Kernel function reinforcing method and device, storage medium and electronic equipment

文档序号:7935 发布日期:2021-09-17 浏览:61次 中文

1. A kernel function reinforcement method, comprising:

under the condition that a target kernel function triggering instruction is detected, judging whether the target kernel function triggering instruction has a target authority or not based on the current process;

and processing the current process according to the judgment result of whether the target kernel function triggering instruction has the target authority.

2. The method of claim 1, wherein the structure of the current process comprises a current process identification number and a group leader process identification number;

the judging whether the target kernel function triggering instruction has the target permission or not based on the current process comprises the following steps:

judging whether the current process identification number is equal to the group leader process identification number;

under the condition that the identification number of the current process is not equal to the identification number of the group leader process, determining that the current process has the group leader process, and acquiring a structural body of the group leader process;

judging whether the target kernel function triggering instruction has a target authority or not based on the structural body of the group leader process and the structural body of the current process;

the group leader process and the current process are in a first process group, the first process group comprises the group leader process and the current process, and the current process is obtained by the group leader process.

3. The method of claim 1, wherein the structure of the current process comprises a current process identification number and a group leader process identification number;

the judging whether the target kernel function triggering instruction has the target permission or not based on the current process comprises the following steps:

judging whether the current process identification number is equal to the group leader process identification number;

under the condition that the current process identification number is not equal to the group leader process identification number, determining that the current process has a group leader process, and acquiring a structural body of the group leader process and a structural body of a first father process generated based on a first interface;

judging whether the target kernel function triggering instruction has a target authority or not based on the structural body of the group leader process, the structural body of the first father process and the structural body of the current process;

wherein the group leader process, the first parent process, and the current process are in a second process group, the second process group at least includes the group leader process, the first parent process, and the current process is obtained by the first parent process, and the first parent process is obtained by the group leader process.

4. The method of claim 1, wherein the structure of the current process comprises a current process identification number and a group leader process identification number;

the judging whether the target kernel function triggering instruction has the target permission or not based on the current process comprises the following steps:

judging whether the current process identification number is equal to the group leader process identification number;

determining that the current process does not have the group leader process under the condition that the current process identification number is equal to the group leader process identification number;

acquiring a structural body of a second parent process generated based on a second interface;

under the condition that the structure body of the second parent process is detected, judging whether the target kernel function triggering instruction has a target authority or not based on the structure body of the second parent process and the structure body of the current process; the second parent process and the current process are in a third process group, the third process group at least comprises the second parent process and the current process, and the current process is obtained by the second parent process; or

And under the condition that the structural body of the second parent process is not detected, judging whether the target kernel function triggering instruction has the target authority or not based on the structural body of the current process.

5. The method of claim 3, wherein the struct of the group leader process comprises a group leader process identification number, the struct of the first parent process comprises a first parent process identification number, and the struct of the current process comprises a current process identification number;

the judging whether the target kernel function triggering instruction has the target authority based on the structural body of the group leader process, the structural body of the first parent process and the structural body of the current process comprises the following steps:

judging whether any one of the group leader process identification number, the first father process identification number and the current process identification number meets a preset condition;

under the condition that any one of the group leader process identity identification number, the first father process identity identification number and the current process identity identification number meets a preset condition, determining that the judgment result is that the group leader process identity identification number has a target authority; or

And under the condition that the group leader process identity identification number, the first father process identity identification number and the current process identity identification number do not meet preset conditions, determining that the judgment result is that the target authority is not available.

6. The method according to claim 5, wherein the determining whether any one of the group leader process id, the first parent process id, and the current process id satisfies a preset condition, and when any one of the group leader process id, the first parent process id, and the current process id satisfies the preset condition, the determining that the determination result is that the target permission is present is specifically:

and sequentially judging whether the group leader process identification number, the first father process identification number and the current process identification number meet preset conditions according to a preset sequence, finishing the judgment of the next identification number under the condition that the currently judged identification number meets the preset conditions, and determining that the judgment result is the specific target permission.

7. The method as claimed in claim 6, wherein the sequentially determining whether any one of the group leader process id, the first parent process id, and the current process id satisfies a predetermined condition according to a predetermined sequence, and when the currently determined id satisfies the predetermined condition, ending the determination of the next id, and determining that the determination result is a specific target permission, comprises:

judging whether the group leader process identity identification number meets the preset condition or not;

under the condition that the group leader process identity identification number meets the preset condition, determining that the judgment result is that the group leader process identity identification number has the target authority;

under the condition that the group leader process identity identification number does not meet the preset condition, judging whether the first father process identity identification number meets the preset condition or not;

under the condition that the first parent process identity identification number meets the preset condition, determining that the judgment result is that the first parent process identity identification number has the target authority;

under the condition that the first parent process identification number does not meet the preset condition, judging whether the current process identification number meets the preset condition or not;

and under the condition that the current process identity identification number meets the preset condition, determining that the judgment result is that the current process identity identification number has the target authority.

8. The method of claim 4, wherein the struct of the second parent process comprises a second parent process identification number, and wherein the struct of the current process comprises a current process identification number;

the determining whether the target kernel function triggering instruction has the target permission based on the structure of the second parent process and the structure of the current process includes:

judging whether any one of the second parent process identification number and the current process identification number meets a preset condition;

under the condition that any one of the second parent process identification number and the current process identification number meets a preset condition, determining that the judgment result is that the second parent process identification number and the current process identification number have the target authority; or

And under the condition that the second parent process identification number and the current process identification number do not meet the preset condition, determining that the judgment result is that the target authority is not available.

9. The method of claim 4, wherein the structure of the current process comprises a current process identification number;

the judging whether the target kernel function triggering instruction has the target authority based on the structural body of the current process comprises the following steps:

under the condition that the current process identity identification number meets a preset condition, determining that the judgment result is that the current process identity identification number has a target authority; or

And under the condition that the current process identity identification number does not meet the preset condition, determining that the judgment result is that the current process identity identification number does not have the target authority.

10. The method according to any one of claims 1 to 9, wherein the processing the current process according to the determination result of whether the current process has the target authority includes:

under the condition that the judgment result is that the current process has the target authority, recording and reporting the current process; or

Intercepting the current process under the condition that the judgment result is that the current process has the target authority; or

Under the condition that the judgment result is that the current process has the target authority, recording, reporting and intercepting the current process; or

And triggering the target kernel function based on the current process under the condition that the judgment result is that the target authority is not available.

11. The method as claimed in claim 10, wherein after processing the current process according to the determination result of determining whether the current process has the target permission, the method further comprises:

and displaying the prompt message corresponding to the target authority.

12. A kernel function reinforcement apparatus, comprising:

the first processing module is used for judging whether the target kernel function triggering instruction has a target authority or not based on the current process under the condition that the target kernel function triggering instruction is detected;

and the second processing module is used for processing the current process according to the judgment result of whether the trigger target kernel function instruction has the target authority.

13. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-11.

14. An electronic device comprising a processor and a memory;

the processor is connected with the memory;

the memory for storing executable program code;

the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory for performing the method of any one of claims 1-11.

Background

The kernel of the Linux operating system has a series of kernel functions capable of executing set functions, and a SHELL interpreter can transmit user operation instructions to the kernel to call the kernel functions.

A kernel-mode calling user-mode function (call _ usermodeheller function) exists in the kernel function, the function can be used for directly creating and running a space program of a user in the kernel, and returning a processing result to the user, and the function has a ROOT right. By utilizing the authority characteristic, the user can hijack the kernel state to call the user state function under a certain condition, and execute the space program of the user by ROOT authority.

In the existing Linux operating system, the kernel-mode calling user-mode function class only depends on the native environment to perform conventional check and restriction on the executable binary file, and a defense mechanism is not set, for example, when a user hijacks the kernel-mode calling user-mode function in a way of hijacking a kernel pointer, the damage such as information leakage and the like can be caused by using the ROOT authority.

Disclosure of Invention

The embodiment of the application provides a kernel function reinforcing method, a kernel function reinforcing device, a storage medium and electronic equipment, which can prevent the kernel function from being randomly called by judging the process permission mode, and further avoid information leakage.

In a first aspect, an embodiment of the present application provides a kernel function reinforcement method, including:

under the condition that a target kernel function triggering instruction is detected, judging whether the target kernel function triggering instruction has a target authority or not based on the current process;

and processing the current process according to the judgment result of whether the triggering target kernel function instruction has the target authority.

In a second aspect, an embodiment of the present application provides a kernel function reinforcement apparatus, including:

the first processing module is used for judging whether the target kernel function triggering instruction has a target authority or not based on the current process under the condition that the target kernel function triggering instruction is detected;

and the second processing module is used for processing the current process according to the judgment result of whether the triggering target kernel function instruction has the target authority.

In a third aspect, an embodiment of the present application provides an electronic device, including a processor and a memory;

the processor is connected with the memory;

a memory for storing executable program code;

the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to execute the kernel function reinforcement method provided by the first aspect of the embodiments of the present application or any implementation manner of the first aspect.

