Summary of the invention
The embodiments of the invention disclose a data processing method and device that prevent hardware data from being tampered with, which would otherwise cause terminal data to be destroyed and affect the user experience. The specific scheme is as follows:
In one aspect, an embodiment of the invention provides a data processing method applied to a first application program, the method comprising:
intercepting a data manipulation instruction concerning hardware data sent by a second application program, the data manipulation instruction carrying the identification information of the second application program and the operation type of the operation to be performed on the hardware data;
judging whether the operation type is a preset protection type;
when the operation type is the preset protection type, determining, according to the identification information of the second application program, the target process path corresponding to the second application program;
judging whether the target process path belongs to a preset process path set;
if so, discarding the data manipulation instruction.
Preferably, the preset process path set includes the process path of at least one predetermined malicious application.
Preferably, the data manipulation instruction also carries the type value of the hardware data;
before the target process path corresponding to the second application program is determined according to the identification information of the second application program, the data processing method provided by the embodiment of the invention further comprises:
judging whether the type value is present in a preset type value set and, if so, executing the step of determining the target process path corresponding to the second application program according to the identification information of the second application program.
Preferably, intercepting the data manipulation instruction concerning hardware data sent by the second application program comprises:
based on an NtSystemDebugControl function hooked in advance, intercepting the data manipulation instruction concerning the hardware data that the second application program sends through the NtSystemDebugControl function.
Preferably, the data processing method provided by the embodiment of the invention further comprises:
when the operation type is not the preset protection type, calling the NtSystemDebugControl function to execute the data manipulation instruction.
Preferably, the operation type includes a write operation type or a read operation type;
the preset protection type includes the write operation type.
In another aspect, an embodiment of the invention provides a data processing device applied to a first application program, the device comprising: an operation instruction interception module, an operation type judgment module, a target process path determination module, a target process path judgment module and an operation instruction discard module;
the operation instruction interception module is used to intercept a data manipulation instruction concerning hardware data sent by a second application program, the data manipulation instruction carrying the identification information of the second application program and the operation type of the operation to be performed on the hardware data;
the operation type judgment module is used to judge whether the operation type is a preset protection type and, when the operation type is the preset protection type, to trigger the target process path determination module;
the target process path determination module is used to determine, according to the identification information of the second application program, the target process path corresponding to the second application program;
the target process path judgment module is used to judge whether the target process path belongs to a preset process path set and, if so, to trigger the operation instruction discard module;
the operation instruction discard module is used to discard the data manipulation instruction.
Preferably, the preset process path set includes the process path of at least one predetermined malicious application.
Preferably, the data manipulation instruction also carries the type value of the hardware data;
the device further comprises a type value judgment module;
the type value judgment module is used to judge whether the type value is present in a preset type value set and, if so, to trigger the target process path determination module.
Preferably, the operation instruction interception module is specifically used to:
based on an NtSystemDebugControl function hooked in advance, intercept the data manipulation instruction concerning the hardware data that the second application program sends through the NtSystemDebugControl function.
Preferably, the data processing device provided by the embodiment of the invention further comprises an operation instruction execution module;
the operation instruction execution module is used to call the NtSystemDebugControl function to execute the data manipulation instruction when the operation type is not the preset protection type.
Preferably, the operation type includes a write operation type or a read operation type;
the preset protection type includes the write operation type.
In this scheme, a data manipulation instruction concerning hardware data sent by a second application program is intercepted, the instruction carrying the identification information of the second application program and the operation type of the operation to be performed on the hardware data; whether the operation type is a preset protection type is judged; when the operation type is the preset protection type, the target process path corresponding to the second application program is determined according to the identification information of the second application program; whether the target process path belongs to a preset process path set is judged; if so, the data manipulation instruction is discarded. This prevents hardware data from being tampered with, which would otherwise cause terminal data to be destroyed and affect the user experience. Of course, a product or method implementing the invention does not necessarily need to achieve all of the above advantages at the same time.
Specific embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings of the embodiments. The described embodiments are obviously only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the protection scope of the invention.
The embodiments of the invention provide a data processing method and device that prevent hardware data from being tampered with, which would otherwise cause terminal data to be destroyed and affect the user experience.
The data processing method provided by the embodiments of the invention is introduced first.
It should be noted that the data processing method provided by the embodiment of the invention can be applied to a first application program, which can be installed on any terminal, such as a computer or a mobile phone. The functional software that implements the data processing method can be dedicated client software or a plug-in of other security software.
As shown in Figure 1, the data processing method provided by the embodiment of the invention may include the following steps:
S101: intercept a data manipulation instruction concerning hardware data sent by a second application program, the data manipulation instruction carrying the identification information of the second application program and the operation type of the operation to be performed on the hardware data;
It is understood that the first application program can be installed on any terminal and can, in a specific way, obtain the data manipulation instruction concerning hardware data sent by the second application program. The second application program can be any application program installed on the same terminal as the first application program that is able to send data manipulation instructions. The first application program can obtain the second application program's data manipulation instructions for any hardware data of the terminal.
S102: judge whether the operation type is a preset protection type and, if so, execute S103;
It is understood that a preset protection type is stored in advance on the terminal on which the first application program is installed. The preset protection type can be set by the terminal user, or set by default by the terminal according to the first application program. After the data manipulation instruction concerning hardware data sent by the second application program is intercepted, it can be judged whether the operation type of the operation that the instruction performs on the hardware data is the preset protection type, that is, the operation type is matched against the preset protection type. If the match succeeds, the judgment is yes and the subsequent data processing flow continues; if the match fails, the judgment is no and the data processing flow ends.
S103: determine, according to the identification information of the second application program, the target process path corresponding to the second application program;
In practical applications, the process identifier corresponding to the second application program can be determined from the identification information of the second application program using existing techniques, and the target process path corresponding to the second application program can then be found from the process identifier.
S104: judge whether the target process path belongs to a preset process path set and, if so, execute S105;
It should be noted that a preset process path set can be stored in advance. The set contains the process paths of all application programs whose data manipulation instructions need to be intercepted (discarded). The target process path is matched one by one against each process path in the preset process path set. If a match succeeds, the target process path is judged to belong to the preset process path set and the subsequent data protection flow continues; if no match succeeds, the target process path is judged not to belong to the preset process path set, and the data manipulation instruction is sent on and executed. The preset process path set may include the process path of at least one predetermined malicious application, so that malicious applications are prevented from destroying data on the terminal. The predetermined malicious applications can be determined from the various application programs encountered in practice.
S105: discard the data manipulation instruction.
It should be noted that, once the target process path has been judged to belong to the preset process path set, the data manipulation instruction can be regarded as an application program on the terminal (for example, a malicious application) operating on hardware data, and as an operation on the hardware data that is not wanted. The data manipulation instruction can then be discarded using existing techniques.
In addition, so that the user is better informed of the security state of the terminal they hold, prompt information can be output after the data manipulation instruction is discarded, to tell the user that the terminal is exposed to a security risk. The prompt information can be a sound prompt, a screen brightness prompt, a text message prompt, an interface jump prompt, and so on; the embodiment of the invention does not limit the form of the prompt. The prompt information can carry the identification information of the second application program, which serves to locate the second application program, so that the user can deal with the second application program according to the prompt information, for example by uninstalling it or restricting its permissions. Alternatively, the prompt can take the form of an interface jump, going directly to the terminal's program uninstall interface with the second application program located, so that the terminal user can deal with it. All of these are reasonable.
With the embodiment of the invention, a data manipulation instruction concerning hardware data sent by a second application program is intercepted, the instruction carrying the identification information of the second application program and the operation type of the operation to be performed on the hardware data; whether the operation type is a preset protection type is judged; when the operation type is the preset protection type, the target process path corresponding to the second application program is determined according to the identification information of the second application program; whether the target process path belongs to a preset process path set is judged, the preset process path set including the process path of at least one predetermined malicious application; if so, the data manipulation instruction is discarded. This prevents hardware data from being tampered with, which would otherwise cause terminal data to be destroyed and affect the user experience.
Further, in practical applications, the operation type of a data manipulation instruction directed at hardware data can include a write operation type or a read operation type. To improve the efficiency of data processing, not every data manipulation instruction needs to be processed; only data manipulation instructions whose operation type is the write operation type may be processed, in which case the preset protection type may include the write operation type. The subsequent data processing flow continues only when the operation type of the operation performed on the hardware data is the write operation type; otherwise the data manipulation instruction can be sent on and executed.
Further, the hardware data on a terminal differs in how critical it is to the security of the terminal's system. To improve the efficiency of data processing further, a preset type value set can be stored in advance according to that criticality. The set contains the type values of the hardware data whose criticality to the security of the terminal's system exceeds a certain threshold. The type values included in the preset type value set can be adjusted according to the actual situation. It should be noted that, after the operation type of the operation that the data manipulation instruction performs on the hardware data has been judged to be the preset protection type, it can further be judged whether the type value of the hardware data is in the preset type value set. If it is, the subsequent data processing flow continues; otherwise the data processing flow ends, which reduces the amount of data handled by subsequent processing. Specifically, as shown in Figure 2, the data manipulation instruction may also carry the type value of the hardware data;
before the target process path corresponding to the second application program is determined according to the identification information of the second application program (S103), the data processing method provided by the embodiment of the invention may further include:
S201: judge whether the type value is present in the preset type value set and, if so, execute S103.
In practical applications, several functions can be used to operate on hardware data. In one specific implementation, as shown in Figure 3, intercepting the data manipulation instruction concerning hardware data sent by the second application program (S101) may include:
S1011: based on an NtSystemDebugControl function hooked in advance, intercept the data manipulation instruction concerning the hardware data that the second application program sends through the NtSystemDebugControl function.
It should be noted that the NtSystemDebugControl function can be hooked in advance through the System Services Descriptor Table (SSDT). Inside the hooked NtSystemDebugControl function, the function NtSystemDebugControl can be called to send the data manipulation instruction on and carry out the data operation, or the data manipulation instruction can be discarded so that it cannot go on to carry out the subsequent data operation.
It is understood that the first application program can intercept all data manipulation instructions concerning hardware data sent by the second application program, and that the second application program can be any application program on the terminal on which the first application program is installed that is able to send data manipulation instructions concerning hardware data. The data processing method provided by the embodiment of the invention discards the data manipulation instructions that satisfy the various judgment conditions; a data manipulation instruction that fails at least one of the judgment conditions in the embodiment of the invention is not discarded. Specifically, as shown in Figure 3, the data processing method provided by the embodiment of the invention may further include:
S301: when the operation type is not the preset protection type, call the NtSystemDebugControl function to execute the data manipulation instruction.
It is understood that, inside the hooked NtSystemDebugControl function, the NtSystemDebugControl function can be called directly to execute the data manipulation instruction.
The data processing method provided by the embodiments of the invention is introduced below through a specific example.
A user's computer has a second application program A, a first application program B, and an NtSystemDebugControl function hooked in advance. When the second application program A calls the NtSystemDebugControl function to send data manipulation instruction 1, the first application program B intercepts data manipulation instruction 1 through the hooked NtSystemDebugControl function. The judgment finds that data manipulation instruction 1 was issued against hardware data by a malicious application (the second application program A) and performs a write operation on the hardware data, so the first application program discards data manipulation instruction 1. This prevents the hardware data from being tampered with, which would otherwise cause terminal data to be destroyed and affect the user experience.
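The decision flow of S101 to S105, together with the S201 type value check and the S301 pass-through, can be modelled in user space as follows. This is an added example, not code from the patent: the process table, the blocked path, the type values and the function names are all constructed for illustration, and forwarding an instruction whose sender cannot be resolved is an assumption.

```c
/* Added illustration: user-space model of the S101-S105 / S201 / S301 decision.
 * PIDs, paths and type values are constructed; none come from the patent. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

enum op_type { OP_READ, OP_WRITE };
enum verdict { FORWARD, DISCARD };

/* Intercepted data manipulation instruction (S101). */
struct hw_instr {
    unsigned pid;      /* identification information of the sender */
    enum op_type op;   /* operation type */
    int type_value;    /* type value of the hardware data */
};

struct proc_entry { unsigned pid; const char *path; };

/* Constructed stand-in for the PID-to-path lookup of S103. */
static const struct proc_entry proc_table[] = {
    { 1200, "C:\\Program Files\\Editor\\editor.exe" },
    { 3344, "C:\\Users\\Public\\Temp\\Updater.exe" },
};
/* Preset process path set (S104), constructed. */
static const char *const blocked_paths[] = {
    "c:\\users\\public\\temp\\updater.exe",
};
/* Preset type value set (S201), hypothetical values. */
static const int protected_types[] = { 1, 2 };

#define COUNT(a) (sizeof (a) / sizeof (a)[0])

static const char *path_for_pid(unsigned pid)
{
    for (size_t i = 0; i < COUNT(proc_table); i++)
        if (proc_table[i].pid == pid)
            return proc_table[i].path;
    return NULL;
}

/* Windows paths are case-insensitive, so compare ignoring ASCII case. */
static int path_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

enum verdict filter_instruction(const struct hw_instr *in)
{
    if (in->op != OP_WRITE)                 /* S102 fails: S301 pass-through */
        return FORWARD;
    int protected_type = 0;                 /* S201 */
    for (size_t i = 0; i < COUNT(protected_types); i++)
        if (protected_types[i] == in->type_value)
            protected_type = 1;
    if (!protected_type)
        return FORWARD;
    const char *path = path_for_pid(in->pid);   /* S103 */
    if (path == NULL)
        return FORWARD;   /* assumption: an unresolved sender is not discarded */
    for (size_t i = 0; i < COUNT(blocked_paths); i++)   /* S104 */
        if (path_equal(path, blocked_paths[i]))
            return DISCARD;                 /* S105 */
    return FORWARD;
}

/* Convenience wrapper so callers can pass the three fields directly. */
enum verdict decide(unsigned pid, enum op_type op, int type_value)
{
    struct hw_instr in = { pid, op, type_value };
    return filter_instruction(&in);
}

int main(void)
{
    printf("write from blocked path: %s\n",
           decide(3344, OP_WRITE, 1) == DISCARD ? "DISCARD" : "FORWARD");
    printf("read from blocked path:  %s\n",
           decide(3344, OP_READ, 1) == DISCARD ? "DISCARD" : "FORWARD");
    return 0;
}
```

Only the write from the blocked path satisfies every condition and is discarded; a read, an unlisted type value, an unlisted path or an unknown sender each fails one condition and is forwarded.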
Corresponding to the above method embodiment, an embodiment of the invention provides a data processing device that can be applied to a first application program. As shown in Figure 4, the device may include: an operation instruction interception module 401, an operation type judgment module 402, a target process path determination module 403, a target process path judgment module 404 and an operation instruction discard module 405;
the operation instruction interception module 401 is used to intercept a data manipulation instruction concerning hardware data sent by a second application program, the data manipulation instruction carrying the identification information of the second application program and the operation type of the operation to be performed on the hardware data;
the operation type judgment module 402 is used to judge whether the operation type is a preset protection type and, when the operation type is the preset protection type, to trigger the target process path determination module 403;
the target process path determination module 403 is used to determine, according to the identification information of the second application program, the target process path corresponding to the second application program;
the target process path judgment module 404 is used to judge whether the target process path belongs to a preset process path set and, if so, to trigger the operation instruction discard module 405;
the operation instruction discard module 405 is used to discard the data manipulation instruction.
With the embodiment of the invention, a data manipulation instruction concerning hardware data sent by a second application program is intercepted, the instruction carrying the identification information of the second application program and the operation type of the operation to be performed on the hardware data; whether the operation type is a preset protection type is judged; when the operation type is the preset protection type, the target process path corresponding to the second application program is determined according to the identification information of the second application program; whether the target process path belongs to a preset process path set is judged, the preset process path set including the process path of at least one predetermined malicious application; if so, the data manipulation instruction is discarded. This prevents hardware data from being tampered with, which would otherwise cause terminal data to be destroyed and affect the user experience.
Specifically, the preset process path set may include the process path of at least one predetermined malicious application.
Specifically, the data manipulation instruction also carries the type value of the hardware data;
as shown in Figure 5, the data processing device provided by the embodiment of the invention may further include a type value judgment module 501;
the type value judgment module 501 is used to judge whether the type value is present in a preset type value set and, if so, to trigger the target process path determination module 403.
Specifically, the operation instruction interception module 401 is specifically used to:
based on an NtSystemDebugControl function hooked in advance, intercept the data manipulation instruction concerning the hardware data that the second application program sends through the NtSystemDebugControl function.
Specifically, the data processing device provided by the embodiment of the invention may further include an operation instruction execution module;
the operation instruction execution module is used to call the NtSystemDebugControl function to execute the data manipulation instruction when the operation type is not the preset protection type.
Specifically, the operation type includes a write operation type or a read operation type;
the preset protection type includes the write operation type.
Because the system/device embodiment is substantially similar to the method embodiment, it is described relatively briefly; for the relevant parts, refer to the description of the method embodiment.
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" and any other variant of them are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements that are not explicitly listed, or elements inherent to that process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
A person of ordinary skill in the art will appreciate that all or some of the steps of the above method embodiment can be completed by a program instructing the relevant hardware, and that the program can be stored in a computer-readable storage medium. The storage medium referred to here is, for example, ROM/RAM, a magnetic disk or an optical disc.
The foregoing describes only preferred embodiments of the invention and is not intended to limit the protection scope of the invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention falls within the protection scope of the invention.