CN104598809A - Program monitoring method and defending method thereof, as well as relevant device - Google Patents

Publication number: CN104598809A
Authority: CN (China)
Application number: CN201510080320.7A
Other versions: CN104598809B (en)
Other languages: Chinese (zh)
Inventors: 李常坤, 路轶
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Legal status: Granted; Expired - Fee Related (current)
Prior art keywords: function, hook, program, java, module
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201510080320.7A
Publication of CN104598809A
Application granted; publication of CN104598809B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The invention provides a program monitoring method and device. The program monitoring method comprises the following steps: writing a jump instruction into the located target function so as to hook it; dispatching the hook function to the registered Java callback functions, and preventing the temporary variables created from being reclaimed by the system's garbage collection mechanism; if the target function is not to be handled, jumping back to the hook position, and otherwise continuing to handle the target function. With the program monitoring method of the invention, any Java function of an Android system in ART mode can be monitored without corrupting the stack of the target function, so that ART's garbage collection mechanism can reclaim memory normally. The invention further provides a program defence method and device, which implement a defence mechanism for the Android system in ART mode by using the program monitoring method of the invention.

Description

Program monitoring method and defence method thereof, and related devices
Technical field
The present invention relates to the technical field of computer software security; specifically, it relates to a program monitoring method and related device, and to a program defence method and related device.
Background
Security defence technology on the Android system injects code into a process in a known manner and hijacks the process's functions, and by such means monitors and responds to the process. The prior art achieves this security defence goal mainly for the Dalvik virtual machine used in versions before Android 4.4. Since Android 4.4, Android has gradually adopted the ART virtual machine in place of Dalvik, and the two differ technically in several respects.
Dalvik is the Java virtual machine that Google designed for the Android platform. The Dalvik virtual machine is one of the core components of the Android mobile device platform developed jointly by Google and other vendors. It runs Java applications that have been converted to the .dex (Dalvik Executable) format, a compact format designed specifically for Dalvik and suited to systems with limited memory and processor speed. Dalvik is optimized so that multiple virtual machine instances can run simultaneously in limited memory, and each Dalvik application executes as an independent Linux process. Independent processes prevent all programs from being shut down when a virtual machine crashes.
ART stands for Android Runtime. It executes applications in a completely different way from Dalvik, which relies on a Just-In-Time (JIT) compiler to interpret bytecode. The application code compiled by the developer has to be run through an interpreter on the user's device; this mechanism is not efficient, but it makes it easier for applications to run on different hardware and architectures. ART changes this approach completely: bytecode is precompiled to machine code when the application is installed, a mechanism called Ahead-Of-Time (AOT) compilation. With the code interpretation step removed, applications execute more efficiently and start faster.
Because of the differences above between the Dalvik and ART modes, which show up in the memory space (the former distinguishes a virtual space from a real space, the latter has only a mixed space), using traditional security defence techniques under ART mode to monitor the functions called by a program process becomes more difficult. In particular, some monitoring operations applied to a process under ART mode alter the structure of its memory stack and leave traces on the stack, causing memory access errors.
More crucially, ART's garbage collection mechanism also differs from Dalvik's: the former reclaims memory garbage only in the virtual space, while the latter reclaims garbage in the real space of the mixed environment. If this factor is not taken into account, both the in-memory data of the monitoring technique itself and the data of the monitored process are liable, when resources are tight, to be improperly reclaimed by ART's garbage collection mechanism, causing the process to crash. In particular, from Android 5.0 onwards a compacting memory reclamation mechanism is used that can move memory objects; if such moves are not tracked, memory access exceptions likewise result.
Summary of the invention
The object of the present invention is to solve at least one of the above problems by providing a program monitoring method and related device for monitoring the functions of applications on Android 5.0; correspondingly, a program defence method and related device are also provided.
The invention provides a program monitoring method comprising the following steps:
Locating the machine code executed by the target function;
Writing a jump instruction to hook the target function;
Dispatching the hook function to the registered Java callback functions, and preventing the temporary variables created from being reclaimed by the system's garbage collection mechanism;
Determining whether to continue handling the hooked target function;
If it is not handled, jumping back to the hook point of the target function;
If it is handled, not jumping back, and performing the corresponding handling on the target function.
Specifically, the hook operation is an inline hook.
Specifically, the jump instruction is an ARM instruction.
Specifically, preventing the temporary variables created from being reclaimed by the system's garbage collection mechanism refers to two cases: a Java function calling a Java function, and a Java function calling a Native function.
A program monitoring device, characterized in that it comprises:
Hooking module: for locating the machine code executed by the target function;
Jump module: for writing a jump instruction to hook the target function;
Dispatch module: for dispatching the hook function to the registered Java callback functions, and preventing the temporary variables created from being reclaimed by the garbage collection mechanism;
Judging module: for determining whether to handle the hooked target function;
Jump-back module: for jumping back to the hook point of the target function;
Processing module: for performing the corresponding handling operation on the target function.
Specifically, the hooking module uses an inline hook.
Specifically, the jump instruction executed by the jump module is an ARM instruction.
Specifically, preventing the temporary variables created from being reclaimed by the system's garbage collection mechanism refers to two cases: a Java function calling a Java function, and a Java function calling a Native function.
A program defence method, comprising the following steps:
Injecting an so file into a service process of the system;
Monitoring the event behaviour of applications in the system;
Responding to instructions from the service process and handling the event behaviour of the program process, wherein the monitoring step is performed using the program monitoring method described above.
A program defence device, comprising:
Injection module: for injecting an so file into a service process of the system;
Monitoring module: for monitoring the event behaviour of applications in the system;
Response module: for responding to instructions from the service process and handling the event behaviour of the program process,
wherein the monitoring module performs the program monitoring method described above.
Compared with the prior art, the solution of the present invention has the following advantages:
1. A program monitoring method is provided in which an inline hook writes a jump instruction from the ARM instruction set into the machine code of the target function, making it possible to hook any Java function of Android under ART mode.
2. In the program monitoring method provided by the invention, the hook function is dispatched to the registered Java callback functions and the temporary variables created are prevented from being reclaimed by the garbage collection mechanism. Preventing temporary variables from being reclaimed covers two cases: garbage collection when Java calls Java, and garbage collection when Java calls Native. This ensures that the temporary variables created when the Java layer calls the Java layer are marked and not reclaimed, and likewise the temporary variables created when the Java layer calls the Native layer. At the same time, ART's garbage collection mechanism can still complete the reclamation of garbage object memory normally.
3. A program defence method is provided that implements a defence mechanism under ART mode by using the function monitoring method of the invention to monitor Java-layer functions of the Android system under ART mode. Unlike the prior art, which intercepts only a limited set of target functions when the JNI layer communicates, hooking directly at the Java layer makes it easy to find the target function to intercept, and target functions of arbitrary behaviour can be intercepted.
Additional aspects and advantages of the invention are given in part in the description that follows; they will become apparent from that description or be learned through practice of the invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the invention will become apparent and readily understood from the following description of the embodiments in conjunction with the accompanying drawings, in which:
Fig. 1 is a flow diagram of a program monitoring method;
Fig. 2 is a block diagram of a program monitoring device;
Fig. 3 is a flow diagram of a program defence method;
Fig. 4 is a block diagram of a program defence device.
Detailed description of the embodiments
Embodiments of the invention are described in detail below. Examples of the embodiments are shown in the drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary, serve only to explain the invention, and are not to be construed as limiting it.
Those skilled in the art will appreciate that, unless expressly stated otherwise, the singular forms "a", "an", "the" and "said" used herein may also include the plural. It should further be understood that the word "comprising" used in this specification refers to the presence of the stated features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is said to be "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intervening elements may be present. In addition, "connected" or "coupled" as used herein may include wireless connection or wireless coupling. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
Those skilled in the art will appreciate that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by one of ordinary skill in the art to which the invention belongs. It should also be understood that terms such as those defined in general dictionaries are to be understood as having a meaning consistent with their meaning in the context of the prior art and, unless specifically defined as here, are not to be interpreted in an idealized or overly formal sense.
Those skilled in the art will appreciate that "terminal" and "terminal device" as used herein include both devices that have only a wireless signal receiver without transmitting capability and devices with receiving and transmitting hardware capable of two-way communication over a bidirectional communication link. Such a device may include: a cellular or other communication device, with a single-line display, a multi-line display, or no multi-line display; a PCS (Personal Communications Service), which may combine voice, data processing, fax and/or data communication capabilities; a PDA (Personal Digital Assistant), which may include a radio frequency receiver, pager, Internet/intranet access, web browser, notepad, calendar and/or GPS (Global Positioning System) receiver; and a conventional laptop and/or palmtop computer or other device that has and/or includes a radio frequency receiver. "Terminal" and "terminal device" as used herein may be portable, transportable, installed in a vehicle (air, sea and/or land), or suited and/or configured to run locally and/or, in distributed form, at any other location on Earth and/or in space. "Terminal" and "terminal device" as used herein may also be a communication terminal, an Internet access terminal or a music/video playback terminal, for example a PDA, a MID (Mobile Internet Device) and/or a mobile phone with music/video playback functions, or a device such as a smart TV or set-top box.
Those skilled in the art will appreciate that the remote network device used herein includes, but is not limited to, a computer, a network host, a single network server, a set of multiple network servers, or a cloud formed of multiple servers. Here, a cloud consists of a large number of computers or network servers based on cloud computing, where cloud computing is a form of distributed computing: a super virtual computer made up of a group of loosely coupled computers. In embodiments of the invention, the remote network device, the terminal device and the WNS server may communicate by any means, including but not limited to mobile communication based on 3GPP, LTE or WIMAX, computer network communication based on the TCP/IP or UDP protocols, and short-range wireless transmission based on the Bluetooth or infrared transmission standards.
Android has three modes of operation:
1. JNI: during development a compiler compiles languages such as C/C++ directly into machine code, which can make full use of system performance at run time; this is the fastest;
2. Dalvik: the mode of operation of all Android versions before Android L. It uses bytecode, which at run time is interpreted into machine code the machine can recognize; this process is slower;
3. ART: a new runtime environment introduced starting with Android 4.4. The dex2oat tool converts DEX files directly into machine code files when an app is installed, and the app runs as machine code at run time, which makes full use of system performance. In addition, the improved memory reclamation mechanism makes the memory reclamation speed under ART mode only 50% of that under Dalvik mode, which also raises the running speed of the system.
The Android system architecture can be divided, by programming language, into the Java layer, the Native layer and the Linux kernel layer. Malware and security software at the Java layer are both developed in Java. Malware can register for certain system events and, without the user's knowledge, secretly send text messages, eavesdrop on calls and the like. Because Java-layer applications use the Android SDK, the permissions they have are limited, and because Java cannot access memory directly, active defence by Java-layer security software is difficult.
Prior-art monitoring methods are generally applicable only to Android systems in Dalvik mode and not to Android 5.0 in ART mode. A few monitoring methods can monitor only the JNI layer under ART mode; since hooking at the JNI layer requires finding the JNI-layer function, hook points are hard to find, only some functions can be hooked, and functions of arbitrary behaviour cannot. The invention provides a program monitoring method that can be used not only to hook native-layer functions but also to hook Java-layer functions of arbitrary behaviour. A specific embodiment is as follows:
S11. Locating the machine code executed by the target function
What the ART runtime executes is the native machine instructions obtained by translating DEX bytecode, so the core of ART is the OAT file. An OAT file is a private Android ELF file format that contains the native machine instructions translated from the DEX file. However, because the ART runtime provides the Java virtual machine interface, and implementing that interface depends on the DEX file, the OAT file also contains the original DEX file content. Internally the ART runtime describes classes and methods with two different terms: a class is described as Class, and a class method as Method.
Each Java function corresponds to a Method structure whose member variables include the class object pointer of the class the method belongs to, the method's attributes, the method's index in the dex file, the pointer to the method's machine code, and the pointer to the method's native code, among others. At the Native layer, a Java function is called to obtain the Method structure of the target function. The structure member variable const void* entry_point_from_compiled_code points to the address of the machine code that the target function executes, and the machine code is found through the address recorded in this member variable. Because Android versions differ, the position of this member variable within the Method structure is not fixed and is obtained by dynamic probing.
S12. Writing a jump instruction to hook the target function
In a specific implementation, the machine code of the invention is the binary code produced by ART compilation, and the hook operation is an inline hook applied to the machine code of the monitored target function. Unlike an ordinary hook, which modifies the address through which a function is called, an inline hook modifies instructions directly inside the body of the target function, using a jump instruction to achieve the hook.
ARM is a 32-bit instruction set. The hooked target function is compiled to the ARM instruction set; a jump instruction is written into the target function so that it jumps to the custom hook function. The embodiment is as follows:
First, save the addresses of the custom hook function and of the target function being hooked;
Generate the hook code, specifically 12 bytes, which loads the address of the custom hook function into the PC register;
Write the jump instruction into the first 12 bytes of the target function.
When the hooked target function is about to be called, the jump instruction executes and jumps to the custom hook function.
Once the machine code executed by the target function has been found, it is hooked by inline hook: a jump instruction is written into its first 12 bytes. The jump instruction is an ARM instruction, specifically MOV PC, LR, wherein:
When the target function executes this instruction, control jumps into our custom hook function; at the same time the function context in which the target function was called is saved, that is, the memory address of its caller is saved.
Here PC is the current address and LR is the address to jump to. LR is passed to PC; the PC register stores the address of the next instruction to execute and so indicates the next instruction to be executed, which effects the jump.
In addition, before the jump instruction is written, check whether the location is writable; if it is not, change it to a writable state. Also determine whether the target function has already been hooked; a function that has already been hooked is not hooked again.
S13. Dispatching the hook function to the registered Java callback functions, and preventing the temporary variables created from being reclaimed by the system's garbage collection mechanism
ART currently implements two garbage collection techniques, Mark-Sweep and Semi-Space. The basic idea is as follows. The positions in memory of all objects are recorded in bitmap A. Starting from the roots of all objects, all references of the root objects are scanned, then all references of the referenced objects, traversing level by level through the stack structure until leaf-node objects are reached. During the scan, the positions of the objects encountered are recorded in bitmap B. After the scan ends, the two bitmaps A and B are compared: every object marked 1 in A and 0 in B is regarded as garbage, the object is located from its index in the bitmap, and the memory it occupies is released. In addition, a "Large Object Space" (blobspace) has been introduced into ART's garbage collection mechanism to handle large objects in application memory, such as pictures. Such large objects can fragment the heap and cause serious problems; a smarter memory allocation layout reduces fragmentation and substantially lowers how often GC is invoked. ART also has a moving collector for compacting live objects, which tidies the memory space and makes it more compact, greatly improving overall GC performance.
ART's garbage collection mechanism lightens much of the burden of earlier garbage collection. Pauses are no longer needed during execution, and the marking process completes as much marking as possible in two marking passes before other threads are paused, so that the pause only needs to carry out a simple check and verification.
The inline hook diverts the flow of the target function into the custom hook function, which needs to obtain the target function's parameters. The first parameter is the method pointer. The second parameter may be the first argument or may be the class pointer: for a static method it is the first pointer; for a class method it is the class pointer. All parameters of the target function are found in turn, the function's method information is obtained from them, and further processing follows.
A Java application registers callback functions with the custom hook function. When a target function is intercepted, the hook function dispatches to and calls each Java callback function, thereby passing the information about the intercepted target function to the Java application. During this process, garbage collection takes place when ART runs low on memory, when the application's memory reaches a certain limit, or when the program actively triggers GC; in each case the garbage collection thread is started and the memory of garbage objects is released.
Because the hook increases the stack frames, and the garbage collection mechanism finds temporary variables through the stack structure and reclaims unmarked objects, the temporary variables of functions called after the hook must be prevented from being reclaimed. The invention takes corresponding measures mainly for the following two cases:
1. A Java function calls a Java function
Each stack layer in the Java function call stack corresponds to a Method pointer, i.e. the Method structure of the called function. From this structure the stack height of the current layer can be calculated, and the number of temporary variables recorded in the Method structure is marked. From the stack height and stack frame of the current layer, the Method structure of the function called in the layer above is obtained and its temporary variables are marked. The method continues in this way to find each next function call and mark its temporary variables in turn, until the temporary variables of all called functions pushed onto the stack have been marked, which prevents these temporary variables from being reclaimed.
2. A Java function calls a Native function
If a Java-layer function calls a Native-layer function, the stack is that of the Native-layer function. Because the Native-layer compiler differs from the Java-layer ART compiler, how much stack a Native-layer function uses cannot be known, so the stack height cannot be known either; that is, the Method pointer is null at this point. To obtain the stack height, a linked list is used: ART's garbage collection mechanism automatically searches the ManagerStack structure, one of whose member variables is a pointer to the head of the linked list. The list points to the next Method; the stack height recorded by this Method is used to obtain the number of temporary variables, and those temporary variables are marked so that the garbage collection mechanism does not reclaim them.
In addition, the garbage collection mechanism of Android 5.0 includes a compacting memory reclamation mechanism that defragments memory by moving objects' memory, preventing excessive fragmentation. As a result, if we create an object and hold a pointer to it for a long time, and GC moves the object elsewhere during defragmentation, then by the time Native code uses the object it has been moved, and the memory the pointer refers to is no longer that object. The invention avoids this problem as follows:
1. Convert the Java object created by the hook function into a JNI object
An object of a Java class type is converted into an object of JNI type; that is, a variable recording the hook function's calling context that needs to be preserved is converted into a JNI object when the hook is performed.
2. Pass the JNI object to ART's interface function for decoding
The JNI object can be decoded by ART's interface function DecodeJObject(jobject obj) to obtain the Java object. The code of the interface function is as follows:
3. After decoding, obtain the original Java object, created by the hook function, that the JNI object refers to
The JNI object is only a reference to the Java object; the Java object obtained by decoding is the real original Java object. The original Java object obtained by decoding is assigned to the corresponding variable.
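An added illustration, not code from the patent or from ART: a toy C model of the two-bitmap mark-sweep and the compacting collector described in S13. It shows why a temporary created in an unscanned hook frame is swept, and why a raw pointer goes stale after compaction while an indirect handle (the role the JNI object plays in steps 1 to 3) still resolves. The heap layout, slot counts and all function names are assumptions made for this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HEAP_SLOTS  8
#define MAX_HANDLES 4
#define NONE        (-1)

/* Toy object: a payload plus at most one outgoing reference (a slot index). */
typedef struct { int value; int ref; } Obj;
typedef struct { int raw_value; int handle_value; } Seen;

static Obj     heap[HEAP_SLOTS];
static uint8_t bitmap_a, bitmap_b;   /* A: allocated slots; B: slots reached from a root */
static int     handles[MAX_HANDLES]; /* indirect references: handle -> current slot      */

static void heap_reset(void) {
    bitmap_a = bitmap_b = 0;
    for (int h = 0; h < MAX_HANDLES; h++) handles[h] = NONE;
}

static int alloc_obj(int value, int ref) {
    for (int i = 0; i < HEAP_SLOTS; i++)
        if (!(bitmap_a & (1u << i))) {          /* first free slot */
            heap[i] = (Obj){ value, ref };
            bitmap_a |= (uint8_t)(1u << i);
            return i;
        }
    return NONE;
}

static int new_handle(int slot) {
    for (int h = 0; h < MAX_HANDLES; h++)
        if (handles[h] == NONE) { handles[h] = slot; return h; }
    return NONE;
}

/* Stand-in for decoding an indirect reference: always the object's current slot. */
static int decode_handle(int h) { return handles[h]; }

static void mark_from(int slot) {
    while (slot != NONE && !(bitmap_b & (1u << slot))) {
        bitmap_b |= (uint8_t)(1u << slot);
        slot = heap[slot].ref;
    }
}

/* Mark from the scanned frame roots and the handle table, then free every A=1,B=0 slot. */
static void mark_sweep(const int *roots, int nroots) {
    bitmap_b = 0;
    for (int i = 0; i < nroots; i++) mark_from(roots[i]);
    for (int h = 0; h < MAX_HANDLES; h++) mark_from(handles[h]);
    bitmap_a &= bitmap_b;
}

/* Slide survivors to the lowest slots; object refs and handles are fixed, raw copies are not. */
static void compact(void) {
    int fwd[HEAP_SLOTS], next = 0;
    for (int i = 0; i < HEAP_SLOTS; i++) {
        fwd[i] = NONE;
        if (bitmap_a & (1u << i)) { fwd[i] = next; heap[next++] = heap[i]; }
    }
    for (int i = 0; i < next; i++)
        if (heap[i].ref != NONE) heap[i].ref = fwd[heap[i].ref];
    for (int h = 0; h < MAX_HANDLES; h++)
        if (handles[h] != NONE) handles[h] = fwd[handles[h]];
    bitmap_a = (uint8_t)((1u << next) - 1u);
}

/* Case 1: does a temporary created inside the hook survive a collection? */
static int temp_survives(int hook_frame_scanned) {
    heap_reset();
    int app   = alloc_obj(1, NONE);    /* rooted by the target function's frame */
    int child = alloc_obj(5, NONE);    /* reachable only through the temporary  */
    int tmp   = alloc_obj(42, child);  /* temporary created in the hook frame   */
    int roots[2] = { app, tmp };
    mark_sweep(roots, hook_frame_scanned ? 2 : 1);
    return (bitmap_a >> tmp) & 1;
}

/* Case 2: read the same object through a saved raw slot and through a handle. */
static Seen read_after_compaction(void) {
    heap_reset();
    alloc_obj(1, NONE);                /* slot 0: unreferenced, will be swept */
    int raw = alloc_obj(42, NONE);     /* slot 1: object kept by the hook     */
    int h = new_handle(raw);
    mark_sweep(NULL, 0);
    compact();                         /* the object slides from slot 1 to 0  */
    alloc_obj(7, NONE);                /* an unrelated object reuses slot 1   */
    Seen s = { heap[raw].value, heap[decode_handle(h)].value };
    return s;
}

int main(void) {
    Seen s = read_after_compaction();
    printf("temp survives: unscanned=%d scanned=%d; after compaction: raw=%d handle=%d\n",
           temp_survives(0), temp_survives(1), s.raw_value, s.handle_value);
    return 0;
}
```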
S14. Determining whether to continue handling the hooked target function
S15. If it is not handled, jumping back to the hook point of the target function
If, after the information about the target function has been obtained through the Java callback functions, nothing is done to the target function, the jump address of the hooked target function saved earlier by the hook function is written back to the PC register, and the target function continues by executing the original code that was overwritten. At the same time, the marked temporary variables of the hook function are returned to the unmarked state and are reclaimed automatically by the garbage collection thread.
S16. If it is handled, not jumping back, and performing the corresponding handling on the target function
Correspondingly, the invention also provides a program monitoring device comprising a hooking module 11, a jump module 12, a dispatch module 13, a judging module 14, a jump-back module 15 and a processing module 16, wherein:
The hooking module 11 locates the machine code executed by the target function. At the Native layer, certain Java functions are called to obtain the Method structure of the target function; the structure has a member variable that points to the machine code the target function executes, and the machine code is found through the address recorded in this member variable.
Redirect module 12 is linked up with objective function for writing jump instruction.ARM is 32 bit instruction collection, is compiled as ARM instruction set by the objective function of hook, the jump instruction of write objective function, and make objective function jump to self-defining hook function, embodiment is as follows:
First by self-defining hook function with preserved by the address of the objective function of hook;
Generate the code of hook, be specially 12 bytes, self-defining hook function address is loaded into PC register;
Jump instruction is write front 12 bytes of objective function.
When the objective function by hook will be called, perform jump instruction and jump to self-defining hook function.
After the machine code finding objective function to perform, adopt inline hook (inline hook) mode to link up with it, in 12 bytes of its beginning, write jump instruction, jump instruction adopts arm instruction, is specially MOV PC, LR, wherein;
Just jump to when objective function performs this instruction in our self-defining hook function, preserve the function context that objective function calls simultaneously, namely preserve the memory address of its call function.
Wherein PC is current address, and LR is the address of wanting redirect, and LR is passed to PC, and PC register stores next instruction address that will perform, and the instruction indicating next to perform, namely realizes redirect.
In addition, first to check whether and can write before write jump instruction, will make into write state if can not write; And judge that whether objective function is by hook mistake, no longer carried out hook by the function that hook crosses.
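Seen from the defending side, the 12-byte overwrite of a function's beginning described above is something an integrity check can look for. The following is an added example, not code from the patent: it compares a function's first 12 bytes in memory with a trusted copy and classifies any A32 instruction there that writes PC. The sample byte arrays are constructed, and all function and enum names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOOK_LEN 12 /* the hook described above overwrites the first 12 bytes */

enum pc_write { PCW_NONE, PCW_BX, PCW_DATAPROC, PCW_LDR };
enum verdict  { V_CLEAN, V_MODIFIED, V_HOOKED };

/* Constructed sample prologues (little-endian A32 words), not from a real binary. */
static const uint8_t SAMPLE_ORIGINAL[HOOK_LEN] = {
    0x10, 0x40, 0x2D, 0xE9,   /* push {r4, lr}   */
    0x08, 0xD0, 0x4D, 0xE2,   /* sub  sp, sp, #8 */
    0x00, 0x40, 0xA0, 0xE1 }; /* mov  r4, r0     */
static const uint8_t SAMPLE_HOOKED[HOOK_LEN] = {
    0x0E, 0xF0, 0xA0, 0xE1,   /* mov pc, lr (the instruction the page names) */
    0x08, 0xD0, 0x4D, 0xE2,
    0x00, 0x40, 0xA0, 0xE1 };
static const uint8_t SAMPLE_PATCHED[HOOK_LEN] = {
    0x00, 0x00, 0xA0, 0xE1,   /* mov r0, r0: changed, but no PC write */
    0x08, 0xD0, 0x4D, 0xE2,
    0x00, 0x40, 0xA0, 0xE1 };
static const uint8_t SAMPLE_LEAF[HOOK_LEN] = {
    0x00, 0x00, 0xA0, 0xE3,   /* mov r0, #0 */
    0x1E, 0xFF, 0x2F, 0xE1,   /* bx  lr: a legitimate early return */
    0x10, 0x40, 0x2D, 0xE9 }; /* start of the next function */

/* Read one little-endian 32-bit instruction word. */
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classify an A32 instruction word by how, if at all, it writes PC. */
enum pc_write classify_pc_write(uint32_t insn)
{
    uint32_t rd = (insn >> 12) & 0xFu;            /* destination register */

    if ((insn >> 28) == 0xFu)                     /* unconditional space: not decoded */
        return PCW_NONE;
    if ((insn & 0x0FFFFFF0u) == 0x012FFF10u)      /* BX Rm */
        return PCW_BX;
    if ((insn & 0x0C000000u) == 0x00000000u) {    /* data-processing space */
        uint32_t opcode = (insn >> 21) & 0xFu;
        int mul_or_extra = !(insn & (1u << 25)) && (insn & 0x90u) == 0x90u;
        int cmp_or_misc  = opcode >= 8 && opcode <= 11; /* TST..CMN, MRS/MSR */
        if (!mul_or_extra && !cmp_or_misc && rd == 15)
            return PCW_DATAPROC;                  /* e.g. MOV PC, Rm */
        return PCW_NONE;
    }
    if ((insn & 0x0C000000u) == 0x04000000u) {    /* single word/byte transfer */
        int media = (insn & (1u << 25)) && (insn & (1u << 4));
        int load  = (insn >> 20) & 1;
        int byte  = (insn >> 22) & 1;
        if (!media && load && !byte && rd == 15)
            return PCW_LDR;                       /* LDR PC, [...] */
    }
    return PCW_NONE;
}

/* Index (0..2) of the first word in the 12 bytes that writes PC, or -1. */
int first_pc_write(const uint8_t *code, enum pc_write *kind)
{
    for (int i = 0; i < HOOK_LEN / 4; i++) {
        enum pc_write k = classify_pc_write(rd32le(code + 4 * i));
        if (k != PCW_NONE) {
            if (kind) *kind = k;
            return i;
        }
    }
    return -1;
}

/* Compare the in-memory prologue with a trusted copy of the same 12 bytes.
 * A PC write only counts as a hook when the bytes differ from the baseline,
 * so short leaf functions that return early are not false positives. */
enum verdict check_prologue(const uint8_t *in_memory, const uint8_t *trusted)
{
    if (memcmp(in_memory, trusted, HOOK_LEN) == 0)
        return V_CLEAN;
    return first_pc_write(in_memory, NULL) >= 0 ? V_HOOKED : V_MODIFIED;
}

int main(void)
{
    static const char *names[] = { "clean", "modified", "hooked" };
    printf("original: %s\n", names[check_prologue(SAMPLE_ORIGINAL, SAMPLE_ORIGINAL)]);
    printf("hooked:   %s\n", names[check_prologue(SAMPLE_HOOKED, SAMPLE_ORIGINAL)]);
    printf("patched:  %s\n", names[check_prologue(SAMPLE_PATCHED, SAMPLE_ORIGINAL)]);
    printf("leaf:     %s\n", names[check_prologue(SAMPLE_LEAF, SAMPLE_LEAF)]);
    return 0;
}
```

The baseline comparison carries the verdict; the instruction classifier only explains what a changed prologue does, which is why the leaf function with an early `bx lr` stays clean.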
Distribution module 13 dispatches the hook function to registered Java callback functions and prevents the created temporary variables from being collected by the system garbage collection mechanism. The detailed process is:
The inline hook redirects the flow of the target function into the custom hook function, which needs to obtain the parameters of the target function. The first parameter is the method pointer. The second parameter may be the first parameter or a class pointer: for a static method it is the first parameter, and for a class method it is the class pointer. All parameters of the target function are found in turn, and the method information of the function is obtained from these parameters for further processing.
A Java application registers callback functions with the custom hook function. When a target function is intercepted, the hook function dispatches to and calls each Java callback function, thereby passing the information of the intercepted target function to the Java application. During this process, ART performs garbage collection when memory runs low: it starts the garbage collection thread, which frees the memory of garbage objects.
Because the hook enlarges the stack frame, and the garbage collection mechanism finds temporary variables through the stack structure and collects unmarked objects, the temporary variables of functions called after the hook must be prevented from being collected. The present invention takes corresponding measures mainly for the following two cases:
1. Java function calls Java function
Each stack layer of a Java function corresponds to a Method pointer, and this pointer records the stack height of that layer. The number of temporary variables is known from the recorded stack height, and these temporary variables are marked so that they are not collected.
2. Java function calls Native function
If a Java-layer function calls a Native-layer function, the stack is that of the Native-layer function. Because the Native-layer compiler differs from the Java-layer ART compiler, it cannot be known how much stack the Native-layer function uses, so the stack height cannot be known either; that is, the Method pointer is null at this point. To obtain the stack height, a linked-list approach is used: the ART garbage collection mechanism automatically looks up the structure ManagerStack, one of whose member variables is a pointer to the head of a linked list. The list points to the next Method; the stack height recorded by that Method gives the number of temporary variables, and these temporary variables are marked to prevent the garbage collection mechanism from collecting them.
Judge module 14 decides whether to process the hooked target function.
Rebound module 15 jumps back to the hooked location of the target function. If, after the information of the target function has been obtained through the Java callback functions, no processing is done on the target function, the jump address of the hooked target function, saved earlier by the hook () function, is written back to the PC register, and the target function then continues executing the original code that was overwritten. At the same time, the marked temporary variables of the hook function are converted to the unmarked state and are collected automatically by the garbage collection thread.
Processing module 16 performs the corresponding processing on the target function.
The invention also provides a program defense method, embodied as follows:
S11: Inject an so file into a system service process
So injection means injecting an so file from one process into another process; the interception function is implemented by this so file. The specific procedure is:
Step 1: ptrace_attach to the target process, so that the target process stops when a ptrace_syscall occurs;
Step 2: ptrace_getregs saves the context of the target process, i.e. the register state of the target process;
Step 3: ptrace_setregs rewrites the PC register of the target process so that it points to the address of the function mmap;
Step 4: ptrace_cont lets the target process resume execution, at which point the function mmap is executed;
Step 5: ptrace_getregs obtains the value of the target process's R0 register, which is the return value of the function mmap and points to a block of memory allocated in the target process's address space;
Step 6: ptrace_poketext writes the code to be injected to the address allocated in the target process;
Step 7: ptrace_setregs rewrites the PC register of the target process so that it points to the start address of the injected code;
Step 8: ptrace_detach from the target process; once it resumes execution, the target process performs the injection.
S12: Monitor the event behavior of applications in the system
When certain event behaviors of an application in the system are observed, such as reading contacts, sending SMS messages, reading photos and similar event behaviors, they are intercepted and the application's feature information, such as its UID and package name, is extracted.
The monitoring process described in this embodiment is based on an Android system in ART mode. The concrete monitoring steps are performed by the function monitoring method under ART mode described above: the functions corresponding to the application's event behaviors are hooked to obtain its feature information. In this process, because the compiler of the ART virtual machine differs from the compiler of the Linux kernel, memory management must be carried out at the same time so as not to affect the GC mechanism in the ART virtual machine.
S13: Respond to the instruction of the service process and handle the event behavior of the application process
Based on the feature information obtained in the above step, known setting data, local or remote (for example stored in a local or remote database), is checked to determine whether the event behavior of the application corresponding to this feature information should be restricted or prohibited. When the application is one that should be restricted or prohibited, the system service process sends an instruction, and the monitoring module responds and handles it. The known setting data may store the mapping between each UID and whether it is restricted or prohibited. This processing provides safer and more effective monitoring: by configuring the known setting data, especially when it can be updated remotely in a timely manner, the running of malicious applications on the mobile terminal can be stopped promptly.
Correspondingly, the present invention also provides a program defense device, comprising injection module 11, monitoring module 12 and respond module 13. Wherein:
Injection module 11 injects an so file into a system service process. The specific procedure is:
Step 1: ptrace_attach to the target process, so that the target process stops when a ptrace_syscall occurs;
Step 2: ptrace_getregs saves the context of the target process, i.e. the register state of the target process;
Step 3: ptrace_setregs rewrites the PC register of the target process so that it points to the address of the function mmap;
Step 4: ptrace_cont lets the target process resume execution, at which point the function mmap is executed;
Step 5: ptrace_getregs obtains the value of the target process's R0 register, which is the return value of the function mmap and points to a block of memory allocated in the target process's address space;
Step 6: ptrace_poketext writes the code to be injected to the address allocated in the target process;
Step 7: ptrace_setregs rewrites the PC register of the target process so that it points to the start address of the injected code;
Step 8: ptrace_detach from the target process; once it resumes execution, the target process performs the injection.
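Seen from the defending side, steps 5 to 7 of this procedure (and of the identical list under S11) leave an executable memory region in the target process that holds injected code. The added example below, which is not part of the patent, parses `/proc/<pid>/maps` text and reports executable mappings that no file backs; it assumes the region returned by mmap is an anonymous mapping, and the sample maps text and all names are constructed.

```c
#include <stdio.h>
#include <string.h>

struct region {
    unsigned long start, end;
    char perms[5];      /* e.g. "rwxp" */
    int anonymous;      /* 1 when the line carries no pathname */
};

/* Constructed sample of /proc/<pid>/maps content, not from a real device. */
static const char SAMPLE_MAPS[] =
    "b6e00000-b6e45000 r-xp 00000000 b3:19 1234 /system/lib/libc.so\n"
    "b6e45000-b6e48000 rw-p 00045000 b3:19 1234 /system/lib/libc.so\n"
    "b6f10000-b6f11000 rwxp 00000000 00:00 0 \n"
    "b6f20000-b6f40000 rw-p 00000000 00:00 0 [heap]\n"
    "be900000-be921000 rw-p 00000000 00:00 0 [stack]\n";

/* Parse one maps line: "start-end perms offset dev inode [pathname]".
 * Returns 1 on success, 0 when the line is malformed. */
int parse_maps_line(const char *line, struct region *r)
{
    unsigned long offset, inode;
    unsigned int dev_major, dev_minor;
    char path[256];
    int n = sscanf(line, "%lx-%lx %4s %lx %x:%x %lu %255s",
                   &r->start, &r->end, r->perms, &offset,
                   &dev_major, &dev_minor, &inode, path);
    if (n < 7 || strlen(r->perms) != 4)
        return 0;
    r->anonymous = (n == 7);   /* seven fields: no pathname followed the inode */
    return 1;
}

/* Walk maps text line by line and collect anonymous executable regions.
 * Returns the number found; at most max_out of them are stored in out. */
int find_anon_exec(const char *maps, struct region *out, int max_out)
{
    int found = 0;
    while (*maps) {
        char line[512];
        size_t len = strcspn(maps, "\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;
        struct region r;

        memcpy(line, maps, n);
        line[n] = '\0';
        if (parse_maps_line(line, &r) && r.anonymous && r.perms[2] == 'x') {
            if (found < max_out)
                out[found] = r;
            found++;
        }
        maps += len;
        if (*maps == '\n')
            maps++;
    }
    return found;
}

int main(void)
{
    struct region hits[8];
    int n = find_anon_exec(SAMPLE_MAPS, hits, 8);
    for (int i = 0; i < n && i < 8; i++)
        printf("anonymous executable mapping: %lx-%lx %s\n",
               hits[i].start, hits[i].end, hits[i].perms);
    return 0;
}
```

Named regions such as `[heap]` and file-backed libraries are skipped, so the single hit in the sample is the `rwxp` mapping with no pathname.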
Monitoring module 12 monitors the event behavior of applications in the system. When certain event behaviors of an application in the system are observed, such as reading contacts, sending SMS messages, reading photos and similar event behaviors, they are intercepted and the application's feature information, such as its UID and package name, is extracted.
The monitoring process described in this embodiment is based on an Android system in ART mode. The concrete monitoring steps are performed by the function monitoring method under ART mode described above: the functions corresponding to the application's event behaviors are hooked to obtain its feature information. In this process, because the compiler of the ART virtual machine differs from the compiler of the Linux kernel, memory management must be carried out at the same time so as not to affect the GC mechanism in the ART virtual machine.
Respond module 13 responds to the instruction of the service process and handles the event behavior of the application process. Based on the feature information obtained in the above step, known setting data, local or remote (for example stored in a local or remote database), is checked to determine whether the event behavior of the application corresponding to this feature information should be restricted or prohibited. When the application is one that should be restricted or prohibited, the system service process sends an instruction, and the monitoring module responds and handles it. The known setting data may store the mapping between each UID and whether it is restricted or prohibited. This processing provides safer and more effective monitoring: by configuring the known setting data, especially when it can be updated remotely in a timely manner, the running of malicious applications on the mobile terminal can be stopped promptly.
The above are only some embodiments of the present invention. It should be pointed out that those skilled in the art can make further improvements and modifications without departing from the principles of the invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.

Claims (10)

1. A program monitoring method, characterized by comprising the following steps:
Locating the machine code executed by the target function;
Writing a jump instruction to hook the target function;
Dispatching the hook function to registered Java callback functions, and preventing the created temporary variables from being collected by the system garbage collection mechanism;
Deciding whether to continue processing the hooked target function;
If not processing, jumping back to the hooked location of the target function;
If processing, not jumping back, and performing the corresponding processing on the target function.
2. The program monitoring method according to claim 1, characterized in that the hook operation uses the inline hook manner.
3. The program monitoring method according to claim 1, characterized in that the jump instruction is specifically an ARM instruction.
4. The program monitoring method according to claim 1, characterized in that preventing the created temporary variables from being collected by the system garbage collection mechanism specifically refers to two cases: a Java function calling a Java function, and a Java function calling a Native function.
5. A program monitoring device, characterized by comprising:
Hooking module: for locating the machine code executed by the target function;
Redirect module: for writing a jump instruction to hook the target function;
Distribution module: for dispatching the hook function to registered Java callback functions, and preventing the created temporary variables from being collected by the system garbage collection mechanism;
Judge module: for deciding whether to continue processing the hooked target function;
Rebound module: for jumping back to the hooked location of the target function;
Processing module: for performing the corresponding processing on the target function.
6. The program monitoring device according to claim 7, characterized in that the Hooking module uses the inline hook manner.
7. The program monitoring device according to claim 7, characterized in that the jump instruction executed by the redirect module is an ARM instruction.
8. The program monitoring device according to claim 7, characterized in that preventing the created temporary variables from being collected by the system garbage collection mechanism specifically refers to two cases: a Java function calling a Java function, and a Java function calling a Native function.
9. A program defense method, comprising the following steps:
Injecting an so file into a system service process;
Monitoring the event behavior of applications in the system;
Responding to the instruction of the service process and handling the event behavior of the application process,
characterized in that the above monitoring step is performed by the program monitoring method according to any one of claims 1 to 6.
10. A program defense device, comprising:
Injection module: for injecting an so file into a system service process;
Monitoring module: for monitoring the event behavior of applications in the system;
Respond module: for responding to the instruction of the service process and handling the event behavior of the application process,
characterized in that the monitoring module is used to perform the program monitoring method according to any one of claims 1 to 6.
CN201510080320.7A 2015-02-13 2015-02-13 Program monitoring method and defending method thereof, as well as relevant device Expired - Fee Related CN104598809B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510080320.7A CN104598809B (en) 2015-02-13 2015-02-13 Program monitoring method and defending method thereof, as well as relevant device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510080320.7A CN104598809B (en) 2015-02-13 2015-02-13 Program monitoring method and defending method thereof, as well as relevant device

Publications (2)

Publication Number Publication Date
CN104598809A true CN104598809A (en) 2015-05-06
CN104598809B CN104598809B (en) 2017-04-19

Family

ID=53124587

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510080320.7A Expired - Fee Related CN104598809B (en) 2015-02-13 2015-02-13 Program monitoring method and defending method thereof, as well as relevant device

Country Status (1)

Country Link
CN (1) CN104598809B (en)

Also Published As

Publication number Publication date
CN104598809B (en) 2017-04-19

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220728

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20170419

CF01 Termination of patent right due to non-payment of annual fee