Process monitoring method and device, electronic equipment and readable storage medium

Document no.: 1953083  Publication date: 2021-12-10  Original language: Chinese

Reading note: the technology "Process monitoring method and device, electronic equipment and readable storage medium" (一种进程监听方法、装置、电子设备及可读存储介质) was designed and created by 王启超 on 2021-09-18. Abstract: the invention discloses a process monitoring method, a process monitoring device, an electronic device and a readable storage medium. The method comprises: searching for a process to be monitored, where the process to be monitored comprises a core process of the system; injecting a kernel monitor program into the process to be monitored; and monitoring the user operations of the system with the kernel monitor. By injecting the kernel monitor into the process to be monitored, the invention performs kernel-level injection into a core process of the system, so that the kernel monitor running inside that core process monitors the user operations of the system, and the operating behaviour of the user in the operating system is thereby monitored. This reduces the occurrence of situations unfavourable to management, such as the supervision function of the security management software being discovered, killed by mistake, disabled, uninstalled or shredded, lets enterprise managers better audit and manage the office behaviour of employees, and improves the supervisory capability of the enterprise side.

1. A process monitoring method is characterized by comprising the following steps:

searching a process to be monitored; wherein, the process to be monitored comprises a core process of the system;

injecting a kernel monitor into the process to be monitored;

and monitoring the user operation of the system by utilizing the kernel monitor.

2. The process monitoring method according to claim 1, wherein the searching for the process to be monitored comprises:

searching all target monitoring processes in the system; the target monitoring process comprises a core process of a target class in all processes of the system;

filtering the target monitoring process according to the command line and/or the token information of the target monitoring process to obtain a screening process;

determining a process to be monitored in the screening process according to the state information of the screening process; wherein the state information comprises protection state information and/or usage state information.

3. The process monitoring method according to claim 2, wherein the filtering the target monitor process according to the command line and/or token information of the target monitor process to obtain a screening process comprises:

filtering the target monitoring processes according to their command lines to obtain high-authority processes; wherein the command line of a high-authority process comprises a preset high-authority command line;

and filtering the high-authority processes according to their token information to obtain the screening processes.

4. The process monitoring method according to claim 2, wherein, when the process to be monitored is any core process of the system, determining the process to be monitored among the screening processes according to their state information comprises:

acquiring the kernel executive process object of the current screening process according to the ID of the current screening process; wherein the current screening process is any one of the screening processes;

determining current state information from the kernel executive process object; wherein the current state information is the state information corresponding to the current screening process;

if the protection state information in the current state information is the protected state and the usage state information is not the exiting state, determining the current screening process as the process to be monitored, and executing the step of injecting a kernel monitor program into the process to be monitored and the subsequent steps;

and if the protection state information in the current state information is not the protected state, or the usage state information is the exiting state, taking the next screening process as the current screening process and returning to the step of acquiring the kernel executive process object of the current screening process according to its ID and the subsequent steps.

5. The process monitoring method according to claim 1, wherein after monitoring the user operation of the system by using the kernel monitor, the method further comprises:

judging whether the process currently being terminated is the process to be monitored;

and if so, returning to the step of searching for a process to be monitored and the subsequent steps.

6. The process monitoring method according to claim 1, wherein when the process to be monitored is any core process of the system, after searching for the process to be monitored, the method further comprises:

if no process to be monitored is found, judging whether a newly created process is a process to be monitored;

and if so, executing the step of injecting the kernel monitor program into the process to be monitored and the subsequent steps.

7. The process monitoring method according to any one of claims 1 to 6, wherein the injecting a kernel monitor into the process to be monitored comprises:

creating a new thread for the process to be monitored;

and injecting the kernel monitor, by means of that thread, into the application-layer (user-mode) target storage space corresponding to the process to be monitored.

8. An apparatus for process monitoring, comprising:

the process searching module is used for searching a process to be monitored; wherein, the process to be monitored comprises a core process of the system;

the program injection module is used for injecting a kernel monitor program into the process to be monitored;

and the monitoring module is used for monitoring the user operation of the system by utilizing the kernel monitoring program.

9. An electronic device, comprising:

a memory for storing a computer program;

a processor for implementing the steps of the process monitoring method according to any one of claims 1 to 7 when executing the computer program.

10. A readable storage medium, having stored thereon a computer program which, when being executed by a processor, carries out the steps of the process monitoring method according to any one of claims 1 to 7.

Technical Field

The present invention relates to the field of software service technologies, and in particular, to a process monitoring method and apparatus, an electronic device, and a readable storage medium.

Background

At present, enterprise security management software is in a state of "confrontation" with employees, and has the following shortcomings: 1. the management software is easily discovered by employees, who then take precautions against it when engaging in non-work behaviour; 2. the management software is disabled, uninstalled or shredded by employees, which makes enterprise supervision and management difficult; 3. the management software is not robust enough and is killed by antivirus software.

Therefore, how to reduce the occurrence of situations unfavourable to management, in which the supervision function of the security management software is discovered, killed or disabled, and how to improve the supervisory capability of the enterprise side, is a problem that urgently needs to be solved.

Disclosure of Invention

The invention aims to provide a process monitoring method, a process monitoring device, an electronic device and a readable storage medium, so as to reduce the occurrence of situations unfavourable to management, in which the supervision function of the security management software is discovered, killed or disabled, and to improve the supervisory capability of the enterprise side.

In order to solve the above technical problem, the present invention provides a process monitoring method, including:

searching a process to be monitored; wherein, the process to be monitored comprises a core process of the system;

injecting a kernel monitor into the process to be monitored;

and monitoring the user operation of the system by utilizing the kernel monitor.

Optionally, the searching for the process to be monitored includes:

searching all target monitoring processes in the system; the target monitoring process comprises a core process of a target class in all processes of the system;

filtering the target monitoring process according to the command line and/or the token information of the target monitoring process to obtain a screening process;

determining a process to be monitored in the screening process according to the state information of the screening process; wherein the state information comprises protection state information and/or usage state information.

Optionally, the filtering the target monitoring process according to the command line and/or the token information of the target monitoring process to obtain a screening process includes:

filtering the target monitoring processes according to their command lines to obtain high-authority processes; wherein the command line of a high-authority process comprises a preset high-authority command line;

and filtering the high-authority processes according to their token information to obtain the screening processes.

Optionally, when the process to be monitored is any core process of the system, determining the process to be monitored among the screening processes according to their state information comprises:

acquiring the kernel executive process object of the current screening process according to the ID of the current screening process; wherein the current screening process is any one of the screening processes;

determining current state information from the kernel executive process object; wherein the current state information is the state information corresponding to the current screening process;

if the protection state information in the current state information is the protected state and the usage state information is not the exiting state, determining the current screening process as the process to be monitored, and executing the step of injecting a kernel monitor program into the process to be monitored and the subsequent steps;

and if the protection state information in the current state information is not the protected state, or the usage state information is the exiting state, taking the next screening process as the current screening process and returning to the step of acquiring the kernel executive process object of the current screening process according to its ID and the subsequent steps.

Optionally, after the monitoring the user operation of the system by using the kernel monitor, the method further includes:

judging whether the process currently being terminated is the process to be monitored;

and if so, returning to the step of searching for a process to be monitored and the subsequent steps.

Optionally, when the process to be monitored is any core process of the system, after the process to be monitored is searched, the method further includes:

if no process to be monitored is found, judging whether a newly created process is a process to be monitored;

and if so, executing the step of injecting the kernel monitor program into the process to be monitored and the subsequent steps.

Optionally, the injecting a kernel monitor into the process to be monitored includes:

creating a new thread for the process to be monitored;

and injecting the kernel monitor, by means of that thread, into the application-layer (user-mode) target storage space corresponding to the process to be monitored.

The invention also provides a process monitoring device, which comprises:

the process searching module is used for searching a process to be monitored; wherein, the process to be monitored comprises a core process of the system;

the program injection module is used for injecting a kernel monitor program into the process to be monitored;

and the monitoring module is used for monitoring the user operation of the system by utilizing the kernel monitoring program.

The present invention also provides an electronic device, comprising:

a memory for storing a computer program;

a processor, configured to implement the steps of the process monitoring method as described above when executing the computer program.

Furthermore, the present invention also provides a readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the steps of the process monitoring method as described above.

The process monitoring method provided by the invention comprises the following steps: searching a process to be monitored; wherein, the process to be monitored comprises a core process of the system; injecting a kernel monitor program into the process to be monitored; monitoring the user operation of the system by using a kernel monitor;

Therefore, the kernel monitor is injected into the process to be monitored, kernel-level injection is performed on a core process of the system, and the kernel monitor running inside that core process is used to monitor the user operations of the system, so that the operating behaviour of the user in the operating system is monitored. This reduces the occurrence of situations unfavourable to management, in which the supervision function of the security management software is discovered, killed by mistake, disabled, uninstalled or shredded, lets enterprise managers better audit and manage the office behaviour of employees, and improves the supervisory capability of the enterprise side. The invention further provides a process monitoring device, an electronic device and a readable storage medium, which have the same beneficial effects.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.

Fig. 1 is a flowchart of a process monitoring method according to an embodiment of the present invention;

fig. 2 is a flowchart of searching for a process to be monitored in another process monitoring method according to an embodiment of the present invention;

fig. 3 is a block diagram of a process monitoring apparatus according to an embodiment of the present invention;

fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention;

fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

Referring to fig. 1, fig. 1 is a flowchart of a process monitoring method according to an embodiment of the present invention. The method can comprise the following steps:

step 101: searching a process to be monitored; the process to be monitored comprises a core process of the system.

It can be understood that the process to be monitored in this step is a process of the electronic device's system (i.e. its operating system) into which the kernel monitor needs to be injected, that is, a process that will run the injected kernel monitor in order to monitor user operations in the system. In this step, the electronic device determines which process in the system needs to receive the kernel monitor by searching for the process to be monitored.

Specifically, the number and type of processes to be monitored in this step may be set by the designer according to the usage scenario and user requirements. For example, the processes to be monitored may include a core process of the system, so that the core process is used to monitor user operations of the system; the process to be monitored may be a single core process of the system, or all processes belonging to one or more types of core process in the system. The processes to be monitored may further include a non-core process of the system, so that a non-core process is used to monitor user operations; this embodiment does not limit this.

It should be noted that the specific way in which the electronic device searches for the process to be monitored in this step may be set by the designer according to the practical scenario and user requirements. For example, the electronic device may search for the process to be monitored according to the command line and/or token information of each process. When the process to be monitored needs higher privileges and network communication capability, the electronic device may filter, from all core processes of the system, those processes whose command line contains a preset high-privilege command line and whose token information contains a network token (the screening processes), and then determine the process to be monitored from the screening processes: for example, the first screening process found is taken as the process to be monitored, or all screening processes are taken as processes to be monitored, or one process to be monitored is chosen from each type of core process among the screening processes. To reduce the amount of work needed to find the process to be monitored, the electronic device may restrict the search to core processes of a target class, that is, the process type (target class) of the process to be monitored is preset, such as svchost.exe.
The electronic device may also search for the process to be monitored according to the state information of each process, such as the state of its kernel executive process object. For example, to ensure that the chosen process can be injected smoothly and will run the kernel monitor for a long time, the electronic device may filter, from the screening processes, those whose protection state information is the protected state and whose usage state information is not the exiting state, according to the protection state information and usage state information of each process, for example determining the first screening process that passes this filter as the process to be monitored. This embodiment does not limit the process to be monitored, as long as the electronic device can find it among all processes of the system.

It should be noted that, before this step, the electronic device may first detect whether monitoring of the system has already been completed, that is, whether injection of all processes to be monitored has already been carried out. If monitoring has not been completed, step 101 is entered to complete it; if monitoring has been completed, the flow ends, which avoids injecting the process to be monitored a second time. When the process to be monitored is a core process of a target class, the electronic device obtains the kernel monitor injection status of the target monitoring processes in the system, judges from that injection status whether monitoring of the system is complete, executes step 101 and the subsequent steps 102 and 103 if it is not, and ends the flow if it is; here the target monitoring processes are the core processes of the target class among all processes of the system.

For example, when the system is Windows Vista or later, the electronic device may obtain a list of all processes in the system with the ZwQuerySystemInformation function (a Windows system function), traverse the list to find all target monitoring processes, obtain the PEB (Process Environment Block) of each target monitoring process, read each process's module list through its PEB, and derive the kernel monitor injection status of each target monitoring process from that module list. Whether monitoring of the system is complete is then judged from the injection status: when the process to be monitored is a core process, the electronic device checks whether any target monitoring process already has the kernel monitor in its module list, and determines that monitoring is complete when such a process exists. Note that the PEB and its loader list live in the user-mode address space of the target process, so a kernel driver must read them in the context of that process.

Step 102: and injecting a kernel monitor into the process to be monitored.

The kernel monitor in this step is a module, such as a DLL file, that runs inside the process it is injected into and monitors the user operations of the system. Although it is injected by the kernel driver, which is why this is called kernel-level injection of the core process, the module itself executes in the user-mode address space of the host process. In this step the kernel monitor is injected into the process to be monitored, so that the process to be monitored subsequently runs the kernel monitor and monitors the user operations of the system.

Specifically, the manner in which the electronic device injects the kernel monitor into the process to be monitored in this step may be set by the designer according to the practical scenario and user requirements, for example according to the version and type of the system (i.e. the operating system) of the electronic device. When the system is Windows Vista or later, the electronic device may inject the kernel monitor into the application-layer target storage space using the NtCreateThreadEx function (a Windows system function), a target machine-code stub, the LdrLoadDll function (a Windows system function), the PreviousMode parameter of the calling thread (a thread attribute in the Windows system) and the application-layer target storage space corresponding to the process to be monitored; the target machine code is a preset machine-code stub matching the bitness (32-bit or 64-bit) of the process to be monitored. Correspondingly, the electronic device may complete injection from kernel mode in the above manner, or may instead inject from the application layer, for example with an injector running with SYSTEM privileges. This embodiment does not limit the injection method, as long as the electronic device can inject the kernel monitor into the process to be monitored.

It can be understood that, in this embodiment, the electronic device may execute the process monitoring method by running a pre-installed kernel-level driver (e.g. a Windows kernel driver), which carries out the search for and injection of the process to be monitored.

Step 103: and monitoring the user operation of the system by using the kernel monitor.

It can be understood that in this step the electronic device monitors the user operations of the system through the kernel monitor running inside the process to be monitored, which implements the supervision function of the security management software; because the kernel monitor is run by the process to be monitored rather than by a separate, visible program, discovery, mistaken killing, disabling, uninstallation or shredding of the kernel monitor is made less likely. A practical caveat: the injected DLL still appears in the host process's module list (the very list this embodiment reads to detect a prior injection), and the remote thread creation and image load are recorded by host telemetry such as Sysmon event IDs 8 and 7, so the technique hides the monitor from casual inspection by the user rather than from a defender who audits core system processes.

Specifically, the user operations in this step are the operating behaviours of the user in the operating system that need to be monitored. Which user operations the electronic device monitors with the kernel monitor may be set by the designer according to the practical scenario and user requirements, for example according to the supervision requirements of the enterprise customer; for instance, the monitored user operations may include starting and closing office software and non-office software.

Correspondingly, in this embodiment the electronic device may further send the monitored user operations to a management device (e.g. a server) through the kernel monitor running in the process to be monitored, so that an enterprise manager can audit and manage the office behaviour of employees from the management device.

In the embodiment of the invention, the kernel monitor is injected into the process to be monitored, kernel-level injection is performed on a core process of the system, and the kernel monitor running inside that core process is used to monitor the user operations of the system, so that the operating behaviour of the user in the operating system is monitored. This reduces the occurrence of situations unfavourable to management, in which the supervision function of the security management software is discovered, killed by mistake, disabled, uninstalled or shredded, lets enterprise managers better audit and manage the office behaviour of employees, and improves the supervisory capability of the enterprise side.

Based on the above embodiments, the present embodiment describes several of the above steps in detail. Referring to fig. 2, fig. 2 is a flowchart of searching for the process to be monitored in another process monitoring method according to an embodiment of the present invention.

The method of searching for the process to be monitored in the system includes, but is not limited to, the following steps:

step 201: searching all target monitoring processes in the system; the target monitoring process comprises a core process of a target class in all processes of the system.

It can be understood that in this step the electronic device finds the core processes of the target process type (the target class) among all processes of the system, i.e. the target monitoring processes, so that the process to be monitored is then searched for only among the target monitoring processes, which reduces the amount of search work.

Correspondingly, the target class in this step is a preset process type of core process that can serve as the process to be monitored. The specific process type of the target monitoring processes, that is, the number and process types making up the target class, may be set by the designer according to the practical scenario and user requirements. For example, the target monitoring process may be one type of core process, i.e. the target class is a single core-process type, such as svchost.exe; or the target monitoring processes may comprise several types of core process, i.e. the target class comprises several core-process types, such as csrss.exe and svchost.exe. This embodiment does not limit this.

Specifically, this embodiment does not limit how the electronic device finds all target monitoring processes in the system. For example, the electronic device may first obtain a list of all processes in the system and then traverse it to find all target monitoring processes; when the system is Windows Vista or later, the electronic device may obtain the list of all processes with the ZwQuerySystemInformation function (a Windows system function) and traverse that list to find all target monitoring processes, such as all svchost.exe processes.

Step 202: and filtering the target monitoring process according to the command line and/or the token information of the target monitoring process to obtain a screening process.

In this step the electronic device filters out the processes that meet the requirements (the screening processes) according to the command line and/or token information of each target monitoring process. If the process to be monitored needs higher privileges and network communication capability, the electronic device may filter, from the target monitoring processes, those whose command line contains a preset high-privilege command line (such as the netsvcs command line) and whose token information contains a network token, according to the command line and token information of each target monitoring process. For example, the electronic device may first filter the target monitoring processes by command line to obtain the high-privilege processes, and then filter the high-privilege processes by token information to obtain the screening processes; the command line of a high-privilege process contains the preset high-privilege command line, and the token information of a screening process may contain a network token.

Step 203: determining a process to be monitored in the screening process according to the state information of the screening process; wherein the state information comprises protection state information and/or usage state information.

It can be understood that in this step the electronic device obtains the state information of the screening processes produced by the filtering of step 202 and determines, among them, the process whose state meets the requirements (the process to be monitored). To ensure that the chosen process can be injected with the kernel monitor smoothly and will run it for a long time, the state information in this step includes protection state information and usage state information, so that the screening process whose protection state information is the protected state and whose usage state information is not the exiting state is determined as the process to be monitored.

Specifically, the manner in which the electronic device determines the process to be monitored among the screening processes according to their state information may be set by the designer. If the number of processes to be monitored is 1, the processor may acquire the kernel executive process object of the current screening process according to its ID, determine the current state information from that object, and, if the protection state information in the current state information is the protected state and the usage state information is not the exiting state, determine the current screening process as the process to be monitored and continue with step 102 and the subsequent step 103. If the protection state information is not the protected state, or the usage state information is the exiting state, the next screening process is taken as the current screening process and the flow returns to acquiring the kernel executive process object of the current screening process according to its ID and determining the current state information from it, until a process to be monitored is determined, after which steps 102 and 103 are executed and the user operations of the system are monitored. The current screening process is any one of the screening processes, and the current state information is the state information corresponding to the current screening process.
That is, the electronic device obtains the kernel executive process object of a screening process through the process's ID and uses that object to judge whether the screening process is a protected process and whether it is exiting; a screening process that is protected and not exiting is determined as the process to be monitored, otherwise the kernel executive process object of the next screening process is obtained through that process's ID and judged in the same way.

It should be noted that this embodiment does not limit the logical order of step 202 and step 203: step 203 may be entered once step 202 completes, for example after all screening processes have been obtained by the filtering in step 202, step 203 may be entered to determine the process to be monitored; step 203 may also be entered while step 202 is still executing, for example when the number of processes to be monitored is 1, the electronic device may, after obtaining one screening process through the filtering in step 202, determine through step 203 whether that screening process is the process to be monitored.

Based on the above embodiments, the present embodiment describes several steps of the above embodiments in more detail. The process of injecting the kernel monitor into the process to be monitored in the above embodiment may include:

creating a new thread for the process to be monitored; and injecting a kernel monitor program into the application layer target storage space corresponding to the process to be monitored by utilizing the thread.

The application layer target storage space may be application layer memory allocated in the process to be monitored for storing the base address of the injected kernel monitor.

Specifically, the electronic device may create a new thread for the process to be monitored using the thread configuration parameter and the kernel thread-creation function, and from that thread call the module loading function through the target machine code to inject the kernel monitor into the application layer target storage space; the target machine code may be preset machine code corresponding to the bit width of the process to be monitored. For example, when the system of the electronic device is a Windows system (e.g., Windows Vista and above), the electronic device may set the PreviousMode parameter of the thread (i.e., the thread configuration parameter) to 0, create a new thread using the NtCreateThreadEx function (i.e., the kernel thread-creation function), and have the newly created thread call the LdrLoadDll function (i.e., the module loading function) through the target machine code (such as shellcode) to inject the kernel monitor into the application layer target storage space.

Correspondingly, the process monitoring method provided in this embodiment may further include obtaining the kernel thread-creation function, the target machine code, the module loading function, the thread configuration parameter of the thread, and the application layer target storage space corresponding to the process to be monitored.

When the thread configuration parameter of the thread is the PreviousMode parameter in the Windows system, obtaining the thread configuration parameter may include: acquiring the operating system version of the system; judging whether the operating system version is a preset operating system version (such as the version numbers of Windows Vista and above); if so, obtaining the preset offset of the PreviousMode parameter corresponding to that operating system version, and acquiring the PreviousMode parameter according to the offset; if the operating system version is not the preset version, the process may end directly. That is, in this embodiment the offset of the PreviousMode parameter corresponding to each operating system version may be preset, for example by obtaining the offset of the PreviousMode member of the TEB (Thread Environment Block) in advance with the debugging tool WinDbg.

Correspondingly, when the kernel thread-creation function is the NtCreateThreadEx function in the Windows system, obtaining it may include: acquiring the System Service Descriptor Table (SSDT) of the system; looking up the index of the NtCreateThreadEx function in the SSDT; and obtaining the NtCreateThreadEx function using that index.

For example, the electronic device may first obtain the base address of the KiSystemCall64 function through the __readmsr(0xC0000082) instruction, and look up the address of the SSDT (i.e., the KSERVICE_TABLE_DESCRIPTOR address) from the base address of KiSystemCall64Shadow using the corresponding signature bytes. When the SSDT address is not found in this way, an NtOpenFile function (a kernel-level function) is obtained; all kernel modules are enumerated using the NtOpenFile function to obtain module information (such as module base address and size); all module information is traversed to obtain the base address of the ntoskrnl.exe module; and the address of the SSDT is looked up from the ntoskrnl.exe module. To search for the index of the NtCreateThreadEx function in the SSDT, the electronic device may create a memory image (Section) of the \SystemRoot\System32\ntdll.dll module at the kernel layer, search for the implementation of the NtCreateThreadEx function using the PE (Portable Executable) file structure, and then locate the index of NtCreateThreadEx in the kernel-level SSDT by matching the corresponding signature bytes.

Specifically, when the system of the electronic device is a Windows system, obtaining the target machine code may include: determining the bit width (such as 32-bit or 64-bit) of the process to be monitored; and determining the preset machine code corresponding to that bit width as the target machine code. For example, when the system of the electronic device is a 32-bit system, the bit width of the process to be monitored may be determined to be 32; when the system is a 64-bit system, the PsGetProcessWow64Process function may be used to obtain the Wow64PEB of the process, so as to determine whether the process to be monitored is a 32-bit process running under the 64-bit system; if so, its bit width is determined to be 32, otherwise 64. Accordingly, in this embodiment, the machine code corresponding to each of the 32-bit and 64-bit processes (i.e., the preset machine code) may be preset.

When the module loading function is the LdrLoadDll function in the Windows system, obtaining it may include: acquiring the module linked list of the process to be monitored using its PEB (Process Environment Block); searching for the mapping of the ntdll.dll core module using the module linked list; and obtaining the address of the application layer LdrLoadDll function from the ntdll.dll mapping.

Correspondingly, acquiring the application layer target storage space corresponding to the process to be monitored may include: allocating application layer memory (i.e., the application layer target storage space) in the process to be monitored, where this memory is used to store the base address of the injected kernel monitor.
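The injection procedure described above (a new thread created in a core system process that calls LdrLoadDll to map an additional module) leaves a footprint that endpoint telemetry records as a cross-process thread creation. The following script is an added example, not code from the patent: it runs a simple detection over constructed records whose field names mirror Sysmon's CreateRemoteThread event (Event ID 8), flagging remote threads into core processes that start at a loader function or at an address no loaded module backs. The list of core process names, the `"-"` convention for an unresolved start module, and the sample records are assumptions made for the example.

```python
"""Flag remote-thread injection into core Windows processes.

Added example: detection logic over constructed Sysmon-style Event ID 8
(CreateRemoteThread) records. Field names follow Sysmon; the core-process
list, the "-" placeholder for an unresolved StartModule, and the sample
records are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Core system processes of the kind the text describes as injection
# targets (assumed list for the example).
CORE_IMAGES = {
    "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe",
}

# Thread start functions characteristic of DLL injection via a remote thread.
LOADER_FUNCTIONS = {
    "LdrLoadDll", "LoadLibraryA", "LoadLibraryW",
    "LoadLibraryExA", "LoadLibraryExW",
}


@dataclass
class Alert:
    source_image: str
    target_image: str
    reason: str


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(records: Iterable[dict]) -> List[Alert]:
    """Return one Alert per suspicious CreateRemoteThread record."""
    alerts: List[Alert] = []
    for rec in records:
        if rec.get("EventID") != 8:
            continue  # only cross-process thread creation events
        src = image_name(rec.get("SourceImage", ""))
        tgt = image_name(rec.get("TargetImage", ""))
        if tgt not in CORE_IMAGES:
            continue  # not a core process; out of scope for this rule
        start_fn = rec.get("StartFunction") or ""
        start_mod = rec.get("StartModule") or ""
        if start_fn in LOADER_FUNCTIONS:
            reason = f"remote thread starts at loader function {start_fn}"
        elif start_mod in ("", "-"):
            # No module backs the start address: thread runs from
            # memory that was written into the process (e.g. shellcode).
            reason = "remote thread start address is not backed by a loaded module"
        else:
            continue  # module-backed, non-loader start: not flagged here
        alerts.append(Alert(src, tgt, reason))
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_RECORDS = [
    {"EventID": 8, "SourceImage": r"C:\Program Files\AgentCo\agent.exe",
     "TargetImage": r"C:\Windows\System32\csrss.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "LdrLoadDll"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "RtlUserThreadStart"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "StartModule": "-", "StartFunction": "-"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll",
     "StartFunction": "CtrlRoutine"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
]


def demo() -> List[Alert]:
    """Run the rule over the constructed sample; returns two alerts."""
    return analyze(SAMPLE_RECORDS)


if __name__ == "__main__":
    for a in demo():
        print(f"{a.source_image} -> {a.target_image}: {a.reason}")
```

The rule is deliberately narrow: a module-backed thread that starts outside a loader function (the fourth record) is not flagged, because ordinary inter-process activity produces such threads. Injection driven from a kernel component may report a different source image than the user-mode agent, so the check keys on the target process and the start address rather than on the source.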

Based on the foregoing embodiment, the process monitoring method provided in this embodiment may further include a process destruction callback, which searches for a new process to be monitored after the current process to be monitored is destroyed and injects the kernel monitor into it, so as to improve the robustness of the supervision function of the security management software.

Specifically, in this embodiment, when the electronic device detects a destroyed process (i.e., a destruction process), it may judge whether the currently detected destruction process (i.e., the current destruction process) is the process to be monitored. If not, the process may end, or detection of destruction processes may continue; if so, step 101 and the subsequent steps 102 and 103 are executed to search for a new process to be monitored and inject the kernel monitor into it, replacing the destroyed process to be monitored. For example, when the current destruction process is the process to be monitored, the method may enter step 203 directly to determine a process to be monitored among the screening processes, after which step 102 and step 103 are executed to monitor the user operation of the system.

Correspondingly, the process monitoring method provided by this embodiment may further include a process creation callback, which, when no process to be monitored can currently be found among the processes of the system, detects a newly created process (i.e., a creation process) and judges whether the currently detected creation process (i.e., the current creation process) is the process to be monitored. If not, the process may end, or detection of creation processes may continue; if so, the method continues with step 102 and then step 103. For example, in the process destruction callback, if the current destruction process is the process to be monitored and no new process to be monitored can be found, a null-process flag may be recorded, so that in the process creation callback the electronic device can directly determine from the null-process flag that no process to be monitored has been found, and then judge whether the current creation process is the process to be monitored.

Corresponding to the above method embodiment, an embodiment of the present invention further provides a process monitoring apparatus, and a process monitoring apparatus described below and a process monitoring method described above may be referred to in a corresponding manner.

Referring to fig. 3, fig. 3 is a block diagram of a process monitoring apparatus according to an embodiment of the present invention. The apparatus may include:

the process searching module 10 is used for searching a process to be monitored; wherein, the process to be monitored comprises a core process of the system;

the program injection module 20 is used for injecting a kernel monitor program into the process to be monitored;

and the monitoring module 30 is used for monitoring the user operation of the system by using the kernel monitor.

Optionally, the process searching module 10 may include:

the target searching submodule is used for searching all target monitoring processes in the system; the target monitoring process comprises a core process of a target class in all processes of the system;

the filtering submodule is used for filtering the target monitoring process according to the command line and/or the token information of the target monitoring process to obtain a screening process;

the determining submodule is used for determining a process to be monitored in the screening process according to the state information of the screening process; wherein the state information comprises protection state information and/or usage state information.

Optionally, the filtering submodule may include:

the first filtering unit is used for filtering to obtain a high-authority process in the screening process according to the command line of the target monitoring process; the command line of the high-authority process comprises a preset high-authority command line;

and the second filtering unit is used for filtering to obtain a screening process in the high-authority process according to the token information of the high-authority process.

Optionally, when the process to be monitored is any core process of the system, the determining submodule may include:

the executive acquisition unit is used for acquiring the kernel executive of the current screening process according to the ID of the current screening process; wherein, the current screening process is any screening process;

the state determining unit is used for determining the current state information according to the kernel executive body; the current state information is the state information corresponding to the current screening process;

a first determining unit, configured to determine the current screening process as a process to be monitored and send a start signal to the program injection module 20 if the protection state information in the current state information is a protected state and the usage state information is not an exit state;

and the second determining unit is used for taking the next screening process as the current screening process and sending a starting signal to the executive body acquiring unit if the protection state information in the current state information is not in the protected state or the use state information is in the quitting state.

Optionally, the apparatus may further include:

the destruction callback module is used for judging whether the current destruction process is a process to be monitored or not; if yes, a start signal is sent to the process search module 10.

Optionally, when the process to be monitored is any core process of the system, the apparatus may further include:

the creating callback module is used for judging whether the current creating process is the process to be monitored or not if the process to be monitored is not found; if so, a start signal is sent to program injection module 20.

Optionally, the program injection module 20 may include:

the thread creating submodule is used for creating a new thread for the process to be monitored;

and the program injection submodule is used for injecting a kernel monitor into the application layer target storage space corresponding to the process to be monitored by utilizing the thread.

In this embodiment, the kernel monitor is injected into the process to be monitored through the program injection module 20, performing kernel-level injection into a core process of the system, so that the kernel monitor running in the core process is used to monitor the user operation of the system and thus monitor the operation behavior of the user in the operating system. This reduces the occurrence of situations unfavorable to management, such as the supervision function of the security management software being discovered, mistakenly killed, disabled, uninstalled or shredded, enables an enterprise manager to better audit and manage the office behavior of enterprise employees, and improves the supervision capability of the enterprise.

Corresponding to the above method embodiment, an embodiment of the present invention further provides an electronic device, and the electronic device described below and the process monitoring method described above may be referred to in a mutually corresponding manner.

Referring to fig. 4, fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. The electronic device may include:

a memory D1 for storing computer programs;

the processor D2 is configured to implement the steps of the process monitoring method provided by the above method embodiments when executing the computer program.

Specifically, referring to fig. 5, fig. 5 is a schematic diagram of a specific structure of an electronic device according to an embodiment of the present invention, the electronic device 310 may have a relatively large difference due to different configurations or performances, and may include one or more processors (CPUs) 322 (e.g., one or more processors) and a memory 332, and one or more storage media 330 (e.g., one or more mass storage devices) storing an application 342 or data 344. Memory 332 and storage media 330 may be, among other things, transient storage or persistent storage. The program stored on the storage medium 330 may include one or more modules (not shown), each of which may include a series of instructions operating on a data processing device. Still further, the central processor 322 may be configured to communicate with the storage medium 330 to execute a series of instruction operations in the storage medium 330 on the electronic device 310.

The electronic device 310 may also include one or more power sources 326, one or more wired or wireless network interfaces 350, one or more input-output interfaces 358, and/or one or more operating systems 341, such as a Windows system.

The steps in the process monitoring method described above may be implemented by the structure of the electronic device.

Corresponding to the above method embodiment, an embodiment of the present invention further provides a readable storage medium, and a readable storage medium described below and a process monitoring method described above may be referred to in correspondence.

A readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the process monitoring method provided by the above method embodiments.

The readable storage medium may be a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other readable storage medium capable of storing program code.

The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device, the electronic device and the readable storage medium disclosed by the embodiments correspond to the method disclosed by the embodiments, so that the description is simple, and the relevant points can be referred to the description of the method.

The process monitoring method, the process monitoring device, the electronic device and the readable storage medium provided by the invention are described in detail above. The principles and embodiments of the present invention are explained herein using specific examples, which are presented only to assist in understanding the method and its core concepts. It should be noted that, for those skilled in the art, it is possible to make various improvements and modifications to the present invention without departing from the principle of the present invention, and those improvements and modifications also fall within the scope of the claims of the present invention.