In a fourth aspect, an embodiment of the present application provides a computer storage medium, where a computer program is stored, where the computer program includes program instructions, and when the program instructions are executed by a processor, the kernel function reinforcement method provided in the first aspect of the present application or any implementation manner of the first aspect of the present application may be implemented.

In the embodiment of the application, under the condition that a target kernel function triggering instruction is detected, whether the target kernel function triggering instruction has a target authority is judged based on the current process; and processing the current process according to the judgment result of whether the triggering target kernel function instruction has the target authority. The electronic equipment can judge whether the detected target kernel function triggering instruction has the target authority, can prevent the target kernel function triggering instruction from executing and calling the target kernel function under the condition of judging that the target authority exists, provides a detection mechanism different from a native environment for the target kernel function, and further can avoid information leakage and other hazards caused by the authority.

Drawings

In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.

Fig. 1 is a schematic structural diagram of an operating system based on a Linux kernel according to an embodiment of the present application;

fig. 2 is a schematic diagram illustrating an architecture of a kernel function reinforcement system according to an embodiment of the present application;

fig. 3 is a schematic flowchart of a kernel function reinforcement method according to an embodiment of the present application;

fig. 4 is a schematic diagram illustrating hatching of a process based on a Linux system according to an embodiment of the present application;

fig. 5 is a schematic flowchart of another kernel function reinforcement method according to an embodiment of the present application;

fig. 6 is a schematic flowchart of another kernel function reinforcement method according to an embodiment of the present application;

fig. 7 is a flowchart illustrating a further kernel function reinforcement method according to an embodiment of the present application;

fig. 8 is a flowchart illustrating a further kernel function reinforcement method according to an embodiment of the present application;

fig. 9 is an overall flowchart of a kernel function reinforcement method according to an embodiment of the present application;

fig. 10 is a flowchart illustrating a further kernel function reinforcement method according to an embodiment of the present application;

fig. 11 is a schematic view illustrating an effect of displaying a prompt message by an electronic device according to an embodiment of the present application;

fig. 12 is a schematic structural diagram of a kernel function reinforcement apparatus according to an embodiment of the present application;

fig. 13 is a schematic structural diagram of an electronic device according to an embodiment of the present application.

Detailed Description

The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.

The terms "first," "second," "third," and the like in the description and claims of this application and in the above-described drawings are used for distinguishing between different objects and not for describing a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.

Android systems are generally installed on Android (Android) devices in the market, each Android system is a Linux kernel-based mobile operating system and is provided with a graphical interface convenient for receiving user operating instructions, and the Linux kernels perform related program processing according to the user operating instructions by sending the user operating instructions to the Linux kernels. In other words, the operation instruction formed by the user on the graphical interface is used for controlling the computer installed with the android system. However, only the Linux kernel is used for controlling device hardware (such as a CPU, an internal memory, and the like), and a user cannot directly contact the Linux kernel due to reasons such as security complexity, and at this time, another program needs to be reused as a medium to receive an operation instruction of the user and perform conversion processing to transmit the processed operation instruction to the kernel. The method simplifies the operation of the user and protects the Linux kernel.

Specifically, fig. 1 shows a schematic structural diagram of an operating system based on a Linux kernel according to an embodiment of the present application. As shown in FIG. 1, the operating system 100 may include three components, namely, an operation instruction obtaining module, a SHELL interpreter, and a Linux kernel. The operation instruction may be an operation performed by a user on a graphical display interface of the operating system, such as but not limited to clicking a certain icon, pressing a certain icon for a long time, and the like. The SHELL interpreter can be used for receiving the user operation instruction acquired on the graphical display interface, converting the user operation instruction and transmitting the processed user operation instruction to the Linux kernel. The Linux kernel can be used for receiving the processed user operation instruction sent by the SHELL interpreter, running a related program or calling a related function based on the processed user operation instruction, and returning a running result to the graphical display interface. It is understood that the SHELL interpreter may not be limited to the above-mentioned obtaining of the user operation instruction and passing the processed operation instruction to the Linux kernel, and may also call other programs or pass data to other programs, for example.

For example, taking an electronic device equipped with an android operating system as an example, a user may select to click a wechat application icon on a main interface of the electronic device, and after receiving an operation instruction for clicking the wechat application icon, the SHELL interpreter performs conversion processing on the operation instruction, and transmits the processed operation instruction to the Linux kernel. After receiving the processed operation instruction, the Linux kernel can create and run a related process for the operation instruction, and return a running result indicating that the wechat application program is opened to a main interface of the electronic device through the SHELL interpreter, so that the electronic device displays the main interface of the wechat application program.

A plurality of functions with preset functions can be arranged in the Linux kernel, and after receiving the instruction transmitted by the SHELL interpreter, a process can be created according to the instruction to call the function capable of executing the related function. For example, the Linux kernel provides a kernel-mode calling user-mode function (call _ usermodeheller function), and when the Linux kernel calls the kernel-mode calling user-mode function, a worker thread is added to a work queue, and after the worker thread runs, the worker thread can finally start an application program in a user space, and an obtained parameter result is returned to the application program. As will be understood herein, a Linux system includes a kernel space and a user space, wherein drivers for the kernel run in the kernel space and applications run in the user space. It should be noted that the kernel mode calling user mode function has a super user right (root right), that is, when the user can directly call the kernel mode calling user mode function in some way, the root right can be used to execute other programs. Possibly, the user can call the kernel information according to the root authority of the kernel mode calling user mode function, and the called kernel information can be obtained in printing and other modes, so that the kernel information is leaked. Possibly, some illegal users can close the mandatory access control node (Security-Enhanced Linux) according to the root authority of the kernel mode calling user mode functions to remove the access authority of some important programs. Possibly, some illegal users can also close the kernel symbol table address hiding function according to the root authority of the kernel mode calling user mode functions, so that the Linux system can display symbols corresponding to different functions in the kernel symbol table, and further the random calling of the functions is realized. Possibly, some illegal users can also trigger some low-and-medium-risk vulnerabilities such as denial of service (DOS) and the like according to the root authority of the kernel mode calling user mode functions.

Taking the root authority of calling the user mode function by using the kernel mode in the prior art as an example, the way of improving the authority by bypassing the swap Space (SMAP) based on the Linux system can be to execute the binary instruction by using the kernel mode to call the user mode function and using the root authority.

It can be understood that, since the kernel-mode calling user-mode function has root authority, the user cannot directly call the kernel-mode calling user-mode function, but when the user has some conditions (for example, hijacking the kernel pointer, and jumping to the kernel-mode calling user-mode function address through the kernel pointer), the kernel-mode calling user-mode function can be hijacked.

For the above mentioned attack mode of invoking the user-mode function to the kernel mode, the existing Linux system has no set defense mechanism, only depends on the conventional check and limitation of the native environment to the executable binary file, but the mode cannot defend the attack mode of invoking the user-mode function to the kernel mode.

The following explains the present application in detail, aiming at the defects of the existing Linux system.

Referring to fig. 2, fig. 2 is a schematic diagram illustrating an architecture of a kernel function reinforcement system according to an embodiment of the present disclosure.

As shown in fig. 2, the kernel function reinforcement system 200 may include an electronic device 201 and a control terminal 202, wherein:

the electronic device 201 may be one electronic device 201 with an android system installed or a plurality of electronic devices 201 with an android system installed, and a plurality of kernel functions for setting functions may be configured in a Linux kernel inside the android system, for example, but not limited to, a kernel-mode calling user-mode function with root authority is included. The electronic device 201 may receive an operation that a user wants to perform on the display interface, for example, the user wants to use a certain application, and may click an icon of the application in the display interface with a finger, where the electronic device 201 receives an operation instruction that the user clicks the icon of the application, and may send the operation instruction to the SHELL interpreter, so that the SHELL interpreter transfers the processed operation instruction to the Linux kernel of the electronic device 201. After the Linux kernel executes the corresponding program, the result may be returned to the display interface of the electronic device 201, for example, the electronic device 201 may enter the main interface of the application program after receiving an operation instruction that the user clicks an application program icon.

Since some kernel functions in the Linux kernel of the electronic device 201 have higher authority, the security cannot be performed by the operation instruction of the user, and when the Linux kernel receives the kernel function instruction with higher authority for execution call converted by the SHELL interpreter, it can be determined whether the kernel function instruction with higher authority for execution call has the target authority based on the current process created by the kernel function instruction with higher authority for execution call. The target permission here may be a SHELL permission possessed by a SHELL interpreter, and the SHELL permission may be used to characterize an instruction received by the Linux kernel as a user instruction. Furthermore, the electronic device can process the current process according to the judgment result of whether the kernel function instruction with the higher authority has the target authority or not.

The electronic device 201 in the embodiment of the present application may be a smart phone, a tablet Computer, a desktop Computer, a laptop Computer, a notebook Computer, an Ultra-mobile Personal Computer (UMPC), a handheld Computer, a netbook, a Personal Digital Assistant (PDA), a routing device, a virtual reality device, and the like, in which an android system is installed.

The control terminal 202 may be a terminal provided with a SHELL interpreter, and may transmit an instruction for executing a kernel function call to the Linux kernel of the electronic device 201 based on the SHELL interpreter after establishing a connection with the electronic device 201. The connection mode between the control terminal 202 and the electronic device 201 may be, but is not limited to, a data line connection, a wireless connection, a near field communication connection, or the like. Possibly, when the control terminal 202 and the electronic device 201 are connected by a data line, the user may edit the code of the SHELL interpreter at the control terminal 202, so that the SHELL interpreter transfers and executes a kernel function instruction with higher authority to the Linux kernel of the electronic device 201.

Possibly, when the control terminal 202 is wirelessly connected to the electronic device 201, the control terminal 202 may first receive a kernel function instruction with higher authority for execution call sent by an application installed on the electronic device 201, process the kernel function instruction with higher authority for execution call through the SHELL interpreter, then return the processed kernel function instruction with higher authority for execution call to the application, and directly transmit the processed kernel function instruction with higher authority for execution call to the electronic device 201 by the application.

The control terminal 202 according to the embodiment of the present application may be a tablet Computer, a desktop Computer, a laptop Computer, a notebook Computer, an Ultra-mobile Personal Computer (UMPC), a handheld Computer, a netbook, a Personal Digital Assistant (PDA), a routing device, a virtual reality device, and the like, in which the SHELL interpreter is installed.

It should be noted that, the structure of the kernel function reinforcement system according to the embodiment of the present application may be based on the control terminal 202 and the electronic device 201 mentioned above, and may also be directly formed by an electronic device, where the electronic device may be installed with an application program for sending an instruction for executing a kernel function calling a higher authority to a Linux kernel of the electronic device. Possibly, when the user runs, the application program can upload an execution and call kernel function instruction with higher authority to a background server corresponding to the application program, a SHELL interpreter arranged in the background server processes the execution and call kernel function instruction with higher authority, and the processed execution and call kernel function instruction with higher authority is transmitted to a Linux kernel of the electronic device to call the kernel function with higher authority.

Possibly, the application program can transmit a preset and stored execution calling higher-authority kernel function instruction to a Linux kernel of the electronic device during running so as to call the higher-authority kernel function.

It can be understood that the application program may also directly transfer the instruction for executing the kernel function calling the higher authority to the Linux kernel of the electronic device after the user installs the application program, and the embodiment of the present application is not limited to this.

Referring to fig. 3, fig. 3 is a schematic flowchart illustrating a flow of a kernel function reinforcement method provided in an embodiment of the present application, where the method is applied to an electronic device installed with an android system.

As shown in fig. 3, the kernel function reinforcement method specifically includes the following steps:

step 301, under the condition that the target kernel function triggering instruction is detected, judging whether the target kernel function triggering instruction has the target authority or not based on the current process.

Specifically, when the Linux kernel of the electronic device detects that the target kernel function triggering instruction is triggered, a current process is created according to the target kernel function triggering instruction, and whether the target kernel function triggering instruction has the target permission or not can be judged based on the current process. Illustratively, the target permission may be a SHELL permission for passing a SHELL interpreter that characterizes execution of a call target kernel function instruction. The target kernel function may be a kernel function with higher authority in the Linux kernel, such as, but not limited to, a kernel-mode call user-mode function.

It will be appreciated that it is possible that the current process may be the first process of a group of processes, i.e. the group leader process. It is possible that the current process may also be the last process of a group of processes, i.e. a child process hatched directly from a previous process (parent process). And if at least two processes exist in the process group, the authorities of any two adjacent processes can be associated, for example, the authority of the previous process is equal to the authority of the hatched next process, or the authority of the hatched next process is reduced according to requirements, and then the authority of the previous process is greater than the authority of the hatched next process.

Step 302, processing the current process according to the judgment result of whether the triggering target kernel function instruction has the target authority.

Specifically, after determining a determination result of whether the trigger target function instruction has the target permission, the electronic device may process the current process according to the determination result, and different determination results may correspond to different processing modes executed for the current process.

In the embodiment of the application, the electronic device can judge whether the detected target kernel function triggering instruction has the target authority, and can prevent the target kernel function triggering instruction from executing and calling the target kernel function under the condition that the target authority is judged, so that a detection mechanism different from a native environment is provided for the target kernel function, and further, the hazards of information leakage and the like caused by the authority can be avoided.

For better understanding of the current process and the process group, reference may be made to a process hatching diagram of the Linux-based system provided in the embodiment of the present application illustrated in fig. 4.

As shown in fig. 4, the process hatching diagram may include a process group 1 and a process group 2, where the process group 1 includes a process a, a process B, and a process C, the process B is directly hatched by the process a based on a fork interface (which is equivalent to the process a being a parent process of the process B), the process C is directly hatched by the process B based on the fork interface (which is equivalent to the process B being a parent process of the process C), and the current process identification number (which may be denoted by pid) of the process a and the group leader process identification number (which may be denoted by tgid) are both 43, the values of the pid and tgid of the process B are both 42, and the values of the pid and tgid of the process C are both 41, that is to say, the process a, the process B, and the process C can each serve as a group leader process. It should be noted that process a in process group 1 does not necessarily represent a group leader process for all processes in process group 1, e.g., the source of process group 1 is derived from an init process (the first process created by the Linux system).

The process group 2 includes a process B, a process B1, and a process B2, the process B1 is obtained by directly hatching the process B based on a new interface (which is equivalent to the process B being a parent process of the process B1), the process B2 is obtained by directly hatching the process B1 based on the new interface (which is equivalent to the process B1 being a parent process of the process B2), values corresponding to pid and tgid of the process B are both 42, values corresponding to pid of the process B1 are 44 and values corresponding to tgid are 42, values corresponding to pid of the process B2 are 46 and values corresponding to tgid are 42, that is, if the process B2 is used as a current process in the process group 2, the process B1 is a parent process, and the process B is a group-long process.

Possibly, if the current process in this embodiment is the process C in fig. 4, it indicates that the process C may also be represented as a group leader process, and the process C has a parent process (process B), and further, whether the target kernel function triggering instruction has the target authority may be determined according to the authority of the process B and the authority of the process C.

Possibly, if the current process in this embodiment is the process B2 in fig. 4, it indicates that the process B1 is the parent process and the process B is the group leader process, and further, whether the target kernel function triggering instruction has the target authority may be determined according to the authority of the process B2, the authority of the process B1, and the authority of the process B.

It can be understood that, based on the above-mentioned current process and the process group, the embodiment of the present application may next describe in detail a case where the current process only includes the group leader process, the current process at least includes the group leader process and a parent process in the same process group as the group leader process, and the current process does not include the group leader process.

As an embodiment of the present application, refer to fig. 5 for a schematic flow chart of another kernel function reinforcement method provided in this embodiment, where a structure of a current process includes a current process identification number and a group leader process identification number;

as shown in fig. 5, the kernel function reinforcement method specifically includes the following steps:

step 501, under the condition that a target kernel function triggering instruction is detected, judging whether the current process identification number is equal to the group leader process identification number.

Step 502, under the condition that the identification number of the current process is not equal to the identification number of the group leader process, determining that the current process has the group leader process, and acquiring a structural body of the group leader process.

Step 503, judging whether the triggering target kernel function instruction has the target authority or not based on the structure of the group leader process and the structure of the current process.

And step 504, processing the current process according to the judgment result of whether the triggering target kernel function instruction has the target authority.

The group leader process and the current process are located in a first process group, the first process group comprises the group leader process and the current process, and the current process is obtained by the group leader process.

Specifically, when judging whether the triggered target kernel function instruction has the target right based on the current process, the electronic device may preferentially judge whether the first process group in which the current process is located has the group length process, where the judging manner may be to determine, in a structural body of the current process, numerical values corresponding to a current process identification number (pid) and a group length process identification number (tgid), and judge whether the numerical value corresponding to the current process identification number is equal to the numerical value corresponding to the group length process identification number, and if not, it means that the first process group in which the current process is located has the group length process. It can be understood that, if the first process group in which the current process is located has a group leader process, the current process is hatched by the group leader process, in other words, the authority of the group leader process is equal to the authority of the current process when the authority of the current process is not reduced according to the requirement, and is greater than the authority of the current process when the authority of the current process is reduced according to the requirement.

It should be noted that, in the case that it is determined that the process group in which the current process is located has a group leader process, it may be indicated that the process group in which the current process is located includes at least the current process and the group leader process. Possibly, taking the example that the process group in which the current process is located includes A, B, C and four processes D, the group leader process may be represented by a, the current process may be represented by D, and it should be noted that the parent process of the current process may be represented by C at this time. Possibly, taking the example that the process group in which the current process is located includes two processes, i.e., a and B, the group leader process may be represented by a, the current process may be represented by B, and the parent process is identical to the group leader process (the current process is hatched directly by the parent process).

In this embodiment, taking an example that the first process group where the current process is located only includes the current process and the group leader process, further, the group leader process identification number may be input to a specific primitive function of the Linux kernel to obtain a structural body of the group leader process. The structure of the group leader process may be consistent with the structure of the current process, and may include, for example, a current process identification number (pid) and a group leader process identification number (tgid) having the same corresponding values, where the pid of the group leader process corresponds to the group leader process identification number.

Further, in the case of obtaining the structure of the group leader process, whether the trigger target kernel function instruction has the target authority may be determined based on the authority of the structure of the group leader process and the authority of the structure of the current process.

In the embodiment of the application, for the condition that the current process has the group leader process and the process group where the current process is located has and only includes the current process and the group leader process, whether the target kernel function triggering instruction has the target authority or not can be judged according to the authority of the group leader process and the authority of the current process, the process range of detecting whether the target authority exists or not can be expanded, and the defense capability of the target kernel function is further improved.

As another embodiment of the present application, reference may be made to fig. 6, which is a flowchart illustrating a method for strengthening a kernel function provided in this embodiment of the present application, where a structure of a current process includes a current process identifier and a group leader process identifier.

As shown in fig. 6, the kernel function reinforcement method specifically includes the following steps:

step 601, under the condition that a target kernel function triggering instruction is detected, judging whether the current process identification number is equal to the group leader process identification number.

Step 602, determining that the current process has the group leader process under the condition that the current process identification number is not equal to the group leader process identification number, and acquiring a structural body of the group leader process and a structural body of a first father process generated based on the first interface.

Step 603, judging whether the triggering target kernel function instruction has the target authority or not based on the structural body of the group leader process, the structural body of the first father process and the structural body of the current process.

And step 604, processing the current process according to the judgment result of whether the triggering target kernel function instruction has the target authority.

The group leader process, the first father process and the current process are in a second process group, the second process group at least comprises the group leader process, the first father process and the current process, the current process is obtained by the first father process, and the first father process is obtained by the group leader process.

Specifically, in the case that the electronic device determines that the second process group in which the current process is located has the group leader process, taking the example that the second process group in which the current process is located at least includes the current process, the group leader process, and the first parent process, the electronic device may further obtain the structural body of the first parent process generated based on the first interface on the basis that the structural body of the group leader process is obtained by inputting the group leader process identification number to the specific primitive ecological function of the Linux kernel. The first interface can be a new interface which is specially used for creating a process by the Linux system, the first father process can be hatched by the group leader process based on the new interface, and the current process can be hatched directly by the first father process based on the new interface. It should be noted here that, in the second process group, all processes except the group leader process are hatched based on the new interface. By referring to the above manner of obtaining the structure of the group leader process, the current process identification number of the current process can be input to other specific original ecological functions of the Linux kernel to obtain a parent process structure corresponding to the current process.

Further, in the case of obtaining the structure of the group leader process and the structure of the parent process, whether the trigger target kernel function instruction has the target authority may be determined based on the authority of the structure of the group leader process, the authority of the structure of the first parent process, and the authority of the structure of the current process.

In the embodiment of the application, for the condition that the current process has the group leader process and the parent process, whether the target kernel function triggering instruction has the target authority or not can be judged according to the authority of the group leader process, the authority of the parent process and the authority of the current process, the process range of detecting whether the target kernel function instruction has the target authority or not can be expanded, and the defense capability of the target kernel function is further improved.

As another embodiment of the present application, reference may be made to fig. 7, which is a flowchart illustrating a method for strengthening a kernel function provided in this embodiment of the present application, where a structure of a current process includes a current process identifier and a group leader process identifier.

As shown in fig. 7, the kernel function reinforcement method specifically includes the following steps:

step 701, under the condition that a target kernel function triggering instruction is detected, judging whether the current process identification number is equal to the group leader process identification number.

And step 702, under the condition that the current process identification number is equal to the group leader process identification number, determining that the current process does not have the group leader process, and acquiring a structural body of a second father process generated based on the second interface.

703, under the condition that the structural body of the second parent process is detected, judging whether the triggering target kernel function instruction has a target authority or not based on the structural body of the second parent process and the structural body of the current process; the second parent process and the current process are in a third process group, the third process group at least comprises the second parent process and the current process, and the current process is obtained by the second parent process; or

And under the condition that the structural body of the second parent process is not detected, judging whether the triggering target kernel function instruction has the target authority or not based on the structural body of the current process.

Step 704, processing the current process according to the judgment result of whether the triggering target kernel function instruction has the target authority.

Specifically, when the electronic device determines whether the trigger target kernel function instruction has the target right based on the current process, if the current process identification number is equal to the group leader process identification number, it may be determined that the current process does not have an additional group leader process, in other words, the current process may be a group leader process of the process group in which the current process is located, and the process group has only one process.

It should be noted that, here, the current process as the group leader process is not hatched to other processes based on the new interface mentioned above, but the current process may be hatched by other processes based on other interfaces specific to the creating process by the Linux system, for example, hatched by other processes based on the fork interface specific to the creating process by the Linux system, that is, the current process has a parent process in the process group composed based on the fork interface hatching, where the parent process is hatched based on the fork interface.

Further, in a case that it is determined that the current process does not have a group leader process (i.e., the current process may be used as a group leader process), a structure of a second parent process generated based on a second interface may be obtained, where the second interface may be the aforementioned fork interface. Possibly, under the condition that the structure of the second parent process is not detected, the current process is indicated to have neither the group leader process nor the parent process, and whether the target kernel function triggering instruction has the target authority can be judged directly based on the authority of the current process.

Possibly, under the condition that the structure body of the second parent process is detected, the current process is indicated to have the parent process, and whether the target kernel function triggering instruction has the target authority or not can be judged according to the authority of the current process and the authority of the second parent process. It can be known from fig. 4 that the current process and the second parent process are processes in a third process group obtained based on the fork interface, the third process group does not necessarily include only the current process and the second parent process, and the current process only needs to consider whether the second parent process obtaining the current process based on the fork interface is available or not when determining that the current process is used as the group leader process in the process group obtained based on the new interface.

It can be understood that the present embodiment may not be limited to acquiring the second parent process of the current process, and for example, may also acquire a source process in a third process group (which may also be referred to as a group leader process in the process group) including the current process and the second parent process, so as to further expand the process range for detecting whether the target process has the target authority. Of course, if the source process is the init process mentioned above, the source process does not need to be acquired.

In the embodiment of the application, for the case that the current process does not have a group leader process, a second parent process of the current process obtained based on different interfaces can be obtained, whether a target kernel function triggering instruction has a target authority or not is judged by combining the current process according to the detection result of the second parent process, whether the process range has the target authority or not can be detected to the maximum extent, and therefore the defense capability of the target kernel function is improved.

In combination with the above embodiments, a manner of determining whether the target kernel function instruction has the target permission based on the current process may specifically refer to a flowchart of another kernel function reinforcement method provided in the embodiment of the present application shown in fig. 8.

As shown in fig. 8, the kernel function reinforcement method specifically includes the following steps:

step 801, under the condition that a target kernel function triggering instruction is detected, judging whether the current process identification number is equal to the group leader process identification number.

And 802, under the condition that the identification number of the current process is not equal to the identification number of the group leader process, determining that the current process has the group leader process, and acquiring a group leader process structural body.

And step 803, judging whether the trigger target kernel function instruction has the target authority or not based on the structural body of the group leader process and the structural body of the current process.

Possibly, if the value corresponding to the current process identification number in the structural body of the current process is not equal to the value corresponding to the group leader process identification number, the group leader process identification number can be input into a specific original ecological function of the Linux kernel to obtain the structural body of the group leader process corresponding to the current process, and whether the target kernel function triggering instruction has the target authority is judged based on the authority of the structural body of the group leader process and the authority of the two processes of the structural body of the current process.

And 804, under the condition that the identification number of the current process is not equal to the identification number of the group leader process, determining that the current process has the group leader process, and acquiring a structural body of the group leader process and a structural body of a first father process generated based on the first interface.

And step 805, judging whether the triggering target kernel function instruction has the target authority or not based on the structural body of the group leader process, the structural body of the first parent process and the structural body of the current process.

Possibly, if the value corresponding to the current process identification number in the structural body of the current process is not equal to the value corresponding to the group length process identification number, the group length process identification number can be input into a specific original ecological function of the Linux kernel to obtain the structural body of the group length process corresponding to the current process, the current process identification number can be input into other specific original ecological functions of the Linux kernel to obtain a first parent process structural body corresponding to the current process, and whether the target kernel function triggering instruction has the target authority is judged based on the authorities of the three processes of the structural body of the group length process, the structural body of the first parent process and the structural body of the current process.

As another embodiment of the present application, the structure of the group leader process includes a group leader process identification number, the structure of the first parent process includes a first parent process identification number, and the structure of the current process includes a current process identification number;

judging whether the triggering target kernel function instruction has the target authority or not based on the structural body of the group leader process, the structural body of the first father process and the structural body of the current process, wherein the judging step comprises the following steps:

judging whether any one of the group leader process identification number, the first father process identification number and the current process identification number meets a preset condition or not;

under the condition that any one of the group leader process identity identification number, the first father process identity identification number and the current process identity identification number meets a preset condition, determining that the judgment result is that the target authority is available; or

And under the condition that the group leader process identity identification number, the first father process identity identification number and the current process identity identification number do not meet the preset condition, determining that the judgment result is that the target authority is not available.

It should be noted that the SHELL right of the instruction passed to the Linux kernel based on the SHELL interpreter may be represented by an identification number (UID), and the SHELL right of the SHELL interpreter is a fixed value, which may be represented as UID equal to 2000.

Specifically, the electronic device may determine whether any one of the group leader process id number, the first parent process id number, and the current process id number satisfies a preset condition, where the preset condition may be set to that the aforementioned UID is equal to 2000, in a case where it is determined that the current process has the group leader process and the first parent process. In other words, the structure of the group leader process, the structure of the first parent process, and the structure of the current process all have their own corresponding id numbers, each id number may correspond to a numerical value, and the determination result of whether the triggered target kernel function instruction has the target permission is determined by determining whether any one of the group leader process id number, the first parent process id number, and the current process id number is equal to 2000.

Possibly, if it is detected that the value corresponding to any one of the group leader process identification number, the first parent process identification number and the current process identification number is equal to 2000, it indicates that at least one of the three structural bodies of the group leader process, the first parent process and the current process has the SHELL authority, and thus it is determined that the determination result is that the target authority is present.

Possibly, if it is detected that the numerical value corresponding to any one of the group leader process identification number, the first parent process identification number and the current process identification number is not equal to 2000, it indicates that none of the three structural bodies of the group leader process, the first parent process and the current process has the SHELL authority, and thus it is determined that the determination result is that the structural body does not have the target authority.

It can be understood that, if the current process only has the group leader process, it may be detected whether a value corresponding to any one of the group leader process identification number and the current process identification number is equal to 2000, and if so, it indicates that at least one of the two structures of the group leader process and the current process has the SHELL right, and it may be determined that the determination result is that the target right is present. If not, it indicates that no structure in the two structures of the group leader process and the current process has the SHELL authority, and further, the judgment result can be determined to be that the structure does not have the target authority.

In the embodiment of the application, whether the target kernel function triggering instruction has the target authority or not can be judged by specifically combining whether the numerical values corresponding to the respective identity identification numbers in the three structural bodies of the group leader process, the first parent process and the current process are equal to 2000 or not, the accuracy of the judgment result is improved under the condition that the process range of whether the target authority or not is detected maximally, and the defense capability of the target kernel function in multiple aspects is further improved.

And 806, under the condition that the current process identification number is equal to the group leader process identification number, determining that the current process does not have the group leader process, and acquiring a structural body of a second parent process generated based on the second interface.

In step 807, when the structure of the second parent process is detected, it is determined whether the trigger target kernel function instruction has the target authority based on the structure of the second parent process and the structure of the current process.

Possibly, if the value corresponding to the current process identification number in the structural body of the current process is equal to the value corresponding to the group leader process identification number, and the structural body of the second parent process corresponding to the process obtained based on the fork interface is obtained, whether the trigger target kernel function instruction has the target permission can be judged based on the structural body of the second parent process and the permissions of the two processes of the structural body of the current process.

As another embodiment of the present application, the structure of the second parent process includes a second parent process identification number, and the structure of the current process includes a current process identification number;

judging whether the triggering target kernel function instruction has the target authority or not based on the structural body of the second parent process and the structural body of the current process, wherein the judging step comprises the following steps:

judging whether any one of the second parent process identification number and the current process identification number meets a preset condition or not;

under the condition that any one of the second parent process identification number and the current process identification number meets a preset condition, determining that the judgment result is that the target authority is provided; or

And under the condition that the second parent process identification number and the current process identification number do not meet the preset condition, determining that the judgment result is that the target authority is not available.

Specifically, in the case where it is determined that the current process does not have the group leader process and has the second parent process generated by the second interface, the electronic device may determine the structure of the second parent process and the structure of the current process according to a preset determination process order. If the second parent process identification number meets the preset condition, the judgment is finished and the judgment result is determined to have the authority, if the second parent process identification number does not meet the preset condition, the current process identification number is determined to have the authority, if the second parent process identification number does not meet the preset condition, the judgment result is determined to have the authority, and if the second parent process identification number does not meet the preset condition, the judgment result is determined to have no authority.

If the second parent process identification number does not meet the preset condition, the second parent process identification number is judged to have the authority, and if the second parent process identification number does not meet the preset condition, the second parent process identification number is judged to have the authority.

In the embodiment of the application, the electronic equipment can judge the judgment result of whether the triggering target kernel function instruction has the target authority in order according to the preset judgment process sequence, the detection efficiency can be improved while the multi-aspect defense capability of the target kernel function is guaranteed, and better experience is brought to a user.

And 808, under the condition that the structural body of the second parent process is not detected, judging whether the triggering target kernel function instruction has the target authority or not based on the structural body of the current process.

Possibly, if the value corresponding to the current process identification number in the structure of the current process is equal to the value corresponding to the group leader process identification number, and the structure of the second parent process corresponding to the process obtained based on the fork interface is not detected, it indicates that the current process does not have any parent process and can be used as the group leader process, and whether the trigger target kernel function instruction has the target authority can be directly judged based on the authority of the structure of the current process.

As another embodiment of the present application, the structure of the current process includes a current process identification number;

judging whether the triggering target kernel function instruction has a target authority or not based on the structural body of the current process, wherein the judging step comprises the following steps:

under the condition that the current process identity identification number meets the preset condition, determining that the judgment result is that the current process identity identification number has the target authority; or

And under the condition that the current process identity identification number does not meet the preset condition, determining that the judgment result is that the target authority is not available.

Specifically, the electronic device determines whether the current process identity identification number meets a preset condition under the condition that the current process does not have the group leader process and a second parent process generated by the second interface, determines that the judgment result is authorized if the preset condition is met, and determines that the judgment result is not authorized if the preset condition is not met.

In the embodiment of the application, the electronic equipment can judge the judgment result of whether the triggering target kernel function instruction has the target authority in order according to the preset judgment process sequence, the detection efficiency can be improved while the multi-aspect defense capability of the target kernel function is guaranteed, and better experience is brought to a user.

And step 809, processing the current process according to the judgment result of whether the triggering target kernel function instruction has the target authority.

It should be noted that any one of the above-mentioned steps 802, 804 and 806 can be optionally executed. The present embodiment is not intended to be limiting.

In the embodiment of the application, various ways for judging whether the target kernel function triggering instruction has the target authority are provided by combining whether the current process has the group leader process and whether the current process has the parent process, so that the judgment result can be effectively judged according to the actually created process, and the accuracy of the detection result is ensured.

As another embodiment of the present application, it is determined whether any one of the group leader process id number, the first parent process id number, and the current process id number satisfies a preset condition, and when any one of the group leader process id number, the first parent process id number, and the current process id number satisfies the preset condition, it is determined that the determination result is that the target permission is:

and sequentially judging whether the group leader process identification number, the first father process identification number and the current process identification number meet preset conditions according to a preset sequence, finishing the judgment of the next identification number under the condition that the currently judged identification number meets the preset conditions, and determining that the judgment result is the specific target permission.

Specifically, the electronic device may determine, according to a preset determination process sequence, whether the group leader process identification number, the first parent process identification number, and the current process identification number satisfy a preset condition, when it is determined that the current process includes the group leader process and the first parent process.

The method comprises the steps of judging whether the identification number of a group leader process meets a preset condition or not, finishing judgment and determining that the judgment result is right if the preset condition is met, judging whether the identification number of a first father process meets the preset condition or not if the preset condition is not met, finishing judgment and determining that the judgment result is right if the preset condition is met, judging whether the identification number of a current process meets the preset condition or not if the preset condition is not met, determining that the judgment result is right if the preset condition is met, and determining that the judgment result is not right if the preset condition is not met.

Specifically, taking the above-mentioned determination process sequence as an example, refer to the overall flow chart of the kernel function reinforcement method provided in the embodiment of the present application shown in fig. 9, where the kernel function reinforcement method is applicable to a case where the current process has a group leader process and a first parent process.

As shown in fig. 9, the overall flow of the kernel function reinforcement method includes:

step 901, acquiring a structural body of a group leader process and a structural body of a first parent process generated based on a first interface under the condition that a target kernel function triggering instruction is detected.

And step 902, judging whether the group leader process identity identification number meets a preset condition, if so, entering step 906, and otherwise, entering step 903.

Step 903, determining whether the first parent process id number satisfies a preset condition, if yes, entering step 906, otherwise, entering step 904.

And 904, judging whether the current process identity identification number meets a preset condition, if so, entering 906, and otherwise, entering 905.

Step 905, determine that the target authority is not present.

And step 906, judging that the target authority is available.

Step 907, if the judgment result is that the target authority is available, intercepting processing is carried out; or if the judgment result is that the target kernel function instruction is not provided with the target authority, executing the target kernel function triggering instruction.

Specifically, in the case that it is determined that the current process has the group leader process and the first parent process, the electronic device may first determine whether the identification number of the group leader process satisfies a preset condition, if the preset condition is satisfied, end the determination and determine that the determination result is authorized, if the preset condition is not satisfied, then determine whether the identification number of the first parent process satisfies the preset condition, if the preset condition is satisfied, end the determination and determine that the determination result is authorized, if the preset condition is not satisfied, then determine whether the identification number of the current process satisfies the preset condition, if the preset condition is satisfied, then determine that the determination result is authorized, and if the preset condition is not satisfied, then determine that the determination result is not authorized. Furthermore, the electronic equipment can timely react or perform process interception when the judgment result is that the electronic equipment has the target authority, and the electronic equipment can execute the target kernel function triggering instruction when the judgment result is that the electronic equipment does not have the target authority.

The method comprises the steps of judging whether the identification number of a group leader process meets a preset condition or not, finishing judgment and determining that the judgment result is right if the preset condition is met, judging whether the identification number of a current process meets the preset condition or not if the preset condition is not met, finishing judgment and determining that the judgment result is right if the preset condition is met, judging whether the identification number of a first parent process meets the preset condition or not if the preset condition is not met, determining that the result is right if the preset condition is met, and determining that the judgment result is not right if the preset condition is not met.

It should be noted here that, when it is determined that the process sequence is from the current process to the first parent process, it indicates that neither the current process nor the group leader process has the target permission, but since the current process is obtained by directly hatching the first parent process, the permission of the first parent process is greater than or equal to the permission of the current process, it is not possible to determine whether the first parent process satisfies the preset condition under the condition that the permission of the current process does not satisfy the preset condition, and if the first parent process has the target permission, the target kernel function triggering instruction is also executed.

The method comprises the steps of judging whether an identification number of a current process meets a preset condition or not, if so, finishing judgment and determining that a judgment result is right, if not, judging whether the identification number of a first father process meets the preset condition or not, if so, finishing judgment and determining that the judgment result is right, if not, judging whether the identification number of a group leader process meets the preset condition or not, if so, determining that the identification number of the group leader process has the right, and if not, determining that the judgment result is not right.

The embodiments of the present application are not limited to the above-mentioned determination process sequence, and the specific determination method can refer to the above, which is not described herein in detail.

It is also understood that, if the current process has a group leader process and the process group including the group leader process has at least four processes, in other words, the process group includes the current process, the group leader process, the first parent process and other processes, the kernel function reinforcement method shown in fig. 9 above may also be referred to. Specifically, taking a process group including four processes as an example, the process group may be a group leader process, other processes, a first parent process and a current process, where the other processes may be hatched directly by the group leader process, and the first parent process may be hatched directly by the other processes. After acquiring the structural body of the group leader process and the structural body of the first parent process, the electronic device may also first determine whether the identification number of the group leader process satisfies a preset condition, if the preset condition is satisfied, end the determination and determine that the determination result is authorized, if the preset condition is not satisfied, then determine whether the identification number of the first parent process satisfies the preset condition, if the preset condition is satisfied, end the determination and determine that the determination result is authorized, if the preset condition is not satisfied, then determine whether the identification number of the current process satisfies the preset condition, if the preset condition is satisfied, determine that the determination result is authorized, and if the preset condition is not satisfied, determine that the determination result is not authorized. Furthermore, the electronic equipment can timely react or perform process interception when the judgment result is that the electronic equipment has the target authority, and the electronic equipment can execute the target kernel function triggering instruction when the judgment result is that the electronic equipment does not have the target authority.

In the embodiment of the application, the electronic equipment can judge the judgment result of whether the triggering target kernel function instruction has the target authority in order according to the preset judgment process sequence, the detection efficiency can be improved while the multi-aspect defense capability of the target kernel function is guaranteed, and better experience is brought to a user.

It should be noted that, when the instruction for triggering the target kernel function detected by the electronic device is directly sent by the application installed in the electronic device, that is, the reinforcement system architecture of the current kernel function is directly composed of the electronic device, because the identification number corresponding to the instruction sent by the application belongs to the specific preset range, the above-mentioned preset condition can be changed to the preset range. The specific preset range may be a value of UID greater than 10000, that is, the preset condition may be changed to UID greater than or equal to 10000.

Possibly, when the electronic device judges that the current process does not have the group leader process based on the current process identification number of the current process and the group leader process identification number, whether the current process is greater than or equal to 10000 or not can be judged based on a numerical value corresponding to the identity identification number of the current process, if the identity identification number of the current process is greater than or equal to 10000, the judgment result can be determined to have the target authority, and if the identity identification number of the current process is not greater than or equal to 10000, the judgment result can be determined to have no target authority. It can be understood that, in this embodiment, the structural body of the second parent process generated based on the second interface may also be obtained, and when the structural body of the second parent process is detected, whether the structural body is greater than or equal to 10000 is determined based on a value corresponding to the identification number of the second parent process, if the identification number of the current process is greater than or equal to 10000, it may be determined that the determination result has the target permission, and if the identification number of the current process is not greater than or equal to 10000, it may be determined that the determination result does not have the target permission.

Possibly, when the electronic device judges that the current process has the group leader process based on the current process identification number of the current process and the group leader process identification number, the identity number of the group leader process can be obtained, whether the number is larger than or equal to 10000 is judged based on the value corresponding to the identity number of the group leader process, if the identity number of the group leader process is larger than or equal to 10000, the judgment result can be determined to have the target authority, and if the identity number of the group leader process is not larger than 10000, the judgment result can be determined to have no target authority. It can be understood that the embodiment herein may not limit the determined sequence of the processes, that is, if any one of the group leader process id number, the first parent process id number, and the current process id number satisfies 10000 or more, it may be determined that the target permission is available, and if any one of the group leader process id number, the first parent process id number, and the current process id number does not satisfy 10000 or more, it may be determined that the target permission is not available.

The present embodiment may also not be limited to setting the preset condition to 2000 or 10000 or more alone, and for example, the preset condition may be set to 2000 or more and 10000 or less. Possibly, when the electronic device judges that the current process does not have the group leader process based on the current process identification number of the current process and the group leader process identification number, whether the current process is greater than or equal to 2000 and less than or equal to 10000 can be judged based on a numerical value corresponding to the identity identification number of the current process, if the identity identification number of the current process is greater than or equal to 2000 and less than or equal to 10000, the judgment result can be determined to have the target authority, and if the identity identification number of the current process is not greater than 2000 and less than or equal to 10000, the judgment result can be determined to have no target authority.

Possibly, when the electronic device judges that the current process has the group leader process based on the current process identification number of the current process and the group leader process identification number, the identity number of the group leader process can be acquired, whether the number is greater than or equal to 2000 and less than or equal to 10000 is judged based on a numerical value corresponding to the identity number of the group leader process, if the identity number of the group leader process is greater than or equal to 2000 and less than or equal to 10000, the judgment result can be determined to be that the electronic device has the target authority, and if the identity number of the group leader process is not greater than 2000 and less than or equal to 10000, the judgment result can be determined to be that the electronic device does not have the target authority.

As another embodiment of the present application, a flowchart of another kernel function reinforcement method provided in the embodiment of the present application may be shown in fig. 10.

As shown in fig. 10, the kernel function reinforcement method specifically includes the following steps:

step 1001, under the condition that the target kernel function triggering instruction is detected, judging whether the target kernel function triggering instruction has the target authority or not based on the current process.

And step 1002, recording and reporting the current process under the condition that the judgment result is that the current process has the target authority.

Specifically, when the electronic device determines that the determination result is that the electronic device has the target permission, it indicates that there is a risk in the current triggered target kernel function instruction, and may record the current process created based on the triggered target kernel function instruction, store and report the record to a background server corresponding to the electronic device, and perform tracking processing on the initiating end of the triggered target kernel function instruction by a background worker. The content represented by the record may include that the value corresponding to the id number of any one of the current process, the parent process, or the group leader process is equal to 2000, and the SHELL right triggers the call of the target kernel function instruction. For example, taking the target kernel function as the kernel mode to call the user mode function as an example, the record may be represented as that the value corresponding to the id number of the current process is equal to 2000, and the SHELL authority is used to execute the call to the kernel mode to call the user mode function. It can be understood that the embodiment is not limited to record only one process with a value equal to 2000 corresponding to an id number, for example, the record may also indicate that the value corresponding to the id number of the current process is equal to 2000, and the value corresponding to the id number of the parent process is equal to 2000, and both the current process and the parent process execute the call kernel mode to call the user mode function with the SHELL authority.

And 1003, intercepting the current process under the condition that the judgment result is that the current process has the target authority.

Specifically, when the electronic device determines that the determination result is that the current process has the target permission, it indicates that the current triggered target kernel function instruction may have a danger, and may perform an operation of stopping processing or returning to an error function on the current process created based on the triggered target kernel function instruction, so that the current process cannot be normally executed, and further, the call of the target kernel function may be effectively prevented.

And 1004, recording, reporting and intercepting the current process under the condition that the judgment result is that the current process has the target authority.

Specifically, when the electronic device determines that the determination result is that the current triggered target kernel function instruction has the target permission, it indicates that there is a risk in the current triggered target kernel function instruction, and may record the current process created based on the triggered target kernel function instruction, store and report the record to a background server corresponding to the electronic device, and at the same time, may perform an operation of stopping processing or returning to an error function on the current process created based on the triggered target kernel function instruction. It should be understood that the content recorded herein is not limited to include that the value corresponding to the id number of at least one of the current process, the parent process or the group leader process is equal to 2000, and the SHELL authority triggers the call of the target kernel function instruction, and may also include that the content is represented as intercepting the current process.

Here, any one of the above-mentioned steps 1002, 1003 and 1004 may be optionally executed. The present embodiment is not intended to be limiting.

It should be noted that the recorded content mentioned above exists in the form of a character string in the electronic device, and will not be described in detail herein.

And 1005, under the condition that the judgment result is that the target authority is not provided, triggering the target kernel function based on the current process.

Specifically, when the electronic device determines that the determination result is that the target kernel function instruction does not have the target permission, it indicates that there is no danger in the current trigger target kernel function instruction, and may continue to execute the trigger target kernel function instruction based on the current process, so as to perform normal call on the target kernel function.

In the embodiment of the application, the trigger target kernel function instruction can be subjected to appointed processing in time according to requirements under the condition that the judgment result is that the target kernel function instruction has the target authority, so that the safety of the target kernel function is effectively and quickly guaranteed, and the reinforcement and protection effects on the target kernel function are further achieved.

As another embodiment of the present application, after processing the current process according to the determination result of determining whether the current process has the target permission based on the current process, the method further includes:

and displaying the prompt message corresponding to the target authority.

Specifically, when the electronic device determines that the determination result is that the electronic device has the target authority, it indicates that there is a risk in the current instruction for triggering the target kernel function, and can feed back the called prompt information of the target kernel function to the user of the electronic device in time, so that the user can perform corresponding processing in the first time. The type of the prompt message may not be limited to a short message prompt, an interface pop-up prompt box prompt, or a voice prompt.

Specifically, the effect diagram of the electronic device displaying the prompt information provided by the embodiment of the application shown in fig. 11 can be referred to.

As shown in fig. 11, when the electronic device determines that the determination result is that the electronic device has the target authority, a prompt dialog 1101 may pop up on the current display interface 1100, and a prompt dialog 1101 displays "illegal instruction exists |)! "and an interception control 1102 and a reporting control 1103 are arranged below the text information. When the user receives the prompt dialog 1101, the user can select to click the interception control 1102 or the reporting control 1103 according to the requirement, so as to perform defense processing on the target kernel function triggering instruction.

Referring to fig. 12, fig. 12 is a schematic structural diagram illustrating a kernel function reinforcement apparatus according to an embodiment of the present application.

As shown in fig. 12, the kernel function reinforcement apparatus 1200 may include at least a first processing module 1201 and a second processing module 1202, where:

the first processing module 1201 is configured to, when a target kernel function triggering instruction is detected, determine whether the target kernel function triggering instruction has a target permission based on a current process;

the second processing module 1202 is configured to process the current process according to a determination result of whether the trigger target kernel function instruction has the target permission.

In some possible embodiments, the structure of the current process includes a current process identification number and a group leader process identification number;

the first processing module 1201 includes:

the first judgment unit is used for judging whether the current process identification number is equal to the group leader process identification number;

the first processing unit is used for determining that the current process has the group leader process under the condition that the current process identification number is not equal to the group leader process identification number, and acquiring a structural body of the group leader process;

the second judgment unit is used for judging whether the triggering target kernel function instruction has the target authority or not based on the structural body of the group leader process and the structural body of the current process;

the group leader process and the current process are located in a first process group, the first process group comprises the group leader process and the current process, and the current process is obtained by the group leader process.

In some possible embodiments, the structure of the current process includes a current process identification number and a group leader process identification number;

the first processing module 1201 includes:

the first judgment unit is used for judging whether the current process identification number is equal to the group leader process identification number;

the second processing unit is used for determining that the current process has the group leader process under the condition that the current process identification number is not equal to the group leader process identification number, and acquiring a structural body of the group leader process and a structural body of a first father process generated based on the first interface;

the third judging unit is used for judging whether the triggering target kernel function instruction has the target authority or not based on the structural body of the group leader process, the structural body of the first father process and the structural body of the current process;

the group leader process, the first father process and the current process are in a second process group, the second process group at least comprises the group leader process, the first father process and the current process, the current process is obtained by the first father process, and the first father process is obtained by the group leader process.

In some possible embodiments, the structure of the current process includes a current process identification number and a group leader process identification number;

the first processing module 1201 includes:

the first judgment unit is used for judging whether the current process identification number is equal to the group leader process identification number;

the third processing unit is used for determining that the current process does not have the group leader process under the condition that the current process identification number is equal to the group leader process identification number;

the acquisition unit is used for acquiring a structural body of a second parent process generated based on a second interface;

the fourth judging unit is used for judging whether the triggering target kernel function instruction has the target authority or not based on the structural body of the second parent process and the structural body of the current process under the condition that the structural body of the second parent process is detected; the second parent process and the current process are in a third process group, the third process group at least comprises the second parent process and the current process, and the current process is obtained by the second parent process; or

And under the condition that the structural body of the second parent process is not detected, judging whether the triggering target kernel function instruction has the target authority or not based on the structural body of the current process.

In some possible embodiments, the structure of the group leader process includes a group leader process identification number, the structure of the first parent process includes a first parent process identification number, and the structure of the current process includes a current process identification number;

the third judging unit is specifically configured to:

judging whether any one of the group leader process identification number, the first father process identification number and the current process identification number meets a preset condition or not;

under the condition that any one of the group leader process identity identification number, the first father process identity identification number and the current process identity identification number meets a preset condition, determining that the judgment result is that the target authority is available; or

And under the condition that the group leader process identity identification number, the first father process identity identification number and the current process identity identification number do not meet the preset condition, determining that the judgment result is that the target authority is not available.

In some possible embodiments, the third determining unit is specifically configured to:

and sequentially judging whether the group leader process identification number, the first father process identification number and the current process identification number meet preset conditions according to a preset sequence, finishing the judgment of the next identification number under the condition that the currently judged identification number meets the preset conditions, and determining that the judgment result is the specific target permission.

In some possible embodiments, the third determining unit is specifically configured to:

judging whether the group leader process identity identification number meets a preset condition or not;

under the condition that the group leader process identity identification number meets the preset condition, determining that the judgment result is that the group leader process identity identification number has the target authority;

under the condition that the group leader process identity identification number does not meet the preset condition, judging whether the first father process identity identification number meets the preset condition or not;

under the condition that the first parent process identity identification number meets the preset condition, determining that the judgment result is that the first parent process identity identification number has the target authority;

under the condition that the first parent process identification number does not meet the preset condition, judging whether the current process identification number meets the preset condition or not;

and under the condition that the current process identity identification number meets the preset condition, determining that the judgment result is that the current process identity identification number has the target authority.

In some possible embodiments, the structure of the second parent process includes a second parent process identification number, and the structure of the current process includes a current process identification number;

the fourth judging unit is specifically configured to:

judging whether any one of the second parent process identification number and the current process identification number meets a preset condition or not;

under the condition that any one of the second parent process identification number and the current process identification number meets a preset condition, determining that the judgment result is that the target authority is provided; or

And under the condition that the second parent process identification number and the current process identification number do not meet the preset condition, determining that the judgment result is that the target authority is not available.

In some possible embodiments, the structure of the current process includes a current process identification number;

the fourth judging unit is specifically configured to:

under the condition that the current process identity identification number meets the preset condition, determining that the judgment result is that the current process identity identification number has the target authority; or

And under the condition that the current process identity identification number does not meet the preset condition, determining that the judgment result is that the target authority is not available.

In some possible embodiments, the second processing module is configured to:

under the condition that the judgment result is that the current process has the target authority, recording and reporting the current process; or

Intercepting the current process under the condition that the judgment result is that the current process has the target authority; or

Under the condition that the judgment result is that the current process has the target authority, recording, reporting and intercepting the current process; or

And triggering the target kernel function based on the current process under the condition that the judgment result is that the target kernel function does not have the target authority.

In some possible embodiments, the apparatus further comprises:

and the display module is used for displaying the prompt message corresponding to the target authority.

Referring to fig. 13, fig. 13 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.

As shown in fig. 13, the electronic device 1300 may include: at least one processor 1301, at least one network interface 1304, a user interface 1303, memory 1305, a display screen 1306, and at least one communication bus 1302.

The communication bus 1302 may be used for implementing the connection communication of the above components.

The user interface 1303 may include keys, and the selectable user interfaces may also include standard wired interfaces and wireless interfaces.

The network interface 1304 may include, but is not limited to, a bluetooth module, an NFC module, or a Wi-Fi module, among others.

Processor 1301 may include one or more processing cores, among other things. The processor 1301, which connects various parts throughout the electronic device 1300 using various interfaces and lines, performs various functions of the routing device 1300 and processes data by executing or executing instructions, programs, code sets, or instruction sets stored in the memory 1305 and invoking data stored in the memory 1305. Optionally, the processor 1301 may be implemented in at least one hardware form of DSP, FPGA, or PLA. The processor 1301 may integrate one or a combination of CPU, GPU, modem, etc. Wherein, the CPU mainly processes an operating system, a user interface, an application program and the like; the GPU is used for rendering and drawing the content required to be displayed by the display screen; the modem is used to handle wireless communications. It is to be understood that the modem may not be integrated into the processor 1301, but may be implemented by a single chip.

The memory 1305 may include a RAM or a ROM. Optionally, the memory 1305 includes a non-transitory computer-readable medium. The memory 1305 may be used to store an instruction, a program, code, a set of codes, or a set of instructions. The memory 1305 may include a program storage area and a data storage area, wherein the program storage area may store instructions for implementing an operating system, instructions for at least one function (such as a touch function, a sound playing function, an image playing function, etc.), instructions for implementing the various method embodiments described above, and the like; the storage data area may store data and the like referred to in the above respective method embodiments. The memory 1305 may optionally be at least one memory device located remotely from the processor 1301. As shown in fig. 13, the memory 1305, which is a kind of computer storage medium, may include therein an operating system, a network communication module, a user interface module, and a kernel function reinforcement application program.

In particular, the processor 1301 may be configured to invoke a kernel function reinforcement application stored in the memory 1305, and specifically perform the following operations:

under the condition that a target kernel function triggering instruction is detected, judging whether the target kernel function triggering instruction has a target authority or not based on the current process;

and processing the current process according to the judgment result of whether the triggering target kernel function instruction has the target authority.

In some possible embodiments, the structure of the current process includes a current process identification number and a group leader process identification number;

the processor 1301 specifically executes, when judging whether the trigger target kernel function instruction has the target right based on the current process:

judging whether the current process identification number is equal to the group leader process identification number;

under the condition that the identification number of the current process is not equal to the identification number of the group leader process, determining that the current process has the group leader process, and acquiring a structural body of the group leader process;

judging whether the trigger target kernel function instruction has a target authority or not based on the structural body of the group leader process and the structural body of the current process;

the group leader process and the current process are located in a first process group, the first process group comprises the group leader process and the current process, and the current process is obtained by the group leader process.

In some possible embodiments, the structure of the current process includes a current process identification number and a group leader process identification number;

the processor 1301 specifically executes, when judging whether the trigger target kernel function instruction has the target right based on the current process:

judging whether the current process identification number is equal to the group leader process identification number;

under the condition that the identification number of the current process is not equal to the identification number of the group leader process, determining that the current process has the group leader process, and acquiring a structural body of the group leader process and a structural body of a first father process generated based on a first interface;

judging whether the triggering target kernel function instruction has a target authority or not based on the structural body of the group leader process, the structural body of the first father process and the structural body of the current process;

the group leader process, the first father process and the current process are in a second process group, the second process group at least comprises the group leader process, the first father process and the current process, the current process is obtained by the first father process, and the first father process is obtained by the group leader process.

In some possible embodiments, the structure of the current process includes a current process identification number and a group leader process identification number;

the processor 1301 specifically executes, when judging whether the trigger target kernel function instruction has the target right based on the current process:

judging whether the current process identification number is equal to the group leader process identification number;

determining that the current process does not have the group leader process under the condition that the current process identification number is equal to the group leader process identification number;

acquiring a structural body of a second parent process generated based on a second interface;

under the condition that the structure of the second parent process is detected, judging whether the target kernel function triggering instruction has the target authority or not based on the structure of the second parent process and the structure of the current process; the second parent process and the current process are in a third process group, the third process group at least comprises the second parent process and the current process, and the current process is obtained by the second parent process; or

And under the condition that the structural body of the second parent process is not detected, judging whether the triggering target kernel function instruction has the target authority or not based on the structural body of the current process.

In some possible embodiments, the structure of the group leader process includes a group leader process identification number, the structure of the first parent process includes a first parent process identification number, and the structure of the current process includes a current process identification number;

the processor 1301 specifically executes, when determining whether the triggered target kernel function instruction has the target right based on the structural body of the group leader process, the structural body of the first parent process, and the structural body of the current process:

judging whether any one of the group leader process identification number, the first father process identification number and the current process identification number meets a preset condition or not;

under the condition that any one of the group leader process identity identification number, the first father process identity identification number and the current process identity identification number meets a preset condition, determining that the judgment result is that the target authority is available; or

And under the condition that the group leader process identity identification number, the first father process identity identification number and the current process identity identification number do not meet the preset condition, determining that the judgment result is that the target authority is not available.

In some possible embodiments, the processor 1301 determines whether any one of the group leader process id number, the first parent process id number, and the current process id number satisfies a preset condition, and when any one of the group leader process id number, the first parent process id number, and the current process id number satisfies the preset condition, the determination is specifically performed when the determination result is that the target authority is satisfied:

and sequentially judging whether the group leader process identification number, the first father process identification number and the current process identification number meet preset conditions according to a preset sequence, finishing the judgment of the next identification number under the condition that the currently judged identification number meets the preset conditions, and determining that the judgment result is the specific target permission.

In some possible embodiments, the processor 1301 sequentially determines whether any one of the group leader process identification number, the first parent process identification number, and the current process identification number satisfies a preset condition according to a preset sequence, ends the determination of the next identification number when the currently determined identification number satisfies the preset condition, and specifically executes when the determination result is determined to be the specific target right:

judging whether the group leader process identity identification number meets a preset condition or not;

under the condition that the group leader process identity identification number meets the preset condition, determining that the judgment result is that the group leader process identity identification number has the target authority;

under the condition that the group leader process identity identification number does not meet the preset condition, judging whether the first father process identity identification number meets the preset condition or not;

under the condition that the first parent process identity identification number meets the preset condition, determining that the judgment result is that the first parent process identity identification number has the target authority;

under the condition that the first parent process identification number does not meet the preset condition, judging whether the current process identification number meets the preset condition or not;

and under the condition that the current process identity identification number meets the preset condition, determining that the judgment result is that the current process identity identification number has the target authority.

In some possible embodiments, the structure of the second parent process includes a second parent process identification number, and the structure of the current process includes a current process identification number;

when the processor 1301 judges whether the trigger target kernel function instruction has the target right based on the structural body of the second parent process and the structural body of the current process, the following steps are specifically executed:

judging whether any one of the second parent process identification number and the current process identification number meets a preset condition or not;

under the condition that any one of the second parent process identification number and the current process identification number meets a preset condition, determining that the judgment result is that the target authority is provided; or

And under the condition that the second parent process identification number and the current process identification number do not meet the preset condition, determining that the judgment result is that the target authority is not available.

In some possible embodiments, the structure of the current process includes a current process identification number;

when the processor 1301 judges whether the trigger target kernel function instruction has the target right based on the structure of the current process, the following steps are specifically executed:

under the condition that the current process identity identification number meets the preset condition, determining that the judgment result is that the current process identity identification number has the target authority; or

And under the condition that the current process identity identification number does not meet the preset condition, determining that the judgment result is that the target authority is not available.

In some possible embodiments, when the processor 1301 processes the current process according to the determination result of determining whether the current process has the target permission, specifically:

under the condition that the judgment result is that the current process has the target authority, recording and reporting the current process; or

Intercepting the current process under the condition that the judgment result is that the current process has the target authority; or

Under the condition that the judgment result is that the current process has the target authority, recording, reporting and intercepting the current process; or

And triggering the target kernel function based on the current process under the condition that the judgment result is that the target kernel function does not have the target authority.

In some possible embodiments, after processing the current process according to the determination result of determining whether the current process has the target permission, the processor 1301 is further configured to:

and displaying the prompt message corresponding to the target authority.

Embodiments of the present application also provide a computer-readable storage medium, which stores instructions that, when executed on a computer or a processor, cause the computer or the processor to perform one or more steps in the embodiments shown in fig. 3, 5, 6, 7, 8, or 10. The respective constituent modules of the electronic device described above may be stored in the computer-readable storage medium if they are implemented in the form of software functional units and sold or used as independent products.

In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When loaded and executed on a computer, cause the processes or functions described in accordance with the embodiments of the application to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in or transmitted over a computer-readable storage medium. The computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)), or wirelessly (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., Digital Versatile Disk (DVD)), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.

It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and can include the processes of the embodiments of the methods described above when the program is executed. And the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks. The technical features in the present examples and embodiments may be arbitrarily combined without conflict.

The above-described embodiments are merely preferred embodiments of the present application, and are not intended to limit the scope of the present application, and various modifications and improvements made to the technical solutions of the present application by those skilled in the art without departing from the design spirit of the present application should fall within the protection scope defined by the claims of the present application.

完整详细技术资料下载
上一篇:石墨接头机器人自动装卡簧、装栓机
下一篇:安全的多固件融合系统及多固件融合控制方法

网友询问留言

已有0条留言

还没有人留言评论。精彩留言会获得点赞!

精彩留言,会给你点赞!

技术分类