Process monitoring method

A process monitoring method and process technology, applied in the fields of instruments, electronic digital data processing, platform integrity maintenance, etc., that addresses problems such as system damage, the cumbersome HOOK ObReferenceObjectByHandle approach and the resulting difficulty of promotion and application, and achieves a clear and easily understood effect.

Inactive Publication Date: 2011-08-10
北京思创银联科技股份有限公司
Problems solved by technology

[0005] However, because the ObReferenceObjectByHandle API is a function at the bottom of the system, when HOOKing ObReferenceObjectByHandle some unrelated processes in the system kernel are also intercepted, causing damage to the system, which is not conducive to promotion and application.



Embodiment Construction

[0032] The specific implementation manners of the present invention will be further described in detail below in conjunction with the accompanying drawings and embodiments. The following examples are used to illustrate the present invention, but are not intended to limit the scope of the present invention.

[0033] The process creation method in the existing Windows system comprises the following steps:

[0034] 1: Open the executable file;

[0035] In this step, you need to obtain FILE_EXECUTE access permission;

[0036] 2: Load the executable image (Executable image) into memory;

[0037] 3: Create a Process Executive Object;

[0038] In this step, the process execution objects include EPROCESS, KPROCESS and PEB structures.

[0039] 4: Allocate address space for the newly created process;

[0040] 5: Create the thread execution object (Thread Executive Object) of the main thread of the process;

[0041] In this step, the thread execution objects include ETHREAD, KTHREAD...


Abstract

The invention discloses a process monitoring method, relating to the field of process monitoring technology. The method comprises the following steps: S1: obtaining the API (application programming interface) address of NtCreateSection and replacing the original NtCreateSection with DetourNtCreateSection; S2: monitoring processes to be created according to the DetourNtCreateSection. The method provided by the invention can be used to intercept processes while they are being created rather than after creation, thus making the system more secure. Because the hooked site is an unavoidable path for process creation, it cannot easily be bypassed by Trojans, viruses and the like, so safety can be ensured. In addition, the method is not as complicated as the HOOK ObReferenceObjectByHandle method: only one API is hooked in the whole process, so the process is clear and easily understood. The NtCreateSection hook used in the method provided by the invention is placed at a high kernel level and only intercepts processes being created, so it does not affect other valid processes running in the system.

Description

Technical field

[0001] The invention relates to the technical field of process monitoring, in particular to a process monitoring method.

Background technique

[0002] At present, the general method of process monitoring is to register a callback function with the system. When the system detects that a process has been created, it calls the registered callback function. At this time the process ID, and even the process name, process path and other information, can be obtained from the parameters of the callback function.

[0003] The defect of this method is that by the time we get the information about the process, the process has already been created successfully; if it is a virus or Trojan process, it has already begun to endanger our software, system or computer. If we want to destroy this process, we need to use some APIs (Application Programming Interface) provided by Microsoft, which is cumbersome to implement and not easy to operate.

[000...
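The contrast the page draws, between the callback approach of [0002]/[0003] (notified only after the process exists) and the abstract's two steps (S1: replace the NtCreateSection entry; S2: filter inside DetourNtCreateSection, where only SEC_IMAGE sections correspond to a process launch), can be seen in a small model. The C program below is an added example written for this page, not the patent's or the company's code: it is a user-mode model that compiles on any C compiler, with a one-slot stand-in for the system service table, a constructed loader path and a constructed list of blocked image names (evil_dropper.exe, trojan.exe); it touches no real kernel. NtCreateSection, DetourNtCreateSection, SEC_IMAGE and STATUS_ACCESS_DENIED are names from the page or the Windows API; InstallHook, RemoveHook, LaunchProcess, CallbackApproach and the counter helpers are assumptions made for the model.

```c
/* Added example: user-mode model of the patent's NtCreateSection detour
 * versus a post-creation callback.  Service table, loader and policy
 * list are constructed stand-ins, not Windows kernel structures. */
#include <stdio.h>
#include <string.h>

typedef int NTSTATUS;
#define STATUS_SUCCESS        ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED  ((NTSTATUS)0xC0000022L)
#define SEC_IMAGE             0x01000000u   /* real Windows allocation attribute */

typedef NTSTATUS (*NtCreateSectionFn)(const char *image_path, unsigned int alloc_attrs);

/* Model of the original service.  Creating an image section is the loader
 * step a new process cannot skip, so "process started" is counted here. */
static int g_processes_started = 0;
static NTSTATUS OriginalNtCreateSection(const char *image_path, unsigned int alloc_attrs) {
    (void)image_path;
    if (alloc_attrs & SEC_IMAGE) g_processes_started++;
    return STATUS_SUCCESS;
}

/* Stand-in for the service table slot that step S1 replaces (assumption). */
static NtCreateSectionFn g_service_table_entry = OriginalNtCreateSection;
static NtCreateSectionFn g_saved_original = NULL;

/* Constructed policy: image file names the monitor refuses to start. */
static const char *g_blocked_images[] = { "evil_dropper.exe", "trojan.exe" };

static int IsBlockedImage(const char *image_path) {
    const char *base = strrchr(image_path, '\\');
    base = base ? base + 1 : image_path;
    for (size_t i = 0; i < sizeof g_blocked_images / sizeof *g_blocked_images; i++)
        if (strcmp(base, g_blocked_images[i]) == 0) return 1;
    return 0;
}

/* Step S2: the detour.  Only SEC_IMAGE sections are process launches;
 * ordinary data-file mappings are forwarded untouched. */
static NTSTATUS DetourNtCreateSection(const char *image_path, unsigned int alloc_attrs) {
    if ((alloc_attrs & SEC_IMAGE) && IsBlockedImage(image_path)) {
        printf("[hook] denied image section for %s\n", image_path);
        return STATUS_ACCESS_DENIED;   /* creation fails before any thread exists */
    }
    return g_saved_original(image_path, alloc_attrs);
}

/* Step S1: save the original entry, then install the detour. */
void InstallHook(void) {
    if (g_saved_original) return;
    g_saved_original = g_service_table_entry;
    g_service_table_entry = DetourNtCreateSection;
}
void RemoveHook(void) {
    if (!g_saved_original) return;
    g_service_table_entry = g_saved_original;
    g_saved_original = NULL;
}

/* Model of the loader path (steps 1-2 of the page's creation sequence):
 * it always goes through the current, possibly hooked, service entry. */
NTSTATUS LaunchProcess(const char *image_path) {
    return g_service_table_entry(image_path, SEC_IMAGE);
}

/* Model of the callback approach from [0002]/[0003]: the notification
 * fires after creation, so the image has already started before the
 * monitor can act and must then be terminated separately. */
int CallbackApproach(const char *image_path) {
    NTSTATUS st = OriginalNtCreateSection(image_path, SEC_IMAGE);  /* creation completes */
    int started = (st == STATUS_SUCCESS);
    if (started && IsBlockedImage(image_path))
        printf("[callback] %s is already running, terminating it\n", image_path);
    return started;
}

int ProcessesStarted(void) { return g_processes_started; }
void ResetCounter(void)    { g_processes_started = 0; }

int main(void) {
    ResetCounter();
    CallbackApproach("C:\\tmp\\trojan.exe");
    printf("callback approach: processes started = %d\n", ProcessesStarted());
    ResetCounter();
    InstallHook();
    LaunchProcess("C:\\tmp\\trojan.exe");          /* denied in the creation path */
    LaunchProcess("C:\\Windows\\notepad.exe");     /* forwarded to the original */
    printf("detour approach:   processes started = %d\n", ProcessesStarted());
    RemoveHook();
    return 0;
}
```

In the model the counter makes the page's point visible: the callback route records the blocked image as started before the monitor reacts, while the detour route denies it inside the creation path and only the permitted image is counted. A practitioner reading this against a modern system should note that replacing a system service entry, as S1 describes, is blocked by Kernel Patch Protection on 64-bit Windows, so the patent's placement applies to the Windows versions of its time.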


Application Information

IPC(8): G06F21/22, G06F21/52
Inventor: 于晓军, 万雪松, 赵辰清
Owner: 北京思创银联科技股份有限公司