CN107798240B - Method and device for monitoring operations performed on a mobile device from a PC - Google Patents

Method and device for monitoring operations performed on a mobile device from a PC

Info

Publication number: CN107798240B
Application number: CN201610806113.XA
Authority: CN (China)
Prior art keywords: thread, monitoring, message, file, reading
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN107798240A
Inventors: 曾祥刚, 乔伟
Current assignee: Wuhan Antian Information Technology Co Ltd
Original assignee: Wuhan Antian Information Technology Co Ltd
Application filed by Wuhan Antian Information Technology Co Ltd; priority to CN201610806113.XA
Publication of CN107798240A (application); publication of CN107798240B (granted patent)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The invention discloses a monitoring method for monitoring operations performed on a mobile device from a PC. It exploits the fact that, when the PC accesses the mobile terminal, it interacts with the adbd process of the Android system through ADB commands: on the mobile device, the operations that read the USB device file are monitored in all threads of the adbd process to obtain the parameter content of those operations, the parameter content is then combined into messages, and the messages are combined into ADB commands, thereby obtaining the commands sent when the PC accesses the mobile terminal and achieving monitoring. The method is not affected by the PC-side environment, is easy to use, and monitors effectively. The invention also discloses a monitoring device for monitoring operations performed on a mobile device from a PC.

Description

Method and device for monitoring operations performed on a mobile device from a PC
Technical field
The present invention relates to the field of computer technology, and in particular to a method and device for monitoring operations performed on a mobile device from a PC.
Background
Currently, a user often connects a PC to a mobile terminal so that the PC can control the mobile terminal, for example to install or uninstall applications or to root the system. If the PC has been infected with malicious code, then when that malicious code detects that a mobile terminal has been connected to the PC it can automatically connect to the mobile phone or other mobile terminal and carry out malicious operations, such as obtaining root privileges, uninstalling applications on the terminal, silently installing malicious applications, or collecting the terminal's files and information. Moreover, the PC generally accesses the mobile terminal over USB (Universal Serial Bus), and for a mobile terminal running the Android system this essentially means issuing commands through the ADB (Android Debug Bridge) command-line tool. The ADB command-line tool consists of three parts, briefly introduced below:
(1) ADB client: the command-line tool that runs on the PC. Operations such as installing an application or retrieving a file are issued through this tool.
(2) ADB server: a service process that runs on the PC and manages the PC's direct connection and data exchange with the phone. An operation initiated by the ADB client is first sent to the ADB server, which then sends it to the phone.
(3) ADB phone-side process: a process named adbd in the Android system, which receives and executes the instructions sent by the ADB server. This process talks to the ADB server by reading from and writing to a USB device file in the Android system; adbd opens two threads to operate on that device file, one for reading and one for writing.
The adbd process uses a specific message format when exchanging data with the ADB server; it is described in the documentation in the Android source code. An ADB command can consist of a series of messages, each of which contains a message header and message data. The messages of one series are identified by the same ID number (which is located in the message header), and the series usually starts with OPEN and ends with CLOSE. The message header format is shown in Fig. 1; each field is 4 bytes. Command is the identifier of the command. Arg0 and Arg1 are the parameters of the message command, and Arg0 is the ID number mentioned here. The message header of each OPEN command carries a new Arg0 value. Data_length is the length of the message data that follows the message header.
Common ADB command operations are:
(1) Install software: adb.exe install [options] abc.apk
(2) Uninstall software: adb.exe uninstall packageName
(3) File transfer, which includes the adb.exe push and adb.exe pull commands: push transfers a local file to a specified path on the phone, and pull copies a file from the phone to the local machine.
(4) Command execution: adb.exe shell cmd [options]. The Android system is based on Linux, so adb can execute some Linux commands through the shell parameter, for example deleting a file with adb shell rm filepath, uninstalling software with adb shell pm uninstall packageName, or obtaining system properties with adb shell getprop.
Although the existing antivirus and security software on mobile terminals can scan and analyse applications, it cannot analyse the operations performed through ADB commands, so if a mobile terminal is connected to a PC infected with malicious code, malicious applications may be installed on the terminal and information may leak. The present scheme can monitor ADB command operations on the mobile terminal; if malicious installation or other malicious operations are found, they can be blocked and an alarm raised, thereby securing the terminal.
Summary of the invention
The purpose of the present invention is to provide a monitoring method and device for monitoring operations performed on a mobile device from a PC, which help the user monitor, directly on the mobile terminal, the operations the PC performs on it. The method is not affected by the PC-side environment, is easy to use, and monitors effectively.
To achieve the above goal, the invention discloses a monitoring method for monitoring operations performed on a mobile device from a PC, comprising the following steps:
obtaining, on the mobile terminal, the adbd process and the thread numbers of all threads in the adbd process;
monitoring each thread in turn according to all the obtained thread numbers, finding the thread that reads the USB device file, and obtaining the thread number of the current reading thread;
monitoring the read-file operations in that thread according to the thread number of the reading thread and obtaining the parameter content of each read-file operation, where the parameter content is either a message header or message data;
when the parameter content of the first monitored read-file operation is message data, saving all the obtained parameter content;
combining all the saved parameter content into corresponding messages, where one message header and its corresponding message data combine into one message;
combining the obtained messages into corresponding ADB commands, where one ADB command comprises at least one message, the messages belonging to the same command share the same ID number, and the ID number is located in the message header;
judging, according to preset rules, whether the obtained ADB command would produce malicious behaviour.
Further, each thread is monitored for a preset time to find a corresponding operation that reads the USB device file; if none is found within that time, the next thread is monitored immediately.
Further, after all thread numbers have been found, the threads are monitored one by one; if the current thread executes a read-file operation whose first parameter points to the USB device file, the thread number of the current thread is obtained.
Further, when the terminal is not connected over USB, or the search for the thread that reads the USB device file fails, all thread numbers can be obtained again and the search for a thread that reads the USB device file repeated.
Further, if the ADB command is judged to produce malicious behaviour, the current ADB command is modified to block the malicious behaviour.
Further, if the ADB command is judged to produce malicious behaviour, a user alarm is generated.
To achieve the above goal, the invention also discloses a monitoring device for monitoring operations performed on a mobile device from a PC, located in the mobile terminal and comprising a guard module, a monitoring module and a detection module, wherein:
when the PC accesses the mobile terminal, the guard module obtains the adbd process and the thread numbers of all threads in the adbd process, monitors each thread in turn according to all obtained thread numbers, finds the thread that reads the USB device file, obtains the thread number of the current reading thread and sends it to the monitoring module;
the monitoring module monitors the read-file operations in the reading thread according to its thread number and obtains the parameter content of each read-file operation, where the parameter content is either a message header or message data; when it judges that the parameter content of the first monitored read-file operation is message data, it saves all obtained parameter content;
the detection module combines all saved parameter content into corresponding messages, where one message header and its corresponding message data combine into one message, and combines the obtained messages into corresponding ADB commands, where one ADB command comprises at least one message, the messages belonging to the same command share the same ID number, and the ID number is located in the message header; the detection module also stores preset malicious command statements, compares the obtained ADB command against them, and judges whether malicious behaviour would result.
Further, the monitoring module monitors each thread for a preset time to find a corresponding operation that reads the USB device file, and if none is found within that time it monitors the next thread immediately.
Further, when the terminal is not connected over USB, or the search for the thread that reads the USB device file fails, the guard module can obtain all thread numbers again and repeat the search for a thread that reads the USB device file.
Further, after all thread numbers have been found, the monitoring module monitors the threads one by one; if the current thread executes a read-file operation whose first parameter points to the USB device file, it obtains the thread number of the current thread. If no thread that reads the USB device file is found, all thread numbers are obtained again and the scan of the threads continues.
Further, if the ADB command is judged to produce malicious behaviour, the detection module modifies the current ADB command to block the malicious behaviour.
Further, if the ADB command is judged to produce malicious behaviour, the detection module generates a user alarm.
Compared with the prior art, the invention has the following advantages: it exploits the fact that, when the PC accesses the mobile terminal, it interacts with the adbd process of the Android system through ADB commands. On the mobile device, the operations that read the USB device file are monitored in all threads of the adbd process to obtain the parameter content of those operations; the parameter content is then combined into messages and the messages into ADB commands, thereby obtaining the commands sent when the PC accesses the mobile terminal and achieving monitoring. This monitoring is not affected by the PC-side environment, is easy to use, and monitors effectively.
Description of the drawings
Fig. 1 is a schematic diagram of the format of an ADB command message header.
Fig. 2 is a flow chart of a monitoring method of the present invention for monitoring operations performed on a mobile device from a PC.
Fig. 3 is a structural diagram of a monitoring device of the present invention for monitoring operations performed on a mobile device from a PC.
Detailed description
To make the objectives, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings.
Although the steps of the present invention are labelled, the labels are not intended to limit the order of the steps; unless the order is specified, or the execution of one step depends on other steps, the relative order of the steps is adjustable.
The present invention exploits the fact that, when a PC accesses a mobile terminal, it interacts with the adbd process of the Android system through ADB commands. In some embodiments, as shown in Fig. 2, a monitoring method for monitoring operations performed on a mobile device from a PC comprises the following steps:
S01: obtain, on the mobile terminal, the adbd process and the thread numbers of all threads in the adbd process.
The ps command provided by the system can be used directly to obtain all thread numbers of the adbd process; alternatively, the /proc file system can be inspected. In Linux, each process has a corresponding directory /proc/[process number] under /proc; the cmdline file in that directory stores the command name, and the task subdirectory records all thread numbers of the process (referred to below as PID numbers).
S02: monitor each thread in turn according to all the obtained thread numbers, find the thread that reads the USB device file, and obtain the thread number of the current reading thread.
After all thread numbers have been found, it is necessary to determine which of the threads reads the USB device file. The ptrace system call (which allows one process to trace and control another) is used to monitor the threads one by one; PTRACE_SYSCALL of ptrace can be used to monitor a thread's system calls. If the current thread executes a read-file operation whose first parameter points to the USB device file, the PID number of the current thread is obtained. The strace tool can also be used to look directly at whether the system calls made by each thread include an operation that reads the USB device file.
The path of the USB device file may differ between versions of the Android system and should be looked up in the source code; for example, the default USB device file in Android 4.4 is /dev/android_adb.
Preferably, the judgement of each thread lasts only a short time: each thread is monitored for a preset time to find the corresponding read-file operation, and if none is found within that time the current thread is not the thread to be monitored and the next thread is monitored immediately.
It should be understood that, because the adbd process may restart, monitoring of the adbd process also needs to be restarted, and the PID numbers of the relevant threads must be obtained again after each restart. When the terminal is not connected over USB, or the search for the thread that reads the USB device file fails, all thread numbers can be obtained again and the search for a thread that reads the USB device file repeated.
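As an added illustration of steps S01 and S02 (this is not code from the patent), the following C program enumerates the threads of a given adbd PID from /proc/<pid>/task, attaches to each one with ptrace, steps it with PTRACE_SYSCALL, and reports the thread whose read() targets the USB device file, resolving the descriptor through /proc/<tid>/fd. It assumes an x86_64 Linux register layout and the Android 4.4 device path the text mentions; the function names and the stop budget are assumptions of this example.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>

/* Assumed USB endpoint of adbd; the page notes the path differs between Android versions. */
#define USB_DEV_PATH "/dev/android_adb"

/* Thread ids of `pid` from /proc/<pid>/task (the page's "PID numbers" of all adbd threads).
 * Returns the number collected, or -1 if the process does not exist. */
static int list_thread_ids(pid_t pid, pid_t *tids, int max)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/task", (int)pid);
    DIR *d = opendir(path);
    if (!d) return -1;
    int n = 0;
    for (struct dirent *e; n < max && (e = readdir(d)) != NULL;) {
        char *end;
        long tid = strtol(e->d_name, &end, 10);
        if (*end == '\0' && tid > 0) tids[n++] = (pid_t)tid;   /* skip "." and ".." */
    }
    closedir(d);
    return n;
}

/* Path behind descriptor `fd` of thread `tid`, via readlink on /proc/<tid>/fd/<fd>; -1 if unknown. */
static int fd_path(pid_t tid, int fd, char *buf, size_t len)
{
    char link[64];
    snprintf(link, sizeof link, "/proc/%d/fd/%d", (int)tid, fd);
    ssize_t n = readlink(link, buf, len - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return 0;
}

/* Attach to one thread and step it syscall by syscall for at most `max_stops` stops (a stop
 * budget stands in for the page's "preset time" per thread). Returns 1 if a read() whose first
 * argument is a descriptor for `dev_path` was seen, 0 if not, -1 on error or on an architecture
 * this example does not cover (Android ARM/AArch64 expose the registers differently). */
static int thread_reads_device(pid_t tid, const char *dev_path, int max_stops)
{
#if defined(__x86_64__)
    if (ptrace(PTRACE_ATTACH, tid, NULL, NULL) == -1) return -1;
    int status, hit = 0;
    if (waitpid(tid, &status, __WALL) == -1) return -1;
    for (int i = 0; i < max_stops && !hit; i++) {
        if (ptrace(PTRACE_SYSCALL, tid, NULL, NULL) == -1) break;  /* run to next syscall stop */
        if (waitpid(tid, &status, __WALL) == -1 || !WIFSTOPPED(status)) break;
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, tid, NULL, &regs) == -1) break;
        /* x86_64: orig_rax holds the syscall number, rdi the first argument (the fd). */
        char path[256];
        if (regs.orig_rax == SYS_read && fd_path(tid, (int)regs.rdi, path, sizeof path) == 0 &&
            strcmp(path, dev_path) == 0)
            hit = 1;
    }
    ptrace(PTRACE_DETACH, tid, NULL, NULL);
    return hit;
#else
    (void)tid; (void)dev_path; (void)max_stops;
    return -1;
#endif
}

/* Usage: scan the threads of a running adbd (pid from `ps` or /proc/<pid>/cmdline, as the page
 * describes) and report the one that reads the USB device file. Needs ptrace rights on adbd. */
int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <adbd-pid>\n", argv[0]); return 2; }
    pid_t tids[64];
    int n = list_thread_ids((pid_t)atoi(argv[1]), tids, 64);
    for (int i = 0; i < n; i++)
        if (thread_reads_device(tids[i], USB_DEV_PATH, 200) == 1)
            printf("USB reader thread: %d\n", (int)tids[i]);
    return n < 0 ? 1 : 0;
}
```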
S03: monitor the read-file operations in the reading thread according to its thread number and obtain the parameter content of each read-file operation, where the parameter content is either a message header or message data.
After the PID number of the current reading thread has been obtained, ptrace can be used to obtain the parameters of the read-file system call. The read-file method has only 3 parameters, which are passed in registers, so reading the register values with PTRACE_GETREGS of ptrace yields the parameters. The parameter for data storage is a memory address; when the read-file operation completes, the data read is stored in the memory that address points to, and the PTRACE_PEEKTEXT method of ptrace can be used to copy the data out of that address.
S04: when the parameter content of the first monitored read-file operation is message data, save all the obtained parameter content.
Each message generally consists of two parts, a message header and message data, so what a single monitored read-file operation obtains may be either a message header or message data. First determine whether the copied-out parameter content is message content: according to the ADB message format description, the message content has a magic field, and checking this field determines whether the content is a message header. If it is a message header, what the next read-file operation obtains is the message data, whose length is stored in the message header. If what is obtained at the start is not a message header, the current message data is discarded, and what the next read-file operation obtains is necessarily a message header.
S05: combine all saved parameter content into corresponding messages.
It should be understood that the message header and message data of one message correspond to the parameters of two consecutive read-file operations, so merging the parameter content of two read-file operations yields one message.
S06: combine the obtained messages into corresponding ADB commands, where one ADB command comprises at least one message, the messages belonging to the same command share the same ID number, and the ID number is located in the message header.
A person of ordinary skill in the art will appreciate that a command executed by the ADB client is converted into multiple messages that are sent to the adbd process. For a file push operation, for example, the messages obtained by reading the file contain (OPEN, sync) --> (WRTE, STAT) --> (WRTE, filepath) --> (WRTE, SEND) --> (WRTE, filepath + content) --> (WRTE, QUIT) --> (CLOSE), where a tuple of two elements denotes one message: the first part is the command of the message header and the second part is the message data; for instance (OPEN, sync) indicates that a sync operation is about to start and (WRTE, SEND) indicates that data transfer is about to take place. This series of messages therefore identifies a push file operation, and filepath reveals where the file is stored. The commands of other ADB clients are similar. The series of messages corresponding to one ADB client command share the same ID number, so the messages with the same ID number can be combined into the corresponding ADB command.
S07: judge, according to preset rules, whether the obtained ADB command would produce malicious behaviour.
Preset malicious command statements are stored in the mobile terminal; the combined ADB command is compared with them, and if the combined ADB command is one of the preset malicious command statements, the obtained ADB command is judged to have malicious behaviour.
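As an added example covering steps S04 to S07 (this is not code from the patent), the C program below reassembles messages from the buffers that successive read() calls on the USB device file return, groups the messages sharing one ID into a command, and matches the push sequence described above against a constructed rule. It relies on the 24-byte header layout from the ADB protocol documentation the text refers to (command, arg0, arg1, data_length, data_check, magic, with magic = command XOR 0xffffffff) and on the wire spelling CLSE for the text's CLOSE; the sample messages, the rule strings and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ADB wire header (24 bytes, six little-endian uint32s) as in the ADB protocol documentation the
 * page refers to: command, arg0 (the page's ID number), arg1, data_length, data_check, magic. */
#define ADB_HDR_LEN 24
#define A_OPEN 0x4e45504fu /* "OPEN" */
#define A_WRTE 0x45545257u /* "WRTE" */
#define A_CLSE 0x45534c43u /* "CLSE", the page's CLOSE */
#define MAX_DATA 128

typedef struct { uint32_t command, arg0, arg1, data_length, data_check, magic; } adb_hdr;
typedef struct { uint32_t command, id; char data[MAX_DATA]; } adb_msg;
typedef struct { int have_hdr; adb_hdr hdr; adb_msg msgs[32]; int count; } adb_stream;

static uint32_t le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* The page's header test: a read buffer is a header only if magic == command XOR 0xffffffff. */
static int parse_hdr(const uint8_t *buf, size_t n, adb_hdr *h)
{
    if (n < ADB_HDR_LEN) return 0;
    h->command = le32(buf);          h->arg0 = le32(buf + 4);        h->arg1 = le32(buf + 8);
    h->data_length = le32(buf + 12); h->data_check = le32(buf + 16); h->magic = le32(buf + 20);
    return h->magic == (h->command ^ 0xffffffffu);
}

/* Steps S04/S05: feed one read() from the USB device file. Data seen while no header is pending is
 * discarded; a header plus its data read (or a header with data_length 0) becomes one message. */
static int feed_read(adb_stream *s, const uint8_t *buf, size_t n)
{
    if (!s->have_hdr) {
        if (!parse_hdr(buf, n, &s->hdr)) return 0;         /* stray data: wait for a header */
        if (s->hdr.data_length > 0) { s->have_hdr = 1; return 0; }
        n = 0;                                             /* header-only message, e.g. CLSE */
    }
    s->have_hdr = 0;
    if (s->count >= 32) return 0;
    adb_msg *m = &s->msgs[s->count++];
    m->command = s->hdr.command; m->id = s->hdr.arg0;
    if (n > s->hdr.data_length) n = s->hdr.data_length;    /* never copy more than announced */
    if (n > MAX_DATA - 1) n = MAX_DATA - 1;
    memcpy(m->data, buf, n); m->data[n] = '\0';
    return 1;                                              /* one complete message */
}

/* Steps S06/S07: gather the messages sharing `id` into one command and match it against preset rules.
 * The push sequence follows the page: OPEN "sync:" ... WRTE "SEND" -> WRTE path+content ... CLSE. */
static const char *classify(const adb_stream *s, uint32_t id, char *path_out, size_t len)
{
    int sync = 0, send_seen = 0, closed = 0; path_out[0] = '\0';
    for (int i = 0; i < s->count; i++) {
        const adb_msg *m = &s->msgs[i];
        if (m->id != id) continue;                         /* belongs to another command */
        if (m->command == A_OPEN) {
            sync = strncmp(m->data, "sync:", 5) == 0;
        } else if (m->command == A_WRTE && sync) {
            if (send_seen && path_out[0] == '\0') {        /* sync payload is "path,mode..." */
                size_t plen = strcspn(m->data, ",");
                if (plen >= len) plen = len - 1;
                memcpy(path_out, m->data, plen); path_out[plen] = '\0';
            }
            if (strncmp(m->data, "SEND", 4) == 0) send_seen = 1;
        } else if (m->command == A_CLSE) closed = 1;
    }
    if (!(sync && send_seen && closed)) return sync ? "sync-incomplete" : "unknown";
    size_t pl = strlen(path_out);       /* constructed rule after the page's case (1): APK staged in /data/local/tmp */
    if (strncmp(path_out, "/data/local/tmp/", 16) == 0 && pl > 4 && strcmp(path_out + pl - 4, ".apk") == 0)
        return "push-apk-to-tmp";
    return "push";
}

/* Constructed sample: the reads a monitor would copy out during the page's push sequence, preceded
 * by a stray data read (the case S04 discards). Returns the verdict for the command with ID 7. */
static const char *run_demo(char *path_out, size_t len)
{
    static const char *const seq[][2] = {
        { "OPEN", "sync:" }, { "WRTE", "STAT" }, { "WRTE", "/data/local/tmp/filename.apk" },
        { "WRTE", "SEND" }, { "WRTE", "/data/local/tmp/filename.apk,33188PK\003\004..." },
        { "WRTE", "QUIT" }, { "CLSE", "" },
    };
    adb_stream s = { 0 }; uint8_t hdr[ADB_HDR_LEN];
    feed_read(&s, (const uint8_t *)"leftover-data", 13);  /* discarded: not a header */
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++) {
        uint32_t cmd = le32((const uint8_t *)seq[i][0]), dlen = (uint32_t)strlen(seq[i][1]);
        uint32_t f[6] = { cmd, 7, 0, dlen, 0, cmd ^ 0xffffffffu };   /* serialise header */
        for (int b = 0; b < ADB_HDR_LEN; b++) hdr[b] = (uint8_t)(f[b / 4] >> (8 * (b % 4)));
        feed_read(&s, hdr, sizeof hdr);                    /* header read */
        if (dlen) feed_read(&s, (const uint8_t *)seq[i][1], dlen);  /* data read */
    }
    return classify(&s, 7, path_out, len);
}

int main(void)
{
    char path[MAX_DATA];
    printf("verdict=%s path=%s\n", run_demo(path, sizeof path), path);
    return 0;
}
```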
The present invention exploits the fact that, when the PC accesses the mobile terminal, it interacts with the adbd process of the Android system through ADB commands: on the mobile device, the read-file operations in all threads of the adbd process are monitored to obtain the parameter content of the read-file operations, the parameter content is then combined into messages, and the messages are combined into ADB commands, thereby obtaining the commands sent when the PC accesses the mobile terminal and achieving monitoring. This monitoring is not affected by the PC-side environment, is easy to use, and monitors effectively.
Preferably, if the ADB command is judged to produce malicious behaviour, such as copying files, installing or uninstalling applications, or opening ports, the present invention also takes corresponding action on the ADB command to prevent loss to the user.
Several common malicious command statements and the preferred handling for each are described below:
(1) Sample installation command. On the ADB server side, this command is decomposed into two steps: first a file transfer (adb push filename.apk /data/local/tmp/filename.apk), then execution of the install command (adb shell pm install /data/local/tmp/filename.apk). The maliciousness of a sample installation command can be judged either by scanning the transferred file or from the file path specified when the installation is executed.
If a sample installation command is detected, the command content can be modified directly, for example by replacing the package name in the command with an empty string so that the installation fails.
(2) File transfer commands, including the command that transfers a file into the mobile terminal (adb push) and the command that transfers a file out (adb pull). A push operation can be judged by scanning the transferred file; a pull operation requires judging whether the transferred file is a sensitive file (such as the contacts database). If the transferred file is sensitive, the command can be invalidated by, for example, setting the file path to an empty string.
(3) Execution of shell commands, i.e. operations executed in adb shell mode. For example, adb shell getprop obtains system properties, adb shell am commands can send broadcasts, and adb shell pm commands can uninstall applications. Maliciousness has to be judged from the specific command: whether an uninstall targets a critical application can be judged from the package name specified in the pm command, and if the command deletes a file it can be judged whether the file path is a system file path. Malicious commands can be handled by modifying the command content.
The handling of the three classes of malicious command above mentions modifying the command content; the specific way of modifying it is as follows. The command content is stored in the message data, in the memory pointed to by the parameter of the read-file operation. Because the parameters of the read-file operation have been saved, PTRACE_POKETEXT of ptrace can be used to modify the content of the memory holding the command, or PTRACE_SETREGS of ptrace can be used to set the parameter of the read-file operation to a null pointer, making the parameter value invalid.
Preferably, if the ADB command is judged to produce malicious behaviour, a user alarm is generated.
Specifically, the user alarm can be generated directly, or the content of the ADB command can be passed by inter-process communication to a common social or game application, which can alert the user with a pop-up warning.
As shown in figure 3, the invention also discloses a kind of monitoring devices for operating mobile device for monitoring the end PC, for moving In dynamic terminal, the monitoring device includes guarding module 10, monitoring module 20, detection module 30, in which:
When the end PC accesses mobile terminal, the module 10 of guarding is for obtaining institute in adbd process and the adbd process There is the thread number of thread;Per thread is monitored respectively according to all thread numbers of acquisition, is found out and is wherein read USB device file The thread number of thread and the current reading thread of acquisition is sent to the monitoring module 20.
The ps order that system offer can be used directly obtains whole thread numbers of adbd process, can also be by checking/proc File system.Each process has a corresponding catalogue/proc/ [process number] at/proc in Linux, under the catalogue Cmdline file saves command name, and No. PID of whole threads of process is had recorded under task subdirectory.
After finding out whole No. PID, using ptrace system calling, (it is that one process of permission is another to track and control that it, which is acted on, An outer process), per thread is monitored one by one, can be come monitoring thread using the PTRACE_SYSCALL of ptrace System calls.If the reading file operation of current thread calling system, and what first parameter be directed toward is USB device file, then Obtain No. PID of current thread.Also can use strace tool be directly viewable per thread progress system call in whether There is the operation for reading USB device file.
Preferably, can be continued to the judgement of per thread a bit of time, according to the preset time to per thread into Row monitoring finds corresponding reading file operation, if not finding during this period of time, then it represents that current thread is not required to monitor Thread, monitor next thread immediately.
It should be understood that being also required to opening again for monitoring adbd process due to restarting possibility there are adbd process It is dynamic, No. PID that obtains respective thread again is required after restarting every time.It is read when terminal does not connect USB or searches After the thread failure of USB device file, whole thread numbers can be obtained again, and search whether to read the line of USB device file Journey.
The monitoring module 20 is used to read the reading file operation in thread according to the current thread number monitoring for reading thread, obtains The content of parameter of file operation is read, and judges the content of parameter of monitor first reading file operation as message header or message count According to then saving all content of parameter of acquisition if message data, the content of parameter includes message header or message data.
After obtaining current No. PID for reading thread, method can be used in ptrace to obtain parameter when system is called, read text The system call method of part operation only has 3 parameters, and when transmitting is to be transmitted by register, therefore use ptrace's PTRACE_GETREGS, which obtains register value, can be obtained parameter.For saving the parameter of data storage location for a memory Location, the PTRACE_PEEKTEXT method that ptrace can be used come out the data copy in address.
Each message generally comprises message header and message data two parts, therefore primary monitoring is read file operation and obtained To may be message header be also likely to be message data.First determine whether the content of parameter copied out is message content, is pressed According to the message format description in ADB, there is magic field in message content, by checking the field to determine whether for message header. If it is message header, what next reading file operation was got is exactly message data, and the length of message data is stored in message header In.If start to get is not message header, current message data is abandoned, reading file operation next time is got just inevitable It is message header.
The detection module 30 is used to all content of parameter saved being combined into corresponding message, wherein a message Head can be combined to a piece of news with a corresponding message data;Obtained message is combined into corresponding ADB order, wherein One ADB order includes at least one message, and the message for belonging to same order possesses identical ID number, and the ID number is located at described In message header;The detection module 30 is also used to save preset malicious commands sentence, and the ADB order that will acquire is preset with this Malicious commands sentence is compared, and judges whether that malicious act can be generated.
Those of ordinary skill in the art will appreciate that, the message header and message data of a piece of news and reading text twice in succession The parameter of part operation is corresponding, therefore a piece of news can be obtained in the content merging for the parameter for reading file operation twice.One The order of ADB client executing is converted into multiple messages and is sent to adbd process.Such as the push operation of file, it is reading -- > (WRTE, STAT) -- > (WRTE, filepath) is contained (OPEN, sync) in the thread of USB device file -- > (WRTE, SEND) -- > WRTE (filepath+content) -- > (WRTE, QUIT) -- > (CLOSE), this In with including the tuple of 2 element contents indicate a message, first part is the order of message header, and second part is message Data, such as (OPEN, sync) expression will start to carry out sync operation, and (WRTE, SEND) expression will do it data transmission;Therefore It may determine that by this series of message as a push file operation, by filepath it is known that file storage Place.The order of other ADB clients is also similar.A series of message corresponding to every ADB Client command possess together One ID number, therefore the message for possessing identical ID number can be combined into corresponding ADB order.
Preset malicious commands sentence is preserved in mobile terminal, by the ADB order being combined into and preset malicious commands Sentence is compared, and judges that the ADB order obtained has malice row if the ADB order being combined into is preset malicious commands sentence For.
When accessing mobile terminal present invention utilizes the end PC using the adbd process in ADB order and android system into The feature of row interaction reads the reading file operation in USB device file thread, in mobile device end monitoring adbd process to obtain The content of parameter for reading file operation, is then combined into message for content of parameter, message is combined into ADB order, to obtain PC The order sent when the access mobile terminal of end, to achieve the purpose that monitoring.The monitoring is not influenced by PC end ring border, user Just, monitoring effect is good.
Preferably, the detection module 30 is also used, when it judges that an ADB command has malicious behaviour, to handle the ADB command accordingly, so as to avoid causing loss to the user.
Several common malicious command statements, and the preferred handling of each, are described below:
(1) Sample installation command. On the ADB server side this command is decomposed into two steps: first a file transfer (adb push filename.apk /data/local/tmp/filename.apk), then execution of the installation command (adb shell pm install /data/local/tmp/filename.apk). The maliciousness of a sample installation command can be judged either by scanning the transferred file or from the file path specified when the installation is executed.
If a sample installation command is judged to be present, the command content can be modified directly, for example by replacing the package name in the command with an empty string, so that the installation becomes invalid.
(2) File transfer commands, including the command that transfers a file into the mobile terminal (adb push) and the command that transfers a file out of it (adb pull). A push operation can be judged by scanning the transferred file; a pull operation requires judging whether the transferred file is a sensitive file (such as the contacts database). If the transferred file is a sensitive file, the command can be invalidated, for example by setting the file path to an empty string.
(3) Execution of shell commands, i.e. operations executed in adb shell mode. For example, adb shell getprop obtains system properties, adb shell am commands can send broadcasts, and adb shell pm commands can uninstall applications. Maliciousness has to be judged from the specific command: whether an uninstall targets a critical application can be judged from the package name specified in the pm command, and if the command deletes a file it can be judged whether the file path is a system file path. Malicious commands can be handled by modifying the command content.
The handling of the three classes of malicious commands above mentions that the command content can be modified; the specific way of modifying it is as follows. The content of the command is stored in the memory pointed to by the parameter of the read file operation. Since the parameters of the read file operation have been saved, PTRACE_POKETEXT of ptrace can be used to modify the command content in memory; alternatively, PTRACE_SETREGS of ptrace can be used to change the parameter of the read file operation to a null pointer, making the parameter value invalid.
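As an added example (not the patent's code), the C program below shows the two ptrace modifications the paragraph names against a stand-in for adbd on Linux x86_64: a forked child is traced, its read() on a pipe is caught at the syscall-exit stop, PTRACE_POKEDATA (on Linux identical to PTRACE_POKETEXT, since there is no separate text address space) overwrites the buffer with the command with its file path replaced by an empty string, and PTRACE_SETREGS shrinks the byte count the child sees. The comment at the entry stop marks where the null-pointer variant (setting the buffer register to 0) would go. The command text, the pipe and the child are constructed for the demonstration; a real monitor would attach to the adbd thread found in the earlier steps and filter on the USB device file descriptor instead of the pipe.

```c
/* Added example, not the patent's code: use ptrace to rewrite what a traced process receives
 * from read(), as the description proposes for the adbd thread that reads the USB device file.
 * PTRACE_POKEDATA changes the buffer, PTRACE_SETREGS the byte count the tracee sees.
 * Linux x86_64 only; a forked child stands in for adbd and reads a constructed command. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

static const char ORIGINAL[] = "pm install /data/local/tmp/evil.apk";   /* constructed command */
static const char NEUTRALISED[] = "pm install ";    /* file path replaced by an empty string */

/* Copy len bytes into the tracee at addr, one word at a time, keeping the bytes we do not own. */
static int poke_bytes(pid_t pid, unsigned long addr, const char *src, size_t len)
{
    for (size_t off = 0; off < len; off += sizeof(long)) {
        size_t n = len - off < sizeof(long) ? len - off : sizeof(long);
        long word = 0;
        errno = 0;
        if (n < sizeof(long)) word = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + off), NULL);
        if (errno) return -1;
        memcpy(&word, src + off, n);    /* little-endian: low bytes of the word are the lower addresses */
        if (ptrace(PTRACE_POKEDATA, pid, (void *)(addr + off), (void *)word) == -1) return -1;
    }
    return 0;
}

/* 1 if the child saw NEUTRALISED instead of ORIGINAL, 0 if the rewrite did not take effect,
 * -1 if ptrace cannot be used here (other architecture, seccomp, kernel.yama.ptrace_scope=3). */
int demo_rewrite_read(void)
{
#if !defined(__linux__) || !defined(__x86_64__)
    return -1;
#else
    int cmd[2], out[2], status;
    if (pipe(cmd) == -1 || pipe(out) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {                                  /* stand-in for adbd */
        char buf[64];
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(2);
        raise(SIGSTOP);                              /* let the tracer set its options first */
        ssize_t n = read(cmd[0], buf, sizeof buf);   /* the monitored read file operation */
        if (n > 0 && write(out[1], buf, (size_t)n) != n) _exit(3);
        _exit(0);
    }
    close(cmd[0]); close(out[1]);                    /* parent keeps only its own pipe ends */
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) return -1;
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    if (write(cmd[1], ORIGINAL, sizeof ORIGINAL - 1) != (ssize_t)(sizeof ORIGINAL - 1)) return -1;

    int in_read = 0;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) == -1) return -1;
        if (waitpid(pid, &status, 0) == -1 || WIFEXITED(status) || WIFSIGNALED(status)) break;
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80)) continue;  /* not a syscall stop */
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1) return -1;
        if (!in_read) {                              /* syscall entry: read() on the command pipe? */
            in_read = regs.orig_rax == SYS_read && (int)regs.rdi == cmd[0];
            continue;   /* the null-pointer variant would set regs.rsi = 0 here: read() then fails with EFAULT */
        }
        in_read = 0;                                 /* syscall exit: rax = bytes read, rsi = buffer */
        size_t got = (long)regs.rax > 0 ? (size_t)regs.rax : 0;
        if (got == 0) continue;
        char patched[sizeof ORIGINAL] = {0};
        memcpy(patched, NEUTRALISED, sizeof NEUTRALISED - 1);
        if (got > sizeof patched) got = sizeof patched;
        if (poke_bytes(pid, regs.rsi, patched, got) == -1) return -1;
        regs.rax = sizeof NEUTRALISED - 1;           /* the tracee now believes it read the shorter command */
        if (ptrace(PTRACE_SETREGS, pid, NULL, &regs) == -1) return -1;
    }
    char seen[64] = {0};
    ssize_t n = read(out[0], seen, sizeof seen - 1);
    close(cmd[1]); close(out[0]);
    return n > 0 && strcmp(seen, NEUTRALISED) == 0;
#endif
}

int main(void)
{
    int r = demo_rewrite_read();
    printf("%s\n", r == 1 ? "adbd stand-in saw the neutralised command" : r == 0 ? "rewrite did not take effect" : "ptrace unavailable here");
    return r == 1 ? 0 : 1;
}
```

The rewrite has to happen at the syscall-exit stop: at the entry stop the kernel has not yet copied the data into the buffer, so bytes poked there would be overwritten by the read itself, while at the exit stop the tracee has not yet looked at the buffer, so what is poked is what adbd goes on to parse. Rewriting to a shorter command without also lowering the return register would leave the tail of the old command in the bytes adbd believes it received, which is why the example sets both.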
The detection module 30 is also used to generate a user alarm, or to pass the content of the ADB command by means of inter-process communication to a common social or game application, which can then alarm the user by means of a pop-up window.
The foregoing has shown and described several embodiments of the invention, but, as stated above, it should be understood that the invention is not limited to the forms disclosed herein, which are not to be regarded as excluding other embodiments; it can be used in various other combinations, modifications and environments, and can be changed within the scope of the inventive concept described herein by the above teachings or by the skill or knowledge of the related field. Changes and modifications made by those skilled in the art that do not depart from the spirit and scope of the invention all fall within the scope of protection of the appended claims.

Claims (10)

1. A monitoring method for monitoring a PC operating a mobile device, characterized in that the monitoring method comprises the following steps:
obtaining, at the mobile terminal, the adbd process and the thread numbers of all threads in the adbd process;
monitoring each thread separately according to all the thread numbers obtained, finding the thread that reads the USB device file and obtaining the thread number of the current reading thread, the current reading thread being the thread reading the USB device file that is currently detected;
monitoring the read file operations in the thread according to the thread number of the current reading thread and obtaining the parameter contents of the read file operations, the parameter contents comprising a message header or message data;
when the parameter content of the first read file operation detected is message data, saving all the parameter contents obtained;
combining all the saved parameter contents into corresponding messages, wherein one message header and one corresponding message data combine into one message;
combining the messages obtained into corresponding ADB commands, wherein one ADB command comprises at least one message, the messages belonging to the same command have the same ID number, and the ID number is located in the message header;
judging, according to a preset rule, whether the ADB command obtained can produce malicious behaviour.
2. The monitoring method according to claim 1, characterized in that each thread is monitored for a preset time to look for the corresponding read file operation, and if it is not found within that time, the next thread is monitored immediately.
3. The monitoring method according to claim 1, characterized in that, after all the thread numbers have been found, each thread is monitored one by one, and if the current thread executes a read file operation whose first parameter points to the USB device file, the thread number of the current thread is obtained.
4. The monitoring method according to claim 1, characterized in that, when the terminal is not connected by USB or after the search for the thread reading the USB device file has failed, all the thread numbers are obtained again and the search for a thread reading the USB device file is repeated.
5. The monitoring method according to claim 1, characterized in that, if the ADB command is judged capable of producing malicious behaviour, the current ADB command is modified according to a preset rule to prevent the malicious behaviour from occurring, and/or a user alarm is generated.
6. A monitoring device for monitoring a PC operating a mobile device, characterized in that the monitoring device comprises a daemon module, a monitoring module and a detection module, and when the PC accesses the mobile terminal:
the daemon module is used to obtain the adbd process and the thread numbers of all threads in the adbd process; to monitor each thread separately according to all the thread numbers obtained, find the thread that reads the USB device file, obtain the thread number of the current reading thread and send it to the monitoring module, the current reading thread being the thread reading the USB device file that is currently detected;
the monitoring module is used to monitor the read file operations in the reading thread according to the thread number of the current reading thread and to obtain the parameter contents of the read file operations, the parameter contents comprising a message header or message data, and, when it judges that the parameter content of the first read file operation detected is message data, to save all the parameter contents obtained;
the detection module is used to combine all the saved parameter contents into corresponding messages, wherein one message header and one corresponding message data combine into one message, and to combine the messages obtained into corresponding ADB commands, wherein one ADB command comprises at least one message, the messages belonging to the same command have the same ID number, and the ID number is located in the message header; the detection module is also used to store preset malicious command statements, compare the ADB command obtained with the preset malicious command statements, and judge whether malicious behaviour will be produced.
7. The monitoring device according to claim 6, characterized in that the monitoring module is used to monitor each thread for a preset time to look for the corresponding read file operation, and if it is not found within that time, to monitor the next thread immediately.
8. The monitoring device according to claim 6, characterized in that the monitoring module monitors each thread one by one, and if the current thread executes a read file operation whose first parameter points to the USB device file, obtains the thread number of the current thread.
9. The monitoring device according to claim 6, characterized in that, when the terminal is not connected by USB or after the search for the thread reading the USB device file has failed, the daemon module obtains all the thread numbers again and searches again for a thread reading the USB device file.
10. The monitoring device according to claim 6, characterized in that, if the ADB command is judged capable of producing malicious behaviour, the detection module modifies the current ADB command according to a preset rule to prevent the malicious behaviour from occurring, and/or generates a user alarm.
CN201610806113.XA 2016-09-07 2016-09-07 A kind of method and device operating mobile device for monitoring the end PC Active CN107798240B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610806113.XA CN107798240B (en) 2016-09-07 2016-09-07 A kind of method and device operating mobile device for monitoring the end PC

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610806113.XA CN107798240B (en) 2016-09-07 2016-09-07 A kind of method and device operating mobile device for monitoring the end PC

Publications (2)

Publication Number Publication Date
CN107798240A CN107798240A (en) 2018-03-13
CN107798240B true CN107798240B (en) 2019-10-18

Family

ID=61529963

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610806113.XA Active CN107798240B (en) 2016-09-07 2016-09-07 A kind of method and device operating mobile device for monitoring the end PC

Country Status (1)

Country Link
CN (1) CN107798240B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114968456B (en) * 2022-05-07 2024-03-08 麒麟合盛网络技术股份有限公司 Method and device for controlling terminal

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102254113A (en) * 2011-06-27 2011-11-23 深圳市安之天信息技术有限公司 Method and system for detecting and intercepting malicious code of mobile terminal
CN103279706A (en) * 2013-06-07 2013-09-04 北京奇虎科技有限公司 Method and device for intercepting installation of Android application program in mobile terminal
US8935793B2 (en) * 2012-02-29 2015-01-13 The Mitre Corporation Hygienic charging station for mobile device security
CN104978518A (en) * 2014-10-31 2015-10-14 哈尔滨安天科技股份有限公司 Method and system for preventing PC (Personal Computer) side from obtaining layout operation of mobile equipment screen

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Shi Yang, "Research on security control strategies after an Android phone is connected to a computer" (Android手机和计算机连接后的安全控制策略研究), Journal of Changchun Normal University (长春师范大学学报), vol. 34, no. 10, 30 Oct. 2015, pp. 34-37 *

Also Published As

Publication number Publication date
CN107798240A (en) 2018-03-13

Similar Documents

Publication Publication Date Title
CN107480527B (en) Ransomware prevention method and system
CN109688097B (en) Website protection method, website protection device, website protection equipment and storage medium
US10169585B1 (en) System and methods for advanced malware detection through placement of transition events
US8370931B1 (en) Multi-behavior policy matching for malware detection
US11086983B2 (en) System and method for authenticating safe software
EP3028489B1 (en) Centralized selective application approval for mobile devices
US8844038B2 (en) Malware detection
US8930915B2 (en) System and method for mitigating repeated crashes of an application resulting from supplemental code
US8448165B1 (en) System and method for logging operations of virtual machines
CN109344616B (en) Method and device for monitoring dynamic loading behavior of mobile application program
Eder et al. Ananas-a framework for analyzing android applications
CN110213207B (en) Network security defense method and equipment based on log analysis
JP2011501280A (en) Method and apparatus for preventing exploitation of vulnerability in web browser
CN104932972B (en) A kind of method and device of reaction state debugging utility
US11055416B2 (en) Detecting vulnerabilities in applications during execution
US20130290898A1 (en) Method for presenting prompt message, terminal and server
CN108763951A (en) A data protection method and device
KR20110128632A (en) Method and device for detecting malicious action of application program for smartphone
CN109783316B (en) Method and device for identifying tampering behavior of system security log, storage medium and computer equipment
CN115840938B (en) File monitoring method and device
CN111062032A (en) Anomaly detection method and system and computer-readable storage medium
CN104252594A (en) Virus detection method and device
CN110851824B (en) Detection method for malicious container
US9542535B1 (en) Systems and methods for recognizing behavorial attributes of software in real-time
CN109784054B (en) Behavior stack information acquisition method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 430000 Hubei city Wuhan East Lake New Technology Development Zone 8 Huacheng Road 8 Wuhan software new town industry three phase C20 building

Applicant after: Wuhan Antian Information Technology Co., Ltd.

Address before: 430000 software industry, No. 1 East Road, software park, East Lake New Technology Development Zone, Hubei, Wuhan 4-1, B4 building, room 12, floor 01

Applicant before: Wuhan Antian Information Technology Co., Ltd.

GR01 Patent grant