CN116305263A - Key acquisition method, file decryption method and related devices - Google Patents

Publication number
CN116305263A
Authority
CN
China
Prior art keywords
key
target
file
function
decrypting
Prior art date
Legal status
Pending
Application number
CN202310218380.5A
Other languages
Chinese (zh)
Inventor
孙晓骏
张佳荟
覃梓兴
张苏洵
刘铠文
张春广
Current Assignee
Rongma Technology Beijing Co ltd
Original Assignee
Rongma Technology Beijing Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Abstract

The invention relates to the technical field of computer security, and provides a key acquisition method, a file decryption method and a related device, wherein the key acquisition method comprises the following steps: when a target process generates a key, acquiring the target key generated by the target process through a hook function, wherein the target key is used for decrypting a target file; the target key is stored in a key file. In the embodiment, when the target process generates the key, the target key generated by the target process is acquired through the hook function, then the target key is stored in the key file, and when the target file is maliciously encrypted based on the target key, the target key can be acquired from the key file, and the encrypted target file is decrypted based on the target key.

Description

Key acquisition method, file decryption method and related devices
Technical Field
The invention relates to the technical field of computer security, in particular to a key acquisition method, a file decryption method and a related device.
Background
Ransomware is a type of virus that spreads mainly through e-mail, program Trojan horses and web-page Trojan horses. It is malicious in nature and highly damaging: it encrypts files using various encryption algorithms, the infected files may be recoverable by obtaining the decryption private key, and the malicious operator of the ransomware extorts money from the user.
Existing security software intercepts known ransomware, but cannot restore the maliciously encrypted files when interception fails.
Disclosure of Invention
The invention aims to provide a key acquisition method, a file decryption method and a related device, which can acquire and store a generated key through a hook function when a target process generates the key so as to decrypt a maliciously encrypted file when the file is maliciously encrypted.
Embodiments of the invention may be implemented as follows:
In a first aspect, the present invention provides a key obtaining method, applied to an electronic device, where a kernel layer of the electronic device runs a target process with a hook function injected in advance, the method comprising:
when the target process generates a key, acquiring the target key generated by the target process through the hook function, wherein the target key is used for decrypting a target file;
and storing the target key into a key file.
In an alternative embodiment, the hook function is injected into a key generating function in the target process, and when the target process generates a key, the step of acquiring, by the hook function, the target key generated by the target process includes:
and when the target process calls the key generation function to generate the target key, acquiring the target key through the hook function.
In an alternative embodiment, the hook function is injected into a key obtaining function in the target process, the target process further includes a key generating function that generates the target key, and when the target process generates the target key, the step of obtaining, by the hook function, the target key generated by the target process includes:
when the target process calls the key acquisition function to acquire the target key, the output parameters of the key acquisition function are acquired through the hook function, so that the target key is obtained, and the target key is generated by the key generation function and acquired through the output parameters of the key acquisition function.
In an alternative embodiment, the hook function is injected into the target process in the form of a dynamically linked library.
In an alternative embodiment, the target process is a ransomware process.
In a second aspect, the present invention provides a file decryption method, applied to an electronic device, where a kernel layer of the electronic device runs a target process with a hook function injected in advance, the method comprising:
when the target process is determined to be a ransomware process, determining a target key corresponding to the ransomware process from a pre-stored key file, wherein the target key is obtained by the method according to the first aspect in the foregoing embodiment;
and decrypting the target file encrypted by the ransomware process by using the target key.
In an optional embodiment, the key file stores the correspondence between the identifier of each application process and the corresponding key, and the method further includes:
acquiring an identifier of the ransomware process;
and determining the target key corresponding to the identifier of the ransomware process according to the correspondence.
In an optional embodiment, the target file is obtained by the ransomware process symmetrically encrypting the original file with a symmetric encryption key, the symmetric encryption key is the target key, and the step of decrypting the target file encrypted by the ransomware process by using the target key includes:
acquiring the symmetric encryption key used for symmetrically encrypting the original file;
because the symmetric encryption key is the target key, determining the target key to be the decryption key;
and decrypting the target file encrypted by the ransomware process by using the target key as the decryption key to obtain the original file.
In an alternative embodiment, the target key is obtained by the ransomware encrypting a plaintext key through asymmetric encryption, and the step of decrypting the target file encrypted by the ransomware process by using the target key includes:
obtaining the key pair used for asymmetrically encrypting the plaintext key, and obtaining a decryption key from the key pair;
decrypting the target key based on the decryption key to obtain the plaintext key;
and decrypting the target file encrypted by the ransomware process by using the plaintext key to obtain the original file.
And decrypting the target file encrypted by the ransomware process by using the symmetric encryption key.
In a third aspect, the present invention provides a key acquisition apparatus applied to an electronic device running a target process with a pre-injected hook function, the apparatus comprising:
the acquisition module is used for acquiring a target key generated by the target process through the hook function when the target process generates the key, wherein the target key is used for decrypting a target file;
and the storage module is used for storing the target secret key into a secret key file.
In a fourth aspect, the present invention provides a file decrypting apparatus applied to an electronic device, in which a kernel layer of the electronic device runs a target process with a hook function injected in advance, the apparatus comprising:
the determining module is configured to determine, when the target process is determined to be a ransomware process, the target key corresponding to the ransomware process from a pre-stored key file, where the target key is obtained by the method in the first aspect in the foregoing embodiment;
and the decryption module is used for decrypting the target file encrypted by the ransomware process by using the target key.
In a fifth aspect, the present invention provides an electronic device, including a processor and a memory, where the memory is configured to store a program, and the processor is configured to implement the key acquisition method according to the first aspect of the foregoing embodiment, or implement the file decryption method according to the second aspect of the foregoing embodiment, when the program is executed.
In a sixth aspect, the present invention provides a computer-readable storage medium, on which a computer program is stored, which when executed by a processor implements the key acquisition method according to the first aspect of the foregoing embodiment, or implements the file decryption method according to the second aspect of the foregoing embodiment.
Compared with the prior art, when the target process generates the key, the target key generated by the target process is acquired through the hook function, the target key is stored in the key file, and when the target file is maliciously encrypted based on the target key, the target key can be acquired from the key file, and the encrypted target file is decrypted based on the key.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart illustrating a key obtaining method according to an embodiment of the present invention.
Fig. 2 is a flowchart illustrating a file decryption method according to an embodiment of the present invention.
Fig. 3 is an exemplary diagram of a file encryption and decryption process according to an embodiment of the present invention.
Fig. 4 is a block diagram of a key obtaining apparatus according to an embodiment of the present invention.
Fig. 5 is a block diagram of a file decrypting apparatus according to an embodiment of the present invention.
Fig. 6 is a block schematic diagram of an electronic device according to an embodiment of the present invention.
Reference numerals: 10-electronic device; 11-processor; 12-memory; 13-bus; 100-key acquisition device; 110-acquisition module; 120-storage module; 200-file decryption device; 210-determination module; 220-decryption module.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. The components of the embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the invention, as presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
In the description of the present invention, it should be noted that, if the terms "upper", "lower", "inner", "outer", and the like indicate an azimuth or a positional relationship based on the azimuth or the positional relationship shown in the drawings, or the azimuth or the positional relationship in which the inventive product is conventionally put in use, it is merely for convenience of describing the present invention and simplifying the description, and it is not indicated or implied that the apparatus or element referred to must have a specific azimuth, be configured and operated in a specific azimuth, and thus it should not be construed as limiting the present invention.
Furthermore, the terms "first," "second," and the like, if any, are used merely for distinguishing between descriptions and not for indicating or implying a relative importance.
It should be noted that the features of the embodiments of the present invention may be combined with each other without conflict.
Ransomware typically encrypts files maliciously using a key, which is the information or parameter used to encrypt and decrypt messages in symmetric or asymmetric encryption. Encryption methods generally include symmetric key encryption and asymmetric key encryption. In symmetric key encryption, also known as private key encryption or a session key encryption algorithm, the sender and the receiver of the information use the same key to encrypt and decrypt data. Its greatest advantages are high encryption and decryption speed and suitability for encrypting large volumes of data, but key management is difficult. Asymmetric key encryption, also known as public key encryption, uses different keys for the encryption and decryption operations: one is published, i.e., the public key, and the other is kept secret by the user, i.e., the private key. The sender of the information encrypts with the public key and the receiver of the information decrypts with the private key. Public key mechanisms are flexible, but encryption and decryption are much slower than with symmetric key encryption.
Regardless of the encryption mode, once interception of the ransomware fails, the ransomware causes huge losses to users after maliciously encrypting their files.
In view of this, the present embodiment provides a key obtaining method, a file decrypting method and related devices, and the core improvement points thereof are as follows: when the target process generates a key, the generated key is acquired and stored through a hook function so as to decrypt the maliciously encrypted file when the file is maliciously encrypted. Which will be described in detail below.
Referring to fig. 1, fig. 1 is a flowchart illustrating a key obtaining method according to an embodiment of the present invention, where the method includes the following steps:
In step S101, when the target process generates a key, the target key generated by the target process is acquired through the hook function, and the target key is used for decrypting the target file.
In this embodiment, the hook function, also called a hook, is a function that is executed under certain conditions: it is mounted on a mount point, and when execution reaches the mount point, the mounted hook function is executed. The target process is a process that includes a key-generation step and into which a hook function capable of acquiring the target key generated by the target process has been injected in advance.
Step S102, storing the target key into a key file.
In this embodiment, so that the target key can be obtained promptly when needed, the target key is stored in the key file after it is acquired. The key file may be stored in a preset path, and to ensure its security the key file may be set as a hidden file, disguised as a file of another format, or the like. In one embodiment, the target process symmetrically encrypts the target file with a symmetric encryption key and then asymmetrically encrypts the symmetric encryption key, and the target key obtained in step S102 is used to decrypt the symmetric encryption key. With the method of this embodiment, once the target process is found to be a malicious process and the target file has been maliciously encrypted, the target key can be taken out of the key file, the symmetric encryption key is decrypted with the target key, and the target file is then decrypted with the decrypted symmetric encryption key.
According to the method provided by the embodiment, the target key generated by the target process is obtained through the hook function, then the target key is stored in the key file, when the target file is maliciously encrypted based on the target key, the target key can be obtained from the key file, and the encrypted target file is decrypted based on the target key.
In this embodiment, the hook function may be injected into the target process in more than one way, and the way the key is obtained differs with the way the hook function is injected. At least two implementations are provided: in one, the generated key is obtained when the target process generates the key; in the other, the key is obtained when the target process retrieves the generated key. They are described separately below.
Mode one: the hook function is injected into the key generation function in the target process, and one implementation manner of the step S101 is as follows: when the target process calls the key generation function to generate a key, the key is acquired through the hook function.
The key generation function in mode one may be, but is not limited to, a CryptGenKey function, a RegCreateKey function, or the like.
Mode two: the hook function is injected into the key obtaining function in the target process, and another implementation manner of the step S101 is as follows: when the target process calls the key acquisition function to acquire the key, the output parameters of the key acquisition function are acquired through the hook function to obtain the key; the key is generated by the key generation function and retrieved through the output parameters of the key acquisition function.
The key acquisition function in mode two may be, but is not limited to, a CryptExportKey function, a BCryptExportKey function, or the like.
It should be noted that the hook function may be injected into the target process in the form of a dynamic link library, or may be injected into the target process by registration.
In this embodiment, the target process is a ransomware process; in that case, the target file maliciously encrypted by the ransomware process can be decrypted with the obtained key, which greatly reduces the loss caused by the ransomware process.
In this embodiment, after the key has been saved to the key file, when the electronic device is attacked by a ransomware process, a file decryption method is further provided in order to decrypt the files maliciously encrypted by the ransomware. Referring to fig. 2, fig. 2 is a flowchart of the file decryption method provided by the embodiment of the present invention; the method is applied to the electronic device and includes the following steps:
In step S201, when the target process is determined to be a ransomware process, a target key corresponding to the ransomware process is determined from a pre-stored key file, and the target key is obtained by the method in the foregoing embodiment.
In this embodiment, the electronic device runs a plurality of application processes, each of which includes a key-generation step. The ransomware process can be identified among the plurality of application processes by means of a preset ransomware feature template, which may include feature keywords or feature regular expressions of the virus program, and the like; the target process may be any one of the plurality of application processes.
In this embodiment, for each application process, the foregoing embodiment is used to obtain the key generated when the application process runs. As one implementation, each application process and the key it generated may be stored in the key file, so that the key generated by the ransomware process can be obtained from the key file. For example, there are 3 application processes, process A, process B and process C, whose keys are a, b and c respectively; if process B is the ransomware process, b is the target key.
Step S202, decrypting the target file encrypted by the ransomware process by using the target key.
It should be noted that files encrypted by different application processes may have different characteristics, while files encrypted by the same application process generally share common characteristics, so the target files encrypted by the same application process can be classified as the same type of file. If there are multiple ransomware processes among the application processes, each ransomware process corresponds to its own target files, and the types of the target files of different ransomware processes may differ. Files encrypted by a ransomware process can be analyzed in advance to determine their common characteristics, so that the target files encrypted by the ransomware process can be identified.
In an alternative embodiment, in order to obtain the target key from the key file more conveniently, as an implementation manner, the correspondence between the identifier of each application process and the corresponding key is stored in the key file, and the implementation manner is as follows:
firstly, obtaining the identifier of the ransomware process;
in this embodiment, each application process has an identifier that uniquely characterizes the application process, where the identifier may be a number, a letter, a combination of the two, or a combination of numbers, letters and other special characters.
And secondly, determining the target key corresponding to the identifier of the ransomware process according to the correspondence.
In this embodiment, because asymmetric encryption is inefficient, a ransomware process generally encrypts a file with a symmetric encryption key and then encrypts that symmetric encryption key with an asymmetric encryption key, achieving double encryption to ensure encryption strength and security. When the ransomware process has symmetrically encrypted the target file with the symmetric encryption key, asymmetrically encrypting the symmetric encryption key yields the encrypted symmetric encryption key, and the target key is used to decrypt the encrypted symmetric encryption key. For this scenario, this embodiment provides an implementation manner for decrypting the file:
firstly, a symmetric encryption key used for symmetrically encrypting an original file is obtained;
in this embodiment, the target file is obtained after the original file is symmetrically encrypted. As an implementation manner, the ransomware process first generates an asymmetric encryption key pair and temporarily stores it in memory; the key pair includes a public key and a private key, the public key is used for encrypting the symmetric encryption key, and the private key is retained for decrypting that key.
Secondly, because the symmetric encryption key is the target key, the target key is determined to be the decryption key;
and finally, decrypting the target file encrypted by the ransomware process by using the target key as the decryption key to obtain the original file.
In this embodiment, when the target file has been encrypted with the symmetric encryption key of the ransomware process, the symmetric encryption key (i.e., the target key) used for symmetrically encrypting the original file is easily obtained. Because a symmetric encryption algorithm is used, the encryption key and the decryption key are the same, so the target key can also be determined to be the decryption key, and the target key is used as the decryption key to decrypt the target file encrypted by the ransomware process, thereby obtaining the original file.
In the above embodiment, if the target key is stored in plaintext, the target key can be used directly as the decryption key. In some cases, to ensure the security of the key, the key is further encrypted, that is, the target key is stored in encrypted form, so it cannot be used directly once obtained: the target key must first be decrypted to obtain the plaintext key, which is then used to decrypt the target file encrypted by the ransomware. This is described in the following embodiment.
In this embodiment, the target key is obtained by the ransomware encrypting the plaintext key through asymmetric encryption, and the implementation manner of decrypting the target file encrypted by the ransomware process by using the target key to obtain the original file may include the following steps 1 to 3:
step 1: obtaining a key pair used for asymmetrically encrypting a plaintext key, and obtaining a decryption key from the key pair;
in this embodiment, since an asymmetric encryption algorithm is adopted, the key pair includes two keys for performing encryption and decryption operations, respectively, one key is published publicly, also referred to as a public key, and the other key is kept secret by the user himself, i.e., a private key. The sender of the message encrypts with a public key and the receiver of the message decrypts with a private key, which in this embodiment is the private key used for decryption in the key pair.
Step 2: decrypting the target key based on the decryption key to obtain a plaintext key;
Step 3: decrypting the target file encrypted by the ransomware process by using the plaintext key to obtain the original file.
In order to illustrate the whole encryption and decryption process more clearly, this embodiment further provides an example diagram of a file encryption and decryption process. Referring to fig. 3, fig. 3 is an example diagram of a file encryption and decryption process provided in an embodiment of the present invention. In fig. 3, the encryption steps performed by the ransomware include:
S11: the ransomware generates a symmetric key and encrypts the target file;
S12: the ransomware generates an asymmetric key pair and temporarily stores it in memory, wherein the asymmetric key pair comprises a public key and a private key;
S13: the ransomware takes the asymmetric encryption public key from memory, encrypts the symmetric encryption key, and obtains the encrypted key.
The decryption method of the embodiment comprises the following steps:
S21: intercepting the private key in the asymmetric key pair when the ransomware generates the asymmetric key pair;
s22: storing the private key into a key file;
s23: when the file needs to be decrypted, a private key is obtained from the key file, and the encrypted key is decrypted by using the private key;
s24: and decrypting the target file by using the decrypted key, thereby realizing the decryption of the target file.
The order of execution of the steps S11 to S13 and the steps S21 to S24 is merely an example, and in fact, the order of execution of some steps may be adjusted in actual implementation, for example, step S11 may be executed prior to step S12, may be executed after step S12, or may be executed simultaneously.
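The S11 to S13 and S21 to S24 flow above, together with the key file that maps process identifiers to keys, as an added Python example (not code from the patent). The `Process` class and its function table are a hypothetical model of a hooked process; textbook RSA over Mersenne primes and a SHA-256 keystream are insecure stand-ins for the real asymmetric and symmetric algorithms, and the sample file contents are constructed.

```python
import hashlib
import json
import os
import secrets
import tempfile

# Stand-in primitives (assumptions, NOT secure): textbook RSA over a product of
# two Mersenne primes replaces the asymmetric key pair, and a SHA-256 counter
# keystream replaces the symmetric cipher.
MERSENNE_EXPONENTS = [61, 89, 107, 127]
E = 65537


def generate_key_pair():
    """Simulated key generation function of the target process (S12)."""
    a, b = secrets.SystemRandom().sample(MERSENNE_EXPONENTS, 2)
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}


def keystream_xor(key, data):
    """Toy symmetric cipher: the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(x ^ y for x, y in zip(data[offset:offset + 32], pad))
    return bytes(out)


class Process:
    """Hypothetical process model: an identifier plus a table of callable APIs."""

    def __init__(self, ident):
        self.ident = ident
        self.api = {"generate_key_pair": generate_key_pair}


def install_hook(proc, key_file):
    """Mode one: wrap the key generation function and record what it returns."""
    original = proc.api["generate_key_pair"]

    def hooked():
        pair = original()                      # the call itself proceeds unchanged
        record = {"process": proc.ident, "n": pair["n"], "d": pair["d"]}
        with open(key_file, "a") as fh:        # S22: store under the process id
            fh.write(json.dumps(record) + "\n")
        return pair

    proc.api["generate_key_pair"] = hooked


def run_target(proc, original_file):
    """Simulated S11-S13 inside the target process, on an in-memory buffer."""
    sym = secrets.token_bytes(16)
    target_file = keystream_xor(sym, original_file)                   # S11
    pair = proc.api["generate_key_pair"]()                            # S12, hooked (S21)
    wrapped = pow(int.from_bytes(sym, "big"), pair["e"], pair["n"])   # S13
    return target_file, wrapped


def lookup_key(key_file, ident):
    """Find the stored private key by process identifier."""
    with open(key_file) as fh:
        for line in fh:
            record = json.loads(line)
            if record["process"] == ident:
                return record
    raise KeyError(ident)


def recover(key_file, ident, target_file, wrapped):
    """S23-S24: unwrap the symmetric key, then decrypt the target file."""
    record = lookup_key(key_file, ident)
    sym = pow(wrapped, record["d"], record["n"]).to_bytes(16, "big")
    return keystream_xor(sym, target_file)


def demo():
    key_file = os.path.join(tempfile.mkdtemp(), "keys.jsonl")
    original_file = b"constructed sample: contents of the original file"
    outputs = {}
    for ident in ("A", "B", "C"):              # three hooked application processes
        proc = Process(ident)
        install_hook(proc, key_file)
        outputs[ident] = run_target(proc, original_file)
    # Process B is later identified as the ransomware process.
    recovered = recover(key_file, "B", *outputs["B"])
    with open(key_file) as fh:
        stored = sum(1 for _ in fh)
    return recovered, original_file, stored


if __name__ == "__main__":
    recovered, original_file, stored = demo()
    print(stored, "keys stored; recovered == original:", recovered == original_file)
```
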
In order to perform the respective steps of the above-described embodiments and various possible implementations, an implementation of the key acquisition device is given below. Referring to fig. 4, fig. 4 is a block diagram of a key obtaining apparatus 100 according to an embodiment of the invention. It should be noted that, the key obtaining device 100 provided in this embodiment has the same basic principle and technical effects as those of the above embodiment, and for brevity, this embodiment is not mentioned in the description.
The key obtaining device 100 is applied to electronic equipment and comprises an obtaining module 110 and a storage module 120.
The obtaining module 110 is configured to obtain, when the target process generates the key, the target key generated by the target process through the hook function, where the target key is used to decrypt the target file.
The storage module 120 is configured to store the target key in the key file.
In an alternative embodiment, the hook function is injected into the key generation function in the target process, and the obtaining module 110 is specifically configured to: when the target process calls the key generation function to generate a key, acquire the key through the hook function.
In an alternative embodiment, the hook function is injected into a key acquisition function in the target process, and the target process further includes a key generation function for generating the key. When obtaining, through the hook function, the target key generated by the target process, the obtaining module 110 is specifically configured to: when the target process calls the key acquisition function to acquire the target key, acquire the output parameters of the key acquisition function through the hook function to obtain the target key, where the target key is generated by the key generation function and is returned through the output parameters of the key acquisition function.
In an alternative embodiment, in the obtaining module 110, the hook function is injected into the target process in the form of a dynamic link library.
In an alternative embodiment, the target process in the key acquisition device 100 is a ransomware process.
In order to perform the respective steps of the above embodiments and the various possible implementations, an implementation of a file decrypting apparatus is given below. Referring to fig. 5, fig. 5 is a block diagram of a file decrypting apparatus 200 according to an embodiment of the invention. It should be noted that the basic principle and the technical effects of the file decrypting apparatus 200 provided in this embodiment are the same as those of the above embodiments; for brevity, matters not mentioned in this embodiment may be found in the corresponding description of the above embodiments.
The file decrypting apparatus 200 is applied to an electronic device and comprises a determining module 210 and a decrypting module 220.
The determining module 210 is configured to determine, when the target process is determined to be a ransomware process, a target key corresponding to the ransomware process from a pre-stored key file, where the target key is obtained by the method in the foregoing embodiment.
The decryption module 220 is configured to decrypt the target file encrypted by the ransomware process by using the target key.
In an alternative embodiment, the key file stores a correspondence between the identifier of each application process and the corresponding key, and the determining module 210 is further configured to: acquire the identifier of the ransomware process; and determine the target key corresponding to the identifier of the ransomware process according to the correspondence.
In an alternative embodiment, the target file is obtained by the ransomware process symmetrically encrypting the original file with a symmetric encryption key, where the symmetric encryption key is the target key, and the decryption module 220 is specifically configured to: acquire the symmetric encryption key used to symmetrically encrypt the original file; determine the target key as the decryption key, since the symmetric encryption key is the target key; and decrypt the target file encrypted by the ransomware process by using the target key as the decryption key to obtain the original file.
In an alternative embodiment, the target key is obtained by the ransomware encrypting a plaintext key with asymmetric encryption, and the decryption module 220 is specifically configured to, when decrypting the target file encrypted by the ransomware process by using the target key: obtain the key pair used for asymmetrically encrypting the plaintext key, and obtain a decryption key from the key pair; decrypt the target key based on the decryption key to obtain the plaintext key; and decrypt the target file encrypted by the ransomware process by using the plaintext key to obtain the original file.
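The recovery side of steps S21 to S24 and the two decryption-module alternatives above can be sketched as follows. This is an added example, not code from the patent: the JSON key-file layout, the process identifiers, the textbook RSA demo key and the SHA-256 keystream standing in for the sample's symmetric cipher are all assumptions.

```python
import hashlib
import json

# Constructed demo RSA key (textbook RSA on small Mersenne primes, not for real use).
E = 65537
N = (2**127 - 1) * (2**89 - 1)
D = pow(E, -1, (2**127 - 2) * (2**89 - 2))

def keystream_xor(key, data):
    """Stand-in symmetric cipher (assumption): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def lookup_key(key_file_text, process_id):
    """Resolve a process identifier to its stored key record (the correspondence)."""
    records = json.loads(key_file_text)
    if process_id not in records:
        raise KeyError(f"no key captured for process {process_id!r}")
    return records[process_id]

def recover_file(key_file_text, process_id, ciphertext, wrapped_key=None):
    """S23 + S24: obtain the file key for this process, then decrypt the file."""
    rec = lookup_key(key_file_text, process_id)
    if rec["kind"] == "symmetric":
        # The captured key is the symmetric key itself.
        file_key = bytes.fromhex(rec["key"])
    elif rec["kind"] == "rsa_private":
        # The captured key is a private key; unwrap the encrypted key first.
        if wrapped_key is None:
            raise ValueError("asymmetric record needs the encrypted key")
        n, d = int(rec["n"], 16), int(rec["d"], 16)
        if not 0 <= wrapped_key < n:
            raise ValueError("encrypted key is out of range for this key pair")
        file_key = pow(wrapped_key, d, n).to_bytes(16, "big")
    else:
        raise ValueError(f"unknown record kind {rec['kind']!r}")
    return keystream_xor(file_key, ciphertext)

# Constructed sample data: one file key, its wrapped form, and a two-entry key file.
SYM_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
WRAPPED = pow(int.from_bytes(SYM_KEY, "big"), E, N)
ORIGINAL = b"constructed sample: contents of the original file"
ENCRYPTED = keystream_xor(SYM_KEY, ORIGINAL)
KEY_FILE = json.dumps({
    "proc-A": {"kind": "rsa_private", "n": hex(N), "d": hex(D)},
    "proc-B": {"kind": "symmetric", "key": SYM_KEY.hex()},
})

if __name__ == "__main__":
    print(recover_file(KEY_FILE, "proc-A", ENCRYPTED, WRAPPED))
    print(recover_file(KEY_FILE, "proc-B", ENCRYPTED))
```

Because the key file holds private and symmetric keys in the clear, a real deployment would need to restrict access to it at least as tightly as the files it protects.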
Referring to fig. 6, fig. 6 is a schematic block diagram of the electronic device 10 according to the embodiment of the present invention, and the electronic device 10 includes a processor 11, a memory 12, and a bus 13. The processor 11 and the memory 12 are connected by a bus 13.
The processor 11 may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in the processor 11 or by instructions in the form of software. The processor 11 may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU for short), a network processor (Network Processor, NP for short), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components.
The memory 12 is used for storing a program, for example, the key obtaining device 100 in fig. 4 or the file decrypting device 200 in fig. 5, and each of the key obtaining device 100 or the file decrypting device 200 includes at least one software functional module that may be stored in the memory 12 in the form of software or firmware (firmware), and the processor 11 executes the program after receiving the execution instruction to implement the key obtaining method or the file decrypting method in the embodiment of the present invention.
The memory 12 may include high-speed random access memory (Random Access Memory, RAM) and may also include non-volatile memory. Alternatively, the memory 12 may be a storage device built into the processor 11, or may be a storage device independent of the processor 11.
The bus 13 may be an ISA bus, a PCI bus, an EISA bus, or the like. In fig. 6 the bus is represented by only one double-headed arrow, but this does not mean that there is only one bus or one type of bus.
The key acquisition device 100 and the file decryption device 200 may be in the memory 12 of different electronic devices 10, or may be in the memory 12 of the same electronic device 10.
The present invention provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the key acquisition method as in the foregoing embodiment, or implements the file decryption method as in the foregoing embodiment.
In summary, the embodiment of the invention provides a key obtaining method, a file decrypting method and a related device, wherein the key obtaining method includes: when a target process generates a key, acquiring the target key generated by the target process through a hook function, wherein the target key is used for decrypting a target file; the target key is stored in a key file. Compared with the prior art, when the target process generates the key, the target key generated by the target process is acquired through the hook function, then the target key is stored in the key file, and when the target file is maliciously encrypted based on the target key, the target key can be acquired from the key file, and the encrypted target file is decrypted based on the target key.
The present invention is not limited to the above embodiments, and any changes or substitutions that can be easily understood by those skilled in the art within the technical scope of the present invention are intended to be included in the scope of the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (13)

1. A key acquisition method, applied to an electronic device, in which a kernel layer of the electronic device runs a target process with a hook function injected in advance, the method comprising:
when the target process generates a key, acquiring the target key generated by the target process through the hook function, wherein the target key is used for decrypting a target file;
and storing the target key into a key file.
2. The key acquisition method as claimed in claim 1, wherein the hook function is injected into a key generation function in the target process, and the step of acquiring the target key generated by the target process through the hook function when the target process generates the key comprises:
and when the target process calls the key generation function to generate the target key, acquiring the target key through the hook function.
3. The key acquisition method as claimed in claim 1, wherein the hook function is injected into a key acquisition function in the target process, the target process further comprising a key generation function generating the key, the step of acquiring the target key generated by the target process through the hook function when the target process generates the target key comprising:
when the target process calls the key acquisition function to acquire the target key, the output parameters of the key acquisition function are acquired through the hook function, so that the target key is obtained, and the target key is generated by the key generation function and acquired through the output parameters of the key acquisition function.
4. The key acquisition method of claim 1, wherein the hook function is injected into the target process in the form of a dynamic link library.
5. The key acquisition method of claim 1, wherein the target process is a ransomware process.
6. A file decryption method, which is applied to an electronic device, wherein a target process with a hook function injected in advance runs in a kernel layer of the electronic device, the method comprising:
when the target process is determined to be a ransomware process, determining a target key corresponding to the ransomware process from a prestored key file, wherein the target key is obtained by the method of any one of claims 1 to 5;
and decrypting the target file encrypted by the ransomware process by using the target key.
7. The file decrypting method as claimed in claim 6, wherein the key file stores a correspondence between an identification of each application process and a corresponding key, the method further comprising:
acquiring an identifier of the ransomware process;
and determining a target key corresponding to the identifier of the ransomware process according to the correspondence.
8. The file decryption method as claimed in claim 6, wherein the target file is obtained by the ransomware process symmetrically encrypting an original file with a symmetric encryption key, and the symmetric encryption key is the target key, and the step of decrypting the target file encrypted by the ransomware process using the target key comprises:
acquiring a symmetric encryption key for symmetrically encrypting the original file;
determining the target key as the decryption key, since the symmetric encryption key is the target key;
and decrypting the target file encrypted by the ransomware process by using the target key as the decryption key to obtain an original file.
9. The file decrypting method as claimed in claim 8, wherein the target key is obtained by the ransomware encrypting a plaintext key with asymmetric encryption, and the step of decrypting the target file encrypted by the ransomware process using the target key includes:
obtaining a key pair used for carrying out asymmetric encryption on the plaintext key, and obtaining a decryption key from the key pair;
decrypting the target key based on the decryption key to obtain the plaintext key;
and decrypting the target file encrypted by the ransomware process by using the plaintext key to obtain an original file.
10. A key acquisition apparatus, applied to an electronic device in which a target process with a hook function injected in advance runs in a kernel layer, comprising:
the acquisition module is used for acquiring a target key generated by the target process through the hook function when the target process generates the key, wherein the target key is used for decrypting a target file;
and the storage module is used for storing the target key into a key file.
11. A file decrypting apparatus, applied to an electronic device in which a target process with a hook function injected in advance runs in a kernel layer, comprising:
a determining module, configured to determine, when the target process is determined to be a ransomware process, a target key corresponding to the ransomware process from a prestored key file, where the target key is obtained by the method according to any one of claims 1 to 5;
and the decryption module is used for decrypting the target file encrypted by the ransomware process by using the target key.
12. An electronic device comprising a processor and a memory, the memory being configured to store a program, the processor being configured to implement the key acquisition method according to any one of claims 1 to 5 or the file decryption method according to any one of claims 6 to 9 when the program is executed.
13. A computer-readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, implements the key acquisition method according to any one of claims 1 to 5 or implements the file decryption method according to any one of claims 6 to 9.
CN202310218380.5A 2023-03-08 2023-03-08 Key acquisition method, file decryption method and related devices Pending CN116305263A (en)

Publications (1)

Publication Number Publication Date
CN116305263A true CN116305263A (en) 2023-06-23

Family

ID=86800808

Country Status (1)

Country Link
CN (1) CN116305263A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination