





Technical Field
The present application relates to the technical field of network security, and more specifically to a network protection method, apparatus and electronic device.
Background Art
In many enterprise network scenarios, policy restrictions on network access are required, such as adding blacklists and whitelists that allow or block specified processes, domain names, IP addresses, ports and the like from accessing the network.
Summary of the Invention
In view of this, the present application provides the following technical solutions:
A network protection method, comprising:
obtaining a first access instruction, the first access instruction being a request instruction to access a first physical page, the first physical page including first data and having a hook configured in it;
controlling a switch from a first working mode into a second working mode;
returning a second physical page corresponding to the first physical page, the second physical page including the first data.
Optionally, the method further comprises:
pre-configuring the hook in a first layer of the Internet protocol stack.
Optionally, pre-configuring the hook in the first layer of the Internet protocol stack comprises:
configuring the second physical page in the first layer of the Internet protocol stack;
copying the first data of the first physical page to the second physical page, the first data being data related to sending and receiving data;
configuring the hook in the first physical page.
Optionally, after the hook is configured in the first physical page, the method further comprises:
initializing the virtual machine configuration file VMX, comprising:
configuring the first physical page as execute-only and configuring the second physical page as readable and writable.
Optionally, configuring the first physical page as execute-only and configuring the second physical page as readable and writable comprises:
setting an extended page table, setting the first physical page in the extended page table as readable and writable, and setting the second physical page in the extended page table as execute-only.
Optionally, the first layer includes at least one of a network layer and a transport layer.
Optionally, the first layer includes the network layer, and the method further comprises:
extracting address identification data from access data through the hook added to the first physical page in the network layer, the address identification data including any one of a domain name, an IP address and a port identifier;
determining, based on the address identification data, that the current access is an illegal access;
intercepting the current access.
Optionally, the first layer includes the transport layer, and the method further comprises:
obtaining a process identifier of the current process through the hook configured in the first physical page in the transport layer;
determining, based on the process identifier, that the current process is an illegal process;
intercepting the current process.
The present application further discloses a network protection apparatus, comprising:
an instruction obtaining module, configured to obtain a first access instruction, the first access instruction being a request instruction to access a first physical page, the first physical page including first data and having a hook configured in it;
a mode switching module, configured to control a switch from a first working mode into a second working mode;
an instruction response module, configured to return a second physical page corresponding to the first physical page, the second physical page including the first data.
Further, the present application also discloses an electronic device, comprising:
a processor;
a memory for storing executable program instructions of the processor;
wherein the executable program instructions comprise: obtaining a first access instruction, the first access instruction being a request instruction to access a first physical page, the first physical page including first data and having a hook configured in it; controlling a switch from a first working mode into a second working mode; and returning a second physical page corresponding to the first physical page, the second physical page including the first data.
As can be seen from the above technical solutions, the embodiments of the present application disclose a network protection method, apparatus and electronic device. The method includes: obtaining a first access instruction, the first access instruction being a request instruction to access a first physical page, the first physical page including first data and having a hook configured in it; controlling a switch from a first working mode into a second working mode; and returning a second physical page corresponding to the first physical page, the second physical page including the first data. In the above solution, while the instruction stream executes normally, data processing is performed on the basis of the first physical page that contains the hook, so that network protection is carried out; when an access instruction targeting the first physical page is received, the system instead returns the second physical page, which contains the original data of the first physical page as it was before the hook was configured. The hook is thereby made traceless, malicious tampering and circumvention are prevented, and the level of security protection is further raised.
Brief Description of the Drawings
In order to illustrate the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present application, and those of ordinary skill in the art can obtain other drawings from the provided drawings without creative effort.
FIG. 1 is a flowchart of a network protection method disclosed in an embodiment of the present application;
FIG. 2 is a flowchart of configuring a hook in the Internet protocol stack, disclosed in an embodiment of the present application;
FIG. 3 is a schematic diagram of the working principle by which the system under VMX implements security protection, disclosed in an embodiment of the present application;
FIG. 4 is a schematic diagram of the principle by which a hook implements security protection, disclosed in an embodiment of the present application;
FIG. 5 is a schematic structural diagram of a network protection apparatus disclosed in an embodiment of the present application;
FIG. 6 is a schematic structural diagram of an electronic device disclosed in an embodiment of the present application.
Detailed Description
For ease of reference and clarity, the explanations, abbreviations and acronyms of the technical terms used below are summarized as follows:
Hook: a mechanism on the Windows platform that works similarly to an interrupt. The HOOK mechanism allows an application to intercept and handle Windows messages or specified events: when the specified message is issued, the hook procedure can capture it before it reaches the target window, thereby gaining control of the message, and can then process or modify it and add the required functionality.
VMX: abbreviation of virtual-machine extensions.
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments in this application, without creative effort, fall within the scope of protection of this application.
The embodiments of the present application can be applied to networked electronic devices. The present application does not limit the product form of the electronic device, which may include, but is not limited to, smartphones, tablet computers, wearable devices, personal computers (PCs), netbooks and the like, selected according to the application requirements.
FIG. 1 is a flowchart of a network protection method disclosed in an embodiment of the present application. Referring to FIG. 1, the network protection method may include:
Step 101: obtaining a first access instruction, the first access instruction being a request instruction to access a first physical page, the first physical page including first data and having a hook configured in it.
The first physical page is non-paged memory configured as an execute-only page; that is, at runtime the system can only execute the code functions in the first physical page and cannot otherwise access it (read or write). The first data in the first physical page includes functions related to sending and receiving data, so during normal operation the system provides the send/receive function by executing the code functions stored in the first physical page. These send/receive functions may contain many instructions, and it is by continuously executing those instructions that the system carries out the corresponding functions. By configuring hooks at key positions in these send/receive functions, the system runs the hook's code function whenever execution reaches one of those key positions in the first physical page, so that specific data is intercepted and processed and a specific function is achieved. The key position may be the entry point or exit point of the data send/receive path. The data intercepted by the hook may be data received from the external network or data sent from inside to the external network.
It is understandable that, in order to remove network protection or restrictions, some users or applications want to determine which part of the system has protection configured and what kind of protection it is. They therefore need to access configuration data or runtime data related to sending and receiving data, and so issue a first access instruction targeting the first physical page in order to determine where in the system which security protection function has been configured, and optionally to go on to design a targeted scheme for lifting the restriction. The first access instruction may be a read instruction or a write instruction targeting the first physical page; a write instruction includes, but is not limited to, adding, deleting and modifying.
The first access instruction may also come from antivirus software, security software and the like. While scanning the system, such protection software compares the contents of the system installation package with the contents of the physical pages to identify any data content that does not originally belong to what the system needs in order to run. When the contents are the same, the system is considered free of security threats; when they differ, the system is considered to be under a security threat and relevant information is reported to the user, for example a notice that the system contains a virus or a hook.
Step 102: controlling a switch from a first working mode into a second working mode.
In order to prevent users from discovering the hook configured in the physical page, i.e. to make the hook traceless, the solution of the present application adopts the virtual-machine extensions (VMX) technology. In a VMX implementation the system has two working modes: a host (HOST) mode and a guest (GUEST) mode. When the system runs normally, that is, when it executes the instruction stream normally, it is in GUEST mode; when more comprehensive or higher-level processing is required, the system enters the more privileged HOST mode. The first working mode corresponds to GUEST mode and the second working mode corresponds to HOST mode. When the first access instruction described above is obtained, the system is in GUEST mode.
In the embodiment of the present application, because the first physical page is execute-only and cannot be read or written, an access instruction targeting the first physical page cannot be serviced when it is received. The CPU's interrupt protection is then triggered, the system switches from GUEST mode to the more privileged HOST mode, and the first access instruction is handled accordingly in HOST mode.
Step 103: returning a second physical page corresponding to the first physical page, the second physical page including the first data.
In HOST mode the system handles the first access instruction by returning the second physical page. The data content of the second physical page includes the original data content of the first physical page as it was before the hook was configured. In other words, the second physical page is a backup of the original data of the first physical page taken before the hook was configured; after the backup, the correspondence between the first physical page and the second physical page also needs to be stored, so that a subsequent access to the first physical page can be quickly associated with the second physical page. The backup can be performed before the hook is configured in the first physical page.
In this way, the content fed back to the first subject that issued the first access instruction is the second physical page, which contains no hook, so the first user will not learn where in the system the security protection function has been configured. That is, in response to the first access instruction the system returns "fake" content data, so the hook configured in the system is invisible to the accessing user, who has no starting point even if they want to bypass or break the network protection function. The solution therefore achieves traceless anti-penetration protection of network access.
The network protection method of this embodiment performs data processing on the basis of the first physical page containing the hook while the instruction stream executes normally, so as to carry out network protection; when an access instruction targeting the first physical page is received, it returns the second physical page, which contains the original data of the first physical page as it was before the hook was configured. The hook is thereby made traceless, malicious tampering and circumvention are prevented, and the level of security protection is further raised.
Before the network protection method of the above embodiment is carried out, hooks have already been configured in the system to provide network security protection. Therefore, before the network protection method is carried out, the method also includes the operation of pre-configuring the hook in a first layer of the Internet protocol stack.
FIG. 2 is a flowchart of configuring a hook in the Internet protocol stack, disclosed in an embodiment of the present application. Referring to FIG. 2, pre-configuring the hook in the first layer of the Internet protocol stack may include:
Step 201: configuring a second physical page in the first layer of the Internet protocol stack.
The first layer includes at least one of the network layer and the transport layer. Those skilled in the art know that a hook placed at the transport layer can impose restrictions on network processes, and a hook placed at the network layer can impose restrictions on IP addresses, ports and domain names, each providing security protection. In a concrete implementation, according to the needs of the application scenario, hooks can be configured only at the network layer or only at the transport layer, or, for more comprehensive protection, at both the network layer and the transport layer.
All hooks configured in the Internet protocol stack need to be made traceless. The basic preparatory work for making a hook traceless includes the flow shown in FIG. 2. First, before a hook is added to the physical page that needs it, a second physical page is allocated to store the original data of the first physical page as it was before the hook was added. The second physical page may store only the original data of the first physical page, or, in addition to that original data, it may also store other runtime data; the present application does not limit this.
Step 202: copying the first data of the first physical page to the second physical page, the first data being data related to sending and receiving data.
Copying the first data of the first physical page to the second physical page backs up the original data of the first physical page as it was before the hook was added. The correspondence between the first physical page and the second physical page can then be saved, so that when an access instruction targeting the first physical page arrives later, the content of the second physical page, which has no hook configured, can be returned to the accessor and the hook that has been configured remains hidden.
Step 203: configuring the hook in the first physical page.
After the original data of the first physical page has been backed up, the hook can be configured in the first physical page. When the system subsequently runs on the basis of the first physical page and processes sent and received data, the hook's code function intercepts the corresponding network data, determines whether the intercepted network data is permitted, and then releases or blocks it. Specifically, a dispatch function built into the hook can extract the corresponding identification information, such as an IP address, a domain name or a process, from the network data, and whether the network data is released is decided by judging whether that identification information is legitimate.
It should be noted that the system runs on the basis of the first physical page; the second physical page serves only to hold the original data of the first physical page as it was before the hook was added and, when the first physical page is accessed, to be returned to the accessing subject "impersonating" the first physical page.
This embodiment describes the basic preparatory work for making a hook traceless. This preparatory work is configuration performed before the system runs; only after it is complete can the system, during subsequent operation, process work on the basis of that configuration and provide the traceless-hook network security protection function.
In addition, to ensure that the hook is made traceless, after the hook has been configured in the first physical page the configuration file related to hook tracelessness also needs to be initialized. The basic preparatory work therefore further includes initializing the virtual machine configuration file VMX. This initialization is also completed before the system runs.
Specifically, the first physical page can be configured as execute-only, so that no unauthorized user, other than internal system operators, has any way to see the first physical page. The second physical page is configured as readable and writable so that it can be accessed. As a result, when the system subsequently runs, the instruction stream is processed on the basis of the first physical page, whereas when the first physical page is accessed, the real first physical page is not returned; instead, the second physical page, in which no hook is configured, is returned.
Based on the above, configuring the first physical page as execute-only and configuring the second physical page as readable and writable may include: setting an extended page table, setting the first physical page in the extended page table as readable and writable, and setting the second physical page in the extended page table as execute-only.
After the configuration work described above is complete, the relevant files must be initialized so that the earlier configuration can actually take effect during subsequent system operation and make the hook traceless.
FIG. 3 is a schematic diagram of the working principle by which the system under VMX implements security protection, disclosed in an embodiment of the present application. With reference to FIG. 3, in one concrete implementation, the process of implementing VMX traceless anti-penetration protection may include:
1. In the entry function of the driver that configures the hooks, before any hook is added, allocate non-paged memory PagesA and copy the code-segment contents of the physical page PagesB (corresponding to the first physical page), in which the member functions to be hooked reside, into the newly allocated physical page PagesA (corresponding to the second physical page);
2. Initialize VMX on all CPU cores. The key step is to set up the extended page table (EPT): the EPT entry corresponding to PagesB is set to execute-only and the EPT entry corresponding to PagesA is set to readable and writable. Once the EPT has been initialized, all hooks on the PagesB page are activated; then the EPT and VMX are enabled and the CPU state goes from HOST into GUEST. The VMX initialization on all CPU cores can be carried out through deferred procedure calls;
3. When the CPU executes the instruction stream normally, it runs against the physical page PagesB, to which hooks enforcing network access control have been added. When an operation such as a CRC (Cyclic Redundancy Check) verification, unhooking or reverse engineering needs to read the physical page PagesB, an EptViolation (a form of CPU interrupt protection) is triggered, causing the CPU state to fall back from GUEST to HOST;
4. In the HOST's ExitHandler function, the EptViolation is handled by returning PagesA, which has read/write permission and is the original physical page without hooks. Execution is thus separated from read/write access to the page, achieving the traceless anti-penetration effect.
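The four steps above, modelled as an added example (not code from the application): a small Python simulation of one guest page with an execute-only EPT entry (PagesB) and its readable/writable copy (PagesA). It shows why an integrity check that reads memory sees the pre-hook bytes while the CPU executes the hooked bytes, the property an analyst has to account for when such a scheme is in place. The page numbers, byte strings and the Vmx/EptEntry names are constructed for the demo.

```python
from dataclasses import dataclass, field

EXEC, READ, WRITE = "exec", "read", "write"


@dataclass
class EptEntry:
    frame: bytearray     # physical frame backing this guest page
    perms: frozenset     # subset of {EXEC, READ, WRITE}


@dataclass
class Vmx:
    ept: dict = field(default_factory=dict)     # guest page -> EptEntry
    shadow: dict = field(default_factory=dict)  # hooked page -> copy page
    mode: str = "HOST"
    exits: list = field(default_factory=list)   # (page, kind) per VM exit

    def prepare(self, page_b, page_a, hooked_bytes):
        """Steps 1-2: copy PagesB to PagesA, split permissions, install hook."""
        original = self.ept[page_b].frame
        self.ept[page_a] = EptEntry(bytearray(original), frozenset({READ, WRITE}))
        self.shadow[page_b] = page_a
        self.ept[page_b] = EptEntry(bytearray(hooked_bytes), frozenset({EXEC}))
        self.mode = "GUEST"   # EPT and VMX enabled, CPU enters GUEST

    def _frame_for(self, page, kind):
        entry = self.ept[page]
        if kind in entry.perms:
            return entry.frame
        # Step 3: the access violates the EPT entry -> VM exit to HOST
        self.mode = "HOST"
        self.exits.append((page, kind))
        try:
            return self._exit_handler(page, kind)
        finally:
            self.mode = "GUEST"

    def _exit_handler(self, page, kind):
        """Step 4: serve reads and writes from PagesA, the copy without the hook."""
        if page in self.shadow and kind in (READ, WRITE):
            return self.ept[self.shadow[page]].frame
        raise PermissionError(f"unhandled EPT violation: {kind} on {page:#x}")

    def fetch(self, page):
        """Instruction fetch by the executing CPU."""
        return bytes(self._frame_for(page, EXEC))

    def read(self, page):
        """Memory read, as done by a CRC or integrity scan."""
        return bytes(self._frame_for(page, READ))

    def write(self, page, offset, data):
        """Memory write, as done by an attempt to restore the original bytes."""
        frame = self._frame_for(page, WRITE)
        frame[offset:offset + len(data)] = data


def demo():
    PAGE_B, PAGE_A = 0x1000, 0x2000           # constructed guest page numbers
    original = b"JMP send_internal     "      # constructed stand-in for code bytes
    hooked = b"JMP hook_send_filter  "        # same page with the hook patched in
    vmx = Vmx()
    vmx.ept[PAGE_B] = EptEntry(bytearray(original), frozenset({EXEC, READ, WRITE}))
    vmx.prepare(PAGE_B, PAGE_A, hooked)
    executed = vmx.fetch(PAGE_B)    # the CPU runs the hooked code
    scanned = vmx.read(PAGE_B)      # a scanner reading PagesB receives PagesA
    vmx.write(PAGE_B, 0, b"NOP")    # a write to PagesB also lands on PagesA
    return {
        "executed": executed,
        "scanned": scanned,
        "executed_after_write": vmx.fetch(PAGE_B),
        "copy_after_write": vmx.read(PAGE_B),
        "exits": list(vmx.exits),
    }
```

The write lands on the copy, so the executed code is unchanged and a later read still reports the modified copy, which is what step 4's separation of execution from read/write access means in practice.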
The solution of this embodiment does not use any filter driver; instead it uses traceless hooks to implement network security protection, which are extremely difficult for any application to discover and bypass. The protection is therefore more effective and can meet the needs of many high-security scenarios.
因特网协议栈中的包括五个分层,由上而下依次为应用层、传输层、网络层、链路层和物理层。其中,应用层处于用户态,其余四层处于内核态。应用层处于用户空间,也即处于用户态,因此没有配置钩子的必要性;物理层为一些硬件结构,与软件层面没有关系;而在链路层已经区分了不同的网卡,如有线网卡、无线网卡、A公司网卡、B公司网卡等,不同的网卡对应不同的驱动,只会流经对应网卡的网络数据,因此无法针对全局的网络数据进行处理,因而也不会在链路层配置钩子。The Internet protocol stack includes five layers, from top to bottom are the application layer, transport layer, network layer, link layer and physical layer. Among them, the application layer is in the user state, and the other four layers are in the kernel state. The application layer is in the user space, that is, in the user state, so there is no need to configure hooks; the physical layer is some hardware structure, which has nothing to do with the software layer; and in the link layer, different network cards have been distinguished, such as wired network cards and wireless network cards. Network card, network card of company A, network card of company B, etc. Different network cards correspond to different drivers, and only the network data of the corresponding network card will flow through, so the global network data cannot be processed, so hooks will not be configured in the link layer.
因此本申请实施例中,仅在因特网协议栈的第一分层中配置钩子。其中的第一分层可以包括一个分层,也可以包括两个分层,也即包括网络层和传输层中的至少一个。Therefore, in the embodiment of the present application, the hook is only configured in the first layer of the Internet protocol stack. The first layer may include one layer or two layers, that is, at least one of the network layer and the transport layer.
一个实现中,前文所述第一分层包括网络层,则网络防护方法还可以包括:通过添加在网络层中所述第一物理页的钩子从访问数据中提取出地址标识数据,所述地址标识数据包括域名、IP地址、端口标识中的任意一项;基于所述地址标识数据确定当前访问属于非法访问;拦截所述当前访问。In one implementation, the above-mentioned first layer includes a network layer, then the network protection method may further include: extracting address identification data from the access data by adding a hook of the first physical page in the network layer, the address The identification data includes any one of domain name, IP address, and port identification; determining that the current access is illegal based on the address identification data; and intercepting the current access.
当从外网接收到数据时,数据的流动方向是从物理层接收,然后依次传送到链路层、网络层和传输层,最终到达应用层。链路层会将来自于不同网卡的数据汇总统一发往网络层。由于来自外网的数据中均携带有IP、域名、端口号等信息,因此配置在网络层的钩子可以从流经数据中提取出相应标识,并基于预先配置在系统中的策略(如白名单和黑名单)对携带有相应标识的数据进行处理,实时数据拦截或数据放行。When data is received from the external network, the flow direction of the data is received from the physical layer, then transmitted to the link layer, network layer, and transport layer in turn, and finally reaches the application layer. The link layer will aggregate the data from different network cards and send them to the network layer. Since the data from the external network carries information such as IP, domain name, port number, etc., the hook configured at the network layer can extract the corresponding identifier from the passing data, and based on the pre-configured policies in the system (such as white list) and blacklist) to process the data with the corresponding identification, real-time data interception or data release.
In another implementation, the first layer includes the transport layer, and the network protection method may further include: obtaining the process identifier of the current process through the hook configured on the first physical page in the transport layer; determining, based on the process identifier, that the current process is an illegal process; and intercepting the current process.
Data passes through the network layer and is delivered to the transport layer by port. Because the transport layer interfaces directly with applications, it knows which application-layer process opened which port, so the port on which data is received can be associated with the corresponding process. The process identifier is thereby extracted and, based on the policies pre-configured in the system, the data carrying that identifier is processed, that is, intercepted or released in real time.
Strictly speaking, the network data passing through the transport layer also contains IP, port and domain-name information, so in principle restrictions on IP, port and domain name could also be enforced by a hook configured at the transport layer. The reason this application's solution enforces the IP, port and domain-name restrictions with a hook at the lower network layer is that some threats can take effect at the network layer itself. Such a threat already endangers the system before the network data reaches the transport layer; a hook added at the network layer can detect and intercept it in time, before it takes effect, which widens the range of protection.
When data is sent from inside the system to the external network, it is first issued by the application layer and then passed down through the transport layer, the network layer and the link layer to the physical layer, which transmits it to the external network through the hardware send ring. This is the reverse of the receive path, but the hooks set at the transport layer and the network layer work in the same way.
In summary, once the hook has been added to the first layer, whenever network data is sent or received the hook extracts the process, domain-name, IP-address or port identifier from the data and checks whether that identifier is in the blacklist or the whitelist: if it is in the blacklist, further sending and receiving of the data is prohibited; if it is in the whitelist, the data is released. Setting hooks at both the network layer and the transport layer makes the system's network security protection more comprehensive and widens its range.
Fig. 4 is a schematic diagram of how the hooks disclosed in the embodiments of this application implement security protection. As shown in Fig. 4, in a specific implementation Tcpip.sys (the transport-layer driver module) works at the transport layer and creates the device objects "\device\tcp", "\device\udp", "\device\RawIp" and so on. The access-control module hooks the IRP_MJ_CREATE dispatch function (the dispatch function that implements the create operation) of all of these devices. In the hook's custom dispatch function, the current process identifier is obtained with PsGetCurrentProcessId and looked up in the policy database; a miss in the policy database results in release or interception and a hit in the opposite action, depending on whether the database holds a whitelist or a blacklist, and in this way access control is imposed on processes. These device objects belong to the TDI (Transport Driver Interface), which Microsoft has deprecated since Windows Vista in favour of the Windows Filtering Platform, so a deployment has to confirm that the target platform still exposes them.
Ndis.sys (the network-layer driver module, in the terminology of this application) is hooked at the network layer by hijacking the handlers in the ndis.sys structure NDIS_PROTOCOL_CHARACTERISTICS, such as ReceiveHandler, WanReceiveHandler, ReceivePacketHandler, SendHandler and SendPacketsHandler. In the hook's custom handler, the identification information (IP, port and so on) extracted from the parameters of the original handler is used to query the policy database. If the policy database holds a whitelist, a hit on the identification information releases the data and a miss intercepts it. If the policy database holds a blacklist, a hit intercepts the data and a miss releases it. NDIS_PROTOCOL_CHARACTERISTICS is the legacy NDIS 5 protocol-driver interface; NDIS 6 protocol drivers register NDIS_PROTOCOL_DRIVER_CHARACTERISTICS with NET_BUFFER_LIST-based handlers, so the hook targets depend on the NDIS version in use.
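The following is an added example and is not code from the patent or from any of the drivers it names. It models, in user space, the two decisions the hooks above make: the network-layer handler hook walks the raw frame to pull out addresses and ports and queries the policy, and the transport-layer IRP_MJ_CREATE hook queries the policy with the caller's process identifier. The whitelist/blacklist hit-and-miss semantics are the ones stated in the text; the policy layout (`policy_entry`, `policy_db`), the function names, the sample frame and the sample policies are all constructed for the example and are not the patent's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { VERDICT_ALLOW = 0, VERDICT_BLOCK = 1 };
enum policy_mode { MODE_WHITELIST = 0, MODE_BLACKLIST = 1 };

/* One policy entry (hypothetical layout). ip/port are host byte order, 0 means
 * "any"; a non-zero pid makes this a process rule instead of an address rule. */
struct policy_entry { uint32_t ip; uint16_t port; uint32_t pid; };

struct policy_db {
    enum policy_mode mode;
    const struct policy_entry *entries;
    size_t count;
};

/* Whitelist: hit -> allow, miss -> block.  Blacklist: hit -> block, miss -> allow. */
static enum verdict apply_mode(const struct policy_db *db, int hit)
{
    if (db->mode == MODE_WHITELIST)
        return hit ? VERDICT_ALLOW : VERDICT_BLOCK;
    return hit ? VERDICT_BLOCK : VERDICT_ALLOW;
}

/* Decision the network-layer hook makes from an (address, port) pair. */
enum verdict policy_decide_addr(const struct policy_db *db, uint32_t ip, uint16_t port)
{
    for (size_t i = 0; i < db->count; i++) {
        const struct policy_entry *e = &db->entries[i];
        if (e->pid != 0) continue;
        if (e->ip != 0 && e->ip != ip) continue;
        if (e->port != 0 && e->port != port) continue;
        return apply_mode(db, 1);
    }
    return apply_mode(db, 0);
}

/* Decision the transport-layer IRP_MJ_CREATE hook makes from the caller's pid. */
enum verdict policy_decide_pid(const struct policy_db *db, uint32_t pid)
{
    for (size_t i = 0; i < db->count; i++)
        if (db->entries[i].pid != 0 && db->entries[i].pid == pid)
            return apply_mode(db, 1);
    return apply_mode(db, 0);
}

/* Flow identifiers a receive/send handler pulls out of a raw Ethernet frame. */
struct flow_key { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t proto; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Ethernet II + IPv4 + TCP/UDP header walk with bounds checks. Returns 0 on
 * success, -1 if the frame is not IPv4 TCP/UDP or is too short to hold the ports. */
int parse_frame(const uint8_t *frame, size_t len, struct flow_key *out)
{
    if (len < 14 + 20 || rd16(frame + 12) != 0x0800) return -1;    /* not IPv4 */
    const uint8_t *ip = frame + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || 14 + ihl + 4 > len) return -1;
    out->proto = ip[9];
    if (out->proto != 6 && out->proto != 17) return -1;             /* TCP/UDP only */
    out->src_ip = rd32(ip + 12);
    out->dst_ip = rd32(ip + 16);
    out->src_port = rd16(ip + ihl);
    out->dst_port = rd16(ip + ihl + 2);
    return 0;
}

/* Per-frame work of the hook: take the remote endpoint (destination on send,
 * source on receive) and query the policy. Frames the parser cannot classify
 * (ARP, IPv6, truncated) are passed through here; a fail-closed deployment
 * would block them instead. */
enum verdict hook_decide_frame(const struct policy_db *db, const uint8_t *frame,
                               size_t len, int outbound)
{
    struct flow_key k;
    if (parse_frame(frame, len, &k) != 0) return VERDICT_ALLOW;
    return outbound ? policy_decide_addr(db, k.dst_ip, k.dst_port)
                    : policy_decide_addr(db, k.src_ip, k.src_port);
}

/* Constructed sample frame: 10.0.0.5:49152 -> 203.0.113.7:443, TCP SYN, no payload. */
const uint8_t sample_frame[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x05, 0xcb,0x00,0x71,0x07,
    0xc0,0x00, 0x01,0xbb, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0
};
/* Constructed policies: blacklist 203.0.113.7:443; whitelist only process 1234. */
const struct policy_entry blocked_hosts[] = { { 0xcb007107u, 443, 0 } };
const struct policy_db sample_blacklist = { MODE_BLACKLIST, blocked_hosts, 1 };
const struct policy_entry allowed_pids[] = { { 0, 0, 1234 } };
const struct policy_db sample_whitelist = { MODE_WHITELIST, allowed_pids, 1 };

int main(void)
{
    enum verdict v = hook_decide_frame(&sample_blacklist, sample_frame, sizeof sample_frame, 1);
    printf("outbound to 203.0.113.7:443 -> %s\n", v == VERDICT_BLOCK ? "BLOCK" : "ALLOW");
    printf("pid 1234 -> %s, pid 4321 -> %s\n",
           policy_decide_pid(&sample_whitelist, 1234) == VERDICT_ALLOW ? "ALLOW" : "BLOCK",
           policy_decide_pid(&sample_whitelist, 4321) == VERDICT_ALLOW ? "ALLOW" : "BLOCK");
    return 0;
}
```

In a driver the `parse_frame` input comes from the buffer handed to the hijacked receive or send handler and the pid from PsGetCurrentProcessId in the IRP_MJ_CREATE dispatch routine; the bounds checks matter there as much as here, because a hook that trusts header lengths from the wire becomes a kernel crash primitive.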
It should be noted that there is not just one hook at the network layer or the transport layer: a separate hook can be set for each device, structure or dispatch function, so the network layer may have several hooks and so may the transport layer. The several hooks at the network layer or the transport layer may be set in the same physical page or in different physical pages; this application imposes no fixed limit. But for every physical page in which a hook is configured, a physical page is allocated before the hook is added to back up the page's original data, and the association between the two physical pages is recorded.
The network protection method of the embodiments of this application can place hooks at key positions in both the network layer and the transport layer. The purpose of the two-layer hooks is as follows: a hook at the transport layer can obtain process information and impose restrictions on processes; a hook at the network layer can impose restrictions on IP, port, domain name and so on; and in practice the hooks are not easy to discover or bypass. Further, this application adds VMX (Intel virtual machine extensions) protection to the physical pages in which hooks are placed, making the hooks completely traceless and resistant to penetration, and thus providing a wider range of protection at a higher protection level.
For the sake of brevity, each of the foregoing method embodiments is described as a series of combined actions, but those skilled in the art should be aware that this application is not limited by the order of the actions described, because according to this application some steps may be performed in another order or simultaneously. Secondly, those skilled in the art should also be aware that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by this application.
The above disclosed embodiments describe the method in detail; the method of this application can be implemented by devices of various forms, so this application also discloses a device, which is described in detail in the specific embodiment below.
Fig. 5 is a schematic structural diagram of a network protection device disclosed in an embodiment of this application. Referring to Fig. 5, the network protection device 50 may include:
an instruction acquisition module 501, configured to obtain a first access instruction, the first access instruction being a request to access a first physical page, the first physical page containing first data and having a hook configured in it;
a mode switching module 502, configured to control the switch from the first working mode into the second working mode;
an instruction response module 503, configured to return a second physical page corresponding to the first physical page, the second physical page containing the first data.
When the instruction stream executes normally, the network protection device of this embodiment processes data on the basis of the first physical page, which contains the hook, and so performs network protection; when it receives an access instruction aimed at the first physical page, it instead returns the second physical page, which holds the original data of the first physical page from before the hook was configured. The hook is thus made traceless, malicious tampering and bypassing are prevented, and the level of security protection is raised further.
In one implementation, the network protection device may further include a hook configuration module, configured to pre-configure a hook in the first layer of the Internet protocol stack.
In one implementation, the hook configuration module may specifically be configured to: configure the second physical page in the first layer of the Internet protocol stack; copy the first data of the first physical page to the second physical page, the first data being data related to data sending and receiving; and configure the hook in the first physical page.
In one implementation, the network protection device may further include an initialization module, configured to initialize the VMX (virtual machine extensions) configuration after the hook is configured in the first physical page, including: configuring the first physical page as execute-only and configuring the second physical page as readable and writable.
In one implementation, the initialization module may specifically be configured to set up the extended page table (EPT) so that, in the extended page table, the first physical page (the one containing the hook) is execute-only and the second physical page (the backup holding the original data) is readable and writable. This is the split that lets the CPU execute the hooked page while any read or write of that guest-physical address is redirected to the backup copy.
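The following is an added example and is not the patent's code or a real hypervisor. It is a user-space model of the execute-only / read-write page split described above: the guest page is mapped execute-only onto the hooked copy, and an EPT violation on a read or write (the switch from the first working mode into the second) re-points the mapping at the backup page that holds the original bytes. The structure names (`hidden_hook`, `ept_entry`), the permission bits, the scenario and the NOP-filled sample page are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define HOOK_PAGE_SIZE 4096
enum { EPT_R = 1, EPT_W = 2, EPT_X = 4 };

/* The EPT entry covering the guest-physical page being protected: which host
 * page it currently points at and the permissions granted to the guest. */
struct ept_entry { uint8_t *host_page; unsigned perm; };

/* First physical page (with the hook), second physical page (original bytes)
 * and the mapping currently installed for the guest page. Hypothetical layout. */
struct hidden_hook {
    uint8_t hooked[HOOK_PAGE_SIZE];
    uint8_t backup[HOOK_PAGE_SIZE];
    struct ept_entry ept;
    unsigned violations;   /* EPT violations (VM exits) handled so far */
};

enum access { ACCESS_READ = EPT_R, ACCESS_WRITE = EPT_W, ACCESS_FETCH = EPT_X };

/* Install: back up the original page, patch the hook into the working copy and
 * map the guest page execute-only onto the hooked copy. */
void hook_install(struct hidden_hook *h, const uint8_t *orig_page,
                  size_t off, const uint8_t *patch, size_t patch_len)
{
    memcpy(h->backup, orig_page, HOOK_PAGE_SIZE);
    memcpy(h->hooked, orig_page, HOOK_PAGE_SIZE);
    memcpy(h->hooked + off, patch, patch_len);
    h->ept.host_page = h->hooked;
    h->ept.perm = EPT_X;
    h->violations = 0;
}

/* The VM-exit handler (second working mode): an instruction fetch gets the
 * execute-only hooked page, a read or write gets the read/write backup page. */
static void handle_ept_violation(struct hidden_hook *h, enum access a)
{
    h->violations++;
    if (a == ACCESS_FETCH) {
        h->ept.host_page = h->hooked;
        h->ept.perm = EPT_X;
    } else {
        h->ept.host_page = h->backup;
        h->ept.perm = EPT_R | EPT_W;
    }
}

/* Model of one guest access through the EPT entry: if the needed permission
 * bit is missing, the access traps to the handler and is then retried. */
uint8_t guest_access(struct hidden_hook *h, size_t off, enum access a, uint8_t write_val)
{
    if (!(h->ept.perm & (unsigned)a))
        handle_ept_violation(h, a);
    if (a == ACCESS_WRITE) {
        h->ept.host_page[off] = write_val;
        return write_val;
    }
    return h->ept.host_page[off];
}

/* Scenario: a page of NOPs gets a 5-byte relative jmp at offset 0x10. A reader
 * (integrity checker or attacker) then reads that offset and tries to overwrite
 * it. Returns the number of VM exits taken, or -1 if any observation is wrong. */
int hook_scenario(void)
{
    static struct hidden_hook h;
    static uint8_t orig[HOOK_PAGE_SIZE];
    const uint8_t jmp_rel32[5] = { 0xE9, 0x00, 0x10, 0x00, 0x00 };   /* jmp +0x1000 */
    memset(orig, 0x90, HOOK_PAGE_SIZE);
    hook_install(&h, orig, 0x10, jmp_rel32, sizeof jmp_rel32);

    if (guest_access(&h, 0x10, ACCESS_FETCH, 0) != 0xE9) return -1; /* CPU runs the hook */
    if (guest_access(&h, 0x10, ACCESS_READ, 0)  != 0x90) return -1; /* reader sees original */
    if (guest_access(&h, 0x10, ACCESS_FETCH, 0) != 0xE9) return -1; /* hook still executes */
    guest_access(&h, 0x10, ACCESS_WRITE, 0xCC);                     /* "restore" attempt */
    if (guest_access(&h, 0x10, ACCESS_READ, 0)  != 0xCC) return -1; /* write visible to reader */
    if (guest_access(&h, 0x10, ACCESS_FETCH, 0) != 0xE9) return -1; /* but the hook is untouched */
    if (h.hooked[0x10] != 0xE9 || h.backup[0x10] != 0xCC) return -1;
    return (int)h.violations;
}

int main(void)
{
    int exits = hook_scenario();
    printf("scenario %s, %d EPT violations handled\n", exits < 0 ? "FAILED" : "ok", exits);
    return exits < 0;
}
```

The scenario takes four VM exits: read, fetch, write, fetch; the final read costs none because the backup page is already mapped read/write. Two points carry over to a real implementation. First, leaving the backup page mapped read/write after a data access means a later instruction fetch from the same page always traps; hypervisor-based hook hiders therefore usually re-arm the execute-only mapping after a single instruction (for example with the monitor trap flag) rather than waiting for the next fetch. Second, the hook is invisible only to reads of guest-physical memory through the EPT; an observer that can detect the hypervisor itself, time the VM exits, or inspect memory from outside the guest (a DMA-capable device, for instance) is not covered by this split.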
In one implementation, the first layer includes at least one of the network layer and the transport layer.
In one implementation, the first layer includes the transport layer, and the network protection device may further include a hook implementation module, specifically configured to: obtain the process identifier of the current process through the hook configured on the first physical page in the transport layer; determine, based on the process identifier, that the current process is an illegal process; and intercept the current process.
In one implementation, the first layer includes the network layer, and the hook implementation module may specifically be configured to: extract address identification data from the accessed data through the hook added to the first physical page in the network layer, the address identification data being any one of a domain name, an IP address and a port identifier; determine, based on the address identification data, that the current access is illegal; and intercept the current access.
The specific implementation of the above network protection device and of each of its modules, together with other possible implementations, is described in detail in the corresponding parts of the method embodiments and is not repeated here.
Any of the network protection devices in the above embodiments includes a processor and a memory. The instruction acquisition module, mode switching module, instruction response module, hook configuration module, initialization module and so on of the above embodiments are all stored in the memory as program modules, and the processor executes the program modules stored in the memory to implement the corresponding functions.
The processor contains a core, which fetches the corresponding program modules from the memory. One or more cores may be provided, and the accessed data is processed by adjusting the core parameters.
The memory may include non-persistent memory, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM), in a computer-readable medium; the memory includes at least one memory chip.
In an exemplary embodiment, a computer-readable storage medium is also provided, which can be loaded directly into the internal memory of a computer and contains software code; after the computer program is loaded and executed by the computer, the steps shown in any of the above embodiments of the network protection method can be implemented.
In an exemplary embodiment, a computer program product is also provided, which can be loaded directly into the internal memory of a computer and contains software code; after the computer program is loaded and executed by the computer, the steps shown in any of the above embodiments of the network protection method can be implemented.
Further, an embodiment of this application provides an electronic device. Fig. 6 is a schematic structural diagram of an electronic device disclosed in an embodiment of this application. Referring to Fig. 6, the electronic device includes at least one processor 601, at least one memory 602 connected to the processor, and a bus 603; the processor and the memory communicate with each other over the bus, and the processor is configured to call the program instructions in the memory to execute the network protection method described above.
The program instructions may include: obtaining a first access instruction, the first access instruction being a request to access a first physical page, the first physical page containing first data and having a hook configured in it; controlling the switch from the first working mode into the second working mode; and returning a second physical page corresponding to the first physical page, the second physical page containing the first data.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another. The device disclosed in the embodiments corresponds to the method disclosed in the embodiments, so its description is relatively brief; for the relevant details, refer to the description of the method.
It should also be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" and any variant of them are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of further identical elements in the process, method, article or device that comprises it.
The steps of the methods or algorithms described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
The above description of the disclosed embodiments enables those skilled in the art to make or use this application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of this application. Therefore, this application is not to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
| Application Number | Publication Number | Priority Date | Filing Date | Publication Date | Status | Title |
|---|---|---|---|---|---|---|
| CN202211266667.7A | CN115567315A | 2022-10-17 | 2022-10-17 | 2023-01-03 | Pending | A network protection method, device and electronic equipment |
| Country | Link |
|---|---|
| CN (1) | CN115567315A (en) |
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |