Journal of Computer Applications ›› 2009, Vol. 29 ›› Issue (12): 3398-3399.
• Typical applications
钱涛 1, 郑扣根 2
Abstract: To prevent malicious processes on the Windows platform from destroying system resources, a validation technique implemented as a kernel-mode driver is presented. The driver hooks process creation, obtains the path of each new process's executable file, and checks whether the process is legitimate. The validation runs in Windows kernel mode and uses a data structure called a path-tree to speed up the check. With this method, a malicious process can be terminated before its creation completes, so it never gets the chance to damage system resources.
Key words: process validation, process creation, kernel mode, path-tree
Abstract (translated from the Chinese): To keep malicious processes on the Windows platform from damaging system resources, a method is proposed that intercepts the creation of Windows processes and checks the path of each process's executable file to verify whether the process is legitimate. The method runs in kernel mode as a software driver and uses a path-tree model to improve the efficiency of the legitimacy check. With this method the process creation procedure can be effectively intercepted and the legitimacy of the executable file path verified, so the system can kill a malicious process before its creation completes and keep system resources from being damaged.
Keywords (translated from the Chinese): process legitimacy validation, process creation, kernel mode, path tree
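The path-tree lookup the abstract describes, as an added example that is not the authors' code: a trie keyed on case-insensitive path components, where a node marked as allowed covers every executable beneath it, so a validation walk costs one step per component instead of a string compare per allowlist entry. It is plain user-mode C for illustration only (the paper's check runs inside a kernel driver), and the allowlist entries and tested paths are constructed; treating an allowed directory as covering its whole subtree is an assumption, since the abstract does not spell out the tree's semantics.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* One node of the path tree. Component matching is case-insensitive, as
 * Windows paths are; `allowed` set on a node means everything under it is
 * legal. (Prefix-covers-subtree is an assumption, not from the paper.) */
typedef struct PathNode {
    char name[64];
    int allowed;
    struct PathNode *child, *sibling;
} PathNode;

PathNode *path_tree_root(void) { return calloc(1, sizeof(PathNode)); }

static int name_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Find the child named `name`; create it when `create` is non-zero. */
static PathNode *child(PathNode *n, const char *name, int create) {
    PathNode *c;
    for (c = n->child; c; c = c->sibling)
        if (name_eq(c->name, name)) return c;
    if (!create) return NULL;
    c = calloc(1, sizeof(PathNode));
    strncpy(c->name, name, sizeof(c->name) - 1);
    c->sibling = n->child;
    n->child = c;
    return c;
}

/* Register a legal path (a single executable or a directory prefix). */
void path_tree_add(PathNode *root, const char *path) {
    char buf[512];
    strncpy(buf, path, sizeof(buf) - 1); buf[sizeof(buf) - 1] = '\0';
    PathNode *n = root;
    for (char *tok = strtok(buf, "\\/"); tok; tok = strtok(NULL, "\\/"))
        n = child(n, tok, 1);
    n->allowed = 1;
}

/* Validate an image path: walk one component at a time, accept as soon as an
 * allowed prefix is reached, and deny when a component is missing. */
int path_tree_allows(PathNode *root, const char *path) {
    char buf[512];
    strncpy(buf, path, sizeof(buf) - 1); buf[sizeof(buf) - 1] = '\0';
    PathNode *n = root;
    for (char *tok = strtok(buf, "\\/"); tok; tok = strtok(NULL, "\\/")) {
        if (n->allowed) return 1;
        n = child(n, tok, 0);
        if (!n) return 0;
    }
    return n->allowed;
}
```

Because the driver only ever sees the full image path at creation time, a deny result here is the point at which the abstract's method would terminate the process.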
钱涛, 郑扣根. Driver-mode validation of Windows process legitimacy [J]. Journal of Computer Applications, 2009, 29(12): 3398-3399.
URL: http://www.joca.cn/EN/Y2009/V29/I12/3398