
CN114547613A - Malicious program intercepting method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN114547613A
Authority
CN
China
Prior art keywords
specified
malicious
terminal
request
acceleration chip
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210168480.7A
Other languages
Chinese (zh)
Inventor
李石磊
刘新成
肖新光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Antiy Technology Group Co Ltd
Original Assignee
Antiy Technology Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Antiy Technology Group Co Ltd filed Critical Antiy Technology Group Co Ltd
Priority to CN202210168480.7A priority Critical patent/CN114547613A/en
Publication of CN114547613A publication Critical patent/CN114547613A/en
Pending legal-status Critical Current


Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application provides a malicious program intercepting method and device, electronic equipment and a storage medium. The method is applied to an acceleration chip and comprises the following steps: acquiring memory information of a terminal; mapping the memory information to the acceleration chip; setting a hook function for the specified address in the memory information based on the mapping result in the acceleration chip; and calling the hook function to intercept the specified malicious request in response to the terminal receiving the specified malicious request aiming at the specified address. According to the technical scheme, early defense and active defense against the malicious program are achieved, the technical problem that initiative and effectiveness are lacking when the malicious program is defended against in the related technology is solved, and the timeliness and the effectiveness of defense against the malicious program are improved.

Description

Malicious program interception method and device, electronic equipment and storage medium
[ technical field ]
The present application relates to the field of computer network security technologies, and in particular, to a malicious program intercepting method and apparatus, an electronic device, and a storage medium.
[ background of the invention ]
At present, most methods of coping with malicious programs are quite passive: remedial measures are usually considered only after the malicious program has executed, so the response is too slow. Moreover, even if sensitive locations such as registry entries and service entries are repaired after the malicious program has executed and the virus itself is deleted, the intrusion may already have destroyed very important files in the system and caused irreversible damage.
In addition, existing methods of coping with malicious programs are often attached to the system, and their operation and monitoring actions occupy a large amount of system resources, so that the system stutters and the user experience is affected.
Therefore, how to accurately and efficiently perform active defense on malicious programs becomes a technical problem to be solved urgently at present.
[ summary of the invention ]
The embodiment of the application provides a malicious program intercepting method and device, electronic equipment and a storage medium, and aims to solve the technical problem that, in the related art, initiative and effectiveness are lacking when a malicious program is defended against.
In a first aspect, an embodiment of the present application provides a malicious program intercepting method, where the method is applied to an acceleration chip, and the method includes: acquiring memory information of a terminal; mapping the memory information to the acceleration chip; setting a hook function for the specified address in the memory information based on the mapping result in the acceleration chip; and calling the hook function to intercept the specified malicious request in response to the terminal receiving the specified malicious request aiming at the specified address.
In an embodiment of the present application, optionally, the mapping the memory information to the acceleration chip includes: extracting all callable addresses from the memory information of the terminal; and transmitting all the callable addresses to the acceleration chip as the mapping result.
In an embodiment of the present application, optionally, the acceleration chip is a PCIE interface chip.
In an embodiment of the application, optionally, before the responding to the terminal receiving a specified malicious request for the specified address and calling the hook function to intercept the specified malicious request, the method further includes: acquiring a request to be identified received by the terminal; and if the request to be identified carries a change instruction of the specified address or a hook instruction of any interface associated with the specified address, determining that the request to be identified received by the specified terminal is a specified malicious request aiming at the specified address.
In the embodiment of the present application, optionally, the method further includes: and after the hook function is called to intercept the specified malicious request, generating alarm information.
In a second aspect, an embodiment of the present application provides a malicious program intercepting apparatus, where the apparatus is applied to an acceleration chip, and the apparatus includes: the memory information acquisition unit is used for acquiring the memory information of the terminal; the memory mapping unit is used for mapping the memory information to the acceleration chip; a hook function setting unit, configured to set a hook function for the specified address in the memory information based on the mapping result in the acceleration chip; a hook function calling unit, configured to, in response to the terminal receiving a specified malicious request for the specified address, call the hook function to intercept the specified malicious request.
In an embodiment of the present application, optionally, the memory mapping unit is configured to: extracting all callable addresses from the memory information of the terminal; and transmitting all the callable addresses to the acceleration chip as the mapping result.
In an embodiment of the present application, optionally, the acceleration chip is a PCIE interface chip.
In the embodiment of the present application, optionally, the method further includes: a request to be identified acquiring unit, configured to acquire a request to be identified received by the terminal before the hook function calling unit calls the hook function to intercept the specified malicious request; and the malicious request identification unit is used for determining that the request to be identified received by the specified terminal is a specified malicious request aiming at the specified address if the request to be identified carries a change instruction of the specified address or a hook instruction of any interface associated with the specified address.
In the embodiment of the present application, optionally, the method further includes: and the interception alarm unit is used for generating alarm information after the hook function is called to intercept the specified malicious request.
In a third aspect, an embodiment of the present application provides an electronic device, including: an acceleration chip, at least one processor; and a memory communicatively coupled to the acceleration chip and the at least one processor; wherein the memory stores instructions executable by the acceleration chip, the instructions being arranged to perform the method of any of the first aspects above.
In a fourth aspect, an embodiment of the present application provides a storage medium storing computer-executable instructions for performing the method process described in any one of the above first aspects.
According to the technical scheme, the specified malicious request can be intercepted before it carries out malicious behaviors such as tampering with the specified address, so that active defense against malicious programs is achieved, and the initiative and the effectiveness in defense against malicious programs are improved. Meanwhile, the defense function with larger resource consumption is transferred to the acceleration chip for implementation, and a large amount of system resources of the terminal are not occupied any more, so that the occupation of memory resources of the terminal can be reduced to a certain extent, and the interference and influence of functions such as malicious program monitoring and interception on a terminal system are reduced.
[ description of the drawings ]
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 shows a flow diagram of a malware interception method according to one embodiment of the present application;
FIG. 2 shows a block diagram of a malware intercepting apparatus according to one embodiment of the present application;
FIG. 3 shows a block diagram of an electronic device according to an embodiment of the application.
[ detailed description of the embodiments ]
For better understanding of the technical solutions of the present application, the following detailed descriptions of the embodiments of the present application are provided with reference to the accompanying drawings.
It should be understood that the embodiments described are only a few embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terminology used in the embodiments of the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in the examples of this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
Fig. 1 shows a flowchart of a malicious program intercepting method according to an embodiment of the present application.
As shown in fig. 1, a malicious program intercepting method according to an embodiment of the present application is applied to an acceleration chip.
In the related art, a coping method for malicious programs is often attached to a system of a terminal, and the operation and monitoring actions of the coping method occupy a large amount of system resources, which may cause the system of the terminal to be stuck during operation and affect user experience. Therefore, the acceleration chip can be physically connected with the terminal for subsequent malicious program defense operation. Therefore, when the malicious program is defended, the memory space of the acceleration chip can be occupied to execute the operation on the terminal, so that the memory of the terminal is saved, the occupation of system resources of the terminal is reduced, the system blockage can be avoided, the negative influence on the user experience is reduced, and a resource supply basis is laid for intercepting the malicious request quickly and conveniently in the follow-up process.
On the basis, the method comprises the following steps:
Step 102, acquiring the memory information of the terminal.
The acceleration chip is in physical connection with the terminal, and can acquire the memory information of the terminal from the physical layer for subsequent malicious program defense operation. The acceleration chip is a chip independent of a CPU (central processing unit) of the terminal and outside an operating system, is specially used for defending malicious programs aiming at the terminal, and does not occupy the memory of the terminal.
In one possible design, the acceleration chip is a PCIE interface chip.
Specifically, before the memory information of the terminal is read, a PCIE interface card and a PCIE slot of the terminal may be connected, and connection based on a hardware layer of the terminal is established. Among them, PCIE, that is, PCI-Express, is a bus specification, and can support a plurality of interface modes with different speeds, and meet the memory reading requirements for terminals with different memory sizes.
Step 104, mapping the memory information to the acceleration chip.
Since the malicious program interception operation of the terminal is to be transferred from the system interior of the terminal to the acceleration chip, in order to ensure that the terminal can smoothly execute the malicious program interception operation through the acceleration chip, information required by the terminal to execute the malicious program interception operation needs to be mapped from the memory information of the terminal to the acceleration chip, so that the acceleration chip is convenient to use. In other words, the second memory information is information required by the terminal to execute the malicious program intercepting operation.
In one possible design, the second memory information includes all callable addresses in the memory information of the terminal, that is, all callable addresses can be extracted from the memory information of the terminal; and all the callable addresses are transmitted to the acceleration chip as the mapping result.
On this basis, the acceleration chip is used for monitoring malicious requests faced by the terminal to prevent malicious programs, and the malicious requests are often related to callable addresses in the terminal, for example, the malicious requests can be requests for modifying the addresses. Therefore, all the callable addresses in the memory information of the terminal are stored in the acceleration chip, which facilitates effective monitoring of all the callable addresses in the acceleration chip. Upon detecting a malicious request for a callable address, subsequent interception operations may be performed.
Step 106, setting a hook function for the specified address in the memory information based on the mapping result in the acceleration chip.
Furthermore, a designated address meeting the actual safety protection requirement can be selected from all the callable addresses in the memory information of the terminal, so that the designated address can be monitored and the malicious request can be intercepted. Of course, the designated address may be any address within all callable addresses in the terminal.
Then, the specified address is hooked. Specifically, a hook is an interrupt mechanism for intercepting and processing a message or a specific event in the system; in other words, a hook can capture the message or the specific event in the system before it reaches the target window, thereby gaining control over the message or the specific event.
Step 108, in response to the terminal receiving the designated malicious request for the designated address, calling the hook function to intercept the designated malicious request.
On the basis of setting a hook function for the specified address, when the terminal receives a specified malicious request aiming at the specified address, an acceleration chip is triggered to work, the acceleration chip can call the hook function to intercept the specified malicious request aiming at the specified address, and the hook function can intercept the specified malicious request before the specified malicious request is executed by a system of the terminal, so that the system of the terminal does not execute the specified malicious request, and the specified address is protected.
In another possible design, when the terminal receives a specified malicious request for the specified address, defense notification information is generated and transmitted to an acceleration chip for defending against malicious programs. After receiving the defense notification information, the acceleration chip calls the hook function to intercept the specified malicious request aiming at the specified address based on the specified address and the specified malicious request shown in the defense notification information.
In still another possible design, when the terminal receives any one of the to-be-identified requests for the designated address, defense judgment information is generated and transmitted to an acceleration chip for defending against malicious programs. After receiving the defense judgment information, the acceleration chip judges whether the request to be identified shown in the defense judgment information belongs to the specified malicious request, if so, the hook function is called to intercept the specified malicious request aiming at the specified address, and otherwise, the interception processing is not executed.
In still another possible design, when the terminal receives any one to-be-identified request for any one of the addresses, defense judgment information is generated and transmitted to an acceleration chip for defending against malicious programs. After receiving the defense judgment information, the acceleration chip judges whether any address shown in the defense judgment information is a designated address. If any address is a designated address, whether the request to be identified shown in the defense judgment information belongs to a designated malicious request is judged, if the request to be identified belongs to the designated malicious request, the hook function is called to intercept the designated malicious request aiming at the designated address, and otherwise, the interception processing is not executed.
Therefore, when the terminal acquires the designated malicious request, that is, before the designated malicious request carries out malicious behaviors such as tampering with the designated address, the designated malicious request can be intercepted, active defense against malicious programs is realized, and the initiative and the effectiveness in the defense against malicious programs are improved. Meanwhile, the defense function with larger resource consumption is transferred to the acceleration chip for implementation, so that a large amount of system resources of the terminal are not occupied, the occupation of memory resources of the terminal can be reduced to a certain extent, and the interference and influence of functions such as malicious program monitoring and interception on a terminal system are reduced.
In addition, whether the request to be identified is malicious or not is judged, and the specific mode comprises the following steps: acquiring a request to be identified received by the terminal; and if the request to be identified carries a change instruction of the specified address or a hook instruction of any interface associated with the specified address, determining that the request to be identified received by the specified terminal is a specified malicious request aiming at the specified address.
Normal security requests generally do not tamper with addresses or call functions of hook interfaces and the like, and therefore, if a request to be identified carries a change instruction for the specified address or a hook instruction for any interface associated with the specified address, the request is considered as a specified malicious request. Then, the designated malicious request can passively trigger a hook function, and the call of the hook function is executed in the acceleration chip, so that the interception of the designated malicious request can be realized, that is, in the acceleration chip, a function for calling the hook function is executed in response to the designated malicious request, so that the designated malicious request is intercepted by the hook function.
In addition, after the hook function is called to intercept the specified malicious request, alarm information may be generated to warn of the tampering action that the malicious program attempted to carry out, so that an end user or a remote administrator can protect the terminal.
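The decision flow of steps 104 to 108 can be modelled as follows. This is an added example, not code from the application: it follows the design in which the chip first checks whether the address is a specified address and then whether the request is a specified malicious request. All type names, function names, request kinds, addresses and interface numbers are hypothetical and constructed for illustration.

```c
/* Added illustration, not code from the patent: chip-side decision flow for
 * steps 104-108. All names, types and sample values are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ADDRS  8
#define MAX_IFACES 4

typedef enum { REQ_READ, REQ_CALL, REQ_CHANGE_ADDR, REQ_HOOK_IFACE } req_kind;
typedef enum { VERDICT_PASS, VERDICT_INTERCEPTED } verdict;

/* One entry of the mapping result: a callable address from the terminal. */
typedef struct {
    uint64_t addr;
    bool     hooked;              /* set in step 106 for a specified address */
    uint32_t ifaces[MAX_IFACES];  /* interfaces associated with this address */
    size_t   n_ifaces;
} mapped_addr;

/* Defense judgment information: an address plus the request to be identified.
 * iface is only meaningful for REQ_HOOK_IFACE. */
typedef struct { uint64_t addr; req_kind kind; uint32_t iface; } request;

/* Chip-side state: the mapping table and a count of alarms generated. */
typedef struct { mapped_addr table[MAX_ADDRS]; size_t n; unsigned alarms; } chip_state;

static mapped_addr *find_addr(chip_state *c, uint64_t addr) {
    for (size_t i = 0; i < c->n; i++)
        if (c->table[i].addr == addr) return &c->table[i];
    return NULL;
}

/* Step 104: copy one callable address into the chip-side table. */
static bool map_address(chip_state *c, uint64_t addr,
                        const uint32_t *ifaces, size_t n_ifaces) {
    if (c->n == MAX_ADDRS || n_ifaces > MAX_IFACES || find_addr(c, addr))
        return false;             /* table full, too many ifaces, or duplicate */
    mapped_addr *m = &c->table[c->n++];
    *m = (mapped_addr){ .addr = addr, .n_ifaces = n_ifaces };
    for (size_t i = 0; i < n_ifaces; i++) m->ifaces[i] = ifaces[i];
    return true;
}

/* Step 106: a hook can only be set on an address present in the mapping. */
static bool set_hook(chip_state *c, uint64_t addr) {
    mapped_addr *m = find_addr(c, addr);
    if (m) m->hooked = true;
    return m != NULL;
}

/* Specified malicious request: a change instruction for the specified address,
 * or a hook instruction for an interface associated with that address. */
static bool is_specified_malicious(const mapped_addr *m, const request *r) {
    if (r->kind == REQ_CHANGE_ADDR) return true;
    if (r->kind == REQ_HOOK_IFACE)
        for (size_t i = 0; i < m->n_ifaces; i++)
            if (m->ifaces[i] == r->iface) return true;
    return false;
}

/* Step 108: check the address, then the request; intercept and raise an alarm. */
static verdict handle_request(chip_state *c, const request *r) {
    mapped_addr *m = find_addr(c, r->addr);
    if (!m || !m->hooked) return VERDICT_PASS;   /* not a specified address */
    if (!is_specified_malicious(m, r)) return VERDICT_PASS;
    c->alarms++;                                 /* alarm after interception */
    return VERDICT_INTERCEPTED;
}

static chip_state demo;           /* constructed sample state, zero-initialised */

/* Submit one request to the demo chip: 0x1000 is mapped and hooked with
 * interfaces 11 and 12; 0x2000 is mapped but not hooked. */
static verdict demo_submit(uint64_t addr, req_kind kind, uint32_t iface) {
    if (demo.n == 0) {            /* first call: build the mapping and hook */
        const uint32_t ifaces[] = { 11, 12 };
        map_address(&demo, 0x1000, ifaces, 2);
        map_address(&demo, 0x2000, NULL, 0);
        set_hook(&demo, 0x1000);
    }
    request r = { addr, kind, iface };
    return handle_request(&demo, &r);
}

int main(void) {
    printf("change 0x1000 -> %d\n", demo_submit(0x1000, REQ_CHANGE_ADDR, 0));
    printf("hook if 12    -> %d\n", demo_submit(0x1000, REQ_HOOK_IFACE, 12));
    printf("hook if 99    -> %d\n", demo_submit(0x1000, REQ_HOOK_IFACE, 99));
    printf("change 0x2000 -> %d\n", demo_submit(0x2000, REQ_CHANGE_ADDR, 0));
    printf("alarms: %u\n", demo.alarms);
    return 0;
}
```

In this model a change instruction aimed at a mapped but unhooked address passes through, which shows that protection covers only the addresses selected in step 106.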
Fig. 2 shows a block diagram of a malicious program intercepting apparatus according to an embodiment of the present application.
As shown in fig. 2, an embodiment of the present application provides a malicious program intercepting apparatus 200, where the malicious program intercepting apparatus 200 is applied to an acceleration chip, and includes: a memory information obtaining unit 202, configured to obtain memory information of a terminal; a memory mapping unit 204, configured to map the memory information into the acceleration chip; a hook function setting unit, configured to set a hook function for the specified address in the memory information based on the mapping result in the acceleration chip; a hook function calling unit, configured to, in response to the terminal receiving a specified malicious request for the specified address, call the hook function to intercept the specified malicious request.
In an embodiment of the present application, optionally, the memory mapping unit 204 is configured to: extracting all callable addresses from the memory information of the terminal; and transmitting all the callable addresses to the acceleration chip as the mapping result.
In an embodiment of the present application, optionally, the acceleration chip is a PCIE interface chip.
In the embodiment of the present application, optionally, the method further includes: a to-be-identified request obtaining unit, configured to obtain the to-be-identified request received by the terminal before the hook function calling unit 208 calls the hook function to intercept the specified malicious request; and the malicious request identification unit is used for determining that the request to be identified received by the specified terminal is a specified malicious request aiming at the specified address if the request to be identified carries a change instruction of the specified address or a hook instruction of any interface associated with the specified address.
In an embodiment of the present application, optionally, the method further includes: and the interception alarm unit is used for generating alarm information after the hook function is called to intercept the specified malicious request.
The malicious program intercepting apparatus 200 uses the scheme described in any of the above embodiments, and therefore, has all the technical effects described above, and is not described herein again.
FIG. 3 shows a block diagram of an electronic device of an embodiment of the application.
As shown in fig. 3, an electronic device 300 of one embodiment of the present application includes at least one memory 302; and a processor 304 communicatively coupled to the at least one memory 302, and an acceleration chip 306; wherein the memory stores instructions executable by the acceleration chip 306, the instructions being configured to perform the scheme described in any of the above embodiments. Therefore, the electronic device 300 has the same technical effects as any of the above embodiments, and will not be described herein again.
The electronic device of the embodiments of the present application exists in various forms, including but not limited to:
(1) Mobile communication devices, which are characterized by mobile communication capabilities and are primarily targeted at providing voice and data communications. Such terminals include smart phones (e.g., iPhones), multimedia phones, feature phones, and low-end phones, among others.
(2) Ultra-mobile personal computer devices, which belong to the category of personal computers, have calculation and processing functions, and generally also have mobile internet access. Such terminals include PDA, MID, and UMPC devices, such as iPads.
(3) Portable entertainment devices, which can display and play multimedia content. Such devices include audio and video players (e.g., iPods), handheld game consoles, electronic books, as well as smart toys and portable car navigation devices.
(4) Servers, which are similar to a general computer in architecture, but have higher requirements on processing capability, stability, reliability, safety, expandability, manageability and the like because of the need to provide highly reliable services.
(5) Other electronic devices with data interaction functions.
In addition, a storage medium is provided in an embodiment of the present application, and stores computer-executable instructions for executing the method flow described in any of the above embodiments.
The technical scheme of the application has been explained in detail above with reference to the attached drawings. It can intercept the designated malicious request before the designated malicious request carries out malicious behaviors such as tampering with the designated address, so that active defense against the malicious program is realized, and the initiative and the effectiveness in the defense against the malicious program are improved. Meanwhile, the defense function with larger resource consumption is transferred to the acceleration chip for implementation, and a large amount of system resources of the terminal are not occupied any more, so that the occupation of memory resources of the terminal can be reduced to a certain extent, and the interference and influence of functions such as malicious program monitoring and interception on a terminal system are reduced.
It should be understood that although the terms first, second, etc. may be used to describe the memory information in the embodiments of the present application, the memory information should not be limited by these terms. These terms are only used to distinguish one memory information item from another. For example, the memory information may also be referred to as second memory information, and similarly, the second memory information may also be referred to as memory information without departing from the scope of the embodiments of the present application.
The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination" or "in response to a detection", depending on the context. Similarly, the phrases "if determined" or "if detected (a stated condition or event)" may be interpreted as "when determined" or "in response to a determination" or "when detected (a stated condition or event)" or "in response to a detection (a stated condition or event)", depending on the context.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions in actual implementation, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) or a processor to execute some steps of the methods according to the embodiments of the present application. The aforementioned storage medium includes: various media capable of storing program codes, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (8)

1. A malicious program intercepting method is applied to an acceleration chip and is characterized by comprising the following steps:
acquiring memory information of a terminal;
mapping the memory information to the acceleration chip;
setting a hook function for the specified address in the memory information based on the mapping result in the acceleration chip;
and calling the hook function to intercept the specified malicious request in response to the terminal receiving the specified malicious request aiming at the specified address.
2. The malware interception method of claim 1, wherein the mapping the memory information into the acceleration chip comprises:
extracting all callable addresses from the memory information of the terminal;
and transmitting all the callable addresses to the acceleration chip as the mapping result.
3. The malware interception method of claim 1,
the acceleration chip is a PCIE interface chip.
4. The malware interception method of any one of claims 1 to 3, wherein before the responding to the terminal receiving a specified malicious request aiming at the specified address and calling the hook function to intercept the specified malicious request, the method further comprises:
acquiring a request to be identified received by the terminal;
and if the request to be identified carries a change instruction of the specified address or a hook instruction of any interface associated with the specified address, determining that the request to be identified received by the specified terminal is a specified malicious request aiming at the specified address.
5. The malware interception method of claim 4, further comprising:
and generating alarm information after calling the hook function to intercept the specified malicious request.
6. A malicious program intercepting device, which is applied to an acceleration chip, is characterized by comprising:
the memory information acquisition unit is used for acquiring the memory information of the terminal;
the memory mapping unit is used for mapping the memory information to the acceleration chip;
a hook function setting unit, configured to set a hook function for the specified address in the memory information based on the mapping result in the acceleration chip;
a hook function calling unit, configured to, in response to the terminal receiving a specified malicious request for the specified address, call the hook function to intercept the specified malicious request.
7. An electronic device, comprising: an acceleration chip, at least one processor; and a memory communicatively coupled to the acceleration chip and the at least one processor;
wherein the memory stores instructions executable by the acceleration chip, the instructions being arranged to perform the method of any of the preceding claims 1 to 5.
8. A storage medium having stored thereon computer-executable instructions for performing the method flow of any of claims 1-5.
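
The classification and interception logic of claims 1, 2, 4 and 5, modelled in C as an added example (not code from the patent or from the applicant). The request kinds, struct layout, function names and sample addresses are assumptions made for illustration; the patent defines no request format.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical request model: claim 4 names the two malicious kinds only. */
enum req_kind { REQ_CALL, REQ_CHANGE_ADDR, REQ_HOOK_INTERFACE };
struct request { enum req_kind kind; uint64_t target; };
#define MAX_ADDRS 8
struct guard {
    uint64_t callable[MAX_ADDRS]; size_t n_callable; /* mapping result (claim 2) */
    uint64_t assoc_iface[MAX_ADDRS]; size_t n_assoc; /* interfaces tied to the address */
    uint64_t protected_addr; bool armed;             /* the "specified address" */
    unsigned alerts;                                 /* alarms raised (claim 5) */
};

static bool contains(const uint64_t *set, size_t n, uint64_t a) {
    for (size_t i = 0; i < n; i++) if (set[i] == a) return true;
    return false;
}

/* Claim 1: the hook is set only on an address present in the mapping result. */
bool guard_protect(struct guard *g, uint64_t addr) {
    if (!contains(g->callable, g->n_callable, addr)) return false;
    g->protected_addr = addr; g->armed = true;
    return true;
}

/* Claim 4: change instruction on the protected address, or hook instruction on an associated interface. */
bool is_malicious(const struct guard *g, const struct request *r) {
    if (!g->armed) return false;
    if (r->kind == REQ_CHANGE_ADDR) return r->target == g->protected_addr;
    if (r->kind == REQ_HOOK_INTERFACE) return contains(g->assoc_iface, g->n_assoc, r->target);
    return false;
}

/* The hook: true = request passes, false = intercepted and alarm raised. */
bool guard_handle(struct guard *g, const struct request *r) {
    if (!is_malicious(g, r)) return true;
    g->alerts++;
    return false;
}

/* Constructed sample state; every address here is made up. */
struct guard sample_guard(void) {
    struct guard g = { .callable = {0x1000, 0x2000, 0x3000}, .n_callable = 3,
                       .assoc_iface = {0x2000}, .n_assoc = 1 };
    guard_protect(&g, 0x1000);
    return g;
}
```

In this model a change request aimed at an unprotected address still passes, because claim 4 flags only requests that touch the specified address or an interface associated with it.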

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210168480.7A CN114547613A (en) 2022-02-23 2022-02-23 Malicious program intercepting method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210168480.7A CN114547613A (en) 2022-02-23 2022-02-23 Malicious program intercepting method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114547613A true CN114547613A (en) 2022-05-27

Family

ID=81678484

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210168480.7A Pending CN114547613A (en) 2022-02-23 2022-02-23 Malicious program intercepting method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114547613A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116232723A (en) * 2023-02-28 2023-06-06 杭州默安科技有限公司 A honeypot and its attack detection method, system, device and storage medium

Similar Documents

Publication Publication Date Title
CN109117250B (en) Simulator identification method, simulator identification equipment and computer readable medium
WO2020019483A1 (en) Emulator identification method, identification device, and computer readable medium
AU2018229557A1 (en) Methods and apparatus for identifying and removing malicious applications
CN109062667B (en) Simulator identification method, simulator identification equipment and computer readable medium
EP2317454A2 (en) Providing authenticated anti-virus agents a direct access to scan memory
CN109561085A (en) A kind of auth method based on EIC equipment identification code, server and medium
CN111131221B (en) Interface checking device, method and storage medium
WO2020019482A1 (en) Function hook detection method, function hook detection device, and computer-readable medium
CN111177726B (en) A system vulnerability detection method, device, equipment and medium
CN106203092B (en) Method and device for intercepting shutdown of malicious program and electronic equipment
CN111459673A (en) Secure memory expansion and release method and device and electronic equipment
CN105868625B (en) Method and device for intercepting restart deletion of file
CN110505246B (en) Client network communication detection method, device and storage medium
CN114547613A (en) Malicious program intercepting method and device, electronic equipment and storage medium
CN107070878B (en) System and method for virus isolation of monitored application
CN106022117A (en) Method and device for preventing system environment variable from being modified and electronic equipment
CN111382441B (en) Application processor, coprocessor and data processing equipment
CN111651763A (en) Process monitoring method and device, electronic equipment and storage medium
CN112989323B (en) Process detection method, device, terminal and storage medium
US10452817B1 (en) File input/output redirection in an API-proxy-based application emulator
US12282544B2 (en) Resource monitoring device and method using hardware abstraction layer
CN108875362B (en) Sample behavior obtaining method and device, storage medium and electronic equipment
CN111651764B (en) Process monitoring method and device, electronic equipment and storage medium
CN113646763B (en) shellcode detection method and device
CN110597557B (en) System information acquisition method, terminal and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination