Method and system for monitoring system event log emptying behavior of Windows process

• Main Authors: DAI PENG, BAO CHUNJIE, JIANG XIANGQIAN
• Format: Patent
• Language: Chinese; English
• Published: 28.03.2023
• Subjects: CALCULATING; COMPUTING; COUNTING; ELECTRIC DIGITAL DATA PROCESSING; PHYSICS

The embodiment of the invention discloses a method and a system for monitoring a system event log emptying behavior of a Windows process. The method comprises the following steps of: finding a dynamic link library module corresponding to Windows event log service, and searching a feature code of a remote procedure call server interface structure body conforming to a specific remote procedure call interface byte code feature; searching an address of an event log emptying function accepting the wide character parameter; performing hooking operation on the emptying event log function receiving the wide character parameter to obtain a name and process information of a log file to be emptied; and reporting the log file name and the process information to an upper-layer strategy control engine, and judging whether the behavior is a malicious behavior or not. The system comprises a process injection module, a remote procedure call server interface search module, an emptying event log function search module for recei