
CN109033820A - User credential protection method, device and equipment - Google Patents

User credential protection method, device and equipment

Info

Publication number: CN109033820A
Authority: CN (China)
Application number: CN201810701188.0A
Other languages: Chinese (zh)
Inventors: 何博, 彭岩
Assignee (current and original): Beijing Qihoo Technology Co Ltd
Legal status: Pending
Prior art keywords: user, reading process, credentials, security detection, detection result

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/031 Protect user input by software means


Abstract

The present invention provides a user credential protection method, device and equipment, wherein the method comprises: when it is detected that user credentials are being read, obtaining the reading process; performing security detection on the reading process to obtain a security detection result; and performing security protection processing on the user credentials according to the security detection result. The technical solution provided by the invention can protect user credentials and reduce the threat to the user's property and endpoint security.

Description

User credential protection method, device and equipment

Technical field

The present invention relates to the field of computer technology, and in particular to a user credential protection method, device and equipment.

Background

Credential management is a feature provided by Windows. When a user enters a user name and password to access a server for the first time, the Windows Credential Manager can save these access credentials locally, so that when the server is accessed again Windows automatically completes the credential authentication for the user's convenience.

However, Microsoft does not apply much protection to the locally saved user credentials, so malicious programs can read these credentials directly through the interfaces Microsoft provides and steal and use them, posing a serious threat to the user's property and endpoint security.

Summary of the invention

In view of this, the present invention provides a user credential protection method, device and equipment for protecting user credentials.

To achieve the above purpose, in a first aspect, an embodiment of the present invention provides a user credential protection method, including:

when it is detected that user credentials are being read, obtaining the reading process;

performing security detection on the reading process to obtain a security detection result;

performing security protection processing on the user credentials according to the security detection result.

By obtaining the reading process when it is detected that the user credentials are being read, performing security detection on the reading process, and performing security protection processing on the user credentials according to the security detection result, the user credentials can be protected and the threat to the user's property and endpoint security reduced.

As an optional implementation of the embodiment of the present invention, before obtaining the reading process when it is detected that the user credentials are being read, the method further includes:

monitoring preset application programming interface (API) functions;

when any one of the preset API functions is detected being called, determining that the user credentials are being read.

By monitoring the preset API functions, operations that read user credentials can be discovered promptly, improving the security of the user credentials.

As an optional implementation of the embodiment of the present invention, the preset API functions include all API functions that a reading process can call to read the user credentials.

This improves the coverage of reading-process detection and thereby the security of the user credentials.

As an optional implementation of the embodiment of the present invention, the preset API functions include a credential set enumeration function, a domain credential reading function and a best credential set search function.

As an optional implementation of the embodiment of the present invention, performing security detection on the reading process to obtain a security detection result includes:

extracting feature information of the reading process;

matching the reading process against feature information in a preset blacklist/whitelist;

determining the security detection result according to the matching result.

By using feature matching for security detection, the accuracy of the reading-process security detection result can be improved.

As an optional implementation of the embodiment of the present invention, performing security protection processing on the user credentials according to the security detection result includes:

when the security detection result indicates that the reading process is a risky process, outputting a risk warning and prompting the user whether to block the reading process;

when an instruction from the user to block the reading process is received, preventing the reading process from continuing to read the user credentials.

In the above implementation, how the reading process is handled is determined by the user's instruction, which improves the user experience while protecting the user credentials.

As an optional implementation of the embodiment of the present invention, the method further includes:

providing, in a pop-up window, an option for a full-disk scan, so that the user can choose whether to perform a full-disk scan of the system.

By offering the user a full-disk scan option, the system can be protected more comprehensively and the user experience improved.

In a second aspect, an embodiment of the present invention provides a user credential protection device, including:

an obtaining module, configured to obtain the reading process when it is detected that user credentials are being read;

a detection module, configured to perform security detection on the reading process obtained by the obtaining module and obtain a security detection result;

a processing module, configured to perform security protection processing on the user credentials according to the security detection result obtained by the detection module.

As an optional implementation of the embodiment of the present invention, the device further includes:

a monitoring module, configured to monitor preset application programming interface (API) functions and, when any one of the preset API functions is detected being called, determine that the user credentials are being read.

As an optional implementation of the embodiment of the present invention, the preset API functions include all API functions that a reading process can call to read the user credentials.

As an optional implementation of the embodiment of the present invention, the preset API functions include a credential set enumeration function, a domain credential reading function and a best credential set search function.

As an optional implementation of the embodiment of the present invention, the detection module is specifically configured to:

extract feature information of the reading process obtained by the obtaining module;

match the reading process against feature information in a preset blacklist/whitelist;

determine the security detection result according to the matching result.

As an optional implementation of the embodiment of the present invention, the device further includes a prompt module, and the processing module is specifically configured to:

when the security detection result obtained by the detection module indicates that the reading process is a risky process, instruct the prompt module to output a risk warning and prompt the user whether to block the reading process;

when an instruction from the user to block the reading process is received, prevent the reading process from continuing to read the user credentials.

As an optional implementation of the embodiment of the present invention, the prompt module is further configured to:

provide, in a pop-up window, an option for a full-disk scan, so that the user can choose whether to perform a full-disk scan of the system.

For the beneficial effects of the device provided by the second aspect and its possible implementations, refer to the beneficial effects of the first aspect and its possible implementations; they are not repeated here.

In a third aspect, an embodiment of the present invention provides user credential protection equipment, including a memory and a processor, where the memory is configured to store a computer program and the processor is configured, when invoking the computer program, to execute the method of the first aspect or any implementation of the first aspect.

For the beneficial effects of the equipment provided by the third aspect and its possible implementations, refer to the beneficial effects of the first aspect and its possible implementations; they are not repeated here.

In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method of the first aspect or any implementation of the first aspect.

For the beneficial effects of the computer-readable storage medium provided by the fourth aspect and its possible implementations, refer to the beneficial effects of the first aspect and its possible implementations; they are not repeated here.

Brief description of the drawings

FIG. 1 is a schematic flowchart of a user credential protection method provided by an embodiment of the present invention;

FIG. 2 is a schematic diagram of a prompt interface provided by an embodiment of the present invention;

FIG. 3 is a schematic structural diagram of a user credential protection device provided by an embodiment of the present invention;

FIG. 4 is a schematic structural diagram of user credential protection equipment provided by an embodiment of the present invention.

Detailed description

The Windows Credential Manager can save locally the information, such as user name and password, that the user enters when accessing a server, so that credential authentication is completed automatically when the server is accessed again. A locally stored credential generally shows the website address, user name, password and similar information.

Some malicious programs can read these credentials directly through the interfaces Microsoft provides. On Windows XP and later, an attacker can generally obtain user credentials directly in two ways: first, through the credential set enumeration function (CredEnumerate), which enumerates all credentials associated with the current account; second, through the domain credential reading function (CredReadDomainCredentials), which reads the domain credentials associated with the current account. On Windows Vista and later, an attacker can use the best credential set search function (CredFindBestCredential) to search the credential manager for the generic credential set that is associated with the current logon session and best matches a specified target resource.

After a malicious program steals these credentials, it may carry out illegal operations or extort the user, posing a serious threat to the user's property and endpoint security.

To solve the above technical problem, embodiments of the present invention provide a user credential protection method, device and equipment which, mainly by obtaining the reading process when it is detected that user credentials are being read, performing security detection on the reading process, and performing security protection processing on the user credentials according to the security detection result, protect the user credentials and reduce the threat to the user's property and endpoint security.

Embodiments of the present invention are described below with reference to the accompanying drawings.

FIG. 1 is a schematic flowchart of a user credential protection method provided by an embodiment of the present invention; the method may be executed by a user credential protection device or equipment. As shown in FIG. 1, the method provided by this embodiment may include the following steps:

S101. When it is detected that user credentials are being read, obtain the reading process.

In this embodiment, to protect the user credentials, read operations on the user credentials are monitored. In a specific implementation, preset application programming interface (API) functions may be monitored; when any one of the preset API functions is detected being called, it is determined that the user credentials are being read.

The preset API functions include all API functions that a reading process can call to read the user credentials. Specifically, the preset API functions may include the credential set enumeration function (CredEnumerate), the domain credential reading function (CredReadDomainCredentials) and the best credential set search function (CredFindBestCredential). CredEnumerate comprises the CredEnumerateA and CredEnumerateW functions, CredReadDomainCredentials comprises the CredReadDomainCredentialsA and CredReadDomainCredentialsW functions, and CredFindBestCredential comprises the CredFindBestCredentialA and CredFindBestCredentialW functions.

When any one of the above preset API functions is detected being called, the reading process that reads the user credentials is obtained, that is, the process calling that API function.

S102. Perform security detection on the reading process to obtain a security detection result.

Specifically, once the reading process is obtained, a Trojan scanning engine may be invoked to check the security of the reading process; after the security detection result establishes whether the reading process is safe, it is decided how to handle that process's read operation.

In the specific detection, feature information of the reading process may first be extracted; the reading process is then matched against the feature information in the preset blacklist/whitelist; and the security detection result is determined according to the matching result.

The feature information of the reading process may include the process name, message digest algorithm 5 (MD5) value, size, content, signature, version information and the like.

The blacklist/whitelist may store feature information of risky processes, feature information of safe processes, or both; this embodiment does not particularly limit this.

When matching the feature information of the reading process against the feature information in the blacklist/whitelist, a single feature (for example the signature) may be used, or multiple features (for example name, MD5 value, signature and version). When multiple features are used, a match may be declared successful only when all of them match, or when a preset number of them match; this is determined according to actual needs and is not particularly limited in this embodiment.

Taking as an example a list that stores feature information of risky processes: when the match succeeds, the process currently reading the user credentials is a risky process; when the match fails, the reading process is a safe process. The security detection result thus indicates whether the reading process is risky or safe.

S103. Perform security protection processing on the user credentials according to the security detection result.

Once the security detection result is obtained, security protection processing can be performed on the user credentials according to it.

Specifically, when the security detection result indicates that the reading process is a risky process, the reading process may be prevented from continuing to read the user credentials; alternatively, a risk warning may be output and the user prompted whether to block the reading process, and when the user's instruction to block the reading process is received, the reading process is prevented from continuing to read the user credentials, improving the user experience while protecting the credentials.

The prompt may be given as a pop-up window, as a voice prompt, or as a pop-up window plus voice or by other means. FIG. 2 is a schematic diagram of a prompt interface provided by an embodiment of the present invention; as shown in FIG. 2, the figure shows an example of a pop-up window interface. The pop-up window may display risk warning information, for example a title, "A program is reading your account password; blocking it is recommended", and a detailed message, "Your account password is being read by a suspicious program, which may cause content related to your account to be impersonated or stolen and cause you loss; if you did not authorize this, it is recommended to block it". The detailed message may also include information about the reading process, for example "Suspicious program: C\Trojan.exe". The pop-up window also provides operation options prompting the user whether to block the reading process, for example "Allow" and "Block"; for the user's convenience, one of the options may be designated as the default that is applied when no user instruction is received within a preset time, for example "Block" in the figure, and the remaining selection time may be shown on that option. The pop-up window may also display other information that improves the user experience; for example a close button "×" may be shown in its upper right corner for the user to close the pop-up window, which this embodiment does not limit.

In this embodiment, when the security detection result indicates that the reading process is a risky process, this means a risky file exists on the system; at this point a pop-up window may also offer a full-disk scan option so that the user can choose whether to perform a full-disk scan of the system, to protect the system better.

The full-disk scan option may be shown together in the pop-up window of FIG. 2 above, or in an additional pop-up window; the specific implementation is not particularly limited in this embodiment.

When the user selects the full-disk scan option, the equipment invokes each scanning engine to scan all drive letters.
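As an added example that is not part of the patent and not code from its assignee, the following Python simulates steps S101 to S103 end to end. The API hook itself (interception of the Credential Manager calls) is out of scope and is replaced by a constructed stream of call events; the monitored API names are the ones the description lists, while every process name, hash, signer, list entry and the `required` parameter (how the "all features" and "preset number" matching options are realised) are my assumptions. The whitelist additionally requires the signature to be among the matched features, a caveat not stated on the page: a name-only whitelist match is trivially spoofable by a renamed binary.

```python
"""Simulation of the credential-read protection pipeline (steps S101-S103).

Added example, not the patent's or the assignee's code. Hooking is replaced by
a constructed event stream; all processes, hashes and list entries are
constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

# S101: the preset API set named on the page, including the A/W variants.
MONITORED_APIS = frozenset(
    base + suffix
    for base in ("CredEnumerate", "CredReadDomainCredentials", "CredFindBestCredential")
    for suffix in ("A", "W")
)

# Feature information the page lists for list matching (size and content omitted here).
MATCH_FIELDS = ("name", "md5", "signature", "version")


@dataclass(frozen=True)
class ProcessFeatures:
    name: str
    md5: str
    signature: str  # signer name, "" when unsigned
    version: str


@dataclass(frozen=True)
class Decision:
    action: str            # "allow" or "block"
    risky: bool
    offer_full_scan: bool  # page: offer a full-disk scan whenever a risky process was seen
    reason: str


def matched_fields(proc: ProcessFeatures, entry: dict) -> set:
    """Fields on which the process agrees with a list entry. Empty values never
    count, so an unsigned process does not 'match' an unsigned entry on signature."""
    return {f for f in MATCH_FIELDS if getattr(proc, f) and getattr(proc, f) == entry.get(f)}


def list_hit(proc: ProcessFeatures, entry: dict, required: Optional[int]) -> tuple:
    """required=None is the page's 'all features' option (every non-empty field of
    the entry must agree); an integer is the 'preset number' option."""
    m = matched_fields(proc, entry)
    if required is None:
        required = max(1, sum(1 for f in MATCH_FIELDS if entry.get(f)))
    return m, len(m) >= required


def detect(proc: ProcessFeatures, blacklist: list, whitelist: list,
           required: Optional[int]) -> tuple:
    """S102: return (risky, reason). Whitelist first; a whitelist hit must include
    the signature, since a name-only match is trivially spoofable (my assumption)."""
    for entry in whitelist:
        m, hit = list_hit(proc, entry, required)
        if hit and "signature" in m:
            return False, f"whitelisted as {entry['name']}"
    for entry in blacklist:
        m, hit = list_hit(proc, entry, required)
        if hit:
            return True, f"blacklisted as {entry['name']} on {sorted(m)}"
    return False, "no list match"  # page: no match in a risk list means safe


def protect(event: dict, blacklist: list, whitelist: list,
            required: Optional[int] = None, user_choice: Optional[str] = None) -> Decision:
    """S101+S103 for one API-call event. user_choice is the answer to the
    Allow/Block prompt, or None when nothing arrived within the preset time,
    in which case the page's default selection 'Block' applies."""
    if event["api"] not in MONITORED_APIS:
        return Decision("allow", False, False, "not a credential read")
    risky, reason = detect(event["process"], blacklist, whitelist, required)
    if not risky:
        return Decision("allow", False, False, reason)
    action = "allow" if user_choice == "allow" else "block"
    return Decision(action, True, True, reason)


def _md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed sample lists and events (hashes are of placeholder bytes, not real files).
SAMPLE_BLACKLIST = [
    {"name": "Trojan.exe", "md5": _md5(b"constructed-trojan"), "signature": "", "version": "1.0.0.0"},
]
SAMPLE_WHITELIST = [
    {"name": "good_app.exe", "md5": _md5(b"constructed-good-app"),
     "signature": "Constructed Signer", "version": "2.1.0.0"},
]
SAMPLE_EVENTS = [
    {"api": "CredEnumerateW",
     "process": ProcessFeatures("Trojan.exe", _md5(b"constructed-trojan"), "", "1.0.0.0")},
    {"api": "CredFindBestCredentialA",
     "process": ProcessFeatures("good_app.exe", _md5(b"constructed-good-app"), "Constructed Signer", "2.1.0.0")},
    # Repacked copy of the blacklisted program: only the name still matches.
    {"api": "CredReadDomainCredentialsW",
     "process": ProcessFeatures("Trojan.exe", _md5(b"constructed-trojan-v2"), "", "1.0.0.1")},
    # Ordinary file I/O is not in the monitored set and is never examined.
    {"api": "CreateFileW",
     "process": ProcessFeatures("editor.exe", _md5(b"constructed-editor"), "Constructed Signer", "3.0.0.0")},
]


def run(events: list, required: Optional[int]) -> list:
    """Actions for each event when the prompt times out (no user answer)."""
    return [protect(e, SAMPLE_BLACKLIST, SAMPLE_WHITELIST, required).action for e in events]


if __name__ == "__main__":
    for required in (None, 1):
        print("required =", required, "->", run(SAMPLE_EVENTS, required))
```

Running it shows the trade-off the description leaves open: with the "all features" option the repacked copy (third event) slips through because only its name still matches, while with a preset number of one feature it is blocked, at the price of more false positives on common names.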

本实施例提供的用户凭据保护方法,通过在监控到用户凭据被读取时,获取读取进程;对读取进程进行安全性检测,根据安全性检测结果对用户凭据进行安全防护处理,可以实现对用户凭据的保护,降低用户的财产和终端安全所受的威胁。In the user credential protection method provided in this embodiment, by obtaining the reading process when the user credential is read through monitoring; performing security detection on the reading process, and performing security protection processing on the user credential according to the security detection result, it can realize The protection of user credentials reduces the threat to user property and terminal security.

图3为本发明实施例提供的用户凭据保护装置的结构示意图,如图3所示,本实施例提供的装置包括:Fig. 3 is a schematic structural diagram of a user credential protection device provided by an embodiment of the present invention. As shown in Fig. 3, the device provided by this embodiment includes:

获取模块110,用于当监控到用户凭据被读取时,获取读取进程;The obtaining module 110 is used to obtain the reading process when monitoring that the user credentials are read;

检测模块120,用于对获取模块110获取的读取进程进行安全性检测,得到安全性检测结果;The detection module 120 is configured to perform security detection on the reading process acquired by the acquisition module 110, and obtain a security detection result;

处理模块130,用于根据检测模块120检测出的安全性检测结果对用户凭据进行安全防护处理。The processing module 130 is configured to perform security protection processing on the user credential according to the security detection result detected by the detection module 120 .

作为本发明实施例一种可选的实施方式,装置还包括;As an optional implementation manner of the embodiment of the present invention, the device further includes;

监控模块140,用于监控预设的应用程序编程接口API函数;当监控到预设的API函数中的任意一个API函数被调用时,确定用户凭据被读取。The monitoring module 140 is configured to monitor preset application programming interface API functions; when any API function in the preset API functions is monitored, it is determined that the user credentials are read.

作为本发明实施例一种可选的实施方式,预设的API函数包括:读取进程在读取用户凭据时可调用的所有API函数。As an optional implementation manner of the embodiment of the present invention, the preset API functions include: all API functions that the reading process can call when reading the user credentials.

作为本发明实施例一种可选的实施方式,预设的API函数包括:凭据集枚举函数、域凭据读取函数和最佳凭据集搜索函数。As an optional implementation of the embodiment of the present invention, the preset API functions include: a credential set enumeration function, a domain credential reading function, and an optimal credential set search function.

作为本发明实施例一种可选的实施方式,检测模块120具体用于:As an optional implementation manner of the embodiment of the present invention, the detection module 120 is specifically used for:

提取获取模块110获取的读取进程的特征信息;Extracting the feature information of the reading process acquired by the acquiring module 110;

将读取进程与预设的黑白名单中的特征信息进行匹配;Match the reading process with the feature information in the preset black and white lists;

根据匹配结果确定安全性检测结果。A security detection result is determined according to the matching result.

作为本发明实施例一种可选的实施方式,装置还包括:提示模块150,处理模块130具体用于:As an optional implementation manner of the embodiment of the present invention, the device further includes: a prompt module 150, and the processing module 130 is specifically used for:

当检测模块120检测出的安全性检测结果指示读取进程为风险进程时,指示提示模块150输出风险提示信息,并提示用户是否阻止读取进程;When the safety detection result detected by the detection module 120 indicates that the reading process is a risky process, the instruction prompt module 150 outputs risk prompt information, and prompts the user whether to block the reading process;

当接收到用户的阻止读取进程的指令时,阻止读取进程继续读取用户凭据。When a user's instruction to prevent the reading process is received, the reading process is prevented from continuing to read user credentials.

作为本发明实施例一种可选的实施方式,提示模块150还用于:As an optional implementation manner of the embodiment of the present invention, the prompting module 150 is also used to:

弹窗提供全盘查杀的接口,以供用户选择是否对系统进行全盘查杀。The pop-up window provides an interface for scanning and killing the entire system for the user to choose whether to perform a full-scale scanning and killing of the system.

The user credential protection apparatus provided in this embodiment of the present invention may be a separate device, or may be integrated into a user credential protection device; this embodiment does not particularly limit this.

The user credential protection apparatus provided in this embodiment can execute the above method embodiment; its implementation principle and technical effect are similar and are not repeated here.

FIG. 4 is a schematic structural diagram of a user credential protection device provided by an embodiment of the present invention. As shown in FIG. 4, the user credential protection device provided in this embodiment includes a memory 210 and a processor 220. The memory 210 is used to store a computer program; the processor 220 is configured to execute the method described in the above method embodiment when the computer program is invoked.

The user credential protection device provided in this embodiment can execute the above method embodiment; its implementation principle and technical effect are similar and are not repeated here.

An embodiment of the present invention also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the method described in the foregoing method embodiments is implemented.

Those skilled in the art should understand that the embodiments of the present application may be provided as methods, systems, or computer program products. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media having computer-usable program code embodied therein.

The present application is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the present application. It should be understood that each procedure and/or block in the flowcharts and/or block diagrams, and combinations of procedures and/or blocks in the flowcharts and/or block diagrams, can be realized by computer program instructions. These computer program instructions may be provided to a general purpose computer, special purpose computer, embedded processor, or processor of other programmable data processing equipment to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing equipment produce an apparatus for realizing the functions specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instruction means realizing the functions specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.

The memory may include non-permanent storage in computer-readable media, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash RAM. The memory is an example of a computer-readable medium.

Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media exclude transitory computer-readable media, such as modulated data signals and carrier waves.

It should also be noted that the terms "comprise", "include" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus comprising a set of elements includes not only those elements but also other elements not expressly listed, or elements inherent in such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not preclude the presence of additional identical elements in the process, method, article, or apparatus that includes the element.

Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and do not limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A user credential protection method, characterized by comprising:
when it is monitored that user credentials are being read, obtaining the reading process;
performing security detection on the reading process to obtain a security detection result;
performing security protection processing on the user credentials according to the security detection result.
2. The method according to claim 1, characterized in that, before obtaining the reading process when it is monitored that user credentials are being read, the method further comprises:
monitoring preset application programming interface (API) functions;
when any one of the preset API functions is observed to be called, determining that the user credentials are being read.
3. The method according to claim 2, characterized in that the preset API functions include: all API functions that a reading process can call when reading the user credentials.
4. The method according to claim 3, characterized in that the preset API functions include: a credential set enumeration function, a domain credential reading function and a best credential set search function.
5. The method according to claim 1, characterized in that performing security detection on the reading process to obtain a security detection result comprises:
extracting the characteristic information of the reading process;
matching the reading process against the characteristic information in preset black and white lists;
determining the security detection result according to the matching result.
6. The method according to any one of claims 1 to 5, characterized in that performing security protection processing on the user credentials according to the security detection result comprises:
when the security detection result indicates that the reading process is a risky process, outputting risk indication information and prompting the user whether to block the reading process;
when the user's instruction to block the reading process is received, preventing the reading process from continuing to read the user credentials.
7. The method according to claim 6, characterized in that the method further comprises:
providing, in a pop-up window, an interface for a full-system scan, so that the user can select whether to perform a full scan and clean-up of the system.
8. A user credential protection apparatus, characterized by comprising:
an obtaining module, for obtaining the reading process when it is monitored that user credentials are being read;
a detection module, for performing security detection on the reading process to obtain a security detection result;
a processing module, for performing security protection processing on the user credentials according to the security detection result.
9. A user credential protection device, characterized by comprising a memory and a processor, the memory being used to store a computer program and the processor being used to execute the method according to any one of claims 1 to 7 when the computer program is invoked.
10. A computer-readable storage medium on which a computer program is stored, characterized in that, when the computer program is executed by a processor, the method according to any one of claims 1 to 7 is implemented.
CN201810701188.0A 2018-06-29 2018-06-29 User credential protection method, device and equipment Pending CN109033820A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810701188.0A CN109033820A (en) 2018-06-29 2018-06-29 User credential protection method, device and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810701188.0A CN109033820A (en) 2018-06-29 2018-06-29 User credential protection method, device and equipment

Publications (1)

Publication Number Publication Date
CN109033820A true CN109033820A (en) 2018-12-18

Family

ID=65521019

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810701188.0A Pending CN109033820A (en) 2018-06-29 2018-06-29 User credential protection method, device and equipment

Country Status (1)

Country Link
CN (1) CN109033820A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113536307A (en) * 2021-06-10 2021-10-22 安徽安恒数智信息技术有限公司 Identification method and system for credential scanning process

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101408917A (en) * 2008-10-22 2009-04-15 厦门市美亚柏科资讯科技有限公司 Method and system for detecting application program behavior legality
CN103679035A (en) * 2012-09-24 2014-03-26 腾讯科技(深圳)有限公司 Safety detection method and device
CN104156661A (en) * 2014-07-26 2014-11-19 珠海市君天电子科技有限公司 Device and method for preventing account passwords from being tampered
US20150319183A1 (en) * 2009-04-22 2015-11-05 Trusted Knight Corporation System and method for protecting against point of sale malware using memory scraping


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20181218)