids losses to users.

The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention can be understood more clearly and implemented according to the contents of the description, and in order to make the above and other objects, features and advantages of the present invention more apparent and comprehensible, specific embodiments of the present invention are set out below.

Description of the drawings

Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered as limiting the invention. Throughout the drawings, the same reference symbols denote the same components. In the drawings:

Fig. 1 shows a flowchart of a program status detection method according to an embodiment of the present invention;

Fig. 2 shows a flowchart of a program status detection method according to an embodiment of the present invention;

Fig. 3 shows a flowchart of a program status detection method according to an embodiment of the present invention;

Fig. 4 shows a schematic diagram of cloud identification conditions according to an embodiment of the present invention;

Fig. 5 shows a structural block diagram of a program status detection system according to an embodiment of the present invention; and

Fig. 6 shows a structural block diagram of a program status detection system according to an embodiment of the present invention.

Detailed description

Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the present disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present disclosure will be understood more thoroughly and its scope fully conveyed to those skilled in the art.

The invention can be applied to computer systems/servers that operate with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with the computer system/server include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, handheld or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, networked personal computers, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems, and the like.

A computer system/server may be described in the general context of computer-system-executable instructions, such as program modules, executed by a computer system. Generally, program modules may include routines, programs, object programs, components, logic, data structures and so on that perform particular tasks or implement particular abstract data types. The computer system/server may be practised in a distributed cloud computing environment in which tasks are performed by remote processing devices linked through a communications network. In a distributed cloud computing environment, program modules may be located on local or remote computing system storage media, including storage devices.

Embodiment one:

Referring to Fig. 1, which shows a flowchart of a program status detection method according to an embodiment of the present invention, the method may specifically include:

Step S101: when a program to be executed is detected creating a process, acquire feature information of the program to be executed.

Step S102: upload the feature information of the program to be executed to the server, where the server matches the feature information of the program to be executed against pre-set cloud identification conditions to obtain a matching result.

Step S103: receive the matching result returned by the server, and determine from the matching result whether the program to be executed has a hijacked DLL file.

The specific process of the program status detection method proposed in this embodiment is described in detail in the following embodiments.

Through steps S101 to S103, the cloud identification conditions in the server can be used to detect whether a program to be executed has a hijacked DLL file, and the program to be executed can then be handled according to the detection result. If a hijacked DLL file is detected in the program to be executed, the hijacked DLL file can subsequently be scanned through the server, and a corresponding operation performed on the program to be executed according to the server's scan result. This solves the problem that a malicious program can load a malicious DLL file through a program on the trusted white list, so that active defense cannot intercept the malicious program, and intercepts malicious programs more effectively.

Embodiment two:

Referring to Fig. 2, which shows a flowchart of a program status detection method according to an embodiment of the present invention.

To keep pace with the rate at which malicious programs change, and to identify and remove them quickly, active defense technology is now widely used against malicious programs. Active defense is a real-time protection technology that analyses and judges a program on the basis of its behaviour; it protects key locations in the system by setting interception points at those locations. When a program performs an action that modifies one of these key locations (for example writing to the registry, creating a scheduled task, changing the browser home page, changing the default browser, or registering a browser plug-in), the program is intercepted. After interception it must be decided whether the modification is malicious. This is usually done by judging whether the program performing the modification is safe: if the program is malicious, the modification is malicious, and execution of the program must be intercepted.

Generally, active defense technology determines a program's safety by checking the program's files. Checking a program file, however, requires computing the file's hash and accessing the network, both of which take time, and an ordinary program loads dozens or even hundreds of DLL files; even with caching, this noticeably lengthens the program's start-up time. Therefore, to minimize the impact on program performance, active defense technology only checks a program's EXE file and does not check the DLL files it loads. Some malicious programs exploit this: using DLL hijacking, the malicious program's DLL file is packaged together with a program on the trusted white list (for example, a program that ships with the operating system). When the user runs that whitelisted program, the malicious DLL file is loaded along with it, so active defense fails to intercept the malicious program.

To prevent a malicious program from using a program on the trusted white list to break through active defense and execute successfully, an embodiment of the present invention proposes a program status detection method. Specifically, the method includes the following steps:

Step S201: when a program to be executed is detected creating a process, check, using cloud identification conditions pre-set on the server, whether the program to be executed has a hijacked DLL file.

It should be noted that step S201 is the process of checking whether the program to be executed has a hijacked DLL file; relative to embodiment one above, step S201 may include steps S101 to S103 of embodiment one.

Step S202: if one exists, scan the hijacked DLL file through the server.

Step S203: perform a corresponding operation on the program to be executed according to the server's scan result.

Through steps S201 to S203, when a program to be executed has hijacked DLL files, those hijacked DLL files can be further scanned through the server, and a corresponding operation then performed on the program to be executed according to the server's scan result. The specific processing is described in detail in the following embodiments.

本发明实施例提出的程序状况检测方法通过对待执行程序中被劫持的DLL文件进行检查,能够解决恶意程序利用可信任的白名单中的程序加载恶意DLL文件而导致主动防御无法正常拦截恶意程序的问题,取得了更加有效地拦截恶意程序的有益效果。The program status detection method proposed by the embodiment of the present invention can solve the problem that a malicious program loads a malicious DLL file by using a program in a trusted white list by checking the hijacked DLL file in the program to be executed, so that the active defense cannot normally intercept the malicious program. problem, and achieved the beneficial effect of blocking malicious programs more effectively.

Embodiment Three:

A specific program status detection method is described in detail below.

Referring to FIG. 3, a flow chart of a program status detection method according to one embodiment of the present invention is shown. The method includes:

Step S301: when the program to be executed is detected creating a process, check, using cloud identification conditions preset by the server, whether the program to be executed has a hijacked DLL file.

This embodiment mainly adds a DLL file query when the program to be executed creates a process: it must be checked whether the program has a hijacked DLL file. If it does, the program may be being used by a malicious program, so it must be further checked whether those hijacked DLL files are safe.

In this embodiment, whether the program to be executed has a hijacked DLL file is checked using cloud identification conditions preset by the server.

The cloud identification conditions are stored in the server. They include a number of specific program matching conditions and, for each, the specific DLL file information that must be checked once that matching condition is satisfied. This embodiment matches certain feature information of the program to be executed against the cloud identification conditions and then judges according to the matching result. The matching itself is performed in the server.

Specifically, step S301 may include the following sub-steps:

Sub-step a1: obtain the feature information of the program to be executed.

The feature information of the program to be executed may include at least one of the following:

the file name, file size, file feature value, file icon, product name, internal name and original file name of the program to be executed, and the command line, process path and parent process path of the process created by the program to be executed.

The feature information of the program to be executed may of course include other information as well; this embodiment places no restriction on it.

Sub-step a2: upload the feature information of the program to be executed to the server.

Because this embodiment checks for a hijacked DLL file using preset cloud identification conditions, and those conditions are stored in the server, the feature information obtained for the program to be executed must first be uploaded to the server, which then matches it against the cloud identification conditions.

Sub-step a3: the server matches the feature information of the program to be executed against the cloud identification conditions, obtains the DLL file information the program to be executed must check, and takes that DLL file information as the matching result.

The matching against the cloud identification conditions is described in detail below.

As described above, the cloud identification conditions include a number of specific program matching conditions and the specific DLL file information to be checked once a matching condition is satisfied. In the embodiment of the present invention, the feature information of the program to be executed is matched against the specific program matching conditions so as to obtain the DLL file information that must be checked.

Because a specific program matching condition has to be matched against the feature information of the program to be executed, the matching condition may itself include information corresponding to the program's feature information; that information is what allows the matching condition that fits the program's feature information to be found.

In this embodiment, a specific program matching condition may include at least one of the following:

file name, file size, file feature value, file icon, product name, internal name and original file name, and the process command line, process path and parent process path. A specific program matching condition may of course include other information as well; this embodiment places no restriction on it.

Specifically, the server's processing of the specific program matching conditions may include:

(i) matching the feature information of the program to be executed against the specific program matching conditions;

(ii) obtaining the specific DLL file information to be checked once the matching condition that fits has been satisfied;

(iii) taking that specific DLL file information as the DLL file information the program to be executed must check.

Specifically, this can be illustrated by the following example.

FIG. 4 is a schematic diagram of the cloud identification conditions described in the embodiment of the present invention.

As the figure shows, the cloud identification conditions consist of two parts, a condition and a return value. The condition column holds a number of expressions, which are the specific program matching conditions described in the embodiment of the present invention; the return value column holds a number of strings, which specify the specific DLL file information to be checked once the corresponding matching condition is satisfied.

The expressions in the condition column may include the product name (hi.GEN), file size (hi.DSI), internal name (hi.ITN), original file name (hi.ORN), process path (hi.DST), parent process path (hi.SRC), process command line (hi.CLE) and other information (FIG. 3 is a partial screenshot of the cloud identification conditions, and some of this information does not appear in it). This information is suited to being matched against the feature information of the program to be executed.

In the strings of the return value column, the specific DLL file information to be checked once the corresponding matching condition is satisfied is given after "DLL:"; in this embodiment the DLL file information may be the name of the DLL file. A return value string may also specify several DLL files to check, with the entries separated by commas.

For example, the feature information obtained for the current program to be executed is the product name "金山重装高手" (Kingsoft Reinstall Master). That product name is matched against the cloud identification conditions, and the specific program matching condition "(hi.GEN:like,金山重装高手)" is found to match it. From the return value corresponding to that condition, "(return_extinfo:<hips>DLL:kdump.dll,irrlicht.dll</hips>)", the names of the DLL files to be checked are obtained: "kdump.dll" and "irrlicht.dll".

It should be noted that the cloud identification conditions in this embodiment may also include other information, for example whether a condition is in effect, its sequence number and its application ratio; those skilled in the art can handle this according to the actual situation, and this embodiment places no restriction on it.

Sub-step a4: receive the DLL file information, sent down by the server, that the program to be executed must check.

After the server has obtained, from the cloud identification conditions, the DLL file information the program to be executed must check, it sends that information down to the client, and the client further judges it in order to determine the program's hijacked DLL files.

Sub-step a5: judge whether the DLL files named in the DLL file information to be checked exist in the specified directory; if they do, determine that the program to be executed has hijacked DLL files.

Generally, DLL files are stored in the system directory. If a program needs to call certain DLL files when it runs, those DLL files are stored in a specified directory, so the DLL files stored in the specified directory are the ones the program calls. In this embodiment, the specified directory may be the current directory or a specified relative directory.

Therefore, after receiving from the server the DLL file information the program to be executed must check, the client must further judge whether those DLL files exist in the specified directory. If they do, the program to be executed has hijacked DLL files, and the hijacked DLL files are precisely the ones present in the specified directory, which must be scanned. If they do not exist in the specified directory, those DLL files will not be loaded by the program to be executed, and there is no need to scan them.

Continuing the example above: if the DLL file information sent by the server to the client is the DLL file names "kdump.dll" and "irrlicht.dll", the client judges whether files with those names exist in the specified directory.

If, for example, a file named "kdump.dll" is found in the specified directory, the DLL file "kdump.dll" is taken as the hijacked DLL file of the program to be executed.

It should be noted that, in relation to Embodiment One above, sub-step a1 of this embodiment is the specific process of step S101 of Embodiment One, sub-steps a2 and a3 are the specific process of step S102, and sub-steps a4 and a5 are the specific process of step S103; they are not discussed again in detail here.
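Sub-steps a1 to a5 carried out in code, as an added example that is not part of the patent: the server parses condition and return-value strings in the format shown for FIG. 4 and matches them against the uploaded feature information, and the client checks the program's directory for the returned DLL names. The second condition row, the reading of the "like" operator as a case-insensitive substring match, and the original file name "reinstall.exe" are assumptions of this example.

```python
"""Cloud-condition matching for hijacked-DLL detection (constructed example).

Server side: parse the two-column cloud identification conditions
(condition expression / return value) and match them against the feature
information a client uploaded.  Client side: check whether the returned DLL
names exist in the program's own directory, which is what makes them
"hijacked" DLLs rather than the copies in the system directory.
"""
import os
import re
import tempfile

# Field codes used in the condition expressions, as listed in the text:
# hi.GEN product name, hi.DSI file size, hi.ITN internal name,
# hi.ORN original file name, hi.DST process path, hi.SRC parent process
# path, hi.CLE process command line.
FIELD_CODES = {"GEN", "DSI", "ITN", "ORN", "DST", "SRC", "CLE"}

# Constructed cloud identification conditions: the first row reproduces the
# text's example, the second row is invented for illustration.
CLOUD_CONDITIONS = [
    ("(hi.GEN:like,金山重装高手)",
     "(return_extinfo:<hips>DLL:kdump.dll,irrlicht.dll</hips>)"),
    ("(hi.ORN:like,example_host.exe)",            # constructed row
     "(return_extinfo:<hips>DLL:version.dll</hips>)"),
]

_COND_RE = re.compile(r"^\(hi\.([A-Z]{3}):([a-z]+),(.*)\)$")
_RET_RE = re.compile(r"<hips>DLL:([^<]*)</hips>")


def parse_condition(expr):
    """Return (field, operator, value) from an expression such as
    '(hi.GEN:like,金山重装高手)'.  Raises ValueError on malformed input."""
    m = _COND_RE.match(expr.strip())
    if not m or m.group(1) not in FIELD_CODES:
        raise ValueError("malformed condition: %r" % expr)
    return m.group(1), m.group(2), m.group(3)


def parse_return_value(ret):
    """Extract the comma-separated DLL names that follow 'DLL:'."""
    m = _RET_RE.search(ret)
    if not m:
        return []
    return [name.strip() for name in m.group(1).split(",") if name.strip()]


def condition_matches(field, op, value, features):
    """Evaluate one condition against the uploaded feature information.
    The text shows only the 'like' operator; treating it as a
    case-insensitive substring match is an assumption of this example."""
    actual = features.get(field)
    if actual is None:
        return False
    if op == "like":
        return value.lower() in str(actual).lower()
    raise ValueError("unsupported operator: %r" % op)


def match_cloud_conditions(features, conditions=CLOUD_CONDITIONS):
    """Server side (sub-step a3): return the DLL names the client must
    check, de-duplicated and in first-seen order."""
    to_check = []
    for expr, ret in conditions:
        field, op, value = parse_condition(expr)
        if condition_matches(field, op, value, features):
            for name in parse_return_value(ret):
                if name not in to_check:
                    to_check.append(name)
    return to_check


def find_hijacked_dlls(dll_names, program_dir):
    """Client side (sub-step a5): a returned DLL name that exists in the
    program's directory is the hijacked DLL the program would load."""
    return [n for n in dll_names
            if os.path.isfile(os.path.join(program_dir, n))]


def demo():
    """Run the text's example end to end in a constructed program directory
    that contains kdump.dll but not irrlicht.dll."""
    features = {"GEN": "金山重装高手", "ORN": "reinstall.exe"}  # ORN constructed
    with tempfile.TemporaryDirectory() as program_dir:
        open(os.path.join(program_dir, "kdump.dll"), "wb").close()
        to_check = match_cloud_conditions(features)
        hijacked = find_hijacked_dlls(to_check, program_dir)
    return {"to_check": to_check, "hijacked": hijacked}


if __name__ == "__main__":
    print(demo())
```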

Step S302: obtain the EXE file corresponding to the program to be executed.

Step S303: if the DLL files named in the DLL file information to be checked exist in the specified directory, upload the information of the EXE file corresponding to the program to be executed and the information of the hijacked DLL files to the server.

The uploaded file information may include the file's hash value, file path and similar information; the embodiment of the present invention places no restriction on it.

Because existing active defense checks only a program's EXE file and not its DLL files, a malicious program that uses a whitelisted, trusted program to load a malicious DLL file can bypass active defense and run successfully.

The embodiment of the present invention therefore proposes checking not only the program's EXE file but also its DLL files. Not all DLL files are checked, however: the program's hijacked DLL files are determined by matching against the cloud identification conditions, and those hijacked DLL files are then scanned.

Specifically, the scanning of files is performed by the server. Hence, if step S201 finds that the program to be executed has hijacked DLL files and determines which they are, the information of the EXE file corresponding to the program and the information of the hijacked DLL files are both uploaded to the server, which scans those files. If the program to be executed is found to have no hijacked DLL file, it is not being used by a malicious program, and only the information of its EXE file needs to be uploaded to the server.

For example, if step S301 determines that the hijacked DLL file of the program to be executed is "kdump.dll", the information of the DLL file "kdump.dll" and the information of the EXE file of the program to be executed whose product name is "金山重装高手" are uploaded to the server.

Step S304: scan the hijacked DLL file by means of the server.

After receiving from the client the information of the EXE file corresponding to the program to be executed and the information of the hijacked DLL file, the server scans the corresponding files according to that file information.

Step S304 may specifically include:

Sub-step b1: obtain, through the server, the level of the EXE file and the level of the hijacked DLL file.

In this embodiment, the levels include a safe level, an unknown level, a suspicious/highly suspicious level, and a malicious level. The levels may be set so that 10 to 29 is the safe level (files at this level are white files), 30 to 49 is the unknown level (grey files), 50 to 69 is the suspicious/highly suspicious level (suspicious files), and 70 or above is the malicious level (malicious files). The levels may of course be defined in other forms; the present invention places no restriction on this.

Sub-step b2: scan the hijacked DLL file according to the level of the EXE file and the level of the hijacked DLL file.

Specifically, the EXE file and the hijacked DLL file may be scanned by a cloud scanning engine for portable executable (PE) files, or by an artificial intelligence engine (Qihoo Virtual Machine, QVM). PE files are the program files of the Windows operating system; common PE file types include EXE, DLL, OCX, SYS and COM.

The antivirus engine may scan the corresponding files, according to its identification of the file level, against the blacklist and/or whitelist it holds.

Those skilled in the art can carry out the specific scanning process according to practical experience; it is not discussed in detail in this embodiment.

Step S305: perform the corresponding operation on the program to be executed according to the server's scanning result.

After obtaining the levels of the EXE file and of the hijacked DLL file, the server sends those levels down to the client, and the client performs the corresponding operation on the program to be executed according to the server's scanning result.

Specifically, step S305 may include the following sub-steps:

Sub-step c1: when at least one of the level of the EXE file and the levels of the hijacked DLL files is the malicious level, block execution of the program to be executed.

In this embodiment there may be one or more hijacked DLL files. If a malicious level appears among the levels obtained for the EXE file and the hijacked DLL files, the program to be executed is risky and its execution must be blocked.

Sub-step c2: when the level of the EXE file and the levels of the hijacked DLL files are all the safe level, allow execution of the program to be executed.

Sub-step c3: when no malicious level appears among the level of the EXE file and the levels of the hijacked DLL files, and at least one hijacked DLL file has a level higher than that of the EXE file, take the highest of those levels, change the level of the EXE file to that highest level, allow execution of the program to be executed, and intercept suspicious operations the program initiates after it runs.

If the level of the EXE file and the levels of the hijacked DLL files satisfy neither of the cases in sub-steps c1 and c2, the level of the EXE file is changed to the highest level, and the program to be executed may be allowed to run. Because the program's EXE file may then also carry risk, suspicious operations the program initiates after it runs can be intercepted.

For example, step S301 determines that the hijacked DLL file of the program to be executed is "kdump.dll"; the server reports the level of the program's EXE file as the safe level and the level of "kdump.dll" as the suspicious/highly suspicious level. The highest file level is therefore the suspicious/highly suspicious level, and the level of the EXE file is changed to suspicious/highly suspicious.

Moreover, because the level of the EXE file has been changed, when the program to be executed later performs a suspicious operation, whether the program is safe can be judged from the level of its EXE file; if the EXE file is suspicious, those suspicious operations can be intercepted.

A suspicious operation may be any of the following: a file operation, a registry operation, a process operation or a network operation.

For example, a file operation may be an operation on files related to the Windows operating system, on widely installed application software (such as QQ or Ali Wangwang), or on desktop shortcuts;

a registry operation may be a program writing itself into the registry so as to load automatically, or damaging the registry;

a process operation may be one process injecting into another (one process inserting and executing code in another process), a remote-thread operation on a process, or terminating a process (for example, some malicious programs terminate the QQ process so that the password can be captured when the user logs in again), or subsequent operations of the process;

a network operation may be installing a driver or service, global hook injection, recording keystrokes, or modifying web page content in the browser.

Other operations may of course be included as well; the embodiment of the present invention places no restriction on them.

It should be noted that this embodiment mainly handles the case in which a malicious program uses a whitelisted, trusted program to load a malicious DLL file. The level of the EXE file should therefore be the safe level, and if any DLL file has a level higher than that of the EXE file, the level of the EXE file is changed.
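Sub-steps b1 to c3 as a client-side decision function, as an added example that is not the patent's code: the level bands are those given for sub-step b1, the three rules are applied in the order c1, c2, c3, and the post-launch check reads the (possibly raised) EXE level the way ordinary active defense would. How grey (unknown) EXEs are treated after launch is an assumption of this example.

```python
"""Verdict logic of steps S304 and S305 (constructed example).

The server returns a numeric level for the EXE file and for each hijacked
DLL; the client applies sub-steps c1 to c3 and, for a program it let run,
decides which of its later operations to intercept.
"""
from dataclasses import dataclass
from typing import Iterable

# Level bands as given in the text for sub-step b1.
SAFE, UNKNOWN, SUSPICIOUS, MALICIOUS = "safe", "unknown", "suspicious", "malicious"


def classify(level: int) -> str:
    """Map a numeric level to its band: 10-29 white, 30-49 grey,
    50-69 suspicious/highly suspicious, 70 and above malicious."""
    if level >= 70:
        return MALICIOUS
    if level >= 50:
        return SUSPICIOUS
    if level >= 30:
        return UNKNOWN
    if level >= 10:
        return SAFE
    raise ValueError("level %d is below the defined bands" % level)


@dataclass(frozen=True)
class Verdict:
    action: str        # "block", "allow" or "allow_and_monitor"
    exe_level: int     # EXE level after any adjustment under c3
    rule: str          # which sub-step produced the verdict


def decide(exe_level: int, dll_levels: Iterable[int]) -> Verdict:
    """Apply sub-steps c1, c2 and c3 to the levels the server returned."""
    all_levels = [exe_level] + list(dll_levels)
    # c1: any malicious level among EXE and hijacked DLLs blocks the program.
    if any(classify(lvl) == MALICIOUS for lvl in all_levels):
        return Verdict("block", exe_level, "c1")
    # c2: everything white, so the program runs normally.
    if all(classify(lvl) == SAFE for lvl in all_levels):
        return Verdict("allow", exe_level, "c2")
    # c3: raise the EXE to the highest level seen (a no-op if the EXE
    # already holds it), let it run, and watch its suspicious operations.
    return Verdict("allow_and_monitor", max(all_levels), "c3")


# The four operation classes the text names as possibly suspicious.
MONITORED_OPERATIONS = {"file", "registry", "process", "network"}


def should_intercept(verdict: Verdict, operation: str) -> bool:
    """Post-launch check.  Because c3 rewrote the EXE level, the ordinary
    EXE-level lookup now reflects the hijacked DLL.  The text speaks of
    intercepting when the EXE is suspicious; letting grey (unknown) EXEs
    through here is an assumption of this example."""
    if verdict.action == "block" or operation not in MONITORED_OPERATIONS:
        return False
    return classify(verdict.exe_level) in (SUSPICIOUS, MALICIOUS)


def walk_example():
    """The text's case: white EXE (level 20 assumed) and kdump.dll rated
    suspicious (level 60 assumed).  Returns the verdict and whether a later
    registry write would be intercepted."""
    verdict = decide(exe_level=20, dll_levels=[60])
    return verdict, should_intercept(verdict, "registry")


if __name__ == "__main__":
    print(walk_example())
```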

Step S306: the server periodically checks whether the cloud identification conditions satisfy an upgrade condition; if so, the server obtains new identification conditions and completes the upgrade of the cloud identification conditions by reloading the new identification conditions.

The cloud identification conditions in this embodiment need to be upgraded periodically. Specifically, an upgrade condition can be configured in the server; the server periodically checks whether the cloud identification conditions satisfy it and, when they do, directly obtains new cloud identification conditions and replaces the original ones with them, thereby upgrading the original cloud identification conditions.

The upgrade condition may be judged from the file version of the local identification conditions, for example upgrading whenever a newer version exists, or it may specify that when the local version satisfies some condition it is upgraded to a designated version; the embodiment of the present invention places no restriction on this.

For example, if a newly exploited program (QQ游戏, QQ Games) is discovered that is not yet present in the cloud identification conditions, a specific program matching condition can be added to the cloud identification conditions, containing the program's feature information ("QQ游戏") and the DLL file information to be checked once that matching condition is satisfied.

The cloud identification conditions may of course be upgraded in other ways as well; this embodiment places no restriction on it.

Because the cloud identification conditions are stored in the server, an upgrade takes effect as soon as the upgrade condition is met, without the client having to update any file. The whole network can therefore be upgraded at once; the upgrade is fast and intercepts newly emerging malicious programs well, sparing users the resulting losses.

Finally, it should be noted that the embodiment of the present invention mainly handles the case in which a malicious program uses a whitelisted, trusted program to load a malicious DLL file. If the program to be executed is on the trusted whitelist, active defense that checks only the program's EXE file judges the program safe and allows it to run; but if a malicious program uses that whitelisted program to load a malicious DLL file, the malicious program runs successfully as well.

For this case, therefore, the embodiment of the present invention checks, when the program to be executed is detected creating a process and using cloud identification conditions preset by the server, whether the program has a hijacked DLL file; if it does, the hijacked DLL file is scanned by the server, and the corresponding operation is then performed on the program according to the server's scanning result. This solves the problem that a malicious program uses a whitelisted, trusted program to load a malicious DLL file so that active defense cannot intercept it, and achieves the beneficial effect of intercepting malicious programs more effectively.

It should be noted that, for the sake of brevity, the foregoing method embodiments are all described as a series of combined actions, but those skilled in the art will appreciate that the present application is not limited by the order of actions described, since according to the present application certain steps may be performed in another order or simultaneously. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the present application.

Embodiment Four:

Referring to FIG. 5, a structural block diagram of a program status detection system according to one embodiment of the present invention is shown; the system includes a client 501 and a server 502.

The client includes a feature information acquisition module 5011, a feature information upload module 5012 and a determination module 5013; the server includes a matching module 5021.

The feature information acquisition module 5011 is adapted to acquire the feature information of the program to be executed when it is detected that the program to be executed creates a process;

The feature information upload module 5012 is adapted to upload the feature information of the program to be executed to the server;

The matching module 5021 is adapted to match the feature information of the program to be executed against the preset cloud identification conditions to obtain a matching result;

The determination module 5013 is adapted to receive the matching result returned by the server and to determine, according to the matching result, whether the program to be executed has a hijacked DLL file.

Through the above modules, the cloud identification conditions held on the server can be used to detect whether the program to be executed has a hijacked DLL file. If it is detected that the program to be executed has a hijacked DLL file, the hijacked DLL file can subsequently be scanned and killed by the server, and a corresponding operation is then performed on the program to be executed according to the server's scan-and-kill result. This solves the problem that active defense cannot properly intercept a malicious program that loads a malicious DLL file through a program in the trusted white list, and intercepts malicious programs more effectively.

Embodiment Five:

Referring to FIG. 6, a structural block diagram of a program status detection system according to one embodiment of the present invention is shown; the system includes a client 601 and a server 602.

The client 601 includes a check module 6011, an EXE file acquisition module 6012, an upload module 6013 and a processing module 6014; the server 602 includes a DLL file information acquisition module 6021, a scan-and-kill module 6022 and an upgrade module 6023.

The check module 6011 is adapted to check, through the cloud identification conditions preset by the server, whether the program to be executed has a hijacked DLL file when it is detected that the program to be executed creates a process;

It should be noted that the above check module is mainly adapted to check whether the program to be executed has a hijacked DLL file; relative to Embodiment Four above, the function of this check module may correspond to the functions implemented by the feature information acquisition module 5011, the feature information upload module 5012, the matching module 5021 and the determination module 5013 of Embodiment Four.

The program to be executed is a program in the white list, and the cloud identification conditions are stored in the server.

The check module 6011 includes:

a feature information acquisition submodule, adapted to acquire the feature information of the program to be executed;

The feature information of the program to be executed may include at least one of the following:

the file name information, file size information, file feature value information, file icon information, product name information, internal name information and original file name information of the program to be executed, and the command line information, process path information and parent process path information of the process created by the program to be executed.

a feature information upload submodule, adapted to upload the feature information of the program to be executed to the server.

The server 602 includes:

a DLL file information acquisition module 6021, adapted to obtain the DLL file information that the program to be executed needs to check by matching the feature information of the program to be executed against the cloud identification conditions, and to use that DLL file information as the matching result;

The cloud identification conditions include a plurality of specific program matching conditions and, for each, the specific DLL file information that needs to be checked once that specific program matching condition is satisfied.

The DLL file information acquisition module includes:

a matching submodule, adapted to match the feature information of the program to be executed against the specific program matching conditions;

The specific program matching condition may include at least one of the following:

file name information, file size information, file feature value information, file icon information, product name information, internal name information and original file name information, and the command line information, process path information and parent process path information of the process.

a specific DLL file information acquisition submodule, adapted to obtain the specific DLL file information that needs to be checked once the matched specific program matching condition is satisfied;

a determination submodule, adapted to use the specific DLL file information as the DLL file information that the program to be executed needs to check.

The check module 6011 further includes:

a receiving submodule, adapted to receive the DLL file information, sent down by the server, that the program to be executed needs to check;

a judging submodule, adapted to judge whether a DLL file matching the DLL file information that needs to be checked exists in a specified directory and, if so, to determine that the program to be executed has a hijacked DLL file; the hijacked DLL file is a DLL file present in the specified directory, and the specified directory is the current directory or a specified relative directory.
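The following is an added worked example and not code from the patent or its applicant. It models the cloud identification conditions as a list of (specific program matching condition, specific DLL file information) pairs, implements the server-side matching described for module 6021 and the client-side directory judgment described for the judging submodule, and exercises them on a constructed program directory. The program names, DLL names, feature-information field names and the `CloudCondition`, `match_cloud_conditions`, `find_hijacked_dlls`, `check_program` and `run_demo` identifiers are all assumptions made for this example.

```python
"""Added example, not part of the patent: a minimal model of the cloud
identification conditions, the server-side match and the client-side
directory check for a hijacked DLL. All names and sample values are constructed."""
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class CloudCondition:
    """One entry of the cloud identification conditions: the feature-information
    fields a program must match, and the specific DLL files to check when it does."""
    program_match: dict
    dlls_to_check: tuple


def match_cloud_conditions(feature_info, conditions):
    """Server side: compare the uploaded feature information with every specific
    program matching condition and return the DLL file names that need to be
    checked (the union over all matching conditions, lower-cased and sorted)."""
    dlls = set()
    for cond in conditions:
        if all(feature_info.get(key) == value for key, value in cond.program_match.items()):
            dlls.update(name.lower() for name in cond.dlls_to_check)
    return sorted(dlls)


def find_hijacked_dlls(dlls_to_check, process_path, relative_dir="."):
    """Client side: judge whether any DLL that needs checking exists in the
    specified directory, i.e. the program's own directory or a relative
    directory under it. Every such DLL is reported as a hijacked DLL file."""
    directory = os.path.normpath(os.path.join(os.path.dirname(process_path), relative_dir))
    return [name for name in dlls_to_check if os.path.isfile(os.path.join(directory, name))]


def check_program(feature_info, conditions, relative_dir="."):
    """Whole check: match against the cloud conditions, then test the directory.
    Returns (DLL names to check, DLL names actually found)."""
    dlls = match_cloud_conditions(feature_info, conditions)
    return dlls, find_hijacked_dlls(dlls, feature_info["process_path"], relative_dir)


# Constructed sample cloud conditions (hypothetical program and DLL names).
SAMPLE_CONDITIONS = (
    CloudCondition(program_match={"file_name": "trustedtool.exe", "product_name": "TrustedTool"},
                   dlls_to_check=("version.dll", "dwmapi.dll")),
    CloudCondition(program_match={"original_file_name": "trustedtool.exe"},
                   dlls_to_check=("VERSION.DLL",)),
    CloudCondition(program_match={"file_name": "othertool.exe"},
                   dlls_to_check=("cryptbase.dll",)),
)


def run_demo():
    """Build a constructed program directory that contains a DLL named like one
    the conditions ask about, and run the check on it."""
    with tempfile.TemporaryDirectory() as root:
        exe_path = os.path.join(root, "trustedtool.exe")
        with open(exe_path, "wb") as exe:
            exe.write(b"MZ")                       # placeholder bytes, not a real PE
        with open(os.path.join(root, "version.dll"), "wb") as dll:
            dll.write(b"MZ")                       # constructed DLL to exercise the detector
        feature_info = {                            # constructed feature information
            "file_name": "trustedtool.exe",
            "product_name": "TrustedTool",
            "original_file_name": "trustedtool.exe",
            "process_path": exe_path,
            "parent_process_path": os.path.join(root, "explorer.exe"),
            "command_line": exe_path,
        }
        return check_program(feature_info, SAMPLE_CONDITIONS)


if __name__ == "__main__":
    print(run_demo())
```

Two design points worth noting: the server answers only with the names to check, never with a verdict, so the directory test stays on the client that can see the file system; and the names are normalised to lower case before comparison because the page's "specified directory" is a Windows directory, where file names are case-insensitive.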

It should be noted that, in correspondence with Embodiment Four above, the feature information acquisition submodule of this embodiment may be a submodule included in the feature information acquisition module of Embodiment Four, the feature information upload submodule may be a submodule included in the feature information upload module of Embodiment Four, the DLL file information acquisition submodule may be a submodule included in the matching module of Embodiment Four, and the receiving submodule and the judging submodule may be submodules included in the determination module of Embodiment Four; this embodiment does not discuss them in detail again here.

The client 601 further includes:

a file acquisition module 6012, adapted to acquire the EXE file corresponding to the program to be executed before the server's scan-and-kill module scans and kills the hijacked DLL file;

a file information upload module 6013, adapted to upload the information of the EXE file corresponding to the program to be executed and the information of the hijacked DLL file to the server;

The server 602 further includes:

a scan-and-kill module 6022, adapted to scan and kill the hijacked DLL file when the check result of the client's determination module is that such a file exists;

The scan-and-kill module 6022 includes:

a level query submodule, adapted to query the level of the EXE file and the level of the hijacked DLL file, where the levels include a safe level, an unknown level, a suspicious/highly suspicious level and a malicious level;

a scan-and-kill submodule, adapted to scan and kill the hijacked DLL file according to the level of the EXE file and the level of the hijacked DLL file.

The client further includes:

a processing module 6014, adapted to perform a corresponding operation on the program to be executed according to the server's scan-and-kill result;

There may be one or more hijacked DLL files, and the processing module 6014 includes:

a program interception submodule, adapted to intercept the execution of the program to be executed when at least one of the level of the EXE file and the levels of the hijacked DLL files is the malicious level;

an execution submodule, adapted to allow the execution of the program to be executed when the level of the EXE file and the levels of the hijacked DLL files are all the safe level;

a suspicious operation interception submodule, adapted to, when none of the level of the EXE file and the levels of the hijacked DLL files is the malicious level and the level of at least one hijacked DLL file is higher than the level of the EXE file, take the highest of those levels, change the level of the EXE file to that highest level, allow the execution of the program to be executed, and intercept suspicious operations initiated by the program after it starts executing.

The suspicious operation may be any of the following: a file operation, a registry operation, a process operation or a network operation; of course, the suspicious operation may also be some other operation, which the embodiments of the present invention do not restrict.
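The following is an added worked example and not code from the patent or its applicant. It implements the three-way decision of the processing module 6014 over the levels returned by the server, for one or more hijacked DLL files, and the runtime rule for the four kinds of suspicious operation named above. The `Level` ordering (safe, unknown, suspicious, malicious), the `decide` and `should_intercept` names and the action strings are assumptions; the suspicious and highly suspicious levels are folded into one value because the page lists them as a single level. The page does not say what happens when no DLL outranks the EXE but the levels are not all safe; the example's handling of that case is labelled as an assumption in the code.

```python
"""Added example, not part of the patent: the level-based decision that the
processing module applies once the server has graded the EXE file and the
hijacked DLL files. Names are constructed; the unspecified case is labelled."""
from enum import IntEnum


class Level(IntEnum):
    """Levels returned by the server, ordered so that a higher value is riskier."""
    SAFE = 0
    UNKNOWN = 1
    SUSPICIOUS = 2        # the page's "suspicious / highly suspicious" level
    MALICIOUS = 3


# The four operation kinds the page names as suspicious operations.
SUSPICIOUS_OPERATIONS = {"file", "registry", "process", "network"}


def decide(exe_level, dll_levels):
    """Return (action, effective EXE level) for one EXE and its hijacked DLLs.

    action is "block" (program interception submodule), "allow" (execution
    submodule) or "allow_and_intercept" (suspicious operation interception
    submodule, with the EXE level raised to the highest level seen)."""
    levels = [exe_level, *dll_levels]
    if Level.MALICIOUS in levels:
        return "block", exe_level
    if all(level == Level.SAFE for level in levels):
        return "allow", exe_level
    if any(level > exe_level for level in dll_levels):
        highest = max(levels)
        return "allow_and_intercept", highest
    # Assumption (case the page leaves open): no DLL outranks the EXE, yet the
    # EXE itself is not safe; keep its own level and still watch its operations.
    return "allow_and_intercept", exe_level


def should_intercept(action, operation):
    """Runtime rule: once a program runs with "allow_and_intercept", its file,
    registry, process and network operations are intercepted; other operation
    kinds, and programs that were simply allowed, are left alone."""
    return action == "allow_and_intercept" and operation in SUSPICIOUS_OPERATIONS


if __name__ == "__main__":
    # Constructed scenarios: a safe EXE with one unknown and one suspicious DLL.
    action, level = decide(Level.SAFE, [Level.UNKNOWN, Level.SUSPICIOUS])
    print(action, level.name)                        # allow_and_intercept SUSPICIOUS
    for op in ("file", "registry", "process", "network", "clipboard"):
        print(op, should_intercept(action, op))
```

The ordering of the three checks matters: the malicious test runs first so that a malicious DLL beside a safe EXE is blocked outright, and the all-safe test runs before the elevation test so that a whitelisted EXE with only safe DLLs is never put under interception.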

The server 602 further includes:

an upgrade module 6023, adapted to periodically detect whether the cloud identification conditions satisfy an upgrade condition and, if so, to obtain new identification conditions and complete the upgrade of the cloud identification conditions by reloading the new identification conditions;

The upgrade condition is configured in the server.

The program status detection system of the embodiments of the present invention can check, according to the cloud identification conditions, whether the program to be executed has a hijacked DLL file, scan and kill the hijacked DLL file of the program to be executed, and then perform a corresponding operation on the program to be executed according to the server's scan-and-kill result. This solves the problem that active defense cannot properly intercept a malicious program that loads a malicious DLL file through a program in the trusted white list, and achieves the beneficial effect of intercepting malicious programs more effectively.

Secondly, the cloud identification conditions of the embodiments of the present invention are stored in the server; when the upgrade condition is satisfied they take effect without the client having to upgrade any file, so the whole network can be upgraded at once, the upgrade is fast, and suddenly emerging malicious programs are intercepted well, avoiding losses for users.

As the above program status detection system embodiment is basically similar to the method embodiments, its description is relatively brief; for related details, refer to the relevant parts of the description of the method embodiments shown in FIG. 1, FIG. 2 and FIG. 3.

The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the parts that are the same or similar the embodiments may be referred to one another.

Those skilled in the art will readily appreciate that any combination of the above embodiments is feasible, so any combination of the above embodiments is an implementation of the present application; owing to space limitations, this specification does not describe them one by one.

The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. Furthermore, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the present invention described herein, and that the description above of specific languages is given in order to disclose the best mode of the present invention.

Numerous specific details are set forth in the specification provided herein. However, it is understood that embodiments of the present invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this specification.

Similarly, it should be understood that, in order to streamline this disclosure and aid the understanding of one or more of the various inventive aspects, various features of the present invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments of the present invention. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the present invention.

Those skilled in the art can understand that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of the embodiments may be combined into one module, unit or component, and may furthermore be divided into a plurality of submodules, subunits or subcomponents. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.

Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the present invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.

The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art should understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the program status detection system according to the embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the methods described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.

It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any order; these words may be interpreted as names.

Disclosed herein are the following:

A1. A program status detection method, comprising: when it is detected that a program to be executed creates a process, acquiring feature information of the program to be executed; uploading the feature information of the program to be executed to a server, where the server matches the feature information of the program to be executed against preset cloud identification conditions to obtain a matching result; receiving the matching result returned by the server, and determining, according to the matching result, whether the program to be executed has a hijacked DLL file; and the server periodically detecting whether the cloud identification conditions satisfy an upgrade condition and, if so, obtaining new identification conditions and completing the upgrade of the cloud identification conditions by reloading the new identification conditions; wherein the upgrade condition is configured in the server.

A2. The method according to A1, further comprising: if such a file exists, scanning and killing the hijacked DLL file by the server; and performing a corresponding operation on the program to be executed according to the server's scan-and-kill result.

A3. The method according to A1, wherein the matching result is the DLL file information that the program to be executed needs to check, and determining, according to the matching result, whether the program to be executed has a hijacked DLL file comprises: judging whether a DLL file matching the DLL file information that needs to be checked exists in a specified directory and, if so, determining that the program to be executed has a hijacked DLL file; wherein the hijacked DLL file is a DLL file present in the specified directory, and the specified directory is the current directory or a specified relative directory.

A4. The method according to A3, wherein the cloud identification conditions include a plurality of specific program matching conditions and the specific DLL file information that needs to be checked once a specific program matching condition is satisfied.

A5. The method according to A4, wherein the server matching the feature information of the program to be executed against the preset cloud identification conditions to obtain a matching result comprises: matching, by the server, the feature information of the program to be executed against the specific program matching conditions; obtaining, by the server, the specific DLL file information that needs to be checked once the matched specific program matching condition is satisfied; and using the specific DLL file information as the DLL file information that the program to be executed needs to check.

A6. The method according to A5, wherein the specific program matching condition includes at least one of: file name information, file size information, file feature value information, file icon information, product name information, internal name information and original file name information, and the command line information, process path information and parent process path information of the process; and the feature information of the program to be executed includes at least one of: the file name information, file size information, file feature value information, file icon information, product name information, internal name information and original file name information of the program to be executed, and the command line information, process path information and parent process path information of the process created by the program to be executed.

A7. The method according to A2, further comprising, before the server scans and kills the hijacked DLL file: acquiring the EXE file corresponding to the program to be executed; and uploading the information of the EXE file corresponding to the program to be executed and the information of the hijacked DLL file to the server; wherein scanning and killing the hijacked DLL file by the server comprises: obtaining, by the server, the level of the EXE file and the level of the hijacked DLL file, where the levels include a safe level, an unknown level, a suspicious/highly suspicious level and a malicious level; and scanning and killing the hijacked DLL file according to the level of the EXE file and the level of the hijacked DLL file.

A8. The method according to A7, wherein there are one or more hijacked DLL files, and performing a corresponding operation on the program to be executed according to the server's scan-and-kill result comprises: when at least one of the level of the EXE file and the levels of the hijacked DLL files is the malicious level, intercepting the execution of the program to be executed; when the level of the EXE file and the levels of the hijacked DLL files are all the safe level, allowing the execution of the program to be executed; and when none of the level of the EXE file and the levels of the hijacked DLL files is the malicious level and the level of at least one hijacked DLL file is higher than the level of the EXE file, taking the highest of those levels, changing the level of the EXE file to that highest level, allowing the execution of the program to be executed, and intercepting suspicious operations initiated by the program after it starts executing.

A9. The method according to A8, wherein the suspicious operation is any of: a file operation, a registry operation, a process operation or a network operation.

A10. The method according to A1, wherein the program to be executed is a program in a white list.

A11. The method according to A1, wherein the cloud identification conditions are stored in the server.

Disclosed herein are also the following:

A12. A program status detection system, comprising a client and a server, wherein the client includes: a feature information acquisition module, adapted to acquire feature information of a program to be executed when it is detected that the program to be executed creates a process; and a feature information upload module, adapted to upload the feature information of the program to be executed to the server; the server includes: a matching module, adapted to match the feature information of the program to be executed against preset cloud identification conditions to obtain a matching result; and an upgrade module, adapted to periodically detect whether the cloud identification conditions satisfy an upgrade condition and, if so, to obtain new identification conditions and complete the upgrade of the cloud identification conditions by reloading the new identification conditions; wherein the upgrade condition is configured in the server; and the client further includes: a determination module, adapted to receive the matching result returned by the server and to determine, according to the matching result, whether the program to be executed has a hijacked DLL file.

A13. The system according to A12, wherein the server further includes: a scan-and-kill module, adapted to scan and kill the hijacked DLL file when the check result of the client's determination module is that such a file exists; and the client further includes: a processing module, adapted to perform a corresponding operation on the program to be executed according to the server's scan-and-kill result.

A14. The system according to A12, wherein the matching result is the DLL file information that the program to be executed needs to check, and the determination module includes: a judging submodule, adapted to judge whether a DLL file matching the DLL file information that needs to be checked exists in a specified directory and, if so, to determine that the program to be executed has a hijacked DLL file; wherein the hijacked DLL file is a DLL file present in the specified directory, and the specified directory is the current directory or a specified relative directory.

A15. The system according to A14, wherein the cloud identification conditions include a plurality of specific program matching conditions and the specific DLL file information that needs to be checked once a specific program matching condition is satisfied.

A16. The system according to A15, wherein the matching module includes: a matching submodule, adapted to match the feature information of the program to be executed against the specific program matching conditions; a specific DLL file information acquisition submodule, adapted to obtain the specific DLL file information that needs to be checked once the matched specific program matching condition is satisfied; and a determination submodule, adapted to use the specific DLL file information as the DLL file information that the program to be executed needs to check.

A17. The system according to A16, wherein the specific program matching condition includes at least one of: file name information, file size information, file feature value information, file icon information, product name information, internal name information and original file name information, and the command line information, process path information and parent process path information of the process; and the feature information of the program to be executed includes at least one of: the file name information, file size information, file feature value information, file icon information, product name information, internal name information and original file name information of the program to be executed, and the command line information, process path information and parent process path information of the process created by the program to be executed.

A18. The system according to A13, wherein the client further includes: a file acquisition module, adapted to acquire the EXE file corresponding to the program to be executed before the server's scan-and-kill module scans and kills the hijacked DLL file; and a file information upload module, adapted to upload the information of the EXE file corresponding to the program to be executed and the information of the hijacked DLL file to the server; and the scan-and-kill module includes: a level query submodule, adapted to query the level of the EXE file and the level of the hijacked DLL file, where the levels include a safe level, an unknown level, a suspicious/highly suspicious level and a malicious level; and a scan-and-kill submodule, adapted to scan and kill the hijacked DLL file according to the level of the EXE file and the level of the hijacked DLL file.

A19. The system according to A18, wherein there are one or more hijacked DLL files, and the processing module includes: a program interception submodule, adapted to intercept the execution of the program to be executed when at least one of the level of the EXE file and the levels of the hijacked DLL files is the malicious level; an execution submodule, adapted to allow the execution of the program to be executed when the level of the EXE file and the levels of the hijacked DLL files are all the safe level; and a suspicious operation interception submodule, adapted to, when none of the level of the EXE file and the levels of the hijacked DLL files is the malicious level and the level of at least one hijacked DLL file is higher than the level of the EXE file, take the highest of those levels, change the level of the EXE file to that highest level, allow the execution of the program to be executed, and intercept suspicious operations initiated by the program after it starts executing.

A20. The system according to A19, wherein the suspicious operation is any of: a file operation, a registry operation, a process operation or a network operation.

A21. The system according to A12, wherein the program to be executed is a program in a white list.

A22. The system according to A12, wherein the cloud identification conditions are stored in the server.
According to the system described in A19, the suspicious operation is any one of the following: file operation, registry operation, process operation and network operation. A21. According to the system described in A12, the program to be executed is a program in a white list. A22. According to the system described in A12, the cloud authentication condition is stored in a server.

Claims (18)

1. A program status detection method, comprising:
when it is detected that a program to be executed creates a process, acquiring characteristic information of the program to be executed;
uploading the characteristic information of the program to be executed to a server, and matching, by the server, the characteristic information of the program to be executed against pre-set cloud identification conditions to obtain a matching result; wherein the cloud identification conditions comprise a plurality of specific program matching conditions and, for each, the specific DLL file information that needs to be checked once that specific program matching condition is met; and the matching result is the DLL file information that the program to be executed needs to check;
receiving the matching result returned by the server, and determining, according to the matching result, whether the program to be executed has a hijacked DLL file;
periodically detecting, by the server, whether the cloud identification conditions meet an upgrade condition and, if so, obtaining, by the server, new identification conditions and completing the upgrade of the cloud identification conditions by reloading the new identification conditions; wherein the upgrade condition is configured in the server; and the upgrade condition comprises: a program having a hijacked DLL file has been newly added and no specific program matching condition corresponding to this program exists in the cloud identification conditions, in which case the new identification conditions corresponding to this upgrade condition add, relative to the existing cloud identification conditions, a specific program matching condition corresponding to the newly added program.
2. The method according to claim 1, further comprising:
if a hijacked DLL file exists, scanning and killing, by the server, the hijacked DLL file;
performing a corresponding operation on the program to be executed according to the server's scan-and-kill result.
3. The method according to claim 1, wherein
said determining, according to the matching result, whether the program to be executed has a hijacked DLL file comprises:
judging whether a DLL file matching the DLL file information to be checked exists in a specified directory and, if so, determining that the program to be executed has a hijacked DLL file; wherein the hijacked DLL file is a DLL file present in the specified directory, and the specified directory is the current directory or a specified relative directory.
4. The method according to claim 3, wherein
said matching, by the server, the characteristic information of the program to be executed against the pre-set cloud identification conditions to obtain a matching result comprises:
matching, by the server, the characteristic information of the program to be executed against the specific program matching conditions;
acquiring, by the server, the specific DLL file information that needs to be checked once the matched specific program matching condition is met;
taking that specific DLL file information as the DLL file information that the program to be executed needs to check.
5. The method according to claim 4, wherein
the specific program matching condition comprises at least one of the following:
file name information, file size information, file characteristic value information, file icon information, product name information, internal name information, original file name information, and the command-line information, process path information and parent process path information of the process;
and the characteristic information of the program to be executed comprises at least one of the following:
the file name information, file size information, file characteristic value information, file icon information, product name information, internal name information and original file name information of the program to be executed, and the command-line information, process path information and parent process path information of the process created by the program to be executed.
6. The method according to claim 2, wherein
before scanning and killing, by the server, the hijacked DLL file, the method further comprises:
acquiring the EXE file corresponding to the program to be executed;
uploading information on the EXE file corresponding to the program to be executed and information on the hijacked DLL file to the server;
and said scanning and killing, by the server, the hijacked DLL file comprises:
obtaining, by the server, the level of the EXE file and the level of the hijacked DLL file, the levels comprising a safe level, an unknown level, a highly suspicious level and a malicious level;
scanning and killing the hijacked DLL file according to the level of the EXE file and the level of the hijacked DLL file.
7. The method according to claim 6, wherein there are one or more hijacked DLL files, and
said performing a corresponding operation on the program to be executed according to the server's scan-and-kill result comprises:
when at least one of the level of the EXE file and the levels of the hijacked DLL files is the malicious level, intercepting execution of the program to be executed;
when the level of the EXE file and the levels of the hijacked DLL files are all the safe level, allowing execution of the program to be executed;
when none of the level of the EXE file and the levels of the hijacked DLL files is the malicious level, and the level of at least one hijacked DLL file is higher than the level of the EXE file, obtaining the highest of these levels, changing the level of the EXE file to that highest level, allowing execution of the program to be executed, and intercepting suspicious operations initiated after the program to be executed runs.
8. The method according to claim 7, wherein the suspicious operation is any one of the following:
a file operation, a registry operation, a process operation and a network operation.
9. The method according to claim 1, wherein the program to be executed is a program in a white list.
10. The method according to claim 1, wherein the cloud identification conditions are stored in the server.
11. A program status detection system, comprising a client and a server, wherein
the client comprises:
a characteristic information acquisition module, adapted to acquire characteristic information of a program to be executed when it is detected that the program to be executed creates a process;
a characteristic information upload module, adapted to upload the characteristic information of the program to be executed to the server;
the server comprises:
a matching module, adapted to match the characteristic information of the program to be executed against pre-set cloud identification conditions to obtain a matching result; wherein the cloud identification conditions comprise a plurality of specific program matching conditions and, for each, the specific DLL file information that needs to be checked once that specific program matching condition is met; and the matching result is the DLL file information that the program to be executed needs to check;
an upgrade module, adapted to periodically detect whether the cloud identification conditions meet an upgrade condition and, if so, to obtain new identification conditions and complete the upgrade of the cloud identification conditions by reloading the new identification conditions; wherein the upgrade condition is configured in the server; and the upgrade condition comprises: a program having a hijacked DLL file has been newly added and no specific program matching condition corresponding to this program exists in the cloud identification conditions, in which case the new identification conditions corresponding to this upgrade condition add, relative to the existing cloud identification conditions, a specific program matching condition corresponding to the newly added program;
and the client further comprises:
a determination module, adapted to receive the matching result returned by the server and to determine, according to the matching result, whether the program to be executed has a hijacked DLL file.
12. The system according to claim 11, wherein
the server further comprises:
a scan-and-kill module, adapted to scan and kill the hijacked DLL file when the check result of the client's determination module is that such a file exists;
and the client further comprises:
a processing module, adapted to perform a corresponding operation on the program to be executed according to the server's scan-and-kill result.
13. The system according to claim 11, wherein
the determination module comprises:
a judging submodule, adapted to judge whether a DLL file matching the DLL file information to be checked exists in a specified directory and, if so, to determine that the program to be executed has a hijacked DLL file; wherein the hijacked DLL file is a DLL file present in the specified directory, and the specified directory is the current directory or a specified relative directory.
14. The system according to claim 13, wherein
the matching module comprises:
a matching submodule, adapted to match the characteristic information of the program to be executed against the specific program matching conditions;
a specific DLL file information acquisition submodule, adapted to acquire the specific DLL file information that needs to be checked once the matched specific program matching condition is met;
a determination submodule, adapted to take that specific DLL file information as the DLL file information that the program to be executed needs to check.
15. The system according to claim 14, wherein
the specific program matching condition comprises at least one of the following:
file name information, file size information, file characteristic value information, file icon information, product name information, internal name information, original file name information, and the command-line information, process path information and parent process path information of the process;
and the characteristic information of the program to be executed comprises at least one of the following:
the file name information, file size information, file characteristic value information, file icon information, product name information, internal name information and original file name information of the program to be executed, and the command-line information, process path information and parent process path information of the process created by the program to be executed.
16. The system according to claim 12, wherein
the client further comprises:
a file acquisition module, adapted to acquire the EXE file corresponding to the program to be executed before the server's scan-and-kill module scans and kills the hijacked DLL file;
a file information upload module, adapted to upload information on the EXE file corresponding to the program to be executed and information on the hijacked DLL file to the server;
and the scan-and-kill module comprises:
a level query submodule, adapted to query the level of the EXE file and the level of the hijacked DLL file, the levels comprising a safe level, an unknown level, a highly suspicious level and a malicious level;
a scan-and-kill submodule, adapted to scan and kill the hijacked DLL file according to the level of the EXE file and the level of the hijacked DLL file.
17. The system according to claim 16, wherein there are one or more hijacked DLL files, and
the processing module comprises:
a program interception submodule, adapted to intercept execution of the program to be executed when at least one of the level of the EXE file and the levels of the hijacked DLL files is the malicious level;
an execution submodule, adapted to allow execution of the program to be executed when the level of the EXE file and the levels of the hijacked DLL files are all the safe level;
a suspicious operation interception submodule, adapted, when none of the level of the EXE file and the levels of the hijacked DLL files is the malicious level and the level of at least one hijacked DLL file is higher than the level of the EXE file, to obtain the highest of these levels, change the level of the EXE file to that highest level, allow execution of the program to be executed, and intercept suspicious operations initiated after the program to be executed runs.
18. The system according to claim 11, wherein the program to be executed is a program in a white list.
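The claims above describe one detection pipeline: the server matches a process's characteristic information against rules that pair a program matching condition with the DLL names worth checking, the client looks for those DLL names in the program's own directory (the classic DLL search-order hijack), and a level-based verdict decides whether to block, allow, or allow-and-intercept. The following is an added example, written for this page and not the patent's or Qihoo's code, that models that pipeline offline in Python. The rule layout (a dict of required feature values plus a list of DLL names), the level names `safe`/`unknown`/`suspicious`/`malicious`, the return value `allow_and_intercept`, and the function and class names are this example's assumptions; the sample directory and reputation levels are constructed for the demo.

```python
"""
Added example (not the patent's own code): an offline model of the
client/server DLL-hijack check and the level-based verdict described in
claims 1-8 and A12-A22. Rule layout, level names and function names are
this example's assumptions.
"""
import os
import tempfile
from dataclasses import dataclass, field

# Levels ordered from least to most severe; the four levels the claims name.
LEVELS = ["safe", "unknown", "suspicious", "malicious"]


@dataclass
class Rule:
    """One 'specific program matching condition' and the DLL names to check
    once it is met (claim 1 / A15)."""
    match: dict          # feature name -> required value, e.g. original filename
    dlls_to_check: list  # DLL names the program loads from its own directory


@dataclass
class CloudRules:
    """Server side: the 'cloud identification conditions'."""
    rules: list = field(default_factory=list)

    def match(self, features: dict) -> list:
        """Return the DLL names to check for a program whose characteristic
        information satisfies at least one rule (claims 1 and 4)."""
        dlls = []
        for rule in self.rules:
            if all(features.get(k) == v for k, v in rule.match.items()):
                dlls.extend(rule.dlls_to_check)
        return dlls

    def upgrade(self, features: dict, hijacked_dlls: list,
                keys=("original_filename",)) -> bool:
        """Upgrade condition of claim 1: a program newly seen with a hijacked
        DLL that no existing rule covers gets its own matching condition.
        Returns True when a rule was added."""
        if self.match(features):
            return False
        cond = {k: features[k] for k in keys if k in features}
        self.rules.append(Rule(cond, list(hijacked_dlls)))
        return True


def find_hijacked_dlls(process_path: str, dlls_to_check: list,
                       relative_dir: str = ".") -> list:
    """Client side (claim 3): report each DLL on the check list that exists in
    the program's own directory (or a specified relative directory). The
    Windows loader searches the application directory before the system
    directories, so a copy planted there is loaded in place of the real one."""
    base = os.path.join(os.path.dirname(process_path), relative_dir)
    return [d for d in dlls_to_check if os.path.isfile(os.path.join(base, d))]


def verdict(exe_level: str, dll_levels: list) -> tuple:
    """Decision of claim 7. Returns (action, effective EXE level)."""
    levels = [exe_level] + list(dll_levels)
    if "malicious" in levels:
        return ("block", exe_level)
    if all(lvl == "safe" for lvl in levels):
        return ("allow", exe_level)
    highest = max(levels, key=LEVELS.index)
    if LEVELS.index(highest) > LEVELS.index(exe_level):
        # Raise the EXE to the worst DLL level, let it run, and intercept the
        # suspicious file/registry/process/network operations of claim 8.
        return ("allow_and_intercept", highest)
    # EXE already at or above every DLL's level: not spelled out by the
    # claims; this example lets it run unchanged (assumption).
    return ("allow", exe_level)


def run_demo() -> dict:
    """End-to-end run on a constructed directory: a whitelisted viewer.exe
    with a version.dll planted next to it (both empty placeholder files)."""
    rules = CloudRules([Rule({"original_filename": "viewer.exe"},
                             ["version.dll", "dwmapi.dll"])])
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "viewer.exe")
        for name in ("viewer.exe", "version.dll"):
            open(os.path.join(d, name), "wb").close()
        # Client: characteristic information gathered at process creation.
        features = {"original_filename": "viewer.exe", "process_path": exe}
        to_check = rules.match(features)               # server side
        hijacked = find_hijacked_dlls(exe, to_check)   # client side
        # Levels as the server's reputation query would return them
        # (constructed values for the demo).
        action, level = verdict("safe", ["suspicious"] * len(hijacked))
    return {"to_check": to_check, "hijacked": hijacked,
            "action": action, "exe_level": level}


if __name__ == "__main__":
    print(run_demo())
```

Two design points worth noting. First, the directory check is deliberately name-based and local: the server only ships DLL names, so the client never has to upload the DLL itself before deciding that something sits in the search path where it should not; hashing and reputation lookup happen afterwards, as claim 6 orders them. Second, `verdict` carries the EXE's level upward rather than trusting the whitelist entry: a trusted binary that has loaded a suspicious library is treated at the library's level for the rest of its run, which is what makes the "whitelisted loader plus hostile DLL" pattern interceptable at all.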
CN201210449282.4A 2012-11-09 2012-11-09 Program state testing method and system Active CN102982281B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210449282.4A CN102982281B (en) 2012-11-09 2012-11-09 Program state testing method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210449282.4A CN102982281B (en) 2012-11-09 2012-11-09 Program state testing method and system

Publications (2)

Publication Number Publication Date
CN102982281A CN102982281A (en) 2013-03-20
CN102982281B true CN102982281B (en) 2016-03-30

Family

ID=47856285

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210449282.4A Active CN102982281B (en) 2012-11-09 2012-11-09 Program state testing method and system

Country Status (1)

Country Link
CN (1) CN102982281B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103294955B (en) * 2013-06-28 2016-06-08 北京奇虎科技有限公司 Macro virus scanning and killing method and system
CN103593613A (en) * 2013-11-26 2014-02-19 北京网秦天下科技有限公司 Method, terminal, server and system for computer virus detection
CN103886042B (en) * 2014-03-10 2017-07-21 珠海市君天电子科技有限公司 A kind of method and device for recognizing dynamic link library
CN104123489A (en) * 2014-07-02 2014-10-29 珠海市君天电子科技有限公司 Method and device for monitoring executable program
CN104079673B (en) * 2014-07-30 2018-12-07 北京奇虎科技有限公司 A kind of methods, devices and systems for preventing DNS from kidnapping in application downloading
CN105631327A (en) * 2015-12-16 2016-06-01 北京奇虎科技有限公司 Virus checking and killing method and system as well as client
CN107330320B (en) * 2016-04-29 2020-06-05 腾讯科技(深圳)有限公司 Method and device for monitoring application process
CN110197005A (en) * 2019-05-07 2019-09-03 珠海格力电器股份有限公司 Automatic identification method and device for CAE model of air conditioner
CN113162936B (en) * 2021-04-25 2023-04-07 亿次网联(杭州)科技有限公司 Method and system for preventing abnormal dynamic analysis

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1838136A (en) * 2006-04-24 2006-09-27 南京树声科技有限公司 Method for searching harmful program in computer memory device
CN102081722A (en) * 2011-01-04 2011-06-01 奇智软件(北京)有限公司 A method and device for protecting a specified application program
CN102663288A (en) * 2012-03-22 2012-09-12 奇智软件(北京)有限公司 Virus killing method and device thereof
CN103001947A (en) * 2012-11-09 2013-03-27 北京奇虎科技有限公司 A program processing method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8387139B2 (en) * 2008-02-04 2013-02-26 Microsoft Corporation Thread scanning and patching to disable injected malware threats

Also Published As

Publication number Publication date
CN102982281A (en) 2013-03-20

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Beijing Qizhi Business Consulting Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

CP03 Change of name, title or address
TR01 Transfer of patent right

Effective date of registration: 20240115

Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Beijing Qizhi Business Consulting Co.,Ltd.

TR01 Transfer of patent right