CN-115686791-B - Process processing method and device
Abstract
The application provides a process processing method and device. The method is applied to a client and comprises: monitoring the loading behaviors of components in a process in real time; judging whether a component is a third-party irrelevant component; if so, identifying the file operations initiated by the third-party irrelevant component; and setting the file objects of those file operations to a state of not adopting encryption and decryption functions. Compared with the prior art, the method and device apply the same policy to a third-party irrelevant component whether it runs in a trusted process or in an untrusted process, which gives higher flexibility and security.
Inventors
- QIU ZHIBIN
- TU GAOYUAN
- GUO YONGXING
- LU YUNYAN
- SHEN TINGQIANG
Assignees
- 厦门天锐科技股份有限公司
Dates
- Publication Date: 20260505
- Application Date: 20221107
Claims (8)
- 1. A method for processing a process, wherein the method is applied to a client and comprises: monitoring loading behaviors of components in a process in real time, and judging whether a component is a third-party irrelevant component; if yes, identifying the file operation initiated by the third-party irrelevant component; and setting the file object of the file operation to a state of not adopting encryption and decryption functions; wherein the judging whether the component is a third-party irrelevant component comprises: acquiring a characteristic value of the loaded component; matching the characteristic value with the characteristic values in the characteristic library, and judging whether the component is an irrelevant component according to whether the characteristic value matches a characteristic value in the characteristic library; and wherein the setting of the file object of the file operation to a state of not adopting encryption and decryption functions specifically comprises the following steps: scanning the trusted processes currently in a running state, and recording the address space of each thread component; determining a trusted process operation file according to the address space, and judging whether a judging process of whether the trusted process operation file is an irrelevant component thread or not based on the state of the file; if the related component thread is judged to be needed to be encrypted according to the strategy, if the operation type is to create a new file and cover an original file, call stack information of the operation is obtained, and the addresses in the stack are traced back; if a space address is in the address space of an unrelated component, then the file is considered to be generated by an unrelated component, and the file is not encrypted.
- 2. The method of claim 1, wherein the identifying of the file operation initiated by the third-party independent component comprises: acquiring an address space of the third-party independent component; and determining the file operation initiated by the third-party irrelevant component according to the address space.
- 3. The method of claim 1, wherein, before monitoring the loading behaviors of components in the process in real time and judging whether the component is a third-party independent component, the method further comprises: creating a third-party independent component feature library, wherein the third-party independent component feature library comprises feature values of the third-party independent components.
- 4. The method of claim 3, wherein the characteristic values include at least the file characteristic elements of file name, file attribute, copyright, version, signature, and file content.
- 5. The method according to claim 1, characterized in that the method further comprises: updating the feature library based on the file feature elements of the third-party irrelevant components collected by the client and the file feature elements issued by the server.
- 6. A process processing apparatus, comprising: a judging module, used for monitoring the loading behaviors of components in a process in real time and judging whether a component is a third-party irrelevant component; an identification module, used for identifying the file operation initiated by the third-party irrelevant component; and a setting module, used for setting the file object of the file operation to a state of not adopting encryption and decryption functions; wherein the judging whether the component is a third-party irrelevant component comprises: acquiring a characteristic value of the loaded component; matching the characteristic value with the characteristic values in the characteristic library, and judging whether the component is an irrelevant component according to whether the characteristic value matches a characteristic value in the characteristic library; and wherein the setting module is further configured for: scanning the trusted processes currently in a running state, and recording the address space of each thread component; determining a trusted process operation file according to the address space, and judging whether a judging process of whether the trusted process operation file is an irrelevant component thread or not based on the state of the file; if the related component thread is judged to be needed to be encrypted according to the strategy, if the operation type is to create a new file and cover an original file, call stack information of the operation is obtained, and the addresses in the stack are traced back; if a space address is in the address space of an unrelated component, then the file is considered to be generated by an unrelated component, and the file is not encrypted.
- 7. A processing equipment for a process, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus; the memory is used for storing a computer program; and the processor is used for implementing the steps of the method for processing a process according to any one of claims 1 to 5 when executing the program stored in the memory.
- 8. A computer-readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the processing method of the process according to any one of claims 1-5.
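The decision flow of claims 1 and 2 (feature-library match at load time, then call-stack attribution by address range) can be modelled as below. This is an added sketch, not code from the patent or its assignee: all names, signers and addresses are constructed, the feature value is reduced to file name plus signer, and operations other than create and overwrite are assumed to keep the process policy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added illustration: every name, signer and address here is constructed. */
typedef struct { const char *name, *signer; } Feature;
typedef struct { const char *name, *signer; uintptr_t base; size_t size; int unrelated; } Module;
typedef enum { OP_READ, OP_CREATE_NEW, OP_OVERWRITE } OpType;

/* Feature library of unrelated components, reduced to two feature elements. */
static const Feature FEATURE_LIB[] = {
    { "ime_helper.dll",  "Example IME Vendor" },
    { "skin_plugin.dll", "Example Theme Vendor" },
};
/* Constructed trusted process: host EXE, a matching IME DLL, a same-name DLL with another signer. */
static Module MODS[] = {
    { "editor.exe",      "Example Editor Vendor", 0x00400000u, 0x200000u, 0 },
    { "ime_helper.dll",  "Example IME Vendor",    0x10000000u, 0x080000u, 0 },
    { "skin_plugin.dll", "Unknown Signer",        0x20000000u, 0x040000u, 0 },
};

/* Load-time check: flag the module only if every feature element matches one entry. */
int classify_on_load(Module *m) {
    m->unrelated = 0;
    for (size_t i = 0; i < sizeof FEATURE_LIB / sizeof FEATURE_LIB[0]; i++)
        if (!strcmp(m->name, FEATURE_LIB[i].name) && !strcmp(m->signer, FEATURE_LIB[i].signer))
            m->unrelated = 1;
    return m->unrelated;
}
/* Map an address to the module whose [base, base + size) range contains it. */
const Module *module_for(const Module *mods, size_t n, uintptr_t addr) {
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size) return &mods[i];
    return NULL;
}
/* Returns 1 to encrypt under the trusted-process policy, 0 to leave the file unencrypted. */
int should_encrypt(const Module *mods, size_t n, OpType op, const uintptr_t *stack, size_t depth) {
    if (op != OP_CREATE_NEW && op != OP_OVERWRITE) return 1; /* assumption: other ops keep process policy */
    for (size_t i = 0; i < depth; i++) {                     /* trace back the stack addresses */
        const Module *m = module_for(mods, n, stack[i]);
        if (m && m->unrelated) return 0;                     /* frame inside an unrelated component */
    }
    return 1;
}
/* Decide for a two-frame stack: the given innermost frame, then a frame in the host EXE. */
int sample_decision(OpType op, uintptr_t inner_frame) {
    uintptr_t stack[2] = { inner_frame, 0x00401a2cu };
    for (size_t i = 0; i < sizeof MODS / sizeof MODS[0]; i++) classify_on_load(&MODS[i]);
    return should_encrypt(MODS, sizeof MODS / sizeof MODS[0], op, stack, 2);
}
```

The third module shares a file name with a library entry but not its signer, so it is not exempted; matching on several feature elements rather than the name alone is what keeps a look-alike DLL under the trusted-process policy.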
Description
Process processing method and device
Technical Field
The present application relates to the field of computer technologies, and in particular to a method and an apparatus for processing a process.
Background
With the development of information technology, existing transparent encryption and decryption schemes, for reasons of policy configuration and maintenance difficulty and of running stability, basically carry out policy management and control with the process as the unit. That is, once a process is running and is judged to be a trusted process (a process to which encryption and decryption functions must be applied), the behaviors of all components of the process fall under the same policy. A trusted process is basically identified by matching the characteristic value of its executable program (such as an EXE under Windows); the behaviors of all components of the whole process (such as DLLs under Windows) are then regarded as behaviors of the process and are managed and controlled uniformly according to the policy of that executable program.
However, many functional components that are independent of the software, such as input methods and interface-beautification plug-ins (hereinafter collectively referred to as third-party independent components), have plug-ins that are injected into other software in order to run. The behavior of these plug-ins is in practice independent of the software they are injected into and needs no encryption or decryption, but because the components are loaded and executed inside the trusted process, their behavior is also governed by the policy of that trusted process.
Because a third-party independent component can be injected into both trusted and untrusted processes, it behaves the same way in processes that apply different policies, for example reading and writing the same files. If the component creates some encrypted files in a trusted process and then operates on those files in an untrusted process, the functions of the third-party independent component cannot be used normally, or the injected software crashes because the functions of the third-party independent component cannot be analyzed normally.
Disclosure of Invention
In order to solve the above technical problems, or at least partially solve them, the application provides a process processing method and a process processing device.
In a first aspect, an embodiment of the present application provides a method for processing a process, where the method is applied to a client and includes: monitoring loading behaviors of components in a process in real time, and judging whether a component is a third-party irrelevant component; if yes, identifying the file operation initiated by the third-party irrelevant component; and setting the file object of the file operation to a state of not adopting encryption and decryption functions.
In an optional embodiment of the application, the judging whether the component is a third-party independent component includes: acquiring a characteristic value of the loaded component; and matching the characteristic value with the characteristic values in the characteristic library, and judging whether the component is an irrelevant component according to whether the characteristic value matches a characteristic value in the characteristic library.
In an alternative embodiment of the present application, the identifying of the file operation initiated by the third-party independent component includes: acquiring an address space of the third-party independent component; and determining the file operation initiated by the third-party irrelevant component according to the address space.
In an optional embodiment of the present application, before the monitoring of the loading behavior of the component in real time and the judging of whether the component is a third-party independent component, the method further includes: creating a third-party irrelevant component feature library, wherein the third-party irrelevant component feature library comprises feature values of the third-party irrelevant components.
In an alternative embodiment of the present application, the characteristic values include at least file characteristic elements including file name, file attribute, copyright, version, signature, and file content.
In an alternative embodiment of the present application, the method further includes: updating the feature library based on the collected file feature elements and the file feature elements issued by the server.
In an alternative embodiment of the present application, the method further includes: scanning the trusted processes currently in a running state, and recording the address space of each thread component; determining a trusted pr