WO2016086767A1 - Method, browser client, and device for achieving browser security - Google Patents


Info

Publication number
WO2016086767A1
Authority
WO
WIPO (PCT)
Prior art keywords
browser
window message
security
window
data
Application number
PCT/CN2015/094845
Other languages
French (fr)
Chinese (zh)
Inventor
党壮
吴亮
王天平
梁志辉
Original Assignee
北京奇虎科技有限公司
奇智软件(北京)有限公司
Application filed by 北京奇虎科技有限公司, 奇智软件(北京)有限公司
Publication of WO2016086767A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/10 File systems; File servers
    • G06F 16/17 Details of further file system functions
    • G06F 16/1734 Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/25 Integrating or interfacing systems involving database management systems

Definitions

  • the present invention relates to the field of browser technologies, and in particular, to a method for implementing browser security, a browser client, and a device with a browser client.
  • a browser is a piece of software that can display the contents of an HTML (HyperText Mark-up Language) file of a web server or file system and allow users to interact with these files.
  • the web browser mainly interacts with the web server through the HTTP protocol and acquires web pages. These web pages are specified by a URL (Uniform Resource Locator), and the file format is usually HTML.
  • the present invention has been made in order to provide a browser client and corresponding method for implementing browser security that overcomes the above problems or at least partially solves the above problems.
  • a method for implementing browser security including:
  • a system service that is started at operating system startup is installed, through the browser installation package, in the operating system on which the browser runs;
  • a security component is built into the browser, and after the browser starts the security component invokes the system service.
  • a browser client including:
  • an installation component configured to install, through the browser installation package when the browser is installed, a system service that is started at operating system startup in the operating system on which the browser runs;
  • a security component built into the browser and configured to invoke the system service, so that modification of the browser installation files and/or browser data by a first process independent of the browser process is blocked.
  • an apparatus with a browser client comprising:
  • a processor and a memory loaded with a plurality of executable instructions, the instructions performing a method comprising the following steps:
  • a system service that is started at operating system startup is installed, through the browser installation package, in the operating system on which the browser runs;
  • a security component is built into the browser, and after the browser starts the security component invokes the system service and intercepts modification of the browser installation file and/or the browser data by the first process independent of the browser process.
  • a computer program comprising computer readable code which, when run on a terminal device, causes the terminal device to perform any of the above methods for implementing browser security.
  • a computer readable medium storing a computer program for performing any of the methods for implementing browser security described above.
  • security-related system services can be written into the browser's logic alongside the traditional browser functions, so that the security function becomes a function of the browser itself, built in through the browser.
  • the security component invokes the system service to intercept modification of the browser installation file and/or browser data by the first process independent of the browser process, thereby solving the problem that the browser cannot monitor its own security, with the beneficial effect that the browser protects its own security by itself.
  • FIG. 1 is a flow chart of a method for implementing browser security according to an embodiment of the present invention.
  • FIG. 2 is a flow chart of a method for implementing browser security according to an embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of a method for implementing browser security according to an embodiment of the present invention.
  • FIG. 4 is a schematic structural diagram of a browser client according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of a browser client according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of a browser client according to an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of an apparatus with a browser client according to an embodiment of the present invention.
  • FIG. 8 is a block diagram of a terminal device for performing the method according to the invention.
  • FIG. 9 shows a storage unit for holding or carrying program code implementing the method according to the invention.
  • referring to FIG. 1, which is a schematic flowchart of a method for implementing browser security according to the present invention, the method may specifically include:
  • Step 110: when the browser is installed, install, through the browser installation package, a system service that is started at operating system startup in the operating system on which the browser runs;
  • a security component is built into the browser, and a corresponding system service is set up for the security component to provide the system permissions required for security protection.
  • the system service follows the installation logic of the browser in the browser installation package. The system service only interacts internally with the browser's security component; it requires no interface from the browser to external applications, and can be secured inside the browser.
  • the system service that is started at operating system startup is thus installed in the operating system on which the browser runs through the browser installation package.
  • a corresponding virtual device-level driver, controlled by the system service, may also be installed by the browser installation package; the virtual device-level driver is a kernel-level program and has the highest authority in the operating system.
  • the system service can invoke the virtual device-level driver as needed to perform the operations that intercept modification of the browser installation file and/or browser data by the first process independent of the browser process.
  • a DLL file is generated among the system files, and the relevant parameters of the DLL are written into the registry entries of the operating system service.
  • the .sys file of the virtual device-level driver is installed into the operating system, and the relevant parameters of the .sys file are written into the registry.
  • after the operating system starts, it starts the .exe file of the system service, which then waits for notification from the browser's security component.
  • Step 120: a security component is built into the browser, and after the browser starts the security component invokes the system service and intercepts modification of the browser installation file and/or the browser data by the first process independent of the browser process.
  • the invention builds a security component on top of the browser's traditional functional component architecture. After the browser starts, the security component invokes the already-running system service to intercept modification of the browser installation files and/or browser data by the first process independent of the browser process, thereby protecting the browser's data.
  • the security component invoking the system service to intercept modification of the browser installation file and/or the browser data by the first process independent of the browser process includes:
  • Sub-step 131: the system service is invoked by the security component to control the virtual device-level driver, which in turn intercepts modifications to the browser installation files and/or browser data by the first process independent of the browser process.
  • the present invention controls the virtual device-level driver through the system service and thereby obtains kernel-level authority; since kernel-level authority is the highest authority and can perform any operation, the browser can perform security protection operations on itself.
  • the browser data includes webpage data accessed by a browser.
  • the webpage data is the data the user obtains from the server while accessing webpages with the browser, and the present invention can protect this webpage data.
  • intercepting modification of the browser data by the first process independent of the browser process includes:
  • Sub-step 132: for the webpage data of the browser, the security component calls the system service to perform a security scan on the webpage data.
  • the security component of the embodiment of the present invention invokes the system service for the webpage data accessed by the browser, and the data is scanned for security.
  • URL: Uniform Resource Locator
  • a cloud server may be used to scan whether the URL of the webpage is a secure URL, for example whether it is a fraudulent URL or a phishing URL. If it is not secure, the content of the webpage corresponding to the URL may be obtained, and the user may be prompted to close the webpage.
  • the webpage content corresponding to the URL may be obtained.
  • whether there is an unsafe link in the content is checked, for example by analyzing the URL of the advertisement part of the webpage content and determining whether the advertisement URL is safe according to the foregoing URL library; if it is not safe, rendering of the advertisement content part is suspended or the advertisement content part is replaced with secure content, and the user may be prompted to close the webpage, the user continuing to access the URL only if the user chooses to continue accessing the webpage.
  • the handling of unsafe URLs can be run in a sandbox, i.e., intercepting modification of the browser installation file and/or browser data by the first process independent of the browser process includes:
  • Sub-step 133: it is determined whether the currently opened webpage is safe; if it is not secure, the webpage process for the webpage is put into a sandbox to run.
  • a sandbox is an execution environment that limits program behavior in accordance with security policies. Since the processing of each webpage's data needs to be executed in a webpage process, when the webpage data is judged not to be secure, the webpage process that processes that webpage data can be put into a sandbox to run with restricted permissions, which prevents Trojans and malicious scripts in the webpage from executing and affecting the security of the local system.
  • intercepting modification of the browser installation files and/or browser data by the first process independent of the browser process includes:
  • Sub-step 134 intercepting the acquisition of the security information in the browser data by the first process independent of the browser process; the security information includes at least one of a web address, a download file, a phone number, a public number, and a live chat number.
  • in the process of using the browser, a large amount of data is produced, such as the URL when accessing a webpage, the URLs stored in the favorites folder, files downloaded by the browser's downloader, phone numbers entered by the user in webpages, personal information such as the public account number of social networking sites such as Weibo that the user logs into, instant chat numbers entered in webpages, bank account information, and login information such as the login account and password of the user on each website recorded in cookies.
  • the invention can protect the above personalized information recorded by the browser itself, and intercept acquisition of the personalized information by the first process independent of the browser process.
  • the present invention can monitor the process that reads browser cookie information at a specified location of the browser, or monitor whether the process that reads bookmark URLs is a browser process; if it is not, it can be considered the first process independent of the browser process, and its read action is intercepted. Alternatively, it is determined whether the current webpage is one that requires the input of account information (public account number, bank account, email account, instant messaging account, etc.), and if so, whether the process obtaining the account information is a browser process; if not, it can be considered the first process independent of the browser process, and its acquisition action is intercepted.
  • the method further comprises:
  • in order to prevent the browser's update file from being tampered with, for example by a Trojan being added to the update file, when the browser obtains an update file the present invention calls the system service to obtain the browser's update file. Because the system service itself has high security, the update file is not easily replaced when it is obtained, and it can also be verified to be a secure update file, so that the browser can be updated securely.
  • intercepting modification of the browser data by the first process independent of the browser process comprises:
  • Sub-step 136: intercept modification of browser-related configuration parameters in the operating system by the first process independent of the browser process.
  • the browser itself performs related configuration in the operating system, such as being set as the default browser of the operating system, or storing browser function configuration parameters.
  • the invention can intercept modification of the above browser-related configuration parameters of the operating system by the first process independent of the browser process.
  • intercepting modification of the browser-related configuration information in the operating system by the first process independent of the browser process comprises:
  • Sub-step 137: intercepting the operation by which a second process independent of the browser changes the program associated with the HTTP protocol in the current operating system from the current browser to another handler program;
  • the invention can intercept operations that modify the default browser of the current operating system, and ensure that the current browser remains set as the default browser of the operating system.
  • modification of the default value of the HKEY_CLASSES_ROOT\http\shell\open\command subkey and of the default value of the HKEY_CLASSES_ROOT\http\shell\open\ddeexec\Application subkey in the registry can be intercepted.
  • the RegSetValueEx() function is used to modify the above registry keys.
  • RegSetValueEx() is a registry modification function whose function prototype begins:
  • HKEY hKey // handle to a currently open key; may also be one of the five root keys of the registry
  • Sub-step 138: intercepting modification of the configuration information of the current browser's functions by the second process independent of the browser.
  • the browser function configuration information includes, for example, the browser's configured homepage, whether an advertisement filter plug-in is configured, the configured toolbar display content, the configured shortcut key functions, and the like.
  • taking the browser homepage as an example, the function that modifies the browser homepage key value in the registry can be intercepted.
  • the second process independent of the browser may first look up the browser homepage key value in the registry, for example by querying it with ADVAPI32!RegQueryValueExW or SHDOCVW!URLSubRegQueryW, and then call the RegSetValueEx() function to modify the key value.
  • the present invention can directly intercept the calls to the above functions by the second process independent of the browser.
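The policy of sub-steps 137 and 138, modelled as an added example (not code from the patent or its assignee): each RegSetValueEx-style write is checked against the protected keys, and only the browser's own process may touch them. The browser image name, the process ids, the homepage key path and the sample writes are constructed placeholders.

```python
from dataclasses import dataclass

# Registry keys the page names for the HTTP protocol handler association
# (sub-step 137), plus a hypothetical placeholder for the homepage key of
# sub-step 138, which the page does not name.
PROTECTED_KEYS = {
    r"HKEY_CLASSES_ROOT\http\shell\open\command",
    r"HKEY_CLASSES_ROOT\http\shell\open\ddeexec\Application",
    r"HKEY_CURRENT_USER\Software\ExampleBrowser\Main\StartPage",  # placeholder
}

# The five predefined root keys and their common abbreviations.
ROOT_ALIASES = {
    "HKCR": "HKEY_CLASSES_ROOT", "HKCU": "HKEY_CURRENT_USER",
    "HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS", "HKCC": "HKEY_CURRENT_CONFIG",
}

# Hypothetical image name of the browser's own processes.
BROWSER_IMAGE = "examplebrowser.exe"


def normalize_key(path: str) -> str:
    """Canonicalise a registry path so spelling variants compare equal:
    expand root abbreviations, accept '/' as separator, ignore case."""
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    if not parts:
        return ""
    root = parts[0].upper()
    parts[0] = ROOT_ALIASES.get(root, root)
    return "\\".join(parts).lower()


PROTECTED = {normalize_key(k) for k in PROTECTED_KEYS}


@dataclass(frozen=True)
class RegWrite:
    """One observed RegSetValueEx-style write, as the filter would see it."""
    pid: int
    image: str        # executable name of the writing process
    key: str
    value_name: str   # "" means the key's (Default) value
    data: str


def decide(write: RegWrite, browser_pids: set) -> str:
    """Policy of sub-steps 137/138: writes to protected keys are allowed only
    from the browser's own processes; everything else on those keys is blocked."""
    if normalize_key(write.key) not in PROTECTED:
        return "ignore"   # not a browser-related key; outside the filter's scope
    if write.pid in browser_pids and write.image.lower() == BROWSER_IMAGE:
        return "allow"
    return "block"


def audit(writes, browser_pids):
    """Apply the policy to a batch of writes; returns [(pid, key, decision)]."""
    return [(w.pid, normalize_key(w.key), decide(w, browser_pids)) for w in writes]


# Constructed sample: one legitimate write by the browser, one attempt by a
# foreign process to re-point the HTTP handler, one unrelated write.
SAMPLE_WRITES = [
    RegWrite(1200, "ExampleBrowser.exe", r"HKCR\http\shell\open\command", "",
             r'"C:\Program Files\ExampleBrowser\examplebrowser.exe" "%1"'),
    RegWrite(4410, "updater_helper.exe",
             r"HKEY_CLASSES_ROOT\http\shell\open\ddeexec\Application", "", "OtherApp"),
    RegWrite(4410, "updater_helper.exe", r"HKCU\Software\OtherApp\Settings", "Theme", "dark"),
]
BROWSER_PIDS = {1200}

if __name__ == "__main__":
    for pid, key, verdict in audit(SAMPLE_WRITES, BROWSER_PIDS):
        print(f"{verdict:6s} pid={pid} {key}")
```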
  • intercepting modification of the browser data by the first process independent of the browser process comprises:
  • Sub-step 138: intercept modification of the user's personalized data recorded by the current browser by the first process independent of the browser process.
  • the browser locally records a great deal of the user's personalized data, such as webpages bookmarked by the user, whose URLs are generally displayed in the form of webpage names.
  • the browser may also store cookie information locally, and the cookies may record various information about the user's activity, such as which websites were visited and which accounts and passwords were used to log in; if a browser-independent process obtains the above data, the user's personalized data is leaked.
  • the present invention can intercept modification and acquisition of the user's personalized data recorded by the browser by the first process independent of the browser process.
  • intercepting modification of the browser data by the first process independent of the browser process comprises:
  • Sub-step 139: for the web address accessed by the browser, use the cloud antivirus engine to determine whether the URL is secure; if the URL is not secure, intercept it.
  • in order to reduce the size of the browser, that is, to prevent the browser's files from becoming particularly large because the browser performs security protection on itself, the present invention makes use of a cloud antivirus engine: after the security component obtains the URL, the security module invokes the cloud antivirus engine to determine the security of the URL; the cloud antivirus engine returns the judgment result to the security module, and the security module analyzes the result. If the URL is not secure, loading of the URL is intercepted by the system service, and further, the webpage process corresponding to the URL may be put into a sandbox to run. Of course, the user can also be prompted that the URL is unsafe.
  • intercepting modification of the browser data by the first process independent of the browser process comprises:
  • Sub-step 140: for a file downloaded by the browser, perform security detection on the file using the cloud antivirus engine.
  • the embodiment of the invention can also protect the process of downloading a file with the browser. For example, when a download link is triggered in the browser, the cloud antivirus engine determines whether the download link is secure; if it is not secure, the security component is notified to prompt the user whether to continue downloading, and the security component simultaneously intercepts the download process through the system service.
  • for a downloaded file, the security component can obtain the feature information of the file through the system service and upload the feature information to the cloud antivirus engine to determine whether the file is secure; the cloud antivirus engine returns the judgment result to the browser's security component, and the security component can then indicate whether the file is safe at the file's entry in the downloader.
  • intercepting modification of the browser data by the first process independent of the browser process comprises:
  • Sub-step 141: when it is determined that the webpage opened by the browser is an online shopping page, detect whether the current online shopping environment is safe;
  • for the webpage opened by the browser, it may be determined whether the webpage is an online shopping page, and when it is determined that the webpage opened by the browser is an online shopping page, it is detected whether the system environment is safe.
  • the domain name of each shopping website is analyzed, the online shopping feature word of each shopping website is extracted, and the online shopping feature word set is obtained;
  • for example, the domain name of Taobao is www.taobao.com, so taobao is added to the online shopping feature word set as Taobao's online shopping feature word; when the domain name the user currently visits through the terminal browser is paimai.taobao.com, because the keyword taobao included in the domain name matches the online shopping feature word taobao in the online shopping feature word set, it can be determined that the website the user is currently logged into is a shopping website.
  • this embodiment can also analyze the domain name of each payment website according to a pre-collected set of payment websites, extract the payment feature word of each payment-type website, and obtain the payment feature word set; for example, the domain name of China Merchants Bank is www.cmbchina.com, so cmbchina is set as the payment feature word of the China Merchants Bank website and added to the preset payment feature word set; when the domain name of the website the user is currently on is ccclub.cmbchina.com, because the keyword cmbchina included in the domain name matches the payment feature word cmbchina in the payment feature word set, it can be determined that the website the user is currently logged into is a payment website, and the corresponding webpage can likewise be understood as an online shopping page.
  • the invention can monitor whether the online shopping environment is safe. For example, it is determined whether the local system environment is secure, e.g. whether a browser-independent process is obtaining information from the webpage, and if so the system environment is adjusted to a secure system environment for the online shopping page. The security of the online shopping page itself is also detected, for example according to the IP address of the website hosting the online shopping page: if the IP address is included in an IP address blacklist, the website is determined to be a dangerous website, and the online shopping page is also a dangerous page.
  • alternatively, the hash value of the URL is calculated from the uniform resource locator (URL) of the online shopping page, and if the calculated hash value is included in a hash value blacklist, the online shopping page is determined to be a dangerous page. For example, in practice, for the URL of each dangerous webpage included in a blacklist website list, the referrer chain address of the URL is detected and the hash value of the referrer chain address of each dangerous webpage is calculated, and the resulting hash values form the hash value blacklist; therefore, when the currently visited website is an online shopping page, the referrer chain address of the online shopping page's URL is obtained and its hash value is calculated, and if that hash value is in the above hash value blacklist, the online shopping page is determined to have a high risk probability.
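Sub-step 141 as an added example, not the patent's code: feature words are extracted from the pre-collected shopping and payment domains the page uses (www.taobao.com, www.cmbchina.com), a visited host is matched against them, and a shopping or payment page reached through a referrer whose hash is in the blacklist is flagged. The hash algorithm (SHA-256), the generic-label list and the lure URL are assumptions.

```python
import hashlib
from urllib.parse import urlsplit

# Labels that carry no site identity and are skipped when extracting feature words.
GENERIC_LABELS = {"www", "com", "cn", "net", "org", "co"}


def feature_word(domain: str) -> str:
    """Feature word of a site's domain: its registrable label, e.g. 'taobao'
    from www.taobao.com and 'cmbchina' from www.cmbchina.com."""
    labels = [l for l in domain.lower().split(".") if l and l not in GENERIC_LABELS]
    return labels[-1] if labels else ""


def build_feature_set(domains) -> set:
    """Collect the feature words of a pre-collected set of site domains."""
    return {w for w in (feature_word(d) for d in domains) if w}


def classify_host(host: str, shopping_words: set, payment_words: set) -> str:
    """Match the labels of the visited host against both feature-word sets, as
    the page does for paimai.taobao.com and ccclub.cmbchina.com."""
    labels = set(host.lower().split("."))
    if labels & payment_words:
        return "payment"
    if labels & shopping_words:
        return "shopping"
    return "other"


def url_hash(url: str) -> str:
    """Hash of a URL; SHA-256 is assumed here, the page does not fix the algorithm."""
    return hashlib.sha256(url.encode("utf-8")).hexdigest()


def build_hash_blacklist(dangerous_referrers) -> set:
    """Hash the referrer chain addresses of known dangerous pages."""
    return {url_hash(r) for r in dangerous_referrers}


def assess_page(url: str, referrer, shopping_words, payment_words, hash_blacklist):
    """Return (kind, risky): kind from the feature-word match, risky when the page
    is a shopping/payment page reached via a blacklisted referrer."""
    host = urlsplit(url).hostname or ""
    kind = classify_host(host, shopping_words, payment_words)
    if kind == "other":
        return kind, False
    risky = referrer is not None and url_hash(referrer) in hash_blacklist
    return kind, risky


# Constructed sample data: the two sites the page uses, plus one made-up lure URL
# standing in for the referrer chain address of a known dangerous page.
SHOPPING_WORDS = build_feature_set(["www.taobao.com"])
PAYMENT_WORDS = build_feature_set(["www.cmbchina.com"])
HASH_BLACKLIST = build_hash_blacklist(["http://lure.invalid/win-a-prize"])

if __name__ == "__main__":
    print(assess_page("https://paimai.taobao.com/item?id=1",
                      "http://lure.invalid/win-a-prize",
                      SHOPPING_WORDS, PAYMENT_WORDS, HASH_BLACKLIST))
```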
  • Sub-step 142: generate a protection ticket number in the secure system environment for the current online shopping page.
  • when the user uses the browser for online shopping, the present invention can provide additional compensation protection for the user's online shopping behavior.
  • the present invention can generate a protection ticket number in the current secure system environment, record the user's online shopping behavior, and transmit it to the server. If the user is defrauded, the user may apply to the server for compensation; after receiving the application, the server determines according to the protection ticket number whether the conditions for compensation are met and compensates accordingly.
  • intercepting modification of the browser installation file and/or the browser data by the first process independent of the browser process comprises:
  • Sub-step 144: intercept the first process independent of the browser from injecting code into the browser to hijack the browser.
  • the present invention can invoke the system service through the security component to intercept the first browser-independent process injecting browser-hijacking code into the browser.
  • the modification in "modification of the browser installation file and/or the browser data" may be understood as tampering or obtaining.
  • intercepting modification of the browser installation file and/or the browser data by the first process independent of the browser process includes:
  • Sub-step 145: using the system service, intercept modification of the browser installation file and/or browser data by the first process independent of the browser process by invoking the virtual device-level driver.
  • the foregoing interception may be performed by the system service invoking the virtual device-level driver, which intercepts with kernel-level permissions so as to ensure the success rate of interception.
  • a new modification is also made to the browser architecture, on top of the traditional architecture of the browser. The traditional components of a browser are: the user interface component, including the address bar, back/forward buttons, bookmark directory, etc., in addition to the main window used to display the requested page; the browser engine component, the interface used to query and manipulate the rendering engine; the rendering engine component, which displays the requested content (for example, if the requested content is HTML, it is responsible for parsing the HTML and CSS and displaying the parsed result); the network component, used to complete network calls such as HTTP requests; the UI backend component, used to draw widgets such as combo boxes and dialog boxes; the JS interpreter component, which interprets and executes JS code; and the data storage component, since the browser needs to save various data such as cookies on the hard disk.
  • on top of this component architecture a security component is added, and a corresponding system service is set up; the security component protects the data generated by the above components during their operation through the system service, which improves the autonomy and flexibility of browser security protection and removes the dependence on third-party antivirus software.
  • referring to FIG. 2, which is a schematic flowchart of a method for implementing browser security according to the present invention, the method may specifically include:
  • Step 210: when the browser is installed, install, through the browser installation package, a system service that is started at operating system startup in the operating system on which the browser runs;
  • Step 220: a security component is built into the browser, and after the browser starts the security component invokes the system service.
  • intercepting the first process independent of the browser from injecting code into the browser to hijack the browser includes:
  • Step S222: copy the source layered service provider linked list of the current browser to obtain a first layered service provider linked list;
  • an LSP (Layered Service Provider) is implemented as an LSP DLL (Dynamic Link Library);
  • the LSP DLL is written into the registry (for example, at the corresponding location under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters), and the relevant configuration information is written into the configuration information of the browser's source LSP linked list; that configuration information records information such as the registry location of the above DLL.
  • the source LSP linked list is loaded according to the configuration information of the browser's source LSP linked list, that is, the DLL of each node in the LSP linked list is loaded; a network request of the browser then starts from the first LSP node in the source LSP list and is passed from one LSP node to the next until it reaches the other protocol layers, such as the TCP/IP protocol layer.
  • the present invention first transforms the source LSP linked list before the browser's first network request is issued. First, the source LSP linked list, i.e. the ordered DLL files in the source LSP list, is copied, and the duplicate is used as the first LSP linked list for subsequent processing.
  • for example, if the source LSP list is A.dll->B.dll->C.dll->D.dll, the first LSP list obtained by copying is A.dll->B.dll->C.dll->D.dll.
  • the path of each source node recorded in the registry may be looked up through the configuration information of the browser's source LSP linked list, and the source nodes of the source LSP linked list are then copied via those paths.
  • Step S224 Convert the source node that is not allowed to access in the first hierarchical service provider linked list to a virtual node, to obtain a converted second hierarchical service provider linked list; and the virtual hierarchical service provider node implements each Layer the service provider interface and return a null value;
  • the first LSP linked list obtained by the foregoing copy may be judged one by one whether each node in the first LSP linked list is a source node that is not allowed to access.
  • the judgment of the source node can be determined by the name of the node.
  • for example, the name of an LSP node is mswsock.dll; whether it is allowed can be judged by a whitelist or a blacklist.
  • a node in the first LSP linked list that is not in the whitelist is not allowed to access, that is, the dll of that LSP node is not allowed to be loaded.
  • only the default LSP node names present in the initial state of the system can be written to the white list.
  • the names of LSP nodes injected by other secure applications can also be written to the white list, and the white list can be updated by the server.
  • a blacklist of LSP nodes can also be constructed.
  • for a source node that is not allowed to access, the embodiment of the present invention converts it into a virtual node, that is, fake.dll. The virtual LSP node implements all interfaces of the LSP, so the network request transmitted by the node preceding the virtual node can be passed to the virtual node normally; the virtual node does not process the network request, that is, it returns a null value NULL, and then continues to transmit the network request downward. Therefore the virtual node does not cause an abnormality in the network request transmission that would result in failure to access the Internet. After replacing the source nodes that are not allowed to access with the foregoing virtual node, the second LSP linked list is obtained.
  • converting the source node in the first hierarchical service provider linked list that is not allowed to access into a virtual node includes:
  • Sub-step S2241 Obtain identity information of each source node of the source layered service provider linked list by using configuration information of the source layered service provider linked list;
  • the identity information of each source node of the first hierarchical service provider linked list can be obtained by reading the configuration information of the source LSP linked list in the browser.
  • the identity information of a source node is generally stored, for example, as the registry key, the record name and the sequence number recorded for each node, and the embodiment of the present invention can determine the identity information of each node, such as its name, from that configuration information.
  • for example, the identity information of the nodes in the first LSP linked list can be obtained as A, B, C, and D.
  • Sub-step S2242 matching the identity information of each source node with a preset identity information list, and determining a source node that is not allowed to access according to the matching result;
  • an identity information white list or an identity information blacklist may be constructed, and the identity information of each source node is matched against it. For example, if [A, D] is set in the white list, then after A, B, C, and D are matched against the white list respectively, it is determined that the source nodes named B and C are not allowed to access.
  • Sub-step S2243 converting the path of the source node that is not allowed to access in the registry to the path of the virtual node, to obtain a second hierarchical service provider linked list;
  • a virtual node, such as fake.dll, may be preset, stored, and assigned a specified path.
  • a source node is loaded through the source node path recorded in the corresponding registry entry, so for a source node that is not allowed to access, the path recorded in its registry entry may be replaced with the path of the virtual node.
  • one virtual node may be set for all source nodes that are not allowed to access, and the paths of the corresponding registry keys are all replaced with the path of that virtual node.
  • alternatively, the initially set virtual node is used as a template, the corresponding number of virtual nodes is copied, and the file names of the copies are modified to differ. For example, the foregoing example has the two nodes B and C, so two virtual nodes fake1.dll and fake2.dll can be copied, each with its own path; the registry path of B.dll is then modified to the path of fake1.dll, and the registry path of C.dll to the path of fake2.dll.
  • converting the path of the source node that is not allowed to access in the registry to the path of the virtual node includes:
  • Sub-step A2242 the system service receives a registry path setting request sent by the security component, and sends an I/O request packet to the virtual device-level driver according to the registry path setting request;
  • the system service starts with the system startup and is always running, listening for requests sent by the browser. If a registry path setting request sent by the browser is received, an I/O request packet (IRP) is created according to that request and delivered to the virtual device-level driver, because the Windows operating system transfers instructions from the application layer to the underlying driver through I/O request packets.
  • since the system service invokes the virtual device-level driver in the embodiment of the present invention, the IRP needs to be constructed with the device-level driver as its target and then delivered to the device-level driver.
  • the IRP includes an instruction that controls the device-level driver to convert the path of the source node that is not allowed to access in the registry to the path of the virtual node, for example the registry key information of the node that is not allowed to access and information such as the path of the virtual node that replaces that node.
  • Sub-step A2243 after receiving the I/O request packet, the virtual device-level driver invokes a registry modification function to convert the path of the source node that is not allowed to access in the registry to the path of the virtual node.
  • after receiving the I/O request packet delivered by the system service, the virtual device-level driver parses the instruction in the I/O request packet to obtain the registry key information of the node that is not allowed to access and the path information of the virtual node corresponding to that node, and then calls the registry modification function, which converts the path of the source node that is not allowed to access into the path of the virtual node in the registry.
  • the network request of the browser can then be controlled to be transmitted through the second LSP linked list.
  • the transmitting, by the current browser, the network request by using the second hierarchical service provider linked list comprises:
  • Sub-step S2261 searching the registry, by using the configuration information of the source layered service provider linked list, for the dynamic link library of each node of the second hierarchical service provider linked list, and loading it.
  • the embodiment of the present invention does not modify the configuration information of the source layered service provider list of the browser; it only modifies the node path and node content that the configuration information points to. The browser therefore still obtains the corresponding dll according to the configuration information of the original LSP linked list.
  • for the source node configuration entries whose path was replaced, the browser loads the virtual node from the path now recorded in the registry key, so it finally loads the second LSP linked list and does not load the dll of the real source node that is not allowed to access.
  • the security component may invoke a virtual device-level driver to convert a source node that is not allowed to access in the first hierarchical service provider linked list into a virtual node by using a system service.
  • the path of the source node that is not allowed to access in the registry can be converted into the path of the virtual node by the registry modification function RegSetValueEx().
  • for outgoing transmission of the browser's network request, the request needs to be processed by the LSP linked list before it can be transmitted down to the communication protocol layer (such as the TCP/IP layer) and then to the outside. Traditional technology can therefore inject a custom LSP node into the LSP list to hijack and process the browser's network request, which may cause security risks and other issues.
  • in the embodiment of the present invention, before the browser sends its first network request, the source LSP linked list, into which applications in the system have injected LSP nodes, is replaced by the second LSP linked list, in which the source nodes that do not need to be accessed are replaced by virtual nodes.
  • no matter how many LSP nodes applications have injected, the network request sent by the browser is thus transmitted through the secure LSP linked list, improving the security of the browser.
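The LSP list conversion of steps S222 to S226 (copy, whitelist matching, path replacement, loading, and the null-returning virtual node) as an added runnable simulation, not code from the patent or its assignee. The Windows registry is replaced by an in-memory dict and each LSP dll by a small Python callable, so it runs offline; the node names, dll paths, whitelist and fake.dll path are constructed sample values.

```python
"""Simulation of the LSP linked-list conversion described in steps S222 to S226.
Added example, not code from the patent or its assignee: the registry is an
in-memory dict and LSP nodes are Python callables, so nothing real is modified."""
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed stand-in for the registry entries the browser's LSP configuration
# points at: record name -> dll path loaded for that node. SOURCE_ORDER is the
# node sequence of the source LSP configuration (A -> B -> C -> D, as in the text).
SOURCE_REGISTRY: Dict[str, str] = {
    "A": r"C:\Windows\System32\A.dll",
    "B": r"C:\ProgramData\Vendor\B.dll",  # constructed: node injected by a third party
    "C": r"C:\ProgramData\Vendor\C.dll",  # constructed: node injected by a third party
    "D": r"C:\Windows\System32\D.dll",
}
SOURCE_ORDER: List[str] = ["A", "B", "C", "D"]
WHITELIST: Set[str] = {"A", "D"}            # default system nodes ([A, D] in the text)
FAKE_TEMPLATE = r"C:\Browser\fake.dll"      # constructed path of the preset virtual node


def copy_source_list(order: List[str], registry: Dict[str, str]) -> List[Tuple[str, str]]:
    """Step S222: duplicate the source list as (name, path) pairs; the source is untouched."""
    return [(name, registry[name]) for name in order]


def find_disallowed(first_list: List[Tuple[str, str]],
                    whitelist: Optional[Set[str]] = None,
                    blacklist: Optional[Set[str]] = None) -> List[str]:
    """Sub-steps S2241/S2242: match each node's identity (its name) against the preset
    list. Whitelist mode: every name not listed is disallowed; blacklist mode: every
    name listed is disallowed. Exactly one of the two lists must be supplied."""
    if (whitelist is None) == (blacklist is None):
        raise ValueError("supply either a whitelist or a blacklist, not both")
    if whitelist is not None:
        return [name for name, _ in first_list if name not in whitelist]
    return [name for name, _ in first_list if name in blacklist]


def convert_registry_paths(registry: Dict[str, str], disallowed: List[str],
                           fake_template: str = FAKE_TEMPLATE) -> Dict[str, str]:
    """Sub-step S2243: return a modified copy of the registry in which each disallowed
    node's path points at its own copy of the virtual node (fake1.dll, fake2.dll, ...).
    This stands in for the RegSetValueEx() call the text mentions; nothing is written."""
    new_registry = dict(registry)
    stem, ext = fake_template.rsplit(".", 1)
    for i, name in enumerate(disallowed, start=1):
        new_registry[name] = f"{stem}{i}.{ext}"
    return new_registry


def load_second_list(order: List[str], registry: Dict[str, str]) -> List[str]:
    """Sub-step S2261: the browser still walks the *source* configuration order, but the
    dll path resolved for each node now comes from the modified registry."""
    return [registry[name] for name in order]


# --- transmission through the chain (Step S226) --------------------------------
# A node is a function taking the request and returning either a (possibly modified)
# request or None. None models the virtual node "returning NULL": it did no processing.
def make_real_node(path: str) -> Callable[[str], Optional[str]]:
    # Constructed behaviour: a real node tags the request with its own file name.
    return lambda req: f"{req}|{path.rsplit(chr(92), 1)[-1]}"


def virtual_node(_req: str) -> Optional[str]:
    return None


def transmit(request: str, chain: List[str], fake_template: str = FAKE_TEMPLATE) -> str:
    """Pass the request node by node. A None result means the node left the request
    untouched, so the unchanged request continues downward instead of aborting."""
    fake_prefix = fake_template.rsplit(".", 1)[0]
    for path in chain:
        node = virtual_node if path.startswith(fake_prefix) else make_real_node(path)
        result = node(request)
        if result is not None:
            request = result
    return request  # what reaches the TCP/IP layer


def build_and_transmit(request: str = "GET /") -> Tuple[List[str], str]:
    """Run the whole procedure: returns (second LSP chain, request as it leaves it)."""
    first = copy_source_list(SOURCE_ORDER, SOURCE_REGISTRY)
    disallowed = find_disallowed(first, whitelist=WHITELIST)
    registry2 = convert_registry_paths(SOURCE_REGISTRY, disallowed)
    chain = load_second_list(SOURCE_ORDER, registry2)
    return chain, transmit(request, chain)


if __name__ == "__main__":
    second_chain, delivered = build_and_transmit()
    print("\n".join(second_chain))
    print(delivered)
```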
  • FIG. 3 is a schematic flowchart of a method for implementing browser security according to the present invention, which may specifically include:
  • Step 310 When the browser is installed, install a system service started by the operating system startup in the operating system of the browser through the browser installation package;
  • Step 320 A security component is built in the browser, and the system service is invoked by the security component after the browser is started.
  • the intercepting of a first process independent of the browser injecting code into the browser to hijack the browser includes:
  • Step S321 loading a window message hook function for intercepting the window message;
  • the CBT hook function WH_CBT is loaded; the window messages sent when a Windows window is activated, created, released (closed), minimized, maximized, or changed can be intercepted by the WH_CBT hook.
  • the present invention can then load the above CBT hook function.
  • the loading of the window message hook function for intercepting the window message comprises:
  • Sub-step S3211 calling a dynamic link library load function to load the dynamic link library in which the window message hook function is located to load the window message hook function.
  • WH_CBT needs to be installed through the SetWindowsHookEx function.
  • the function prototype is: HHOOK SetWindowsHookEx(int idHook, HOOKPROC lpfn, HINSTANCE hMod, DWORD dwThreadId); where:
  • int idHook is the type of hook to install, here WH_CBT;
  • HOOKPROC lpfn is a pointer to the hook procedure, that is, the preprocessing performed after intercepting the specified system message, which must be defined in the DLL;
  • HINSTANCE hMod is the handle of the application instance, which can be the DLL where the CBT hook is located;
  • DWORD dwThreadId is set to 0, indicating that this hook is a global hook monitoring all threads of the system.
  • the DLL of the CBT hook can be loaded by the dynamic link library loading function LoadLibrary, and the execution logic of the CBT hook is also loaded.
  • the prototype of the LoadLibrary function is as follows:
  • in this way the DLL in which the CBT hook function is located is loaded, so the CBT hook function and the processing logic executed after the hook captures a window message are loaded.
  • alternatively, the loading of the window message hook function for intercepting the window message comprises:
  • Sub-step A322 the system service receives a load request sent by the security component to the system service, and creates an I/O request packet to be delivered to the virtual device-level driver according to the load request;
  • the system service starts when the system is started and is always running, listening for requests sent by the browser. If a loading request sent by the browser is received, an I/O request packet (IRP) is created according to the loading request and delivered to the virtual device-level driver, because the Windows operating system transfers instructions from the application layer to the underlying driver through I/O request packets.
  • since the system service invokes the virtual device-level driver in the embodiment of the present invention, the IRP needs to be constructed with the device-level driver as its target and then delivered to the device-level driver.
  • the IRP includes an instruction that controls the device-level driver to load the CBT hook function, together with information about it, such as the path of the dll where the CBT hook function is located.
  • Sub-step A323 after receiving the I/O request packet, the virtual device-level driver invokes a dynamic link library load function to load a window message hook function for intercepting a window message.
  • after receiving the I/O request packet delivered by the system service, the virtual device-level driver parses the instruction in the I/O request packet to obtain the information of the dll where the CBT hook function is located, and then invokes the dynamic link library load function to load that dynamic link library, thereby loading the window message hook function. In the above way, the CBT hook function is loaded.
  • Step S322 for the window message in the operating system, intercepting by using the window message hook function
  • when an application injects an unsafe dynamic link library into the browser, it controls the operating system to perform the injection into the browser through a window message, and the present invention can intercept that window message through the CBT hook function when it is sent.
  • Step S323 it is determined whether the window message is a window message of the hijacking browser; if the window message is a window message of the hijacking browser, the process proceeds to step S324;
  • whether the window message is one that hijacks the browser may be determined according to the window handle of the intercepted window message.
  • the determining whether the window message is a window message of a hijacking browser comprises:
  • Sub-step S3231 matching the window handle name to which the window message belongs to the preset window handle list; if the window handle matches, determining that the window message is a window message of the hijacking browser.
  • if an application other than the browser is to inject a dll that hijacks the browser into the browser, it needs to start a corresponding window and the like through a window message, and then send, under that window, the window message that executes the dll injection.
  • the Windows system processes the received window message, for example by executing the dll installation process, writing the dll to the specified location of the browser, and writing the relevant parameters of the dll into the registry key associated with the browser.
  • each window has a window handle, so the present invention can pre-register the window handles started by applications that inject dlls not meeting the security requirement into the browser, and generate a blacklist of window handles.
  • the present invention can directly obtain the window handle to which a window message belongs and match it against the window handles in the blacklist; if it matches, the window message is determined to be a window message hijacking the browser.
  • that is, whether the window message is a window message of the hijacking browser can be determined by the result of matching the window handle.
  • the preset window handle list of the present invention can be continuously updated according to the analysis of the application, and can be updated to the client through the cloud server.
  • the method further comprises:
  • Sub-step S3232 obtaining a verification signature of the application to which the window handle belongs
  • Sub-step S3233 verifying the verification signature, and if the verification fails, determining that the window message is a hijacking browser window message.
  • otherwise, the window message is released.
  • the verification signature of the application to which the window handle belongs, such as a verification signature issued by a third-party security platform, may also be obtained. The digital signature is then matched against the pre-recorded verification signature: if it matches, the dll installed by the application owning the window handle is considered safe and can be allowed to be installed; if the verification fails, the dll installed by the application owning the window handle is considered unsafe and its installation is refused.
  • the verification signature can also be updated by the cloud server.
  • the combination of sub-step S3231, sub-step S3232, and sub-step S3233 can perform multiple judgments on the window message, so that the interception range of the window message can be flexibly configured: a secure application is allowed to inject its dll into the browser, an unsafe application is not, and the security of the browser is still protected.
  • the intercepting by the window message hook function for the window message in the operating system includes:
  • Sub-step S3234 for the window message of the creation window in the operating system, intercepting by the window message hook function.
  • that is, only the window message for creating a window may be intercepted, and from it the window message of an application that injects an unsafe dll into the browser can be determined.
  • the window message for creating a window in the operating system is intercepted by the window message hook function, including:
  • Sub-step 321 intercepting, by the window message hook function, the WM_CREATE message for creating a window in the operating system.
  • WM_CREATE is a window message in windows that is sent when an application requests a window creation via the CreateWindowEx function or the CreateWindow function.
  • the WM_CREATE message is also sent when the application creates an installation window that injects the dll into the browser. Then, the present invention can intercept the WM_CREATE message of the installation window created by the application through the CBT hook.
  • in this case only the window message for creating the window is intercepted; once it is intercepted, the creation of the corresponding window can be stopped, thereby preventing the application from injecting an insecure dll into the browser.
  • since only the window message that creates a window is intercepted and other types of window messages are not, the scope of the interception is reduced and excessive consumption of system resources is avoided.
  • Step S324 stopping transmission of the window message.
  • otherwise, the window message is released.
  • if the window message intercepted by the CBT hook is a window message for hijacking the browser, it can be stopped, that is, the subsequent transmission of the message is not allowed to proceed to further processing; for example, the window message is deleted.
  • a pop-up box may also be generated, prompting the user that an application is injecting an unsafe dll into the browser and waiting for the user to choose whether to let the window message continue to be transmitted. If the user chooses to continue the transmission, the interception is aborted; if the user chooses not to continue, the transmission of the window message is stopped.
  • the embodiment of the present invention can thus intercept an application that wants to inject a DLL into the browser at the moment it creates a window or sends a window message under that window, that is, before the application executes the actual dll injection. The window message is then judged, and when it is judged to be a message hijacking the browser, its transmission is stopped, the subsequent operation is prevented, and the application is directly prevented from injecting an insecure dll into the browser, which protects the security of the browser.
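The judgement of steps S322 to S324 (only WM_CREATE is examined, the window handle is matched against a preset blacklist, the application's verification signature can override, and a user prompt may decide the borderline case) as an added runnable simulation, not code from the patent or its assignee. No CBT hook is installed: intercepted messages are constructed records, and the blacklist, trusted signature and handle names are sample values. The ordering of the handle check and the signature check is an assumption, since the text describes them as combinable but does not fix their order.

```python
"""Simulation of the window-message judgement in steps S322 to S324.
Added example, not code from the patent or its assignee. Messages, blacklist and
signatures are constructed sample data; no Windows API is called."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set

WM_CREATE = 0x0001   # real Windows message number; the only type examined (sub-step S3234)
WM_ACTIVATE = 0x0006  # real Windows message number; used only as a "not examined" sample


@dataclass(frozen=True)
class WindowMessage:
    msg: int                       # window message identifier
    handle_name: str               # name of the window handle the message belongs to
    app_signature: Optional[str]   # verification signature of the owning application


# Constructed sample data; in the text both lists are maintained and pushed by a cloud server.
HANDLE_BLACKLIST: Set[str] = {"InjectorSetupWnd", "ToolbarInstallWnd"}
TRUSTED_SIGNATURES: Set[str] = {"SIG-PLACEHOLDER-SECURITY-PLATFORM"}

STOP, RELEASE = "stop", "release"


def handle_matches_blacklist(m: WindowMessage, blacklist: Set[str] = HANDLE_BLACKLIST) -> bool:
    """Sub-step S3231: match the window handle name against the preset handle list."""
    return m.handle_name in blacklist


def signature_verified(m: WindowMessage, trusted: Set[str] = TRUSTED_SIGNATURES) -> bool:
    """Sub-steps S3232/S3233: match the application's verification signature against the
    pre-recorded list. A missing signature counts as a failed verification."""
    return m.app_signature is not None and m.app_signature in trusted


def is_hijacking(m: WindowMessage, blacklist: Set[str] = HANDLE_BLACKLIST,
                 trusted: Set[str] = TRUSTED_SIGNATURES) -> bool:
    """Combined judgement. Assumed ordering: a blacklisted handle is treated as hijacking
    unless its application carries a verified signature, which is how the text lets a
    secure application inject its dll while an unsafe one is refused."""
    if not handle_matches_blacklist(m, blacklist):
        return False
    return not signature_verified(m, trusted)


def cbt_hook_decision(m: WindowMessage,
                      ask_user: Optional[Callable[[WindowMessage], bool]] = None,
                      blacklist: Set[str] = HANDLE_BLACKLIST,
                      trusted: Set[str] = TRUSTED_SIGNATURES) -> str:
    """Steps S322 to S324 for one intercepted message. Only WM_CREATE is examined; a
    hijacking message is stopped unless the optional user prompt (the pop-up box in the
    text) returns True, in which case the interception is aborted and it is released."""
    if m.msg != WM_CREATE:
        return RELEASE
    if not is_hijacking(m, blacklist, trusted):
        return RELEASE
    if ask_user is not None and ask_user(m):
        return RELEASE
    return STOP


def filter_messages(msgs: List[WindowMessage],
                    ask_user: Optional[Callable[[WindowMessage], bool]] = None) -> List[WindowMessage]:
    """Return the messages that would continue down the hook chain (released ones)."""
    return [m for m in msgs if cbt_hook_decision(m, ask_user) == RELEASE]


# Constructed sample of intercepted messages.
SAMPLE_MESSAGES: List[WindowMessage] = [
    WindowMessage(WM_CREATE, "BrowserMainWnd", None),                     # the browser itself
    WindowMessage(WM_CREATE, "InjectorSetupWnd", None),                   # blacklisted, unsigned
    WindowMessage(WM_CREATE, "ToolbarInstallWnd", "SIG-PLACEHOLDER-SECURITY-PLATFORM"),
    WindowMessage(WM_ACTIVATE, "InjectorSetupWnd", None),                 # not a create message
    WindowMessage(WM_CREATE, "InjectorSetupWnd", "SIG-UNKNOWN"),          # unverifiable signature
]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(f"{m.handle_name:18} msg=0x{m.msg:04X} -> {cbt_hook_decision(m)}")
```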
  • FIG. 4 is a schematic structural diagram of a browser client according to the present invention, which may specifically include:
  • the installation component 410 is configured to install, when the browser is installed, a system service started by the operating system startup in the operating system of the browser through the browser installation package;
  • the security component 420 is configured to be built into the browser, to invoke the system service after the browser is started, and to intercept modification of the browser installation file and/or the browser data by the first process independent of the browser process.
  • the browser data includes webpage data accessed by a browser
  • the security component includes:
  • the webpage security module is configured to perform a security scan on the webpage data by calling the system service through the security component for webpage data accessed by the browser.
  • the security component comprises:
  • the security information intercepting module is configured to intercept the acquisition of the security information in the browser data by the first process independent of the browser process; the security information includes at least one of a web address, a download file, a phone number, a public number, and a live chat number.
  • the security component further comprises:
  • a security update module configured to invoke a system service to obtain a secure update file of the browser for updating.
  • the security component comprises:
  • the configuration protection module is configured to intercept modification of the browser-related configuration parameters in the operating system by the first process independent of the browser process.
  • the configuration protection module comprises:
  • a default browser protection module configured to intercept an operation in which a second process independent of the browser changes the handler associated with the HTTP protocol in the current operating system from the current browser to another program;
  • a browser function configuration protection module configured to intercept modification, by a second process independent of the browser, of the configuration information of the current browser's functions.
  • the security component comprises:
  • the personalized data protection module is configured to intercept the modification of the user personalized data recorded by the current browser by the first process independent of the browser process.
  • the security component comprises:
  • the URL cloud protection module is configured to perform a security determination on the web address by using a cloud antivirus engine for the web address accessed by the browser, and intercept the web address if the web address is not secure.
  • the security component comprises:
  • the file protection module is configured to perform security detection on the file by using a cloud antivirus engine for files downloaded through the browser.
  • the security component comprises:
  • the online shopping protection module is configured to detect whether the current online shopping environment is safe when determining that the webpage opened by the browser is an online shopping page;
  • the protection number generation module is configured to generate a protection ticket number in the secure system environment for the current online shopping page.
  • the security component comprises:
  • the sandbox running module is configured to determine whether the currently opened webpage is safe. If it is not secure, the webpage process for the webpage is put into a sandbox operation.
  • the security component comprises:
  • an injection interception module is configured to intercept a first process independent of the browser injecting code into the browser to hijack the browser.
  • the security component comprises:
  • the first security module is configured to utilize the system service to intercept modification of the browser installation file and/or browser data by a first device-level driver independent of the browser process.
  • FIG. 5 is a schematic structural diagram of a browser client according to the present invention, which may specifically include:
  • the installation component 510 is configured to install, when the browser is installed, a system service started by the operating system startup in the operating system of the browser through the browser installation package;
  • the security component 520 is configured to be built into the browser, to invoke the system service after the browser is started, and to intercept modification of the browser installation file and/or the browser data by the first process independent of the browser process, including:
  • the injection intercepting module 521 is configured to intercept the first process independent of the browser injecting code into the browser to hijack the browser, including:
  • the linked list replication module 5211 is configured to copy the source layered service provider linked list of the current browser, obtaining the first hierarchical service provider linked list;
  • the linked list conversion module 5212 is configured to convert a source node that is not allowed to be accessed in the first hierarchical service provider linked list into a virtual node, to obtain a converted second hierarchical service provider linked list; the virtual layered service provider node implements each layered service provider interface and returns a null value;
  • the request control module 5213 is configured to transmit the network request of the current browser through the second hierarchical service provider linked list.
  • the linked list conversion module 5212 includes:
  • a node identity obtaining module configured to obtain identity information of each source node of the source layered service provider linked list by using configuration information of the source layered service provider linked list;
  • a node identity determining module configured to match identity information of each source node with a preset identity information list, and determine a source node that is not allowed to access according to the matching result
  • a node conversion module configured to convert the path of the source node that is not allowed to access in the registry into a path of the virtual node.
  • the linked list conversion module 5212 includes:
  • a request receiving module configured to receive, by the operating system service, a registry path setting request sent by the security module, and to send an I/O request packet to the virtual device-level driver according to the registry path setting request;
  • a second conversion module configured to, after the virtual device-level driver receives the I/O request packet, invoke a registry modification function to convert the path of the source node that is not allowed to access in the registry to the path of the virtual node.
  • FIG. 6 is a schematic structural diagram of a browser client according to the present invention, which may specifically include:
  • the installation component 610 is configured to install, when the browser is installed, a system service started by the operating system startup in the operating system of the browser through the browser installation package;
  • the security component 620 is configured to be built into the browser, to invoke the system service after the browser is started, and to intercept modification of the browser installation file and/or the browser data by the first process independent of the browser process, including:
  • the injection intercepting module 621 is configured to intercept the first process independent of the browser injecting code into the browser to hijack the browser, including:
  • a hook loading module 6212 configured to load a window message hook function for intercepting a window message;
  • the window information intercepting module 6213 is configured to intercept the window message in the operating system by using the window message hook function;
  • the window information determining module 6214 is configured to determine whether the window message is a window message of a hijacking browser;
  • the window information processing module 6215 is configured to stop the transmission of the window message if the window message is a window message that hijacks the browser.
  • the hook loading module comprises:
  • the first hook loading module is configured to invoke a dynamic link library loading function to load the dynamic link library in which the window message hook function is located to load the window message hook function.
  • the window information determining module comprises:
  • the handle matching module is configured to match the window handle name to which the window message belongs to the preset window handle list; if the window handle matches, the window message is determined to be a window message of the hijacking browser.
  • the window information determining module further comprises:
  • a signature acquisition module configured to obtain a verification signature of an application to which the window handle belongs
  • the signature verification module is configured to verify the verification signature, and if the verification fails, determine that the window message is a hijacking browser window message.
  • the window information intercepting module comprises:
  • a creation interception module configured to intercept the window message for creating a window in the operating system by using the window message hook function.
  • the hook loading module 6212 includes:
  • a request receiving module configured to receive, by the operating system service, a load request sent by the security component, and to create an I/O request packet to be delivered to the virtual device-level driver according to the load request;
  • the driver loading module is configured to: after the virtual device level driver receives the I/O request packet, invoke a dynamic link library load function to load a window message hook function for intercepting the window message.
  • FIG. 7 is a schematic structural diagram of a device with a browser client according to the present invention.
  • the device 700 may specifically include:
  • the system service started by the operating system startup is installed in the operating system of the browser through the browser installation package;
  • a security component is built in the browser, and the system service is invoked by the security component after the browser is started, and the modification of the browser installation file and/or the browser data by the first process independent of the browser process is intercepted.
  • the browser data includes webpage data accessed by a browser
  • the intercepting of modification of the browser data by the first process independent of the browser process includes:
  • the security component invokes the system service to perform security scanning on the webpage data.
  • the modification of the browser installation file and/or the browser data by the first process independent of the browser process comprises:
  • the security information includes at least one of a web address, a download file, a phone number, a public number, and a live chat number.
  • the method further comprises: invoking the system service to obtain a secure update file of the browser for updating.
  • the modification of the browser data by the first process independent of the browser process comprises:
  • the modification of the browser-related configuration information in the operating system by the first process independent of the browser process comprises:
  • the modification of the browser installation file and/or the browser data by the first process independent of the browser process comprises:
  • intercepting the first process independent of the browser injecting code into the browser to hijack the browser.
  • the intercepting of the first process independent of the browser injecting code into the browser to hijack the browser comprises:
  • the network request of the current browser is transmitted through the second hierarchical service provider linked list.
  • the intercepting the browser independent of the browser to inject code into the browser to hijack the browser comprises:
  • window message is a window message that hijacks the browser, then the transmission of the window message is stopped.
  • the plurality of instructions also includes a method of performing the steps described above.
  • the modules in the devices of the embodiments may be adaptively changed and placed in one or more devices different from those of the embodiment.
  • the modules, units or components of the embodiments may be combined into one module, unit or component, and may further be divided into a plurality of sub-modules, sub-units or sub-components.
  • all features disclosed in this specification (including the accompanying claims, the abstract and the drawings), and all processes or units of any method or device so disclosed, may be combined in any combination.
  • Each feature disclosed in this specification (including the accompanying claims, the abstract and the drawings) may be replaced by alternative features that provide the same, equivalent or similar purpose.
  • the various component embodiments of the present invention may be implemented in hardware, or in a software module running on one or more processors, or in a combination thereof.
  • a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functionality of some or all of the components of the browser security device according to embodiments of the present invention.
  • the invention can also be implemented as a device or device program (e.g., a computer program and a computer program product) for performing some or all of the methods described herein.
  • a program implementing the invention may be stored on a computer readable medium or may be in the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
  • FIG. 8 illustrates a terminal device that can implement browser security in accordance with the present invention.
  • the terminal device conventionally includes a processor 810 and a computer program product or computer readable medium in the form of a memory 820.
  • the memory 820 may be an electronic memory such as a flash memory, an EEPROM (Electrically Erasable Programmable Read Only Memory), an EPROM, a hard disk, or a ROM.
  • Memory 820 has a memory space 830 for program code 831 for performing any of the method steps described above.
  • storage space 830 for program code may include various program code 831 for implementing various steps in the above methods, respectively.
  • the program code can be read from or written to one or more computer program products.
  • these computer program products include program code carriers such as a hard disk, a compact disk (CD), a memory card, or a floppy disk.
  • a computer program product is typically a portable or fixed storage unit as described with reference to the corresponding figure.
  • the storage unit may have a storage section, a storage space, and the like arranged similarly to the memory 820 in the terminal device.
  • the program code may be compressed, for example, in an appropriate form.
  • the storage unit includes computer-readable code 831', i.e. code readable by a processor such as 810, which when executed by the terminal device causes the terminal device to perform each step of the methods described above.

Abstract

Disclosed are a method and browser client for achieving browser security, relating to the technical field of browsers. The method comprises: when a browser is being installed, a system service that launches with the operating system is installed, by means of the browser installation package, on the operating system on which the browser is installed; the browser has a built-in security component; after launching, the browser invokes said system service by means of the security component; a first process independent of the browser process is intercepted from modifying browser installation files and/or browser data. In the method for achieving browser security of the present invention, a system service related to security is written to the logic of the browser, such that a security function becomes a function of the browser itself; the security component built in to the browser invokes said system service to protect the security of the browser itself, thus resolving the problem of a browser being unable to monitor and protect its security by its own means.

Description

Method for implementing browser security, browser client and device

Technical field
The present invention relates to the field of browser technology, and in particular to a method for implementing browser security, a browser client, and a device with a browser client.
Background
A browser is software that displays the content of HTML (HyperText Markup Language) files served by a web server or a file system and lets the user interact with those files. A web browser mainly interacts with web servers over the HTTP protocol to fetch web pages; the pages are identified by a URL (Uniform Resource Locator) and are usually in HTML format.
Traditional browsers, however, rarely monitor or handle their own security and rely on third-party anti-virus software for protection. Because the browser must interoperate with that other software, it has to expose many browser interfaces to third-party programs, and unsafe programs can use the same interfaces. As a result the browser's information and operations are easy to hijack, the user is exposed to potential risk while browsing, and the browser has little autonomy or flexibility in protecting itself.
Summary of the invention
In view of the above problems, the present invention provides a browser client and a corresponding method for implementing browser security that overcome, or at least partially solve, those problems.
According to one aspect of the present invention, a method for implementing browser security is provided, comprising:
when the browser is installed, installing, by means of the browser installation package, a system service in the operating system on which the browser resides, the system service being started when the operating system starts;
building a security component into the browser, the browser invoking the system service through the security component after the browser starts,
and intercepting modification of browser installation files and/or browser data by a first process that is independent of the browser process.
According to another aspect of the present invention, a browser client is provided, comprising:
an installation component configured to install, when the browser is installed, by means of the browser installation package, a system service in the operating system on which the browser resides, the system service being started when the operating system starts;
a security component built into the browser and configured to invoke the system service after the browser starts, and to intercept modification of browser installation files and/or browser data by a first process independent of the browser process.
According to another aspect of the present invention, a device with a browser client is provided, comprising:
a processor, and a memory loaded with a plurality of executable instructions, the instructions comprising a method for performing the following steps:
when the browser is installed, installing, by means of the browser installation package, a system service in the operating system on which the browser resides, the system service being started when the operating system starts;
building a security component into the browser, the browser invoking the system service through the security component after the browser starts, and intercepting modification of browser installation files and/or browser data by a first process independent of the browser process.
According to yet another aspect of the present invention, a computer program is provided comprising computer-readable code which, when run on a terminal device, causes the terminal device to perform any of the above methods for implementing browser security.
According to a further aspect of the present invention, a computer-readable medium is provided storing a computer program for performing any of the above methods for implementing browser security.
With the method of the present invention, security-related system services are written into the browser's own logic, on top of the functions of a traditional browser, so that the security function becomes a function of the browser itself. The security component built into the browser invokes the system service to intercept modification of browser installation files and/or browser data by a first process independent of the browser process. This solves the problem that a browser cannot monitor and protect its own security, with the beneficial effect that the browser's security is protected by the browser itself.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the invention may be understood more clearly and implemented according to the specification, and that the above and other objects, features and advantages of the invention may be more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art from the following detailed description of preferred embodiments. The drawings are only for the purpose of illustrating preferred embodiments and are not to be construed as limiting the invention. Throughout the drawings the same reference numerals denote the same parts. In the drawings:
FIG. 1 is a schematic flowchart of a method for implementing browser security according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of a method for implementing browser security according to an embodiment of the present invention;
FIG. 3 is a schematic flowchart of a method for implementing browser security according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a browser client according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a browser client according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a browser client according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a device with a browser client according to an embodiment of the present invention;
FIG. 8 is a block diagram of a terminal device for performing the method according to the present invention;
FIG. 9 shows a storage unit for holding or carrying program code that implements the method according to the present invention.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments are shown in the drawings, it should be understood that the present disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope fully conveyed to those skilled in the art.
Embodiment 1
Referring to FIG. 1, which is a schematic flowchart of a method for implementing browser security according to the present invention, the method may specifically comprise:
Step 110: when the browser is installed, install, by means of the browser installation package, a system service in the operating system on which the browser resides, the system service being started when the operating system starts.
In this embodiment a security component is built into the browser, and a corresponding system service is set up for it to provide the system privileges that protection requires. The system service is installed by the browser installation package together with the browser's own installation logic. It interacts only internally with the browser's security component; it does not have to fit the interfaces the browser exposes to external applications, so protection can be carried out entirely inside the browser.
Thus, in this embodiment, when the browser is installed, the browser installation package installs in the operating system a system service that starts with the operating system. When the system service is installed, the installation package may also, under the control of the system service, install a corresponding virtual device-level driver. The virtual device-level driver is a kernel-level program with the highest privilege in the operating system, and the system service can invoke it when needed to intercept modification of browser installation files and/or browser data by a first process independent of the browser process.
When the system service is installed, a DLL file is generated in the system files and the DLL's parameters are written into the operating system's service registry entries. At the same time, the SYS file of the virtual device-level driver is installed into the operating system and its parameters are written into the registry. After the operating system starts, the EXE file of the system service is started and waits for notifications from the browser's security component.
Step 120: build a security component into the browser; after the browser starts, invoke the system service through the security component and intercept modification of browser installation files and/or browser data by a first process independent of the browser process.
On top of the browser's traditional functional component architecture, the present invention also builds in a security component. After the browser starts, the security component invokes the already-started system service to intercept modification of browser installation files and/or browser data by a first process independent of the browser process, that is, to protect the browser's own data.
Preferably, invoking the system service through the security component to intercept modification of browser installation files and/or browser data by a first process independent of the browser process comprises:
Sub-step 131: invoking the system service through the security component to control the virtual device-level driver, which intercepts modification of browser installation files and/or browser data by a first process independent of the browser process.
Many protective operations require elevated system privilege. Windows, for example, distinguishes at least kernel-level and user-level privilege. A browser is a user-level program and runs with user-level privilege, which restricts what it may do: intercepting the operations of other processes or modifying certain registry keys is not permitted at user level, so the browser cannot on its own perform protective operations on itself. The present invention therefore controls the virtual device-level driver through the system service and so acts with kernel-level privilege, the highest privilege level, at which any operation may be performed. In this way the browser can protect itself.
Preferably, the browser data includes web page data accessed by the browser.
In this embodiment, the web page data that the user obtains from a server while accessing pages with the browser can be protected by the present invention.
Further, intercepting modification of browser data by a first process independent of the browser process comprises:
Sub-step 132: for web page data accessed by the browser, invoking the system service through the security component to perform a security scan of the web page data.
While the user issues a network access request from the browser and the page data is fetched, parsed and rendered, the security component of this embodiment invokes the system service to scan the page data. The scan may check, against a URL (Uniform Resource Locator) library collected and compiled in advance on a cloud server, whether the page's URL is safe, for example whether it is a known fraud or phishing URL. If it is unsafe, the content for that URL may be fetched, the user prompted to close the page, and the content loaded only if the user chooses to continue. The scan may also check the page content for unsafe links, for example by analysing the URLs of the advertisement portions of the page against the same URL library; if an advertisement URL is unsafe, rendering of that portion may be suspended or the advertisement replaced with safe content, and the user may likewise be prompted to close the page, with the URL loaded only if the user chooses to continue.
JavaScript files referenced by the page may also be judged; if a script file is found to be unsafe, loading of that script is prohibited.
Unsafe URLs may of course also be handled by running them in a sandbox; that is, preferably, intercepting modification of browser installation files and/or browser data by a first process independent of the browser process comprises:
Sub-step 133: judging whether the currently opened web page is safe and, if it is not, placing the page process for that web page into a sandbox.
A sandbox is an execution environment that restricts the behaviour of a program according to a security policy. Since each page's data is processed in a page process, when the page data is judged unsafe the page process handling it can be run in the sandbox with restricted privileges, so that trojans or malicious scripts in the page cannot affect the security of the local system.
Preferably, intercepting modification of browser installation files and/or browser data by a first process independent of the browser process comprises:
Sub-step 134: intercepting acquisition of security-sensitive information in the browser data by a first process independent of the browser process, the security-sensitive information including at least one of a web address, a downloaded file, a telephone number, an official-account number, and an instant-messaging account number.
A browser handles a large amount of data in use: the URLs of visited pages, URLs stored in the favourites, files downloaded by the browser's download manager, personal information the user enters in web pages such as telephone numbers, official-account numbers for social sites such as Weibo, instant-messaging account numbers and bank account details, and login information such as the account names and passwords recorded in cookies for each site the user logs into. The present invention can protect all such personal information recorded by the browser itself by intercepting its acquisition by a first process independent of the browser process. For example, the process that reads cookie information from the browser's storage location, or reads the favourites URLs, can be monitored; if it is not the browser process, it is treated as a first process independent of the browser process and its read is intercepted. Likewise, when the current page requires account information (official-account, bank, e-mail or instant-messaging account details) to be entered, it can be checked whether the process obtaining that information is the browser process; if it is not, it is treated as a first process independent of the browser process and its read is intercepted.
Preferably, the method further comprises:
Sub-step 135: invoking the system service to obtain a secure update file for the browser, for updating.
In this embodiment, to prevent the browser from receiving an update file whose content has been tampered with, for example one into which a trojan has been inserted, the browser update file is obtained by invoking the system service. Because the system service itself has higher security, the update file it fetches is not easily replaced, and the service can also check whether the update file is a genuine, secure update file, so that the browser is updated securely.
Preferably, intercepting modification of browser data by a first process independent of the browser process comprises:
Sub-step 136: intercepting modification, by a first process independent of the browser process, of browser-related configuration parameters in the operating system.
In this embodiment the browser makes configuration settings in the operating system, for example registering itself as the operating system's default browser, or storing the browser's functional configuration parameters.
The present invention can intercept modification of these browser-related configuration parameters in the operating system by a first process independent of the browser process.
Further, preferably, intercepting modification of browser-related configuration information in the operating system by a first process independent of the browser process comprises:
Sub-step 137: intercepting an operation by a second process independent of the browser that changes the handler associated with the HTTP protocol in the current operating system from the current browser to another program;
The present invention can intercept operations that change the operating system's default browser, so that the current browser remains the default. Specifically, modifications to the default value of the registry subkey HKEY_CLASSES_ROOT\http\shell\open\command and to the default value of the subkey HKEY_CLASSES_ROOT\http\shell\open\ddeexec\Application can be intercepted. For example, when a second process independent of the browser calls the RegSetValueEx() function to modify these registry keys, the call is intercepted and not allowed to proceed.
RegSetValueEx() is the Windows registry modification function; its prototype is:
    LONG RegSetValueEx(
        HKEY       hKey,         // handle to an open key, or one of the predefined root keys
        LPCTSTR    lpValueName,  // name of the value to set; NULL or an empty string selects the key's default value
        DWORD      Reserved,     // reserved, must be 0
        DWORD      dwType,       // type of the data being stored (e.g. REG_SZ)
        const BYTE *lpData,      // buffer holding the data; may be NULL when cbData is 0
        DWORD      cbData);      // size of the lpData buffer in bytes
and/or Sub-step 138: intercepting modification, by a second process independent of the browser, of the configuration information of the current browser's functions.
Modification of the browser's functional configuration information can likewise be intercepted, for example the configured home page, whether the advertisement-filtering plug-in is enabled, the configured toolbar contents, and the configured shortcut-key functions. Taking the home page as an example, the functions that modify the home page value in the registry can be intercepted. A second process independent of the browser would first look up the home page value in the registry, for example through ADVAPI32!RegQueryValueExW or SHDOCVW!URLSubRegQueryW, and then call RegSetValueEx() to change it; the present invention can intercept such calls by the second process directly.
Preferably, intercepting modification of browser data by a first process independent of the browser process comprises:
Sub-step 138: intercepting modification, by a first process independent of the browser process, of the personal user data recorded by the current browser.
In this embodiment the browser records a great deal of the user's personal data locally, for example the user's favourite pages, which the favourites list generally displays by page name. A first process independent of the browser process might alter the URL behind such a name, so that when the user clicks the name in the favourites the page visited is not the one originally saved but the altered one, which is a security risk. The browser may also store cookies locally, and cookies can record a wide range of information about the user's activity, such as which sites were visited and which accounts and passwords were used to log in; if a process independent of the browser obtains this data, the user's personal data is leaked.
The present invention can therefore intercept both modification and acquisition of the user's personal data recorded by the browser by a first process independent of the browser process.
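As an added illustration of the interception decisions in sub-steps 134, 137 and 138 (the default HTTP handler keys, the home-page value, and reads of the cookie and favourites stores), the following C program is example code written for this page, not the patent's or any product's code. It models the policy a kernel filter would apply once it knows the requester's image path and the target: the target is matched case-insensitively against a protected list, and only the browser and its system service are allowed through. The two HTTP handler subkeys are the ones the description names; the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER Software\Classes spellings are added because HKEY_CLASSES_ROOT is a merged view of those two locations, so a filter that matched only the HKCR spelling would miss a write made through either alias. The home-page key path, the cookie and favourites file paths, and the browser and service image paths are assumptions for the example.

```c
#include <assert.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Default HTTP handler keys named in the description, plus the two locations
 * that HKEY_CLASSES_ROOT merges (a hijacker may write through either). */
static const char *const kProtectedRegKeys[] = {
    "HKEY_CLASSES_ROOT\\http\\shell\\open\\command",
    "HKEY_CLASSES_ROOT\\http\\shell\\open\\ddeexec\\Application",
    "HKEY_LOCAL_MACHINE\\Software\\Classes\\http\\shell\\open\\command",
    "HKEY_LOCAL_MACHINE\\Software\\Classes\\http\\shell\\open\\ddeexec\\Application",
    "HKEY_CURRENT_USER\\Software\\Classes\\http\\shell\\open\\command",
    "HKEY_CURRENT_USER\\Software\\Classes\\http\\shell\\open\\ddeexec\\Application",
    /* Home-page value of sub-step 138; this key path is an assumption. */
    "HKEY_CURRENT_USER\\Software\\ExampleBrowser\\Main\\Start Page",
};

/* Browser data stores of sub-steps 134 and 138; paths are assumptions. */
static const char *const kProtectedFiles[] = {
    "C:\\Users\\alice\\AppData\\Local\\ExampleBrowser\\User Data\\Default\\Cookies",
    "C:\\Users\\alice\\AppData\\Local\\ExampleBrowser\\User Data\\Default\\Bookmarks",
};

/* Only these images may touch protected resources (assumed install paths). */
static const char *const kTrustedImages[] = {
    "C:\\Program Files\\ExampleBrowser\\browser.exe",
    "C:\\Program Files\\ExampleBrowser\\browser_service.exe",
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

enum access_op { OP_REG_SET_VALUE, OP_FILE_READ, OP_FILE_WRITE };
enum verdict { ALLOW = 0, DENY = 1 };

/* Registry key paths and NTFS paths are case-insensitive on Windows. */
static int path_equals(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

static int in_list(const char *s, const char *const *list, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (path_equals(s, list[i]))
            return 1;
    return 0;
}

/* Decide whether the process with image path caller_image may perform op on
 * target (a registry key path for OP_REG_SET_VALUE, a file path otherwise).
 * Anything that is not a protected browser resource is left alone. */
enum verdict decide(const char *caller_image, enum access_op op, const char *target) {
    int is_protected;
    if (op == OP_REG_SET_VALUE)
        is_protected = in_list(target, kProtectedRegKeys, COUNT(kProtectedRegKeys));
    else
        is_protected = in_list(target, kProtectedFiles, COUNT(kProtectedFiles));
    if (!is_protected)
        return ALLOW;
    /* The browser and its service are the only legitimate writers and readers;
     * everything else is the "first process independent of the browser". */
    return in_list(caller_image, kTrustedImages, COUNT(kTrustedImages)) ? ALLOW : DENY;
}

int main(void) {
    const char *browser = "C:\\Program Files\\ExampleBrowser\\browser.exe";
    const char *hijacker = "C:\\Users\\alice\\Downloads\\setup_helper.exe"; /* constructed */
    assert(decide(browser, OP_REG_SET_VALUE,
                  "HKEY_CLASSES_ROOT\\http\\shell\\open\\command") == ALLOW);
    assert(decide(hijacker, OP_REG_SET_VALUE,
                  "hkey_classes_root\\HTTP\\Shell\\Open\\Command") == DENY);
    assert(decide(hijacker, OP_REG_SET_VALUE,
                  "HKEY_CURRENT_USER\\Software\\Classes\\http\\shell\\open\\command") == DENY);
    assert(decide(hijacker, OP_REG_SET_VALUE,
                  "HKEY_CURRENT_USER\\Software\\SomeOtherApp") == ALLOW);
    assert(decide(hijacker, OP_FILE_READ,
                  "C:\\Users\\alice\\AppData\\Local\\ExampleBrowser\\User Data\\Default\\Cookies") == DENY);
    puts("policy checks passed");
    return 0;
}
```

Two caveats a practitioner would attach to this policy. First, identifying the caller by image path is only as good as the source of that path: a kernel filter must take the process identity from the kernel's own view of the requester, not from a string supplied by user mode, and an exact-match list needs canonical paths (8.3 short names, junctions and the HKCR aliases above must be normalised before comparison or a write slips past). Second, image identity alone does not stop a hijacker that injects code into the browser process, since the injected code then inherits the browser's identity; that is why the description separately covers intercepting code injection. Note also that on Windows 8 and later the effective HTTP handler is selected through the per-user UrlAssociations UserChoice entry rather than through HKCR\http\shell\open\command alone, so a protected list built only from the keys named here is incomplete on those systems.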
Preferably, intercepting modification of the browser data by a first process independent of the browser process includes:
Sub-step 139: for a URL accessed by the browser, performing a security determination on the URL with a cloud antivirus engine; if the URL is unsafe, intercepting it.
In an embodiment of the present invention, in order to keep the browser small, that is, to avoid the browser's own files becoming very large when it protects itself, the present invention incorporates a cloud antivirus engine: after the security component obtains the URL, it calls the cloud antivirus engine through the security module, the safety of the URL is judged in the cloud antivirus engine, and the cloud antivirus engine returns its verdict to the security module. The security module analyzes the verdict and, if the URL is unsafe, intercepts loading of the URL through the system service; furthermore, the web-page process corresponding to the URL may be run in a sandbox. The user may of course also be warned about the unsafe state of the URL.
Preferably, intercepting modification of the browser data by a first process independent of the browser process includes:
Sub-step 140: for a file downloaded through the browser, performing security detection on the file with a cloud antivirus engine.
While using the browser, the user may also download files through the browser's downloader, and an embodiment of the present invention can protect the browser's file-download process as well. For example, for a download link triggered by the browser, the cloud antivirus engine judges whether the download link is safe; if it is not, the security component is notified, the user is asked whether to continue the download, and at the same time the security component intercepts the download process through the system service. For a file whose download has completed in the browser's downloader, the security component can obtain the file's feature information through the system service, upload the feature information to the cloud antivirus engine to judge whether the file is safe, and return the cloud antivirus engine's verdict to the browser's security component, which can then indicate at the file's entry in the downloader whether the file is safe.
Preferably, intercepting modification of the browser data by a first process independent of the browser process includes:
Sub-step 141: when it is determined that the web page opened by the browser is an online-shopping page, detecting whether the current online-shopping environment is safe.
In an embodiment of the present invention, for a web page opened by the browser, it may further be determined whether the page is an online-shopping page; when it is determined that the page opened by the browser is an online-shopping page, it is detected whether the system environment is safe.
Specifically, in this embodiment, from a pre-collected set of shopping websites, the domain name of each shopping website is analyzed and an online-shopping feature word is extracted for each, giving a set of online-shopping feature words. For example, the domain name of Taobao is www.taobao.com, so taobao is set as Taobao's online-shopping feature word and added to the set of online-shopping feature words; when the domain name of the website the user currently visits through the terminal browser is paimai.taobao.com, the keyword taobao contained in that domain name matches the online-shopping feature word taobao in the set, so the website the user is currently visiting can be determined to be a shopping website. Similarly, in this embodiment, from a pre-collected set of payment websites, the domain name of each payment website is analyzed and a payment feature word is extracted for each, giving a set of payment feature words. For example, the domain name of China Merchants Bank is www.cmbchina.com, so cmbchina is set as the payment feature word of the China Merchants Bank website and added to the preset set of payment feature words; when the domain name of the website the user currently visits is ccclub.cmbchina.com, the keyword cmbchina contained in that domain name matches the payment feature word cmbchina in the set, so the website the user is currently visiting can be determined to be a payment website, and its corresponding page can likewise be regarded as an online-shopping page.
The present invention can then monitor whether the online-shopping environment is safe. For example, it judges whether the local system environment is safe, such as whether a process independent of the browser is obtaining information from the page; if so, the system environment can be adjusted to a system environment that is safe for the online-shopping page. It can also check the safety of the online-shopping page itself, for example based on the IP address of the website hosting the page: if that IP address is in an IP-address blacklist, the website is determined to be a dangerous website and the online-shopping page is a dangerous page as well. As another example, the hash value of the page's Uniform Resource Locator (URL) is computed, and if the computed hash value is in a hash-value blacklist, the online-shopping page is determined to be a dangerous page. To give a concrete example, in practice, for the URLs of the dangerous pages contained in a website blacklist, the referer chain address of each dangerous page's URL is examined and the hash value of each referer chain address is computed, giving a hash-value blacklist; then, when the currently visited website is an online-shopping page, the referer chain address of that page's URL is obtained and its hash value computed, and if the hash value of the page's referer chain address is in the hash-value blacklist, the online-shopping page is determined to have a high probability of being dangerous.
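The following is an added example, not code from the patent, of the detection logic described for sub-step 141: classifying a visited host by the feature word extracted from its domain name, then checking the site's IP address and the hash of the page's referer chain address against blacklists. The feature-word extraction rule (the label left of the public suffix), the use of SHA-256 for the referer hash, and all seed data are assumptions; the patent specifies none of them.

```python
"""Shopping/payment page classification and blacklist checks (sub-step 141).
Added example; the patent names no hash algorithm or extraction rule."""
import hashlib
from typing import Dict, Iterable, List, Set

# Constructed seed data, modelled on the patent's own examples.
SHOPPING_SITES = ["www.taobao.com"]
PAYMENT_SITES = ["www.cmbchina.com"]
IP_BLACKLIST = {"203.0.113.7"}                                # RFC 5737 test address
DANGEROUS_REFERERS = ["http://lure.example.net/win-prize"]    # constructed lure page

# Assumption: a small table of two-part public suffixes keeps "shop.example.com.cn"
# from yielding "com" as its feature word.
_TWO_PART_SUFFIXES = {("com", "cn"), ("net", "cn"), ("org", "cn"), ("co", "uk")}


def feature_word(domain: str) -> str:
    """'www.taobao.com' -> 'taobao'; 'ccclub.cmbchina.com' -> 'cmbchina'.
    Only the registrable label is used, so 'taobao.lookalike.example' yields
    'lookalike' and is not mistaken for a shopping site."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and tuple(labels[-2:]) in _TWO_PART_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def build_feature_set(sites: Iterable[str]) -> Set[str]:
    """Extract one feature word per collected site, as the patent describes."""
    return {feature_word(site) for site in sites}


SHOPPING_WORDS = build_feature_set(SHOPPING_SITES)
PAYMENT_WORDS = build_feature_set(PAYMENT_SITES)


def classify_host(host: str) -> str:
    """Return 'shopping', 'payment' or 'other' for the host the browser opened."""
    word = feature_word(host)
    if word in SHOPPING_WORDS:
        return "shopping"
    if word in PAYMENT_WORDS:
        return "payment"
    return "other"


def referer_hash(referer: str) -> str:
    """Hash of a referer chain address. The address is normalised before hashing
    so that case or trailing-whitespace differences do not defeat the blacklist."""
    return hashlib.sha256(referer.strip().lower().encode("utf-8")).hexdigest()


HASH_BLACKLIST = {referer_hash(r) for r in DANGEROUS_REFERERS}


def assess_shopping_page(host: str, ip: str, referer: str) -> Dict[str, object]:
    """Run the page-side checks of sub-step 141 for a page the browser opened.
    The environment check (a foreign process reading the page) is out of scope
    here; the result carries the reasons so a warning can explain itself."""
    kind = classify_host(host)
    reasons: List[str] = []
    if kind == "other":
        return {"kind": kind, "risky": False, "reasons": reasons}
    if ip in IP_BLACKLIST:
        reasons.append("site IP address is blacklisted")
    if referer and referer_hash(referer) in HASH_BLACKLIST:
        reasons.append("referer chain address hash is blacklisted")
    return {"kind": kind, "risky": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    print(assess_shopping_page("paimai.taobao.com", "198.51.100.2", ""))
    print(assess_shopping_page("ccclub.cmbchina.com", "203.0.113.7",
                               "HTTP://lure.example.net/win-prize "))
```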
Further, the method also includes:
Sub-step 142: for the current online-shopping page, generating a protection ticket number in the safe system environment.
In an embodiment of the present invention, when the user shops online through the browser, the present invention can provide additional compensation protection for the user's online-shopping behavior. When the user is defrauded while shopping online under the secure-browser architecture of the present invention, the invention can generate a protection ticket number for the user in the current safe system environment, record the user's online-shopping behavior and transmit it to a server. If the user is defrauded, the user can apply to the server for compensation, and after receiving the application, the server judges from the protection ticket number whether the conditions for compensation are met and compensates accordingly.
Preferably, intercepting modification of the browser installation files and/or browser data by a first process independent of the browser process includes:
Sub-step 144: intercepting a first process independent of the browser injecting code into the browser to hijack the browser.
While the browser is in use, other programs may inject dynamic link libraries into the browser in order to make the browser execute logic of their own, for example redirecting network requests to unsafe pages, repeatedly and automatically adding unsafe websites to the favorites, adding items to the IE options tabs that cannot be changed or are hidden, or capturing login names and passwords entered on web pages; the dynamic link libraries injected by such programs are therefore unsafe for the user's browser. The present invention, by having the security component call the system service, can intercept the code that such a first process independent of the browser injects into the browser to hijack it.
In an embodiment of the present invention, "modification" in "modification of the browser installation files and/or browser data" may be understood as tampering with or obtaining them.
Intercepting modification of the browser installation files and/or browser data by a first process independent of the browser process includes:
Sub-step 145: using the system service, intercepting modification of the browser installation files and/or browser data by a first process independent of the browser process by calling a virtual device-level driver.
In an embodiment of the present invention, the interception described above can be performed by having the system service call a virtual device-level driver, which intercepts with kernel-level privileges and thereby ensures a high interception success rate.
In an embodiment of the present invention, the browser architecture is also redesigned. The traditional browser architecture consists of the following components: the user-interface component, comprising the address bar, back/forward buttons, bookmark menu and so on, that is, everything except the main window that displays the requested page; the browser-engine component, the interface for querying and manipulating the rendering engine; the rendering-engine component, which displays the requested content, for example parsing HTML and CSS and displaying the result when the requested content is HTML; the network component, which performs network calls such as HTTP requests; the UI back-end component, which draws basic widgets such as combo boxes and dialog boxes; the JS interpreter component, which interprets and executes JS code; and the data-storage component, since the browser must persist various data such as cookies to disk. On top of these components, a security component is added and a system service is set up to go with it. The security component protects, through the system service, the data produced while the above components operate, which improves the autonomy and flexibility of browser security protection without relying on third-party antivirus software.
Embodiment 2
Referring to FIG. 2, which is a schematic flowchart of a method for implementing browser security according to the present invention, the method may specifically include:
Step 210: when the browser is installed, installing, through the browser installation package, a system service in the browser's host operating system that starts when the operating system starts;
Step 220: building a security component into the browser and, after the browser starts, calling the system service through the security component to intercept a first process independent of the browser injecting code into the browser to hijack the browser, which specifically includes:
Step S222: copying the current browser's source Layered Service Provider chain to obtain a first Layered Service Provider chain;
In practice, other applications can inject LSP (Layered Service Provider) nodes into the browser in the normal way, that is, inject the LSP's DLL (Dynamic Link Library) into the browser. After injection, the LSP's DLL is written into the registry (for example, into the corresponding location under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters), and the related configuration information is written into the configuration information of the browser's source LSP chain; that configuration information records, among other things, the registry location of the DLL. Traditionally, after the browser starts and before it sends out any request, it loads the source LSP chain according to the configuration information of the source LSP chain, that is, it loads the DLL of each node in the LSP chain; the browser's network requests then pass through the LSP nodes one by one, starting from the first LSP node in the source LSP chain, until they reach other protocol layers such as the TCP/IP layer.
In the present invention, however, the source LSP chain is first converted before the browser's first network request is sent. First, a copy of the source LSP chain is made, for example by copying the ordered DLL files in the source LSP chain; the copy serves as the first LSP chain for subsequent processing.
For example, if the source LSP chain is A.dll->B.dll->C.dll->D.dll, the first LSP chain obtained by copying is A.dll->B.dll->C.dll->D.dll. In an embodiment of the present invention, the path of each source node recorded in the registry may be looked up through the configuration information of the browser's source LSP chain, and each source node of the source LSP chain is then copied through that path.
Step S224: converting the source nodes in the first Layered Service Provider chain that are not allowed to be accessed into virtual nodes, obtaining a converted second Layered Service Provider chain; the virtual Layered Service Provider node implements every Layered Service Provider interface and returns a null value;
Each node of the first LSP chain obtained by copying can be examined in turn to judge whether it is a source node that is not allowed to be accessed. A source node can be judged by its name; for example, an LSP node may be named mswsock.dll, and the judgment can be made with a whitelist or a blacklist. For example, if the names of the source nodes that are allowed to be accessed are written into a whitelist, then any node of the first LSP chain that is not in the whitelist is not allowed to be accessed, which may be understood as not being allowed to load that LSP node's DLL. In an embodiment of the present invention, only the names of the LSP nodes present by default in a freshly installed system may be written into the whitelist, although the names of LSP nodes injected by other trusted applications may also be whitelisted, and the whitelist may be updated from a server. Similarly, a blacklist of LSP nodes can also be constructed.
A source node that is not allowed to be accessed is converted in an embodiment of the present invention into a virtual node, namely fake.dll. This virtual LSP node implements all LSP interfaces, so a network request passed down by the node above it can reach the virtual node normally; the virtual node does no processing on the network request, that is, it returns the null value NULL, and then continues to pass the network request downward. The virtual node therefore causes no anomaly in sending network requests, such as loss of Internet access. Once the source nodes that are not allowed to be accessed have been replaced by such virtual nodes, the second LSP chain is obtained.
Preferably, converting the source nodes in the first Layered Service Provider chain that are not allowed to be accessed into virtual nodes includes:
Sub-step S2241: obtaining the identity information of each source node of the source Layered Service Provider chain through the configuration information of the source Layered Service Provider chain;
Since each node of the first LSP chain is identical to the corresponding node of the source LSP chain, the identity information of each source node of the first Layered Service Provider chain can be obtained by reading the configuration information of the source LSP chain in the browser. The configuration information of the source LSP chain generally stores the identity information of the source nodes, such as the registry key recorded for each node and the recorded name, order and so on, so an embodiment of the present invention can determine the identity information of each node, such as its name, from the configuration information. In the example above, the identity information of the nodes of the first LSP chain is obtained, in order, as A, B, C, D.
Sub-step S2242: matching the identity information of each source node against a preset identity-information list and determining, from the matching result, the source nodes that are not allowed to be accessed;
In an embodiment of the present invention, an identity-information whitelist or an identity-information blacklist may be constructed and the identity information of each source node matched against it. For example, if the whitelist is set to [A, D], then after matching A, B, C and D against that whitelist, the source nodes named B and C are determined not to be allowed to be accessed.
Sub-step S2243: converting the registry paths of the source nodes that are not allowed to be accessed into the path of a virtual node, obtaining the second Layered Service Provider chain;
In an embodiment of the present invention, a virtual node such as fake.dll may be prepared in advance and stored at a specified path.
When a source node is to be used, it must be loaded through the source-node path recorded in the corresponding registry key; therefore the path recorded in the registry key corresponding to a source node that is not allowed to be accessed may be replaced with the path of the virtual node.
In an embodiment of the present invention, a single virtual node may be set up for all source nodes that are not allowed to be accessed, and the registry-key path of each such source node replaced with the path of that virtual node, for example all replaced with the path of fake.dll. Alternatively, according to the number of source nodes determined not to be allowed, the initially prepared virtual node may be used as a template and the corresponding number of virtual nodes copied from it, each copy given a different file name; for instance, the earlier example has the two nodes B and C, so two virtual nodes fake1.dll and fake2.dll can be produced, each with its own path, and the registry path of B.dll is then changed to the path of fake1.dll and the registry path of C.dll to the path of fake2.dll.
In this way the second LSP chain is obtained, in which the source nodes allowed to load are retained and the source nodes not allowed to load have been converted into virtual nodes.
Preferably, converting the registry paths of the source nodes that are not allowed to be accessed into the path of a virtual node includes:
Sub-step A2242: the system service receives a registry-path setting request sent by the security component to the system service and, according to the registry-path setting request, creates an I/O request packet and sends it down to the virtual device-level driver;
In an embodiment of the present invention, the system service starts with the system and keeps running, listening for requests sent by the browser. When it receives a registry-path setting request sent by the browser, it creates an I/O Request Packet (IRP) according to the registry-path setting request and sends it down to the virtual device-level driver, because in the Windows operating system instructions are passed from the application layer to low-level drivers through I/O request packets. For the system service to invoke the virtual device-level driver of this embodiment, it needs to build an IRP targeted at that device-level driver and then send the IRP down to it. The IRP contains the instruction that controls the device-level driver to convert the registry paths of the source nodes that are not allowed to be accessed into the path of the virtual node, for example the registry-key information of the disallowed nodes and the path of the virtual node corresponding to each disallowed node.
Sub-step A2243: after receiving the I/O request packet, the virtual device-level driver calls a registry-modification function to convert the registry paths of the source nodes that are not allowed to be accessed into the path of the virtual node.
After receiving the I/O request packet sent down by the system service, the virtual device-level driver parses the instruction in the I/O request packet, obtaining the registry-key information of the disallowed nodes and the path information of the virtual node corresponding to each disallowed node; it can then call a registry-modification function to convert the registry path of each disallowed source node into the path of the virtual node.
Step S226: transmitting the current browser's network requests through the second Layered Service Provider chain.
The browser's network requests can then be directed to pass through the second LSP chain.
Preferably, transmitting the current browser's network requests through the second Layered Service Provider chain includes:
Sub-step S2261: through the configuration information of the source Layered Service Provider chain, looking up in the registry the dynamic link library of each node of the second Layered Service Provider chain and loading it.
Since the embodiment of the present invention does not modify the configuration information of the browser's source Layered Service Provider chain, but only the node paths and node contents that the configuration information refers to, when the browser fetches the corresponding DLLs according to the configuration information of the original LSP chain, for any source-node entry whose path has been replaced it loads the virtual node from the path recorded in that entry's registry key. What is ultimately loaded is therefore the second LSP chain, and the DLLs of the real source nodes that are not allowed to be accessed are never loaded.
In an embodiment of the present invention, the security component can, through the system service, invoke the virtual device-level driver to convert the source nodes of the first Layered Service Provider chain that are not allowed to be accessed into virtual nodes. The registry path of such a disallowed source node can be converted into the path of the virtual node with the registry-modification function RegSetValueEx().
When a browser's network request is transmitted outward, it must first be processed by the LSP chain before it can be passed down to the communication protocol layer (such as the TCP/IP layer) and then sent out, so conventionally a custom LSP node can be injected into the LSP chain to hijack and process the browser's network requests, which may create security risks and other problems. In the embodiment of the present invention, however, no matter how other applications inject LSP nodes, before the browser sends its first network request the source LSP chain in the system, including any LSP nodes injected by applications, is replaced with the second LSP chain, in which the source nodes that must not be accessed are replaced by virtual nodes. Regardless of how many applications have injected how many LSP nodes, this guarantees that the network requests issued by the browser are transmitted through a safe LSP chain, improving the browser's security.
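The following is an added example, not the patent's own code, that walks steps S222 to S2261 of Embodiment 2 end to end: copy the source LSP chain, whitelist its nodes by name, point the registry entry of every disallowed node at a virtual node (one shared fake.dll or per-node copies fake1.dll, fake2.dll, ...), and then resolve the untouched chain configuration to see what the browser would actually load. The registry is simulated with a dictionary; the catalog key layout, the LibraryPath value name and the fake-DLL directory are assumptions.

```python
"""Simulation of the LSP chain conversion of Embodiment 2 (steps S222-S2261).
Added example: the real implementation writes the registry through a driver
via RegSetValueEx; here a dict stands in for the registry."""
import ntpath
from typing import Dict, List, Set, Tuple

Registry = Dict[str, Dict[str, str]]
Chain = List[Tuple[str, str]]          # ordered (registry key, DLL path) pairs

# Path named in the patent; the sub-key layout below it is an assumption.
REG_PATH = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters"
FAKE_DLL_DIR = r"C:\Program Files\SecureBrowser\lsp"      # assumed location
DEFAULT_WHITELIST: Set[str] = {"A", "D"}                     # the patent's [A, D]


def build_registry(names: List[str]) -> Tuple[Registry, List[str]]:
    """Constructed catalog: one key per LSP node holding its DLL path, plus the
    chain configuration (ordered list of keys) that the browser reads."""
    registry: Registry = {}
    config: List[str] = []
    for i, name in enumerate(names):
        key = rf"{REG_PATH}\Protocol_Catalog9\Catalog_Entries\{i:012d}"
        registry[key] = {"LibraryPath": rf"C:\Windows\System32\{name}.dll"}
        config.append(key)
    return registry, config


def identity(dll_path: str) -> str:
    """S2241: a node's identity is its file name without extension ('A.dll' -> 'A')."""
    return ntpath.splitext(ntpath.basename(dll_path))[0]


def copy_chain(registry: Registry, config: List[str]) -> Chain:
    """S222: the first LSP chain is an ordered copy of the source chain."""
    return [(key, registry[key]["LibraryPath"]) for key in config]


def find_disallowed(chain: Chain, whitelist: Set[str]) -> Chain:
    """S2242: whitelist match on identity; any node not listed is disallowed."""
    return [(key, path) for key, path in chain if identity(path) not in whitelist]


def rewrite_paths(registry: Registry, disallowed: Chain,
                  one_fake_per_node: bool = True) -> Dict[str, str]:
    """S2243: point each disallowed node's registry entry at a virtual node.
    Either every node shares fake.dll, or each gets its own copy fake1.dll,
    fake2.dll, ... Returns {old path: new path} for an audit log."""
    changes: Dict[str, str] = {}
    for n, (key, old_path) in enumerate(disallowed, start=1):
        fake_name = f"fake{n}.dll" if one_fake_per_node else "fake.dll"
        new_path = ntpath.join(FAKE_DLL_DIR, fake_name)
        registry[key]["LibraryPath"] = new_path    # the driver's RegSetValueEx
        changes[old_path] = new_path
    return changes


def resolve_chain(registry: Registry, config: List[str]) -> List[str]:
    """S2261: the browser resolves the unchanged configuration through the
    registry, so it now loads the virtual nodes in place of the disallowed ones."""
    return [registry[key]["LibraryPath"] for key in config]


def secure_chain(registry: Registry, config: List[str],
                 whitelist: Set[str] = DEFAULT_WHITELIST) -> Tuple[List[str], Dict[str, str]]:
    """Full S222 -> S2261 pass; returns the DLLs the browser will load and the
    rewrites performed. The config list itself is never modified."""
    first_chain = copy_chain(registry, config)
    changes = rewrite_paths(registry, find_disallowed(first_chain, whitelist))
    return resolve_chain(registry, config), changes


if __name__ == "__main__":
    reg, cfg = build_registry(["A", "B", "C", "D"])
    loaded, rewrites = secure_chain(reg, cfg)
    print(" -> ".join(ntpath.basename(p) for p in loaded))
    for old, new in rewrites.items():
        print(f"{old}  =>  {new}")
```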
Embodiment 3
Referring to FIG. 3, which is a schematic flowchart of a method for implementing browser security according to the present invention, the method may specifically include:
Step 310: when the browser is installed, installing, through the browser installation package, a system service in the browser's host operating system that starts when the operating system starts;
Step 320: building a security component into the browser and, after the browser starts, calling the system service through the security component to intercept a first process independent of the browser injecting code into the browser to hijack the browser, which specifically includes:
Step S321: loading a window-message hook function for intercepting window messages;
In an embodiment of the present invention, the CBT hook WH_CBT is loaded; with a WH_CBT hook, the window messages generated when a Windows window is activated, created, destroyed (closed), minimized, maximized or changed can all be intercepted. The present invention can therefore load the above CBT hook.
Preferably, loading the window-message hook function for intercepting window messages includes:
Sub-step S3211: calling a dynamic-link-library loading function to load the dynamic link library containing the window-message hook function, thereby loading the window-message hook function.
WH_CBT must be installed through the SetWindowsHookEx function, whose prototype is:
SetWindowsHookEx(
    int idHook,
    HOOKPROC lpfn,
    HINSTANCE hMod,
    DWORD dwThreadId
);
where int idHook = WH_CBT;
HOOKPROC lpfn is a pointer to the hook procedure, that is, the pre-processing routine that runs after the specified system message is intercepted; it must be defined in a DLL;
HINSTANCE hMod is the handle of the application instance, which may be the DLL containing the CBT hook;
DWORD dwThreadId is set to 0, indicating that the hook is a global hook monitoring all threads in the system.
Because the installation logic above has to be implemented as a DLL, the DLL containing the CBT hook can be loaded with the dynamic link library loading function LoadLibrary, which loads the CBT hook's execution logic along with it. The prototype of the LoadLibrary function is as follows:
LoadLibraryA(
    _In_ LPCSTR lpLibFileName
);
where lpLibFileName is the name of the DLL.
In this way the DLL containing the CBT hook function is loaded, and with it the CBT hook function and the processing logic that runs after a window message is hooked.
Preferably, loading the window message hook function for intercepting window messages includes:
Sub-step A322: the system service receives a load request sent by the security component and, according to the load request, creates an I/O request packet and delivers it to the virtual device-level driver;
In the embodiment of the present invention, the system service starts with the system and keeps running, listening for requests sent by the browser. If it receives a load request sent by the browser, it creates an I/O Request Packet (IRP) according to the load request and delivers it to the virtual device-level driver, because in the Windows operating system instructions are passed from the application layer to the underlying driver through I/O request packets. When the system service calls the virtual device-level driver of the embodiment of the present invention, it must construct an IRP targeting that device-level driver and then deliver the IRP to it. The IRP contains the information that controls the device-level driver's loading of the CBT hook function, such as the path of the DLL in which the CBT hook function resides.
Sub-step A323: after receiving the I/O request packet, the virtual device-level driver calls the dynamic link library loading function to load the window message hook function for intercepting window messages.
After receiving the I/O request packet delivered by the system service, the virtual device-level driver parses the instruction in the I/O request packet to obtain the information about the DLL in which the CBT hook function resides; it can then call the dynamic link library loading function to load that dynamic link library, thereby loading the window message hook function. In this way the CBT hook function is loaded.
Step S322: intercept window messages in the operating system by means of the window message hook function;
In the embodiment of the present invention, when an application injects an unsafe dynamic link library into the browser, it directs the operating system to perform the injection through window messages, so the present invention can intercept the application through the CBT hook function at the moment it sends the window message.
Step S323: determine whether the window message is a browser-hijacking window message; if the window message is a browser-hijacking window message, proceed to step S324;
In the embodiment of the present invention, whether an intercepted window message is a browser-hijacking window message can be determined from the window handle of the message.
Preferably, determining whether the window message is a browser-hijacking window message includes:
Sub-step S3231: match the name of the window handle to which the window message belongs against a preset window handle list; if the window handle matches, determine that the window message is a browser-hijacking window message.
In the embodiment of the present invention, if an application other than the browser wants to inject a browser-hijacking DLL into the browser, it must start a corresponding window and similar operations through window messages and send the DLL injection process for execution under that window; the Windows system then processes the received window messages, for example by executing the DLL installation process, writing the DLL to the browser's designated location, and writing the DLL's parameters into the registry keys associated with the browser. Since every window has a window handle, the present invention can collect in advance the window handles of windows started by applications that inject DLLs not meeting the security requirements into the browser, and generate a window handle blacklist. For an intercepted window message, the present invention can then obtain directly from the window message the window handle to which it belongs and match it against the window handles in the blacklist; if it matches, the window message is determined to be a browser-hijacking window message. In other words, whether a window message is a browser-hijacking window message can be determined from the result of matching the window handle.
Of course, the preset window handle list of the present invention can be continuously updated according to analysis of applications, and can be pushed to the client through a cloud server.
Preferably, the method further includes:
Sub-step S3232: obtain the verification signature of the application to which the window handle belongs;
Sub-step S3233: verify the verification signature; if verification fails, determine that the window message is a browser-hijacking window message.
If verification succeeds, the window message is released.
In the embodiment of the present invention, for a window message, after determining that its window handle is within the preset window handle list, the verification signature of the application to which the window handle belongs, such as a verification signature from a third-party security platform, may additionally be obtained; this digital signature is then matched against a pre-recorded verification signature. If it matches, the DLL installed by the application owning the window handle is considered safe and the installation can be allowed; if verification fails, the DLL installed by that application is considered unsafe and the installation is refused. Of course, the verification signature can also be updated through the cloud server.
The combination of sub-step S3231, sub-step S3232 and sub-step S3233 applies multiple checks to a window message, so that the scope of window message interception can be configured flexibly: safe applications are allowed to inject DLLs into the browser, unsafe applications are not, and the security of the browser is protected.
Preferably, intercepting window messages in the operating system by means of the window message hook function includes:
Sub-step S3234: intercept the window-creation window messages in the operating system by means of the window message hook function.
In the embodiment of the present invention, it will be understood that when an application wants to inject a DLL into the browser it must run an installation process, and on the Windows system that installation process must first create an installation window. The embodiment of the present invention can therefore intercept only the window messages that create windows, and determine from them whether the message belongs to an application that injects an unsafe DLL into the browser.
Preferably, intercepting the window-creation window messages in the operating system by means of the window message hook function includes:
Sub-step 321: intercept the WM_CREATE message for creating a window in the operating system by means of the window message hook function.
WM_CREATE is a window message in Windows, sent when an application requests creation of a window through the CreateWindowEx function or the CreateWindow function. Thus, when an application creates the installation window for injecting a DLL into the browser, a WM_CREATE message is also sent, and the present invention can intercept, through the CBT hook, the WM_CREATE message of the installation window created by the application.
This embodiment can therefore intercept only the window-creation window messages; when such a message is a window-creation message sent by an application pre-recorded as injecting unsafe DLLs into the browser, creation of the corresponding window can be stopped, preventing the application from injecting the unsafe DLL into the browser. Because only window-creation messages are intercepted and other types of window message are not, the scope of interception is reduced and excessive consumption of system resources is avoided.
Step S324: stop transmission of the window message.
If the window message is not a browser-hijacking window message, the window message is released.
Once the window message intercepted by the CBT hook is determined to be a browser-hijacking window message, the subsequent transmission of the message can be stopped so that it receives no further processing, for example by deleting the window message.
Of course, after the window message is determined to be a browser-hijacking window message, a pop-up box may also be generated to notify the user that an application is injecting an unsafe DLL into the browser, and wait for the user to choose whether to allow the window message to continue being transmitted: if the user chooses to continue, the interception is abandoned; if the user chooses not to continue, transmission of the window message is stopped.
The embodiment of the present invention can intercept an application that wants to inject a DLL into the browser at the moment it creates a window or sends a window message under its window, that is, before the application executes the actual DLL injection process. The window message is then examined, and when it is judged from the window message to be a browser-hijacking message, transmission of the window message is stopped so that no subsequent operation takes place. This directly prevents the application from injecting an unsafe DLL into the browser and thereby protects the security of the browser.
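The decision that steps S323 and S324 describe, written out as an added example that is not code from the patent: a portable model of what a WH_CBT hook procedure returns at HCBT_CREATEWND, the CBT notification for CreateWindow/CreateWindowEx, where a nonzero return makes the system destroy the window being created. The "window handle name" is represented by the window's name string, and the preset list, the trusted signer and the sample events are constructed placeholders.

```c
/* Added example, not code from the patent: a portable model of the decision a
 * WH_CBT hook procedure makes at HCBT_CREATEWND (the CBT notification for
 * CreateWindow/CreateWindowEx). On Windows the hook is installed with
 * SetWindowsHookEx(WH_CBT, ...) and a nonzero return from the CBTProc makes
 * the system destroy the window being created; here only that decision is
 * modelled so it compiles and runs anywhere. The "window handle name" of the
 * patent is represented by the window's name string. The preset list, the
 * trusted signer and the sample events are constructed placeholders. */
#include <stdio.h>
#include <string.h>

/* Values the CBTProc returns for HCBT_CREATEWND. */
#define CBT_ALLOW_WINDOW 0
#define CBT_BLOCK_WINDOW 1

/* What the hook can learn about the window being created. */
typedef struct {
    const char *window_name; /* matched against the preset list (sub-step S3231) */
    const char *signer;      /* signer of the owning application, "" if unsigned */
} CreateWndEvent;

/* Preset window list (sub-step S3231): names previously observed on windows
 * of applications that inject DLLs into the browser. Constructed values. */
static const char *const kPresetWindowList[] = {
    "ExampleToolbarInstaller",
    "ExampleBrowserHelperSetup",
};

/* Pre-recorded verification signatures (sub-step S3233): signers whose
 * installations are released even when the window name is on the list. */
static const char *const kTrustedSigners[] = {
    "Example Security Platform CA",
};

static int in_list(const char *needle, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(needle, list[i]) == 0)
            return 1;
    return 0;
}

/* Sub-step S3231: is the window on the preset list? */
int window_on_preset_list(const CreateWndEvent *ev)
{
    return in_list(ev->window_name, kPresetWindowList,
                   sizeof kPresetWindowList / sizeof kPresetWindowList[0]);
}

/* Sub-steps S3232 and S3233: does the owning application carry a signature
 * matching a pre-recorded one? An empty signer means no signature at all. */
int signature_verified(const CreateWndEvent *ev)
{
    if (ev->signer == NULL || ev->signer[0] == '\0')
        return 0;
    return in_list(ev->signer, kTrustedSigners,
                   sizeof kTrustedSigners / sizeof kTrustedSigners[0]);
}

/* Steps S323 and S324: the value the CBTProc returns. Windows not on the list
 * are released unchanged; listed windows are released only when the
 * signature check passes, otherwise their creation is stopped. */
int cbt_create_decision(const CreateWndEvent *ev)
{
    if (!window_on_preset_list(ev))
        return CBT_ALLOW_WINDOW;
    return signature_verified(ev) ? CBT_ALLOW_WINDOW : CBT_BLOCK_WINDOW;
}

int main(void)
{
    /* Constructed sample creation events. */
    const CreateWndEvent samples[] = {
        { "Notepad",                   "" },
        { "ExampleToolbarInstaller",   "" },
        { "ExampleToolbarInstaller",   "Example Security Platform CA" },
        { "ExampleBrowserHelperSetup", "Some Other Vendor" },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int d = cbt_create_decision(&samples[i]);
        printf("%-26s signer=%-30s -> %s\n", samples[i].window_name,
               samples[i].signer[0] ? samples[i].signer : "(none)",
               d == CBT_BLOCK_WINDOW ? "stop creation" : "release");
    }
    return 0;
}
```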
Embodiment 4
Referring to FIG. 4, which is a schematic structural diagram of a browser client according to the present invention, the browser client may specifically include:
an installation component 410, configured to install, when the browser is installed and by means of the browser installation package, a system service in the operating system where the browser resides, the system service being started when the operating system starts;
a security component 420, built into the browser and configured so that, after the browser starts, the system service is invoked through the security component to intercept modification of the browser installation files and/or browser data by a first process independent of the browser process.
Preferably, the browser data includes webpage data accessed by the browser,
and further, the security component includes:
a webpage security module, configured to invoke the system service through the security component to perform a security scan on the webpage data accessed by the browser.
Preferably, the security component includes:
a security information interception module, configured to intercept acquisition of security information in the browser data by a first process independent of the browser process, the security information including at least one of a web address, a downloaded file, a telephone number, a public account number and an instant messaging number.
Preferably, the browser client further includes:
a security update module, configured to invoke the system service to obtain a secure update file for the browser in order to perform an update.
Preferably, the security component includes:
a configuration protection module, configured to intercept modification of browser-related configuration parameters in the operating system by a first process independent of the browser process.
Preferably, the configuration protection module includes:
a default browser protection module, configured to intercept an operation by a second process independent of the browser that changes the handler associated with the HTTP protocol in the current operating system from the current browser to another handler;
and/or a browser function configuration protection module, configured to intercept modification of the configuration information of the current browser's functions by a second process independent of the browser.
Preferably, the security component includes:
a personalized data protection module, configured to intercept modification of the user's personalized data recorded by the current browser by a first process independent of the browser process.
Preferably, the security component includes:
a URL cloud protection module, configured to perform a security determination, using a cloud antivirus engine, on web addresses accessed by the browser, and to block the web address if it is not safe.
Preferably, the security component includes:
a download file protection module, configured to perform security detection, using a cloud antivirus engine, on files downloaded through the browser.
Preferably, the security component includes:
an online shopping protection module, configured to detect whether the current online shopping environment is safe when it is determined that the webpage opened by the browser is an online shopping page;
and further including:
a protection order number generation module, configured to generate a protection order number in the safe system environment for the current online shopping page.
Preferably, the security component includes:
a sandbox execution module, configured to determine whether the currently opened webpage is safe and, if it is not, to run the webpage process corresponding to that webpage in a sandbox.
Preferably, the security component includes:
an injection interception module, configured to intercept a first process independent of the browser injecting code into the browser to hijack the browser.
Preferably, the security component includes:
a first security module, configured to use the system service to intercept, by calling a virtual device-level driver, modification of the browser installation files and/or browser data by a first process independent of the browser process.
Embodiment 5
Referring to FIG. 5, which is a schematic structural diagram of a browser client according to the present invention, the browser client may specifically include:
an installation component 510, configured to install, when the browser is installed and by means of the browser installation package, a system service in the operating system where the browser resides, the system service being started when the operating system starts;
a security component 520, built into the browser and configured so that, after the browser starts, the system service is invoked through the security component to intercept modification of the browser installation files and/or browser data by a first process independent of the browser process, including:
an injection interception module 521, configured to intercept a first process independent of the browser injecting code into the browser to hijack the browser, which specifically includes:
a chain copying module 5211, configured to copy the source layered service provider chain of the current browser to obtain a first layered service provider chain;
a chain conversion module 5212, configured to convert the source nodes in the first layered service provider chain that are not allowed to be accessed into virtual nodes, obtaining a converted second layered service provider chain, where the virtual layered service provider nodes implement each layered service provider interface and return a null value;
a request control module 5213, configured to transmit the network requests of the current browser through the second layered service provider chain.
Preferably, the chain conversion module 5212 includes:
a node identity acquisition module, configured to obtain the identity information of each source node of the source layered service provider chain from the configuration information of the source layered service provider chain;
a node identity determination module, configured to match the identity information of each source node against a preset identity information list and determine, according to the matching result, the source nodes that are not allowed to be accessed;
a node conversion module, configured to convert the registry path of each source node that is not allowed to be accessed into the path of a virtual node.
Preferably, the chain conversion module 5212 includes:
a request receiving module, configured so that the first operating system service receives a registry path setting request sent by the security module and, according to the registry path setting request, creates an I/O request packet and delivers it to the virtual device-level driver;
a second conversion module, configured so that, after the virtual device-level driver receives the I/O request packet, it calls a registry modification function to convert the registry path of the source nodes that are not allowed to be accessed into the path of a virtual node.
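The copy, convert and transmit steps of modules 5211 to 5213 (the same replacement the end of Embodiment 2 describes), as an added example that is not code from the patent: a portable model in which a chain node carries only its catalog identity and one interface function, so that a request sent through the converted chain visibly skips the provider that was not on the preset list. It assumes the preset identity list names the allowed providers; all identities and the sample request are constructed placeholders.

```c
/* Added example, not code from the patent: a portable model of the LSP chain
 * replacement of Embodiments 2 and 5 (modules 5211-5213). Real Winsock LSPs are
 * registry-chained catalog entries with many SPI functions; here a node has only
 * its catalog identity and one interface function, so copy, convert and transmit
 * compile and run anywhere. Assumption: the preset identity list names the
 * allowed providers and every other provider is "not allowed to be accessed".
 * All identities and the sample request are constructed placeholders. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct LspNode LspNode;
/* The one provider interface modelled: rewrite the request in place and return
 * the buffer, or return NULL when nothing was done (the virtual node's "null"). */
typedef const char *(*LspProcessFn)(const LspNode *self, char *req, size_t cap);

struct LspNode {
    char identity[48];    /* provider identity from the catalog configuration */
    LspProcessFn process;
    LspNode *next;
};

/* A real provider: appends its identity so the request's path is visible. */
static const char *real_process(const LspNode *self, char *req, size_t cap)
{
    size_t used = strlen(req);
    int n = snprintf(req + used, cap - used, " @%s", self->identity);
    return (n < 0 || (size_t)n >= cap - used) ? NULL : req;   /* NULL = truncated */
}

/* A virtual provider: implements the interface and returns null. */
static const char *virtual_process(const LspNode *s, char *r, size_t c)
{ (void)s; (void)r; (void)c; return NULL; }

void lsp_free(LspNode *head)
{ while (head) { LspNode *next = head->next; free(head); head = next; } }

/* Allocate a node in front of `next`; the base TCP/IP provider is the last node. */
static LspNode *new_node(const char *identity, LspProcessFn fn, LspNode *next)
{
    LspNode *n = calloc(1, sizeof *n);
    if (!n) { lsp_free(next); return NULL; }
    snprintf(n->identity, sizeof n->identity, "%s", identity);
    n->process = fn;
    n->next = next;
    return n;
}

/* Module 5211: copy the source chain into a first chain; the source is untouched. */
LspNode *lsp_copy(const LspNode *src)
{
    return src ? new_node(src->identity, src->process, lsp_copy(src->next)) : NULL;
}

/* Module 5212: turn every node whose identity is not on the preset list into a
 * virtual node. Returns how many nodes were converted. */
size_t lsp_convert(LspNode *head, const char *const *allowed, size_t n_allowed)
{
    size_t converted = 0;
    for (LspNode *n = head; n; n = n->next) {
        int ok = 0;
        for (size_t i = 0; i < n_allowed && !ok; i++)
            ok = strcmp(n->identity, allowed[i]) == 0;
        if (!ok) { n->process = virtual_process; converted++; }
    }
    return converted;
}

/* Module 5213: pass one request down a chain. Returns how many nodes actually
 * processed it; req holds the result. */
size_t lsp_transmit(const LspNode *head, char *req, size_t cap)
{
    size_t touched = 0;
    for (const LspNode *n = head; n; n = n->next)
        if (n->process(n, req, cap) != NULL) touched++;
    return touched;
}

/* Constructed source chain: an unknown provider above the browser's usual
 * providers, as it would be after another application injected an LSP node. */
LspNode *build_sample_source_chain(void)
{
    LspNode *base = new_node("Base TCP/IP", real_process, NULL);
    LspNode *mid = new_node("Trusted Filter", real_process, base);
    return new_node("Unknown Provider X", real_process, mid);
}

static const char *const kAllowedProviders[] = { "Trusted Filter", "Base TCP/IP" };

/* The whole procedure: copy, convert, transmit, then discard the second chain.
 * out receives the request as delivered; the return value counts real nodes hit. */
size_t send_through_safe_chain(const LspNode *src, const char *request, char *out, size_t cap)
{
    LspNode *second = lsp_copy(src);
    if (!second) return 0;
    lsp_convert(second, kAllowedProviders, 2);
    snprintf(out, cap, "%s", request);
    size_t touched = lsp_transmit(second, out, cap);
    lsp_free(second);
    return touched;
}
```

Sending "GET /index.html" straight through the sample source chain yields "GET /index.html @Unknown Provider X @Trusted Filter @Base TCP/IP", while send_through_safe_chain delivers "GET /index.html @Trusted Filter @Base TCP/IP" and leaves the source chain unchanged.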
Embodiment 6
Referring to FIG. 6, which is a schematic structural diagram of a browser client according to the present invention, the browser client may specifically include:
an installation component 610, configured to install, when the browser is installed and by means of the browser installation package, a system service in the operating system where the browser resides, the system service being started when the operating system starts;
a security component 620, built into the browser and configured so that, after the browser starts, the system service is invoked through the security component to intercept modification of the browser installation files and/or browser data by a first process independent of the browser process, including:
an injection interception module 621, configured to intercept a first process independent of the browser injecting code into the browser to hijack the browser, which specifically includes:
a hook loading module 6212, configured to load a window message hook function for intercepting window messages;
a window message interception module 6213, configured to intercept window messages in the operating system by means of the window message hook function;
a window message determination module 6214, configured to determine whether the window message is a browser-hijacking window message;
a window message processing module 6215, configured to stop transmission of the window message if the window message is a browser-hijacking window message.
Preferably, the hook loading module includes:
a first hook loading module, configured to call a dynamic link library loading function to load the dynamic link library in which the window message hook function resides, thereby loading the window message hook function.
Preferably, the window message determination module includes:
a handle matching module, configured to match the name of the window handle to which the window message belongs against a preset window handle list and, if the window handle matches, determine that the window message is a browser-hijacking window message.
Preferably, the browser client further includes:
a signature acquisition module, configured to obtain the verification signature of the application to which the window handle belongs;
a signature verification module, configured to verify the verification signature and, if verification fails, determine that the window message is a browser-hijacking window message.
Preferably, the window message interception module includes:
a creation interception module, configured to intercept the window-creation window messages in the operating system by means of the window message hook function.
Preferably, the hook loading module 6212 includes:
a request receiving module, configured so that the first operating system service receives a load request sent by the security component and, according to the load request, creates an I/O request packet and delivers it to the virtual device-level driver;
a driver loading module, configured so that, after the virtual device-level driver receives the I/O request packet, it calls the dynamic link library loading function to load the window message hook function for intercepting window messages.
实施例七Example 7
参照图7,其示出了本发明一种带有浏览器客户端的装置的结构示意图,所述装置700具体可以包括:FIG. 7 is a schematic structural diagram of a device with a browser client according to the present invention. The device 700 may specifically include:
处理器710,以及加载有多条可执行指令的存储器720,所述多条指令包括执行以下步骤的方法:A processor 710, and a memory 720 loaded with a plurality of executable instructions, the plurality of instructions including a method of performing the following steps:
在浏览器进行安装时,通过浏览器安装包在浏览器所在操作系统中安装一随操作系统启动而启动的系统服务;When the browser is installed, the system service started by the operating system startup is installed in the operating system of the browser through the browser installation package;
在浏览器中内置一安全组件,浏览器启动后通过该安全组件调用所述系统服务,拦截独立于浏览器进程的第一进程对浏览器安装文件和/或浏览器数据的修改。A security component is built in the browser, and the system service is invoked by the security component after the browser is started, and the modification of the browser installation file and/or the browser data by the first process independent of the browser process is intercepted.
所述浏览器数据包括浏览器访问的网页数据,The browser data includes webpage data accessed by a browser,
进一步的,所述拦截独立于浏览器进程的第一进程对浏览器数据的修改包括:Further, the modifying the browser data independently from the first process of the browser process includes:
针对浏览器访的网页数据,通过所述安全组件调用系统服务,对所述网页数据进行安全扫描。For the webpage data accessed by the browser, the security service component invokes the system service to perform security scanning on the webpage data.
优选地,拦截独立于浏览器进程的第一进程对浏览器安装文件和/或浏览器数据的修改包括:Preferably, the modification of the browser installation file and/or the browser data by the first process independent of the browser process comprises:
拦截独立于浏览器进程的第一进程对浏览器数据中的安全信息的获取;所述 安全信息包括网址、下载文件、电话号码、公众号、即时聊天号其中至少一个。Intercepting the acquisition of security information in the browser data by the first process independent of the browser process; The security information includes at least one of a web address, a download file, a phone number, a public number, and a live chat number.
优选地,还包括:调用系统服务获取浏览器的安全的更新文件,以进行更新。Preferably, the method further comprises: invoking the system service to obtain a secure update file of the browser for updating.
优选地,拦截独立于浏览器进程的第一进程对浏览器数据的修改包括:Preferably, the modification of the browser data by the first process independent of the browser process comprises:
拦截独立于浏览器进程的第一进程对操作系统中与浏览器相关的配置参数的修改。The modification of the browser-related configuration parameters in the operating system by the first process independent of the browser process is intercepted.
优选地,拦截独立于浏览器进程的第一进程对操作系统中与浏览器相关的配置信息的修改包括:Preferably, the modification of the browser-related configuration information in the operating system by the first process independent of the browser process comprises:
拦截独立于浏览器的第二进程将当前操作系统中HTTP协议的关联处理程序从当前浏览器修改为其他处理程序的操作;Intercepting the second process independent of the browser to modify the association process of the HTTP protocol in the current operating system from the current browser to another handler;
和/或,拦截独立于浏览器的第二进程对当前浏览器功能的配置信息的修改。And/or, intercepting modification of configuration information of the current browser function by the second process independent of the browser.
优选地,拦截独立于浏览器进程的第一进程对浏览器安装文件和/或浏览器数据的修改包括:Preferably, the modification of the browser installation file and/or the browser data by the first process independent of the browser process comprises:
拦截独立于浏览器的第一进程向浏览器注入代码以劫持浏览器。Intercepting the first process independent of the browser injects code into the browser to hijack the browser.
优选地,所述拦截独立于浏览器的第一进程向浏览器注入代码以劫持浏览器包括:Preferably, the intercepting the browser independent of the browser to inject code into the browser to hijack the browser comprises:
复制当前浏览器的源分层服务提供商链表,获得第一分层服务提供商链表;Copying the source layered service provider linked list of the current browser to obtain a first hierarchical service provider linked list;
将所述第一分层服务提供商链表中不允许访问的源节点转换为虚拟节点,得到转换后的第二分层服务提供商链表;所述虚拟分层服务提供商节点实现各分层服务提供商接口并返回空值;Converting a source node that is not allowed to be accessed in the first hierarchical service provider linked list to a virtual node, and obtaining a converted second hierarchical service provider linked list; the virtual hierarchical service provider node implementing each layered service Provider interface and return null values;
将当前浏览器的网络请求通过所述第二分层服务提供商链表传输。The network request of the current browser is transmitted through the second hierarchical service provider linked list.
Preferably, intercepting the first process independent of the browser from injecting code into the browser to hijack the browser comprises:
loading a window message hook function for intercepting window messages;
intercepting window messages in the operating system through the window message hook function;
determining whether the window message is a window message that hijacks the browser;
if the window message is a window message that hijacks the browser, stopping transmission of the window message.
Of course, the plurality of instructions also includes methods for performing each of the steps described above.
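The four-step window message hook, combined with the decision rules that claims 16 to 19 below attach to it (a hook DLL brought in with the dynamic-link library loader, a preset list of window handle names, a signature check on the owning application, and restriction to window-creation messages), as example code written for this page and not code from the patent. On Windows the hook would be installed with SetWindowsHookEx from that DLL, the signature check would call WinVerifyTrust on the owner's executable, and a WH_CBT hook stops a creation by returning non-zero for HCBT_CREATEWND; this self-contained C model replaces all three with plain functions over a reduced message structure so it runs anywhere. The "window handle name" of claim 17 is modelled as the window name carried in the creation data. The hijacker window names and the signature table are constructed sample data, and treating an unknown image as unsigned is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Message codes as numbered in the Win32 headers. */
#define WM_CREATE_CODE 0x0001
#define WM_PAINT_CODE  0x000F

/* What the hook sees for one message: a reduced CWPSTRUCT plus the creation data
 * and owner-process fields that the decision needs. */
struct window_message {
    unsigned int message;      /* WM_* code */
    const char  *window_name;  /* window name of the window being created, NULL if none */
    const char  *owner_image;  /* executable that owns the window handle */
};

enum hook_verdict { PASS_MESSAGE = 0, BLOCK_MESSAGE = 1 };

/* Preset list of window names known to belong to browser hijackers (constructed). */
static const char *const HIJACK_WINDOW_NAMES[] = { "SuperSearchBar", "BrowserBooster" };

/* Stand-in for signature verification: a real build verifies the Authenticode
 * signature of the owner image; this constructed table records the outcome. */
struct image_signature { const char *path; bool valid; };
static const struct image_signature SIGNATURE_RESULTS[] = {
    { "C:\\Program Files\\Browser\\browser.exe",        true  },
    { "C:\\Users\\u\\AppData\\Local\\Temp\\helper.exe", false },
};

bool window_name_on_hijack_list(const char *window_name) {
    if (!window_name) return false;
    for (size_t i = 0; i < sizeof HIJACK_WINDOW_NAMES / sizeof HIJACK_WINDOW_NAMES[0]; i++)
        if (strcmp(window_name, HIJACK_WINDOW_NAMES[i]) == 0) return true;
    return false;
}

/* Unknown images are treated as unsigned (assumption: fail closed). */
bool owner_signature_valid(const char *image_path) {
    for (size_t i = 0; i < sizeof SIGNATURE_RESULTS / sizeof SIGNATURE_RESULTS[0]; i++)
        if (strcmp(image_path, SIGNATURE_RESULTS[i].path) == 0) return SIGNATURE_RESULTS[i].valid;
    return false;
}

/* A message hijacks the browser if its window name is on the preset list OR the
 * owning application fails signature verification; either rule alone suffices. */
bool is_hijack_message(const struct window_message *m) {
    return window_name_on_hijack_list(m->window_name) || !owner_signature_valid(m->owner_image);
}

/* The hook procedure. Only window-creation messages are examined; a blocked message
 * is not forwarded (in a WH_CBT hook, the non-zero return for HCBT_CREATEWND). */
enum hook_verdict window_message_hook(const struct window_message *m, unsigned *n_blocked) {
    if (m->message != WM_CREATE_CODE) return PASS_MESSAGE;
    if (is_hijack_message(m)) {
        if (n_blocked) (*n_blocked)++;
        return BLOCK_MESSAGE;
    }
    return PASS_MESSAGE;
}

/* Feed a constructed stream of messages through the hook; returns how many were stopped. */
unsigned run_sample_stream(void) {
    const struct window_message stream[] = {
        { WM_CREATE_CODE, "Browser - Home", "C:\\Program Files\\Browser\\browser.exe" },
        { WM_CREATE_CODE, "SuperSearchBar", "C:\\Program Files\\Browser\\browser.exe" },
        { WM_CREATE_CODE, "Update Notice",  "C:\\Users\\u\\AppData\\Local\\Temp\\helper.exe" },
        { WM_PAINT_CODE,  NULL,             "C:\\Users\\u\\AppData\\Local\\Temp\\helper.exe" },
    };
    unsigned blocked = 0;
    for (size_t i = 0; i < sizeof stream / sizeof stream[0]; i++) {
        enum hook_verdict v = window_message_hook(&stream[i], &blocked);
        printf("msg 0x%04x name=%-15s owner=%s -> %s\n", stream[i].message,
               stream[i].window_name ? stream[i].window_name : "(none)",
               stream[i].owner_image, v == BLOCK_MESSAGE ? "BLOCKED" : "passed");
    }
    return blocked;
}

int main(void) {
    printf("%u message(s) blocked\n", run_sample_stream());
    return 0;
}
```

The second rule matters more than the first: a name list only catches hijackers already known, whereas an unsigned owner fails closed regardless of what the window is called. Keep the name list short and the signature check authoritative, and remember that a system-wide hook DLL is itself code injected into every GUI process, so it must be signed and must do nothing beyond the decision shown here.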
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. The structure required to construct such systems is apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented using a variety of programming languages, and that the description above of specific languages is given in order to disclose the best mode of the invention.
Numerous specific details are set forth in the description provided here. However, it will be understood that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline this disclosure and aid understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings), and all processes or units of any method or device so disclosed, may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the claims below, any of the claimed embodiments may be used in any combination.
The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of a device for achieving browser security according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the methods described here. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
For example, FIG. 8 shows a terminal device that can implement browser security according to the invention. The terminal device conventionally includes a processor 810 and a computer program product or computer-readable medium in the form of a memory 820. The memory 820 may be an electronic memory such as flash memory, EEPROM (electrically erasable programmable read-only memory), EPROM, a hard disk or ROM. The memory 820 has a storage space 830 for program code 831 for performing any of the method steps described above. For example, the storage space 830 for program code may include individual program codes 831 for implementing the various steps of the methods above. These program codes may be read from or written to one or more computer program products. These computer program products include program code carriers such as hard disks, compact discs (CDs), memory cards or floppy disks. Such a computer program product is usually a portable or fixed storage unit as described with reference to FIG. 9. The storage unit may have storage segments, storage space and the like arranged similarly to the memory 820 in the terminal device of FIG. 8. The program code may, for example, be compressed in a suitable form. Typically, the storage unit includes computer-readable code 831', that is, code that can be read by a processor such as 810 and that, when run by the terminal device, causes the terminal device to perform each of the steps of the methods described above.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order. These words may be interpreted as names.
It should also be noted that the language used in this specification has been selected principally for readability and instructional purposes, and not to delineate or circumscribe the subject matter of the invention. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The disclosure of the invention is illustrative and not restrictive of its scope, which is defined by the appended claims.

Claims (51)

  1. A method for achieving browser security, comprising:
    when the browser is installed, installing, by means of the browser installation package, in the operating system in which the browser resides a system service that starts when the operating system starts;
    building a security component into the browser, through which the system service is called after the browser starts, and
    intercepting modification of the browser installation files and/or browser data by a first process independent of the browser process.
  2. The method of claim 1, wherein the browser data comprises web page data accessed by the browser, and
    intercepting modification of the browser data by a first process independent of the browser process further comprises:
    for the web page data accessed by the browser, calling the system service through the security component to perform a security scan of the web page data.
  3. The method of claim 1, wherein intercepting modification of the browser installation files and/or browser data by a first process independent of the browser process comprises:
    intercepting acquisition of security information in the browser data by a first process independent of the browser process, the security information comprising at least one of a URL, a downloaded file, a telephone number, a public account number and an instant-messaging account number.
  4. The method of claim 1, further comprising:
    calling the system service to obtain a secure update file for the browser, so as to perform an update.
  5. The method of claim 1, wherein intercepting modification of the browser data by a first process independent of the browser process comprises:
    intercepting modification of browser-related configuration parameters in the operating system by a first process independent of the browser process.
  6. The method of claim 5, wherein intercepting modification of browser-related configuration information in the operating system by a first process independent of the browser process comprises:
    intercepting an operation by which a second process independent of the browser changes the handler associated with the HTTP protocol in the current operating system from the current browser to another handler;
    and/or intercepting modification, by a second process independent of the browser, of the configuration information of the current browser's functions.
  7. The method of claim 1, wherein intercepting modification of the browser data by a first process independent of the browser process comprises:
    intercepting modification of the personalized user data recorded by the current browser by a first process independent of the browser process.
  8. The method of claim 1, wherein intercepting modification of the browser data by a first process independent of the browser process comprises:
    for a URL accessed by the browser, making a security determination on the URL using a cloud antivirus engine, and intercepting the URL if it is not safe.
  9. The method of claim 1, wherein intercepting modification of the browser data by a first process independent of the browser process comprises:
    for a file downloaded through the browser, performing a security check on the file using a cloud antivirus engine.
  10. The method of claim 1, wherein intercepting modification of the browser data by a first process independent of the browser process comprises:
    when the web page opened by the browser is determined to be an online shopping page, detecting whether the current online shopping environment is safe;
    and further comprising: generating, for the current online shopping page, a protection order number in the secure system environment.
  11. The method of claim 2, wherein intercepting modification of the browser installation files and/or browser data by a first process independent of the browser process comprises:
    determining whether the currently opened web page is safe and, if it is not, running the web page process corresponding to that web page in a sandbox.
  12. The method of claim 1, wherein intercepting modification of the browser installation files and/or browser data by a first process independent of the browser process comprises:
    intercepting a first process independent of the browser from injecting code into the browser to hijack the browser.
  13. The method of claim 12, wherein intercepting the first process independent of the browser from injecting code into the browser to hijack the browser comprises:
    copying the source layered service provider (LSP) chain of the current browser to obtain a first LSP chain;
    converting the source nodes in the first LSP chain that are not allowed to be accessed into virtual nodes, to obtain a converted second LSP chain, where each virtual LSP node implements every LSP interface and returns null values;
    transmitting the network requests of the current browser through the second LSP chain.
  14. The method of claim 13, wherein converting the source nodes in the first LSP chain that are not allowed to be accessed into virtual nodes comprises:
    obtaining identity information of each source node in the source LSP chain from the configuration information of the source LSP chain;
    matching the identity information of each source node against a preset identity information list, and determining the source nodes that are not allowed to be accessed according to the matching result;
    converting the registry path of each source node that is not allowed to be accessed into the path of a virtual node.
  15. The method of claim 12, wherein intercepting the first process independent of the browser from injecting code into the browser to hijack the browser comprises:
    loading a window message hook function for intercepting window messages;
    intercepting window messages in the operating system through the window message hook function;
    determining whether the window message is a window message that hijacks the browser;
    if the window message is a window message that hijacks the browser, stopping transmission of the window message.
  16. The method of claim 15, wherein loading the window message hook function for intercepting window messages comprises:
    calling a dynamic link library loading function to load the dynamic link library containing the window message hook function, so as to load the window message hook function.
  17. The method of claim 16, wherein determining whether the window message is a window message that hijacks the browser comprises:
    matching the window handle name to which the window message belongs against a preset window handle list and, if the window handle matches, determining that the window message is a window message that hijacks the browser.
  18. The method of claim 16, further comprising:
    obtaining the verification signature of the application to which the window handle belongs;
    verifying the verification signature and, if the verification fails, determining that the window message is a window message that hijacks the browser.
  19. The method of claim 18, wherein intercepting window messages in the operating system through the window message hook function comprises:
    intercepting window-creation window messages in the operating system through the window message hook function.
  20. The method of claim 1, wherein intercepting modification of the browser installation files and/or browser data by a first process independent of the browser process comprises:
    using the system service to intercept, by calling a virtual device-level driver, modification of the browser installation files and/or browser data by a first process independent of the browser process.
  21. A browser client, comprising:
    an installation component configured to, when the browser is installed, install by means of the browser installation package, in the operating system in which the browser resides, a system service that starts when the operating system starts;
    a security component built into the browser and configured to call the system service after the browser starts, and to intercept modification of the browser installation files and/or browser data by a first process independent of the browser process.
  22. The browser client of claim 21, wherein the browser data comprises web page data accessed by the browser, and
    the security component further comprises:
    a web page security module configured to, for the web page data accessed by the browser, call the system service through the security component to perform a security scan of the web page data.
  23. The browser client of claim 21, wherein the security component comprises:
    a security information interception module configured to intercept acquisition of security information in the browser data by a first process independent of the browser process, the security information comprising at least one of a URL, a downloaded file, a telephone number, a public account number and an instant-messaging account number.
  24. The browser client of claim 21, further comprising:
    a security update module configured to call the system service to obtain a secure update file for the browser, so as to perform an update.
  25. The browser client of claim 21, wherein the security component comprises:
    a configuration protection module configured to intercept modification of browser-related configuration parameters in the operating system by a first process independent of the browser process.
  26. The browser client of claim 25, wherein the configuration protection module comprises:
    a default browser protection module configured to intercept an operation by which a second process independent of the browser changes the handler associated with the HTTP protocol in the current operating system from the current browser to another handler;
    and/or a browser function configuration protection module configured to intercept modification, by a second process independent of the browser, of the configuration information of the current browser's functions.
  27. The browser client of claim 21, wherein the security component comprises:
    a personalized data protection module configured to intercept modification of the personalized user data recorded by the current browser by a first process independent of the browser process.
  28. The browser client of claim 21, wherein the security component comprises:
    a URL cloud protection module configured to, for a URL accessed by the browser, make a security determination on the URL using a cloud antivirus engine and intercept the URL if it is not safe.
  29. The browser client of claim 21, wherein the security component comprises:
    a downloaded file protection module configured to, for a file downloaded through the browser, perform a security check on the file using a cloud antivirus engine.
  30. The browser client of claim 21, wherein the security component comprises:
    an online shopping protection module configured to, when the web page opened by the browser is determined to be an online shopping page, detect whether the current online shopping environment is safe;
    and further comprising:
    a protection order number generation module configured to generate, for the current online shopping page, a protection order number in the secure system environment.
  31. The browser client of claim 22, wherein the security component comprises:
    a sandbox execution module configured to determine whether the currently opened web page is safe and, if it is not, run the web page process corresponding to that web page in a sandbox.
  32. The browser client of claim 22, wherein the security component comprises:
    an injection interception module configured to intercept a first process independent of the browser from injecting code into the browser to hijack the browser.
  33. The method of claim 32, wherein the injection interception module comprises:
    a chain copy module configured to copy the source layered service provider (LSP) chain of the current browser to obtain a first LSP chain;
    a chain conversion module configured to convert the source nodes in the first LSP chain that are not allowed to be accessed into virtual nodes, to obtain a converted second LSP chain, where each virtual LSP node implements every LSP interface and returns null values;
    a request control module configured to transmit the network requests of the current browser through the second LSP chain.
  34. The browser client of claim 33, wherein the chain conversion module comprises:
    a node identity acquisition module configured to obtain identity information of each source node in the source LSP chain from the configuration information of the source LSP chain;
    a node identity determination module configured to match the identity information of each source node against a preset identity information list and determine the source nodes that are not allowed to be accessed according to the matching result;
    a node conversion module configured to convert the registry path of each source node that is not allowed to be accessed into the path of a virtual node.
  35. The browser client of claim 32, wherein the injection interception module comprises:
    a hook loading module configured to load a window message hook function for intercepting window messages;
    a window message interception module configured to intercept window messages in the operating system through the window message hook function;
    a window message determination module configured to determine whether the window message is a window message that hijacks the browser;
    a window message processing module configured to stop transmission of the window message if the window message is a window message that hijacks the browser.
  36. The browser client of claim 35, wherein the hook loading module comprises:
    a first hook loading module configured to call a dynamic link library loading function to load the dynamic link library containing the window message hook function, so as to load the window message hook function.
  37. The browser client of claim 36, wherein the window message determination module comprises:
    a handle matching module configured to match the window handle name to which the window message belongs against a preset window handle list and, if the window handle matches, determine that the window message is a window message that hijacks the browser.
  38. The browser client of claim 36, further comprising:
    a signature acquisition module configured to obtain the verification signature of the application to which the window handle belongs;
    a signature verification module configured to verify the verification signature and, if the verification fails, determine that the window message is a window message that hijacks the browser.
  39. The browser client of claim 38, wherein the window message interception module comprises:
    a creation interception module configured to intercept window-creation window messages in the operating system through the window message hook function.
  40. The browser client of claim 21, wherein the security component comprises:
    a first security module configured to use the system service to intercept, by calling a virtual device-level driver, modification of the browser installation files and/or browser data by a first process independent of the browser process.
  41. 一种带有浏览器客户端的装置,包括:A device with a browser client, comprising:
    处理器,以及加载有多条可执行指令的存储器,所述多条指令包括执行以下步骤的方法:a processor, and a memory loaded with a plurality of executable instructions, the plurality of instructions including a method of performing the following steps:
    when the browser is installed, a system service that starts together with the operating system is installed, by the browser installation package, in the operating system on which the browser runs;
    a security component is built into the browser; after the browser starts, the security component invokes the system service to intercept modification of the browser installation files and/or browser data by a first process that is independent of the browser process.
  42. The device according to claim 41, wherein the browser data comprises web page data accessed by the browser,
    and intercepting modification of the browser data by the first process independent of the browser process further comprises:
    for the web page data accessed by the browser, invoking the system service through the security component to perform a security scan of the web page data.
  43. The device according to claim 41, wherein intercepting modification of the browser installation files and/or browser data by the first process independent of the browser process comprises:
    intercepting acquisition, by the first process independent of the browser process, of security information in the browser data; the security information comprises at least one of a web address, a downloaded file, a telephone number, an official (public) account number, and an instant messaging account number.
  44. The device according to claim 41, further comprising:
    invoking the system service to obtain a secure update file for the browser and performing the update with it.
  45. The device according to claim 41, wherein intercepting modification of the browser data by the first process independent of the browser process comprises:
    intercepting modification, by the first process independent of the browser process, of browser-related configuration parameters in the operating system.
  46. The device according to claim 45, wherein intercepting modification of the browser-related configuration information in the operating system by the first process independent of the browser process comprises:
    intercepting an operation by a second process independent of the browser that changes the handler associated with the HTTP protocol in the current operating system from the current browser to another handler;
    and/or intercepting modification, by the second process independent of the browser, of configuration information of the current browser's functions.
  47. The device according to claim 41, wherein intercepting modification of the browser installation files and/or browser data by the first process independent of the browser process comprises:
    intercepting injection of code into the browser, by the first process independent of the browser, to hijack the browser.
  48. The device according to claim 47, wherein intercepting injection of code into the browser by the first process independent of the browser to hijack the browser comprises:
    copying the source layered service provider (LSP) linked list of the current browser to obtain a first layered service provider linked list;
    converting the source nodes in the first layered service provider linked list that are not permitted access into virtual nodes, obtaining a converted second layered service provider linked list, wherein each virtual layered service provider node implements every layered service provider interface and returns a null value;
    transmitting the network requests of the current browser through the second layered service provider linked list.
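The three steps of claim 48 (copy the chain, replace nodes that are not permitted with virtual nodes that implement the interface and return null, route requests through the converted chain) can be modelled with an ordinary linked list. The following is an added example written for this page; it is not code from the patent or its applicant. The provider interface (`lsp_send_fn`), the provider names, the allowlist and the sample request are constructed assumptions, and a real Winsock LSP chain would be enumerated and installed through the Winsock catalog APIs rather than built in memory like this.

```c
/* Added example (not from the patent): claim 48's LSP-chain conversion
 * modelled on a plain linked list. Interface, names and data are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LSP_BUF 256

/* Stand-in for a layered service provider interface: a provider receives the
 * outgoing request, may rewrite it into `out`, and returns `out`, or returns
 * NULL when it contributes nothing (the "null value" of a virtual node). */
typedef const char *(*lsp_send_fn)(const char *request, char *out, size_t outlen);

typedef struct lsp_node {
    char name[32];
    lsp_send_fn send;
    struct lsp_node *next;
} lsp_node;

/* Constructed providers: a trusted pass-through and an unknown one that
 * tampers with every request (the behaviour the conversion is meant to stop). */
static const char *base_provider(const char *req, char *out, size_t n) {
    snprintf(out, n, "%s", req);
    return out;
}
static const char *injecting_provider(const char *req, char *out, size_t n) {
    snprintf(out, n, "%s&ref=injected", req);
    return out;
}
/* Virtual node: implements the interface and returns a null value. */
static const char *virtual_provider(const char *req, char *out, size_t n) {
    (void)req; (void)out; (void)n;
    return NULL;
}

static lsp_node *lsp_append(lsp_node *head, const char *name, lsp_send_fn fn) {
    lsp_node *node = calloc(1, sizeof *node);
    if (!node) return head;
    snprintf(node->name, sizeof node->name, "%s", name);
    node->send = fn;
    if (!head) return node;
    lsp_node *t = head;
    while (t->next) t = t->next;
    t->next = node;
    return head;
}

/* Step 1: copy the source chain so the original is never modified. */
static lsp_node *lsp_copy(const lsp_node *src) {
    lsp_node *copy = NULL;
    for (; src; src = src->next) copy = lsp_append(copy, src->name, src->send);
    return copy;
}

static int in_allowlist(const char *name, const char *const *allow, size_t count) {
    for (size_t i = 0; i < count; i++)
        if (strcmp(name, allow[i]) == 0) return 1;
    return 0;
}

/* Step 2: every node not on the allowlist becomes a virtual node.
 * Returns how many nodes were converted. */
static int lsp_virtualize(lsp_node *chain, const char *const *allow, size_t count) {
    int converted = 0;
    for (lsp_node *n = chain; n; n = n->next)
        if (!in_allowlist(n->name, allow, count)) { n->send = virtual_provider; converted++; }
    return converted;
}

/* Step 3: transmit a request through a chain; a NULL result leaves it unchanged. */
static const char *lsp_send(const lsp_node *chain, const char *request, char *out, size_t outlen) {
    char scratch[LSP_BUF];
    snprintf(out, outlen, "%s", request);
    for (const lsp_node *n = chain; n; n = n->next) {
        const char *r = n->send(out, scratch, sizeof scratch);
        if (r) snprintf(out, outlen, "%s", r);
    }
    return out;
}

static void lsp_free(lsp_node *chain) {
    while (chain) { lsp_node *next = chain->next; free(chain); chain = next; }
}

/* Worked scenario with constructed data. Returns 1 when the converted chain
 * delivers the request untouched while the source chain tampers with it. */
int lsp_demo(void) {
    lsp_node *source = lsp_append(NULL, "base", base_provider);
    source = lsp_append(source, "unknown_lsp", injecting_provider);
    const char *allow[] = { "base" };            /* assumed allowlist */
    lsp_node *second = lsp_copy(source);
    int converted = lsp_virtualize(second, allow, 1);
    char via_source[LSP_BUF], via_second[LSP_BUF];
    lsp_send(source, "GET /index.html", via_source, sizeof via_source);
    lsp_send(second, "GET /index.html", via_second, sizeof via_second);
    printf("converted=%d\nsource chain: %s\nsecond chain: %s\n", converted, via_source, via_second);
    int ok = converted == 1 && strcmp(via_second, "GET /index.html") == 0
          && strcmp(via_source, "GET /index.html&ref=injected") == 0;
    lsp_free(source);
    lsp_free(second);
    return ok;
}

int main(void) { return lsp_demo() ? 0 : 1; }
```

The point of copying before converting is that the source chain stays intact for inspection and for restoring, while the browser's own traffic is routed only through the second chain, where the unknown provider is present but inert.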
  49. The device according to claim 47, wherein intercepting injection of code into the browser by the first process independent of the browser to hijack the browser comprises:
    loading a window message hook function for intercepting window messages;
    intercepting window messages in the operating system by means of the window message hook function;
    determining whether an intercepted window message is a window message that hijacks the browser;
    if the window message is a window message that hijacks the browser, stopping transmission of the window message.
  50. A computer program comprising computer-readable code which, when run on a terminal device, causes the terminal device to perform the browser anti-injection method according to any one of claims 1 to 20.
  51. A computer-readable medium storing the computer program according to claim 50.
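Claim 49 describes a window-message hook that classifies each message and stops transmission of those that would hijack the browser. The following added example, written for this page and not taken from the patent, models that procedure portably: the message identifiers (`MSG_NAVIGATE` and the others), the policy fields, the classification rule and the sample queue are all constructed assumptions, since the claims do not say which messages count as hijacking ones. On Windows the hook would be installed with `SetWindowsHookEx`, and a `WH_GETMESSAGE` hook stops a message by rewriting it to `WM_NULL` before the window procedure sees it, which is what the model below imitates.

```c
/* Added example (not from the patent): a portable model of claim 49's
 * window-message hook. Message ids, policy and queue are assumptions. */
#include <stdio.h>
#include <string.h>

typedef unsigned long hwnd_t;

/* Assumed message identifiers for the model. */
enum { MSG_NULL = 0, MSG_PAINT = 1, MSG_NAVIGATE = 2,
       MSG_SET_DEFAULT_HANDLER = 3, MSG_EXEC_SCRIPT = 4 };

typedef struct {
    hwnd_t target;      /* window the message is addressed to */
    int sender_pid;     /* process that posted the message */
    int id;
    const char *payload;
} win_msg;

typedef struct {
    hwnd_t browser_window;  /* the window the security component protects */
    int browser_pid;        /* the browser's own process id */
} protect_policy;

/* Assumed rule: a message hijacks the browser when it targets the protected
 * browser window, does not come from the browser process itself, and carries
 * a command that changes what the browser loads, runs or is associated with. */
int is_hijack_message(const win_msg *m, const protect_policy *p) {
    if (m->target != p->browser_window) return 0;
    if (m->sender_pid == p->browser_pid) return 0;
    switch (m->id) {
    case MSG_NAVIGATE:
    case MSG_SET_DEFAULT_HANDLER:
    case MSG_EXEC_SCRIPT:
        return 1;
    default:
        return 0;
    }
}

/* Hook callback: returns 1 when the message may continue, 0 when it is stopped.
 * Stopping is modelled as a WH_GETMESSAGE hook does it: the message is
 * rewritten to a null message so the original never reaches the window. */
int window_message_hook(win_msg *m, const protect_policy *p) {
    if (is_hijack_message(m, p)) {
        m->id = MSG_NULL;
        m->payload = NULL;
        return 0;
    }
    return 1;
}

/* Pass a queue of messages through the hook; returns how many were stopped. */
int filter_queue(win_msg *queue, int count, const protect_policy *p) {
    int blocked = 0;
    for (int i = 0; i < count; i++)
        if (!window_message_hook(&queue[i], p)) blocked++;
    return blocked;
}

/* Constructed queue: two messages from a foreign process should be stopped,
 * the browser's own navigation, a repaint and a message to another window pass. */
int hook_demo(void) {
    const protect_policy policy = { .browser_window = 0x1000, .browser_pid = 4242 };
    win_msg queue[] = {
        { 0x1000, 4242, MSG_NAVIGATE, "https://example.com/" },      /* browser itself */
        { 0x1000, 9001, MSG_NAVIGATE, "http://unwanted.example/" },  /* foreign: stopped */
        { 0x1000, 9001, MSG_PAINT, NULL },                           /* harmless */
        { 0x2000, 9001, MSG_EXEC_SCRIPT, "(script)" },               /* other window */
        { 0x1000, 9001, MSG_SET_DEFAULT_HANDLER, "other.exe" },      /* foreign: stopped */
    };
    int n = (int)(sizeof queue / sizeof queue[0]);
    int blocked = filter_queue(queue, n, &policy);
    for (int i = 0; i < n; i++)
        printf("msg %d: id=%d %s\n", i, queue[i].id,
               queue[i].id == MSG_NULL ? "(stopped)" : "(passed)");
    return blocked;
}

int main(void) { return hook_demo() == 2 ? 0 : 1; }
```

A real deployment has to decide the classification rule carefully: a hook installed system-wide sees every message, so the rule should key on the protected window and the sender rather than on message ids alone, or legitimate automation and accessibility tools will be blocked along with the injection.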
PCT/CN2015/094845 2014-12-05 2015-11-17 Method, browser client, and device for achieving browser security WO2016086767A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410743201.0 2014-12-05
CN201410743201.0A CN104536981B (en) 2014-12-05 2014-12-05 Realize method, browser client and the device of secure browser

Publications (1)

Publication Number Publication Date
WO2016086767A1 true WO2016086767A1 (en) 2016-06-09

Family

ID=52852509

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/094845 WO2016086767A1 (en) 2014-12-05 2015-11-17 Method, browser client, and device for achieving browser security

Country Status (2)

Country Link
CN (1) CN104536981B (en)
WO (1) WO2016086767A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110188294A (en) * 2019-05-05 2019-08-30 平安科技(深圳)有限公司 URL intercepts conversion method, device and computer equipment
CN114095464A (en) * 2021-11-16 2022-02-25 成都知道创宇信息技术有限公司 Instant message implementation method and system
CN117278803A (en) * 2023-11-21 2023-12-22 深圳软牛科技有限公司 DRM video decryption method, device, equipment and storage medium

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104536981B (en) * 2014-12-05 2018-01-16 北京奇虎科技有限公司 Realize method, browser client and the device of secure browser
CN106649417A (en) * 2015-11-04 2017-05-10 珠海市君天电子科技有限公司 Window interception method and device
CN105468674A (en) * 2015-11-12 2016-04-06 珠海市君天电子科技有限公司 Window interception method and device and terminal equipment
CN105825127B (en) * 2016-03-11 2019-03-01 珠海豹趣科技有限公司 A kind of window destroys hold-up interception method and device
CN105893847B (en) * 2016-04-22 2019-01-25 珠海豹趣科技有限公司 A kind of method, apparatus and electronic equipment for protecting security protection application file
CN106446684B (en) * 2016-09-22 2019-12-03 武汉斗鱼网络科技有限公司 A kind of network account guard method and system based on password control
CN108073804B (en) * 2016-11-14 2022-11-29 百度在线网络技术(北京)有限公司 Risk identification method and device
CN107728888B (en) * 2017-10-26 2020-02-18 竞技世界(北京)网络技术有限公司 Virtual key implementation method for android terminal
CN108170574B (en) * 2017-12-25 2021-04-20 深圳Tcl新技术有限公司 Website information processing method and device
CN108549809A (en) * 2018-04-02 2018-09-18 郑州云海信息技术有限公司 A kind of program process control method and system based on digital certificate
CN110135132A (en) * 2019-05-13 2019-08-16 重庆八戒传媒有限公司 A kind of quick method, apparatus for solving the problems, such as project convention security and storage medium
CN110278271B (en) * 2019-06-24 2022-04-12 厦门美图之家科技有限公司 Network request control method and device and terminal equipment
CN112580088A (en) * 2019-09-30 2021-03-30 北京国双科技有限公司 Data loading method and device, computer equipment and storage medium
CN113050927B (en) * 2021-04-12 2024-01-23 平安国际智慧城市科技股份有限公司 Authority control method and device based on custom instruction and computer equipment
CN113296654B (en) * 2021-05-27 2023-12-29 深信服科技股份有限公司 Data processing method, device, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5974549A (en) * 1997-03-27 1999-10-26 Soliton Ltd. Security monitor
CN103116723A (en) * 2013-02-06 2013-05-22 北京奇虎科技有限公司 Method, device and system of web site interception process
CN103218561A (en) * 2013-03-18 2013-07-24 珠海市君天电子科技有限公司 Tamper-proof method and device for protecting browser
CN103823873A (en) * 2014-02-27 2014-05-28 北京奇虎科技有限公司 Reading/writing method, device and system of browser setting item
CN104536981A (en) * 2014-12-05 2015-04-22 北京奇虎科技有限公司 Browser safety achieving method, browser client-side and device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7152106B2 (en) * 2001-07-06 2006-12-19 Clickfox, Llc Use of various methods to reconstruct experiences of web site visitors
US8407779B1 (en) * 2011-07-29 2013-03-26 Juniper Networks, Inc. Transposing a packet firewall policy within a node
CN103023869B (en) * 2012-11-02 2016-07-06 北京奇虎科技有限公司 Malicious attack prevention method and browser
CN102999354B (en) * 2012-11-15 2015-12-02 北京奇虎科技有限公司 file loading method and device
CN102981874B (en) * 2012-11-15 2015-12-02 北京奇虎科技有限公司 Computer processing system and registration table reorientation method

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110188294A (en) * 2019-05-05 2019-08-30 平安科技(深圳)有限公司 URL intercepts conversion method, device and computer equipment
CN114095464A (en) * 2021-11-16 2022-02-25 成都知道创宇信息技术有限公司 Instant message implementation method and system
CN114095464B (en) * 2021-11-16 2023-08-08 成都知道创宇信息技术有限公司 Instant message realization method and system
CN117278803A (en) * 2023-11-21 2023-12-22 深圳软牛科技有限公司 DRM video decryption method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN104536981B (en) 2018-01-16
CN104536981A (en) 2015-04-22

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 15865730; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 15865730; Country of ref document: EP; Kind code of ref document: A1