CN103077350A - Searching and killing method and system for malicious code - Google Patents

Searching and killing method and system for malicious code

Info

Publication number
CN103077350A
Authority
CN
China
Prior art keywords
operating system
terminal
external storage
startup options
boot files
Prior art date
Legal status (assumed by Google Patents; not a legal conclusion)
Granted
Application number
CN2012105400567A
Other languages
Chinese (zh)
Other versions
CN103077350B (en)
Inventor
马贞辉
谭合力
邵坚磊
姚彤
Current Assignee (as listed by Google Patents; may be inaccurate)
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date (assumed by Google Patents; not a legal conclusion)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201210540056.7A (patent/CN103077350B/en)
Publication of CN103077350A (patent/CN103077350A/en)
Application granted
Publication of CN103077350B (patent/CN103077350B/en)
Legal status: Active (current)
Anticipated expiration
Abstract

The invention discloses a searching and killing method and a searching and killing system for malicious code, in order to solve the problem that malicious code cannot be searched for and removed after a terminal has been infected by it. A first operating system is configured in the terminal; a second operating system is configured in an external storage device; and security software is installed in the second operating system. The method comprises the following steps: adding a startup option for the second operating system to the boot menu (startup item) of the terminal in advance; after entering the boot menu of the terminal, selecting the startup option of the second operating system and entering the second operating system configured in the storage device; and starting the security software in the second operating system and scanning the terminal so as to search for and remove the malicious code.

Description

Malicious code scanning-and-removal method and system
Technical field
The present invention relates to computer security technology, and in particular to a method and system for scanning for and removing malicious code.
Background art
After a terminal is infected by malicious code such as a virus or Trojan horse, the malicious code can invade the terminal's operating system and destroy the data on the hard disk. Moreover, in the boot sequence of the terminal's operating system, the process of the security software is usually located after the process of the malicious code, so the malicious code's driver executes before the security software's.
Because its driver executes first, the malicious code can perform certain operations in the system to avoid being removed. For example, the malicious code can hide its own files, processes, modules and other data, so that the security software cannot find the malicious code's data when it scans the system. As another example, the malicious code can attack the operating system, modify the security software's trust list, block the security software's network access, alter the security software's scan results and so on, so that the security software fails to load or fails to remove it, and the malicious code thereby achieves its aim of avoiding removal.
Therefore, once a terminal is infected by malicious code, the security software becomes ineffective and can no longer guarantee the security of the terminal.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a malicious code scanning-and-removal system, and a corresponding scanning-and-removal method, that overcome or at least partly solve the above problems.
According to one aspect of the present invention, a malicious code scanning-and-removal method is provided, in which a first operating system is configured in a terminal, a second operating system is configured in an external storage device, and security software is installed in the second operating system; the method comprises:
adding in advance a startup option for the second operating system to the terminal's boot menu (startup item);
after entering the terminal's boot menu, selecting the startup option of the second operating system to enter the second operating system configured in the storage device; and
starting the security software in the second operating system and scanning the terminal to detect and remove malicious code.
In an embodiment of the invention, adding the startup option of the second operating system to the terminal's boot menu in advance comprises: writing a boot file to the terminal's system disk, the boot file pointing to the second operating system; and adding a startup option to the terminal's boot menu, the startup option pointing to the boot file.
In an embodiment of the invention, selecting the startup option of the second operating system to enter the second operating system configured in the storage device comprises: triggering the boot file by selecting the startup option of the second operating system; using the boot file to search for the external storage device; and reading data or a configuration file in the external storage device and starting the second operating system.
In an embodiment of the invention, the external storage device has a device type, and using the boot file to search for the external storage device comprises: the boot file triggering a system boot file to obtain the terminal's hardware devices; and searching for the external storage device among those hardware devices according to a device type parameter.
In an embodiment of the invention, the external storage device is a bootable storage device that contains a Master Boot Record, and reading the data or configuration file in the external storage device and starting the second operating system comprises: reading the data or configuration file of the external storage device and checking whether the Master Boot Record is present; and, if it is present, starting the Master Boot Record to enter the second operating system.
In an embodiment of the invention, reading the data or configuration file of the external storage device and checking whether the Master Boot Record is present comprises: reading the data or configuration file of any sector in the external storage device; and determining, according to the type of each partition table entry in that sector, whether the Master Boot Record is present.
In an embodiment of the invention, the external storage device is a removable disk, including a USB flash drive, portable hard drive, mobile phone, wireless Internet access terminal or memory card.
According to another aspect of the invention, a malicious code scanning-and-removal system is provided, comprising a terminal and an external storage device, wherein a first operating system is configured in the terminal, a second operating system is configured in the external storage device, and security software is configured in the second operating system;
the terminal comprises:
an adding module, configured to add in advance a startup option for the second operating system to the boot menu; and
a start module, configured to select, after the terminal's boot menu is entered, the startup option of the second operating system so as to enter the second operating system configured in the storage device;
and the external storage device comprises:
a removal module, configured to start the security software of the second operating system and scan for and remove malicious code in the terminal.
In an embodiment of the invention, the adding module comprises: a writing submodule, configured to write a boot file to the terminal's system disk, the boot file pointing to the second operating system; and an adding submodule, configured to add a startup option to the terminal's boot menu, the startup option pointing to the boot file.
In an embodiment of the invention, the start module comprises: a trigger submodule, configured to trigger the boot file when the startup option of the second operating system is selected; a search submodule, configured to use the boot file to search for the external storage device; and a reading submodule, configured to read the data or configuration file of the external storage device and start the second operating system.
In an embodiment of the invention, the external storage device has a device type, and the search submodule is specifically configured to have the boot file trigger a system boot file to obtain the terminal's hardware devices, and to search for the external storage device among those hardware devices according to the device type parameter.
In an embodiment of the invention, the external storage device is a bootable storage device containing a Master Boot Record, and the external storage device further comprises a bootstrap module configured to enter the second operating system according to the Master Boot Record; the reading submodule is then specifically configured to read the data or configuration file of the external storage device, check whether the Master Boot Record is present and, if it is, start the Master Boot Record.
In an embodiment of the invention, the reading submodule is specifically configured to read the data or configuration file of any sector of the external storage device and to determine, according to the type of each partition table entry in that sector, whether the Master Boot Record is present.
In an embodiment of the invention, the external storage device is a removable disk, including a USB flash drive, portable hard drive, mobile phone, wireless Internet access terminal or memory card.
In the embodiment of the invention, a first operating system is configured in the terminal, a second operating system is configured in the external storage device, and security software is installed in the second operating system. A startup option for the second operating system can therefore be added to the terminal's boot menu, so that when the terminal starts it can enter the second operating system and use the security software there to scan the terminal and remove malicious code. While the terminal's first operating system is in use, the data of the second operating system is isolated from the terminal; even if the terminal is compromised by malicious code, the data in the second operating system remains clean, and the security software in it can protect the data in the terminal.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be more clearly understood and implemented according to the content of the specification, and that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the invention. Throughout the drawings, identical parts are denoted by identical reference symbols. In the drawings:
Fig. 1 shows a flow chart of the malicious code scanning-and-removal method according to one embodiment of the invention;
Fig. 2 shows a flow chart of the method of entering the second operating system according to one embodiment of the invention;
Fig. 3 shows a flow chart of the operation of the boot file according to an embodiment of the invention;
Fig. 4 shows a structural diagram of the malicious code scanning-and-removal system according to one embodiment of the invention;
Fig. 5 shows a structural diagram of the terminal according to one embodiment of the invention.
Embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set out here. Rather, these embodiments are provided so that the disclosure is understood more thoroughly and its scope is fully conveyed to those skilled in the art.
After a terminal is infected by malicious code such as a virus or Trojan horse, the malicious code can invade the terminal's operating system, destroy data on the hard disk, steal user information and so on. To protect data and user privacy, security software can therefore be used to scan for and remove the virus. Security software here means any program that can remove known harmful malicious code, such as viruses and Trojan horses, from a computer, for example antivirus software, system tools and anti-rogue software.
However, to avoid being removed, malicious code usually changes the boot sequence of the terminal's operating system so that the malicious process sits at the front of the sequence and the security software's process comes after it, so that the malicious code's driver executes before the security software's.
Because its driver executes first, the malicious code can perform certain operations in the system to avoid being removed. For example, the malicious code can hide its own files, processes, modules and other data, so that the security software cannot find the malicious code's data when it scans the system. As another example, the malicious code can attack the operating system, modify the security software's trust list, block the security software's network access, alter the security software's scan results and so on, so that the security software fails to load or fails to remove it, and the malicious code thereby achieves its aim of avoiding removal.
Therefore, once a terminal is infected by malicious code, the security software becomes ineffective and can no longer guarantee the security of the terminal.
In view of this, the embodiment of the invention provides a malicious code scanning-and-removal method that introduces, for the terminal, an operating system held in an external storage device, and uses the security software in that operating system to scan the terminal and remove the malicious code in it.
In the embodiment of the invention, the operating system in the terminal is called the first operating system and the operating system in the external storage device is called the second operating system; security software is installed in the second operating system so that it can be used to protect the data. Of course, antivirus software can also be installed in the first operating system, so that the terminal's data is also protected while the first operating system is in use.
Thus a first operating system is configured in the terminal, a second operating system is configured in the external storage device, and security software is installed in the second operating system. The first operating system and the second operating system can be Windows, Linux or others; the embodiment of the invention places no restriction on this.
Fig. 1 shows a flow chart of the malicious code scanning-and-removal method according to one embodiment of the invention.
Step 101: add in advance a startup option for the second operating system to the terminal's boot menu.
After infection by a virus, the security software in the terminal's first operating system can no longer protect the system, so to guarantee the security of the terminal's data an external second operating system can be introduced. The second operating system is configured in an external storage device, so its data is independent of the terminal; if the external storage device was not connected when the terminal was infected, the second operating system cannot have been infected, and its data is clean.
Once the terminal has booted this second operating system, the security software in it can scan the data in the terminal and in the external storage device, thereby protecting the data in both. Booting the second operating system in the terminal means starting the terminal and entering the second operating system.
When the terminal starts it first enters the boot menu, where the startup options allow a choice of where to go, such as safe mode, the first operating system or the second operating system. Adding a startup option for the second operating system to the terminal's boot menu in advance therefore means adding a startup option to the boot menu that points to the second operating system in the external storage device.
In the embodiment of the invention, adding in advance the startup option of the second operating system to the terminal's boot menu comprises:
writing a boot file to the terminal's system disk, the boot file pointing to the second operating system; and adding a startup option to the terminal's boot menu, the startup option pointing to the boot file.
First, a boot file is written to the terminal's system disk, for example by using WriteFile to place the boot file on the system disk. The system disk is the part of the terminal's hard disk mainly used to store the terminal's operating system data, such as the C: drive. The boot file is an executable file used to boot into a corresponding operating system.
In the embodiment of the present application the boot file points to the second operating system in the external storage device; that is, once the boot file is invoked it can be used to boot into the second operating system.
Next, a startup option is added to the terminal's boot menu and made to point to the boot file, so that selecting that startup option later leads to the boot file. Specifically, the operation of adding a startup option to the boot menu differs depending on the first operating system.
Taking Windows as an example: if the first operating system is Windows XP or Windows 2003, the startup option can be added through the system file boot.ini. Specifically, when using boot.ini the system's application programming interface (API) can be called to add the boot entry; the APIs can include GetPrivateProfileInt, WritePrivateProfileString, GetPrivateProfileString and WritePrivateProfileInt.
As another example, on Vista, Windows 7 and Windows 8 the system tool bcdedit.exe can be used to add the startup option; the bcdedit.exe functions used can include: 1. copy {current}; 2. displayorder; 3. addlast.
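The boot.ini step above, as an added example that is not code from the patent or from its assignee: it adds an [operating systems] entry pointing at the boot file written in step 101, and re-enables the boot menu if its timeout is 0 (otherwise the new option could never be chosen). The path C:\rescue.bin, the description text, and the convention that an entry of the form C:\file="Description" names a boot-sector file for NTLDR to load are assumptions; the sample boot.ini is constructed.

```python
"""Add a startup option to a Windows XP/2003 boot.ini pointing at a boot file on
the system disk. Example code added by the editor, not from the patent.
Assumptions: boot.ini is INI text with [boot loader] and [operating systems]
sections, and an [operating systems] entry of the form  C:\file="Description"
names a boot-sector file on the system partition for NTLDR to load."""

BOOT_FILE = r"C:\rescue.bin"              # assumed path of the boot file from step 101
DESCRIPTION = "Second OS (rescue scan)"   # menu text the startup option will show
MENU_TIMEOUT = 30                         # seconds; a timeout of 0 skips the menu


def parse_boot_ini(text):
    """Return {section: [(key, value), ...]} preserving order; comments are dropped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def render_boot_ini(sections):
    """Serialise the parsed structure back to boot.ini text."""
    out = []
    for name, items in sections.items():
        out.append(f"[{name}]")
        out.extend(f"{key}={value}" for key, value in items)
    return "\n".join(out) + "\n"


def add_startup_option(text, boot_file=BOOT_FILE, description=DESCRIPTION):
    """Add the boot-file entry to [operating systems] unless it is already there.
    Returns (new_text, added) so the caller can tell whether the file changed."""
    sections = parse_boot_ini(text)
    if "boot loader" not in sections or "operating systems" not in sections:
        raise ValueError("not a boot.ini: [boot loader] or [operating systems] missing")
    entries = sections["operating systems"]
    if any(key.lower() == boot_file.lower() for key, _ in entries):
        return text, False
    entries.append((boot_file, f'"{description}"'))
    # The menu is only shown when the timeout is non-zero; with timeout=0 the
    # default entry boots at once and the new option could never be selected.
    loader = sections["boot loader"]
    for i, (key, value) in enumerate(loader):
        if key.lower() == "timeout" and value.strip() == "0":
            loader[i] = (key, str(MENU_TIMEOUT))
    return render_boot_ini(sections), True


# Constructed sample boot.ini for demonstration (not taken from a real machine).
SAMPLE_BOOT_INI = """[boot loader]
timeout=0
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""

if __name__ == "__main__":
    updated, added = add_startup_option(SAMPLE_BOOT_INI)
    print(updated)
```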
Step 102: after entering the terminal's boot menu, select the startup option of the second operating system to enter the second operating system configured in the storage device.
Once the startup option of the second operating system has been added to the terminal's boot menu, the terminal can be started and, after the boot menu is entered, the startup option of the second operating system selected; this triggers the boot file that the startup option points to, and the boot file then enters the second operating system in the external storage device.
Fig. 2 shows a flow chart of the method of entering the second operating system according to one embodiment of the invention.
Selecting the startup option of the second operating system to enter the second operating system configured in the storage device comprises:
Step 201: trigger the boot file by selecting the startup option of the second operating system.
After the terminal starts and enters the boot menu, the startup option of the second operating system can be selected; since that option points to the boot file, the boot file is triggered.
Step 202: use the boot file to search for the external storage device.
Once the boot file is triggered, the corresponding operations are carried out according to its configuration; specifically, the boot file first searches for the external storage device.
Different files can be distinguished by their suffix, such as .exe or .ini, so the boot file configured in the embodiment of the invention can be located by name, suffix and so on.
In practice, hardware devices come in many types, such as hard disks, external storage devices, graphics cards, sound cards, network cards, displays, keyboards, mice and printers, or USB flash drives, portable hard drives, mobile phones, wireless Internet access terminals and memory cards.
Therefore, within the terminal a device type parameter can be used to distinguish the hardware devices.
As technology develops, external storage devices have also become more varied, such as floppy disks and hard disks, or USB flash drives and DVDs; device types can therefore be used to distinguish the different external storage devices. That is, the external storage device has a device type, and in the terminal a device type parameter can be used to mark the type of each external storage device.
Using the boot file to search for the external storage device comprises:
the boot file triggering a system boot file to obtain the terminal's hardware devices; and searching for the external storage device among those hardware devices according to the device type parameter.
The system boot file can be NTDETECT.COM, which is used to collect information on each hardware device in the terminal and thus enumerate the terminal's hardware devices.
For example, NTDETECT.COM can collect hardware information of the following kinds: system firmware information such as time and date; the type of bus adapter; the type of video adapter; keyboard; communication ports; disks; floppy drives; input devices such as the mouse; parallel ports; ISA devices installed in ISA slots; and an operating system such as Windows XP can prompt the user on screen during the Windows startup process.
In the embodiment of the invention the boot file triggers the system boot file, which enumerates the hardware devices in the terminal according to each device type parameter, so that hardware devices of every type in the terminal are obtained; the external storage device of each device type can then be found among those hardware devices according to the device type parameter, for example by searching for disks or hard disks, or, in more detail, for USB-type flash drives.
Step 203: read the data in the external storage device and start the second operating system.
The data in the external storage device can then be read to obtain the data relevant to booting, and the second operating system started.
In the embodiment of the invention, the external storage device is a bootable storage device, which contains a Master Boot Record.
A bootable storage device is a storage device that can be started by a boot operation. A bootable storage device contains a Master Boot Record (MBR), also called the master boot program. The MBR is generally understood in a broad and a narrow sense: the broad-sense MBR comprises the whole sector (boot code, partition table and end-of-sector signature), while the narrow-sense MBR refers only to the boot code.
When the terminal is powered on and the motherboard self-test completes, the MBR is the first thing read: it is located at head 0, track 0, sector 1 of the hard disk, is 512 bytes in size, does not belong to any operating system and cannot be read with the disk commands the operating system provides. The boot-sector viruses that flourished in the DOS era mostly resided here.
Reading the data or configuration file in the external storage device and starting the second operating system comprises:
reading the data or configuration file of the external storage device and checking whether the Master Boot Record is present; and, if it is present, starting the Master Boot Record to enter the second operating system.
Several external storage devices may be inserted in the terminal, so the external storage devices can be searched one at a time: the data or configuration file of each is read in turn and checked for the MBR; if no MBR is present, the next external storage device is read and checked. If the MBR is present, it is started, and the second operating system is entered through it.
Further, reading the data or configuration file of the external storage device and checking whether the Master Boot Record is present comprises:
reading the data or configuration file of any sector in the external storage device; and determining, according to the type of each partition table entry in that sector, whether the Master Boot Record is present.
Take the first sector as an example. The first sector is the first sector of the storage device; it is normally 512 bytes and its last 2 bytes are 55AA. In the embodiment of the invention, when the boot file is written to the terminal's system disk, the external storage device can also be inserted and boot-related data written to it, for example a custom mark such as 360F written in the third and fourth bytes from the end of the first sector. When the boot file finds the external storage device and reads the data or configuration file in the first sector, it can therefore check whether the third and fourth bytes from the end hold 360F; if so, the boot code is considered complete, that is, a Master Boot Record is present. The external storage device can thus be configured as a bootable external storage device, that is, one that can boot on its own.
Assuming the Master Boot Record is located in the first sector of the storage device, the first sector of the external storage device is located, the data or configuration file in it is read, and then, according to the type of each partition table entry in the first sector (specifically, the type of the partition table entry can be determined from the custom mark written in advance to the external storage device), it is checked whether bootable data is present, that is, whether the Master Boot Record is present.
Of course, the custom mark can also be written in other sectors of the external storage device, such as a certain position in the second or third sector. Thus if no Master Boot Record is found in the first sector, other sectors can also be searched. If the custom mark is written to another sector, the operation of searching for the Master Boot Record is essentially the same as searching the first sector; the search of the first sector is discussed here only as an example and should not be taken as limiting the embodiment of the invention.
For example, if the external storage device is a USB flash drive, a kind of USB-type disk, the data of the flash drive can be read; specifically any sector of the flash drive is read and, according to the type of each partition table entry in that sector, it is checked whether bootable data, that is an MBR, is present. Once the MBR is found, the second operating system can be entered under the MBR's guidance.
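The sector check described above, as an added example that is not code from the patent or from its assignee: it tests a 512-byte first sector for the 55AA signature in the last two bytes, the custom mark 360F in the third and fourth bytes from the end, and the partition table entries, and walks a list of candidate devices in order the way the text describes. The placement of the mark at bytes 508..509, the standard MBR partition-table layout at offset 446, and the requirement of an active partition are assumptions; the sample sectors are constructed.

```python
"""Check whether a 512-byte sector read from an external storage device holds a
bootable Master Boot Record, using the tests described above: the 55AA signature
in the last two bytes, the custom mark 360F in the third and fourth bytes from the
end, and the type of each partition table entry. Example code added by the editor,
not from the patent; the placement of the mark at bytes 508..509 and the standard
MBR partition-table layout are assumptions, and the sample sector is constructed."""
import struct

SECTOR_SIZE = 512
SIGNATURE = b"\x55\xAA"                  # bytes 510..511 of a valid boot sector
CUSTOM_MARK = bytes.fromhex("360F")      # the patent's example mark, bytes 508..509 (assumed)
PARTITION_TABLE_OFFSET = 446             # four 16-byte entries immediately precede the signature
ACTIVE_FLAG = 0x80                       # status byte marking the active (bootable) partition
ENTRY_FORMAT = "<B3xB3xII"               # status, CHS start (skipped), type, CHS end (skipped), LBA, count


def parse_partition_table(sector):
    """Return the non-empty partition entries of the sector (type 0 means unused)."""
    entries = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, sector_count = struct.unpack_from(ENTRY_FORMAT, sector, offset)
        if ptype != 0:
            entries.append({"active": status == ACTIVE_FLAG, "type": ptype,
                            "lba_start": lba_start, "sectors": sector_count})
    return entries


def inspect_sector(sector):
    """Describe the sector: signature, custom mark, partition entries, and the
    overall verdict used to decide whether to hand control to this device."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    has_signature = sector[510:512] == SIGNATURE
    has_mark = sector[508:510] == CUSTOM_MARK
    # Only interpret the partition table if the sector is a boot sector at all.
    partitions = parse_partition_table(sector) if has_signature else []
    active = [p for p in partitions if p["active"]]
    return {
        "signature": has_signature,
        "custom_mark": has_mark,
        "partitions": partitions,
        "active_partition": active[0] if active else None,
        # All three checks must pass: a 55AA on an unprepared disk, or a mark
        # without a usable partition table, is not the second OS's MBR.
        "is_second_os_mbr": has_signature and has_mark and bool(active),
    }


def find_second_os_device(devices):
    """Walk candidate devices in order, as the passage describes, reading each
    one's first sector; return the name of the first device that passes."""
    for name, first_sector in devices:
        if inspect_sector(first_sector)["is_second_os_mbr"]:
            return name
    return None


def build_sample_sector(with_mark=True, active=True, with_signature=True):
    """Construct a synthetic MBR for demonstration (not real device data)."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"        # a jump at the start of the boot code; cosmetic here
    entry = struct.pack(ENTRY_FORMAT, ACTIVE_FLAG if active else 0x00,
                        0x0C, 2048, 1_000_000)   # one FAT32 (LBA) partition
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    if with_mark:
        sector[508:510] = CUSTOM_MARK
    if with_signature:
        sector[510:512] = SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    # Constructed devices: an internal disk without the mark, then a prepared flash drive.
    devices = [("internal-disk", build_sample_sector(with_mark=False)),
               ("usb-flash", build_sample_sector())]
    print(find_second_os_device(devices))  # usb-flash
```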
In practice, the process of starting the terminal is usually:
1. the terminal is powered on and the motherboard performs its self-test;
2. the motherboard BIOS starts from the floppy disk, hard disk or optical drive according to the boot order set in the terminal;
3. the BIOS reads the Master Boot Record (MBR) into memory;
4. the BIOS hands control to the MBR;
5. the MBR checks the state of the partition table and looks for the active partition;
6. the master boot program hands control to the boot record of the active partition, which loads the operating system's startup files and starts the corresponding operating system.
In the embodiment of the invention, because the startup option selected in the terminal is that of the second operating system, in step 3 the BIOS reads the boot file into memory and then hands control to the boot file.
Fig. 3 shows a flow chart of the operation of the boot file according to an embodiment of the invention.
Step 301: open the external storage device.
Step 302: read the data or configuration file of the first n boot sectors of the external storage device into memory at address X.
A boot sector here means a sector of the external storage device; since each sector holds 512 bytes of data, the data read into memory amounts to n*512 bytes.
Step 303: jump to address X, where the data or configuration file from the external storage device now resides in memory.
That is, the master boot program in the first n boot sectors hands control to the subsequent boot record.
Step 304: after the data or configuration file at address X has been executed, load the second operating system.
That is, after the boot record runs, it loads the startup files of the second operating system and starts the second operating system.
Step 103: start the security software in the second operating system and scan the terminal to search for and kill malicious code.
After entering the second operating system, the security software in it can be started and used to scan the data stored in the terminal and in the external storage space, thereby detecting whether malicious code such as a virus is present.
Thus, in the embodiment of the invention, when the first operating system of the terminal has been infected with malicious code and the security software of the first operating system can no longer protect the safety of the system, the terminal can be restarted with the external storage inserted, the second operating system entered, and its security software used to search for and kill the malicious code.
Alternatively, the external storage can be inserted every time the terminal is started; after entering the startup item of the terminal, the startup option of the second operating system is selected, the second operating system is entered, and its security software performs the search and kill. Only after confirming that there is no problem is the first operating system entered.
In the above process, to guarantee the safety of the data in the second operating system, so that the security software in the second operating system can protect the safety of the data in the terminal, the external storage configured with the second operating system may be isolated from the terminal before the second operating system is entered; that is, while the first operating system runs in the terminal, the external storage configured with the second operating system is not connected to the terminal, thereby guaranteeing the safety of the data in the external storage.
In the embodiment of the invention, the external storage is a removable disk, including: a flash disk, a portable hard drive, a mobile phone, a wireless Internet access terminal and a memory card.
For example, one kind of malicious code is the "Taobao visitor" driver trojan. After a terminal is infected with this trojan, the trojan disconnects the terminal's network, and its driver hides the trojan's own files and processes. Because the network is down, the security software cannot connect to the cloud antivirus engine and therefore cannot kill this trojan.
In the embodiment of the invention, suppose the second operating system is a WinPE system. After the terminal is infected with malicious code such as the "Taobao visitor" driver trojan, the terminal can be restarted with the external storage inserted and the WinPE system entered; the security software is then started in the WinPE system to search for and kill the malicious code. The embodiment of the invention does not require the user to configure the BIOS manually, so the operation is very simple and convenient.
Here WinPE refers to the Windows Preinstall Environment, i.e. Windows PE, a minimal Win32 subsystem with limited services, based on the Windows XP Professional kernel running in protected mode. It includes the minimum functionality required to run Windows Setup and scripts, connect to network shares, automate basic processes, and perform hardware verification.
In summary, in the embodiment of the invention a first operating system is configured in the terminal, a second operating system is configured in the external storage, and security software is installed in the second operating system. The startup option of the second operating system can therefore be added to the startup item of the terminal, so that when the terminal starts the second operating system is entered and its security software scans the terminal to search for and kill malicious code. While the first operating system of the terminal is in use, the data of the second operating system is kept isolated from the terminal; so even if the terminal is invaded by malicious code, the data of the second operating system remains safe, and the security software in it can protect the safety of the data in the terminal.
Secondly, the embodiment of the invention can write a boot file to the system disk of the terminal and point the startup option added in the terminal to that boot file, so that the boot file guides entry into the second operating system. This method is simple to operate and can complete the modification of the startup item automatically.
Furthermore, the embodiment of the invention can use the boot file to trigger a system boot file such as NTDETECT.COM, which collects information on each hardware device in the terminal; the hardware devices in the terminal are thus enumerated, and the external storage is located according to its device type, which is a simple lookup method.
Furthermore, the external storage in the embodiment of the invention is a removable disk, including a flash disk, a portable hard drive and a memory card; the variety of kinds satisfies the needs of all types of users.
Fig. 4 shows the structure of the malicious code search-and-kill system according to one embodiment of the invention.
The embodiment of the invention also provides a malicious code search-and-kill system, comprising: a terminal 1 and an external storage 2, wherein a first operating system is configured in the terminal 1, a second operating system is configured in the external storage 2, and security software is configured in the second operating system.
The terminal 1 comprises:
an adding module 11, for adding the startup option of the second operating system to the startup item in advance;
a start module 12, for selecting the startup option of the second operating system after entering the startup item of the terminal, so as to enter the second operating system configured in the storage device;
The external storage 2 comprises:
a killing module 22, for starting the security software of the second operating system to search for and kill malicious code in the terminal.
Fig. 5 shows the structure of the terminal according to one embodiment of the invention.
In the embodiment of the invention, the adding module 11 comprises:
a write submodule 111, for writing a boot file to the system disk of the terminal, the boot file pointing to the second operating system;
an add submodule 112, for adding a startup option to the startup item of the terminal, the startup option pointing to the boot file.
In the embodiment of the invention, the start module 12 comprises:
a trigger submodule 121, for triggering the boot file by selecting the startup option of the second operating system;
a search submodule 122, for using the boot file to search for the external storage;
a reading submodule 123, for reading the data or configuration file of the external storage to start the second operating system.
In the embodiment of the invention, the external storage has a certain device type; the search submodule 122 is specifically used to have the boot file trigger a system boot file to obtain the hardware devices of the terminal, and to search for the external storage among those hardware devices according to the device type parameter.
In the embodiment of the invention, when the external storage is a bootable storage device, the bootable storage device contains a Master Boot Record, and the external storage 2 further comprises: a bootstrap module 21;
the bootstrap module 21 is used to enter the second operating system according to the Master Boot Record;
the reading submodule 122 is then specifically used to read the data or configuration file of the external storage and to search for whether the Master Boot Record exists; if the Master Boot Record exists, it is started.
In the embodiment of the invention, the reading submodule 122 is specifically used to read the data or configuration file of an arbitrary sector of the external storage and to determine, from the type of each partition table entry in that sector, whether the Master Boot Record exists.
In the embodiment of the invention, the external storage is a removable disk, including: a flash disk, a portable hard drive, a mobile phone, a wireless Internet access terminal and a memory card.
The algorithms and displays provided here are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used with the teaching herein. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described here, and that the description given above of a specific language is intended to disclose the preferred embodiment of the invention.
In the specification provided here, a large number of specific details are described. It will be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to help in understanding one or more of the inventive aspects, in the description of exemplary embodiments of the invention the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in fewer than all features of a single disclosed embodiment. The claims following the detailed description are therefore hereby expressly incorporated into it, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the equipment of an embodiment may be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. Modules, units or components of an embodiment may be combined into one module, unit or component, and may moreover be divided into multiple submodules, subunits or subcomponents. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some features but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of them. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may in practice be used to implement some or all of the functions of some or all of the components of the terminal and the external storage according to the embodiment of the invention. The invention may also be implemented as equipment or device programs (for example, computer programs and computer program products) for carrying out part or all of the methods described herein. Such programs implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any order; these words may be interpreted as names.

Claims (14)