CN109726067B - Process monitoring method and client device - Google Patents

Process monitoring method and client device

Info

Publication number
CN109726067B
CN109726067B (application CN201711037388.2A; earlier publication CN109726067A)
Authority
CN
China
Prior art keywords
target
api
service type
client device
dynamic link
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711037388.2A
Other languages
Chinese (zh)
Other versions
CN109726067A (en)
Inventor
吴岳廷
蔡东赟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201711037388.2A
Publication of CN109726067A
Application granted
Publication of CN109726067B
Legal status: Active (current)
Anticipated expiration

Abstract

The embodiment of the invention discloses a process monitoring method and a client device. The method comprises the following steps: mapping a dynamic link library into the address space of a target process; hooking a target Application Programming Interface (API) based on the dynamic link library, wherein the service type realized by the target API is consistent with one target service type of at least one target service type; and acquiring target data based on the hook arranged in the target API. The target API provided with the hook can still be called while the target data used for monitoring it is collected, so the embodiment can monitor deep into the APIs called by the target process. The server can therefore obtain, from the target data, the calling condition of the target APIs used for realizing different service types, and the accuracy of monitoring the target process is improved.

Description

Process monitoring method and client device
Technical Field
The present invention relates to the field of computers, and in particular, to a process monitoring method and a client device.
Background
In order to implement process monitoring in the prior art, a process monitoring method as shown in fig. 1 is provided, which specifically includes the following steps:
Step 101, acquiring a monitoring list. The monitoring list comprises all processes needing monitoring.
Step 102, traversing all the processes on the monitoring list at a set time point to acquire real-time parameter information of all the processes.
Step 103, removing invalid parameter information from the real-time parameter information according to a preset strategy to acquire key process information. The preset strategy indicates how to eliminate invalid parameter information.
Step 104, reporting the key process information to a server. The server can monitor the processes on the monitoring list according to the key process information.
The process monitoring method of the prior art has the following defect: it can only monitor the existence of a process, not the specific running behaviour of that process, so the process cannot be monitored accurately.
Disclosure of Invention
The embodiment of the invention provides a process monitoring method and client equipment, which can be used for monitoring an API (application program interface) called by a process, so that the process can be accurately monitored.
A first aspect of an embodiment of the present invention provides a process monitoring method, including:
mapping a dynamic link library in an address space of a target process, wherein the dynamic link library comprises a preset rule used for indicating at least one target service type;
setting hooks in a target Application Programming Interface (API) based on the dynamic link library, wherein the target API is called when the target process operates, and the service type realized by the target API is consistent with one target service type in the at least one target service type;
and acquiring target data based on the hook arranged in the target API, wherein the target data is used for monitoring the target API.
A second aspect of an embodiment of the present invention provides a client device, including:
the mapping unit is used for mapping a dynamic link library in an address space of a target process, wherein the dynamic link library comprises a preset rule used for indicating at least one target business type;
the processing unit is used for setting the hook in a target Application Programming Interface (API) based on the dynamic link library, the target API is called when the target process runs, and the service type realized by the target API is consistent with one target service type in the at least one target service type;
and the acquisition unit is used for acquiring target data based on hooks arranged in the target API, and the target data is used for monitoring the target API.
A third aspect of embodiments of the present invention provides a client device, comprising a processor and a memory, wherein,
a computer readable program stored in the memory;
the processor is configured to execute the program in the memory to perform the method according to the first aspect of the embodiment of the present invention.
A fourth aspect of the embodiments of the present invention provides a computer-readable storage medium, where instructions are stored, where the instructions are configured to execute the method shown in the first aspect of the embodiments of the present invention.
The process monitoring method and the client device shown in this embodiment can hook a target API that needs to be monitored and can implement a target service type through a dynamic link library mapped into a target process, can call the target API provided with a hook, and simultaneously acquire target data for monitoring the target API, and can monitor the target API called by the target process deeply, so that a server can acquire a calling condition of the target API for implementing different service types based on the target data, and accuracy of monitoring the target process is improved.
Drawings
FIG. 1 is a schematic diagram illustrating steps of a process monitoring method provided in the prior art;
FIG. 2 is a schematic diagram of an embodiment of a monitoring system provided in the present invention;
FIG. 3 is a schematic structural diagram of an embodiment of a client device provided in the present invention;
FIG. 4 is a flowchart illustrating steps of a process monitoring method according to an embodiment of the present invention;
FIG. 5 is a diagram illustrating an exemplary scenario of a process monitoring method according to the present invention;
FIG. 6 is a flowchart of an application scenario of the process monitoring method provided by the present invention;
FIG. 7 is a schematic structural diagram of an embodiment of a client device according to an embodiment of the present invention.
Detailed Description
In order to better understand the process monitoring method according to the embodiment of the present invention, the process monitoring method according to the embodiment is applied to a monitoring system, and the following describes a specific structure of the monitoring system with reference to fig. 2:
fig. 2 is a schematic structural diagram of a monitoring system according to an embodiment of the present invention.
The monitoring system includes a server 210 and at least one client device 220.
The server 210 and the client device 220 can perform data interaction, so as to implement the process monitoring method shown in this embodiment.
The specific structure of the client device shown in this embodiment is described below with reference to fig. 3, and fig. 3 is a schematic structural diagram of an embodiment of the client device provided in the present invention.
The client device includes components such as an input unit 305, a processor 303, an output unit 301, a communication unit 307, a memory 304, a radio frequency circuit 308, and the like.
These components communicate over one or more buses. Those skilled in the art will appreciate that the configuration of the client device shown in fig. 3 is not intended to limit the present invention, and may be a bus architecture, a star architecture, a combination of more or fewer components than those shown, or a different arrangement of components.
In an embodiment of the present invention, the client device includes, but is not limited to, a desktop computer, a smart phone, a mobile computer, a tablet computer, a Personal Digital Assistant (PDA), a media player, a smart television, and the like.
The client device includes:
an output unit 301 for outputting an image to be displayed.
Specifically, the output unit 301 includes, but is not limited to, a display screen 3011 and a sound output unit 3012.
The display screen 3011 is used to output text, pictures, and/or video. The display screen 3011 may include a display panel, for example, a display panel configured in the form of a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED), a Field Emission Display (FED), or the like. Alternatively, the display 3011 may comprise a reflective display, such as an electrophoretic display, or a display using interferometric modulation technology.
For example, when the touch screen detects a touch or proximity gesture on it, the gesture operation is transmitted to the processor 303 to determine the type of touch event, and the processor 303 then provides a corresponding visual output on the display panel according to the type of touch event. Although in fig. 1 the input unit 305 and the output unit 301 are implemented as two separate components to implement the input and output functions of the client device, in some embodiments the touch screen may be integrated with the display panel to implement both functions. For example, the display screen 3011 may display various Graphical User Interfaces (GUIs) as virtual control components, including but not limited to windows, scroll bars, icons, and scrapbooks, for a user to operate by touch.
In one embodiment of the present invention, the display 3011 includes a filter and an amplifier for filtering and amplifying the video output by the processor 303. The sound output unit 3012 includes a digital-to-analog converter for converting the audio signal output from the processor 303 from a digital format to an analog format.
And the processor 303 is configured to execute corresponding codes, process the received information, and generate and output a corresponding interface.
Specifically, the processor 303 is a control center of the client device, connects various parts of the entire client device by using various interfaces and lines, and executes various functions of the client device and/or processes data by running or executing software programs and/or modules stored in the memory and calling data stored in the memory. The processor 303 may be composed of an Integrated Circuit (IC), for example, a single packaged IC, or a plurality of packaged ICs connected with the same or different functions.
For example, the Processor 303 may include only a Central Processing Unit (CPU), or a combination of a Graphics Processing Unit (GPU), a Digital Signal Processor (DSP), and a control chip (e.g., baseband chip) in the communication Unit. In the embodiment of the present invention, the CPU may be a single operation core, or may include multiple operation cores.
A memory 304 for storing code and data, the code for execution by the processor 303.
Specifically, the memory 304 may be used for storing software programs and modules, and the processor 303 executes various functional applications of the client device and implements data processing by running the software programs and modules stored in the memory 304. The memory 304 mainly includes a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function, such as a sound playing program, an image playing program, and the like; the data storage area may store data created from the use of the client device (such as audio data, a phonebook, etc.), and the like.
In an embodiment of the present invention, the memory 304 may include a volatile memory, such as a non-volatile dynamic Random Access Memory (NVRAM), a Phase Change Random Access Memory (PRAM), or a Magnetoresistive Random Access Memory (MRAM), and a non-volatile memory, such as at least one disk memory, an Electrically Erasable Programmable Read-Only Memory (EEPROM), or a flash memory such as a NAND flash memory.
The non-volatile memory stores an operating system and application programs executed by the processor 303. The processor 303 loads operating programs and data from the non-volatile memory into memory and stores digital content in mass storage devices. The operating system includes various components and/or drivers for controlling and managing conventional system tasks, such as memory management, storage device control, power management, etc., as well as facilitating communication between various hardware and software components.
In the embodiment of the present invention, the operating system may be an Android system developed by Google, an iOS system developed by Apple, a Windows operating system developed by Microsoft, or an embedded operating system such as Vxworks.
The application programs include any application installed on the client device, including but not limited to a browser, email, instant messaging service, word processing, keyboard virtualization, widgets (widgets), encryption, digital rights management, voice recognition, voice replication, location (e.g., functions provided by the global positioning system), music playing, and so forth.
An input unit 305 for enabling user interaction with the client device and/or input of information into the client device.
For example, the input unit 305 may receive numeric or character information input by a user to generate a signal input related to user setting or function control. In the embodiment of the present invention, the input unit 305 may be a touch screen or another human-computer interaction interface, such as a physical input key, a microphone, or another external information capturing device such as a camera.
The touch screen disclosed by the embodiment of the invention can collect the operation actions touched or approached by the user. For example, the user can use any suitable object or accessory such as a finger, a stylus, etc. to operate on or near the touch screen, and drive the corresponding connection device according to a preset program. Alternatively, the touch screen may include two parts, a touch detection device and a touch controller. The touch detection device detects touch operation of a user, converts the detected touch operation into an electric signal and transmits the electric signal to the touch controller; the touch controller receives the electrical signal from the touch sensing device and converts it to touch point coordinates, which are then fed to the processor 303.
The touch controller can also receive and execute commands sent by the processor 303. In addition, the touch screen can be realized by various types such as a resistive type, a capacitive type, an infrared ray, a surface acoustic wave and the like.
In other embodiments of the present invention, the physical input keys used by the input unit 305 may include, but are not limited to, one or more of a physical keyboard, function keys (such as a volume control key, a switch key, etc.), a track ball, a mouse, a joystick, etc. An input unit 305 in the form of a microphone may collect speech input by a user or the environment and convert it into commands in the form of electrical signals that are executable by the processor 303.
In some other embodiments of the present invention, the input unit 305 may also be various sensing devices, such as Hall devices, for detecting physical quantities of the client device, such as force, moment, pressure, stress, position, displacement, speed, acceleration, angle, angular velocity, number of rotations, rotational speed, and time of change of operating state, and converting the physical quantities into electric quantities for detection and control. Other sensing devices may include gravity sensors, three-axis accelerometers, gyroscopes, electronic compasses, ambient light sensors, proximity sensors, temperature sensors, humidity sensors, pressure sensors, heart rate sensors, fingerprint identifiers, and the like.
A communication unit 307 for establishing a communication channel through which the client device connects to a remote server and downloads media data from the remote server. The communication unit 307 may include a Wireless Local Area Network (WLAN) module, a Bluetooth module, a baseband module, and other communication modules, together with a Radio Frequency (RF) circuit corresponding to each communication module, and is configured to perform WLAN communication, Bluetooth communication, infrared communication, and/or cellular communication, such as Wideband Code Division Multiple Access (W-CDMA) and/or High Speed Downlink Packet Access (HSDPA). The communication module is used for controlling communication of each component in the client device and can support direct memory access.
In different embodiments of the present invention, the various communication modules in the communication unit 307 are generally in the form of integrated circuit chips, and can be selectively combined without including all the communication modules and corresponding antenna groups. For example, the communication unit 307 may only include a baseband chip, a radio frequency chip and a corresponding antenna to provide communication functions in a cellular system. The client device may be connected to a cellular network or the internet via a wireless communication connection established by the communication unit 307, such as a wireless local area network access or a WCDMA access. In some alternative embodiments of the present invention, the communication module, e.g. the baseband module, in the communication unit 307 may be integrated into the processor 303, typically an APQ + MDM series platform as provided by the Qualcomm corporation.
The radio frequency circuit 308 is used for receiving and transmitting signals during information transceiving or conversation. For example, after downlink information of the base station is received it is processed by the processor 303; in addition, uplink data is transmitted to the base station. In general, the radio frequency circuitry 308 includes well-known circuitry for performing these functions, including but not limited to an antenna system, a radio frequency transceiver, one or more amplifiers, a tuner, one or more oscillators, a digital signal processor, a codec chipset, a Subscriber Identity Module (SIM) card, memory, and so forth. In addition, the radio frequency circuitry 308 may also communicate with networks and other devices via wireless communications.
The wireless communication may use any communication standard or protocol, including but not limited to Global System for Mobile communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), High Speed Uplink Packet Access (HSUPA), Long Term Evolution (LTE), e-mail, Short Message Service (SMS), and the like.
A power supply 309 for powering the various components of the client device to maintain its operation. As a general understanding, the power source 309 may be a built-in battery, such as a common lithium ion battery or a nickel metal hydride battery, and may also include an external power source that directly supplies power to the client device, such as an AC adapter. In some embodiments of the invention, the power supply 309 may be more broadly defined and may include, for example, a power management system, a charging system, a power failure detection circuit, a power converter or inverter, a power status indicator (e.g. a light emitting diode), and any other components associated with power generation, management, and distribution in the client device.
The following describes in detail a specific execution flow of the process monitoring method according to the embodiment of the present invention with reference to fig. 4:
fig. 4 is a flowchart illustrating steps of a process monitoring method according to an embodiment of the present invention.
Step 401, the client device determines whether the process to be processed is a target process, and if so, executes step 402.
Specifically, the client device shown in this embodiment may create the process filtering rule in advance.
The process filtering rule shown in this embodiment may be used to determine whether a process to be processed belongs to a target process, and the client device shown in this embodiment may monitor the target process.
The processes to be processed may be all processes run by the client device.
The client device may store the created filter rules in a cached form in a system of the client device.
The client device may create or update the process filtering rule based on a certain configuration policy, which is not limited in this embodiment.
The following illustrates possible scenarios for the process filtering rules:
An optional case is: the process filtering rule defines that if the MD5 (Message Digest Algorithm 5) value of the file name of the process to be processed is located in a preset list, the process to be processed is a target process that needs to be monitored.
Specifically, the client device may create the preset list in advance, where the preset list includes an MD5 value of a process filename that the client device needs to monitor, and if the MD5 value of the process filename of the process to be processed is located in the preset list, the client device may determine that the process to be processed is a target process that needs to be monitored.
Another optional case is: the process filtering rule defines that if the storage path of the process to be processed accords with a preset storage path, the process to be processed is a target process needing to be monitored.
Specifically, the client device may create a preset storage path in advance, and if the storage path of the process to be processed matches the preset storage path, the client device may determine that the process to be processed is a target process that needs to be monitored.
In a specific application scenario, if the monitoring method shown in this embodiment is applied to a Windows system, if the client device needs to monitor a virus, the preset storage path stored by the client device is a C disk used for monitoring a virus process, and if the client device determines that the storage path of a process to be processed is the C disk of the client device, the client device can determine that the process to be processed is a target process that needs to be monitored.
Another optional case is: the process filtering rule defines that if the process identifier (PID) of the process to be processed is within a preset range, the process to be processed is a target process that needs to be monitored.
Specifically, the client device may create a preset range in advance, and if the identifier PID of the process to be processed is located within the preset range, the client device may determine that the process to be processed is a target process that needs to be monitored.
In a specific application scenario, the preset range created by the client device may be greater than or equal to 200 and less than or equal to 400, and if the client device determines that the identifier PID of the process to be processed is 320, the client device may determine that the identifier PID of the process to be processed is located within the preset range, and the client device may determine that the process to be processed is a target process to be monitored.
Another optional case is: the process filtering rule defines that if the image name of the process to be processed comprises a preset character, the process to be processed is a target process needing to be monitored.
Specifically, the client device may create a preset character in advance, and if the image name of the process to be processed includes the preset character, the client device may determine that the process to be processed is a target process to be monitored.
In a specific application scenario, if a browser process installed on a client device needs to be monitored, the preset character created by the client device may be a "browser", and when the client device determines that a to-be-processed process image name includes the preset character "browser", the client device may determine that the to-be-processed process is a target process that needs to be monitored.
Optionally, the client device shown in this embodiment may configure a process list, where the process list may include all processes to be processed, and the client device may determine all the processes to be processed in the process list one by one to determine a target process.
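The four optional filtering cases above can be combined into a single predicate applied to every process on the process list. The following Python is an added example and is not code from the patent or from the assignee; the ProcessInfo and FilterRule names are this example's own, the process records are constructed sample data, and the rule values are taken from the text (the 200 to 400 PID range, the "browser" substring, the C drive path). The page hashes the process file name, and the example follows that as written.

```python
"""Step 401 process filtering rules as one predicate (added example; not the patent's code)."""
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessInfo:
    """A process to be processed (constructed sample record; field names are assumed)."""
    pid: int
    image_name: str  # e.g. "browser.exe"
    path: str        # full storage path of the process image


@dataclass(frozen=True)
class FilterRule:
    """The process filtering rule; each field is one optional case from the text."""
    filename_md5s: FrozenSet[str] = frozenset()      # case 1: MD5 of file name is in the preset list
    path_prefixes: Tuple[str, ...] = ()              # case 2: storage path matches a preset path
    pid_range: Optional[Tuple[int, int]] = None      # case 3: PID within a preset inclusive range
    image_substrings: Tuple[str, ...] = ()           # case 4: image name contains preset characters


def filename_md5(name: str) -> str:
    """MD5 of the process file name, as the text describes.

    A deployment would more often hash the file contents, since a file name is trivially renamed.
    """
    return hashlib.md5(name.encode("utf-8")).hexdigest()


def is_target_process(proc: ProcessInfo, rule: FilterRule) -> bool:
    """A process is a target process if any configured case of the rule matches it."""
    if rule.filename_md5s and filename_md5(proc.image_name) in rule.filename_md5s:
        return True
    if any(proc.path.lower().startswith(prefix.lower()) for prefix in rule.path_prefixes):
        return True
    if rule.pid_range is not None:
        low, high = rule.pid_range
        if low <= proc.pid <= high:
            return True
    if any(sub.lower() in proc.image_name.lower() for sub in rule.image_substrings):
        return True
    return False


def select_targets(procs: List[ProcessInfo], rule: FilterRule) -> List[int]:
    """Step 401 over the whole process list: the PIDs of the processes to monitor."""
    return [p.pid for p in procs if is_target_process(p, rule)]


# Constructed rule: the values come from the examples in the text, the MD5 entry is derived here.
SAMPLE_RULE = FilterRule(
    filename_md5s=frozenset({filename_md5("updater.exe")}),
    path_prefixes=("C:\\",),
    pid_range=(200, 400),
    image_substrings=("browser",),
)

# Constructed process list; comments state which case each record exercises.
SAMPLE_PROCESSES: List[ProcessInfo] = [
    ProcessInfo(320, "svchost.exe", "D:\\sys\\svchost.exe"),        # PID 320 lies in 200..400
    ProcessInfo(1200, "mybrowser.exe", "D:\\apps\\mybrowser.exe"),  # image name contains "browser"
    ProcessInfo(6000, "calc.exe", "E:\\calc.exe"),                  # matches no case
    ProcessInfo(4100, "notepad.exe", "C:\\tools\\notepad.exe"),     # stored on the C drive
    ProcessInfo(5000, "updater.exe", "D:\\x\\updater.exe"),         # file-name MD5 is in the list
]

if __name__ == "__main__":
    print(select_targets(SAMPLE_PROCESSES, SAMPLE_RULE))
```

The predicate is deliberately an OR over the cases, mirroring the text, which presents each case as sufficient on its own; a deployment that wants tighter matching would AND selected cases instead.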
Step 402, the client device obtains an address space of the target process.
Specifically, the client device obtains a handle of the target process by calling an OpenProcess function.
The OpenProcess function shown in this embodiment is used to open a target process and return a handle of the target process.
The client device can obtain the address space of the target process according to the handle of the target process.
In step 403, the client device allocates a target memory in the address space of the target process.
Specifically, the client device allocates a target memory in the address space of the target process by calling a VirtualAllocEx function.
In this embodiment, the size of the target memory is greater than or equal to the size of the dynamic link library, so that the dynamic link library can be effectively stored in the target memory.
The Dynamic Link Library (DLL) shown in this embodiment is the mechanism by which Microsoft implements shared function libraries in the Microsoft Windows operating system. The extensions of these library files are ".dll", ".ocx" (a library containing ActiveX controls) or ".drv".
Dynamically linked libraries provide a way for a process to call functions that do not belong to its executable code. The executable code for the functions is located in a DLL file that contains one or more functions that have been compiled, linked and stored separately from the process in which they are used. DLLs also facilitate sharing of data and resources. Multiple applications can simultaneously access the contents of a single DLL copy in memory. Updates can be more easily applied to individual modules using dynamically linked libraries without affecting other parts of the program.
Step 404, the client device writes the full path of the dynamic link library into the target memory.
The dynamic link library DLL shown in this embodiment includes a hook, and the client device can monitor a target process provided with the hook based on the hook.
A hook, as used in this embodiment, is part of the Windows message handling mechanism: an application program can install a subroutine that monitors a certain kind of message of a specified window, and the monitored window may have been created by another process.
The monitoring of the target process in this embodiment can be divided into a general monitoring rule and a customized monitoring rule.
Optionally, the hook shown in this embodiment may be a specific hook, that is, the specific hook is only set in a specific target process, so that the client device performs customized monitoring on the specific target process based on the specific hook.
Optionally, the hook shown in this embodiment may be a general hook, that is, the general hook is set in a non-specific target process, so that the client device performs general monitoring on the non-specific target process based on the general hook.
In the specific process that the client device sets the dynamic link library DLL in the target process to monitor the target process, the client device can write the full path of the dynamic link library into the target memory by calling a WriteProcessMemory function.
Step 405, the client device maps the dynamic link library into the address space of the target process.
Specifically, the client device shown in this embodiment may load the dynamic link library from the full path by calling a CreateRemoteThread function and a LoadLibrary function, and map the loaded dynamic link library into the address space of the target process.
It can be seen that the dynamic link library can be mapped in the address space of the target process by using steps 402 to 405 shown in this embodiment.
Optionally, the timing for the client device to execute steps 401 to 405 in this embodiment may be when the client device is powered on, when a target process of the client device is started, and the like, and is not limited in this embodiment.
The dynamic link library shown in this embodiment includes preset rules for indicating at least one target service type;
the preset rule shown in this embodiment can implement monitoring for the target service type.
Specifically, a service type in this embodiment is a classification of APIs (Application Programming Interfaces) according to their functional characteristics and the characteristics of the objects they operate on.
For example, APIs such as NtSetValueKey, NtDeleteValueKey and NtQueryValueKey are classified under the registry service type because they all operate on the registry.
The monitoring granularity of the preset rule shown in this embodiment may be a specific target service type.
Specifically, the client device shown in this embodiment may monitor all APIs in the target service type that needs to be monitored.
For example, if the client device shown in this embodiment needs to monitor the service type of the registry, the client device may monitor all APIs in the service type of the registry, such as NtSetValueKey, NtDeleteValueKey, NtQueryValueKey, and the like.
The monitoring granularity of the preset rule shown in this embodiment may be a part of API under the target service type.
Specifically, the client device shown in this embodiment may monitor a part of the APIs under the target service type that needs to be monitored.
For example, if the client device shown in this embodiment needs to monitor the service type of the registry, the client device may monitor a part of the API under the service type of the registry, such as NtSetValueKey.
Therefore, with a dynamic link library provided with the preset rules, specific service types can be monitored rather than only the process itself. The monitoring granularity shown in this embodiment is more flexible and more targeted: according to the characteristics of the process, certain service types or certain APIs (Application Programming Interfaces) can be monitored with emphasis.
To better understand how the client device monitors the target API according to the target service type described above, the following further illustrates with reference to fig. 5:
in this example the monitoring granularity of the preset rule is a whole target service type. As shown in fig. 5, the client device determines, based on the preset rule, that the target service types to be monitored are a registry service type 501, a network Socket service type 502 and a Token service type 503.
The client device may obtain a first list 504, a second list 505 and a third list 506, where the target APIs included in the first list 504 are all APIs under the registry service type 501, the target APIs included in the second list 505 are all APIs under the network Socket service type 502, and the target APIs included in the third list 506 are all APIs under the Token service type 503.
As can be seen, the client device shown in this embodiment divides all target APIs that need to be monitored by target service type, so that it can monitor the target APIs implementing different target service types separately. In the example of fig. 5, the client device monitors the target APIs included in the first list 504, the second list 505 and the third list 506 respectively.
The following describes in detail how the client device in this embodiment monitors the target API in the target process once the dynamic link library has been mapped into the target process:
the target API shown in this embodiment is an API whose implemented service type matches one target service type of the at least one target service type.
Specifically, in this embodiment the target service type is the registry service type, the target API shown in this embodiment operates on the registry, and the service type of the target API is therefore the registry service type.
In this embodiment, the number and kind of target service types that the client device needs to monitor are not limited; for example, the target service types may also be the network Socket service type, the Token service type, and so on.
The following describes how the client device monitors the target API:
Step 406, the client device acquires a free target memory block in a target interval.
The client device shown in this embodiment locates the free target memory block in the target interval by calling the VirtualQuery function to enumerate the memory regions of the target process.
Specifically, the target interval is an address range that contains, and is larger than, the instruction space of the target API.
More specifically, the target memory block shown in this embodiment is used to store a jump instruction, and the target interval must be determined first so that the jump instruction created in the target memory block can actually be reached from the target API.
In a specific application, on x86 and x64 machines a 32-bit relative jump instruction (JMP rel32) occupies 5 bytes and encodes a signed 32-bit displacement measured from the end of the instruction. Once the hook is set, the hooked function begins with one such jump, so the memory block it jumps to can only lie within about +/-2 GB of the instruction space of the target API. (In a 32-bit process the whole address space lies within this range; the constraint matters in 64-bit processes.)
It can be seen that, in this case, the target interval is [instruction space of target API - 2 GB, instruction space of target API + 2 GB].
When the target interval is determined, the client device enumerates the memory blocks in the target interval cyclically until a free memory block is located, and takes that free memory block as the target memory block. A block that VirtualQuery reports as free must still be committed with execute permission before code is written into it.
Step 407, the client device creates a target jump instruction in the target memory block.
Wherein the target jump instruction comprises two parts:
one part of the target jump instruction is a copy of the first M machine instructions of the target API, followed by a JMP instruction back to the second half of the original location of the target API, i.e. to the instruction that follows the copied ones; this part lets the original target API still be executed after the hook has run.
M shown in this embodiment is a positive integer greater than 1, and M is equal to 10 in this embodiment.
The other part of the target jump instruction is an unconditional jump JMP instruction for jumping to the dynamic link library.
Specifically, this JMP instruction carries the address of the function in the dynamic link library that replaces the target API, so that control passes from the target API into the dynamic link library.
It can be seen that the copied instructions must cover at least the N bytes overwritten in step 408 and end on an instruction boundary, and any copied instruction that uses relative addressing has to be adjusted for its new location, otherwise the original API cannot be resumed correctly.
Optionally, to avoid leaving the target API readable and writable at will, the client device shown in this embodiment first stores the current protection attribute of the memory page containing the target API;
if that page is not writable, the client device changes the protection attribute of the target memory PAGE to PAGE_EXECUTE_READWRITE with the VirtualProtect function, so that the first bytes of the target API can be overwritten, and restores the stored attribute once the rewrite is complete (see below).
Step 408, the client device rewrites the first N bytes of the target API with a JMP instruction that jumps to the target jump instruction in the target memory block.
N shown in this embodiment is a positive integer greater than or equal to 1; this embodiment is exemplarily described by taking N as 5, the length of the JMP rel32 described above.
In this embodiment, the client device hooks the target API by rewriting its first N bytes, and thus, with the method shown in this embodiment, the client device may monitor the hooked target API.
Step 409, the client device obtains target data for monitoring the target API.
The client device shown in this embodiment may obtain target data for monitoring the target API based on a hook set in the target API.
The target data shown in this embodiment may be related call parameters for reflecting that the target API is called, and different call parameters are used for showing different behaviors implemented by the target API.
It can be seen that through the above steps the client device redirects the execution of the target API into the dynamic link library, i.e. into the execution logic that monitors the target API, after which the copied instructions and the jump back return control to the remainder of the original target API.
Step 410, the client device reports the target data to a server.
In this embodiment, each call of a target API on the client device yields one target datum; as can be seen from the above description, there may be multiple target APIs and therefore multiple target data, and the client device splices the multiple target data into a data packet, i.e. the data packet generated by the client device includes multiple target data.
Optionally, the client device shown in this embodiment determines whether a data packet is greater than a preset threshold and, if so, splits the data packet so that each data packet containing target data is smaller than the preset threshold, which bounds the time the client device needs to send a data packet to the server.
This embodiment does not limit how the client device splices the plurality of target data corresponding to the plurality of target APIs into a data packet.
Optionally, the client device may splice by target service type, i.e. one target service type corresponds to one data packet: as shown above, when the client device monitors one target service type it may determine the multiple target APIs that implement that target service type, and it then splices all target data generated by those target APIs into one data packet.
Optionally, the client device may instead splice all target data directly into the data packet, with each target datum in the data packet carrying an identifier indicating the target service type it belongs to; the client device and the server agree on the identifiers in advance, so that after receiving the data packet the server can determine, from the identifier of each target datum, the service type that datum belongs to.
Optionally, the data packet generated by the client device further includes a target time point for each target datum, the target time point being the time at which the client device acquired that target datum, so that the data packet spliced from all target data carries a time sequence of the time points at which each target datum was acquired.
In this embodiment, the description of the contents of the data packet is an optional example and not a limitation; for example, the data packet may further include IP address information, signature information, network operation information, encoding information required for network transmission, and the like.
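The following is an added example, not the patent's packet format, showing one way to build the data packets of step 410 in C: each target datum is framed with a service-type identifier, its acquisition time point and its call parameters, the records are spliced into packets that are split on record boundaries so that no packet exceeds the threshold, and the receiving side parses each packet back and counts records per service type. The one-byte identifiers, the field widths and the four sample data are constructed for this example.

```c
/* Added example, not the patent's format: framing and splitting of the data
 * packets of step 410. Identifiers, field widths and sample data are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

enum service_type { SVC_REGISTRY = 1, SVC_SOCKET = 2, SVC_TOKEN = 3 }; /* assumed identifiers */

struct target_datum {
    uint8_t     svc;      /* target service type implemented by the hooked API */
    uint64_t    time_ms;  /* time point at which the datum was acquired */
    const char *params;   /* call parameters captured by the hook, as text here */
};

#define REC_HDR 11u       /* 1-byte type + 8-byte time + 2-byte payload length */

static void put_le(uint8_t *p, uint64_t v, int n)
{
    for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static uint64_t get_le(const uint8_t *p, int n)
{
    uint64_t v = 0;
    for (int i = n - 1; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Encode one record into out; returns bytes written, or 0 if it does not fit in cap. */
static size_t encode_record(const struct target_datum *d, uint8_t *out, size_t cap)
{
    size_t plen = strlen(d->params);
    if (plen > UINT16_MAX || REC_HDR + plen > cap) return 0;
    out[0] = d->svc;
    put_le(out + 1, d->time_ms, 8);
    put_le(out + 9, plen, 2);
    memcpy(out + REC_HDR, d->params, plen);
    return REC_HDR + plen;
}

struct packet { uint8_t buf[256]; size_t len; };

/* Splice data into packets of at most max_len bytes without ever cutting a record.
 * Returns the packet count, or -1 if a single record alone exceeds max_len (such a
 * datum must be shortened by the client rather than split) or out is too small. */
static int splice_packets(const struct target_datum *data, size_t n, size_t max_len,
                          struct packet *out, size_t max_packets)
{
    if (max_len > sizeof out->buf) max_len = sizeof out->buf;
    size_t np = 0;
    for (size_t i = 0; i < n; ) {
        if (np == max_packets) return -1;
        struct packet *p = &out[np++];
        p->len = 0;
        while (i < n) {
            size_t w = encode_record(&data[i], p->buf + p->len, max_len - p->len);
            if (w == 0) break;          /* next record does not fit: start a new packet */
            p->len += w; i++;
        }
        if (p->len == 0) return -1;     /* record i does not fit even in an empty packet */
    }
    return (int)np;
}

/* Server side: walk one packet, adding records per service type to counts[1..3].
 * Returns the record count, or -1 if the packet is truncated or carries an unknown type. */
static int parse_packet(const uint8_t *buf, size_t len, size_t counts[4])
{
    int n = 0;
    for (size_t off = 0; off < len; n++) {
        if (len - off < REC_HDR) return -1;
        uint8_t svc = buf[off];
        size_t plen = (size_t)get_le(buf + off + 9, 2);
        if (svc < SVC_REGISTRY || svc > SVC_TOKEN || len - off - REC_HDR < plen) return -1;
        counts[svc]++;
        off += REC_HDR + plen;
    }
    return n;
}

/* Constructed sample: four target data from three service types (33, 34, 34, 26 bytes). */
static const struct target_datum EXAMPLE_DATA[4] = {
    { SVC_REGISTRY, 1000, "NtSetValueKey HKCU\\Run" },
    { SVC_SOCKET,   1005, "connect 203.0.113.7:443" },
    { SVC_TOKEN,    1009, "NtAdjustPrivilegesToken" },
    { SVC_REGISTRY, 1012, "NtQueryValueKey" },
};

/* Splice EXAMPLE_DATA under max_len, parse every packet back as the server would, and
 * return the packet count (or -1); per-type counts go to counts[4] when non-NULL. */
static int example_round_trip(size_t max_len, size_t counts[4])
{
    struct packet pk[4];
    size_t local[4] = {0};
    int np = splice_packets(EXAMPLE_DATA, 4, max_len, pk, 4), recs = 0;
    if (np < 0) return -1;
    for (int i = 0; i < np; i++) {
        int r = parse_packet(pk[i].buf, pk[i].len, local);
        if (r < 0 || pk[i].len > max_len) return -1;
        recs += r;
    }
    if (recs != 4) return -1;
    if (counts) memcpy(counts, local, sizeof local);
    return np;
}

static size_t example_type_count(uint8_t svc)
{
    size_t counts[4] = {0};
    if (svc > SVC_TOKEN || example_round_trip(80, counts) < 0) return 0;
    return counts[svc];
}

/* A packet cut in the middle of a record is rejected by the server, which is why
 * the threshold is applied on record boundaries rather than on raw bytes. */
static bool example_truncated_rejected(void)
{
    struct packet pk[1];
    size_t c[4] = {0};
    if (splice_packets(EXAMPLE_DATA, 1, 64, pk, 1) != 1) return false;
    return parse_packet(pk[0].buf, pk[0].len - 1, c) == -1;
}
```

With a threshold of 80 bytes the four sample records (127 bytes in total) go out as two packets of 67 and 60 bytes; with a threshold of 200 they fit in one, and a threshold smaller than the first record makes splice_packets fail rather than emit a fragment the server could not parse.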
Step 411, the server receives the data packet.
In this embodiment, the server may monitor the client device based on the received data packet including the plurality of target data, i.e. the server learns the operating conditions of the different service types on the client device from the data packet.
Optionally, the server may further perform statistical analysis on the operating conditions of the client device using the time sequence included in the data packet.
Optionally, the server may be combined with an engine for malicious-behaviour feature analysis, so as to discover attacks such as information theft and penetration behaviour in time and thereby protect the client device.
Optionally, in the monitoring method shown in this embodiment, in order that threads of the application program which are not executing the dynamic link library are neither damaged nor made to execute a half-rewritten instruction sequence, the client device places the threads that are not executing the dynamic link library in a suspended state before the rewrite.
The client device compares the instruction pointer of each suspended thread with the address of the target API one by one; if a thread's instruction pointer lies within the first N bytes of the target API, that thread is returned to the executable state so that it leaves that region, since resuming it there after the rewrite would execute a partially overwritten instruction.
After the rewrite the client device calls the FlushInstructionCache function so that the processor does not execute stale instruction bytes, and restores the protection attribute of the target API memory to the attribute saved before step 406 using the VirtualProtect function.
Optionally, after the monitoring method shown in the above steps has been executed, the client device may unload the dynamic link library mapped into the target process, and a specific unloading process may be:
the client device obtains the exit code of the remote thread using the GetExitCodeThread function, the remote thread shown in this embodiment being the thread that loaded the dynamic link library, so that its exit code is the base address at which the dynamic link library was loaded (the exit code is 32 bits wide, so this recovers the full base address only in a 32-bit target process);
using that base address, the client device unloads the dynamic link library from the target process through the Windows API functions CreateRemoteThread and FreeLibrary;
the client device then releases the target memory allocated in the address space of the target process using the VirtualFreeEx function.
Therefore, after the client device shown in this embodiment has monitored the target process, the allocated target memory is released in time, so that unnecessary memory consumption is avoided and the operating efficiency of the client device is improved.
The following explains the beneficial effects of the monitoring method shown in this embodiment:
by adopting the monitoring method shown in this embodiment, the target API that needs to be monitored and that implements the target service type is hooked through the dynamic link library mapped into the target process, so that the client device acquires target data for monitoring the target API whenever the hooked target API is called; the client device reports the target data to the server, and the target API is monitored on the basis of the target data. Since the hook resides in user mode inside the monitored process, it records calls that pass through the hooked entry point; code that issues system calls directly or restores the original first bytes is not observed, which should be kept in mind when the target data are used for security analysis.
The monitoring method shown in this embodiment can be applied to the field of vulnerability analysis: by monitoring a specified target process, the behaviour of the target process at each time point can be analysed from the target data and classified by service type, and by building a time-sequence analysis model a security vulnerability detection tool can analyse vulnerability information that may exist in the process.
In order to better understand the process monitoring method provided by the embodiment of the present invention, the process monitoring method is described below with reference to a specific application scenario:
the application scenario takes a mobile phone as the terminal. With the development of mobile communication technology the mobile phone is no longer limited to making calls; for example, a user can browse web page contents through the browser of the mobile phone, play videos and music through a player on the mobile phone, take pictures through the camera of the mobile phone, and so on.
In order to monitor the operation of the mobile phone, and thereby improve its operating speed, prevent it from accessing web pages carrying viruses, improve network security and the like, the operation of the mobile phone needs to be comprehensively understood and the processes of the application programs in the system monitored;
a specific execution flow of the process monitoring method shown in the application scenario is described with reference to fig. 6:
Step 601, the mobile phone sets the MD5 value of the process file name of the browser process in a preset list.
The mobile phone determines, according to the process filtering rule, that the browser process is the process to be monitored.
Specifically, the mobile phone may create the preset list in advance and set the MD5 value of the process file name of the browser process in it, so that the mobile phone determines through the preset list that the browser process needs to be monitored. (As this is a hash of the file name rather than of the executable, the rule selects a process by its name only.)
Step 602, after the mobile phone is powered on and the preset list has been read, the mobile phone determines from the MD5 value of the process file name of the browser process included in the preset list that the browser process needs to be monitored.
For a specific description of the creation process of the preset rule, reference may be made to the foregoing embodiments, and details are not specifically described in this application scenario.
Step 603, the mobile phone obtains a handle to the browser process, and thereby access to its address space, by calling the OpenProcess function.
For the specific calling process of the OpenProcess function, please refer to the foregoing embodiments, which is not described in detail here.
Step 604, the mobile phone allocates a target memory in the address space of the browser process by calling the VirtualAllocEx function.
The target memory shown in this application scenario is larger than or equal to the size of the dynamic link library, so that the dynamic link library can be stored in the target memory.
Step 605, the mobile phone writes the full path of the dynamic link library into the target memory.
The dynamic link library sets a hook in the target API; once the hook is set, the hooked function begins with one 5-byte 32-bit relative jump instruction, so the jump instruction can only jump to an address within +/-2 GB of the instruction space of the target API.
For a detailed description of the target API, see the above embodiments, and details are not described in this application scenario.
Step 606, the mobile phone enumerates memory blocks circularly in the target interval until the idle memory blocks are successfully located.
Step 607, the mobile phone creates a target jump instruction in the free memory block.
The target jump instruction comprises an unconditional jump JMP instruction for jumping to the dynamic link library.
And 608, rewriting the first N bytes of the target API by the mobile phone based on the JMP instruction to realize the hooking of the target API.
Step 609, the mobile phone acquires target data for monitoring the target API.
The mobile phone can acquire target data for monitoring the target API based on the hook arranged in the target API. The target data may be related call parameters for reflecting that the target API is called, and different call parameters are used for showing different behaviors implemented by the target API.
Therefore, the mobile phone can change the execution logic of the target API to jump to the dynamic link library, namely the execution logic for monitoring the target API.
And step 610, the mobile phone splices the target data to generate a data packet.
Step 611, the mobile phone sends the data packet to a server.
Step 612, the server receives the data packet.
Step 613, the server monitors the browser process of the mobile phone based on the received data packet including the plurality of target data.
For a process of monitoring a browser process by the server based on the target data, please refer to the above embodiment in detail, which is not described in detail in this application scenario.
A detailed description is given below of a specific structure of the client device provided by the present invention with reference to fig. 7, where the client device provided by this embodiment is used to execute the monitoring method shown in fig. 4, and a specific execution process of the monitoring method is shown in the foregoing embodiment, and is not specifically described in this embodiment.
As shown in fig. 7, the client device includes:
a mapping unit 701, configured to map a dynamic link library in an address space of a target process, where the dynamic link library includes a preset rule for indicating at least one target service type.
A processing unit 702, configured to set a hook in a target application programming interface API based on the dynamic link library, where the target API is an API called by the target process when the target process runs, and a service type implemented by the target API is consistent with one target service type of the at least one target service type.
An obtaining unit 703 is configured to obtain target data based on a hook set in the target API, where the target data is used to monitor the target API.
Optionally, the mapping unit 701 is further configured to determine the target process, where the target process meets at least one condition shown in the following: the MD5 value of the target process file name is located in a preset list, the storage path of the target process is consistent with a preset storage path, the identifier PID of the target process is located in a preset range, and the target process image name comprises preset characters.
Optionally, the mapping unit 701 is further configured to obtain an address space of the target process; allocating a target memory in the address space of the target process, wherein the size of the target memory is larger than or equal to that of the dynamic link library; writing the full path of the dynamic link library into the target memory; and reading the dynamic link library under the full path, and mapping the dynamic link library into the address space of the target process.
Optionally, the mapping unit 701 is further configured to obtain the address space of the target process by calling the OpenProcess function; allocate the target memory in the address space of the target process by calling the VirtualAllocEx function; write the full path of the dynamic link library into the target memory by calling the WriteProcessMemory function; and map the dynamic link library into the address space of the target process by calling the CreateRemoteThread function and the LoadLibrary function.
Optionally, the processing unit 702 is further configured to obtain an idle target memory block in a target interval, where the target interval is greater than an address area of the target API instruction space; creating a jump instruction in the target memory block, wherein the jump instruction is used for jumping to the dynamic link library; rewriting the first N bytes of the target API based on the jump instruction, wherein N is a positive integer greater than or equal to 1.
Optionally, the processing unit 702 is further configured to obtain the idle target memory block in the target interval by calling a VirtualQuery function, where the target interval is greater than an address area of the target API instruction space.
Optionally, the target data include at least one of the following:
information indicating the service type implemented by the target API, and time point information indicating when the target data were acquired.
In this embodiment, the client device is presented in the form of functional units. A "unit" may refer to an application-specific integrated circuit (ASIC), an electronic circuit, a processor and memory that execute one or more software or firmware programs, an integrated logic circuit, and/or other devices that provide the described functionality.
An embodiment of the present invention further provides a computer storage medium for storing computer software instructions implementing the monitoring method shown in fig. 4, containing a program designed to execute the method embodiment. The monitoring method provided by the embodiment of the present invention can be realized by executing the stored program.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
While the invention has been described in connection with various embodiments, other variations to the disclosed embodiments can be understood and effected by those skilled in the art in practicing the claimed invention, from a review of the drawings, the disclosure, and the appended claims. In the claims, the word "comprising" does not exclude other elements or steps, and the word "a" or "an" does not exclude a plurality. A single processor or other unit may fulfill the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus (device), or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein. A computer program stored/distributed on a suitable medium supplied together with or as part of other hardware, may also take other distributed forms, such as via the Internet or other wired or wireless telecommunication systems.
The present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (devices) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the invention has been described in conjunction with specific features and embodiments thereof, it will be evident that various modifications and combinations can be made thereto without departing from the spirit and scope of the invention. Accordingly, the specification and figures are merely exemplary of the invention as defined in the appended claims and are intended to cover any and all modifications, variations, combinations, or equivalents within the scope of the invention. It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Publications (2)

Publication Number: Publication Date
CN109726067A (application): 2019-05-07
CN109726067B (granted patent): 2021-08-24

Family

ID=66291466

Family Applications (1)

Application NumberTitlePriority DateFiling Date
CN201711037388.2AActiveCN109726067B (en)2017-10-302017-10-30Process monitoring method and client device

Country Status (1)

CountryLink
CN (1)CN109726067B (en)

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
CN110650179A (en)*2019-08-202020-01-03视联动力信息技术股份有限公司Process monitoring method and system
CN112487414B (en)*2019-09-122024-04-12腾讯科技(深圳)有限公司Method, device, equipment and storage medium for acquiring process command line
CN112527589A (en)*2019-09-172021-03-19比亚迪股份有限公司Process monitoring method and process monitoring device
CN111010346B (en)*2019-12-232021-10-19深信服科技股份有限公司Message processing method, device, storage medium and device based on dynamic routing
CN113778779B (en)*2020-11-182024-04-16北京京东拓先科技有限公司Monitoring method, system, device, electronic equipment and medium of data interface
CN114647844A (en)*2020-12-212022-06-21奇安信安全技术(珠海)有限公司Simulated behavior message identification method and device, electronic equipment and storage medium
CN112650650B (en)*2020-12-312024-04-23联想(北京)有限公司Control method and device
CN112817657B (en)*2021-01-292023-07-18北京奇艺世纪科技有限公司Application program starting item loading method, device, system and storage medium
CN113392405B (en)*2021-06-162022-05-27赵浩茗 Digital service vulnerability detection method and server combined with big data analysis
CN114138623A (en)*2021-11-292022-03-04杭州迪普科技股份有限公司 Device and method for monitoring user operation
CN114363006B (en)*2021-12-102025-01-07奇安信科技集团股份有限公司 WinRM service-based protection method and device
CN114462021A (en)*2022-01-272022-05-10杭州立思辰安科科技有限公司 Process Protection Method Based on Operating System Driven
CN116126232A (en)*2022-12-262023-05-16深信服科技股份有限公司 Business operation control method, device, electronic device and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
US8065734B1 (en)*2008-03-062011-11-22Symantec CorporationCode module operating system (OS) interactions intercepting system and method
CN102314561A (en)*2010-07-012012-01-11电子科技大学Automatic analysis method and system of malicious codes based on API (application program interface) HOOK
CN103106085A (en)*2011-11-152013-05-15镇江亿海软件有限公司Remote thread injection method based on intelligence
CN103927485A (en)*2014-04-242014-07-16东南大学Android application program risk assessment method based on dynamic monitoring
CN105740046A (en)*2016-01-262016-07-06华中科技大学Virtual machine process behavior monitoring method and system based on dynamic library

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
CN103150240B (en)*2013-03-192015-04-08天脉聚源(北京)传媒科技有限公司Method and system for monitoring application process
CN105279651B (en)*2015-11-162019-02-12中国建设银行股份有限公司A kind of transaction data monitor processing method and system
CN105426310B (en)*2015-11-272018-06-26北京奇虎科技有限公司A kind of method and apparatus for the performance for detecting target process

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party

Title
Research and application of dynamic code instrumentation technology on Windows systems; 朱晓东 (Zhu Xiaodong); Wanfang Data journal/dissertation database (《万方期刊/学位》); 2009-12-31; pp. 20-84 *

Also Published As

Publication number | Publication date
CN109726067A (en) | 2019-05-07

Similar Documents

Publication | Title
CN109726067B (en) | Process monitoring method and client device
US20240095043A1 (en) | Execution of sub-application processes within application program
US11222118B2 (en) | Method for updating SELinux security policy and terminal
USRE48311E1 (en) | Apparatus and method for running multiple instances of a same application in mobile devices
CN106874037B (en) | Application program installation method and device and mobile terminal
CN105809028B (en) | Apparatus and method for running multiple instances of the same application in a mobile device
CN112865956B (en) | Certificate updating method and device, terminal equipment and server
US10048828B2 (en) | Method of interface control and electronic device thereof
CN108984225A (en) | Method and apparatus for quick start of a boarding application
CN106815518B (en) | Application installation method and electronic equipment
CN108920220B (en) | Function calling method, device and terminal
CN108090345B (en) | Linux system external command execution method and device
EP2869604B1 (en) | Method, apparatus and device for processing a mobile terminal resource
CN114096946A (en) | Method and apparatus for managing applications
US10643252B2 (en) | Banner display method of electronic device and electronic device thereof
CN109145598B (en) | Virus detection method and device for script file, terminal and storage medium
CN110908882A (en) | Performance analysis method and device of application program, terminal equipment and medium
CN111078233B (en) | Application promotion realization method, device, equipment and storage medium
CN108984212B (en) | Method for closing process and electronic equipment
CN115936724A (en) | Service processing method, device, storage medium and electronic equipment
CN113536387A (en) | Terminal and method for detecting integrity of kernel data
US11809550B2 (en) | Electronic device and control method therefor
CN109918122B (en) | White list maintenance method and device and terminal equipment
KR102018960B1 (en) | Software code obfuscation using doubly packed structures
CN120671118A (en) | Application clone method, electronic device, storage medium and chip system

Legal Events

Date | Code | Title | Description
 | PB01 | Publication | 
 | SE01 | Entry into force of request for substantive examination | 
 | GR01 | Patent grant | 
