CN107239698A - Anti-debugging method and apparatus based on a signal handling mechanism - Google Patents


Publication number
CN107239698A
Authority
CN
China
Prior art keywords
signal
status
application program
status signal
state
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710393685.4A
Other languages
Chinese (zh)
Inventor
阚志刚
陈彪
程显龙
方宁
卢佐华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
YANGPUWEIYE TECHNOLOGY Ltd
Original Assignee
YANGPUWEIYE TECHNOLOGY Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by YANGPUWEIYE TECHNOLOGY Ltd
Priority to CN201710393685.4A
Publication of CN107239698A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

This application discloses an anti-debugging method based on a signal handling mechanism, addressing the prior-art problem that an attacker can use a debugger to attack and crack a target application. The method includes: creating a monitoring process from the host process of the application; capturing, by the monitoring process, a status signal that contains the process status of the host process; and, if the process status contained in the status signal is determined to be a preset state, terminating the host process, the preset state being a state in which the application is being debugged by an external process or an external process is attempting to debug it. This application also discloses an anti-debugging apparatus based on a signal handling mechanism.

Description

Anti-debugging method and apparatus based on a signal handling mechanism
Technical field
This application relates to the field of computer technology, and in particular to an anti-debugging method and apparatus based on a signal handling mechanism.
Background
With the rapid development of the mobile Internet industry, the number of mobile applications has exploded, and more and more Android applications are being developed for the Android system. For ease of description, Android applications are referred to below simply as applications.
Because the Android system is itself open source, applications are very easily targeted by trojans and piracy, and applications are gradually replacing desktop programs as the main target of attackers.
In the prior art, an attacker can use a debugger to trace the execution of an application, inspect and modify the code and data in its memory, and analyse the program logic of the target application, and thereby attack and crack the application.
Summary of the invention
The embodiments of this application provide an anti-debugging method based on a signal handling mechanism, to solve the prior-art problem that an attacker can use a debugger to attack and crack a target application.
The embodiments of this application also provide an anti-debugging apparatus based on a signal handling mechanism, to solve the prior-art problem that an attacker can use a debugger to attack and crack a target application.
The embodiments of this application adopt the following technical solutions:
An anti-debugging method based on a signal handling mechanism, including:
creating a monitoring process from the host process of an application;
capturing a status signal by means of the monitoring process, the status signal containing the process status of the host process;
if the process status contained in the status signal is determined to be a preset state, terminating the host process, the preset state being a state in which the application is being debugged by an external process or an external process is attempting to debug it.
Preferably, the status signal is captured by the monitoring process through a target application programming interface (API).
Preferably, the target API receives the status signal as follows:
the signals sent by the operating system are obtained through a hook function;
the status signal among those signals is captured through the target API.
Preferably, after the status signal is received through the target API, the method further includes:
determining the process status contained in the status signal by means of a preset system macro.
Preferably, the monitoring process is created by the host process of the application through the fork() function.
An anti-debugging apparatus based on a signal handling mechanism, including:
a process creation unit, configured to create a monitoring process from the host process of an application;
a signal capture unit, configured to capture a status signal by means of the monitoring process, the status signal containing the process status of the host process;
a process termination unit, configured to terminate the host process if the process status contained in the status signal is determined to be a preset state, the preset state being a state in which the application is being debugged by an external process or an external process is attempting to debug it.
Preferably, the status signal is captured by the monitoring process through a target application programming interface (API).
Preferably, the target API receives the status signal as follows:
the signals sent by the operating system are obtained through a hook function;
the status signal among those signals is captured through the target API.
Preferably, after the status signal is received through the target API, the apparatus further includes:
a status determination unit, configured to determine the process status contained in the status signal by means of a preset system macro.
Preferably, the monitoring process is created by the host process of the application through the fork() function.
At least one of the technical solutions adopted by the embodiments of this application can achieve the following beneficial effects:
In this application, the host process of the application creates a monitoring process, the monitoring process captures a status signal containing the process status of the application's host process, and the host process is terminated when the process status contained in the status signal is determined to be the preset state, that is, when the application is being debugged by an external process or an external process is attempting to debug it. Thus, when another external process debugs or attempts to debug the host process of the application, the monitoring process can determine the process status of the host process and then terminate it, preventing an attacker from maliciously attacking and cracking the application's process.
Brief description of the drawings
The drawings described here are provided for a further understanding of this application and form part of it. The illustrative embodiments of this application and their description are used to explain the application and do not unduly limit it. In the drawings:
Fig. 1 is a flow diagram of the anti-debugging method based on a signal handling mechanism provided by an embodiment of this application;
Fig. 2 is a structural diagram of the anti-debugging apparatus based on a signal handling mechanism provided by an embodiment of this application.
Detailed description
To make the purpose, technical solutions and advantages of this application clearer, the technical solutions are described clearly and completely below with reference to specific embodiments of this application and the corresponding drawings. The described embodiments are only some of the embodiments of this application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in this application, without creative work, fall within the scope of protection of this application.
The technical solutions provided by the embodiments of this application are described in detail below with reference to the drawings.
As stated in the Background, because the Android system is itself open source, attackers often carry out malicious attacks on Android applications to obtain the data they contain, and Android reverse-engineering techniques are increasingly being abused by these attackers. Debugging is a very important part of Android reverse engineering: by debugging an Android application, an attacker can observe how it runs and infer its basic principles, can often quickly bypass login or feature restrictions, and can obtain users' private information, which is highly harmful.
When debugging an application, an attacker typically debugs the process corresponding to the application. Broadly speaking, a process is one run of a program with some independent function over a data set; it is the basic unit of dynamic execution in an operating system, and in a traditional operating system a process is both the basic unit of allocation and the basic unit of execution. Each process has its own address space, which generally includes a text region, a data region and a stack region. The text region stores the code executed by the processor, the data region stores variables and the memory dynamically allocated during execution, and the stack region stores the instructions and local variables of active procedure calls. Therefore, once an attacker has maliciously attacked and cracked the process of an application, the attacker can obtain the key information and data of that application.
It should be noted that debugging in the embodiments of this application may mean analysing the behaviour of an application using the debugging facilities provided by a programming language or using a dedicated debugging tool.
To solve the prior-art problem that an attacker can use a debugger to maliciously attack and crack a target application, the embodiments of this application provide an anti-debugging method based on a signal handling mechanism. The executing entity of the method may be, but is not limited to, at least one of a mobile phone, a tablet computer, a personal computer (PC) or another device that can be configured to execute the method provided by the embodiments of this application; alternatively, the executing entity may be the application itself that implements the anti-debugging method based on a signal handling mechanism provided by this application. For ease of description, the method is described below taking an application as the executing entity. It should be understood that this is only an illustrative choice and should not be construed as limiting the method.
A flow diagram of the anti-debugging method based on a signal handling mechanism provided by this application is shown in Fig. 1; the method includes the following steps:
Step 11: the host process of the application creates a monitoring process.
In the embodiments of this application, the host process is also called the parent process, and is generally a process that can create one or more child processes. A child process is a process created by another process, and it inherits most of the attributes of its parent process, such as file descriptors. In a Linux system, a child process is usually the product of the fork() system call. A process may have multiple child processes but at most one parent process; a process that has no parent process was most likely created directly by the kernel.
In practice, processes are not created out of nothing: every process is derived from its parent process. In a Linux system, a parent process can generally create a child process with a process-creation function such as fork(), vfork() or clone(). In the embodiments of this application, the host process can create the monitoring process with fork(). fork() is a system call that creates a child process almost identical to the parent process that called it. In other words, after a parent process calls fork(), the system first allocates resources, such as space for data and code, to the monitoring process to be created, and then copies all the values of the calling parent process into it; only a few values differ from those of the parent, so the result is a monitoring process cloned from, and essentially identical to, the parent process.
Because the Android system does not prohibit the system calls used for debugging, an attacker whose malicious program has obtained root privileges can use application programming interfaces (APIs) to modify the memory and registers of an application's process, in order to execute shellcode or inject a malicious module. Once injected, the malicious module can dynamically read sensitive information in memory, such as the application user's user name and password and other important information and data. To avoid these problems, the following steps can be performed to monitor the process status of the application's host process and so prevent other external processes from debugging it.
Step 12: the monitoring process captures a status signal, which contains the process status of the host process.
Signals in a Linux system can be distinguished by function, and a signal with a given function can be captured through the application programming interface corresponding to that function. The monitoring process can therefore capture the status signal through a target application programming interface (API): specifically, the signals sent by the operating system are first obtained through a hook function, and the status signal among them is then obtained through the target API.
The status signal is captured by the monitoring process through the target API; in practice, the waitpid() interface function can be used to capture it. waitpid() takes the parameters pid, status and options, where pid is the process identifier, status is the process termination status value and options holds additional options. waitpid() suspends execution of the current process until a signal arrives or the process ends. If the process has already ended when waitpid() is called, waitpid() immediately returns the termination status value of that process. The termination status value is returned through the parameter status, and the process identifier pid of the process is returned along with it. If the termination status value is not of interest, the parameter status can be set to NULL.
The parameter pid is the process identifier of the process to be captured, and its value is interpreted as follows: when pid < -1, the captured process is any process identified by the absolute value of pid; when pid = -1, the captured process is any process; when pid = 0, the captured process is any process whose process group identifier is the same as that of the current process; when pid > 0, the captured process is the process whose process identifier is pid.
The parameter options provides additional options that control waitpid(). It can be 0, or several options can be combined with the "|" operator, for example: ret = waitpid(-1, NULL, WNOHANG | WUNTRACED). WNOHANG means that if the process specified by pid has not ended, waitpid() returns 0 without waiting; if it has ended, the ID of that process is returned. WUNTRACED means that if the process has entered the stopped state, waitpid() returns immediately, but the termination status of the process is not reported. If these options are not needed, options can be set to 0, for example: ret = waitpid(-1, NULL, 0).
A hook function is part of the message-handling mechanism; through it, the signals sent by the operating system can be obtained, such as the status signals of the application's host process or of other processes. In a Linux system each process has its own independent process space, and a hook function can be injected into a process by means of system calls. Whenever a particular message is sent, the hook function obtains it first, that is, the hook function gains control first. At that point the hook function can process the message, pass it on unprocessed, or forcibly stop its delivery. The target API in the embodiments of this application exploits this ability of hook functions to obtain the messages of processes in the system: the signals sent by processes in the operating system are obtained through the hook function, and the status signal among them is then obtained through the target API, namely the waitpid() interface function.
After the status signal has been received through the target API, the process status contained in it can be determined by a preset system macro, in order to decide whether the status signal indicates that the application's host process is being debugged.
The process status contained in the status signal can be determined with system macros such as WIFEXITED(status), WIFSIGNALED(status) and WIFSTOPPED(status), or with system macros such as WTERMSIG(status) and WSTOPSIG(status). Specifically, WIFEXITED(status) can be applied when the status returned is that of an application host process that terminated normally, and captures the low eight bits of the argument the host process passed to exit or _exit as the process status; WIFSIGNALED(status) can be applied when the status returned is that of a process that terminated abnormally, and captures the number of the signal that terminated the host process as the process status; WIFSTOPPED(status) can be applied when the status returned is that of a host process that is currently suspended, and takes the number of the signal that suspended the host process as the process status. WTERMSIG(status) is used to capture the number of the signal that terminated the process, and is generally used only after WIFSIGNALED(status) has been checked; WSTOPSIG(status) is used to capture the number of the signal that caused the process to be suspended, and is generally used only after WIFSTOPPED(status) has been checked.
Step 13: if the process status contained in the status signal is determined to be the preset state, the host process is terminated.
The preset state is a state in which the application is being debugged by an external process or an external process is attempting to debug it. In the embodiments of this application the preset state indicates that the application is being debugged by an external process or may be debugged by one. Specifically, the preset state can be a state in which the application's process is not running normally, for example a state of being debugged by an external process, or a stopped state caused by debugging by an external process; both states make it easier for an attacker to crack and attack the application.
To prevent other external processes from debugging the application's host process, and to prevent an attacker from cracking the application once its host process is in the stopped state and thereby obtaining important information such as the account and password entered by the user, the embodiments of this application terminate the application's host process when the process status contained in the status signal is determined, by the preset system macro, to be the preset state.
In this application, the host process of the application creates a monitoring process, the monitoring process captures a status signal containing the process status of the application's host process, and the host process is terminated when the process status contained in the status signal is determined to be the preset state, that is, when the application is being debugged by an external process or an external process is attempting to debug it. Thus, when another external process debugs or attempts to debug the host process of the application, the monitoring process can determine the process status of the host process and then terminate it, preventing an attacker from maliciously attacking and cracking the application's process.
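Steps 11 to 13 as a C example, added here as an illustration and not taken from the patent: a watcher calls waitpid() with WUNTRACED, decodes the status word with WIFEXITED/WIFSIGNALED/WIFSTOPPED, and kills the watched process when it is reported as stopped. Assumptions: because waitpid() only reports on the caller's own children, the forked child stands in for the protected process and the forking process plays the monitor; the stop is simulated with raise(SIGSTOP); the names classify_status and monitor_once are hypothetical.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical names for this added example; none of them come from the patent. */
enum proc_state { ST_EXITED, ST_SIGNALED, ST_STOPPED, ST_OTHER };
enum verdict { V_ERROR = -1, V_CLEAN_EXIT, V_DIED_BY_SIGNAL, V_TERMINATED_AFTER_STOP };

/* Decode a waitpid() status word with the macros named in the description.
 * *detail receives the exit code or the signal number. */
enum proc_state classify_status(int status, int *detail)
{
    if (WIFEXITED(status))   { *detail = WEXITSTATUS(status); return ST_EXITED; }
    if (WIFSIGNALED(status)) { *detail = WTERMSIG(status);    return ST_SIGNALED; }
    if (WIFSTOPPED(status))  { *detail = WSTOPSIG(status);    return ST_STOPPED; }
    *detail = 0;
    return ST_OTHER;
}

/* waitpid() that restarts when interrupted by an unrelated signal. */
static pid_t wait_retry(pid_t pid, int *status, int options)
{
    pid_t r;
    do {
        r = waitpid(pid, status, options);
    } while (r < 0 && errno == EINTR);
    return r;
}

/* One monitoring round. The child stands in for the protected process; when
 * simulate_stop is non-zero it stops itself, standing in for a process that
 * an external party has halted. */
enum verdict monitor_once(int simulate_stop, int *detail)
{
    int status = 0;
    pid_t pid;

    *detail = 0;
    pid = fork();
    if (pid < 0)
        return V_ERROR;
    if (pid == 0) {                       /* watched process */
        if (simulate_stop)
            raise(SIGSTOP);
        _exit(0);
    }

    /* WUNTRACED makes waitpid() report stops as well as terminations. */
    if (wait_retry(pid, &status, WUNTRACED) != pid)
        return V_ERROR;

    switch (classify_status(status, detail)) {
    case ST_EXITED:
        return V_CLEAN_EXIT;
    case ST_SIGNALED:
        return V_DIED_BY_SIGNAL;
    case ST_STOPPED:
        /* Preset state reached: terminate the watched process, then reap it. */
        if (kill(pid, SIGKILL) != 0)
            return V_ERROR;
        if (wait_retry(pid, &status, 0) != pid)
            return V_ERROR;
        return (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL)
                   ? V_TERMINATED_AFTER_STOP : V_ERROR;
    default:
        return V_ERROR;
    }
}

int main(void)
{
    int detail = 0;
    enum verdict v;

    v = monitor_once(1, &detail);
    printf("stopped run: verdict=%d, stop signal=%d\n", (int)v, detail);
    v = monitor_once(0, &detail);
    printf("normal run:  verdict=%d, exit code=%d\n", (int)v, detail);
    return 0;
}
```

A child process cannot call waitpid() on its parent, so a design in which the forked monitor watches the process that created it needs another way to obtain the parent's state; the description does not say which one it uses.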
To solve the prior-art problem that an attacker can use a debugger to trace the execution of a target Android application and attack and crack it, and based on the same inventive concept as the anti-debugging method based on a signal handling mechanism described above, the embodiments of this application also provide an anti-debugging apparatus based on a signal handling mechanism which, as shown in Fig. 2, includes:
a process creation unit 21, configured to create a monitoring process from the host process of an application;
a signal capture unit 22, configured to capture a status signal by means of the monitoring process, the status signal containing the process status of the host process;
a process termination unit 23, configured to terminate the host process if the process status contained in the status signal is determined to be a preset state, the preset state being a state in which the application is being debugged by an external process or an external process is attempting to debug it.
The apparatus embodiment works as follows. First, the process creation unit 21 creates a monitoring process from the host process of the application. Then the signal capture unit 22 captures, by means of the monitoring process, a status signal containing the process status of the host process. Finally, the process termination unit 23 terminates the host process if the process status contained in the status signal is determined to be the preset state. In this way, when another external process debugs or attempts to debug the application's process, the monitoring process can detect that process status and terminate the host process of the application, preventing an attacker from maliciously attacking and cracking the application's process.
In one embodiment, because signals in a Linux system are classified by function, the signal capture unit 22 is configured to:
capture the status signal through a target application programming interface (API).
In one embodiment, the signal capture unit 22 is specifically configured to:
obtain, through a hook function, the signals that include the status signal;
capture the status signal among those signals through the target API.
In one embodiment, after the status signal is received through the target API, the apparatus further includes:
a status determination unit 24, configured to determine the process status contained in the status signal by means of a preset system macro.
In one embodiment, the process creation unit 21 is specifically configured to:
create the monitoring process through the fork() function.
In this application, the host process of the application creates a monitoring process, the monitoring process captures a status signal containing the process status of the application's host process, and the host process is terminated when the process status contained in the status signal is determined to be the preset state, that is, when the application is being debugged by an external process or an external process is attempting to debug it. Thus, when another external process debugs or attempts to debug the host process of the application, the monitoring process can determine the process status of the host process and then terminate it, preventing an attacker from maliciously attacking and cracking the application's process.
Those skilled in the art should understand that the embodiments of this application may be provided as a method, a system or a computer program product. Accordingly, this application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM and optical storage) that contain computer-usable program code.
This application is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of this application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device thereby provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
Memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, which can store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should also be noted that the terms "include", "comprise" and any other variants are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element qualified by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article or device that includes the element.
The above are only embodiments of this application and are not intended to limit it. Those skilled in the art may make various modifications and changes to this application. Any modification, equivalent substitution or improvement made within the spirit and principles of this application shall fall within the scope of its claims.

Claims (10)

1. An anti-debug method based on a signal handling mechanism, characterized by comprising:
creating a monitoring process by the main process of an application program;
capturing a status signal by the monitoring process, the status signal containing the process state of the main process;
if it is determined that the process state contained in the status signal is a preset state, terminating the main process, the preset state being a state in which the application program is debugged by an external process or an external process attempts to debug it.
2. The method of claim 1, characterized in that the status signal is captured by the monitoring process through a target application program interface.
3. The method of claim 2, characterized in that the target application program interface captures the status signal in the following manner:
obtaining, through a hook function, the signals sent by the operating system;
capturing, through the target application program interface, the status signal among those signals.
4. The method of claim 3, characterized in that, after the status signal is captured through the target application program interface, the method further comprises:
determining, through a preset system macro definition function, the process state contained in the status signal.
5. The method of claim 1, characterized in that the monitoring process is created by the main process of the application program through the fork() function.
6. An anti-debug apparatus based on a signal handling mechanism, characterized by comprising:
a process creation unit, configured to create a monitoring process by the main process of an application program;
a signal capture unit, configured to capture a status signal by the monitoring process, the status signal containing the process state of the main process;
a process termination unit, configured to terminate the main process if it is determined that the process state contained in the status signal is not a preset state, the preset state being a state in which the application program is debugged by an external process.
7. The apparatus of claim 6, characterized in that the status signal is captured by the monitoring process through a target application program interface.
8. The apparatus of claim 7, characterized in that the target application program interface receives the status signal in the following manner:
determining, through a hook function, the signals that include the status signal;
capturing, through the target application program interface, the status signal among the determined signals.
9. The apparatus of claim 8, characterized in that, after the status signal is captured through the target application program interface, the apparatus further comprises:
a state determining unit, configured to determine, through a preset system macro definition function, the process state contained in the status signal.
10. The apparatus of claim 6, characterized in that the monitoring process is created by the main process of the application program through the fork() function.
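A sketch of the capture-and-decode step in claims 1 and 4, added here as an example and not taken from the patent: a watcher captures a process's state change with `waitpid()`, decodes it with the POSIX `WIFSTOPPED`/`WIFEXITED`/`WIFSIGNALED` macros, and terminates the process when it is found stopped. Assumptions: the "status signal" is a POSIX wait status, a self-raised `SIGSTOP` stands in for a debugger-induced stop, the watcher is the parent of the watched process (the reverse of claim 5, because `waitpid()` only reports on the caller's own children unless it traces them), and the hook function of claim 3 is left out; all identifiers are hypothetical.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical names for this sketch; none of them come from the patent. */
enum proc_state { PS_EXITED, PS_KILLED, PS_STOPPED, PS_UNKNOWN };

/* Decode a wait status with the standard POSIX macros. */
static enum proc_state classify_status(int status)
{
    if (WIFSTOPPED(status))  return PS_STOPPED;  /* SIGSTOP or a trace stop */
    if (WIFEXITED(status))   return PS_EXITED;
    if (WIFSIGNALED(status)) return PS_KILLED;
    return PS_UNKNOWN;
}

/* Constructed workloads: one gets stopped (simulated debug stop), one exits. */
static void body_stopped(void) { raise(SIGSTOP); _exit(0); }
static void body_normal(void)  { _exit(0); }

/* Fork a worker, capture its first state change, and kill it if that state is
 * the preset "stopped" one. *term_sig gets the fatal signal, or 0 if none. */
static enum proc_state watch_worker(void (*body)(void), int *term_sig)
{
    int status = 0;
    pid_t pid = fork();
    *term_sig = 0;
    if (pid < 0) return PS_UNKNOWN;
    if (pid == 0) { body(); _exit(0); }

    /* WUNTRACED makes waitpid() report stops as well as terminations. */
    if (waitpid(pid, &status, WUNTRACED) != pid) return PS_UNKNOWN;
    enum proc_state seen = classify_status(status);
    if (seen == PS_STOPPED) {
        kill(pid, SIGKILL);                      /* preset state: terminate */
        if (waitpid(pid, &status, 0) != pid) return PS_UNKNOWN;
    }
    if (WIFSIGNALED(status)) *term_sig = WTERMSIG(status);
    return seen;
}

int main(void)
{
    int sig = 0;
    enum proc_state st = watch_worker(body_stopped, &sig);
    printf("stopped worker: state=%d term_sig=%d\n", st, sig);
    st = watch_worker(body_normal, &sig);
    printf("normal worker:  state=%d term_sig=%d\n", st, sig);
    return 0;
}
```

A stop caused by job control or `SIGSTOP` from an administrator decodes the same way as a debugger stop here, so a deployment that kills on `WIFSTOPPED` alone will also kill on those benign events.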
CN201710393685.4A 2017-05-27 2017-05-27 A kind of anti-debug method and apparatus based on signal transacting mechanism Pending CN107239698A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710393685.4A CN107239698A (en) 2017-05-27 2017-05-27 A kind of anti-debug method and apparatus based on signal transacting mechanism

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710393685.4A CN107239698A (en) 2017-05-27 2017-05-27 A kind of anti-debug method and apparatus based on signal transacting mechanism

Publications (1)

Publication Number Publication Date
CN107239698A true CN107239698A (en) 2017-10-10

Family

ID=59984685

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710393685.4A Pending CN107239698A (en) 2017-05-27 2017-05-27 A kind of anti-debug method and apparatus based on signal transacting mechanism

Country Status (1)

Country Link
CN (1) CN107239698A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108388778A (en) * 2018-03-21 2018-08-10 北京理工大学 The APP that Android platform merges multiple features demodulates method for testing
CN109190377A (en) * 2018-09-13 2019-01-11 麒麟合盛网络技术股份有限公司 Intrusion detection method and device
CN112363917A (en) * 2020-10-30 2021-02-12 北京五八信息技术有限公司 Application program debugging exception processing method and device, electronic equipment and medium
CN114676424A (en) * 2022-05-25 2022-06-28 杭州默安科技有限公司 Container escape detection and blocking method, device, equipment and storage medium
US11409635B2 (en) 2019-08-23 2022-08-09 Raytheon Company Hacker-resistant anti-debug system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102880818A (en) * 2012-10-10 2013-01-16 北京深思洛克软件技术股份有限公司 Software protection method
CN103383689A (en) * 2012-05-03 2013-11-06 阿里巴巴集团控股有限公司 Service process fault detection method, device and service node
WO2014077702A1 (en) * 2012-11-13 2014-05-22 Auckland Uniservices Limited Security system and method for operating systems
CN104932972A (en) * 2014-03-19 2015-09-23 北京娜迦信息科技发展有限公司 Method and apparatus for preventing application from dynamic debugging
CN105793860A (en) * 2013-11-14 2016-07-20 Inka安特沃客有限公司 Method for anti-debugging
CN105956474A (en) * 2016-05-17 2016-09-21 武汉虹旭信息技术有限责任公司 Abnormal behavior detection system of Android platform software

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108388778A (en) * 2018-03-21 2018-08-10 北京理工大学 The APP that Android platform merges multiple features demodulates method for testing
CN108388778B (en) * 2018-03-21 2021-03-30 北京理工大学 APP anti-debugging method with Android platform fused with multiple features
CN109190377A (en) * 2018-09-13 2019-01-11 麒麟合盛网络技术股份有限公司 Intrusion detection method and device
US11409635B2 (en) 2019-08-23 2022-08-09 Raytheon Company Hacker-resistant anti-debug system
CN112363917A (en) * 2020-10-30 2021-02-12 北京五八信息技术有限公司 Application program debugging exception processing method and device, electronic equipment and medium
CN112363917B (en) * 2020-10-30 2022-03-04 北京五八信息技术有限公司 Application program debugging exception processing method and device, electronic equipment and medium
CN114676424A (en) * 2022-05-25 2022-06-28 杭州默安科技有限公司 Container escape detection and blocking method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100083 Beijing, Haidian District Xueyuan Road 30 days building A 20 floor

Applicant after: Beijing Bang Bang Safety Technology Co. Ltd.

Address before: 100083 Xueyuan Road, Haidian District, Haidian District, Beijing, Haidian District, Beijing

Applicant before: Yangpuweiye Technology Limited

RJ01 Rejection of invention patent application after publication

Application publication date: 20171010
