Method and system for monitoring system event log emptying behavior of Windows process
Main Authors |
---|---
Format | Patent
Language | Chinese; English
Published | 28.03.2023
Subjects |
Online Access | Get full text
Summary | The embodiment of the invention discloses a method and a system for monitoring the system event log emptying behavior of a Windows process. The method comprises the following steps: finding the dynamic link library module corresponding to the Windows event log service and searching it for the feature code of a remote procedure call server interface structure that matches a specific remote procedure call interface byte-code signature; searching for the address of the event log emptying function that accepts a wide-character parameter; hooking that wide-character event log emptying function to obtain the name of the log file to be emptied and the information of the calling process; and reporting the log file name and the process information to an upper-layer policy control engine, which judges whether the behavior is malicious. The system comprises a process injection module, a remote procedure call server interface search module, an emptying event log function search module for recei
---|---
Bibliography | Application Number: CN202211599879