Summary of the invention
The purpose of the embodiments of the present invention is to provide a process monitoring method and device, so as to solve the problem that existing process monitoring on mobile terminals requires changing the system source code, which results in high development cost, inconvenient updating and modification, and high technical risk.
An embodiment of the present invention proposes a process monitoring method, comprising:
monitoring a system parent process;
when it is detected that the parent process creates a new child process, injecting an environment monitoring module into the new child process;
sending a monitoring instruction to the environment monitoring module, and monitoring the child process through the environment monitoring module; and
when an operation of the child process matches a monitoring policy in the environment monitoring module, obtaining operation data of the child process.
An embodiment of the present invention also proposes a process monitoring device, comprising:
a parent process monitoring unit, configured to monitor a system parent process;
a logic loading unit, configured to inject an environment monitoring module into a new child process when the parent process monitoring unit detects that the parent process creates the new child process;
a control centre unit, configured to send a monitoring instruction to the environment monitoring module and to monitor the child process through the environment monitoring module; and
a data capture unit, configured to obtain operation data of the child process when an operation of the child process matches a monitoring policy in the environment monitoring module.
Compared with the prior art, the beneficial effects of the invention are as follows. The method and device of the embodiments of the present invention dynamically inject a monitoring program into a child process at the moment the parent process creates it, so that system processes can be monitored without any change to the source code and without affecting normal operation; the whole logic can therefore be implemented in a single application program. Since the source code is not involved, only the monitoring program itself needs to be designed, which carries relatively low technical risk and low development cost. When an update or a bug fix is needed, no large amount of source code is involved, the technical threshold is low, and modification and use are more convenient.
Detailed description of the embodiments
The foregoing and other technical contents, features and effects of the present invention will be clearly presented in the following detailed description of preferred embodiments with reference to the drawings. Through the description of the embodiments, the technical means taken by the present invention to achieve the predetermined objects, and their effects, can be understood more deeply and concretely; however, the accompanying drawings are provided for reference and illustration only and are not intended to limit the present invention.
Referring to Fig. 1, which is a flow chart of a first process monitoring method of an embodiment of the present invention, the method includes the following steps:
S101: monitor a system parent process.
S102: when it is detected that the parent process creates a new child process, inject an environment monitoring module into the new child process.
When monitoring the parent process, the function that creates new processes can be watched. For example, the parent process zygote of the Android system calls the fork function every time it produces a child process, so it is sufficient to monitor whether fork is called in order to know whether a new child process has been created.
S103: send a monitoring instruction to the environment monitoring module, and monitor the child process through the environment monitoring module.
On receiving the monitoring instruction, the environment monitoring module starts to work and monitors the child process in order to obtain the required data. A monitoring policy is provided in the environment monitoring module, for example to monitor whether a certain function is called, or whether a certain file is operated on. The monitoring policy may be set in advance in the environment monitoring module, or transferred to the environment monitoring module through the monitoring instruction.
S104: when an operation of the child process matches the monitoring policy in the environment monitoring module, obtain the operation data of the child process.
The obtained data serve the subsequent management and analysis of the child process's operating conditions, for example learning the operations performed on a certain file through analysis of the data, or searching the operation data of the child process for dynamic behaviour data of a virus.
The scope of the obtained operation data can be set accordingly in the monitoring policy. For example, when monitoring the operations on a certain file, the policy can be set to obtain the context data of every operation event on that file. As another example, when monitoring for viruses, all data captured by the environment monitoring module can be obtained.
The method of the present embodiment dynamically injects a monitoring program into a child process when the parent process creates it, so that system processes can be monitored without any change to the source code and without affecting normal operation; the whole logic can therefore be implemented in a single application program, for example in APK form (APK is the Android application file format) or in jar (Java Archive) kit form. Since the source code is not involved, only the monitoring program itself needs to be designed, which carries relatively low technical risk and low development cost. When an update or a bug fix is needed, no large amount of source code is involved, the technical threshold is low, and modification and use are more convenient.
Referring to Fig. 2, which is a flow chart of a second process monitoring method of an embodiment of the present invention, the method includes the following steps:
S201: monitor a system parent process.
S202: judge whether the parent process calls the function that creates a new process; if so, proceed to step S203, otherwise return to step S201.
S203: inject an environment monitoring module into the new child process. The environment monitoring module of the present embodiment is provided with a monitoring configuration table, which stores monitoring information such as the user identifier (uid), the file path and the monitoring rules.
S204: send a monitoring instruction to the environment monitoring module, and monitor through the environment monitoring module whether the child process calls a file operation function. File operation functions include, for example, open, unlink, rename, read and write.
S205: when the child process calls a file operation function, check whether the user identifier and file path of the file operation event are consistent with the monitoring information stored in the monitoring configuration table; if consistent, proceed to step S206, otherwise return to S204.
The monitoring information stored in the monitoring configuration table can be configured through the monitoring instruction sent to the environment monitoring module. For example, when a user wants to monitor the operation behaviour on a certain file, one or more items of monitoring information, such as the user identifier, the file path to be monitored and the operation function to be monitored, can be added to a monitoring instruction and sent to the environment monitoring module, which configures them into the monitoring configuration table. Suppose one group of monitoring information in the monitoring configuration table consists of user A, file path B and operation function open; then, when the child process calls the open function, the module checks whether the user identifier and file path in the operation event are A and B respectively: if so they are consistent, otherwise inconsistent.
S206: obtain the context data of the file operation event. The obtained data include, but are not limited to, the file operation ID (the number of the open, unlink or rename function), the file path, the operation event, the user identifier uid and the process identifier pid.
The method of the present embodiment can monitor the file operation behaviour within a process and, since it does not change the source code, has the advantages of low technical risk, low development cost, a low technical threshold, and easy modification and use. In addition, because dynamic injection is used, the file path to be monitored need not be specified in advance but can be specified dynamically by the user when needed, which provides strong interactivity.
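The consistency check of step S205 and the context data of step S206 (and, in the first embodiment, the policy match of step S104), modelled as an added example that is not part of the patent's own implementation. The rule table, the uid values, the file paths, the field names of the context record and the numbering of the file operation IDs are all assumptions; a rule field left empty is treated as unconstrained, because the text says a monitoring instruction may carry only one or more of the items.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed numbering for the file operation ID: the page says the ID is
# "the number of the open, unlink, rename function" without giving values.
FILE_OP_IDS = {"open": 1, "unlink": 2, "rename": 3, "read": 4, "write": 5}

@dataclass(frozen=True)
class MonitorRule:
    """One row of the monitoring configuration table (S203). A None field
    means the rule does not constrain that item, because a monitoring
    instruction may carry only one or more of uid, path and function."""
    uid: Optional[int] = None
    path: Optional[str] = None
    func: Optional[str] = None

@dataclass(frozen=True)
class FileOpEvent:
    """A file operation event seen by the environment monitoring module."""
    func: str
    path: str
    uid: int
    pid: int

def rule_matches(rule: MonitorRule, ev: FileOpEvent) -> bool:
    """S205: the event is consistent with a rule when every item the rule
    specifies equals the corresponding item of the event."""
    return ((rule.uid is None or rule.uid == ev.uid)
            and (rule.path is None or rule.path == ev.path)
            and (rule.func is None or rule.func == ev.func))

def capture_context(table: Iterable[MonitorRule], ev: FileOpEvent) -> Optional[dict]:
    """S205/S206: return the context data of a consistent event, or None
    when no rule matches (the module then simply keeps monitoring, S204)."""
    if not any(rule_matches(r, ev) for r in table):
        return None
    return {"file_op_id": FILE_OP_IDS.get(ev.func), "path": ev.path,
            "event": ev.func, "uid": ev.uid, "pid": ev.pid}

# Constructed table: user A = uid 10042, file path B, operation function open
# (the page's own example), plus a rule watching every unlink by any user.
TABLE = [
    MonitorRule(uid=10042, path="/data/data/com.example/secret.db", func="open"),
    MonitorRule(func="unlink"),
]

if __name__ == "__main__":
    ev = FileOpEvent("open", "/data/data/com.example/secret.db", 10042, 4321)
    print(capture_context(TABLE, ev))
```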
Referring to Fig. 3, which is a flow chart of a third process monitoring method of an embodiment of the present invention, the method includes the following steps:
S301: monitor a system parent process.
S302: when it is detected that the parent process creates a new child process, inject an environment monitoring module into the new child process.
S303: send a monitoring instruction to the environment monitoring module, and monitor the child process through the environment monitoring module. In this implementation, the monitoring policy in the environment monitoring module is to monitor all operating conditions of the child process.
S304: obtain all data captured by the environment monitoring module.
S305: filter the obtained data. The purpose of filtering is to improve the validity of the collected data, so as to reduce the amount of computation and the error rate in the subsequent analysis of these data. For example, log data repeated within a unit time are deduplicated.
The method of the present embodiment is particularly suitable for collecting and testing large quantities of data, for example analysing log data to search for dynamic behaviour data of a virus. Because dynamic injection is used for monitoring, the system source code need not be modified, which reduces development cost and technical risk and also makes it convenient to update and modify the monitoring program.
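The deduplication filter of step S305 (the same filtering is performed by the filter unit 45 of Fig. 5 below), as an added example that is not the patent's own code. The log records, their field names and the timestamps are constructed; the page only says that repeats within a unit time are removed, so measuring the window from the last copy that was kept is an assumption.

```python
from typing import Dict, Iterable, List

def record_key(rec: dict) -> tuple:
    """Identity of a log record for deduplication: every field except
    the timestamp, so two records are 'repeated' when all else is equal."""
    return tuple(sorted((k, v) for k, v in rec.items() if k != "ts"))

def dedup_within_window(records: Iterable[dict], window: float) -> List[dict]:
    """S305 filtering: keep a record unless an identical one was already
    kept less than `window` seconds earlier (measuring from the last kept
    copy is an assumption). Records are processed in timestamp order."""
    last_kept: Dict[tuple, float] = {}
    kept: List[dict] = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = record_key(rec)
        prev = last_kept.get(key)
        if prev is not None and rec["ts"] - prev < window:
            continue  # repeated within the window: drop it
        last_kept[key] = rec["ts"]
        kept.append(rec)
    return kept

# Constructed sample of what the module might capture in "monitor everything"
# mode: a child process writing the same log file in a tight loop, with one
# open of another file in between. Timestamps are seconds; field names assumed.
_WRITE = {"pid": 1234, "uid": 10042, "func": "write",
          "path": "/data/data/com.example/files/app.log"}
SAMPLE_LOG = [
    {"ts": 0.0, **_WRITE},
    {"ts": 0.1, **_WRITE},
    {"ts": 0.4, **_WRITE},
    {"ts": 0.5, "pid": 1234, "uid": 10042, "func": "open",
     "path": "/sdcard/Download/report.txt"},
    {"ts": 1.3, **_WRITE},
    {"ts": 1.9, **_WRITE},
]

def kept_timestamps(window: float) -> List[float]:
    """Timestamps surviving the filter on the sample, for a quick check."""
    return [r["ts"] for r in dedup_within_window(SAMPLE_LOG, window)]

if __name__ == "__main__":
    print(kept_timestamps(1.0))  # [0.0, 0.5, 1.3]
```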
An embodiment of the present invention also proposes a process monitoring device; referring to Fig. 4, it includes a parent process monitoring unit 41, a logic loading unit 42, a control centre unit 43 and a data capture unit 44.
The parent process monitoring unit 41 is configured to monitor a system parent process. Specifically, the parent process monitoring unit 41 can monitor whether the parent process creates a new child process, for example by monitoring whether the parent process calls the function that creates a child process.
The logic loading unit 42 is configured to inject an environment monitoring module into the new child process when the parent process monitoring unit 41 detects that the parent process creates a new child process. The environment monitoring module is provided with a monitoring policy, which is used to monitor the operation of the child process and to collect the required data.
The control centre unit 43 is configured to send a monitoring instruction to the environment monitoring module and to monitor the child process through the environment monitoring module. The control centre unit 43 can provide an interactive interface to the user, allowing the user to set the monitoring policy, such as the objects and functions to be monitored, which is then sent together with the monitoring instruction to the environment monitoring module.
The data capture unit 44 is configured to obtain the operation data of the child process when an operation of the child process matches the monitoring policy in the environment monitoring module. The obtained data serve the subsequent management and analysis of the child process's operating conditions, for example learning the operations performed on a certain file through analysis of the data, or searching the operation data of the child process for dynamic behaviour data of a virus. The scope of the obtained operation data can be set accordingly in the monitoring policy.
Taking the monitoring of file operations as an example: when the parent process monitoring unit 41 detects that the parent process creates a new child process, the logic loading unit 42 loads the environment monitoring module into the newly created child process. The control centre unit 43 can then provide an interactive interface to the user, so that the user inputs monitoring information such as the file to be monitored, its path and the operation; this monitoring information is added to a monitoring instruction and sent to the environment monitoring module. After receiving the monitoring instruction, the environment monitoring module starts to work and monitors whether the child process calls the preset file operation functions such as open, unlink, rename, read and write. When a file operation function is called, the event is compared with the monitoring configuration table set in the environment monitoring module, checking whether the user identifier and file path of the operation event are consistent with the monitoring information stored in the table. If they are consistent, the data capture unit 44 obtains the context data of this file operation event for the user to analyse or use.
As another example, for monitoring the dynamic behaviour data of a virus: when the parent process monitoring unit 41 detects that the parent process creates a new child process, the logic loading unit 42 loads the environment monitoring module into the newly created child process. After the control centre unit 43 sends a monitoring instruction to the environment monitoring module, the dynamic behaviour data of the child process are monitored through the environment monitoring module, and the data capture unit 44 obtains the dynamic behaviour data captured by the module, so that the user can analyse whether they contain dynamic behaviour data of a virus.
The device of the present embodiment dynamically injects a monitoring program into a child process when the parent process creates it, so that system processes can be monitored without any change to the source code and without affecting normal operation; the whole logic can therefore be implemented in a single application program, for example in APK form (APK is the Android application file format) or in jar (Java Archive) kit form. Since the source code is not involved, only the monitoring program itself needs to be designed, which carries relatively low technical risk and low development cost. When an update or a bug fix is needed, no large amount of source code is involved, the technical threshold is low, and modification and use are more convenient.
Referring to Fig. 5, which is a structural diagram of a second process monitoring device of an embodiment of the present invention: compared with the embodiment of Fig. 4, the device of the present embodiment further includes a filter unit 45, which is configured to filter the data obtained by the data capture unit 44. The purpose of filtering is to improve the validity of the collected data, so as to reduce the amount of computation and the error rate in the subsequent analysis of these data; for example, log data repeated within a unit time are deduplicated. The other structures and functions of the device of the present embodiment are identical to those of the embodiment of Fig. 4 and are not described again here.
Through the above description of the embodiments, those skilled in the art can clearly understand that the embodiments of the present invention can be realised by hardware, or by software together with the necessary general hardware platform. Based on this understanding, the technical solution of the embodiments of the present invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, a USB flash disk or a removable hard disk) and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform the method described in each implementation scenario of the embodiments of the present invention.
The above is only a preferred embodiment of the present invention and does not limit the present invention in any form. Although the present invention has been disclosed above by way of preferred embodiments, they are not intended to limit the present invention; any person familiar with this technical field may, without departing from the scope of the technical solution of the present invention, make minor changes or modifications to the technical contents disclosed above to obtain equivalent embodiments of equivalent variation. Any simple modification, equivalent change or modification made to the above embodiments according to the technical essence of the present invention, without departing from the content of the technical solution of the present invention, still falls within the scope of the technical solution of the present invention.