CN105095741A - Behavior monitoring method and behavior monitoring system of application program - Google Patents


Publication number
CN105095741A
Authority
CN
China
Prior art keywords
behavior
monitored
application program
record
function
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201410201140.5A
Other languages
Chinese (zh)
Inventor
李常坤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihu Ceteng Security Technology Co Ltd
BEIJING QIHU CETENG TECHNOLOGY Co Ltd
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihu Ceteng Security Technology Co Ltd
BEIJING QIHU CETENG TECHNOLOGY Co Ltd
Beijing Qihoo Technology Co Ltd
Application filed by Beijing Qihu Ceteng Security Technology Co Ltd, BEIJING QIHU CETENG TECHNOLOGY Co Ltd, Beijing Qihoo Technology Co Ltd
Priority to CN201410201140.5A
Publication of CN105095741A
Legal status: Pending

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention provides a behavior monitoring method and a behavior monitoring system of an application program. The behavior monitoring method comprises the following steps: judging whether current behavior of the application program is a behavior to be monitored; if the current behavior is the behavior to be monitored, determining a reconfiguration method structure body corresponding to the behavior to be monitored, wherein the reconfiguration method structure body comprises a distribution function for indicating the position of a calling interface corresponding to a record function, and the record function is used for recording information of the behavior to be monitored; obtaining the calling interface corresponding to the record function according to the distribution function, calling the record function through the calling interface corresponding to the record function, and recording behavior information of the monitoring behavior through the record function; and determining the safety of the application program according to the behavior information of recorded behavior to be monitored. By utilizing the behavior monitoring method and the behavior monitoring system, the problem of how to monitor the behavior of the application program to enable the behavior of the application program to be transparent and visible is solved.

Description

A behavior monitoring method and system for an application program
Technical field
The present invention relates to the field of software technology, and in particular to a behavior monitoring method and system for an application program.
Background
With the development of software technology, more and more applications are being developed. Take mobile terminals running the Android operating system as an example: because the Android system is open source, third-party applications developed for it come in great variety, and a single application may even have tens or hundreds of derivative variants. As ROOT privilege techniques become more widespread, more and more users modify the system of their mobile terminal, so the system applications on mobile terminals are also increasingly varied. For ease of describing the solution of the present invention, applications such as third-party applications or system applications are collectively referred to herein as application programs.
In the related art, however, once an application program has started, all of its processes run in the background, and the specific behavior of the application program is not visible. Therefore, even if the application program is performing behavior in the background that threatens user security, such as invading user privacy or stealing user data, the user cannot perceive it. As a result, the user cannot determine whether an installed application program is safe, and cannot screen out safe application programs from the wide variety available to install and use.
It can be seen that how to monitor the behavior of an application program, making that behavior transparent and visible so as to determine whether the application program is safe and trustworthy, has become a problem that those skilled in the art urgently need to solve.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a behavior monitoring method and system for an application program that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a behavior monitoring method for an application program is provided, comprising:
Judging whether the current behavior of the application program is a behavior to be monitored;
When the current behavior is determined to be a behavior to be monitored, determining the reconfigured method structure corresponding to the behavior to be monitored; wherein the reconfigured method structure is the method structure obtained by reconfiguring the original method structure of the behavior to be monitored, and the reconfigured method structure comprises a distribution function used to indicate the position of the calling interface corresponding to a record function; the record function is used to record information about the behavior to be monitored;
Obtaining the calling interface corresponding to the record function according to the distribution function, calling the record function through that calling interface, and recording the behavior information of the behavior to be monitored by means of the record function;
Determining the security of the application program according to the recorded behavior information of the behavior to be monitored.
Optionally, reconfiguring the original method structure of the behavior to be monitored comprises:
Obtaining the original method structure corresponding to the behavior to be monitored;
Changing the attribute of the original method structure to a set attribute; wherein the set attribute is used to indicate that the distribution function is to be executed;
Replacing the pointer of a member of the original method structure with the distribution function; wherein the pointer is used to indicate the position of the interface of the original call function that performs the behavior to be monitored;
Backing up the original method structure.
Optionally, judging whether the current behavior of the application program is a behavior to be monitored comprises:
Obtaining the attribute of the method structure corresponding to the current behavior;
Judging, according to the attribute of the method structure corresponding to the current behavior, whether the current behavior is a behavior to be monitored; wherein, when the attribute of the method structure of the current behavior is the set attribute, the current behavior is determined to be a behavior to be monitored.
Optionally, changing the attribute of the original method structure to the set attribute comprises:
Changing the attribute of the original method structure to the native attribute.
Optionally, before the step of obtaining the calling interface corresponding to the record function according to the distribution function, the method further comprises:
Obtaining distribution parameters, the distribution parameters being used to indicate the type of the behavior information;
Wherein obtaining the distribution parameters comprises:
Traversing the args parameters to obtain the args parameters corresponding to the behavior to be monitored;
Adding the args parameters corresponding to the behavior to be monitored to an array, and using the array as the distribution parameters.
Optionally, after the step of recording the behavior information of the behavior to be monitored, the method further comprises:
After the recording of the behavior information is complete, obtaining the backed-up original method structure from the backup memory;
Obtaining the interface of the original call function corresponding to the behavior to be monitored according to the pointer in the original method structure, and calling that original call function through its interface, so as to complete the execution of the behavior to be monitored.
Optionally, determining the security of the application program according to the recorded behavior information of the behavior to be monitored comprises:
Outputting the recorded behavior information of the behavior to be monitored as the behavior information of the application program;
Judging, according to the output behavior information, whether the behavior of the application program is a risk behavior; if so, determining that the application program is a risk application program; otherwise, determining that the application program is a safe application program;
Wherein the risk behavior comprises: reading user privacy information, and/or tampering with user profile information, and/or stealing account and password information, and/or malicious calls.
Optionally, the virtual machine comprises: a Dalvik virtual machine.
Optionally, the method is executed using sub-processes.
Optionally, the application program comprises: third-party application programs and system application programs; wherein the application program runs in a sandbox.
According to a further aspect of the present invention, a behavior monitoring system for an application program is provided, comprising:
A first judging module, configured to judge whether the current behavior of the application program is a behavior to be monitored;
A first determination module, configured to determine, when the current behavior is determined to be a behavior to be monitored, the reconfigured method structure corresponding to the behavior to be monitored; wherein the reconfigured method structure is the method structure obtained by reconfiguring the original method structure of the behavior to be monitored, and the reconfigured method structure comprises a distribution function used to indicate the position of the calling interface corresponding to a record function; the record function is used to record information about the behavior to be monitored;
A recording module, configured to obtain the calling interface corresponding to the record function according to the distribution function, call the record function through that calling interface, and record the behavior information of the behavior to be monitored by means of the record function;
A second determination module, configured to determine the security of the application program according to the recorded behavior information of the behavior to be monitored.
Optionally, the system further comprises:
A first acquisition module, configured to obtain the original method structure corresponding to the behavior to be monitored;
A modification module, configured to change the attribute of the original method structure to a set attribute; wherein the set attribute is used to indicate that the distribution function is to be executed;
A replacement module, configured to replace the pointer of a member of the original method structure with the distribution function; wherein the pointer is used to indicate the position of the interface of the original call function that performs the behavior to be monitored;
A backup module, configured to back up the original method structure.
Optionally, the first judging module comprises:
A fourth acquisition module, configured to obtain the attribute of the method structure corresponding to the current behavior;
A second judging module, configured to judge, according to the attribute of the method structure corresponding to the current behavior, whether the current behavior is a behavior to be monitored; wherein, when the attribute of the method structure of the current behavior is the set attribute, the current behavior is determined to be a behavior to be monitored.
Optionally, the modification module is specifically configured to change the attribute of the original method structure to the native attribute.
Optionally, the system further comprises:
A second acquisition module, configured to obtain distribution parameters before the recording module obtains the calling interface corresponding to the record function according to the distribution function;
Wherein the second acquisition module comprises:
A third acquisition module, configured to traverse the args parameters and obtain the args parameters corresponding to the behavior to be monitored;
An adding module, configured to add the args parameters corresponding to the behavior to be monitored to an array, and use the array as the distribution parameters;
Optionally, the system further comprises:
A fifth acquisition module, configured to obtain the backed-up original method structure from the backup memory after the recording module has recorded the behavior information of the behavior to be monitored and the recording of the behavior information is complete;
A calling module, configured to obtain the interface of the original call function corresponding to the behavior to be monitored according to the pointer in the original method structure, and call that original call function through its interface, so as to complete the execution of the behavior to be monitored.
Optionally, the first determination module comprises:
An output module, configured to output the recorded behavior information of the behavior to be monitored as the behavior information of the application program;
A risk judgment module, configured to judge, according to the output behavior information, whether the behavior of the application program is a risk behavior; if so, to determine that the application program is a risk application program; otherwise, to determine that the application program is a safe application program;
Wherein the risk behavior comprises: reading user privacy information, and/or tampering with user profile information, and/or stealing account and password information, and/or malicious calls.
Optionally, the virtual machine comprises: a Dalvik virtual machine.
Optionally, the system is executed using sub-processes.
Optionally, the application program comprises: third-party application programs and system application programs; wherein the application program runs in a sandbox.
The present invention provides a behavior monitoring method and system for an application program. It is first determined that the current behavior of the application program is a behavior to be monitored, and the reconfigured method structure corresponding to that behavior is then obtained. When the virtual machine makes the function call, the calling interface corresponding to the record function can be obtained according to the reconfigured method structure, and the record function is called to record the behavior information of the behavior to be monitored, making the behavior of the application program transparent and visible.
Further, the user can analyze the behavior of the application program according to the recorded behavior information of the behavior to be monitored, determine whether that behavior is safe, and in turn determine whether the application program is safe.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered limiting of the present invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:
Fig. 1 is a flowchart of a behavior monitoring method for an application program in the first embodiment of the present invention;
Fig. 2 is a flowchart of a behavior monitoring method for an application program in the second embodiment of the present invention;
Fig. 3 is a structural diagram of a sandbox for implementing the behavior monitoring method for an application program in the third embodiment of the present invention;
Fig. 4 is a structural block diagram of a behavior monitoring system for an application program in the fourth embodiment of the present invention;
Fig. 5 is a structural block diagram of a behavior monitoring system for an application program in the fifth embodiment of the present invention.
Detailed description of the embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the disclosure can be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and so that its scope can be fully conveyed to those skilled in the art.
Embodiment one
Referring to Fig. 1, a flowchart of a behavior monitoring method for an application program in the first embodiment of the present invention is shown. In this embodiment, the behavior monitoring method is applied in a virtual machine (for example, the Dalvik virtual machine, a virtual machine used on the Android platform that can process the Java language, an object-oriented programming language), and the method comprises:
Step 102: judge whether the current behavior of the application program is a behavior to be monitored.
In this application, the application program may be any of various applications, for example a third-party application and/or a system application; the third-party application and the system application may be applications running on a mobile terminal or on a PC (Personal Computer). The operating system of the mobile terminal includes, but is not limited to, the Android system. The operations an application program carries out while running are called the behavior of the application program (they may also be called functions; executing a behavior means executing a function), and generally refer to the relatively prominent operations the application program performs, for example creating, reading, and writing files, accessing the registry, and connecting to the network. However, not all behaviors of an application program need to be monitored, so before the current behavior of the application program is monitored, it is first judged whether the current behavior is a behavior to be monitored. Preferably, whether the current behavior is a behavior to be monitored can be judged according to the to-be-monitored behavior information stored in a database or a monitoring list. Alternatively, it can be judged according to the attribute information of the behavior to be monitored; for example, according to the attribute of the method structure in the attribute information of the behavior to be monitored.
When the current behavior is determined to be a behavior to be monitored, step 104 is performed; otherwise, the corresponding function is called through the conventional call flow to execute the current behavior.
Step 104: determine the reconfigured method structure corresponding to the behavior to be monitored.
Generally, a structure (struct) is a collection of data made up of a series of data items of the same or different types. According to actual needs, the user can use a structure to encapsulate some attributes into a new type, writing the structure as a data type that meets the requirements. One example is the method structure Method in Java; Method is a final class and cannot be inherited.
In this embodiment, the reconfigured method structure is the method structure obtained by reconfiguring the original method structure of the behavior to be monitored, and the reconfigured method structure comprises a distribution function used to indicate the position of the calling interface corresponding to a record function; the record function is used to record information about the behavior to be monitored.
Step 106: obtain the calling interface corresponding to the record function according to the distribution function, call the record function through that calling interface, and record the behavior information of the behavior to be monitored by means of the record function.
Step 108: determine the security of the application program according to the recorded behavior information of the behavior to be monitored.
In summary, the behavior monitoring method of this embodiment first determines that the current behavior of the application program is a behavior to be monitored, and then obtains the reconfigured method structure corresponding to that behavior. When the virtual machine makes the function call, the calling interface corresponding to the record function can be obtained according to the reconfigured method structure, and the record function is called to record the behavior information of the behavior to be monitored, making the behavior of the application program transparent and visible.
Further, the user can analyze the behavior of the application program according to the recorded behavior information of the behavior to be monitored, determine whether that behavior is safe, and in turn determine whether the application program is safe.
Embodiment two
Referring to Fig. 2, a flowchart of a behavior monitoring method for an application program in the second embodiment of the present invention is shown. In this embodiment, the application program comprises third-party application programs and system application programs, and the application program runs in a sandbox. Here, the sandbox may be a virtual system program based on the Dalvik virtual machine; a browser or other application programs can be run in the sandbox.
The behavior monitoring method for the application program can be performed by the sandbox, and the method comprises:
Step 202: the sandbox judges whether the current behavior of the application program is a behavior to be monitored.
In this embodiment, step 202 comprises the following sub-steps:
Sub-step 2024: the sandbox obtains the attribute of the method structure corresponding to the current behavior.
Sub-step 2024: the sandbox judges, according to the attribute of the method structure corresponding to the current behavior, whether the current behavior is a behavior to be monitored. When the attribute of the method structure of the current behavior is the set attribute, the current behavior is determined to be a behavior to be monitored.
In this embodiment, before judging whether the current behavior of the application program is a behavior to be monitored, the sandbox has already reconfigured the original method structures corresponding to the behaviors to be monitored, obtained the reconfigured method structures, and injected the reconfigured method structures into the sub-process. That is, the sandbox has changed the attribute of the method structure corresponding to every behavior that needs to be monitored to the set attribute; therefore, in this embodiment, whether the current behavior is a behavior to be monitored can be judged from the attribute of its method structure.
Preferably, the method structure may be Method, and the set attribute may be the native attribute. In Java, native is placed before a method of a class, which can then be referred to as a native method. Before calling a function, the virtual machine can check the attribute of the method structure corresponding to the behavior to be monitored; when the attribute of the method structure of the called function is the native attribute, the conventional call flow goes on to call the nativeFunc function. Here, nativeFunc is a member under the native method.
Preferably, when the current behavior is determined to be a behavior to be monitored, step 204 is performed; otherwise, the corresponding function is called through the conventional call flow to execute the current behavior.
Step 204: the sandbox determines the reconfigured method structure corresponding to the behavior to be monitored.
In this embodiment, the reconfigured method structure is the method structure obtained by reconfiguring the original method structure of the behavior to be monitored, and the reconfigured method structure comprises a distribution function used to indicate the position of the calling interface corresponding to a record function; the record function is used to record information about the behavior to be monitored.
Preferably, reconfiguring the original method structure of the behavior to be monitored can comprise the following steps:
Step S22: the sandbox obtains the original method structure corresponding to the behavior to be monitored.
Step S24: the sandbox changes the attribute of the original method structure to the set attribute. The set attribute is used to indicate that the distribution function is to be executed.
Usually, by default, when a behavior of the application program runs, the function that performs the behavior is called through the conventional call flow. In this embodiment, the sandbox changes the attribute of the original method structure to the set attribute; the function that performs the behavior is then no longer called through the conventional call flow, but instead, following the call flow indicated by the set attribute, the distribution function is called and executed.
Preferably, when the attribute of the original method structure is modified, the value indicating a general attribute or the value indicating an abstract attribute can be changed to the value corresponding to the native attribute. For example, if the value 5 indicates that the attribute of the method structure is a general attribute, the value 6 indicates that the attribute of the method structure is a general attribute, and the value 0 indicates that the attribute of the method structure is the native attribute, then when the attribute of the method structure is modified, the value 5 or the value 6 is changed to the value 0.
It should be noted here that setting the set attribute to the native attribute is only an illustrative example. When the attribute of the method structure is actually modified, the attribute can be set according to the application environment and the programming language in use, for example to an unverified attribute.
Step S26: the sandbox replaces the pointer of a member of the original method structure with the distribution function. The pointer is used to indicate the position of the interface of the original call function that performs the behavior to be monitored.
In this embodiment, the pointer of the member nativeFunc of the method structure whose attribute has been modified is replaced with the distribution function, so as to establish the hook between the distribution function and the behavior to be monitored.
Step S28: the sandbox backs up the original method structure.
Preferably, the backed-up original method structure may be, but is not limited to being, kept in the sandbox's memory.
It should be noted here that there is no required order between step S28 and step S24: the sandbox may also back up the original method structure first, before modifying and reconfiguring it, or the two may be executed in parallel.
Step 206, sandbox obtains distribution parameters.Described distribution parameters is used to indicate the type of described behavioural information.
Wherein, described step 206 can comprise:
Sub-step 2062, sandbox traversal parameter args, obtains the args parameter that described behavior to be monitored is corresponding.
Sub-step 2064, args parameter corresponding for described behavior to be monitored is added in array, using described array as described distribution parameters by sandbox.
Preferably, concrete prototype can be: voidqihooCallHandler (constu4*args, JValue*pResult, constMethod*method, Thread*self).Sandbox passes through traversal parameter args, with the args parameter that the distribution function obtaining Hook between behavior to be monitored is corresponding.Then, the args parameter of Hook is added in Java object array, and by the array after interpolation as distribution parameters, sandbox can do behavior record by calling described distribution parameters.
Step 208: the sandbox obtains the calling interface corresponding to the record function according to the distribution function, calls the record function through that calling interface, and records the behavior information of the behavior to be monitored.
Step 210: the sandbox determines the security of the application according to the recorded behavior information of the behavior to be monitored.
In the present embodiment, step 210 can comprise the following sub-steps:
Sub-step 2102: the sandbox outputs the recorded behavior information of the behavior to be monitored as the behavior information of the application.
Sub-step 2104: the sandbox judges, according to the output behavior information, whether the behavior of the application is a risk behavior. If so, the application is determined to be a risk application; otherwise, the application is determined to be a safe application.
The risk behavior comprises: reading user privacy information, and/or tampering with user information, and/or stealing account and password information, and/or malicious calls.
It should be noted here that the step of determining the security of the application according to the recorded behavior information of the behavior to be monitored can be performed by the sandbox or by another program, e.g., 360 Security Guard; alternatively, a technician can analyze the behavior information of the behavior to be monitored manually and determine the security of the application. The present embodiment places no restriction on this.
Further, the recorded behavior information of the behavior to be monitored need not be output: the sandbox can analyze the recorded behavior information directly according to a set judgment rule and then determine whether the application is safe. For example, the sandbox can take a keyword from the recorded behavior information of the behavior to be monitored and look that keyword up in black and white lists; when the keyword is found in the blacklist, it determines that the application is safe. Alternatively, the sandbox can obtain (or map) the behavior indicated by the recorded behavior information, compare that behavior with the risk behaviors, and then determine the security of the application.
Step 212: after the behavior information has been recorded, the sandbox obtains the backed-up original method structure from the backup memory.
Step 214: the sandbox obtains the interface of the original call function corresponding to the behavior to be monitored according to the pointer in the original method structure, and calls that original call function through the interface to complete the execution of the behavior to be monitored.
In the present embodiment, after the behavior information has been recorded, the original call function is obtained through a function callback process to ensure that the behavior to be monitored is executed. The behavior monitoring method of the present embodiment does not affect the normal execution flow of the behavior to be monitored, and it ensures that the application works normally and that all of its functions remain usable.
In summary, the behavior monitoring method of the present embodiment first determines that the current behavior of the application is a behavior to be monitored, and then obtains the reconfigured method structure corresponding to that behavior. In the virtual machine, the attribute of the Java method structure is changed to the native attribute, and the distribution function is written into the nativeFunc member. Therefore, when a function is called, the virtual machine first checks whether the function has the native attribute. If so, it calls nativeFunc directly and thereby uses the distribution function; the distribution function takes over the dispatch of the entire Hook and the call to the original function. Then, according to the dispatch performed by the distribution function, the calling interface corresponding to the record function is obtained, and the record function is called to record the behavior information of the behavior to be monitored, making the behavior of the application transparent and visible.
Further, the user can analyze the behavior of the application according to the recorded behavior information of the behavior to be monitored, determine whether the behavior of the application is safe, and then determine whether the application is safe.
Meanwhile, after the behavior information has been recorded, the original function can be called back to ensure that the behavior to be monitored is executed. The behavior monitoring method of the present embodiment does not affect the normal execution flow of the behavior to be monitored, and it ensures that the application works normally and that all of its functions remain usable.
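The reconfiguration, dispatch and callback flow summarized above, as an added example that is not code from the patent or from any Dalvik source: a self-contained C model that backs up a method structure, sets the native attribute, routes the call through a distribution function with the qihooCallHandler-style signature, records the arguments, and then runs the backed-up original. The Method layout, the argCount field, the backup table, the pointer check in is_monitored and the sample method names are simplifying assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ACC_NATIVE 0x0100u  /* access flag marking a method as native */
#define MAX_HOOKS  8
#define MAX_ARGS   4
#define MAX_LOG    16

typedef uint32_t u4;
typedef union { int32_t i; } JValue;   /* simplified return slot */
typedef struct Thread Thread;          /* opaque; unused in this model */
struct Method;
typedef void (*BridgeFunc)(const u4 *args, JValue *pResult,
                           const struct Method *method, Thread *self);

/* Simplified method structure (assumption: the real one has more members). */
typedef struct Method {
    const char *name;
    u4 accessFlags;
    u4 argCount;           /* hypothetical: number of u4 words in args */
    BridgeFunc nativeFunc; /* called when ACC_NATIVE is set */
    BridgeFunc body;       /* stands in for the interpreted bytecode */
} Method;

typedef struct { const Method *hooked; Method original; } Backup;
typedef struct { char method[48]; u4 args[MAX_ARGS]; u4 argc; } BehaviorRecord;

static Backup g_backups[MAX_HOOKS];
static int g_backup_count;
static BehaviorRecord g_log[MAX_LOG];
static int g_log_count;

/* Model of the VM call path: native methods go through nativeFunc. */
static void vm_invoke(const Method *m, const u4 *args, JValue *res) {
    if (m->accessFlags & ACC_NATIVE) m->nativeFunc(args, res, m, NULL);
    else m->body(args, res, m, NULL);
}

/* Record function: stores the method name and the distribution parameters. */
static void record_behavior(const Method *m, const u4 *params, u4 n) {
    if (g_log_count >= MAX_LOG) return;            /* log full: drop record */
    BehaviorRecord *r = &g_log[g_log_count++];
    snprintf(r->method, sizeof r->method, "%s", m->name);
    r->argc = n;
    memcpy(r->args, params, n * sizeof(u4));
}

/* Distribution function: copy args, record, then run the backed-up original. */
static void dispatch_handler(const u4 *args, JValue *res,
                             const Method *m, Thread *self) {
    (void)self;
    u4 params[MAX_ARGS];
    u4 n = m->argCount > MAX_ARGS ? MAX_ARGS : m->argCount;
    for (u4 i = 0; i < n; i++) params[i] = args[i];
    record_behavior(m, params, n);
    for (int i = 0; i < g_backup_count; i++) {
        if (g_backups[i].hooked == m) {
            vm_invoke(&g_backups[i].original, args, res);
            return;
        }
    }
}

/* Assumption: also compare the pointer, so methods that were native
 * before hooking are not mistaken for monitored ones. */
static int is_monitored(const Method *m) {
    return (m->accessFlags & ACC_NATIVE) && m->nativeFunc == dispatch_handler;
}

/* Reconfigure a method: back up the original, set native, swap the pointer. */
static int hook_method(Method *m) {
    if (is_monitored(m)) return 0;                 /* already hooked */
    if (g_backup_count >= MAX_HOOKS) return -1;    /* no room for a backup */
    g_backups[g_backup_count].hooked = m;
    g_backups[g_backup_count].original = *m;       /* keeps flags and pointers */
    g_backup_count++;
    m->accessFlags |= ACC_NATIVE;
    m->nativeFunc = dispatch_handler;
    return 0;
}

/* Constructed sample methods. */
static void sms_body(const u4 *a, JValue *r, const Method *m, Thread *t) {
    (void)m; (void)t; r->i = (int32_t)a[1];        /* "bytes sent" */
}
static void native_read(const u4 *a, JValue *r, const Method *m, Thread *t) {
    (void)m; (void)t; r->i = (int32_t)a[0] * 2;
}

int main(void) {
    Method sms = {"SmsManager.sendTextMessage", 0, 2, NULL, sms_body};
    Method rd  = {"File.nativeRead", ACC_NATIVE, 1, native_read, NULL};
    u4 a1[2] = {10086, 42}, a2[1] = {7};
    JValue r = {0};
    hook_method(&sms);
    hook_method(&rd);
    vm_invoke(&sms, a1, &r);
    vm_invoke(&rd, a2, &r);
    for (int i = 0; i < g_log_count; i++)
        printf("%s argc=%u first=%u\n", g_log[i].method,
               (unsigned)g_log[i].argc, (unsigned)g_log[i].args[0]);
    return 0;
}
```

Because the backup keeps the original flags as well as the pointers, a method that was already native before hooking still reaches its own native implementation after the record is written.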
Embodiment three
Referring to Fig. 3, a structural diagram is shown of a sandbox for implementing the behavior monitoring method of an application in the third embodiment of the invention. The sandbox can run in the Android system.
As shown in Fig. 3, the sandbox 300 comprises: an injector 302, a Hook platform (e.g., qihooload.so) 304, a Java Hook distribution module (e.g., qihooBridge.jar) 306, and a callback code processing module (e.g., qihooNew.apk) 308.
In the present embodiment, the injector 302 injects qihooload.so into a sub-process (e.g., the zygote process). When executing a behavior, every application first copies this sub-process and then, on that basis, loads the process corresponding to the application. Next, the loading code of qihooload.so is called, and qihooload.so loads qihooBridge.jar into the zygote process. When the new process corresponding to an application starts, it copies the zygote process, so qihooBridge.jar enters the application along with the new process. qihooBridge.jar loads and runs qihooNew.apk when the new process initializes; qihooNew.apk can establish Hook associations with the behaviors that have been determined to need monitoring (that is, the behaviors to be monitored).
The behaviors to be monitored include, but are not limited to: installation and uninstallation, bookmark operations, telephone operations, deleting contacts, viewing device information, pop-up window loading, time-function calls and acceleration, cryptographic operations, file operations, reflection calls, SMS operations, string operations, and system calls.
Preferably, when a behavior of the application is triggered:
S32: judge whether the current behavior of the application is a behavior to be monitored.
When the current behavior is determined to be a behavior to be monitored, perform S34; otherwise, call the corresponding function according to the normal call flow to execute the current behavior.
S34: determine the reconfigured method structure corresponding to the behavior to be monitored.
The reconfigured method structure is the method structure obtained by reconfiguring the original method structure of the behavior to be monitored, and it comprises a distribution function that indicates the position of the calling interface corresponding to the record function; the record function is used to record the information of the behavior to be monitored.
S36: obtain the calling interface corresponding to the record function according to the distribution function, call the record function through that calling interface, and record the behavior information of the behavior to be monitored.
S38: determine the security of the application according to the recorded behavior information of the behavior to be monitored.
Preferably, 360 Security Guard can analyze and judge the recorded behavior to be monitored to determine the security of the application. Alternatively, the recorded behavior to be monitored can be compared with a standard behavior flow to determine the security of the application.
In summary, the behavior monitoring method of the present embodiment first determines that the current behavior of the application is a behavior to be monitored, and then obtains the reconfigured method structure corresponding to that behavior. When the virtual machine performs a function call, the calling interface corresponding to the record function can be obtained according to the reconfigured method structure, and the record function is called to record the behavior information of the behavior to be monitored, making the behavior of the application transparent and visible.
Further, the user can analyze the behavior of the application according to the recorded behavior information of the behavior to be monitored, determine whether the behavior of the application is safe, and then determine whether the application is safe.
Meanwhile, the behavior monitoring method is implemented on the basis of sandbox (virtual machine) technology. It can therefore be used on different devices along with the sandbox; it is widely applicable and its scope of application is not limited.
It should be noted that, for simplicity of description, the foregoing method embodiments are each expressed as a series of combined actions, but those skilled in the art should know that the invention is not limited by the described order of actions, because according to the invention some steps can be performed in other orders or simultaneously. Those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily essential to the invention.
Embodiment four
Based on the same inventive concept as the behavior monitoring method described above, and referring to Fig. 4, a structural block diagram is shown of a behavior monitoring system for an application in the fourth embodiment of the invention. In the present embodiment, the behavior monitoring system is applied in a virtual machine, and the system can comprise:
A first judging module 402, for judging whether the current behavior of the application is a behavior to be monitored.
A first determination module 404, for determining, when the current behavior is determined to be a behavior to be monitored, the reconfigured method structure corresponding to the behavior to be monitored.
The reconfigured method structure is the method structure obtained by reconfiguring the original method structure of the behavior to be monitored, and it comprises a distribution function that indicates the position of the calling interface corresponding to the record function; the record function is used to record the information of the behavior to be monitored.
A recording module 406, for obtaining the calling interface corresponding to the record function according to the distribution function, calling the record function through that calling interface, and recording the behavior information of the behavior to be monitored by means of the record function.
A second determination module 408, for determining the security of the application according to the recorded behavior information of the behavior to be monitored.
In summary, the behavior monitoring system of the present embodiment first determines that the current behavior of the application is a behavior to be monitored, and then obtains the reconfigured method structure corresponding to that behavior. Then, when the virtual machine performs a function call, the calling interface corresponding to the record function can be obtained according to the reconfigured method structure, and the record function is called to record the behavior information of the behavior to be monitored, making the behavior of the application transparent and visible.
Further, the user can analyze the behavior of the application according to the recorded behavior information of the behavior to be monitored, determine whether the behavior of the application is safe, and then determine whether the application is safe.
Embodiment five
Referring to Fig. 5, a structural block diagram is shown of a behavior monitoring system for an application in the fifth embodiment of the invention. In the present embodiment, the behavior monitoring system is applied in a sandbox, or is a sandbox that comprises the behavior monitoring system. The application comprises third-party applications and system applications, and the application runs in the sandbox. The sandbox can be a system based on the Dalvik virtual machine.
The behavior monitoring system of the application can comprise:
A first judging module 502, for judging whether the current behavior of the application is a behavior to be monitored.
In the present embodiment, the first judging module 502 comprises:
A fourth acquisition module 5022, for obtaining the attribute of the method structure corresponding to the current behavior.
A second judging module 5024, for judging whether the current behavior is a behavior to be monitored according to the attribute of the method structure corresponding to the current behavior. When the attribute of the method structure of the current behavior is the set attribute, the current behavior is determined to be a behavior to be monitored.
A first determination module 504, for determining, when the current behavior is determined to be a behavior to be monitored, the reconfigured method structure corresponding to the behavior to be monitored.
The reconfigured method structure is the method structure obtained by reconfiguring the original method structure of the behavior to be monitored, and it comprises a distribution function that indicates the position of the calling interface corresponding to the record function; the record function is used to record the information of the behavior to be monitored.
A second acquisition module 506, for obtaining the distribution parameters.
The second acquisition module 506 comprises:
A third acquisition module 5062, for traversing the args parameter to obtain the args parameters corresponding to the behavior to be monitored.
An adding module 5064, for adding the args parameters corresponding to the behavior to be monitored to an array and using that array as the distribution parameters.
A recording module 508, for obtaining the calling interface corresponding to the record function according to the distribution function, calling the record function through that calling interface, and recording the behavior information of the behavior to be monitored by means of the record function.
A second determination module 510, for determining the security of the application according to the recorded behavior information of the behavior to be monitored.
In the present embodiment, the second determination module 510 comprises:
An output module 5102, for outputting the recorded behavior information of the behavior to be monitored as the behavior information of the application.
A risk judging module 5104, for judging, according to the output behavior information, whether the behavior of the application is a risk behavior; if so, the application is determined to be a risk application; otherwise, the application is determined to be a safe application.
The risk behavior comprises: reading user privacy information, and/or tampering with user information, and/or stealing account and password information, and/or malicious calls.
A fifth acquisition module 512, for obtaining the backed-up original method structure from the backup memory after the behavior information has been recorded.
A calling module 514, for obtaining the interface of the original call function corresponding to the behavior to be monitored according to the pointer in the original method structure, and calling that original call function through the interface to complete the execution of the behavior to be monitored.
In the present embodiment, the behavior monitoring system of the application also comprises the following modules:
A first acquisition module 516, for obtaining the original method structure corresponding to the behavior to be monitored.
A modification module 518, for changing the attribute of the original method structure to the set attribute. The set attribute indicates that the distribution function is to be executed.
In the present embodiment, the modification module 518 is specifically configured to change the attribute of the original method structure to the native attribute.
A replacement module 520, for replacing the pointer of the original method structure's member with the distribution parameters. The pointer indicates the position of the interface of the original call function that executes the behavior to be monitored.
A backup module 522, for backing up the original method structure.
It should be noted here that the first acquisition module 516 through the backup module 522 are used to reconfigure the original method structure of the behavior to be monitored in order to generate the reconfigured method structure. The system is executed using a sub-process. The first acquisition module 516 through the backup module 522 can come before or after any other module of the behavior monitoring system.
In summary, the behavior monitoring method of the present embodiment first determines that the current behavior of the application is a behavior to be monitored, and then obtains the reconfigured method structure corresponding to that behavior. In the virtual machine, the attribute of the Java method structure is changed to the native attribute, and the distribution function is written into the nativeFunc member. Therefore, when a function is called, the virtual machine first checks whether the function has the native attribute. If so, it calls nativeFunc directly and thereby uses the distribution function; the distribution function takes over the dispatch of the entire Hook and the call to the original function. Then, according to the dispatch performed by the distribution function, the calling interface corresponding to the record function is obtained, and the record function is called to record the behavior information of the behavior to be monitored, making the behavior of the application transparent and visible.
Further, the user can analyze the behavior of the application according to the recorded behavior information of the behavior to be monitored, determine whether the behavior of the application is safe, and then determine whether the application is safe.
Meanwhile, after the behavior information has been recorded, the original function can be called back to ensure that the behavior to be monitored is executed. The behavior monitoring method of the present embodiment does not affect the normal execution flow of the behavior to be monitored, and it ensures that the application works normally and that all of its functions remain usable.
Because the behavior monitoring system embodiments above are basically similar to the method embodiments, their description is relatively brief; for related details, see the corresponding parts of the method embodiments.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system, or other device. Various general-purpose systems can also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. In addition, the invention is not directed at any particular programming language. It should be understood that various programming languages can be used to implement the content of the invention described herein, and that the description given above for a specific language is intended to disclose the best mode of the invention.
Numerous specific details are described in the specification provided herein. It can be understood, however, that embodiments of the invention can be practiced without these specific details. In some instances, well-known methods, structures, and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof in the above description of exemplary embodiments. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single previously disclosed embodiment. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units, or components in an embodiment can be combined into one module, unit, or component, and they can furthermore be divided into multiple sub-modules, sub-units, or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract, and drawings) and all processes or units of any method or device so disclosed can be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract, and drawings) can be replaced by an alternative feature serving the same, an equivalent, or a similar purpose.
In addition, those skilled in the art will understand that, although some embodiments described herein include certain features that are included in other embodiments and not other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The component embodiments of the invention can be implemented in hardware, in software modules running on one or more processors, or in a combination of these. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components of the behavior monitoring device for an application according to embodiments of the invention. The invention can also be implemented as a device or apparatus program (e.g., a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention can be stored on a computer-readable medium or can take the form of one or more signals. Such signals can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses should not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of multiple such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second, third, and so on does not indicate any order; these words can be interpreted as names.
The invention discloses A1, a behavior monitoring method for an application, the method being applied in a virtual machine and comprising:
judging whether the current behavior of the application is a behavior to be monitored;
when the current behavior is determined to be a behavior to be monitored, determining the reconfigured method structure corresponding to the behavior to be monitored; wherein the reconfigured method structure is the method structure obtained by reconfiguring the original method structure of the behavior to be monitored, and it comprises a distribution function that indicates the position of the calling interface corresponding to the record function; the record function is used to record the information of the behavior to be monitored;
obtaining the calling interface corresponding to the record function according to the distribution function, calling the record function through that calling interface, and recording the behavior information of the behavior to be monitored by means of the record function;
determining the security of the application according to the recorded behavior information of the behavior to be monitored.
A2, the method according to A1, wherein reconfiguring the original method structure of the behavior to be monitored comprises:
obtaining the original method structure corresponding to the behavior to be monitored;
changing the attribute of the original method structure to a set attribute; wherein the set attribute indicates that the distribution function is to be executed;
replacing the pointer of the original method structure's member with the distribution function; wherein the pointer indicates the position of the interface of the original call function that executes the behavior to be monitored;
backing up the original method structure.
A3, the method according to A2, wherein judging whether the current behavior of the application is a behavior to be monitored comprises:
obtaining the attribute of the method structure corresponding to the current behavior;
judging whether the current behavior is a behavior to be monitored according to the attribute of the method structure corresponding to the current behavior; wherein, when the attribute of the method structure of the current behavior is the set attribute, the current behavior is determined to be a behavior to be monitored.
A4, the method according to A2 or A3, wherein changing the attribute of the original method structure to the set attribute comprises:
changing the attribute of the original method structure to the native attribute.
A5, the method according to A1, wherein, before the step of obtaining the calling interface corresponding to the record function according to the distribution function, the method further comprises:
obtaining distribution parameters, the distribution parameters indicating the type of the behavior information;
wherein obtaining the distribution parameters comprises:
traversing the args parameter to obtain the args parameters corresponding to the behavior to be monitored;
adding the args parameters corresponding to the behavior to be monitored to an array and using that array as the distribution parameters.
A6, the method according to A3, wherein, after the step of recording the behavior information of the behavior to be monitored, the method further comprises:
after the behavior information has been recorded, obtaining the backed-up original method structure from the backup memory;
obtaining the interface of the original call function corresponding to the behavior to be monitored according to the pointer in the original method structure, and calling that original call function through the interface to complete the execution of the behavior to be monitored.
A7, the method according to A1, wherein determining the security of the application according to the recorded behavior information of the behavior to be monitored comprises:
outputting the recorded behavior information of the behavior to be monitored as the behavior information of the application;
judging, according to the output behavior information, whether the behavior of the application is a risk behavior; if so, determining that the application is a risk application; otherwise, determining that the application is a safe application;
wherein the risk behavior comprises: reading user privacy information, and/or tampering with user information, and/or stealing account and password information, and/or malicious calls.
A8, the method according to A1, wherein the virtual machine comprises a Dalvik virtual machine.
A9, the method according to A1, wherein the method is executed using a sub-process.
A10, the method according to A1, wherein the application comprises third-party applications and system applications, and the application runs in a sandbox.
The invention also discloses the behavior monitoring system of B11, a kind of application program, described system is applied in virtual machine, and described system comprises:
First judge module, for judging whether the current behavior of application program is behavior to be monitored;
First determination module, for when surely described current behavior is behavior to be monitored, determines the method for reconfiguration structure that described behavior to be monitored is corresponding; Wherein, described method for reconfiguration structure is the method structure after reshuffling the original method structure of described behavior to be monitored, and described method for reconfiguration structure comprises: the distribution function being used to indicate the position of calling interface corresponding to record function; Described record function is for recording the information of described behavior to be monitored;
Logging modle, for obtaining calling interface corresponding to described record function according to described distribution function, calls described record function by the calling interface that described record function is corresponding, and by the behavioural information of behavior to be monitored described in described record function record;
Second determination module, the behavioural information for the behavior to be monitored according to record determines the security of described application program.
B12. The system according to B11, wherein the system further comprises:
A first acquisition module, configured to obtain the original method structure corresponding to the behavior to be monitored;
A modifying module, configured to modify the attribute of the original method structure to a set attribute; wherein the set attribute indicates that the distribution function is to be executed;
A replacing module, configured to replace the pointer of the original method structure member with the distribution function; wherein the pointer indicates the position of the interface of the original call function that performs the behavior to be monitored;
A backup module, configured to back up the original method structure.
B13. The system according to B12, wherein the first judging module comprises:
A fourth acquisition module, configured to obtain the attribute of the method structure corresponding to the current behavior;
A second judging module, configured to judge, according to the attribute of the method structure corresponding to the current behavior, whether the current behavior is a behavior to be monitored; wherein, when the attribute of the method structure of the current behavior is the set attribute, the current behavior is determined to be a behavior to be monitored.
B14. The system according to B12 or B13, wherein
The modifying module is specifically configured to modify the attribute of the original method structure to the native attribute.
B15. The system according to B11, wherein the system further comprises:
A second acquisition module, configured to obtain distribution parameters before the recording module obtains the calling interface corresponding to the record function according to the distribution function;
Wherein the second acquisition module comprises:
A third acquisition module, configured to traverse the args parameters and obtain the args parameters corresponding to the behavior to be monitored;
An adding module, configured to add the args parameters corresponding to the behavior to be monitored to an array and use the array as the distribution parameters.
B16. The system according to B13, wherein the system further comprises:
A fifth acquisition module, configured to obtain the backed-up original method structure from backup storage after the recording module has finished recording the behavior information of the behavior to be monitored;
A calling module, configured to obtain the interface of the original call function corresponding to the behavior to be monitored according to the pointer in the original method structure, and to call that original call function through the interface, so as to complete the execution of the behavior to be monitored.
B17. The method according to B11, wherein the first determination module comprises:
An output module, configured to output the recorded behavior information of the behavior to be monitored as the behavior information of the application program;
A risk judging module, configured to judge, according to the output behavior information, whether the behavior of the application program is a risk behavior; if so, to determine that the application program is a risk application program; otherwise, to determine that the application program is a safe application program;
Wherein the risk behavior comprises: reading user privacy information, and/or tampering with user information, and/or stealing account and password information, and/or making malicious calls.
B18. The method according to B11, wherein the virtual machine comprises a Dalvik virtual machine.
B19. The system according to B11, wherein the system is performed using sub-processes.
B20. The system according to B11, wherein the application program comprises third-party application programs and system application programs, and the application program runs in a sandbox.
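The reconfigure, record and call-original sequence of B12 to B16, modelled in plain C as an added example; it is not code from the patent or from Dalvik. `Method`, `distribute`, `record`, `reconfigure`, `invoke` and `read_contacts` are hypothetical names in a toy structure, and `ACC_NATIVE` stands in for the set (native) attribute.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ACC_NATIVE 0x0100u  /* stands in for the "set attribute" (native) */
#define MAX_ARGS  8
#define MAX_HOOKS 8
#define MAX_LOG   16

struct Method;
typedef int (*call_fn)(const struct Method *m, const int *args, size_t nargs);
/* Hypothetical method structure: attribute flags plus the call-interface pointer. */
typedef struct Method { const char *name; unsigned flags; call_fn entry; } Method;
typedef struct { const char *name; int args[MAX_ARGS]; size_t nargs; } LogEntry;

static Method        backups[MAX_HOOKS];  /* backed-up original structures */
static const Method *hooked[MAX_HOOKS];   /* live structure each backup belongs to */
static size_t        nhooks, nlog;
static LogEntry      log_buf[MAX_LOG];

/* Record function: stores the behavior name and its parameter array. */
static void record(const Method *m, const int *params, size_t n) {
    if (nlog == MAX_LOG) return;           /* log full: drop rather than overflow */
    log_buf[nlog].name = m->name;
    memcpy(log_buf[nlog].args, params, n * sizeof *params);
    log_buf[nlog++].nargs = n;
}

/* Distribution function: collect args, record, then run the backed-up original. */
static int distribute(const Method *m, const int *args, size_t nargs) {
    int params[MAX_ARGS];
    size_t n = 0;
    for (size_t i = 0; i < nargs && n < MAX_ARGS; i++) params[n++] = args[i];
    record(m, params, n);
    for (size_t i = 0; i < nhooks; i++)
        if (hooked[i] == m) return backups[i].entry(&backups[i], args, nargs);
    return -1;                             /* no backup: original cannot complete */
}

/* Judging step: the attribute alone marks a behavior to be monitored. */
int is_monitored(const Method *m) { return (m->flags & ACC_NATIVE) != 0; }

/* Reconfigure: back up the structure, set the attribute, swap the pointer. */
int reconfigure(Method *m) {
    /* Model choice: an already-native method is refused, because the
       attribute could not tell it apart from a reconfigured one. */
    if (is_monitored(m) || nhooks == MAX_HOOKS) return -1;
    backups[nhooks] = *m;
    hooked[nhooks++] = m;
    m->flags |= ACC_NATIVE;
    m->entry = distribute;
    return 0;
}

int invoke(Method *m, const int *args, size_t nargs) { return m->entry(m, args, nargs); }
size_t log_count(void) { return nlog; }
const LogEntry *log_at(size_t i) { return i < nlog ? &log_buf[i] : NULL; }

/* Constructed stand-in for a sensitive call; not a real API. */
static int read_contacts(const Method *m, const int *a, size_t n) {
    (void)m;
    return n >= 2 ? a[0] + a[1] : 0;
}

int main(void) {
    Method m = { "read_contacts", 0, read_contacts };
    int args[2] = { 7, 3 };
    reconfigure(&m);
    printf("result=%d logged=%zu\n", invoke(&m, args, 2), log_count());
    return 0;
}
```

The caller sees the same return value before and after reconfiguration; only the log changes, which is what lets the monitored application keep running while its calls are recorded.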

Claims (10)

1. A behavior monitoring method for an application program, characterized in that the method is applied in a virtual machine and comprises:
Judging whether the current behavior of the application program is a behavior to be monitored;
When the current behavior is determined to be a behavior to be monitored, determining the reconfigured method structure corresponding to the behavior to be monitored; wherein the reconfigured method structure is the method structure obtained by reconfiguring the original method structure of the behavior to be monitored, and it comprises a distribution function that indicates the position of the calling interface corresponding to a record function; the record function is used to record information about the behavior to be monitored;
Obtaining the calling interface corresponding to the record function according to the distribution function, calling the record function through that calling interface, and recording the behavior information of the behavior to be monitored through the record function;
Determining the security of the application program according to the recorded behavior information of the behavior to be monitored.
2. The method of claim 1, characterized in that reconfiguring the original method structure of the behavior to be monitored comprises:
Obtaining the original method structure corresponding to the behavior to be monitored;
Modifying the attribute of the original method structure to a set attribute; wherein the set attribute indicates that the distribution function is to be executed;
Replacing the pointer of the original method structure member with the distribution function; wherein the pointer indicates the position of the interface of the original call function that performs the behavior to be monitored;
Backing up the original method structure.
3. The method of claim 2, characterized in that judging whether the current behavior of the application program is a behavior to be monitored comprises:
Obtaining the attribute of the method structure corresponding to the current behavior;
Judging, according to the attribute of the method structure corresponding to the current behavior, whether the current behavior is a behavior to be monitored; wherein, when the attribute of the method structure of the current behavior is the set attribute, the current behavior is determined to be a behavior to be monitored.
4. The method of claim 2 or claim 3, characterized in that modifying the attribute of the original method structure to the set attribute comprises:
Modifying the attribute of the original method structure to the native attribute.
5. The method of claim 1, characterized in that, before the step of obtaining the calling interface corresponding to the record function according to the distribution function, the method further comprises:
Obtaining distribution parameters, the distribution parameters indicating the type of the behavior information;
Wherein obtaining the distribution parameters comprises:
Traversing the args parameters to obtain the args parameters corresponding to the behavior to be monitored;
Adding the args parameters corresponding to the behavior to be monitored to an array, and using the array as the distribution parameters.
6. The method of claim 3, characterized in that, after the step of recording the behavior information of the behavior to be monitored, the method further comprises:
After recording of the behavior information is complete, obtaining the backed-up original method structure from backup storage;
Obtaining the interface of the original call function corresponding to the behavior to be monitored according to the pointer in the original method structure, and calling that original call function through the interface, so as to complete the execution of the behavior to be monitored.
7. The method of claim 1, characterized in that determining the security of the application program according to the recorded behavior information of the behavior to be monitored comprises:
Outputting the recorded behavior information of the behavior to be monitored as the behavior information of the application program;
Judging, according to the output behavior information, whether the behavior of the application program is a risk behavior; if so, determining that the application program is a risk application program; otherwise, determining that the application program is a safe application program;
Wherein the risk behavior comprises: reading user privacy information, and/or tampering with user information, and/or stealing account and password information, and/or making malicious calls.
8. The method of claim 1, characterized in that the virtual machine comprises a Dalvik virtual machine.
9. The method of claim 1, characterized in that the method is performed using sub-processes.
10. A behavior monitoring system for an application program, characterized in that the system is applied in a virtual machine and comprises:
A first judging module, configured to judge whether the current behavior of the application program is a behavior to be monitored;
A first determining module, configured to determine, when the current behavior is determined to be a behavior to be monitored, the reconfigured method structure corresponding to the behavior to be monitored; wherein the reconfigured method structure is the method structure obtained by reconfiguring the original method structure of the behavior to be monitored, and it comprises a distribution function that indicates the position of the calling interface corresponding to a record function; the record function is used to record information about the behavior to be monitored;
A recording module, configured to obtain the calling interface corresponding to the record function according to the distribution function, call the record function through that calling interface, and record the behavior information of the behavior to be monitored through the record function;
A second determining module, configured to determine the security of the application program according to the recorded behavior information of the behavior to be monitored.
CN201410201140.5A 2014-05-13 2014-05-13 Behavior monitoring method and behavior monitoring system of application program Pending CN105095741A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410201140.5A CN105095741A (en) 2014-05-13 2014-05-13 Behavior monitoring method and behavior monitoring system of application program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410201140.5A CN105095741A (en) 2014-05-13 2014-05-13 Behavior monitoring method and behavior monitoring system of application program

Publications (1)

Publication Number Publication Date
CN105095741A true CN105095741A (en) 2015-11-25

Family

ID=54576150

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410201140.5A Pending CN105095741A (en) 2014-05-13 2014-05-13 Behavior monitoring method and behavior monitoring system of application program

Country Status (1)

Country Link
CN (1) CN105095741A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
AD01 Patent right deemed abandoned
AD01 Patent right deemed abandoned

Effective date of abandoning: 20191227